httpd-dev mailing list archives

From Jason Keltz <>
Subject Re: mod_auth_pam 2.2.X
Date Wed, 02 Aug 2006 16:53:30 GMT
Brad Nicholes wrote:
>>>> On 8/2/2006 at 9:01 AM, in message <>, Jason Keltz
>> I'm confused by an aspect of the new 2.2.X authentication scheme which I
>> was hoping someone might be able to help with.  If I want to port the
>> "AuthPAM_Enabled on|off" into the new module, where would it go?  It looks
>> like there should be a mod_authn_pam which just handles only the pam
>> authentication, and then say, a mod_authz_pamgroup that handles the
>> "require group" directive, but it isn't clear to me where the enable flag
>> belongs?   I looked through the modules that come with Apache.  The only
>> module that has an enable type flag seems to be the ldap module, yet all of
>> the references to the enable flag are commented out in that code.  I wonder
>> why?
> Understand that I have not looked at the auth_pam module so I don't
> know exactly what all of the different configuration directives do. 
> However it is highly likely that you do not even need the
> AuthPAM_Enabled directive any more.  Under the new architecture,
> enabling or disabling an authn module is done by simply including it or
> excluding it from the AuthXXXProvider directive.

Actually, that makes a lot of sense.  However, I have another similar 
difficulty.  I had also added my own "AuthPAMEngine" command to 
mod_auth_pam that would only work from the server configuration.  It is 
a very simple flag that could be toggled at the server level.  This way, 
I could allow mod_auth_pam to be used on only specific virtual servers. 
  I enabled it only in our SSL configuration.  Could that also be 
integrated into the mod_authn_pam module?   Is there a better way in 
Apache that permits the web site owner to restrict access to modules 
from within particular virtual servers?

>> Further, how about the AuthFailDelay, and AuthPAM_FallThrough? Would these
>> go into mod_authn_pam as well?  As far as I can see, mod_authz_pam doesn't
>> seem necessary since the basic authentication covers the use of
>> "require user"...
> I would guess that the only thing required is that you create a
> mod_authn_pam authentication module and that an authz_pam module is not
> needed.  Unless you have the need to implement a very specialized type
> of authorization, you can simply rely on the existing authz modules to
> do the work.  However, if you do need a specialized PAM group
> authorization for example, rather than implementing another 'Require
> group xxx' directive, you would need to implement a 'pam-group'
> authorization type.  See mod_authnz_ldap or mod_authz_dbm as examples.

Excellent.. Thanks for that..
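
The point made in the quoted reply, that an authn provider is enabled only where it is listed in the AuthXXXProvider directive, written out as an Apache 2.2 configuration that keeps PAM authentication on the SSL virtual host. This is an added example, not part of the original thread: the provider name `pam` (for the proposed mod_authn_pam), the host name and all paths are assumptions.

```apache
# Added example. "pam" is a hypothetical provider name for the proposed
# mod_authn_pam; host name and file paths are constructed placeholders.

# Plain-HTTP virtual host: no AuthBasicProvider line names "pam" here,
# so the PAM provider is never consulted for requests to this host.
<VirtualHost *:80>
    ServerName www.example.org
    DocumentRoot /srv/www/plain
    <Directory /srv/www/plain>
        # AuthBasicProvider belongs to the AuthConfig override class.
        # With AllowOverride None a .htaccess file in this tree cannot
        # select the provider behind the administrator's back.
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

# SSL virtual host: the only place the provider is listed.
<VirtualHost *:443>
    ServerName www.example.org
    DocumentRoot /srv/www/secure
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/server.crt
    SSLCertificateKeyFile /etc/ssl/example/server.key
    <Directory /srv/www/secure>
        AllowOverride None
        # Refuse the request outright if it did not arrive over SSL,
        # so Basic credentials are never accepted in clear text.
        SSLRequireSSL
        AuthType Basic
        AuthName "Staff area"
        # Listing the provider is what enables it for this directory.
        AuthBasicProvider pam
        Require valid-user
    </Directory>
</VirtualHost>
```

The `AllowOverride None` lines matter as much as the provider line: if AuthConfig overrides are allowed on the plain-HTTP host, per-directory configuration there can list the provider too.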

