httpd-dev mailing list archives

From Russell Howe
Subject Re: Multiple AAA providers
Date Fri, 27 May 2005 16:11:35 GMT
Jess Holle wrote:
> In our case it does not depend which is checked first (except perhaps
> for performance) as there will not be any overlap between the
> directories.  For instance, one LDAP might be for corporation X and
> another for one of their partners.  Another example: one might be a
> read-only corporate directory and another might be an application
> writable directory (for pseudo-users, guest accounts, etc).

Same for me here.

We actually have a mixture - LDAP search for collective accounts shared
by groups of people (these will go, given time), LDAP search on an
OpenLDAP server (hopefully a redundant pair) and an LDAP search on the
Win2k domain controllers (two of them, if one's not available, fall back
to the other).

JAAS does all the hard work for me in Java though, as regards trying
multiple authentication modules. Apparently they copied the
configuration scheme from PAM, or at least tried to make it PAM-like.

> There was discussion some time back (under the same title as this
> thread) about doing this in a somewhat general fashion so one could have
> multiple LDAP providers, multiple password file providers, etc...
> That would be a great grand unified theory (and I see it as useful) but
> what I care most about is multiple LDAPs.  If we could just have the
> existing mod_auth_ldap handle multiple LDAPs (beyond in a strict
> failover capacity) that would be *huge*.  If we can't get the grand
> unified approach, I'd at least like to see multiple LDAP handling.

Ah, I see what you mean - it would appear that while you can chain
authentication methods, they have to be different methods, taking
different options. Am I getting that right? If so, I can't readily port
my Java authentication scheme to Apache :/

Here is my latest posting to jetty-discuss, talking about the
LoginModule. Hopefully it is enough to give a rough idea of what it does.

Russell Howe

Today's Nemi:
