httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Graham Leggett <>
Subject Re: AW: Client authorization against LDAP using client certificates
Date Fri, 04 Jul 2008 13:20:26 GMT
Müller Johannes wrote:

> So far so good, but how to handle fallback to basic authentication if the client has
no certificate (SSLVerifyClient optional)?
> If we created a new module mod_auth_cert and there is no username from mod_ssl we would
like to call mod_auth_basic.
> If i understood you right, i would hook mod_auth_cert before mod_auth_basic and let it
react on AuthType Basic.
> If mod_auth_cert then returns DECLINED, mod_auth_basic runs and does basic authentication.
> That would work, but i personally don't like it.
> If i configure "AuthType Basic" i want to do basic auth, not cert auth.
> If i created a new module i would prefer configuring "AuthType Cert" and doing something
like "AuthCertFallback On"

Hmmm... this looks a little bit too cert specific.

Tt would be cool if we could support auth fallback in an arbitrary 
fashion. For example, if a user has a cert, use that as their identity, 
otherwise use their session identity from mod_auth_form, or failing that 
use basic authentication.

If all of them fail, then pick one of them to handle the "access denied" 
part (for example request a basic authentication username and password, 
or let mod_auth_form display a login form, whatever).

You might do something like this:

AuthType certificate, form, basic


View raw message