Posted to dev@httpd.apache.org by Eric Covener <co...@gmail.com> on 2009/07/13 23:31:22 UTC

AuthBasicProvider failover and mod_authnz_ldap

PR#47521 points out that when mod_authnz_ldap has some fatal LDAP
connectivity error, it doesn't allow other AuthBasicProviders to have
a shot at checking the userid.

It seems like the normal use case for two providers is when there are
two disjoint user repositories, and we only move on to search the
second when the user of interest isn't found in the first.

For LDAP, should we treat a failure to even search the database this
same way, allowing it to move onto other providers
(AUTH_USER_NOT_FOUND vs. AUTH_GENERAL_ERROR)?  It seems to me that the
LDAP backends often have poor reliability and lots of use cases would
want the 2nd provider for emergencies, at little expense (hypothetical
attacker that took out your LDAP servers, and compromised e.g.
AuthUserFile).

Thoughts?

-- 
Eric Covener
covener@gmail.com

Re: AuthBasicProvider failover and mod_authnz_ldap

Posted by Graham Leggett <mi...@sharp.fm>.
Plüm, Rüdiger, VF-Group wrote:

> Haven't thought this through but from a first glance it makes sense that
> the next provider can continue if the first one had a fatal error.

+1.

Regards,
Graham
--


RE: AuthBasicProvider failover and mod_authnz_ldap

Posted by "Plüm, Rüdiger, VF-Group" <ru...@vodafone.com>.
 

> -----Original Message-----
> From: Eric Covener  
> Sent: Montag, 13. Juli 2009 23:31
> To: dev@httpd.apache.org
> Subject: AuthBasicProvider failover and mod_authnz_ldap
> 
> PR#47521 points out that when mod_authnz_ldap has some fatal LDAP
> connectivity error, it doesn't allow other AuthBasicProviders to have
> a shot at checking the userid.
> 
> It seems like the normal use case for two providers is when there are
> two disjoint user repositories, and we only move on to search the
> second when the user of interest isn't found in the first.
> 
> For LDAP, should we treat a failure to even search the database this
> same way, allowing it to move onto other providers
> (AUTH_USER_NOT_FOUND vs. AUTH_GENERAL_ERROR)?  It seems to me that the
> LDAP backends often have poor reliability and lots of use cases would
> want the 2nd provider for emergencies, at little expense (hypothetical
> attacker that took out your LDAP servers, and compromised e.g.
> AuthUserFile).
> 
> Thoughts?

Haven't thought this through but from a first glance it makes sense that
the next provider can continue if the first one had a fatal error.

Regards

Rüdiger


Re: AuthBasicProvider failover and mod_authnz_ldap

Posted by Eric Covener <co...@gmail.com>.
On Wed, Jul 15, 2009 at 10:58 AM, Brad Nicholes<BN...@novell.com> wrote:

> The question here is given this context, should AUTH_GENERAL_ERROR == AUTH_USER_NOT_FOUND?  Given this context, the answer is probably yes.
> However are there any cases dealing with authn_alias where the answer should be no?

To care about this path, you have to have multiple providers with some
overlap of userids.   Tough to say how someone could both want the
duplicate IDs but would not want the 2nd provider to have a chance.

Change in default to trunk and figure out how to make it configurable
w/o using the word Authoritative?

-- 
Eric Covener
covener@gmail.com

RE: AuthBasicProvider failover and mod_authnz_ldap

Posted by "Plüm, Rüdiger, VF-Group" <ru...@vodafone.com>.
 

> -----Original Message-----
> From: Brad Nicholes 
> Sent: Mittwoch, 15. Juli 2009 16:58
> To: dev@httpd.apache.org
> Subject: Re: AuthBasicProvider failover and mod_authnz_ldap

> authn_alias where the answer should be no?  The second issue 
> is what should authnz_ldap do?  Authnz_ldap has already been 
> coded for redundancy if it is configured for it.  If there is 
> a problem in this case, then it is a bug that should be looked at.
> 

I guess this case was less about a second ldap server should the first
fail (this can be done with Authnz_ldap as you mention) but about
a different auth provider should the Ldap provider fail.

Regards

Rüdiger

Re: AuthBasicProvider failover and mod_authnz_ldap

Posted by Brad Nicholes <BN...@novell.com>.
>>> On 7/13/2009 at 3:31 PM, in message
<14...@mail.gmail.com>, Eric Covener
<co...@gmail.com> wrote:
> PR#47521 points out that when mod_authnz_ldap has some fatal LDAP
> connectivity error, it doesn't allow other AuthBasicProviders to have
> a shot at checking the userid.
> 
> It seems like the normal use case for two providers is when there are
> two disjoint user repositories, and we only move on to search the
> second when the user of interest isn't found in the first.
> 
> For LDAP, should we treat a failure to even search the database this
> same way, allowing it to move onto other providers
> (AUTH_USER_NOT_FOUND vs. AUTH_GENERAL_ERROR)?  It seems to me that the
> LDAP backends often have poor reliability and lots of use cases would
> want the 2nd provider for emergencies, at little expense (hypothetical
> attacker that took out your LDAP servers, and compromised e.g.
> AuthUserFile).
> 
> Thoughts?


There are actually two issues to consider in the context of PR#47521.  The first issue is what should mod_authn_alias do if it gets an AUTH_GENERAL_ERROR vs AUTH_USER_NOT_FOUND.  Apparently, according to the bug, mod_authn_alias just stops which is probably what the intention was when I coded it (years ago in another lifetime ;) .   The question here is given this context, should AUTH_GENERAL_ERROR == AUTH_USER_NOT_FOUND?  Given this context, the answer is probably yes.  However are there any cases dealing with authn_alias where the answer should be no?  The second issue is what should authnz_ldap do?  Authnz_ldap has already been coded for redundancy if it is configured for it.  If there is a problem in this case, then it is a bug that should be looked at.

Brad
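To make the design question in this thread concrete, here is a constructed simulation of how an AuthBasicProvider chain walks its providers, written for this page and not taken from httpd's own source. The result names come from the thread; the two providers (a "down" LDAP backend and an AuthUserFile-style store with one emergency account), their credentials, and the failover_on_error switch are assumptions. It shows the difference between stopping on AUTH_GENERAL_ERROR and treating it like AUTH_USER_NOT_FOUND so the next provider gets a shot.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Result codes as named in the thread; this enum is part of the simulation. */
typedef enum { AUTH_DENIED, AUTH_GRANTED, AUTH_USER_NOT_FOUND, AUTH_GENERAL_ERROR } authn_status;

typedef authn_status (*check_password_fn)(const char *user, const char *password);

/* Simulated LDAP provider. While ldap_is_down is set, every lookup is a fatal
 * connectivity error, which is the PR#47521 situation. Credentials are constructed. */
static bool ldap_is_down = true;
static authn_status ldap_check(const char *user, const char *password) {
    if (ldap_is_down) return AUTH_GENERAL_ERROR;
    if (strcmp(user, "alice") != 0) return AUTH_USER_NOT_FOUND;
    return strcmp(password, "ldap-secret") == 0 ? AUTH_GRANTED : AUTH_DENIED;
}

/* Simulated AuthUserFile provider holding one emergency account (constructed). */
static authn_status file_check(const char *user, const char *password) {
    if (strcmp(user, "admin") != 0) return AUTH_USER_NOT_FOUND;
    return strcmp(password, "file-secret") == 0 ? AUTH_GRANTED : AUTH_DENIED;
}

/* Walk the providers in order. The chain only moves on while a provider says it
 * does not know the user. With failover_on_error, a fatal provider error is
 * mapped to AUTH_USER_NOT_FOUND, which is the change proposed in the thread;
 * without it, the first AUTH_GENERAL_ERROR ends the walk. A wrong password
 * (AUTH_DENIED) never falls through, so a user known to the first provider
 * cannot be retried against the second. */
static authn_status run_chain(const check_password_fn *providers, size_t n,
                              const char *user, const char *password,
                              bool failover_on_error) {
    authn_status result = AUTH_USER_NOT_FOUND;
    for (size_t i = 0; i < n; i++) {
        result = providers[i](user, password);
        if (result == AUTH_GENERAL_ERROR && failover_on_error)
            result = AUTH_USER_NOT_FOUND;
        if (result != AUTH_USER_NOT_FOUND)
            break;
    }
    return result;
}

/* The configuration under discussion: "AuthBasicProvider ldap file". */
authn_status chain_ldap_then_file(const char *user, const char *password,
                                  bool failover_on_error) {
    const check_password_fn providers[] = { ldap_check, file_check };
    return run_chain(providers, 2, user, password, failover_on_error);
}
```

With failover off, the emergency account is unreachable the moment LDAP is down; with it on, the file store answers for users LDAP never got to check, which is exactly the trade-off Eric describes.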