couchdb-user mailing list archives

From Timothy McKernan <timbitsandby...@gmail.com>
Subject Re: Two-way SSL authentication?
Date Fri, 18 Nov 2016 13:44:36 GMT
On Thu, Nov 17, 2016 at 4:36 PM Robert Samuel Newson <rnewson@apache.org>
wrote:

> Hi Tim,
>
> Authentication handlers are pluggable once again, and that feature will
> appear in our next release (tentatively designated 2.1.0).
>

Great, I thought I'd read that recently but couldn't put my finger on the
post.


> We'd definitely merge a patch that added an authentication handler where
> the DN was used to look up a user in the normal CouchDB _users database.
>

This seems doable, at least as a starter project for me to try. The rest -
eh, I wanted to see if there is any interest in it. Chaining multiple
handlers would introduce a lot of complexity in this one area, but having
this kind of integrated authentication adds a lot of security to the app,
for people that require it.

Thanks for the reply. I'll take a look at the pluggable authentication
handlers.

-Tim


> when we bring LDAP in, things get trickier. I'm sure we'd take a patch to
> add an LDAP authentication handler, but there's no precedent for handlers
> co-operating with other handlers (LDAP plus client cert). If you're
> prepared to do the work, I'm sure this could be figured out, I'm just
> saying the authentication system doesn't already support the notion, and we
> wouldn't want to make this part of couchdb much fiddlier.
>
> B.
>
> > On 17 Nov 2016, at 14:36, Timothy McKernan <timbitsandbytes@gmail.com>
> wrote:
> >
> > Has there been any interest in adding support for two-way SSL
> > authentication? More specifically, I'm looking for a way to:
> >
> >   - Verify a client's cert is valid,
> >      - Check the cert's Certificate Authority(s) against a local store,
> >      - Query a remote service to verify the cert hasn't been revoked
> >      (CRLs),
> >   - Use the client's Distinguished Name to query a remote service (LDAP
> >   would be fine) to verify the user is authorized to connect,
> >   - Use the client's Distinguished Name to authenticate the user in
> >   CouchDb, returning the user ctx.
> >
> > I've looked at how to add an auth handler in 2.0.0 and read some older
> > posts about it. It looks like at least src/chttpd/src/chttpd_auth.erl and
> > src/couch/src/couch_httpd_auth.erl need to be edited to use any new
> > handlers, is that right?
> >
> > I think my questions come down to:
> >
> >   - Is there going to be support for two-way SSL auth?
> >   - If not, is the authentication handler code going to be updated to
> >   allow new handlers to be plugged in (having the handlers implement a
> >   known interface) rather than hand-edit the above code?
> >   - My requirements also suggest allowing a chain of handlers to be
> >   called, so that the details of CouchDb auth vs. CRL verification vs.
> >   LDAP can all be called one after the other, only going to the next
> >   handler if the previous handler succeeded.
> >
> > Right now I'm just trying to understand the scope of what's required to
> > add this, especially if it seems I'd be the one doing it.
> >
> > -Tim
>
>
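The certificate-to-user lookup discussed in this thread, as an added example that is not part of the exchange and not CouchDB's own handler code: Python's standard ssl module enforces the CA-store validation and CRL check during the handshake (verify_mode=CERT_REQUIRED plus VERIFY_CRL_CHECK_LEAF), and a small lookup maps the verified client's subject DN to a user record. USERS_BY_DN and SAMPLE_PEERCERT are constructed stand-ins for the _users database and for getpeercert() output; the remote LDAP authorization step is left out.

```python
import ssl

# Constructed stand-in for CouchDB's _users database, keyed by the subject DN
# derived from the verified client certificate. The LDAP authorization step
# discussed in the thread is out of scope here.
USERS_BY_DN = {
    "CN=tim,OU=Engineering,O=Example Corp": {"name": "tim", "roles": ["editor"]},
}

# getpeercert() uses long attribute names; RFC 4514 DNs use the short forms.
_SHORT = {"commonName": "CN", "organizationalUnitName": "OU", "organizationName": "O",
          "countryName": "C", "localityName": "L", "stateOrProvinceName": "ST"}


def client_auth_context(cafile, crlfile=None):
    """Server-side TLS context: require a client cert, validate it against the
    local CA store and, if a CRL file is supplied, reject revoked leaf certs."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED            # two-way TLS: no cert, no session
    ctx.load_verify_locations(cafile=cafile)       # trusted CAs (PEM bundle)
    if crlfile:
        ctx.load_verify_locations(cafile=crlfile)  # CRLs load through the same call
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def subject_dn(peercert):
    """Flatten the 'subject' of a getpeercert() dict into an RFC 4514 DN string.
    getpeercert() lists RDNs root-first (O, OU, CN); RFC 4514 reverses them."""
    rdns = [f"{_SHORT.get(attr, attr)}={value}"
            for rdn in peercert["subject"] for attr, value in rdn]
    return ",".join(reversed(rdns))


def user_ctx_from_cert(peercert, users=USERS_BY_DN):
    """Map a verified client cert (as returned by tls_sock.getpeercert()) to a
    CouchDB-style user context; None when the DN is not an enrolled user."""
    user = users.get(subject_dn(peercert))
    if user is None:
        return None
    return {"name": user["name"], "roles": list(user["roles"])}


# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_PEERCERT = {
    "subject": ((("organizationName", "Example Corp"),),
                (("organizationalUnitName", "Engineering"),),
                (("commonName", "tim"),)),
}
```

A valid certificate whose DN is not in the user store yields None, which is the "authenticated but not enrolled" case the thread separates from CA and CRL failures (those never reach the lookup because the handshake rejects them first).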
