httpd-dev mailing list archives

From "Plüm, Rüdiger, VF-Group" <ruediger.pl...@vodafone.com>
Subject Re: Client authorization against LDAP using client certificates
Date Fri, 04 Jul 2008 13:18:49 GMT
 

> -----Original Message-----
> From: Müller Johannes 
> Sent: Friday, 4 July 2008 15:09
> To: dev@httpd.apache.org
> Subject: Re: Client authorization against LDAP using client 
> certificates
> 
> So far so good, but how to handle fallback to basic 
> authentication if the client has no certificate 
> (SSLVerifyClient optional)?
> If we created a new module mod_auth_cert and there is no 
> username from mod_ssl we would like to call mod_auth_basic.
> If I understood you right, I would hook mod_auth_cert before 
> mod_auth_basic and let it react on AuthType Basic.
> If mod_auth_cert then returns DECLINED, mod_auth_basic runs 
> and does basic authentication.
> 
> That would work, but I personally don't like it.
> If I configure "AuthType Basic" I want to do basic auth, not 
> cert auth.
> If I created a new module I would prefer configuring 
> "AuthType Cert" and doing something like "AuthCertFallback On"

You can do it this way and make your module non authoritative by
returning DECLINED.
See

http://httpd.apache.org/docs/2.2/en/mod/mod_auth_basic.html#authbasicauthoritative
http://httpd.apache.org/docs/2.2/en/mod/mod_authnz_ldap.html#authzldapauthoritative

You can make this configurable by creating something like an 
AuthCertAuthoritative directive in your module. And based on its value you return
either DECLINED or DONE.

Regards

Rüdiger
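
Added example, not part of the original message and not httpd or module source: a self-contained C model of the fallback discussed in this thread, where a certificate check that returns DECLINED lets the password check run and a terminal status stops the chain. The `model_req` struct, the function names and the sample account are assumptions made for illustration; only the status code values match httpd.h.

```c
#include <stddef.h>
#include <string.h>

/* Status codes, with the values httpd.h assigns them. */
#define OK 0
#define DECLINED (-1)
#define DONE (-2)
#define HTTP_UNAUTHORIZED 401

/* Constructed stand-in for the request, not Apache's request_rec. */
typedef struct {
    const char *cert_user;  /* user name from a verified client cert, or NULL */
    const char *basic_user; /* Basic credentials sent by the client, or NULL */
    const char *basic_pass;
    int cert_authoritative; /* models the proposed AuthCertAuthoritative flag */
    const char *user;       /* filled in by whichever check accepts */
} model_req;

/* Hypothetical mod_auth_cert check: accept a certificate user, otherwise
 * end the request (authoritative) or pass it on (non-authoritative). */
static int cert_check_user(model_req *r) {
    if (r->cert_user != NULL) {
        r->user = r->cert_user;
        return OK;
    }
    return r->cert_authoritative ? DONE : DECLINED;
}

/* Stand-in for the password check; the one valid account is constructed. */
static int basic_check_user(model_req *r) {
    if (r->basic_user != NULL && r->basic_pass != NULL &&
        strcmp(r->basic_user, "alice") == 0 &&
        strcmp(r->basic_pass, "constructed-pw") == 0) {
        r->user = r->basic_user;
        return OK;
    }
    return HTTP_UNAUTHORIZED;
}

/* Run-first dispatch: the first result other than DECLINED is final. */
int run_check_user(model_req *r) {
    int (*const chain[])(model_req *) = { cert_check_user, basic_check_user };
    for (size_t i = 0; i < sizeof chain / sizeof chain[0]; i++) {
        int rv = chain[i](r);
        if (rv != DECLINED)
            return rv;
    }
    return DECLINED;
}
```

With the flag on, a client without a certificate never reaches the password check even when its password is valid, which is the behaviour to confirm when certificates are meant to be mandatory.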

