httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Brian Behlendorf <>
Subject Mod_auth_external
Date Wed, 19 Nov 1997 08:31:48 GMT

help, info overload.  If someone wants to response, maybe Dirk as he's done
the most creative auth stuff, I would appreciate it.  Thanks!


>X-Lotus-FromDomain: DDK
>Date: Mon, 17 Nov 1997 08:34:41 +0200
>Subject: Mod_auth_external
>I have been using Nathan Neulinger´s mod_auth_external module for a web
>application, writing my own authenticator to authenticate against a Solid
>SQL server. Doing that i started thinking (a bad habit of mine... ) I sent
>him an email describing some of my thoughts and he responded that I should
>try forwarding it to the Apache maintainers. I hope you fit that category
>or at least would be so kind to forward this mail to the right person.
>Here is some of my thoughts :
>+) Calling af an external authenticator is a great way og doing
>authentication against more sophisticated sources than just a passwordfile
>-) But the overhead involved in starting up the new process could be
>-) Every access to a protected directory does an authentication call, an
>SQL authenticator could therefor be more efficient if it was able to do
>caching of the data from the DB-server, but this would require the
>authenticator to be persistent.
>-) The current scheme to do external authentication using mod_auth_external
>doesn´t  allow the authenticator to be persistent and therefor it cannot
>maintain connections to databases - the Solid server in my example.
>+) External authentication removes the need for more exotic Apache modules,
>that way the apache source and the httpd is able to be a more "clean" httpd
>- that way removing possible errors.
>+) External authentication removes any need for linking the apache
>executable with different libraries used in the authentication module -
>again this leeds to a more clean and stable binary.
>By doing authentacation with an external, dedicated program new
>possibilities arises - all diferent kinds of smart authentication mecanisms
>is made possible :
>*) Authentication based on date/time
>*) Authentication based on radius or tacacs
>*) Authentication based on PAM or traditional unix passwd/shadow files
>*) Authentication and registration in an external database
>*) And a lot more...
>Doing more resource intensive/security critical authentications on the
>actual host running the httpd can lead to security considerations. Being
>able to do authentication in a distributed way could help improve security.
>And on a network with multiple httpd-hosts one host running the distributed
>approach can lead to network-wide resource savings and to a consistent
>authentication scheme across the network.
>My idea for a solution is a socket based two-tier model with an apache
>module calling the authenticator on the same or a different host,
>and then letting that authenticator do whatever clever tings the actual
>implementation requires such as maintaining a connection to a databse
>server, caching information etc.
>This will of course need to implement a standarized protocol used in the
>apache->authenticator communication. Such a protocol would have to be
>relative secure, extensible and well-defined. And it could pass different
>data from the httpd to the authenticator susch as remote IP addr and other
>things possible relevant for the authentication process.
>Please let me know what you think of this. I would like to code it myself,
>but I think it is better with some discussion first istead of developing in
>the wrong direction.
>So I really wan´t to get in contact with the right people on this issue.
>Stephen Aaskov
>DDK - Dansk Data Kommunikation
"it's a big world, with lots of records to play." - sig

View raw message