[users@httpd] New authentication framework in Apache 2.1


 



Hello,

From what I've read, the authentication API has been rewritten in Apache 2.1. As
there are not many docs at http://mod-auth.sourceforge.net/docs/ (link to
"Changes from 2.0" is broken), I want to know more. One of the things I've been
disappointed with in Apache 1.3 or 2.0 is that authentication backends and
authentication types aren't clearly separated. Note: by auth backends I
understand users/groups referentials (where is user and group information
stored?).

As an example, let's look at 2.0 authentication modules:

 * mod_auth: offers Basic Auth auth type, using a file-based users and groups
referential.
 * mod_auth_anon: I've never tried that, but it looks like a Basic Auth where
the authorized set of users is hard-coded within an Apache directive. No group
notion.
 * mod_auth_dbm: offered auth type is Basic Auth, users and groups referential:
DBM type database.
 * mod_auth_digest: offers Digest Auth, using a file-based users and groups
referential.
 * mod_auth_ldap: offers Basic Auth, using an LDAP-based users and groups
referential.
 * mod_ssl: offers strong authentication using X509 certificates. No users or
groups referential, only valid (issued by a known CA) certificates are allowed
to access a protected resource.

Some third-party modules:

 * mod_auth_mysql: offers Basic Auth, using a MySQL-based users and groups
referential.
 * mod_auth_sspi: offers NTLM authentication, using a Windows Domain Controller
for the users and groups referential.
 * mod_auth_kerb: offers Kerberos authentication, using a Windows Domain
Controller for the users and groups referential.

I believe each time you want a new combination of auth type and auth backend,
you need to create a new module. What if, for a protected resource, I want to
auth users with X509 certificates and then check if the cn value of the
presented Subject DN exists in the users referential I use, which is stored on
a SQLite database? Or if I want to combine Digest authentication and an
LDAP-based users referential? Is it really possible to do so without developing
new modules?

In case multiple auth types or backends are used, there should be a way to
delegate the authentication phase to another module (the "Authoritative"
thingie most of the modules implement). We should be able to try
AuthType1/AuthBackend1, then AuthType2/AuthBackend1 and finally
AuthType3/AuthBackend2.

Does the new API bring solutions to this? Or can anyone enlighten me about the
new features introduced by the auth API in 2.1?

Thanks for your feedback,
-- 
Julien ALLANOS

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.


