httpd-dev mailing list archives

From Doug Luce <d...@newhttpd.con.com>
Subject Re: Multimodal authentication
Date Sun, 02 Jan 2000 19:19:27 GMT
If all modules return DECLINE instead of an error, don't you end up with
an error being transmitted to the browser, and a line like "configuration
error: couldn't check user.  No user file?" in your error log?  Wouldn't
it be better to have a message like "Nobody wants to authenticate you"
be sent?

This also doesn't map onto the semantics of "If I didn't authenticate this
user, I shouldn't check their access."  mod_auth, even in
non-authoritative mode, will try to validate access anyway.  Of course, if
it fails, it DECLINES and lets the next module have a try.  But if another
module authenticates a user, and applies different access logic to their
group membership, mod_auth might be stomping on some toes (or vice versa,
causing problems controlling precedence through module order in
Configuration.tmpl).  While I don't think this would be a problem in my
specific case, I don't think this is good in general.

There's two problems here: a module trying to check access on a user it
didn't authenticate, and the standard require statements being interpreted
by different modules.  The first can be solved by having modules keep
track of whether they performed authentication, and only doing the
access_check if so.  The second can be addressed by removing the
cross-module interpretation of require statements.  Instead, have modules
register new commands to set their access parameters (like "LDAPrequire
group ...").

Thoughts?

Doug

On Sun, 2 Jan 2000, Cliff Woolley wrote:

> >>> Doug Luce <doug@newhttpd.con.com> 01/02/00 12:06AM >>>
> >I couldn't find any existing mechanism within Apache to allow cross-modal
> >fallback or anything similar (although some modules allow for fallback
> >semantics within their own mode).  It also doesn't seem like it's
> >something that a module can be coded up to handle, unless you go through a
> >lot of crap with separate config files for the authentication and create a
> >module that does module processing (submodules?).
> 
> If you want what I think you want, it seems to me that a much easier
> way to handle this is through Authoritative settings in each of your
> auth modules, rather than changing the Apache core.  This works quite
> well with, as an example, mod_auth and mod_auth_nds used together. 
> Using that as example, let's say you want most people to authenticate
> with their NDS username/password, but you have a handful of people that
> need access that don't and shouldn't have NDS accounts.  So you give
> them access via .htpasswd-style entries for mod_auth.  Change the
> default within mod_auth.c to new->auth_authoritative = 0; instead of =1,
> and make sure that mod_auth_nds is ABOVE mod_auth in your
> Configuration.tmpl before you run configure on Apache.  Then you can
> combine directives for mod_auth and mod_auth_nds in the same .htaccess
> file very easily, such as:
> 
> AuthName "A Protected Place"
> AuthType Basic
> AuthUserFile    /path/to/.htpasswd
> AuthNDSUserFile /path/to/.ndsusers
> 
> require valid-user
> 
> (where AuthNDSUserFile is just a list of NDS accounts that are allowed
> access to this directory).
> 
> You should be able to use this same idea for your situation, except
> maybe for the use of mod_auth_inst instead of mod_auth.  (Is there such
> a thing as "not authoritative" for mod_auth_inst?  I've never used it. 
> Add that feature as a first step if it's not already there.)  Or, it
> could just be that mod_auth's default of "authoritative" is getting in
> your way, depending on the order in which you compiled in your auth
> modules.  Take a look at it from this perspective instead, and you'll
> probably find it much easier.  I tend to like the use of "require
> valid-user" in this case because it allows each module to only allow
> access if that module knows about that user, but otherwise
> non-authoritative modules DECLINE the request and your fall-back module
> (probably mod_auth_ldap for you) is the authoritative one which will
> always either return OK or AUTH_REQUIRED.
> 
> Does this make sense?
> 
> Hope it helps...
> --Cliff
> 
> Cliff Woolley
> Central Systems Software Administrator
> Washington and Lee University
> http://www.wlu.edu/~jwoolley/
> 
> Work: (540) 463-8089
> Pager: (540) 462-2303
> 
> 
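To make the dispatch semantics argued over in this thread concrete, here is an added model (not code from the thread, and not Apache's own code) of the check_user_id and auth_checker phases: a chain of modules that each return OK, DECLINED or AUTH_REQUIRED, the "everybody DECLINED" case that Doug says surfaces as a configuration error, Cliff's point that an authoritative mod_auth called first blocks NDS users, and Doug's proposed fix of having a module check access only for users it authenticated itself. The module names, users, groups, numeric return codes and the call order are constructed assumptions for the illustration.

```python
from dataclasses import dataclass, field
OK, DECLINED, AUTH_REQUIRED, SERVER_ERROR = 0, -1, 401, 500  # illustrative values
@dataclass
class Request:
    user: str
    password: str
    notes: dict = field(default_factory=dict)  # per-request scratch, like r->notes

@dataclass
class AuthModule:
    name: str
    users: dict                     # user -> password (constructed sample data)
    groups: dict                    # user -> groups as this module believes them
    authoritative: bool
    gate_access_check: bool = True  # Doug's fix: check access only if we authenticated

    def check_user_id(self, r):
        if r.user in self.users and self.users[r.user] == r.password:
            r.notes["authenticated_by"] = self.name  # remember who vouched for the user
            return OK
        return AUTH_REQUIRED if self.authoritative else DECLINED

    def auth_checker(self, r, group):
        # Ungated, this module applies "require group" with its own group data even to a
        # user another module authenticated: the toe-stomping Doug describes.
        if self.gate_access_check and r.notes.get("authenticated_by") != self.name:
            return DECLINED
        if group in self.groups.get(r.user, ()):
            return OK
        return AUTH_REQUIRED if self.authoritative else DECLINED

def run_phase(modules, r, phase, *args):
    """Core dispatch: the first module not returning DECLINED decides; if all DECLINE,
    nobody checked the user and the core logs "couldn't check user" and answers 500."""
    for m in modules:
        rc = getattr(m, phase)(r, *args)
        if rc != DECLINED:
            return rc
    return SERVER_ERROR

def authorize(modules, r, group):
    """check_user_id first; the access check runs only for an accepted user."""
    rc = run_phase(modules, r, "check_user_id")
    return rc if rc != OK else run_phase(modules, r, "auth_checker", group)

# Constructed sample: non-authoritative mod_auth called first, authoritative mod_auth_nds
# as fall-back. mod_auth's stale group file still lists carol, now an NDS-only user.
MOD_AUTH = AuthModule("mod_auth", {"bob": "pw-b"}, {"bob": {"staff"}, "carol": {"staff"}}, False)
MOD_NDS = AuthModule("mod_auth_nds", {"alice": "pw-a", "carol": "pw-c"}, {"alice": {"staff"}, "carol": {"students"}}, True)
CHAIN = [MOD_AUTH, MOD_NDS]
```

With CHAIN, a local user and an NDS user both pass "require group staff", an unknown user gets AUTH_REQUIRED from the authoritative fall-back, and carol is refused because only the module that authenticated her interprets the require line; flip gate_access_check off on mod_auth and its stale group entry lets her through.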

