httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Graham Leggett" <minf...@sharp.fm>
Subject Re: Multiple AAA providers
Date Wed, 02 Mar 2005 14:10:35 GMT
Geoffrey Young said:

> isn't this kind of thing really up to the provider itself?  I would think
> that the provider would need to be intelligent enough to understand when
> to
> iterate over directories or files and when not to.

The end goal is to simplify the providers so that you do not have to teach
each one how to handle multiple sources. The problem with implementing
multiple sources in one provider is that the end users assumes that the
same is possible in other providers, and is surprised when they find out
the hard way it's not.

> while I don't claim to have more than a cursory understanding of ldap, I
> would think these cases could be handled by extending the current
> situation
> a bit.  for instance, for the file provider something like
>
> AuthBasicProvider file
> AuthFileName file1 file2
>
> if AuthFileName were ITERATE mod_authn_file would know that it should not
> return AUTH_USER_NOT_FOUND until it has checked all the files present.  or
> somesuch off the top of my head.
>
> are there situations specific to ldap that would make some variant of this
> difficult or unacceptable? I'm just trying to get a better feel for why
> the
> exception you raise isn't an issue for providers to locally figure out
> themselves.

The problem is that LDAP auth is set up using many directives ("system"
user to bind to the directory as, password, the search details to find the
user record, possible SSL directives per LDAP server).

While the file case fits neatly into the AuthFileName directive, this
doesn't fit into any other auth provider where there are multiple
arguments.

To fill out the example of the "Auth" container to better illustrate what
I mean, you might have this:

<Auth ldap-acc-activedirectory>
  require ldap-group cn=Accounting,ou=Groups,ou=XXX
  AuthLDAPBindDN cn=Mail,dc=XXX
  AuthLDAPBindPassword blah1
  LDAPTrustedMode SSL
  AuthLDAPURL ldaps://xxx.co.za/dc=xxx,dc=co,dc=za?uid?sub
  AuthLDAPRemoteUserIsDN on
</Auth>
<Auth ldap-eng-activedirectory>
  require ldap-group cn=Engineering,ou=Groups,ou=YYY
  AuthLDAPBindDN cn=Mail,dc=YYY
  AuthLDAPBindPassword blah2
  LDAPTrustedMode SSL
  AuthLDAPURL ldaps://yyy.co.za/dc=yyy,dc=co,dc=za?uid?sub
  AuthLDAPRemoteUserIsDN on
</Auth>

AuthBasicProvider ldap-acc-activedirectory ldap-eng-activedirectory

Regards,
Graham
--


Mime
View raw message