
There's these external scripts here: https://docs.ejabberd.im/admin/configuration/authentication/#external-script

Which have zero documentation outside of saying "point your config file to the location of the script you wrote" and a list of examples. But there's no information on what you need to be doing in your script. I looked at some of the examples and it seems like it expects certain output to stdout. But I don't know what! Also, does the authentication work for things like user creation? My goal here is to be able to have a single Django project with Django authentication that will allow me to login to multiple different programs I have written. What exactly is the authentication doing when it uses the external script? What happens if I just simply accept all users and make a script that approves everything and everyone? What if I allow users with invalid urls? For example, they try to login with a host that isn't in the ejabberd.yml file? What if the ejabberd.yml file only has localhost and myexamplesite.com as a host and I authenticate a user from pizzahut.com? How does ejabberd handle this? What exactly does authentication mean to ejabberd?

Is what I want to do possible, without modification of the source code?

Ryan Glenn

1 Answer

There's these external scripts here: https://docs.ejabberd.im/admin/configuration/authentication/#external-script But there's no information on what you need to be doing in your script.

In that page there's a paragraph that says:

The details on the interface between ejabberd and the script are described in the Developers Internals section: External.

Did you follow that link? And it didn't solve any of your doubts?

What exactly is the authentication doing when it uses the external script?

ejabberd_auth_external runs extauth, which sends the corresponding query to your extauth script, and expects a reply yes/no.

What happens if I just simply accept all users and make a script that approves everything and everyone?

Well, then all registration and login attempts that pass ejabberd requirements will be successful. In fact, there's an example extauth script included in ejabberd that does exactly that, see https://github.com/processone/ejabberd/blob/master/examples/extauth/check_pass_null.pl

What if I allow users with invalid urls?

I don't understand what the context of an HTTP URL is in an XMPP scenario.

Do you mean an invalid JID, for example username@username@server? ejabberd will reject an account registration or login attempt using such a JID long before the process flow reaches your extauth script.

For example, they try to login with a host that isn't in the ejabberd.yml file?

Again, ejabberd will reject an account registration or login attempt using such a JID long before the process flow reaches your extauth script.

What if the ejabberd.yml file only has localhost and myexamplesite.com as a host and I authenticate a user from pizzahut.com?

A client may TRY to authenticate, but ejabberd immediately rejects it with a stream-error host-unknown; your extauth script is not even called. Try using check_pass_null.pl, that extauth script accepts everything, but ejabberd does not.

How does ejabberd handle this?

As explained before, which makes sense to me, after reading the documentation at https://docs.ejabberd.im/developer/guide/#external

What exactly does authentication mean to ejabberd?

What exactly do you mean?

Is what I want to do possible, without modification of the source code?

If you have a custom database, that feature is possible as long as you write an extauth script that uses your custom database.

By the way, once you write your script, if it is brand new (and not a small customization of the existing ones), I guess you will publish it somewhere, so other Django admins can benefit from your work, right?

PS: https://github.com/processone/ejabberd/discussions/3760

Badlop
  • What happens if a user uses an external auth script, and they try to login with an account that has not been registered in ejabberd, but the account exists within their auth service? Will ejabberd create it? – Ryan Glenn Jan 28 '22 at 22:39
  • It is quite obvious that you didn't attempt to try this yourself with the example script in the first place, as I suggested. Your question includes a conceptual error that I already clarified. In fact, that new question implies that you didn't even understand what I said in the initial response. – Badlop Jan 31 '22 at 16:51
  • No I didn't test it yet. I wrote up an authentication script for my setup over the weekend. I haven't had the time to actually test anything. I know that you said that ejabberd will do some regular checks. I don't think that your response answers my previous question though. You said that the external script needs to use my custom db. However, this doesn't answer the question: "If someone logs in and you're using an auth script and the account does not exist within your database... what happens?" I know ejabberd has its own internal database. Is this disabled when you're using an auth script? – Ryan Glenn Jan 31 '22 at 17:04
  • "Is this disabled when you're using an auth script?" If you tell ejabberd to use as auth_method your external script, then ejabberd will use external, not internal, not SQL, not LDAP, not something else! – Badlop Jan 31 '22 at 21:38
  • It seems like if you accept a password using an external auth script, it will save that first password you used as the password for that user. Is this true? – Ryan Glenn Feb 10 '22 at 20:52
  • In case somebody else reaches this question, the answer is yes, and Daniel found the cause of that unexpected behaviour: auth_use_cache: true Explained in https://github.com/processone/ejabberd/discussions/3768#discussioncomment-2153064 – Badlop Feb 11 '22 at 11:49
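
A minimal extauth script of the kind the answer describes, as an added example that is not part of the original thread or of ejabberd's own examples: it reads ejabberd's length-prefixed requests (2-byte big-endian length, then `operation:user:server[:password]`) on stdin and answers each with a yes/no frame, failing closed on anything it does not recognise. The in-memory user store, the helper names and the policy of refusing `tryregister`/`setpass` are assumptions; a Django setup would call its own authentication backend inside `check`.

```python
import hmac
import io
import struct
import sys

# Constructed sample store (plaintext only for the demo). Assumption: a Django
# deployment would call django.contrib.auth.authenticate() in check() instead.
USERS = {("alice", "myexamplesite.com"): "correct:horse"}

def check(op, args):
    """Decide one extauth request; unknown or malformed requests are refused."""
    if op == "auth" and len(args) == 3:
        user, server, password = args
        stored = USERS.get((user, server))
        # Compare even for unknown users so timing does not reveal existence.
        same = hmac.compare_digest((stored or "").encode(), password.encode())
        return same and stored is not None
    if op == "isuser" and len(args) == 2:
        return tuple(args) in USERS
    # setpass, tryregister, removeuser...: accounts are managed elsewhere.
    return False

def serve(stdin, stdout):
    """Answer requests until EOF; each reply is length 2 followed by 1 or 0."""
    while True:
        header = stdin.read(2)
        if len(header) < 2:
            return
        (size,) = struct.unpack(">H", header)
        payload = stdin.read(size)
        if len(payload) < size:
            return
        try:
            # Split at most 3 times so a password containing ':' stays intact.
            op, *args = payload.decode("utf-8").split(":", 3)
            ok = check(op, args)
        except UnicodeDecodeError:
            ok = False
        stdout.write(struct.pack(">HH", 2, 1 if ok else 0))
        stdout.flush()

def demo(requests):
    """Feed constructed requests through serve() and return the result codes."""
    frames = b"".join(struct.pack(">H", len(r)) + r for r in requests)
    out = io.BytesIO()
    serve(io.BytesIO(frames), out)
    raw = out.getvalue()
    return [struct.unpack(">HH", raw[i:i + 4])[1] for i in range(0, len(raw), 4)]

if __name__ == "__main__":
    serve(sys.stdin.buffer, sys.stdout.buffer)
```

As the last comment notes, `auth_use_cache: true` can make ejabberd keep honouring a password the script accepted earlier, so test password changes and revocation with that setting in mind.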