CUSP
From M@Wiki


CASL/CCA User Synchronization Protocol (CUSP)

CUSP is a very basic SEND/ACK based protocol that runs over any kind of connectable socket (more on this in a bit). CUSP transmissions may be encrypted using any number of methods, including SSL, that provide exact-form decryption. CUSP was developed for the CASL project.

The "client" opens a connection to the "server", and sends commands in the syntax of "command parameter_string". The "server" either replies with an "OK" or an error message (hopefully intelligent).

As mentioned before, CUSP will run over any "connectable socket" connection. This means it can run over TCP, or even a Local UNIX Domain Socket. References to "LAD" refer to a CUSP server running on a Local UNIX Domain Socket, and references to "RAD" refer to a CUSP server running on a TCP socket.

user username,password

In order to prevent any random programmer from writing a CUSP client and thus manipulating user databases, the first step in a CUSP connection is session authentication. This is currently provided via a pre-set username/password combination, but may be substituted with SSL certificates, Kerberos Tokens, etc.

add username:password:uid:gid:real name:

This command, used to add a new user, varies based on platform. The above syntax is for UN*X based machines; the format to be sent to Windows NT based machines is "username:password:real name:group1:group2:group3....:groupX", as NT can support any number of groups per user. The session must be authenticated to execute this command.

del username

Deleting a user is as simple as issuing this command followed by the username. The session must be authenticated to execute this command.

auth username,password

This command is no longer supported. It was used to ask a CUSP server to authenticate the username and password by merely returning true or false (1 or 0). The session did not need to be authenticated to execute this command.

passwd username,oldpassword,newpassword,confirmpassword

The passwd command is used to change a user's password. If the pre-arranged "override password" is used in the "oldpassword" field, then a "password change override" occurs, and the CUSP server changes the password even if the old password doesn't match. If the override password is not in the "oldpassword" field, then that field must match the current password for that username. The override password should be rejected from any forms or other UIs as a matter of principle. If you want to have a UI-accessible override password, make it something else, and behind the scenes send the CUSP override password if the UI override password is issued. The session must be authenticated to execute this command.
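
The command set above, sketched as a server-side handler in Python. This is an added example, not code from the CASL project: the class name, the session credentials, the override password, the "ERR ..." reply texts and the in-memory user table are all constructed assumptions (the page only specifies "OK" or an error message), and only the UN*X form of add is handled.

```python
import hmac

# Constructed sample values; a real deployment provisions these out of band.
SESSION_CRED = ("syncd", "session-secret")
OVERRIDE_PW = "cusp-override-token"

def _eq(a, b):
    """Compare two secrets in constant time."""
    return hmac.compare_digest(a.encode(), b.encode())

class CuspSession:
    """One client connection; `users` stands in for the platform account database."""

    def __init__(self, users):
        self.users = users
        self.authenticated = False

    def handle(self, line):
        command, _, params = line.rstrip("\r\n").partition(" ")
        if command == "auth":
            return "ERR auth is no longer supported"
        if command == "user":
            name, _, pw = params.partition(",")
            # Evaluate both comparisons so timing does not show which one failed.
            ok = _eq(name, SESSION_CRED[0]) & _eq(pw, SESSION_CRED[1])
            self.authenticated = ok
            return "OK" if ok else "ERR bad session credentials"
        if command not in ("add", "del", "passwd"):
            return "ERR unknown command"
        if not self.authenticated:
            return "ERR session not authenticated"
        if command == "add":
            fields = params.split(":")  # username:password:uid:gid:real name:
            if len(fields) != 6 or not fields[0] or fields[0] in self.users:
                return "ERR bad add request"
            self.users[fields[0]] = fields[1]
            return "OK"
        if command == "del":
            return "OK" if self.users.pop(params, None) is not None else "ERR no such user"
        fields = params.split(",")  # username,oldpassword,newpassword,confirmpassword
        if len(fields) != 4:
            return "ERR passwd needs exactly four fields"
        name, old, new, confirm = fields
        if name not in self.users or not new or new != confirm:
            return "ERR bad passwd request"
        if not (_eq(old, OVERRIDE_PW) or _eq(old, self.users[name])):
            return "ERR old password mismatch"
        self.users[name] = new
        return "OK"
```

Because the fields are delimited by "," and ":", a password containing either character changes the field count; this sketch rejects such requests instead of guessing where the fields split.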

Retrieved from "http://mattwork.potsdam.edu/projects/wiki/index.php/CUSP"

This page has been accessed 1,108 times. This page was last modified 21:14, 5 June 2006.