External authentication #102

Closed
pcdinh opened this issue Sep 5, 2013 · 2 comments

pcdinh commented Sep 5, 2013

Hi,

I find that the external authentication implemented in ejabberd is rather inefficient and inflexible. The reasons are:

  1. The number of CGI processes (authentication scripts) is fixed when ejabberd starts. It cannot be extended if the traffic is higher than planned.
  2. ejabberd distributes authentication requests across CGI processes in a round-robin manner, regardless of whether the CGI process is busy or not. The external authentication script is implemented in blocking mode, accepting a single request at a time, which makes it less scalable. There is no such thing as a backlog queue.
  3. The external authentication script is located on the same machine as ejabberd. They must share system resources with each other. If ejabberd is overloaded, the CGI processes will be affected.
  4. A local external authentication script on an ejabberd box makes it harder to implement a proper security model and deployment. The external authentication script is written in a different language and requires different settings, access rules and libraries.

I don't know if MongooseIM has implemented an alternative solution, e.g. doing authentication via a web service using a RESTful API call (isuser, auth).

PS: ejabberd's authentication engine is hard to debug.
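
For readers unfamiliar with the mechanism under discussion, here is an added example (not posted by anyone in this thread and not ejabberd or MongooseIM code) of an external authentication script handling the `auth` and `isuser` operations in the blocking, one-request-at-a-time style that point 2 describes. The framing follows ejabberd's extauth protocol (2-byte big-endian length, then `op:user:server[:password]`; the reply is a 2-byte length and a 2-byte result); the `USERS` store and all function names are constructed for illustration.

```python
import hmac
import struct
import sys

# Constructed sample store (assumption: a real script would query a backend).
USERS = {("alice", "example.org"): "s3cret:with:colons"}

def read_frame(stream):
    """Return one request payload, or None on EOF or a truncated frame."""
    header = stream.read(2)
    if len(header) < 2:
        return None
    (length,) = struct.unpack(">H", header)
    payload = stream.read(length)
    if len(payload) < length:
        return None
    return payload.decode("utf-8", errors="replace")

def handle(request):
    """Answer auth and isuser; every other operation is refused."""
    op, _, rest = request.partition(":")
    if op == "auth":
        parts = rest.split(":", 2)  # the password itself may contain ':'
        if len(parts) != 3:
            return False
        user, server, password = parts
        stored = USERS.get((user, server))
        return stored is not None and hmac.compare_digest(stored.encode(), password.encode())
    if op == "isuser":
        return tuple(rest.split(":")) in USERS
    return False  # fail closed on unknown or unsupported operations

def serve(inp, out):
    """Blocking loop: read one request, answer it, only then read the next."""
    handled = 0
    while (request := read_frame(inp)) is not None:
        out.write(struct.pack(">HH", 2, int(handle(request))))
        out.flush()
        handled += 1
    return handled

def frame(text):
    """Encode a request the way the server would send it (used for testing)."""
    data = text.encode()
    return struct.pack(">H", len(data)) + data

if __name__ == "__main__":
    serve(sys.stdin.buffer, sys.stdout.buffer)
```

Because `serve` does not read the next frame until the current reply is written, any slow backend lookup inside `handle` stalls every request queued behind it on that process.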

@michalwski
Contributor

Thanks for your input. MongooseIM has the same external auth mechanism as ejabberd, unfortunately. This mechanism is used very rarely and it is not recommended to use it in production because of the reasons you've pointed out.
REST Auth sounds good and we do it already, but we always integrate such an authentication method with the customer's already existing services.
Making it more generic may be useful.

@michalwski
Contributor

@pcdinh take a look at our latest changes (#274). We've just added a new auth mechanism which may interest you.

NelsonVides pushed a commit that referenced this issue Jul 23, 2021
Merge with upstream (refactored mod_muc_iq)