httpd-dev mailing list archives

From Justin Erenkrantz <jus...@erenkrantz.com>
Subject Re: Multiple AAA providers
Date Fri, 04 Mar 2005 07:30:36 GMT
On Thu, Mar 03, 2005 at 08:40:22PM -0600, William A. Rowe, Jr. wrote:
> And attached is the module for comment.  I have no time till this
> weekend if then, so I've got the build system changes and will
> commit if we like.

My question as to how this would interact with the auth providers is still
unanswered.

Remember that the auth providers don't implement the check_user_id hook - only
the auth mechanisms (basic/digest) implement those hooks.  So, this module
acts counter to the entire notion of providers by just blindly re-running the
entire hook process instead.  (check_user_id now becomes recursive - yikes!)
We'd now incur the overhead of the auth mechanism hooks when there is little
need to do so.  Plus, we lose the ability to sanely chain providers as was the
original intent.

I still maintain the better way to do this is to handle it in the provider
modules themselves by leveraging the provider API instead.  

To reiterate, in my mind, the ideal syntax is:

<Location /foo>
  <LDAPProvider ldap1>
      ...config options for mod_authnz_ldap...
  </LDAPProvider>
  <LDAPProvider ldap2>
      ...config options for mod_authnz_ldap...
  </LDAPProvider>
  <DBDProvider my_db>
      ...config options for hypothetical mod_authn_dbd...
  </DBDProvider>

  ...config options for mod_authnz_ldap...

  AuthUserFile conf/foo

  AuthBasicProvider ldap1 ldap2 ldap file my_db
</Location>

This isolates the config directly to the module, and if we so desire, we could
add helper functions which promote re-use of this strategy by other provider
modules as needed.  -- justin
