httpd-dev mailing list archives

From "Brad Nicholes" <BNICHO...@novell.com>
Subject Re: Multiple AAA providers
Date Wed, 02 Mar 2005 19:36:14 GMT
Although I agree that this would probably be the best way to go, I don't
think it will be that simple.  Authnz_ldap stores the LDAPurl and other
information (bind user id, bind password, certs, etc) in a per-Dir
structure.  At the very least, authnz_ldap would have to be taught how
to store multiple configurations per-dir.  Other auth modules may have
the same structure.

Brad

>>> wrowe@rowe-clan.net Wednesday, March 02, 2005 11:14:33 AM >>>
Bleh.  Wouldn't it be easier not to rearchitect the whole thing?

What about the core or mod_auth respecting something like;

<Location /protected>

  <AuthConfig>
      AuthFile users1
  </AuthConfig>

  <AuthConfig>
      AuthFile users2
  </AuthConfig>

</Location>

Simply use the existing scope, inheritance, and so on.  Whenever
multiple AuthConfigs apply to a given scope, iterate them until
satisfied.

I think we can accomplish this with minimal or no changes to any
existing auth module.

I'm concerned that the more complex each auth provider needs to
be, the more probability that there will be logic errors in the
provider.

Bill

At 09:45 AM 3/2/2005, Justin Erenkrantz wrote:
>On Wed, Mar 02, 2005 at 08:24:25AM -0500, Geoffrey Young wrote:
>> while I don't claim to have more than a cursory understanding of ldap, I
>> would think these cases could be handled by extending the current situation
>> a bit.  for instance, for the file provider something like
>> 
>> AuthBasicProvider file
>> AuthFileName file1 file2
>> 
>> if AuthFileName were ITERATE mod_authn_file would know that it should not
>> return AUTH_USER_NOT_FOUND until it has checked all the files present.  or
>> somesuch off the top of my head.
>
>Correct.  That is the approach that makes the most sense to me.  The provider
>itself can loop as long as it wants to using its own config syntax.
>
>However, there is nothing that prohibits one authn module from registering
>multiple providers dynamically.  Remember that the providers are only looked
>up at request-time.  So, if mod_auth_ldap were to have a syntax like:
>
>AuthLDAPProvider foo-1 ldap://ldap.example.com/cn=?
>AuthLDAPProvider foo-2 ldap://ldap2.example.com/cn=?
>
>AuthBasicProvider foo-1 foo-2
>
>That would work, as long as mod_auth_ldap calls ap_register_provider x number
>of times.  -- justin
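
The provider walk Geoffrey and Justin describe above, as an added stand-alone C simulation that is not httpd code: the enum mirrors httpd's authn_status names, while the provider table, credentials and check function are constructed stand-ins for what "AuthBasicProvider foo-1 foo-2" would select. Only AUTH_USER_NOT_FOUND falls through to the next provider; a known user with a wrong password ends the walk with AUTH_DENIED, so a later provider cannot override a definite refusal from an earlier one.

```c
/* Stand-alone simulation of how a front-end such as mod_auth_basic walks
 * an ordered provider list (AuthBasicProvider foo-1 foo-2).  The enum
 * mirrors httpd's authn_status names; the rest is a constructed stand-in. */
#include <string.h>
#include <stdio.h>

typedef enum { AUTH_DENIED, AUTH_GRANTED, AUTH_USER_NOT_FOUND } authn_status;

typedef struct {
    const char *name;      /* provider name as used in AuthBasicProvider */
    const char *user;      /* one constructed credential per provider */
    const char *password;
} provider_t;

/* One provider's check: an unknown user lets the loop continue, while a
 * wrong password for a known user is a definite denial. */
static authn_status check_password(const provider_t *p,
                                   const char *user, const char *pw)
{
    if (strcmp(p->user, user) != 0)
        return AUTH_USER_NOT_FOUND;
    return strcmp(p->password, pw) == 0 ? AUTH_GRANTED : AUTH_DENIED;
}

/* Walk the configured providers in order.  Only AUTH_USER_NOT_FOUND falls
 * through to the next provider; GRANTED or DENIED ends the walk. */
authn_status authenticate(const provider_t *providers, int n,
                          const char *user, const char *pw)
{
    authn_status result = AUTH_USER_NOT_FOUND;
    for (int i = 0; i < n; i++) {
        result = check_password(&providers[i], user, pw);
        if (result != AUTH_USER_NOT_FOUND)
            break;
    }
    return result;
}

/* Constructed stand-ins for the two providers named above. */
const provider_t providers[] = {
    { "foo-1", "alice", "s3cret"  },
    { "foo-2", "bob",   "hunter2" },
};
const int nproviders = 2;

int main(void)
{
    printf("bob -> %d\n", authenticate(providers, nproviders, "bob", "hunter2"));
    return 0;
}
```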

