Mailing-List: contact users-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: users@httpd.apache.org
Date: Mon, 7 Jul 2003 15:20:44 -0400
Message-ID: <3EDCE81900014AAE@mta9.wss.scd.yahoo.com>
In-Reply-To: <Pine.GSO.4.55.0307071123100.424@sjgcs1.stsj.seagate.com>
From: "John K. Sterling" <john@sterls.com>
To: users@httpd.apache.org
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: Re: [users@httpd] Multiple auth sources

>-- Original Message --
>From: SAQIB <saqib@seagate.com>
>
>I dont think this is possible. Even if it was it would be a security
>issues. A long while back I was looking into this, but didnt pursue due
to
>possible security issues.

how is this a security issue?  the way i read the question he simply want=
s
to have a couple of auth modules have a chance to authenticate for a give=
n
location.  

Apache definitely does not make this easy, but it is theoretically possib=
le
by figuring out which auth module runs last (either in the module definit=
ion,
or based on the order they are loaded) and set it to 'Authoritative on'
(most auth modules have this ability).  Then set all of the other auth mo=
dules
to 'Authoritative off'.  

By convention most auth modules support the authoritative concept.  So th=
e
ones that have 'Authoritative off' return DECLINED if they fail (not unau=
thorized)
allowing other auth modules to get the opportunity to try as well - then
the last one (which is set to 'Authoritative on' returns unauthorized if
it fails too.

hope this helps.

sterling


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org