httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Brad Nicholes" <>
Subject Re: mod_auth_pam 2.2.X
Date Wed, 02 Aug 2006 19:08:37 GMT
>>> On 8/2/2006 at 10:53 AM, in message <>,
Keltz <> wrote:
> Brad Nicholes wrote:
>>>>> On 8/2/2006 at 9:01 AM, in message
>> Jason Keltz
>> Understand that I have not looked at the auth_pam module so I don't
>> know exactly what all of the different configuration directives do.

>> However it is highly likely that you do not even need the
>> AuthPAM_Enabled directive any more.  Under the new architecture,
>> enabling or disabling an authn module is done my simply including it
>> excluding it from the AuthXXXProvider directive.
> Actually, that makes a lot of sense.  However, I have another similar

> difficulty.  I had also added my own "AuthPAMEngine" command to 
> mod_auth_pam that would only work from the server configuration.  It
> a very simple flag that could be toggled at the server level.  This
> I could allow mod_auth_pam to be used on only specific virtual
>   I enabled it only in our SSL configuration.  Could that also be 
> integrated into the mod_authn_pam module?   Is there a better way in

> Apache that permits the web site owner to restrict access to modules

> from within particular virtual servers?

You could implement an AuthPAMEngine directive in mod_authn_pam but you
would have to decide exactly what that means.  Keep in mind that under
the authnz architecture, every provider listed in a specific
AuthnXXXProvider directive will be called and must return some kind of
AUTH_XXX code.   If a provider is not listed in a particular
AuthnXXXProvider directive for a <Directory> or <Location> block, the
provider will not be called for that block.  So like I mentioned before,
enabling or disabling it is simply a matter of including it in the
AuthnXXXProvider directive or not.  If you did implement an
AuthPAMEngine directive, you would need to decide what 'AuthPAMEngine
Off' means as far as which auth code should be returned.  If you return
an AUTH_DENIED then other authn providers that follow your authn_pam
provider that are listed in the AuthnXXXProvider directive would be
called and allowed to authenticate the user, otherwise the request would
be denied.  If you returned AUTH_GRANTED then only the authn providers
that were listed previous to your authn_pam provider would have been
called and authentication would stop at that point and granted.  There
isn't a DECLINED option anymore.  Basically if your PAM provider is
never included in any AuthnXXXProvider directive, then it is never
called and is just dead code (ie, disabled).


View raw message