httpd-dev mailing list archives

From Greg Stein
Subject Re: authentication rewrite
Date Wed, 28 Aug 2002 09:21:00 GMT

On Wed, Aug 28, 2002 at 01:59:29AM -0700, Justin Erenkrantz wrote:
> On Tue, Aug 27, 2002 at 05:25:25PM -0700, Greg Stein wrote:
> > It would seem that changes to the directives would be easy, and we could
> > also deprecate older directives. In all cases, we'd change our .conf files
> > and the doc, issue warnings for old usage, and then just "wait a while"
> > before removing old support.
>
> The real problem is with mod_auth_dbm.  Part of the problem is that
> mod_auth_dbm is dependent on the new mod_auth_basic.  I guess we
> could force mod_auth_dbm to build mod_auth_basic via config.m4 magic.
> (mod_auth would be removed entirely, so that might be iffy too.)

Yes, the build part could be done relatively easily. Tossing mod_auth
wouldn't be too bad, as that would affect just one line in a user's config,
and the "failure mode" would be obvious. The server would hit the LoadModule
and punt right there. Delete that line and off you go...

> Yet, I'm not clear how we could trick mod_auth_basic to use DBM
> unless they add "AuthProvider dbm" to mimic the old mod_auth_dbm
> code.  (The catch is that mod_auth_basic should use 'file' as the
> default provider to mimic the no longer present mod_auth.)

Hmm. Crap. I'm looking at mod_auth_dbm.c. Damn... it appears that *both*
mod_auth and mod_auth_dbm define the AuthUserFile and AuthGroupFile
directives. Beats the crap outta me how that happens to work.

And then it would appear that both of them run. And the ordering is
arbitrary between the two (both are MIDDLE hooks). If a file and a dbm
happen to define the same user, then it is "random" which you'll auth
against (in terms of the password).

It would seem that the default is to run both, unless somebody sets an
"authoritative" flag. In that case, you run just one.

> Hmm.  One thought would be to implement the multiple provider
> scheme John mentioned and always do file/dbm unless said so.  But,
> ick, that might catch people by surprise and I'm not sure if that
> is really possible as mod_auth_dbm and mod_auth used to share the
> same config syntax (ick!), so I'm unclear what would happen when
> both would try to interpret things.  Ick, ick, ick.
> Thoughts?  -- justin

I think it might be doable. Note that the "AuthAuthoritative" and
"AuthDBMAuthoritative" would be deprecated. To make something
"authoritative", you just don't include the other providers:

AuthProvider file dbm  # file first, then dbm
AuthProvider file      # file is "authoritative"
AuthProvider dbm       # dbm is "authoritative"

The answer seems to be "in there somewhere". The problem is untangling the
mess that we have now. Thankfully, post-entanglement will be a nice place to
be :-)


Greg Stein,
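
Added example, not part of the original message and not httpd code: a small C model of the ordered provider list proposed above, showing how listing providers replaces the "authoritative" flags and removes the arbitrary choice when a file and a dbm define the same user. The type and function names, the sample users, and the rule that only "user not found" falls through to the next provider are assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Added sketch; every name here is hypothetical, not httpd's API. */
typedef enum { USER_NOT_FOUND, DENIED, GRANTED } authn_result;
typedef struct { const char *user, *password; } cred;

/* Constructed sample stores: "alice" is in both, with different passwords.
 * Plaintext and strcmp() keep the sketch short; real stores hold hashes. */
static const cred file_db[] = { {"alice", "file-pw"}, {"bob", "bob-pw"} };
static const cred dbm_db[]  = { {"alice", "dbm-pw"}, {"carol", "carol-pw"} };

/* The three provider lists from the message. */
static const char *const file_then_dbm[] = { "file", "dbm" };
static const char *const file_only[]     = { "file" };
static const char *const dbm_only[]      = { "dbm" };

static authn_result lookup(const cred *db, size_t n,
                           const char *user, const char *pw)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(db[i].user, user) == 0)
            return strcmp(db[i].password, pw) == 0 ? GRANTED : DENIED;
    return USER_NOT_FOUND;
}

/* Walk providers in configured order. Assumption: the first provider that
 * knows the user decides; only "user not found" falls through to the next. */
authn_result authenticate(const char *const *providers, size_t n,
                          const char *user, const char *pw)
{
    for (size_t i = 0; i < n; i++) {
        authn_result r = USER_NOT_FOUND;
        if (strcmp(providers[i], "file") == 0)
            r = lookup(file_db, sizeof file_db / sizeof *file_db, user, pw);
        else if (strcmp(providers[i], "dbm") == 0)
            r = lookup(dbm_db, sizeof dbm_db / sizeof *dbm_db, user, pw);
        if (r != USER_NOT_FOUND)
            return r;
    }
    return DENIED; /* no listed provider knows the user: fail closed */
}

int main(void)
{
    printf("%d %d %d\n", authenticate(file_then_dbm, 2, "alice", "dbm-pw"),
           authenticate(file_only, 1, "carol", "carol-pw"),
           authenticate(dbm_only, 1, "bob", "bob-pw"));
    return 0;
}
```

With "file dbm" the shadowed user alice is always checked against the file entry, so her dbm password is refused every time rather than depending on hook order.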
