PMDF System Manager's Guide


Previous Contents Index

14.2.6 Auxiliary Properties

PMDF supports fetching "auxiliary properties", that is, per-user attributes, during the user authentication process since under some circumstances this can be the most efficient approach. A primary use for this facility is to associate an e-mail address with an authenticated user during SMTP AUTH processing.

A SASL authentication source can provide values for attributes, or a separate auxiliary properties module can provide values for attributes.

A RULESET security ruleset definition can include:


AUXPROP_ENABLE=auxprop-module-name,... 
or


AUXPROP_ENABLE=+auxprop-module-name,... 
An auxprop-module-name would be defined in a PROP_SOURCE section of the form


[PROP_SOURCE=auxprop-module-name] 
IMAGE=unix-path-or-openvms-logical-or-nt-dll
FUNCTION=entry-point
The FUNCTION option can be omitted if the entry point is called sasl_auxprop_init . Contact Process Software for information on the API for writing site-supplied auxiliary property modules; note that the API is currently subject to change.

Normally, the auxiliary properties modules are called in order to fill in any attributes they support which haven't already been filled in automatically by an authentication source. An initial plus character, + , as the first character of the AUXPROP_ENABLE option value causes an auxiliary properties module to override values for properties from a previous auxiliary properties module or authentication source.

The supplied pre-defined auxiliary properties modules are:

MSGSTORE

Determine the e-mail address if a PMDF user profile (PMDF MessageStore or PMDF popstore profile) for the user exists and has a store type of popstore or msgstore.

PASSWD (UNIX only)

Look up attributes via the getpwnam API.

LOCALMAIL

Determine the local e-mail address for a user by looking up the local channel official host name and glueing that onto the user name. However, if the ruleset being applied has the MAIL_DOMAIN option set to a different domain, then that other domain will instead be used to glue onto the user name. Thus if


MAIL_DOMAIN=domain
is set, this means that if user chris authenticates using that security ruleset, then his email address is chris@domain rather than chris@local-channel-domain . As this is implemented by the LOCALMAIL auxiliary properties module, it doesn't override the behavior of the MSGSTORE auxiliary properties module.

DEFAULT

This is the default, and is equivalent on UNIX to having


AUXPROP_ENABLE=MSGSTORE,PASSWD,LOCALMAIL 
or on OpenVMS or NT systems to having


AUXPROP_ENABLE=MSGSTORE,LOCALMAIL 
set in the ruleset being applied. Note that an initial plus character, + , has no effect in front of DEFAULT.

Note that these modules are designed to do nothing if the caller didn't ask for the appropriate properties. Currently, the auxiliary property of main interest is an "authenticated" e-mail address; for instance, the PMDF SMTP server will ask for the "SASL_AUX_MAILADDR" property (used if the authrewrite keyword is present on the incoming TCP/IP channel). And the MSGSTORE and LOCALMAIL auxiliary properties modules supply such a property.

A PROP_SOURCE section need not be present in the security configuration file for the above pre-defined auxiliary properties module, unless it is desired to modify some portion of the modules usual operation. But site-supplied auxiliary property modules must be established via a PROP_SOURCE definition.

When the MSGSTORE authentication source is used, its auxiliary properties behavior is automatically that of the MSGSTORE auxiliary properties module. When the PASSDB or SYSTEM authentication sources are used, their auxiliary properties behavior is automatically that of the LOCALMAIL auxiliary properties module.


Previous Next Contents Index