Posted to dev@httpd.apache.org by Doug Luce <do...@newhttpd.con.com> on 2000/01/02 06:06:31 UTC

Multimodal authentication

I have a need for two authentication types to be functioning together
within specific directories.  Specifically, I need to allow LDAP
authentication and authorization (according to filters) along with the
ability for an additional, non-LDAP username/password to grant read access
to a directory.  (There's an assumption here that the information the user
types in will show up in just one of the authentication domains.)

I have an .htaccess like this:

  AuthName Demo
  AuthType basic

  AuthInstUser someuser
  AuthInstPass secretp

  LDAPAuth On
  LDAPServer "ldap://localhost:389/"
  LDAPuseridAttr uid
  LDAPBase "o=AII, c=US"

  require group cn=group1, cn=doug, o=aii, c=us
  require user someuser  

AuthInstUser/Pass are commands for mod_auth_inst.c, a real simple
authentication module that just lets you specify a username/password combo
directly in the .htaccess.  That's a separate module from the LDAP auth
module I'm also using.

The idea here is that any user with an LDAP entry that is in the cn=group1
group can get in, as can anyone who types the "someuser/secretp" combo.

I couldn't find any existing mechanism within Apache to allow cross-modal
fallback or anything similar (although some modules allow for fallback
semantics within their own mode).  It also doesn't seem like it's
something that a module can be coded up to handle, unless you go through a
lot of crap with separate config files for the authentication and create a
module that does module processing (submodules?).
 
To get this to work, I made these modifications (to 1.3):

1) Alter ap_check_user_id() and ap_check_auth() (in src/http_config.c) to
go through the handlers until one of them returns an OK.  If nothing
returns okay, handle two additional cases: if all modules return DECLINE,
return DECLINE, if one or more modules signal an error (such as
AUTH_REQUIRED), return the last error seen.

2) Modify the authentication modules.  During the authenticate phase, if a
module was successful in authenticating a user, note that.  During the
auth_check phase, only go through the auth checking logic if the module
was responsible for authentication.
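The two changes above, as an added self-contained illustration in C (not code
from this post or from the Apache 1.3 source): a dispatcher that walks each
module's handler until one returns OK, returning DECLINED only when every module
declined and otherwise the last error seen, plus two stand-in modules that record
who authenticated and only run their requirement checks if it was them.  The
status values, the request record, the in-memory "directory" standing in for
LDAP, and the module/function names are all constructed for the example; the
inst module's credentials mirror the .htaccess in the post.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Status codes named as in the post; the numeric values are constructed. */
#define OK             0
#define DECLINED      -1
#define AUTH_REQUIRED 401

/* Constructed request record. authenticated_by records which module accepted
 * the credentials (step 2 of the post); it stays NULL until one does. */
typedef struct {
    const char *user;
    const char *password;
    const char *authenticated_by;
} request_rec;

typedef int (*phase_handler)(request_rec *r);

typedef struct {
    const char *name;
    phase_handler check_user_id;  /* authenticate phase */
    phase_handler auth_checker;   /* auth_check (authorization) phase */
} module;

/* Step 1: run each module's handler for a phase until one returns OK.
 * All DECLINED -> DECLINED; otherwise the last non-DECLINED error wins. */
static int run_until_ok(module *mods, size_t n, int auth_phase, request_rec *r)
{
    int last_error = DECLINED;
    for (size_t i = 0; i < n; i++) {
        int rc = auth_phase ? mods[i].check_user_id(r) : mods[i].auth_checker(r);
        if (rc == OK)
            return OK;
        if (rc != DECLINED)
            last_error = rc;
    }
    return last_error;
}

/* --- "inst" stand-in: one username/password pair from the .htaccess. --- */
static const char *INST_USER = "someuser";  /* AuthInstUser */
static const char *INST_PASS = "secretp";   /* AuthInstPass */

static int inst_check_user_id(request_rec *r)
{
    /* Unknown user: DECLINED so the next module gets its turn (fallback).
     * Known user with the wrong password: a real error. */
    if (strcmp(r->user, INST_USER) != 0) return DECLINED;
    if (strcmp(r->password, INST_PASS) != 0) return AUTH_REQUIRED;
    r->authenticated_by = "inst";
    return OK;
}

static int inst_auth_checker(request_rec *r)
{
    /* Step 2: only apply "require user someuser" if inst authenticated. */
    if (!r->authenticated_by || strcmp(r->authenticated_by, "inst") != 0) return DECLINED;
    return strcmp(r->user, INST_USER) == 0 ? OK : AUTH_REQUIRED;
}

/* --- LDAP stand-in: a constructed in-memory directory (uid, pw, group). --- */
typedef struct { const char *uid; const char *password; const char *group; } ldap_entry;
static const ldap_entry DIRECTORY[] = { {"doug", "dougpw", "group1"},
                                        {"alice", "alicepw", "group2"} };

static const ldap_entry *ldap_lookup(const char *uid)
{
    for (size_t i = 0; i < sizeof DIRECTORY / sizeof DIRECTORY[0]; i++)
        if (strcmp(DIRECTORY[i].uid, uid) == 0) return &DIRECTORY[i];
    return NULL;
}

static int ldap_check_user_id(request_rec *r)
{
    const ldap_entry *e = ldap_lookup(r->user);
    if (e == NULL) return DECLINED;                        /* not in this domain */
    if (strcmp(e->password, r->password) != 0) return AUTH_REQUIRED;  /* bind fails */
    r->authenticated_by = "ldap";
    return OK;
}

static int ldap_auth_checker(request_rec *r)
{
    /* Step 2 again; "require group cn=group1,..." modelled as a group match. */
    if (!r->authenticated_by || strcmp(r->authenticated_by, "ldap") != 0) return DECLINED;
    const ldap_entry *e = ldap_lookup(r->user);
    return (e && strcmp(e->group, "group1") == 0) ? OK : AUTH_REQUIRED;
}

static module MODULES[] = { {"inst", inst_check_user_id, inst_auth_checker},
                            {"ldap", ldap_check_user_id, ldap_auth_checker} };
#define N_MODULES (sizeof MODULES / sizeof MODULES[0])

/* Both phases, in the order ap_check_user_id() then ap_check_auth() run them. */
int authorize_request(const char *user, const char *password)
{
    request_rec r = { user, password, NULL };
    int rc = run_until_ok(MODULES, N_MODULES, 1, &r);
    if (rc != OK) return rc;
    return run_until_ok(MODULES, N_MODULES, 0, &r);
}

int main(void)
{
    printf("doug/dougpw -> %d\n", authorize_request("doug", "dougpw"));        /* OK */
    printf("alice/alicepw -> %d\n", authorize_request("alice", "alicepw"));    /* AUTH_REQUIRED: wrong group */
    printf("someuser/wrong -> %d\n", authorize_request("someuser", "wrong"));  /* AUTH_REQUIRED */
    printf("nobody/x -> %d\n", authorize_request("nobody", "x"));              /* DECLINED: no module knows the user */
    return 0;
}
```

The one design choice that makes fallback work is that a module returns DECLINED, not AUTH_REQUIRED, for a user it has never heard of; that is the "information shows up in just one domain" assumption from the top of the post, and it is also why a module that treats itself as authoritative for every name would stop the chain.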

It seems that some modules assume that they are going to do the checking
no matter who authenticated: mod_auth does this.  The authinst module I'm
using takes advantage of this fact and lets mod_auth do the requirements
checking.  I'm not sure that this is the way it should work.  Since
different authentication domains may have different ideas of how to
provide access (LDAP, for instance, lets you do authorization on an LDAP
filter), it seems better to have each module check authorization, but only
if they were responsible for the authentication.

This seems to work well enough, although I think I'd prefer having the
authorization/authentication cut up into sections, one for each
authentication type.  I'd also like to see additional logic for setting a
precedence and an easy way to turn this functionality on/off on a
per-directory basis.

Has anyone else dealt with this situation before?  What did you end up
doing?

While these hacks work for me, I'm guessing that they'd be a controversial
add to the Apache core.  Maybe there's a better way?

Doug