#
# innldapcheck: 

/* C code pinched from pwcheck, pinched from cyrus imap */
/* written over a crate of beer by Keith Lewis  */
/* documentation & several changes by Bas Meijer */

	This module is the source for an LDAP "authinfo generic"
	program.  The program takes a user's login name and password
	(supplied either as arguments or as responses to prompts) and
	validates them against the contents of an LDAP database.

	If the user authenticates properly, an nnrp.auth style
	record indicating the user's authenticated login and permitting
	reading and posting to all groups is output on stderr (for reading by
	nnrpd) and the program exits with a 0 status.  If the user fails to
	authenticate, a record with the attempted login name and no
	access is output on stderr and a non-zero exit status is returned.

	Exit statuses:
	0	Successfully authenticated.
	1	getpeername() failed, returned a bad address family, or
		gethostbyaddr() failed.
	2	Entry not found in password file.
	3	No permission to read passwords, or password field is '*'.
	4	Bad password match.

	Environment:
	Run by nnrpd with stdin/stdout connected to the reader and stderr
	connected back to nnrpd.
	An authentication session sends this to stdin:

ClientHost: localhost
ClientIP: 127.0.0.1
ClientPort: 1080
LocalIP: 127.0.0.1
LocalPort: 119
ClientAuthname: username
ClientPassword: password
.
[EOF]

	We simply filter ClientAuthname and ClientPassword out of that
	input, look up the dn for that uid in LDAP, and then bind to the
	LDAP server with the dn found and the password given.
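	As an added illustration (example code, not innldapcheck's own), the
	following C function parses that stdin exchange the way a checker must
	before it can search and bind; the MAXLEN limit and the rejection of
	empty or overlong values are choices of this example, not of the module.

```c
/* Added example (not innldapcheck's own code): parsing the authinfo
 * generic exchange that nnrpd writes on stdin, as documented above. */
#include <string.h>

#define MAXLEN 128   /* longest login or password accepted (assumed limit) */

struct authinfo { char user[MAXLEN]; char pass[MAXLEN]; };

/* If line starts with key, copy its value (up to CR/LF) into dst.
 * 1 = copied, 0 = key does not match, -1 = value empty or too long
 * (a silently truncated password must never reach the LDAP bind). */
static int take_value(const char *line, const char *key, char *dst)
{
    size_t klen = strlen(key), vlen;
    if (strncmp(line, key, klen) != 0)
        return 0;
    vlen = strcspn(line + klen, "\r\n");
    if (vlen == 0 || vlen >= MAXLEN)
        return -1;
    memcpy(dst, line + klen, vlen);
    dst[vlen] = '\0';
    return 1;
}

/* Walk the "Key: value" lines up to the lone "." terminator, keeping only
 * ClientAuthname and ClientPassword. Returns 1 only when both were present
 * and well formed; on 0 the caller must not attempt a bind at all. */
int parse_authinfo(const char *text, struct authinfo *ai)
{
    int have_user = 0, have_pass = 0, ru, rp;
    const char *p = text;
    while (*p != '\0') {
        size_t len = strcspn(p, "\n");
        if (p[0] == '.' && (len == 1 || (len == 2 && p[1] == '\r')))
            break;                                   /* end of session */
        ru = take_value(p, "ClientAuthname: ", ai->user);
        rp = take_value(p, "ClientPassword: ", ai->pass);
        if (ru < 0 || rp < 0)
            return 0;
        have_user |= ru > 0;
        have_pass |= rp > 0;
        p += len + (p[len] == '\n');             /* next line, if any */
    }
    return have_user && have_pass;
}
```

	A caller would feed the bytes read from stdin to parse_authinfo and
	only on a result of 1 go on to the LDAP search for the uid and the bind.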

	INSTALLATION
	edit config.h
	make
	make init (if you want to run make test and fill your ldapserver with the test data)
	make test
	#define DEBUG 0 in ldap_pwd_ok.c once the tests are OK
	/* DEBUG can be 0-32, with increasing logging in
	/var/log/news.notice; 1 is fine for testing. If you're not sure
	about your ldap server increase DEBUG, but 32 is insecure,
	so don't use it where bad eyes peek around. */

	make install as root
	
	# edit install in Makefile or add this to /etc/news/readers.conf:

auth "passwords" {
	hosts: "*"
	key: "pwd"
	auth: "ldapcheck -s localhost"
}
access "passwords" {
	key: "pwd"
	newsgroups: "*,!control*,!junk"
	access: "Read Post"
}

# restart innd: /etc/init.d/innd restart


# EXAMPLE DEBUG WITH TELNET
telnet localhost 119
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
200 example.com InterNetNews server INN 2.3.2 ready
authinfo user testuser
381
authinfo pass password
281
IHAVE <test@example.com>
335
Path: not-for-mail
From: telnet@example.com
Newsgroups: local.test
Subject: telnet test
Message-ID: <test@example.com>
Date: 31 Dec 2001 13:44:00 CET

A test
.
235
QUIT
205 .
Connection closed by foreign host.