httpd-dev mailing list archives

From Müller Johannes <>
Subject AW: Client authorization against LDAP using client certificates
Date Fri, 04 Jul 2008 13:08:55 GMT
So far so good, but how to handle fallback to basic authentication if the client has no certificate (SSLVerifyClient optional)?
If we created a new module mod_auth_cert and there is no username from mod_ssl, we would like to call mod_auth_basic.
If I understood you right, I would hook mod_auth_cert before mod_auth_basic and let it react on AuthType Basic.
If mod_auth_cert then returns DECLINED, mod_auth_basic runs and does basic authentication.

That would work, but I personally don't like it.
If I configure "AuthType Basic" I want to do basic auth, not cert auth.
If I created a new module I would prefer configuring "AuthType Cert" and doing something like "AuthCertFallback On".


-----Original Message-----
From: Eric Covener [] 
Sent: Friday, 4 July 2008 14:28
Subject: Re: Client authorization against LDAP using client certificates

On Fri, Jul 4, 2008 at 5:43 AM, Müller Johannes
<> wrote:
> Well, this would require quite big changes to all authentication modules, I guess.
> I think the better way would be to skip authentication completely in mod_auth_basic
> in case the user is set in the request object, because the user is already authenticated somehow
> through mod_ssl.

Your solution 2 is not difficult at all, and you don't even really
need to use a new AuthType.  Simply returning OK or DECLINED from your
new module's early ap_hook_check_user_id, and letting authz run as
normal, is sufficient for cert-based auth.

Eric Covener
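
The hook ordering discussed in this thread, as an added example that is not part of the original messages and is not httpd or mod_ssl code: a self-contained C model of a certificate hook running ahead of a basic-auth hook, with DECLINED handing the request on. The `request` struct, the hook function names and the alice/s3cret account are assumptions made for illustration; only the OK, DECLINED and 401 values mirror httpd.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in values and types modelling httpd's run-first hook chain.
 * OK/DECLINED/401 match httpd's values; everything else is hypothetical. */
#define OK 0
#define DECLINED (-1)
#define HTTP_UNAUTHORIZED 401

typedef struct {
    const char *user;        /* set by the TLS layer when a client cert was verified */
    const char *basic_user;  /* decoded Authorization: Basic credentials, or NULL */
    const char *basic_pass;
} request;

/* Hypothetical mod_auth_cert hook: accept an already-set user, else step aside. */
static int cert_check_user(request *r)
{
    return (r->user != NULL && r->user[0] != '\0') ? OK : DECLINED;
}

/* Simplified basic-auth hook with one constructed account (alice / s3cret). */
static int basic_check_user(request *r)
{
    if (r->basic_user == NULL || r->basic_pass == NULL ||
        strcmp(r->basic_user, "alice") != 0 || strcmp(r->basic_pass, "s3cret") != 0)
        return HTTP_UNAUTHORIZED;  /* a real module would send a challenge here */
    r->user = r->basic_user;
    return OK;
}

/* Run-first semantics: the first hook that does not return DECLINED decides. */
static int run_check_user_id(request *r)
{
    int (*hooks[])(request *) = { cert_check_user, basic_check_user };
    for (size_t i = 0; i < sizeof hooks / sizeof hooks[0]; i++) {
        int rv = hooks[i](r);
        if (rv != DECLINED)
            return rv;
    }
    return HTTP_UNAUTHORIZED;  /* nobody claimed the request: fail closed */
}

int main(void)
{
    request with_cert = { "CN=bob", NULL, NULL }, no_cert = { NULL, "alice", "s3cret" };
    printf("%d %d\n", run_check_user_id(&with_cert), run_check_user_id(&no_cert));
    return 0;
}
```

In this model a request that already carries a certificate-derived user never reaches the password check, so authorization is the only remaining gate for it.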
