Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm
Delivered-To: mailing list dev@httpd.apache.org
Message-Id: <44D0A449.6720.00AC.0@novell.com>
X-Mailer: Novell GroupWise Internet Agent 7.0.1
Date: Wed, 02 Aug 2006 13:08:37 -0600
From: "Brad Nicholes"
Subject: Re: mod_auth_pam 2.2.X
References: <44D0BE57.9040901@cse.yorku.ca> <44D0804B.6720.00AC.0@novell.com> <44D0D88A.9050200@cse.yorku.ca>
In-Reply-To: <44D0D88A.9050200@cse.yorku.ca>

>>> On 8/2/2006 at 10:53 AM, in message <44D0D88A.9050200@cse.yorku.ca>, Jason Keltz wrote:
> Brad Nicholes wrote:
>>>>> On 8/2/2006 at 9:01 AM, in message <44D0BE57.9040901@cse.yorku.ca>, Jason Keltz
>>
>> Understand that I have not looked at the auth_pam module so I don't
>> know exactly what all of the different configuration directives do.
>> However, it is highly likely that you do not even need the
>> AuthPAM_Enabled directive any more. Under the new architecture,
>> enabling or disabling an authn module is done by simply including it or
>> excluding it from the AuthXXXProvider directive.
>
> Actually, that makes a lot of sense. However, I have another similar
> difficulty. I had also added my own "AuthPAMEngine" command to
> mod_auth_pam that would only work from the server configuration. It is
> a very simple flag that could be toggled at the server level. This way,
> I could allow mod_auth_pam to be used on only specific virtual servers.
> I enabled it only in our SSL configuration. Could that also be
> integrated into the mod_authn_pam module? Is there a better way in
> Apache that permits the web site owner to restrict access to modules
> from within particular virtual servers?
>

You could implement an AuthPAMEngine directive in mod_authn_pam, but you would have to decide exactly what that means. Keep in mind that under the authnz architecture, every provider listed in a specific AuthnXXXProvider directive will be called and must return some kind of AUTH_XXX code. If a provider is not listed in a particular AuthnXXXProvider directive for a or block, the provider will not be called for that block. So, like I mentioned before, enabling or disabling it is simply a matter of including it in the AuthnXXXProvider directive or not. If you did implement an AuthPAMEngine directive, you would need to decide what 'AuthPAMEngine Off' means as far as which auth code should be returned.

If you return AUTH_DENIED, then other authn providers that follow your authn_pam provider in the AuthnXXXProvider directive would be called and allowed to authenticate the user; otherwise the request would be denied. If you returned AUTH_GRANTED, then only the authn providers listed previous to your authn_pam provider would have been called; authentication would stop at that point and be granted. There isn't a DECLINED option anymore. Basically, if your PAM provider is never included in any AuthnXXXProvider directive, then it is never called and is just dead code (i.e., disabled).

Brad
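The per-virtual-host enabling that Brad describes, written out as an httpd 2.2 configuration. This is an added example, not configuration from the thread or from mod_auth_pam itself; it assumes the provider registers under the name "pam" (a name chosen here), that the module is built as mod_authn_pam.so, and that all file paths are placeholders.

```apache
# Added example: the PAM authn provider is listed in AuthBasicProvider only
# inside the TLS virtual host, so it is never called for the plain HTTP one.
# Assumptions: provider name "pam" and module file name are hypothetical;
# paths are placeholders.
LoadModule auth_basic_module  modules/mod_auth_basic.so
LoadModule authn_file_module  modules/mod_authn_file.so
LoadModule authz_user_module  modules/mod_authz_user.so
LoadModule ssl_module         modules/mod_ssl.so
LoadModule authn_pam_module   modules/mod_authn_pam.so

# Plain HTTP vhost: "pam" is absent from AuthBasicProvider, so the PAM
# provider is never consulted here (dead code, in the thread's words).
<VirtualHost *:80>
    ServerName www.example.com
    <Location /private>
        AuthType Basic
        AuthName "Restricted"
        AuthBasicProvider file
        # placeholder path
        AuthUserFile /path/to/htpasswd
        Require valid-user
    </Location>
</VirtualHost>

# TLS vhost: providers are consulted in the order listed, so "pam" is
# tried before "file"; a provider that returns AUTH_GRANTED ends the chain.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    # placeholder paths
    SSLCertificateFile    /path/to/cert.pem
    SSLCertificateKeyFile /path/to/key.pem
    <Location /private>
        AuthType Basic
        AuthName "Restricted"
        AuthBasicProvider pam file
        AuthUserFile /path/to/htpasswd
        Require valid-user
    </Location>
</VirtualHost>
```

Because provider selection is per `<Location>` (or per-directory) rather than server-wide, the same vhost can also use different provider lists for different paths, which is the flexibility the thread suggests the old server-level AuthPAMEngine flag was approximating. Run `httpd -t` after editing to confirm the provider name resolves before reloading.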