httpd-dev mailing list archives

From "Cliff Woolley" <jwool...@wlu.edu>
Subject Re: Multimodal authentication
Date Sun, 02 Jan 2000 18:03:39 GMT
>>> Doug Luce <doug@newhttpd.con.com> 01/02/00 12:06AM >>>
>I couldn't find any existing mechanism within Apache to allow cross-modal
>fallback or anything similar (although some modules allow for fallback
>semantics within their own mode).  It also doesn't seem like it's
>something that a module can be coded up to handle, unless you go through a
>lot of crap with separate config files for the authentication and create a
>module that does module processing (submodules?).

If you want what I think you want, it seems to me that a much easier
way to handle this is through Authoritative settings in each of your
auth modules, rather than changing the Apache core.  This works quite
well with, as an example, mod_auth and mod_auth_nds used together. 
Using that as an example, let's say you want most people to authenticate
with their NDS username/password, but you have a handful of people that
need access that don't and shouldn't have NDS accounts.  So you give
them access via .htpasswd-style entries for mod_auth.  Change the
default within mod_auth.c to new->auth_authoritative = 0; instead of =1,
and make sure that mod_auth_nds is ABOVE mod_auth in your
Configuration.tmpl before you run configure on Apache.  Then you can
combine directives for mod_auth and mod_auth_nds in the same .htaccess
file very easily, such as:

AuthName "A Protected Place"
AuthType Basic
AuthUserFile    /path/to/.htpasswd
AuthNDSUserFile /path/to/.ndsusers

require valid-user

(where AuthNDSUserFile is just a list of NDS accounts that are allowed
access to this directory).

You should be able to use this same idea for your situation, except
maybe for the use of mod_auth_inst instead of mod_auth.  (Is there such
a thing as "not authoritative" for mod_auth_inst?  I've never used it. 
Add that feature as a first step if it's not already there.)  Or, it
could just be that mod_auth's default of "authoritative" is getting in
your way, depending on the order in which you compiled in your auth
modules.  Take a look at it from this perspective instead, and you'll
probably find it much easier.  I tend to like the use of "require
valid-user" in this case because it allows each module to only allow
access if that module knows about that user, but otherwise
non-authoritative modules DECLINE the request and your fall-back module
(probably mod_auth_ldap for you) is the authoritative one which will
always either return OK or AUTH_REQUIRED.

Does this make sense?

Hope it helps...
--Cliff

Cliff Woolley
Central Systems Software Administrator
Washington and Lee University
http://www.wlu.edu/~jwoolley/

Work: (540) 463-8089
Pager: (540) 462-2303
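
Added example, not part of the message above and not Apache source code: a simplified C model of the fallback the message describes, where a non-authoritative module returns DECLINED for a user it does not know and the authoritative fallback always answers OK or AUTH_REQUIRED. Assumptions of the model: mod_auth is consulted before mod_auth_nds, a known user with a wrong password is rejected outright, the user names and plaintext passwords are constructed, and a chain in which every module declines is treated as a denial.

```c
#include <stdio.h>
#include <string.h>

enum { OK = 0, DECLINED = -1, AUTH_REQUIRED = 401 };
struct cred { const char *user, *pw; };   /* plaintext only to keep the model short */
struct auth_module {
    int authoritative;                    /* 1: an unknown user is a hard failure */
    const struct cred *db; size_t n;      /* this module's own user store */
};

/* One module's answer: unknown users are DECLINED only when non-authoritative. */
static int check_user(const struct auth_module *m, const char *user, const char *pw)
{
    for (size_t i = 0; i < m->n; i++)
        if (strcmp(m->db[i].user, user) == 0)
            return strcmp(m->db[i].pw, pw) == 0 ? OK : AUTH_REQUIRED;
    return m->authoritative ? AUTH_REQUIRED : DECLINED;
}

/* Walk the chain in order; the first answer other than DECLINED wins. */
static int run_chain(const struct auth_module *chain, size_t n, const char *user, const char *pw)
{
    for (size_t i = 0; i < n; i++) {
        int rc = check_user(&chain[i], user, pw);
        if (rc != DECLINED) return rc;
    }
    return AUTH_REQUIRED;                 /* model choice: nobody vouched, fail closed */
}

/* Constructed user stores standing in for .htpasswd and the NDS directory. */
static const struct cred htpasswd[] = { { "guest1", "pw-guest" } };
static const struct cred nds[]      = { { "alice",  "pw-nds"   } };

/* Outcome when mod_auth (consulted first) has the given authoritative flag. */
int try_login(int mod_auth_authoritative, const char *user, const char *pw)
{
    struct auth_module chain[] = {
        { mod_auth_authoritative, htpasswd, 1 },   /* mod_auth */
        { 1,                      nds,      1 },   /* mod_auth_nds, the fallback */
    };
    return run_chain(chain, 2, user, pw);
}

int main(void)
{
    printf("mod_auth authoritative:     alice -> %d\n", try_login(1, "alice", "pw-nds"));
    printf("mod_auth non-authoritative: alice -> %d\n", try_login(0, "alice", "pw-nds"));
    return 0;
}
```

With mod_auth left authoritative, the NDS-only user is rejected before the fallback module is ever asked; with it non-authoritative, only users unknown to mod_auth fall through.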
