Date: Sat, 29 May 2010 16:32:14 -0400
Subject: thoughts on authnz_ldap stashing the basic auth password in per-request conf?
From: Eric Covener
To: dev@httpd.apache.org

Would it be too offensive if mod_authnz_ldap stashed away the user's basic auth password in its own per-request config after it successfully authenticates, then used it later during authorization? It is floating around base64'ed anyway, but it still sounds unsavory.

There are some cases where at authorization time, if LDAP was also the authentication source, the user's credentials could be used against the backend instead of hard-coded server credentials (this non-anonymous, no-hard-coded BindDN/BindPassword config is requested every now and again).

-- 
Eric Covener
covener@gmail.com
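
The flow proposed in the message above, modelled stand-alone as an added example (not code from the original post or from httpd): the password is stashed only after LDAP authentication succeeds, authorization falls back to the configured server credentials otherwise, and the stash is wiped when the request ends. `req_ldap_state`, `authn_stash`, `authz_pick_bind` and `request_cleanup` are hypothetical names, and the DNs and passwords are constructed sample values.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a module's per-request config; not httpd's structs. */
typedef struct {
    char dn[128];        /* DN the user authenticated as */
    char password[128];  /* basic auth password, kept only for this request */
    int  ldap_authn_ok;  /* set only when LDAP itself verified the password */
} req_ldap_state;

/* Wipe through a volatile pointer so the compiler cannot drop the stores. */
static void scrub(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Authentication phase: stash the credentials only after a successful bind. */
int authn_stash(req_ldap_state *st, const char *dn, const char *pw, int bind_ok) {
    if (!bind_ok || strlen(dn) >= sizeof st->dn || strlen(pw) >= sizeof st->password)
        return 0;
    strcpy(st->dn, dn);
    strcpy(st->password, pw);
    st->ldap_authn_ok = 1;
    return 1;
}

/* Authorization phase: pick the bind identity. Returns 1 for the user's own
 * credentials, 0 for the configured server credentials (another provider did authn). */
int authz_pick_bind(const req_ldap_state *st, const char *cfg_dn, const char *cfg_pw,
                    const char **dn, const char **pw) {
    if (st->ldap_authn_ok) { *dn = st->dn; *pw = st->password; return 1; }
    *dn = cfg_dn; *pw = cfg_pw;
    return 0;
}

/* End of request: the stash must not outlive the request. */
void request_cleanup(req_ldap_state *st) { scrub(st, sizeof *st); }

int main(void) {
    req_ldap_state st = {0};
    const char *dn, *pw;
    authn_stash(&st, "uid=alice,ou=people,dc=example,dc=com", "constructed-pw", 1);
    int as_user = authz_pick_bind(&st, "cn=svc,dc=example,dc=com", "svc-pw", &dn, &pw);
    printf("bind as %s (%s)\n", dn, as_user ? "user" : "server");
    request_cleanup(&st);
    return 0;
}
```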