httpd-modules-dev mailing list archives

From Eric Covener <>
Subject Re: Time for a new AuthType: "cert?"
Date Mon, 01 Mar 2010 17:49:59 GMT
>   1) for authentication:  depend upon mod_ssl configured with an appropriate
> SSLVerifyClient option.  [i.e. decline to authenticate a user if no client
> cert was passed; be configurable to fail or warn stridently if a client cert
> was passed but "SSLVerifyClient optional_no_ca" is in use]

With you here; the big decision is whether to impersonate basic auth
or to run before it.

>   2) for authorization:  like mod_authnz_ldap, support dn, group [to include
> nested group], attribute, and filter require directives

Disagree here: why/where are you going to query this stuff? Why not
just use it in conjunction with LDAP authz?

>   3) provide the same flexibility as mod_authnz_ldap with respect to
> configuring the LDAP connection and working with various LDAP libraries

-1 if it were going into the actual Apache distribution!

>   4) be configurable to work with users' existing LDAP schemas without
> requiring changes in the directory.

sounds reasonable unless you're drawing a contrast with the current
LDAP auth modules.

> Most of the "prior art" 3rd party modules I've seen out there seem to fall
> down in one or more of these respects.
> I'm new to Apache module development, and I recognize that stepping outside
> of "basic" and "digest" to create an entire new authorization provider type
> might be a lot to bite off.  I invite any suggestions or tips--especially if
> someone has already "cracked this nut" in a generalizable way.

I think "AuthType cert" is reasonable as long as you can demonstrate
using the traditional authz providers.

Eric Covener
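Added illustration, not part of the thread and not code from any Apache module: the two routes the reply contrasts, shown with directives httpd already ships. Variant A skips a new AuthType and authorizes straight from the verified certificate with httpd 2.4's `Require expr`; Variant B is mod_ssl's existing "impersonate basic auth" mechanism, `SSLOptions +FakeBasicAuth`, which hands the subject DN to the ordinary `AuthBasicProvider`/`Require` chain. The host name, file paths, CA file and CN values are placeholders, and the example assumes httpd 2.4 with mod_ssl, mod_auth_basic, mod_authn_file and mod_authz_core loaded.

```apache
# Added example (not from the list thread or any Apache module).
# Assumes httpd 2.4; host names, paths and CN values are placeholders.
<VirtualHost *:443>
    ServerName cert.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/cert.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/cert.example.com.key

    # Verification is what makes the presented identity trustworthy.
    # "require" aborts the handshake unless the client cert chains to a CA
    # in SSLCACertificateFile. "optional_no_ca" would accept any cert and
    # leave SSL_CLIENT_VERIFY at FAILED:... rather than SUCCESS, which is
    # exactly the configuration the original message says should fail or warn.
    SSLCACertificateFile /etc/ssl/certs/client-ca.pem
    SSLVerifyClient require
    SSLVerifyDepth 2

    # Variant A: no AuthType at all. Authorize from the verified cert fields.
    # RequireAll is needed: the default for several Require lines is "any",
    # which would let the verify check alone grant access.
    <Location /admin>
        <RequireAll>
            Require expr "%{SSL_CLIENT_VERIFY} == 'SUCCESS'"
            Require expr "%{SSL_CLIENT_S_DN_CN} in { 'alice', 'bob' }"
        </RequireAll>
    </Location>

    # Variant B: impersonate Basic auth. mod_ssl supplies the client cert's
    # subject DN as the user name and the fixed password "password", so the
    # unchanged authn/authz chain (file here; ldap or anything else works the
    # same way) sees a normal Basic login.
    #
    # cert-users.htpasswd then holds one line per permitted subject DN with
    # the crypt() hash of "password":
    #   CN=alice,O=Example Corp,C=US:xxj31ZMTZzkVA
    # httpd 2.4 formats the DN per RFC 2253 as above; add
    # "SSLOptions +LegacyDNStringFormat" to get the 2.2-style
    # /C=US/O=Example Corp/CN=alice form instead.
    <Location /app>
        SSLOptions +FakeBasicAuth
        AuthType Basic
        AuthName "Client certificate"
        AuthBasicProvider file
        AuthUserFile /etc/httpd/cert-users.htpasswd
        Require valid-user
    </Location>
</VirtualHost>
```

Variant B is what "impersonate basic auth" buys: any authz provider that keys off the user name, including mod_authnz_ldap's group checks, runs without knowing a certificate was involved, at the cost of the fixed password and of user names that are DN strings. Variant A is the "run without it" side: nothing sets a user name, so the traditional providers cannot be combined with it, which is the trade-off the reply points at.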
