Posted to dev@httpd.apache.org by Brad Nicholes <bn...@novell.com> on 2003/01/20 19:37:49 UTC
mod_auth_ldap vs mod_ldap (was: Re: authz / authn and mod_auth_ldap)
While we are on the subject of splitting auth_ldap, does it still make
sense to have mod_auth_ldap and mod_ldap? Would it make more sense to
combine these two modules? It seems that the split was initially due to
trying to include the ldap connection caching in apr-util. Since that
is no longer the case, shouldn't the connection caching be rolled back
into auth_ldap? It seems like the purpose for having a submodule like
mod_ldap is so that it can be easily replaced. Do we expect someone to
implement another connection caching scheme?
Another messy point is that auth_ldap includes apr_ldap.h which resides
in apr-util/include. Does it make sense to have an apr_ldap.h since
auth_ldap seems to be the only thing that uses it? It just seems like
ldap functionality was never completely split from APR. I am just
wondering if this is something else that should be cleaned up before
moving auth_ldap out of experimental.
Brad Nicholes
Senior Software Engineer
Novell, Inc., the leading provider of Net business solutions
http://www.novell.com
>>> estrade-m@ifrance.com 01/20/03 01:40 AM >>>
Will it be the same for the user, or will he have to add more modules when
he compiles his apache?
I understand it will be the same when he sets up the authentication,
the Directives will be the same, but if the user forgets to compile
authn, maybe I will not understand why some directives are working and
not the others.
I understand too it's better to split the code, it will be easier to
read, so good for all developers like me who are coding apache modules.
But the documentation must be up to date with the split.
Last month, I wanted to set up an ldap authentication, I spent a lot of time
to understand the gap between now and 3 months before when my setup was
working. The auth changed, I had to use basic auth modules instead of
before...
And I took hours to find a directive, to let auth_basic make the
password go to auth_ldap, the directive wasn't in the mod_ldap
documentation, and was lost in the auth_basic help....
So splitting the modules is maybe a good idea, but the right
documentation must follow...
Regards,
Matthieu
Graham Leggett wrote:
> Estrade Matthieu wrote:
>
>> I read the discussion for a few messages, I am not an apache
>> developer, so I will speak as a user. IMHO, splitting into two
>> modules will make auth more complex. Actually, it's not really easy
>> to set up, and the documentation is not always up to date.
>
>
> The configuration for users will remain exactly the same as it is now,
> so I don't believe a split will make it any harder for users. It will
> however make the code a lot simpler to read, and hopefully more stable
> as a result.
>
> Regards,
> Graham
Re: mod_auth_ldap vs mod_ldap (was: Re: authz / authn and mod_auth_ldap)
Posted by Aaron Bannert <aa...@clove.org>.
On Wednesday, January 22, 2003, at 08:57 AM, Justin Erenkrantz wrote:
> --On Wednesday, January 22, 2003 5:39 PM +0100 Dirk-Willem van Gulik
> <di...@webweaving.org> wrote:
>
>> One 'ultimate' way to prove how much sense it would make is by
>> using it to do simply/do some clever apache/tomcat connection
>> pooling.
>
> For that, you should use apr_reslist_t. IIRC, it was written for
> exactly this purpose. I believe Pier was using it for the now defunct
> mod_jerry, but I don't think mod_jk picked up on it.
>
> I would also bet that the pooling code for LDAP could take advantage
> of apr_reslist_t and remove a lot of code. -- justin
Yup, and I put an example of how to use apr_reslist_t in apr-util's
test directory.
If someone wants to write a patch for ldap to use it, I'd be happy to
review/test it.
-aaron
Re: mod_auth_ldap vs mod_ldap (was: Re: authz / authn and mod_auth_ldap)
Posted by Justin Erenkrantz <je...@apache.org>.
--On Wednesday, January 22, 2003 5:39 PM +0100 Dirk-Willem van Gulik
<di...@webweaving.org> wrote:
> One 'ultimate' way to prove how much sense it would make is by
> using it to do simply/do some clever apache/tomcat connection
> pooling.
For that, you should use apr_reslist_t. IIRC, it was written for
exactly this purpose. I believe Pier was using it for the now
defunct mod_jerry, but I don't think mod_jk picked up on it.
