Posted to users@httpd.apache.org by Julien ALLANOS <ju...@aql.fr> on 2005/09/13 09:26:04 UTC
[users@httpd] New authentication framework in Apache 2.1
Hello,
From what I've read, the authentication API has been rewritten in Apache 2.1. As
there are not many docs at http://mod-auth.sourceforge.net/docs/ (link to
"Changes from 2.0" is broken), I want to know more. One of the things I've been
disappointed with in Apache 1.3 or 2.0 is that authentication backends and
authentication types aren't clearly separated. Note: by auth backends I
understand users/groups referentials (where is users and groups information
stored?).
As an example, let's look at 2.0 authentication modules:
* mod_auth: offers Basic Auth auth type, using a file-based users and groups
referential.
* mod_auth_anon: I've never tried that, but it looks like a Basic Auth where
the authorized set of users is hard-coded within an Apache directive. No group
notion.
* mod_auth_dbm: offered auth type is Basic Auth, users and groups referential:
DBM type database.
* mod_auth_digest: offers Digest Auth, using a file-based users and groups
referential.
* mod_auth_ldap: offers Basic Auth, using an LDAP-based users and groups
referential.
* mod_ssl: offers strong authentication using X509 certificates. No users or
groups referential, only valid (issued by a known CA) certificates are allowed
to access a protected resource.
Some third-party modules:
* mod_auth_mysql: offers Basic Auth, using a MySQL-based users and groups
referential.
* mod_auth_sspi: offers NTLM authentication, using a Windows Domain Controller
for the users and groups referential.
* mod_auth_kerb: offers Kerberos authentication, using a Windows Domain
Controller for the users and groups referential.
I believe each time you want a new combination of auth type and auth backend,
you need to create a new module. What if, for a protected resource, I want to
auth users with X509 certificates and then check if the cn value of the
presented Subject DN exists in the users referential I use, which is stored on
a SQLite database? Or if I want to combine Digest authentication and an
LDAP-based users referential? Is it really possible to do so without developing
new modules?
In case multiple auth types or backends are used, there should be a way to
delegate the authentication phase to another module (the "Authoritative"
thingie most of the modules implement). We should be able to try
AuthType1/AuthBackend1, then AuthType2/AuthBackend1 and finally
AuthType3/AuthBackend2.
Does the new API bring solutions to this? Or can anyone enlighten me about the
new features introduced by the auth API in 2.1?
Thanks for your feedback,
--
Julien ALLANOS
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] New authentication framework in Apache 2.1
Posted by Julien ALLANOS <ju...@aql.fr>.
Quoting Nick Kew <ni...@webthing.com>:
> On Tuesday 13 September 2005 08:26, Julien ALLANOS wrote:
>> Hello,
>>
>> From what I've read, the authentication API has been rewritten in Apache
>> 2.1. As there are not many docs at http://mod-auth.sourceforge.net/docs/
>> (link to "Changes from 2.0" is broken), I want to know more.
>
> Have you written to the maintainers of that page?
Not yet, but I will do.
>> One of the
>> things I've been disappointed with in Apache 1.3 or 2.0 is that
>> authentication backends and authentication types aren't clearly separated.
>
> That's exactly what's been fixed in 2.1+.
>
Great! Thanks Nick for the information.
--
Julien ALLANOS
Re: [users@httpd] New authentication framework in Apache 2.1
Posted by Nick Kew <ni...@webthing.com>.
On Tuesday 13 September 2005 08:26, Julien ALLANOS wrote:
> Hello,
>
> From what I've read, the authentication API has been rewritten in Apache
> 2.1. As there are not many docs at http://mod-auth.sourceforge.net/docs/
> (link to "Changes from 2.0" is broken), I want to know more.
Have you written to the maintainers of that page?
> One of the
> things I've been disappointed with in Apache 1.3 or 2.0 is that
> authentication backends and authentication types aren't clearly separated.
That's exactly what's been fixed in 2.1+.
--
Nick Kew
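
How the separation discussed in this thread looks in configuration, as an added example that is not part of the thread: in the 2.1+ layout the Basic and Digest front ends pick their backend through the AuthBasicProvider and AuthDigestProvider directives. All paths and realm names below are placeholders.

```apache
# Constructed example for httpd 2.1/2.2-style configuration; every path and
# realm name is a placeholder.

# Basic auth, two backends tried in order: flat file first, then DBM.
# The second provider is consulted only when the first does not know the
# user; a wrong password at the provider that knows the user is a denial
# and does not fall through to the next provider.
<Location "/intranet">
    AuthType Basic
    AuthName "Intranet"
    AuthBasicProvider file dbm
    AuthUserFile "/placeholder/conf/htpasswd"
    AuthDBMUserFile "/placeholder/conf/users.dbm"
    Require valid-user
</Location>

# Digest auth against a DBM backend: only the AuthType and the provider
# directive change, no separate "digest + dbm" module is needed.
# A Digest provider has to return the stored realm hash for the user, so a
# backend can serve Digest only if it holds that hash.
<Location "/reports">
    AuthType Digest
    AuthName "Reports"
    AuthDigestProvider dbm
    AuthDBMUserFile "/placeholder/conf/digest-users.dbm"
    Require valid-user
</Location>
```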