httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From j...@sterls.com
Subject Re: authentication rewrite
Date Tue, 27 Aug 2002 14:12:43 GMT
Hi Justin -

>-- Original Message --
>Reply-To: dev@httpd.apache.org
>Date: Mon, 26 Aug 2002 23:44:32 -0700
>From: Justin Erenkrantz <jerenkrantz@apache.org>
>To: dev@httpd.apache.org
>Subject: Re: authentication rewrite
>
>My point is that I need to add another front end authentication
>module (namely within mod_dav).  I think it'd be pointless to
>duplicate all of the backend work done in mod_auth* so that
>mod_dav can authenticate users.  The current authentication API
>can't work as it combines the front and back-ends.  The answer we
>give to people is, "cut-and-paste."  Ick.  Therefore, yes, I think
>we have to introduce another level as what we have now is
>insufficient.

I understand your point, and I think its a good one.  I just wanted to raise
a concern (which I still think is important to think about).  about a year
and a half ago I abstracted the auth stuff in a similar way - In my case,
however, I wanted the back ends to have much richer authorization functionality
than the current AAA modules.  In a 'require group' world, it is very nice
to abstract this stuff out so backends can be re-used, and apache specific
logic can be centralized - as you have proposed.  But it will be harder
to plug in backends that try to do more with requirements (of which there
really aren't many)- which is probably fine.

>In my vision, the LDAP module would have its own directives/options
>to specify what it returns.  So, I don't think this is a big concern.
>
>I'd imagine something like:
>
>AuthProvider ldap
>AuthLDAPServer ldap.example.com
>AuthLDAPBase o=example.com
>AuthLDAPUserSearch (username=%s)
>AuthLDAPGroupSearch (groupmember=%s)

here's a couple of comments on the implementation:

1) It looks like the 'AuthProvider' does not allow you to stack auth handlers.
 I would be cool (if not critical :) if it was more of an AddAuthProvider
- then the basic auth handler loops through all providers that are added.
 This way you could configure ldap and anon for a given location.

2) If you do allow stacking of providers like this, you need to also provide
the ability to specify which one is authoritative (if any).

3) maybe i'm missing something, but why did you rewrite ap_note_basic_auth_failure
and ap_get_basic_auth?  assuming there was a reason, maybe a comment in
the code would help clarify it.

hope this helps.

sterling


Mime
View raw message