httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ruediger Pluem <>
Subject Re: [Fwd: Re: svn commit: r466865 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_authn_dbd.xml modules/aaa/mod_auth.h modules/aaa/mod_authn_dbd.c modules/aaa/mod_authnz_ldap.c]
Date Sun, 29 Oct 2006 15:09:42 GMT

On 10/29/2006 03:47 PM, Graham Leggett wrote:
> Ruediger Pluem wrote:
>> Yes, this is correct. It is set by AuthDBDUserPWQuery.
>>> What sql statement would correspond with "USER_" above?
>> The one set by AuthDBDUserRealmQuery. It is used inside
>> authn_dbd_realm
>> OK, USER_ might the wrong word, but we definitely have two possible
>> different
>> queries with possible the same field names which are put in the same
>> environment
>> namespace.
> My understanding of the code is that either the realm query will get
> run, or the password query will get run - otherwise we would be checking
> the password twice.

Ok, this is true. I have not checked that before. password query is for basic auth and
realm query is for digest auth. I don't think that they get used in the same request

> AUTHENTICATE_ entries are only added to the environment for the second
> and subsequent columns in each query.
> If two sql queries are being done, then the admin need only add the
> extra columns to one of the queries.
> If this is ever a problem, the admin can simply give the second query
> different column names to the first, assuming there are two queries at all.

Yes, but the rows selected could be different and thus the contents of the fields,
but as stated above it is very very unlikely that both queries are run for the
same request, so this does not matter.

> The point behind the AUTHENTICATE_ is that it is the same as that of
> mod_authnz_ldap. If you put the sql ones in different namespaces, then
> it seriously reduces the usefulness of putting this info in the
> environment, as users of this information now have to care which module
> did the authz and authn.

This is clear. I was just worried that we overwrite the contents of one of the
AUTHENTICATE_ variables we just written a stage before, but as this is not the
case there is no point in having different namespaces and thus reducing usefulness.



View raw message