I would also bet that the pooling code for LDAP could take advantage
of apr_reslist_t and remove a lot of code. -- justin
Re: mod_auth_ldap vs mod_ldap (was: Re: authz / authn and mod_auth_ldap)
Posted by Dirk-Willem van Gulik <di...@webweaving.org>.
> In fact, I thought that was the original plan. I recall that some
> people weren't too comfortable with the pooling code in APR-util.
> But, I still think it makes sense... -- justin
One 'ultimate' way to prove how much sense it would make is by using it to
do simply/do some clever apache/tomcat connection pooling.
Dw.
Re: mod_auth_ldap vs mod_ldap (was: Re: authz / authn and mod_auth_ldap)
Posted by Justin Erenkrantz <je...@apache.org>.
--On Wednesday, January 22, 2003 8:54 AM +0200 Graham Leggett
<mi...@sharp.fm> wrote:
> mod_ldap is a connection pool and query cache, and can be reused by
> other apache modules that require ldap, such as a potential
> DAV-ldap module, or a proxy_ldap module, so no - I'd say a
> combination would be a bad idea.
I've got to think that perhaps that connection pooling and query
caching code is a better fit in apr-util than in httpd. I don't see
a reason why that must be in httpd. If we had it in apr-util, it'd
be easier for APR apps to write solid LDAP code.
In fact, I thought that was the original plan. I recall that some
people weren't too comfortable with the pooling code in APR-util.
But, I still think it makes sense... -- justin
Re: mod_auth_ldap vs mod_ldap (was: Re: authz / authn and mod_auth_ldap)
Posted by Dirk-Willem van Gulik <di...@webweaving.org>.
On Wed, 22 Jan 2003, Graham Leggett wrote:
> mod_ldap is a connection pool and query cache, and can be reused by
> other apache modules that require ldap, such as a potential DAV-ldap
> module, or a proxy_ldap module, so no - I'd say a combination would be a
> bad idea.
>
> In addition, combining mod_ldap into mod_auth_ldap makes it hard to
> split auth_ldap into authn and authz.
+1 to that; (though perhaps mod_ldap needs to be called libldap) - ldap is
useful for a lot of other things as well; including integration into
systems like RSASecurID, SiteMinder and even some extensions to our own
SSL module. So please keep it neutral.
Dw
Re: mod_auth_ldap vs mod_ldap (was: Re: authz / authn and mod_auth_ldap)
Posted by Graham Leggett <mi...@sharp.fm>.
Brad Nicholes wrote:
> While we are on the subject of splitting auth_ldap, does it still make
> sense to have mod_auth_ldap and mod_ldap? Would it make more sense to
> combine these two modules. It seems that the split was initially due to
> trying to include the ldap connection caching in apr-util. Since that
> is no longer the case, shouldn't the connection caching be rolled back
> into auth_ldap? It seems like the purpose for having a submodule like
> mod_ldap is so that it can be easily replaced. Do we expect someone to
> implement another connection caching scheme?
mod_ldap is a connection pool and query cache, and can be reused by
other apache modules that require ldap, such as a potential DAV-ldap
module, or a proxy_ldap module, so no - I'd say a combination would be a
bad idea.
In addition, combining mod_ldap into mod_auth_ldap makes it hard to
split auth_ldap into authn and authz.
> Another messy point is that auth_ldap includes apr_ldap.h which resides
> in apr-util/include. Does it make sense to have an apr_ldap.h since
> auth_ldap seems to be the only thing that uses it? It just seems like
> ldap functionality was never completely split from APR.
The LDAP functionality in APR is done to link in LDAP libraries on
different platforms, and to provide missing LDAP functionality where
necessary (eg Windows). This is why it's in APR.
> I am just
> wondering if this is something else that should be cleaned up before
> moving auth_ldap out of experimental.
I think the structure of the files is fine as it is now - the criterion
for moving it out of experimental should be when the code has proved to
be stable enough on a wide set of platforms, and there are no
outstanding showstopper bugs.
Regards,
Graham
--
-----------------------------------------
minfrin@sharp.fm "There's a moon
over Bourbon Street
tonight..."