Hi Justin -

>-- Original Message --
>Reply-To: [EMAIL PROTECTED]
>Date: Mon, 26 Aug 2002 23:44:32 -0700
>From: Justin Erenkrantz <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Re: authentication rewrite
>
>My point is that I need to add another front end authentication
>module (namely within mod_dav). I think it'd be pointless to
>duplicate all of the backend work done in mod_auth* so that
>mod_dav can authenticate users. The current authentication API
>can't work as it combines the front and back-ends. The answer we
>give to people is, "cut-and-paste." Ick. Therefore, yes, I think
>we have to introduce another level as what we have now is
>insufficient.

I understand your point, and I think it's a good one. I just wanted to
raise a concern (which I still think is important to think about).
About a year and a half ago I abstracted the auth stuff in a similar
way - in my case, however, I wanted the back ends to have much richer
authorization functionality than the current AAA modules. In a
'require group' world, it is very nice to abstract this stuff out so
backends can be re-used, and apache specific logic can be centralized -
as you have proposed. But it will be harder to plug in backends that
try to do more with requirements (of which there really aren't many) -
which is probably fine.

>In my vision, the LDAP module would have its own directives/options
>to specify what it returns. So, I don't think this is a big concern.
>
>I'd imagine something like:
>
>AuthProvider ldap
>AuthLDAPServer ldap.example.com
>AuthLDAPBase o=example.com
>AuthLDAPUserSearch (username=%s)
>AuthLDAPGroupSearch (groupmember=%s)

Here's a couple of comments on the implementation:

1) It looks like the 'AuthProvider' does not allow you to stack auth
   handlers. It would be cool (if not critical :) if it was more of an
   AddAuthProvider - then the basic auth handler loops through all
   providers that are added. This way you could configure ldap and
   anon for a given location.

2) If you do allow stacking of providers like this, you need to also
   provide the ability to specify which one is authoritative (if any).

3) Maybe I'm missing something, but why did you rewrite
   ap_note_basic_auth_failure and ap_get_basic_auth? Assuming there
   was a reason, maybe a comment in the code would help clarify it.

Hope this helps.

sterling
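
Added example, not part of the original message or of the httpd code base: a self-contained C model of the stacked-provider loop from points 1 and 2, showing that a wrong password at one provider must not fall through to the next and that an authoritative provider ends the search. The type, function and provider names and the per-provider authoritative flag are hypothetical, and the two check functions are constructed stand-ins for real backends.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical result codes for one provider's answer. */
typedef enum { AUTH_GRANTED, AUTH_DENIED, AUTH_USER_NOT_FOUND } auth_result;

typedef auth_result (*check_fn)(const char *user, const char *pw);

typedef struct {
    const char *name;
    check_fn check;
    int authoritative;  /* 1: no later provider is consulted for its misses */
} provider;

/* Constructed stand-in for an LDAP backend that knows one user. */
static auth_result check_ldap(const char *user, const char *pw) {
    if (strcmp(user, "alice") != 0) return AUTH_USER_NOT_FOUND;
    return strcmp(pw, "s3cret") == 0 ? AUTH_GRANTED : AUTH_DENIED;
}

/* Constructed stand-in for an anonymous backend: accepts "anonymous" only. */
static auth_result check_anon(const char *user, const char *pw) {
    (void)pw;
    return strcmp(user, "anonymous") == 0 ? AUTH_GRANTED : AUTH_USER_NOT_FOUND;
}

/* Walk the providers in configuration order and fail closed. */
auth_result check_stack(const provider *p, size_t n,
                        const char *user, const char *pw) {
    for (size_t i = 0; i < n; i++) {
        auth_result r = p[i].check(user, pw);
        if (r == AUTH_GRANTED) return AUTH_GRANTED;
        /* Known user, bad password: a later provider must not override. */
        if (r == AUTH_DENIED) return AUTH_DENIED;
        /* Unknown user: only a non-authoritative provider passes it on. */
        if (p[i].authoritative) return AUTH_DENIED;
    }
    return AUTH_DENIED;  /* no provider vouched for the user */
}

/* Same stack twice; only the authoritative flag on ldap differs. */
const provider ldap_then_anon[] = {
    { "ldap", check_ldap, 0 }, { "anon", check_anon, 0 },
};
const provider ldap_authoritative[] = {
    { "ldap", check_ldap, 1 }, { "anon", check_anon, 0 },
};
```

With the flag clear, the anonymous login reaches the second provider; with ldap marked authoritative, the same request is denied without anon being asked.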