Posted to modperl@perl.apache.org by vadim <va...@swissonline.ch> on 2005/01/06 22:20:10 UTC

Beginner needs suggestion!

Hallo everybody,

I need a suggestion as a beginner. I am trying to set up apache2 server
with subversion repository under it. I have to authenticate clients in
the following way:

1) As first, client may provide a valid SSL certificate. If client
provides certificate, my small perl module goes to LDAP, gets some
information from there using certificate's subject DN, and uses then
this information for authorization purposes by svn.

2) If client does not provide a certificate, I have to allow client to
authenticate itself against mod_krb5, and to use client's Kerberos
principal for authorization by svn.

I actually managed to implement both (1) and (2) in two different
locations, which means that I've got two different subversion URLs,
each implementing its own authentication mechanisms. 

Do you know if there is a possibility to merge both authentication
mechanisms in one URL? Could you give me a hint please how can I allow
subversion clients first to supply a certificate, and if they can not
supply a certificate - to try to authenticate via SPNEGO and as last
option - Kerberos user ID and Password, and all of this in one URL?

Thanx a lot and best regards, vadim tarassov
-- 
vadim <va...@swissonline.ch>


Re: Beginner needs suggestion!

Posted by Perrin Harkins <pe...@elem.com>.
It sounds like you're looking for apache help.  This is not a general
apache help mailing list.  This list is only for mod_perl users.  For
general apache help, look here:
http://httpd.apache.org/lists.html#http-users

- Perrin


Re: Beginner needs suggestion!

Posted by Frank Wiles <fr...@wiles.org>.
On Thu, 06 Jan 2005 22:20:10 +0100
vadim <va...@swissonline.ch> wrote:

> Hallo everybody,
> 
> I need a suggestion as a beginner. I am trying to set up apache2
> server with subversion repository under it. I have to authenticate
> clients in the following way:
> 
> 1) As first, client may provide a valid SSL certificate. If client
> provides certificate, my small perl module goes to LDAP, gets some
> information from there using certificate's subject DN, and uses then
> this information for authorization purposes by svn.
> 
> 2) If client does not provide a certificate, I have to allow client to
> authenticate itself against mod_krb5, and to use client's Kerberos
> principal for authorization by svn.
> 
> I actually managed to implement both (1) and (2) in two different
> locations, which means that I've got two different subversion URLs,
> each implementing its own authentication mechanisms. 
> 
> Do you know if there is a possibility to merge both authentication
> mechanisms in one URL? Could you give me a hint please how can I allow
> subversion clients first to supply a certificate, and if they can not
> supply a certificate - to try to authenticate via SPNEGO and as last
> option - Kerberos user ID and Password, and all of this in one URL?
> 
> Thanx a lot and best regards, vadim tarassov
> -- 
> vadim <va...@swissonline.ch>
> 

  I think you may have to write a mod_perl authentication module 
  that handles your krb5 authentication, but I could be wrong.  I don't
  think you can stack a mod_perl handler onto a C Apache module, but the
  basic premise is to stack the handlers like so: 

  PerlAuthenHandler MyHandler::SSL, MyHandler::KRB5

  And MyHandler::SSL should return Apache::DECLINED if it was not able
  to authenticate because no cert was given.  MyHandler::KRB5 would 
  then need to return Apache::OK on authentication or
  Apache::HTTP_UNAUTHORIZED if it was unable to auth the user. 

 ---------------------------------
   Frank Wiles <fr...@wiles.org>
   http://www.wiles.org
 ---------------------------------
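
The return-code contract described in the reply above, modelled in plain Perl so it runs without Apache (an added example, not code from the thread and not mod_perl API code). The hash-based request, the two lookup tables and the local OK/DECLINED/HTTP_UNAUTHORIZED constants are assumptions standing in for the real request object, LDAP, the KDC and Apache's constants.

```perl
use strict;
use warnings;

# Local stand-ins for the status codes named in the reply (assumption:
# same numeric values httpd uses for OK, DECLINED and 401).
use constant { OK => 0, DECLINED => -1, HTTP_UNAUTHORIZED => 401 };

# Constructed sample data standing in for the LDAP directory and the KDC.
my %ldap_user_by_dn = ('CN=alice,O=Example' => 'alice');
my %krb_password    = ('bob@EXAMPLE.ORG'    => 'constructed-pw');

# First in the chain: only claims requests that carry a client certificate.
sub MyHandler::SSL::handler {
    my ($r) = @_;
    my $dn = $r->{client_dn};
    return DECLINED unless defined $dn;        # no cert: let KRB5 try
    my $user = $ldap_user_by_dn{$dn};
    # Assumption: a cert that maps to no LDAP entry is rejected here
    # instead of falling through to the next handler.
    return HTTP_UNAUTHORIZED unless defined $user;
    $r->{user} = $user;
    return OK;
}

# Last in the chain: must give a final answer, never DECLINED.
sub MyHandler::KRB5::handler {
    my ($r) = @_;
    my ($princ, $pw) = @{$r}{qw(principal password)};
    return HTTP_UNAUTHORIZED unless defined $princ && defined $pw;
    my $expected = $krb_password{$princ};
    return HTTP_UNAUTHORIZED unless defined $expected && $expected eq $pw;
    $r->{user} = $princ;
    return OK;
}

# Model of the stack: the first status other than DECLINED wins.
sub run_authen {
    my ($r, @handlers) = @_;
    for my $h (@handlers) {
        my $rc = $h->($r);
        return $rc unless $rc == DECLINED;
    }
    return HTTP_UNAUTHORIZED;   # nobody claimed the request: fail closed
}

my @chain = (\&MyHandler::SSL::handler, \&MyHandler::KRB5::handler);
for my $r ({ client_dn => 'CN=alice,O=Example' },
           { principal => 'bob@EXAMPLE.ORG', password => 'constructed-pw' },
           { principal => 'bob@EXAMPLE.ORG', password => 'wrong' }) {
    my $rc = run_authen($r, @chain);
    printf "status=%d user=%s\n", $rc, $r->{user} // '(none)';
}
```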