Posted to dev@httpd.apache.org by Jess Holle <je...@ptc.com> on 2005/05/27 17:22:52 UTC

Re: Multiple AAA providers

Is there any remaining/ongoing interest in this development area?

The need to authenticate a single resource against multiple disparate 
(non-failover/non-redundant) LDAP servers looms large and I'd like to 
think that this would be part of Apache 2.2 soon...  [I'd rather not 
have to hack this in in a narrow, special-cased, hackish way myself...]

--
Jess Holle

Re: Multiple AAA providers

Posted by Rici Lake <ri...@ricilake.net>.
On 27-May-05, at 10:53 AM, Jess Holle wrote:

> Russell Howe wrote:
>> Jess Holle wrote:
>>
>>> Is there any remaining/ongoing interest in this development area?
>>>
>>> The need to authenticate a single resource against multiple disparate
>>> (non-failover/non-redundant) LDAP servers looms large and I'd like to
>>> think that this would be part of Apache 2.2 soon...  [I'd rather not
>>> have to hack this in in a narrow, special-cased, hackish way 
>>> myself...]
>>>
>> I have a JAAS LoginModule which I wrote for Jetty that does exactly this
>> (if I understand what you mean, that is :).
>>
>> At work, I have our website authentication first checking OpenLDAP, then
>> falling back to Win2k Active Directory.
>>
>
> [By disparate/non-failover/non-redundant, I mean that each LDAP would
> be checked for a given user until that user entry was found (at which 
> point no other LDAPs would be checked for the given user regardless of 
> the success/failure of the bind).  This differs from strictly failover 
> LDAPs wherein Apache keeps trying to contact LDAP URLs until it finds 
> one that responds (is up) and then just uses that one as "the" LDAP -- 
> we have that now but it does not help in these use cases.]
>> I want to be able to do the same from Apache, and am pretty tempted to
>> start coding up a module to do it.
>>
>
> That would be a great grand unified theory (and I see it as useful)
> but what I care most about is multiple LDAPs.  If we could just have 
> the existing mod_auth_ldap handle multiple LDAPs (beyond in a strict 
> failover capacity) that would be *huge*.  If we can't get the grand 
> unified approach, I'd at least like to see multiple LDAP handling.

I'm very interested in implementing this myself. To make what I'm doing 
more generally useful, I'd like to know what people expect from the 
implementation of Require after a multiple LDAP search. Should you be 
able to put the ldap server name in a Require? Or are you only 
concerned with require valid-user?


Re: Multiple AAA providers

Posted by Russell Howe <ru...@wreckage.org>.
Jess Holle wrote:
> In our case it does not depend which is checked first (except perhaps
> for performance) as there will not be any overlap between the
> directories.  For instance, one LDAP might be for corporation X and
> another for one of their partners.  Another example: one might be a
> read-only corporate directory and another might be an application
> writable directory (for pseudo-users, guest accounts, etc).

Same for me here.

We actually have a mixture - ldap search for collective accounts shared
by groups of people (these will go, given time), LDAP search on an
OpenLDAP server (hopefully a redundant pair) and an LDAP search on the
Win2k domain controllers (two of them, if one's not available, fall back
to the other).

JAAS does all the hard work for me in Java though, as regards trying
multiple authentication modules. Apparently they copied the
configuration scheme from PAM, or at least tried to make it PAM-like.

> There was discussion some time back (under the same title as this
> thread) about doing this in a somewhat general fashion so one could have
> multiple LDAP providers, multiple password file providers, etc...
> 
> That would be a great grand unified theory (and I see it as useful) but
> what I care most about is multiple LDAPs.  If we could just have the
> existing mod_auth_ldap handle multiple LDAPs (beyond in a strict
> failover capacity) that would be *huge*.  If we can't get the grand
> unified approach, I'd at least like to see multiple LDAP handling.

Ah, I see what you mean - it would appear that while you can chain
authentication methods, they have to be different methods, taking
different options. Am I getting that right? If so, I can't readily port
my Java authentication scheme to Apache :/

Here is my latest posting to jetty-discuss, talking about the
LoginModule. Hopefully it is enough to give a rough idea of what it does.

http://news.gmane.org/navbar.php?group=gmane.comp.java.jetty.general&article=5749&next=5750&prev=5756&newsrc=,5749-5750,5763

-- 
Russell Howe
russell_howe@wreckage.org

Today's Nemi: http://www.metro.co.uk/img/pix/nemi_may27.jpg

Re: Multiple AAA providers

Posted by Jess Holle <je...@ptc.com>.
Russell Howe wrote:

> Jess Holle wrote:
>
>> Is there any remaining/ongoing interest in this development area?
>>
>> The need to authenticate a single resource against multiple disparate
>> (non-failover/non-redundant) LDAP servers looms large and I'd like to
>> think that this would be part of Apache 2.2 soon...  [I'd rather not
>> have to hack this in in a narrow, special-cased, hackish way myself...]
>
> I have a JAAS LoginModule which I wrote for Jetty that does exactly this
> (if I understand what you mean, that is :).
>
> At work, I have our website authentication first checking OpenLDAP, then
> falling back to Win2k Active Directory.
>
In our case it does not depend which is checked first (except perhaps 
for performance) as there will not be any overlap between the 
directories.  For instance, one LDAP might be for corporation X and 
another for one of their partners.  Another example: one might be a 
read-only corporate directory and another might be an application 
writable directory (for pseudo-users, guest accounts, etc).

[By disparate/non-failover/non-redundant, I mean that each LDAP would be 
checked for a given user until that user entry was found (at which point 
no other LDAPs would be checked for the given user regardless of the 
success/failure of the bind).  This differs from strictly failover LDAPs 
wherein Apache keeps trying to contact LDAP URLs until it finds one that 
responds (is up) and then just uses that one as "the" LDAP -- we have 
that now but it does not help in these use cases.]

> I want to be able to do the same from Apache, and am pretty tempted to
> start coding up a module to do it.
>
There was discussion some time back (under the same title as this 
thread) about doing this in a somewhat general fashion so one could have 
multiple LDAP providers, multiple password file providers, etc...

That would be a great grand unified theory (and I see it as useful) but 
what I care most about is multiple LDAPs.  If we could just have the 
existing mod_auth_ldap handle multiple LDAPs (beyond in a strict 
failover capacity) that would be *huge*.  If we can't get the grand 
unified approach, I'd at least like to see multiple LDAP handling.

--
Jess Holle
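The search-then-bind semantics Jess describes above (the first directory that holds the user entry is authoritative, and a failed bind there does not fall through to the next directory), set beside the strict-failover behaviour he contrasts it with, as an added Python model. This is not code from the thread, from httpd or from mod_auth_ldap; the three directories, their user entries and the outage flag are constructed sample data, and the `on_outage` policy is an assumption the thread does not settle. The directory name the functions return is also what a per-server Require rule, as Rici asks about earlier in the thread, would have to key on. (Apache httpd 2.2 later provided multiple same-type providers through AuthnProviderAlias in mod_authn_alias; the model below is independent of that.)

```python
"""Model of the two multi-LDAP semantics discussed in the thread.

Added example, not code from the thread or from httpd. Directories,
entries and outages below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


class DirectoryDown(Exception):
    """Raised when a directory server does not respond."""


@dataclass
class Directory:
    """Toy stand-in for one LDAP server (constructed; not a real LDAP client)."""
    name: str
    entries: Dict[str, str] = field(default_factory=dict)  # uid -> password
    up: bool = True

    def search(self, uid: str) -> bool:
        """Does this directory hold an entry for uid? (Like an LDAP search.)"""
        if not self.up:
            raise DirectoryDown(self.name)
        return uid in self.entries

    def bind(self, uid: str, password: str) -> bool:
        """Simple bind as the user, i.e. the actual credential check."""
        if not self.up:
            raise DirectoryDown(self.name)
        return self.entries.get(uid) == password


def build_directories(corp_up: bool = True) -> List[Directory]:
    """Constructed sample data: a corporate directory, a partner directory
    and an application-writable directory. 'svc' deliberately exists in two
    of them to show that a failed bind does not fall through."""
    corp = Directory("corp", {"alice": "corp-pw", "svc": "corp-pw"}, up=corp_up)
    partner = Directory("partner", {"bob": "partner-pw"})
    app = Directory("app", {"guest1": "guest-pw", "svc": "app-pw"})
    return [corp, partner, app]


def authenticate_disparate(dirs: List[Directory], uid: str, password: str,
                           on_outage: str = "deny") -> Tuple[Optional[str], bool]:
    """Disparate (non-failover) semantics: search each directory in order;
    the first one holding the uid is authoritative and its bind result is
    final, whether it succeeds or fails.

    on_outage is an assumption the thread leaves open: "deny" refuses the
    login when a higher-priority directory cannot be reached, "skip" moves
    on to the next directory (unsafe if uids can overlap).
    """
    for d in dirs:
        try:
            found = d.search(uid)
        except DirectoryDown:
            if on_outage == "deny":
                return d.name, False
            continue
        if found:
            return d.name, d.bind(uid, password)
    return None, False


def authenticate_failover(dirs: List[Directory], uid: str,
                          password: str) -> Tuple[Optional[str], bool]:
    """Strict failover semantics: the first server that responds becomes
    "the" LDAP and no other directory is consulted for the user."""
    for d in dirs:
        try:
            return d.name, d.search(uid) and d.bind(uid, password)
        except DirectoryDown:
            continue
    return None, False


if __name__ == "__main__":
    dirs = build_directories()
    print("disparate alice  :", authenticate_disparate(dirs, "alice", "corp-pw"))
    print("disparate bob    :", authenticate_disparate(dirs, "bob", "partner-pw"))
    print("disparate svc    :", authenticate_disparate(dirs, "svc", "app-pw"))
    print("failover  bob    :", authenticate_failover(dirs, "bob", "partner-pw"))
    down = build_directories(corp_up=False)
    print("corp down, deny  :", authenticate_disparate(down, "svc", "app-pw"))
    print("corp down, skip  :", authenticate_disparate(down, "svc", "app-pw", "skip"))
```

The `svc` case is the one worth watching: under the disparate semantics a wrong password against the corporate entry is a final failure, and the same uid in the application directory is never consulted; under failover, a partner user such as `bob` can never authenticate while the corporate server is up, which is why failover "does not help in these use cases". The `on_outage="skip"` run shows the flip side: if an unreachable higher-priority directory is silently skipped, a same-named entry in a lower-priority, application-writable directory answers instead, so skipping is only safe when the directories are guaranteed disjoint.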


Re: Multiple AAA providers

Posted by Russell Howe <ru...@wreckage.org>.
Jess Holle wrote:
> Is there any remaining/ongoing interest in this development area?
> 
> The need to authenticate a single resource against multiple disparate
> (non-failover/non-redundant) LDAP servers looms large and I'd like to
> think that this would be part of Apache 2.2 soon...  [I'd rather not
> have to hack this in in a narrow, special-cased, hackish way myself...]

I have a JAAS LoginModule which I wrote for Jetty that does exactly this
(if I understand what you mean, that is :).

At work, I have our website authentication first checking OpenLDAP, then
falling back to Win2k Active Directory.

I want to be able to do the same from Apache, and am pretty tempted to
start coding up a module to do it.

-- 
Russell Howe
russell_howe@wreckage.org

Today's Nemi: http://www.metro.co.uk/img/pix/nemi_may27.jpg