httpd-dev mailing list archives
From Müller Johannes <>
Subject Re: Re: Client authorization against LDAP using client certificates
Date Fri, 04 Jul 2008 13:43:01 GMT
Maybe let's concentrate on non-third-party modules.
Basically there is mod_auth_basic and mod_auth_digest on the top level followed by their providers
on the second level.
In my opinion mod_auth_cert is another possibility to authenticate users on the same level
as basic and digest, because it has nothing to do with basic and digest authentication in
Therefore I would prefer a third AuthType named Cert or something to keep httpd's authentication
model clean.

To support more than one authentication method at a time we would have to do fallback like
"AuthType Cert, Basic".
I really share this opinion.

And finally, to use the same provider independent of the configured AuthType, we would have
to rename the AuthBasicProvider and AuthDigestProvider directives.
In the end it would look like this:

AuthType Cert, Basic
AuthProvider ldap

-----Original Message-----
From: Graham Leggett []
Sent: Friday, 4 July 2008 15:20
Subject: Re: Re: Client authorization against LDAP using client certificates

Müller Johannes wrote:

> So far so good, but how to handle fallback to basic authentication if the client has
> no certificate (SSLVerifyClient optional)?
> If we created a new module mod_auth_cert and there is no username from mod_ssl we would
> like to call mod_auth_basic.
> If I understood you right, I would hook mod_auth_cert before mod_auth_basic and let it
> react on AuthType Basic.
> If mod_auth_cert then returns DECLINED, mod_auth_basic runs and does basic authentication.
> That would work, but I personally don't like it.
> If I configure "AuthType Basic" I want to do basic auth, not cert auth.
> If I created a new module I would prefer configuring "AuthType Cert" and doing something
> like "AuthCertFallback On"

Hmmm... this looks a little bit too cert specific.

It would be cool if we could support auth fallback in an arbitrary 
fashion. For example, if a user has a cert, use that as their identity, 
otherwise use their session identity from mod_auth_form, or failing that 
use basic authentication.

If all of them fail, then pick one of them to handle the "access denied" 
part (for example request a basic authentication username and password, 
or let mod_auth_form display a login form, whatever).

You might do something like this:

AuthType certificate, form, basic
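The fallback chain sketched above, as a small model added here for illustration; it is not httpd code and not from this thread. The extractor functions, the `authenticate` entry point and the challenge table are assumed names, and a constructed in-memory dictionary stands in for the shared LDAP provider.

```python
# Model of "AuthType certificate, form, basic" with one shared provider.
# Hypothetical illustration, not httpd code: each AuthType in turn tries to
# extract an identity from the request; the first identity the provider
# accepts wins; if every method declines or fails, the last configured
# AuthType issues its challenge (the "access denied" part of the design).
import base64

# Constructed stand-in for "AuthProvider ldap": user -> password.
PROVIDER_USERS = {"alice": "s3cret"}


def auth_certificate(req):
    # Identity from a *verified* client cert only; with SSLVerifyClient
    # optional a request may legitimately carry no certificate at all.
    if req.get("ssl_client_verify") == "SUCCESS" and req.get("ssl_client_cn"):
        return req["ssl_client_cn"], None  # already authenticated by mod_ssl
    return None  # DECLINED


def auth_form(req):
    # Identity established earlier by a form login, carried in a session.
    return (req["session_user"], None) if req.get("session_user") else None


def auth_basic(req):
    # Authorization: Basic header; the password still needs verifying.
    hdr = req.get("authorization", "")
    if not hdr.startswith("Basic "):
        return None
    try:
        user, sep, pw = base64.b64decode(hdr[6:], validate=True).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 bytes: treat as absent
        return None
    return (user, pw) if user and sep else None


METHODS = {"certificate": auth_certificate, "form": auth_form, "basic": auth_basic}
CHALLENGES = {
    "certificate": (403, {}),  # a cert cannot be requested mid-request
    "form": (302, {"Location": "/login"}),
    "basic": (401, {"WWW-Authenticate": 'Basic realm="ldap"'}),
}


def authenticate(req, auth_types, provider=PROVIDER_USERS):
    """Return a dict with status 200 and the user, or the challenge of the
    last AuthType in auth_types when no method yields an accepted identity."""
    for name in auth_types:
        result = METHODS[name](req)
        if result is None:
            continue  # DECLINED: nothing presented, try the next method
        user, pw = result
        if user in provider and (pw is None or provider[user] == pw):
            return {"status": 200, "user": user, "auth_type": name, "headers": {}}
    status, headers = CHALLENGES[auth_types[-1]]
    return {"status": status, "user": None, "auth_type": None, "headers": headers}
```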
