httpd-dev mailing list archives

From "Brad Nicholes" <BNICHO...@novell.com>
Subject Re: mod_auth_pam 2.2.X
Date Wed, 02 Aug 2006 16:35:04 GMT
>>> On 8/2/2006 at 9:01 AM, in message <44D0BE57.9040901@cse.yorku.ca>,
Jason Keltz <jas@cse.yorku.ca> wrote:
> I apologize in advance if this is not the right forum for this type of
> question -- if so, please accept my apology and let me know where I
> might address this problem...
>
> -----
>
> The currently available version of mod_auth_pam for Apache 2.0.X series
> does not work with the new Apache 2.2.X authentication scheme when
> combined with basic authentication since mod_auth_pam doesn't register a
> provider.  Surprisingly enough, I can't find any references on the web
> to people trying to use mod_auth_pam with Apache 2.2.X which surprises
> me.  I was looking at how I might attempt to patch the current module to
> work with 2.2.X.  I can't seem to find much documentation on the new
> "aaa" scheme in 2.2.X, but it doesn't look overly complicated to do when
> I look at say, mod_authn_file.

You are right, there isn't much development documentation which covers
converting an older auth module to the new authnz architecture.  The
best bet is to take the existing modules as examples.

> I'm confused by an aspect of the new
> 2.2.X authentication scheme which I was hoping someone might be able to
> help with.  If I want to port the "AuthPAM_Enabled on|off" into the new
> module, where would it go?  It looks like there should be a
> mod_authn_pam which just handles only the pam authentication, and then
> say, a mod_authz_pamgroup that handles the "require group" directive,
> but it isn't clear to me where the enable flag belongs?   I looked
> through the modules that come with Apache.  The only module that has an
> enable type flag seems to be the ldap module, yet all of the references
> to the enable flag are commented out in that code.  I wonder why?

Understand that I have not looked at the auth_pam module so I don't
know exactly what all of the different configuration directives do. 
However it is highly likely that you do not even need the
AuthPAM_Enabled directive any more.  Under the new architecture,
enabling or disabling an authn module is done by simply including it or
excluding it from the AuthXXXProvider directive.


> Further, how about the AuthFailDelay, and AuthPAM_FallThrough? Would
> these go into mod_authn_pam as well?  As far as I can see, mod_authz_pam
> doesn't seem necessary since the basic authentication covers the use of
> "require user"...

I would guess that the only thing required is that you create a
mod_authn_pam authentication module and that an authz_pam module is not
needed.  Unless you have the need to implement a very specialized type
of authorization, you can simply rely on the existing authz modules to
do the work.  However, if you do need a specialized PAM group
authorization for example, rather than implementing another 'Require
group xxx' directive, you would need to implement a 'pam-group'
authorization type.  See mod_authnz_ldap or mod_authz_dbm as examples.


Brad
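
Added example, not part of the original message and not taken from mod_auth_pam: a configuration sketch of the point made in the reply, with the 2.0.x enable flag beside the 2.2.x provider list. The provider name `pam`, the `pam-group` argument, the directory paths, the password file and the user name are assumptions constructed for illustration; a ported module would define its own provider name.

```apache
# Apache 2.0.x with mod_auth_pam: the module is switched on per directory
# by its own directive (directive name as quoted in the thread).
<Directory "/var/www/private-20">
    AuthType Basic
    AuthName "Restricted"
    AuthPAM_Enabled on
    Require valid-user
</Directory>

# Apache 2.2.x: the ported module registers an authn provider and
# mod_auth_basic selects it by name. "pam" is an assumed provider name.
<Directory "/var/www/private-22">
    AuthType Basic
    AuthName "Restricted"

    # Listing the provider enables it; leaving it out disables it, so no
    # separate on/off flag is needed. Providers are tried in order, and
    # the next one is consulted when a provider does not know the user.
    AuthBasicProvider pam file
    AuthUserFile "/etc/httpd/conf/htpasswd"

    # Authorization stays with the stock authz modules (mod_authz_user here).
    Require user alice

    # A specialized PAM group check would be its own authorization type
    # rather than another "Require group". Hypothetical, not implemented:
    # Require pam-group staff
</Directory>
```

Keeping the provider list explicit per directory makes it easy to audit which credential stores can satisfy a login for that path.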
