httpd-dev mailing list archives

From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: Multiple AAA providers
Date Wed, 02 Mar 2005 18:14:33 GMT
Bleh.  Wouldn't it be easier not to rearchitect the whole thing?

What about the core or mod_auth respecting something like;

<Location /protected>

  <AuthConfig>
      AuthFile users1
  </AuthConfig>

  <AuthConfig>
      AuthFile users2
  </AuthConfig>

Simply use the existing scope, inheritance, and so on.  Whenever
multiple AuthConfigs apply to a given scope, iterate them until
satisfied.

I think we can accomplish this with minimal or no changes to any
existing auth module.

I'm concerned that the more complex each auth provider needs to
be, the more probability that there will be logic errors in the
provider.

Bill

At 09:45 AM 3/2/2005, Justin Erenkrantz wrote:
>On Wed, Mar 02, 2005 at 08:24:25AM -0500, Geoffrey Young wrote:
>> while I don't claim to have more than a cursory understanding of ldap, I
>> would think these cases could be handled by extending the current situation
>> a bit.  for instance, for the file provider something like
>> 
>> AuthBasicProvider file
>> AuthFileName file1 file2
>> 
>> if AuthFileName were ITERATE mod_authn_file would know that it should not
>> return AUTH_USER_NOT_FOUND until it has checked all the files present.  or
>> somesuch off the top of my head.
>
>Correct.  That is the approach that makes the most sense to me.  The provider
>itself can loop as long as it wants to using its own config syntax.  
>
>However, there is nothing that prohibits one authn module from registering
>multiple providers dynamically.  Remember that the providers are only looked
>up at request-time.  So, if mod_auth_ldap were to have a syntax like:
>
>AuthLDAPProvider foo-1 ldap://ldap.example.com/cn=?
>AuthLDAPProvider foo-2 ldap://ldap2.example.com/cn=?
>
>AuthBasicProvider foo-1 foo-2
>
>That would work, as long as mod_auth_ldap calls ap_register_provider x number
>of times.  -- justin
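
The iterate-until-found behaviour discussed in this thread, as an added example that is not part of the original message or of httpd's code. The status names follow the AUTH_USER_NOT_FOUND convention quoted above; the structs, function names and sample users are hypothetical, and the sketch assumes that only "user not found" falls through to the next source, which the thread itself does not settle.

```c
#include <stddef.h>
#include <string.h>

/* Status names follow httpd's authn_status; everything else is hypothetical. */
typedef enum { AUTH_DENIED, AUTH_GRANTED, AUTH_USER_NOT_FOUND } authn_status;

struct user { const char *name; const char *secret; };
struct user_file { const struct user *users; size_t n; };

/* Constructed sample data standing in for two password files.
 * Real files hold password hashes; plain strings keep the sketch short. */
static const struct user users1[] = { {"alice", "a-secret"}, {"bob", "b-secret"} };
static const struct user users2[] = { {"carol", "c-secret"}, {"bob", "other"} };
const struct user_file files[] = { { users1, 2 }, { users2, 2 } };

/* One file lookup: unknown user and wrong password are distinct results. */
static authn_status check_file(const struct user_file *f,
                               const char *name, const char *secret)
{
    for (size_t i = 0; i < f->n; i++) {
        if (strcmp(f->users[i].name, name) == 0)
            return strcmp(f->users[i].secret, secret) == 0
                       ? AUTH_GRANTED : AUTH_DENIED;
    }
    return AUTH_USER_NOT_FOUND;
}

/* Iterate the sources in order.  Only AUTH_USER_NOT_FOUND moves on to the
 * next source (assumption); a wrong password in an earlier file is final,
 * so a later file cannot override it.  *hit reports which source decided. */
authn_status check_all(const struct user_file *fs, size_t nfiles,
                       const char *name, const char *secret, int *hit)
{
    for (size_t i = 0; i < nfiles; i++) {
        authn_status rc = check_file(&fs[i], name, secret);
        if (rc != AUTH_USER_NOT_FOUND) {
            *hit = (int)i;
            return rc;
        }
    }
    *hit = -1;
    return AUTH_USER_NOT_FOUND;
}

int main(void)
{
    int hit;  /* "bob" is in both files; the first file's verdict must win */
    return check_all(files, 2, "bob", "other", &hit) == AUTH_DENIED ? 0 : 1;
}
```

The "bob" entry shows why the fall-through rule matters: if a denial also continued to the next source, the effective credential for an account would be the union of every file that lists it.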

