How to get the client IP for authentication purposes in an external auth script?

joe-average-user commented 1 month ago

Hello all,

for lack of a better way of communication I try this one :-) I'd like to make an external authentication script like those published on the website. But reading the ones already there I see no option to get the client ip in such a script. Can anyone capable please elaborate on how to do that? Thank you!

Regards

weiss commented 1 month ago

for lack of a better way of communication I try this one :-)

There's the ejabberd@conference.process-one.net room, for example.

I'd like to make an external authentication script like those published on the website. But reading the ones already there I see no option to get the client ip in such a script. Can anyone capable please elaborate on how to do that?

This would require an ejabberd patch for passing the IP address to the authentication script. I need that myself and could give you my local commit if you happen to build ejabberd from source.

joe-average-user commented 1 month ago

Hello,

thank you for your immediate reaction. It would be great to have your commit! And please add a short info on what version to apply best, as I am doing this on a productive platform. I am building it on arch linux. Thanks again!

-- Regards

mremond commented 1 month ago

Hello @weiss,

Do you think we could have a patch that is backward compliant with older version of the script for people that use it in production already ?

weiss commented 1 month ago

It would be great to have your commit!

It's currently used with a very old ejabberd version and it's based on other local commits, but I had a quick go at rebasing it onto ejabberd 24.02:

https://github.com/weiss/ejabberd/tree/feature/extauth-ip

I did not yet get around to testing this version (beyond "it compiles"), sorry.

Do you think we could have a patch that is backward compliant with older version of the script

I think this would require a new ejabberd option to specify the extauth format/version.

joe-average-user commented 1 week ago

Hello again, we made further tests and seem to have included your patch into ejabberd 23.10. Now some questions arise, mainly from and around checking the system.

is there an ejabberdctl command which allows to feed an example IP so one can see it comes out at the script?
is there a way to reduce the number of spawned scripts? For 100 domains ejabberd spawns 100 scripts that just sit around most of the time. sure they are all "parked" in a stdin read, but still the whole idea to make a script pool for every hosted domain is ... oversized?
I am not all that fond of the way the data is handed over on stdin. It effectively prevents using a shell script as there seems no way to read a binary 2-byte length from stdin and then the corresponding command string. Sure this works in a lot of script languages, but why it cannot be a plain and simple null-terminated string is at least unclear.
the dev example python script does not work at exactly this position because actual python3 cannot sys.stdin.read(2), but needs sys.stdin.buffer.read(2), same for output string. So even the demo code falls over this weird construct. Nevertheless many thanks for helping out with the extauth-ip patch!

Regards

processone / ejabberd

How to get the client IP for authentication purposes in an external auth script? #4217

the dev example python script does not work at exactly this position because actual python3 cannot sys.stdin.read(2), but needs sys.stdin.buffer.read(2), same for output string. So even the demo code falls over this weird construct. Nevertheless many thanks for helping out with the extauth-ip patch!