[P4] Enhancing INN With LDAP

Basic newsgroup access control for InterNetwork News (INN) is:

• based upon host name/address, user authentication, user access permissions, and newsgroup list
• adequate for most purposes
• provides only one active mechanism per host or user authentication
• unable to provide finer grained access control

INN V2 introduces new Perl script to allow finer grained control over news article posting.

In conjunction with LDAP data, the filter_nnrpd.pl script is used to provide finer grained newsgroup access.

Special local newsgroup project required:

• unrestricted read access by local users
• restricted post access by limited authorized users, and no use of INN ``moderator'' mechanism

Problems encountered:

• basic INN access and posting mechanisms could not satisfy requirements
• where to store information about limited authorized users

Resolution implemented in conjunction with filter_nnrpd.pl script:

• special INN userids plus passwords are defined in nnrp.access, INN ``user authentication'' file
• protected LDAP attributes defined to contain special INN ``authorized userids''
• protected LDAP attributes defined to contain hostnames of ``authorized users''
• LDAP ACL's used to protect requisite LDAP attributes
• LDAP is used to store information about special local newsgroup including ``owner''
• when an article is to be posted to special newsgroup, script uses LDAP data to determine access privileges
• special newsgroup reply postings only allowed from ``authorized user'' host or INN authenticated ``authorized userid''
• Web-based LDAP access allows ``owner'' of special newsgroup to dynamically update authorized user data independent of INN operation
• LDAP data and Web-based access to it provide a ``contact spot'' where users can obtain more information about special newsgroup, and who to contact about it