httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jess Holle <je...@ptc.com>
Subject Re: Multiple AAA providers
Date Wed, 02 Mar 2005 13:52:30 GMT
This is essentially describing Graham's first option -- which is 
workable.  It just requires extra work from each and every auth module 
author -- thus leading to a likelihood of some providing this and others 
not doing so.  It would be good to have a level of consistency.  Though 
my primary concern is with multiple LDAPs, the multiple password file 
case makes good sense, for instance.

--
Jess Holle

Geoffrey Young wrote:

>>This solves the problem for multiple providers, but the problem isn't
>>solved for where the same provider is used twice, for example:
>>
>>- If user is present in file A or file B
>>- If user is present in directory A or directory B
>>    
>>
>
>hmm...
>
>isn't this kind of thing really up to the provider itself?  I would think
>that the provider would need to be intelligent enough to understand when to
>iterate over directories or files and when not to.
>  
>
>>There are two options to this:
>>
>>- Teach each provider how to handle multiple instances of itself (sounds
>>like too much duplication)
>>- Introduce a concept like this:
>>
>><Auth ldap-provider-A>
>>  # LDAP stuff for LDAP server A
>></Auth>
>><Auth ldap-provider-B>
>>  # LDAP stuff for LDAP server B
>></Auth>
>>
>>AuthBasicProvider ldap-provider-A ldap-provider-B
>>    
>>
>while I don't claim to have more than a cursory understanding of ldap, I
>would think these cases could be handled by extending the current situation
>a bit.  for instance, for the file provider something like
>
>AuthBasicProvider file
>AuthFileName file1 file2
>
>if AuthFileName were ITERATE mod_authn_file would know that it should not
>return AUTH_USER_NOT_FOUND until it has checked all the files present.  or
>somesuch off the top of my head.
>
>are there situations specific to ldap that would make some variant of this
>difficult or unacceptable? I'm just trying to get a better feel for why the
>exception you raise isn't an issue for providers to locally figure out
>themselves.
>
>--Geoff
>  
>


Mime
View raw message