I am trying out Tigase Server to replace our current Ejabberd instance because it seems Tigase offers much more flexibility in authentication against SQL databases.
The situation is as follows: we have a PostgreSQL database for our mail infrastructure, containing various tables, among others a "virtual_users" table that holds e-mail addresses and encrypted/hashed passwords. This mailserver database is the main authentication source for many of the services we run.
Now I want to let the Tigase Server authenticate users against that database. So we have one user DB that is managed by Tigase and one auth DB that is external to Tigase and should be touched only as little as possible.
init.properties thus looks like this:
Note that the user DB is also a PostgreSQL database but distinct from the authentication DB.
For this scenario the "tigase-custom" authenticator seems to be the best choice. I just need to create the correct SQL queries or stored procedures but I am uncertain how the user DB and the auth DB interact and what piece of information is to be queried from where.
I have written a stored procedure for the mailserver database that returns the e-mail address (= JID) of a user if he has submitted the correct password. Passwords are never stored in clear text, only hashed. This SP looks like this (not very pretty but works):
create or replace function
check_user_login(username text, pass text)
returns text as $$
select email into result
where email = username
and password = crypt(pass,
where email = username
and password <> '')
$$ language plpgsql;
The details are not really relevant but I use a sub-SELECT here to allow for different formats of the password hashes (DES, MD5, SHA1, salted, unsalted, etc). We took over a legacy database that stored the passwords only CRYPTed but new users and passwords should use a more secure hash algorithm.
So this SP is used as "basic-conf/auth-repo-params/user-login-query" and seems to work.
But what else does Tigase expect me to provide? Which queries are supposed to work against which database?
"init_db_query" obviously talks to the user DB, as does "user-logout-query" I suppose. But "add-user" and "del-user"? And "update-password-query"? Does Tigase store any passwords in its user DB? If so, why? And if not, is "update-password-query" supposed to update the passwords in the main authentication DB?
What about the SASL mechanisms? As far as I can tell SASL is of no interest to me since the authentication is purely SQL-based and all the hashing and encrypting takes place in the auth DB itself.
Please enlighten me :) The tigase-custom-auth-connector guide is useful but unclear on a few crucial details, such as those described above.
What I want to do, in the end, is use Tigase and its user DB to store everything relevant to the user but use my external mailserver database for authentication. There is also no way I can afford to store clear-text passwords anywhere. Can this be done?
Thanks in advance!
PS: Many, if not all, links to the Trac instance on projects.tigase.org return 404, i.e. http://projects.tigase.org/server/trac/browser/trunk/database/postgresql-schema-4.sql