httpd-modules-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Thomas, Peter" <ptho...@HPTI.com>
Subject Time for a new AuthType: "cert?"
Date Mon, 01 Mar 2010 17:06:07 GMT
I have been trying for some time to come up with a generalizable
solution from the "stock" mod_authnz_ldap that works in a environment
with X.509 certificate-based authentication and LDAP-based
authorization.  Unfortunately, mod_authnz_ldap was written in such a way
that it seems extremely difficult to authorize a user against an LDAP
directory if they were not first authenticated against the directory.
I've managed to cobble together a solution--only to find that the
additional attributes are not queried during authorivation--or if they
are, they are not populated into the AUTHENTICATE_* subprocess
environment variables.

I really want to make as much use of mod_auth_ldap as possible rather
than managing my own LDAP connection pool and cache.  The hacks that
I've had to do to make this work suggest to me that I don't want to
overload mod_auth_basic, but what is really appropriate is a new
authorization provider--notionally call it "cert" or "cert-ldap."

This provider should:

  1) for authentication:  depend upon mod_ssl configured with an
appropriate SSLVerifyClient option.  [i.e. decline to authenticate a
user if no client cert was passed; be configurable to fail or warn
stridently if a client cert was passed but "SSLVerifyClient
optional_no_ca" is in use]
  2) for authorization:  like mod_authnz_ldap, support dn, group [to
include nested group], attribute, and filter require directives
  3) provide the same flexibility as mod_authnz_ldap with respect to
configuring the LDAP connection and working with various LDAP libraries
  4) be configurable to work with users' existing LDAP schemas without
requiring changes in the directory.

Most of the "prior art" 3rd party modules I've seen out there seem to
fall down in one of more of these respects.

I'm new to Apache module development, and I recognize that stepping
outside of "basic" and "digest" to create an entire new authorization
provider type might be a lot to bite off.  I invite any suggestions or
tips--especially if someone has already "cracked this nut" in an
generalizable way.
 <<Thomas, Peter L. (pthomas@HPTI.com).vcf>> 

Mime
  • Unnamed multipart/mixed (inline, None, 0 bytes)
View raw message