> Sander Striker wrote:
> 
> > IMO this should be split.  Auth and authz are
> > completely different things and it would be nice
> > to have different modules to do authentication
> > in a different way, but still utilize the same
> > authorization method.
> 
> I'm not sure if splitting them will accomplish this though. From the
> LDAP auth stuff, the authentication phase and the authorisation phase
> are separate, but share common configuration parameters (LDAP bind info,
> for example), so splitting them wouldn't make much sense.

In all the modules the phases are separate, because they all hook
check_user_id and check_user_access.  There is no way however to
determine the group a user is in from check_user_id in a non module
specific way.  I would like _that_ to be possible, since now, the
authz part (check_user_access) is doing stuff auth should do: checking
for group membership.

> Also - there isn't a clear line over what constitutes an authentication
> token - again, the LDAP authenticator converts a provided username into
> a DN, which the authorisation phase uses to apply to the require
> directives. If you have to mix up the different modules, you would need
> to make sure they are all talking the same language (so to speak).

Yes, but I don't see that as a problem.  Right now, the same is
true for the FakeBasicAuth feature of mod_ssl which provides a one line
DN as the username.

> Regards,
> Graham

Sander
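The split Sander argues for, sketched as an added example (not code from the thread or from httpd): the authentication phase returns a principal that already carries its group membership, and a single backend-agnostic authorization phase evaluates require-style directives against it. Provider names, users, passwords and the DN are constructed for illustration.

```python
"""Authentication (who are you, which groups) separated from authorization
(may this principal enter), modelled on the check_user_id / check_user_access
hook split. Constructed example: providers and sample data are made up."""
import hmac
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass(frozen=True)
class Principal:
    name: str                      # username or DN, whatever the backend uses
    groups: frozenset = field(default_factory=frozenset)

# --- authentication side (check_user_id) ------------------------------------
# Each provider resolves groups itself and returns them on the Principal, so
# the authz phase never needs provider-specific group lookups.
FLAT_USERS = {"alice": ("s3cret", {"admins", "staff"}),
              "bob": ("hunter2", {"staff"})}

def flatfile_auth(user: str, password: str) -> Optional[Principal]:
    entry = FLAT_USERS.get(user)
    if entry is None or not hmac.compare_digest(entry[0], password):
        return None
    return Principal(user, frozenset(entry[1]))

# Stand-in for a directory-style provider: login -> (DN, password, groups);
# the DN becomes the principal name, as the LDAP authenticator does.
DIRECTORY = {"carol": ("cn=carol,ou=people,dc=example,dc=org", "pw", {"staff"})}

def directory_auth(user: str, password: str) -> Optional[Principal]:
    entry = DIRECTORY.get(user)
    if entry is None or not hmac.compare_digest(entry[1], password):
        return None
    return Principal(entry[0], frozenset(entry[2]))

# --- authorization side (check_user_access) ---------------------------------
def authorize(p: Principal, requires: list) -> bool:
    """requires: list of (kind, values) like 'require' lines; any match grants.
    Only the Principal is consulted, so it works for every provider."""
    for kind, values in requires:
        if kind == "valid-user":
            return True
        if kind == "user" and p.name in values:
            return True
        if kind == "group" and p.groups & values:
            return True
    return False

def check_access(auth: Callable, user: str, password: str, requires: list) -> bool:
    p = auth(user, password)           # authentication phase
    return p is not None and authorize(p, requires)   # authorization phase
```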
