Posted to dev@httpd.apache.org by Brian Behlendorf <br...@organic.com> on 1997/11/19 09:31:48 UTC

Mod_auth_external

help, info overload.  If someone wants to respond, maybe Dirk as he's done
the most creative auth stuff, I would appreciate it.  Thanks!

	Brian

>From: stephen@ddk.dk
>X-Lotus-FromDomain: DDK
>To: brian@organic.com
>Date: Mon, 17 Nov 1997 08:34:41 +0200
>Subject: Mod_auth_external
>
>I have been using Nathan Neulinger's mod_auth_external module for a web
>application, writing my own authenticator to authenticate against a Solid
>SQL server. Doing that I started thinking (a bad habit of mine...). I sent
>him an email describing some of my thoughts and he responded that I should
>try forwarding it to the Apache maintainers. I hope you fit that category
>or at least would be so kind as to forward this mail to the right person.
>
>Here are some of my thoughts:
>
>+) Calling an external authenticator is a great way of doing
>authentication against more sophisticated sources than just a password file.
>-) But the overhead involved in starting up the new process could be
>removed.
>-) Every access to a protected directory does an authentication call; an
>SQL authenticator could therefore be more efficient if it was able to do
>caching of the data from the DB server, but this would require the
>authenticator to be persistent.
>-) The current scheme to do external authentication using mod_auth_external
>doesn't allow the authenticator to be persistent and therefore it cannot
>maintain connections to databases - the Solid server in my example.
>+) External authentication removes the need for more exotic Apache modules;
>that way the Apache source and the httpd are able to be a more "clean" httpd
>- that way removing possible errors.
>+) External authentication removes any need for linking the Apache
>executable with different libraries used in the authentication module -
>again this leads to a more clean and stable binary.
>
>By doing authentication with an external, dedicated program new
>possibilities arise - all different kinds of smart authentication mechanisms
>are made possible:
>
>*) Authentication based on date/time
>*) Authentication based on RADIUS or TACACS
>*) Authentication based on PAM or traditional Unix passwd/shadow files
>*) Authentication and registration in an external database
>*) And a lot more...
>
>Doing more resource intensive/security critical authentications on the
>actual host running the httpd can lead to security considerations. Being
>able to do authentication in a distributed way could help improve security.
>And on a network with multiple httpd hosts, one host running the distributed
>approach can lead to network-wide resource savings and to a consistent
>authentication scheme across the network.
>
>My idea for a solution is a socket-based two-tier model with an Apache
>module calling the authenticator on the same or a different host,
>and then letting that authenticator do whatever clever things the actual
>implementation requires, such as maintaining a connection to a database
>server, caching information etc.
>
>This will of course need to implement a standardized protocol used in the
>Apache->authenticator communication. Such a protocol would have to be
>relatively secure, extensible and well-defined. And it could pass different
>data from the httpd to the authenticator such as the remote IP addr and other
>things possibly relevant for the authentication process.
>
>
>Please let me know what you think of this. I would like to code it myself,
>but I think it is better with some discussion first instead of developing in
>the wrong direction.
>So I really want to get in contact with the right people on this issue.
>
>
>
>Stephen Aaskov
>DDK - Dansk Data Kommunikation
>
>
>
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
"it's a big world, with lots of records to play." - sig   brian@organic.com

Re: [Apache] Mod_auth_external

Posted by Nathan Neulinger <nn...@umr.edu>.
I'm not directly maintaining it anymore. Someone else took over that 
task, and I forget the address off the top of my head.

I will point out a couple of things.

The original reason I developed mod_auth_external was that I needed to 
authenticate users to AFS. Because my web servers run on HP-UX, and 
Transarc (AFS company) does not provide shared versions of the libraries, 
I could make a shared library module to load in. Not that this matters 
with Apache, but mod_auth_external was essentially derived from a plug-in 
I wrote for Netsite that did the same thing. (Till I came to my senses 
and realized that server ran like shit.)

Anyway, this sort of persistent authentication capability could easily be 
added to the module as another auth type. If you look at the newer 
versions of mod_auth_external, they implement a couple of the auth types 
internally. A simple socket based method could be implemented internally 
in the module, that would talk to an external process.

For example, you could configure in the conf file something like

AuthExternal myserv my.auth.host:port
AuthMethod myself internet-socket

*or*

AuthExternal myserv /path
AuthMethod myself unix-socket

Then all that would be necessary would be to define the communication scheme.

-- Nathan

On Wed, Nov 19, 1997 at 12:31:48AM -0800, Brian Behlendorf wrote:


------------------------------------------------------------
Nathan Neulinger                       EMail:  nneul@umr.edu
University of Missouri - Rolla         Phone: (573) 341-4841
Computing Services                       Fax: (573) 341-4216
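
As an added example, not code from this thread, from mod_auth_external or from Apache, here is a Python sketch of the socket-based two-tier scheme Stephen proposes above and Nathan suggests adding as a unix-socket/internet-socket auth type: a persistent authenticator process that keeps its backend connection open across requests, caches positive results, and speaks a small line-oriented protocol carrying user, password and remote IP from the httpd side. The wire format, the field encoding, the cache policy, the socket permissions and the sample user table are my assumptions; the thread defines none of them.

```python
import hashlib
import hmac
import os
import socket
import tempfile
import threading
import time
from urllib.parse import quote, unquote


def _pw_hash(salt: str, password: str) -> str:
    # Stand-in for however the real backend stores credentials (assumption).
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed sample data playing the role of the SQL/PAM/RADIUS backend.
SAMPLE_DB = {
    "alice": ("salt1", _pw_hash("salt1", "correct horse")),
    "bob": ("salt2", _pw_hash("salt2", "hunter2")),
}


class Authenticator:
    """Persistent authenticator: the backend 'connection' (here a dict) stays
    open across requests and positive results are cached for cache_ttl seconds."""

    def __init__(self, db, cache_ttl=30.0):
        self.db = db
        self.cache_ttl = cache_ttl
        self.cache = {}        # (user, sha256(password)) -> expiry (monotonic seconds)
        self.db_lookups = 0    # backend hits, so the effect of caching is visible

    def check(self, user, password, remote_ip, now=None):
        now = time.monotonic() if now is None else now
        key = (user, hashlib.sha256(password.encode()).hexdigest())
        expiry = self.cache.get(key)
        if expiry is not None and expiry > now:
            return True                      # cache hit: no backend round trip
        self.db_lookups += 1
        record = self.db.get(user)
        if record is None:
            return False
        salt, stored = record
        if not hmac.compare_digest(_pw_hash(salt, password), stored):
            return False                     # failures are never cached
        self.cache[key] = now + self.cache_ttl
        return True

    def handle_line(self, line: bytes) -> bytes:
        """Assumed wire format: one request per line,
        AUTH<TAB>user<TAB>password<TAB>remote_ip, each field percent-encoded,
        answered by OK / FAIL / ERR <reason>. The encoding keeps a tab or newline
        inside a user name or password from splitting or ending the request."""
        parts = line.rstrip(b"\r\n").split(b"\t")
        if len(parts) != 4 or parts[0] != b"AUTH":
            return b"ERR malformed\n"
        try:
            user, password, remote_ip = (unquote(p.decode("ascii")) for p in parts[1:])
        except UnicodeDecodeError:
            return b"ERR encoding\n"
        return b"OK\n" if self.check(user, password, remote_ip) else b"FAIL\n"


def serve(auth, listener, stop):
    """Accept loop on the authenticator side; one request per connection."""
    listener.settimeout(0.2)
    while not stop.is_set():
        try:
            conn, _ = listener.accept()
        except socket.timeout:
            continue
        with conn, conn.makefile("rwb") as f:
            for line in f:
                f.write(auth.handle_line(line))
                f.flush()


def ask(path, user, password, remote_ip):
    """What the httpd-side module would do: encode, send, read the verdict."""
    fields = "\t".join(quote(x, safe="") for x in (user, password, remote_ip))
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        c.connect(path)
        c.sendall(f"AUTH\t{fields}\n".encode("ascii"))
        c.shutdown(socket.SHUT_WR)
        return c.makefile("rb").readline() == b"OK\n"


def demo():
    """Run the authenticator on a unix socket and exercise it; returns
    (list of verdicts, number of backend lookups the authenticator made)."""
    auth = Authenticator(SAMPLE_DB)
    stop = threading.Event()
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "auth.sock")
        listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        listener.bind(path)
        os.chmod(path, 0o600)      # only the httpd user may talk to the authenticator
        listener.listen(8)
        t = threading.Thread(target=serve, args=(auth, listener, stop), daemon=True)
        t.start()
        verdicts = [
            ask(path, "alice", "correct horse", "10.0.0.5"),   # backend lookup
            ask(path, "alice", "correct horse", "10.0.0.5"),   # served from cache
            ask(path, "alice", "wrong", "10.0.0.5"),           # wrong password
            ask(path, "bob\tx", "hunter2", "10.0.0.6"),        # tab in name: no such user
            ask(path, "mallory", "hunter2", "10.0.0.7"),       # unknown user
        ]
        stop.set()
        t.join()
        listener.close()
    return verdicts, auth.db_lookups


if __name__ == "__main__":
    print(demo())
```

Two points a reviewer of the "relatively secure" protocol would raise. The password crosses the socket in the clear, which is acceptable on a mode-0600 unix socket owned by the httpd user but not on the TCP variant to another host without an authenticated, encrypted channel. And caching a positive result means a revoked or changed password keeps working for up to cache_ttl, so the TTL is a security parameter, not only a performance one; only successful checks are cached, so password guessing cannot grow the cache.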