Re: Only require satisfaction of one AuthType in 2.2

William A. Rowe, Jr. wrote:
> Sorry - too many JJ's posting, had this confused.
> 
>> On Mon, September 24, 2007 8:44 pm, Joel Johnson wrote:
>>> The problem I'm running into is in designating the authentication as
>>> *optional*. For example, I'd like to set up a wiki at wiki.and have the
>>> contents publicly accessible, but require authentication for edits. I'd like
>>> to first offer Kerberos authentication, but if that fails then still allow
>>> access. The application would then check REMOTE_USER and honor its value
>>> if set, or fall back to internal authentication if desired. This will also
>>> allow me to configure the server such that if a user is local and has Kerberos
>>> credentials they are seamlessly authenticated, but if not then I can have a
>>> login screen authenticating internally against the same source. There are
>>> several different ways that I will use this, but they all rely on optional
>>> authentication support.
>>>
>>> The working exclusively-Kerberos relevant config is simply:
>>> AuthType Kerberos
>>> require valid-user
>>>
>>> I've tried using a "Satisfy any" directive as follows, but the "Allow from
>>> all" seems to take precedence over any other method:
>>> AuthType Kerberos
>>> require valid-user
>>> Allow from all
>>> Satisfy any
> 
> Did you make sure that to the denied resources, you have toggled either
> Deny from All
> or
> Satisfy All
> which should force the authentication?  Beyond this, there's no way to
> 'optionally log in but not really if you don't want to'.

Actually, I have to say I haven't dug into Kerberos auth; if it works as
NTLM auth, you actually can prod a client into giving up an auth token
and fail over gracefully if none is present.

> I've also considered using a "KrbAuthoritative Off" directive to allow
> checking to fall through to the next module, but I can't find an
> authentication module with "accept all" semantics.

Actually that wouldn't be the approach; you are saying "if I can't get
a Kerberos login, I'd be happy with /method X/ login instead".  Which is
why this didn't help you.

The only other hint I can offer, if you present a page as 'auth required'
and fail over to a redirect to the auth-not-required page if they don't
pass, but to the auth accepted page if they do pass, this is one way
to differentiate the logged in vs. login not required users.

Once a user logs in, most clients continue to present the login credentials
for that session/browser process.

Bill

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
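
The last hint in the message above (an auth-required page that fails over to the auth-not-required page), sketched as an Apache 2.2 configuration. This is an added example, not configuration from the thread or from the Apache project; it assumes mod_auth_kerb as the Kerberos module, and the `/sso` URL, the `/sso-failed.html` page, the realm and the keytab path are all placeholders.

```apache
# Added example for Apache 2.2 with mod_auth_kerb (assumed module).
# /sso, /sso-failed.html, EXAMPLE.COM and the keytab path are placeholders.

# Public wiki content: no authentication is requested here, so REMOTE_USER
# is unset and the application serves the anonymous view.
<Location />
    Order allow,deny
    Allow from all
</Location>

# Probe URL: the only place where Kerberos is demanded. The application
# links here (for example from its "log in" link) instead of protecting
# the whole site.
<Location /sso>
    AuthType Kerberos
    AuthName "Wiki single sign-on"
    KrbAuthRealms EXAMPLE.COM
    Krb5KeyTab /etc/httpd/conf/wiki.keytab
    KrbMethodNegotiate On
    # No Basic fallback: a client without a ticket is not shown a
    # password prompt and its password never crosses the wire here.
    KrbMethodK5Passwd Off
    Require valid-user
    Satisfy All

    # Body sent with the 401 challenge. A client that cannot answer
    # Negotiate renders this page. It must be a local path: with a full
    # URL Apache answers with a redirect and the client never sees the 401.
    ErrorDocument 401 /sso-failed.html
</Location>

# /sso-failed.html lives under the public tree and only needs to forward
# the browser to the application's own login form, e.g. with
#   <meta http-equiv="refresh" content="0; url=/login-form">
# (the /login-form URL is a placeholder as well).
#
# On success the handler behind /sso sees REMOTE_USER set by the module,
# creates the application session and redirects back to the wiki.
```

The application should honor REMOTE_USER only for requests to the protected `/sso` location and read it from the server environment, never from a client-supplied header. Everywhere else it relies on the session it created after the probe succeeded.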

