Brad Nicholes wrote:
On 8/2/2006 at 9:01 AM, in message <[EMAIL PROTECTED]>, Jason Keltz
I'm confused by an aspect of the new 2.2.X authentication scheme which I was hoping someone might be able to help with. If I want to port the "AuthPAM_Enabled on|off" into the new module, where would it go? It looks like there should be a mod_authn_pam which just handles only the pam authentication, and then, say, a mod_authz_pamgroup that handles the "require group" directive, but it isn't clear to me where the enable flag belongs. I looked through the modules that come with Apache. The only module that has an enable-type flag seems to be the ldap module, yet all of the references to the enable flag are commented out in that code. I wonder why?
Understand that I have not looked at the auth_pam module so I don't know exactly what all of the different configuration directives do. However, it is highly likely that you do not even need the AuthPAM_Enabled directive any more. Under the new architecture, enabling or disabling an authn module is done by simply including it in or excluding it from the AuthXXXProvider directive.
Actually, that makes a lot of sense. However, I have another similar difficulty. I had also added my own "AuthPAMEngine" command to mod_auth_pam that would only work from the server configuration. It is a very simple flag that could be toggled at the server level. This way, I could allow mod_auth_pam to be used on only specific virtual servers. I enabled it only in our SSL configuration. Could that also be integrated into the mod_authn_pam module? Is there a better way in Apache that permits the web site owner to restrict access to modules from within particular virtual servers?
Further, how about the AuthFailDelay and AuthPAM_FallThrough? Would these go into mod_authn_pam as well? As far as I can see, mod_authz_pam doesn't seem necessary since the basic authentication covers the use of "require user"...
I would guess that the only thing required is that you create a
mod_authn_pam authentication module and that an authz_pam module is not
needed. Unless you have the need to implement a very specialized type
of authorization, you can simply rely on the existing authz modules to
do the work. However, if you do need a specialized PAM group
authorization for example, rather than implementing another 'Require
group xxx' directive, you would need to implement a 'pam-group'
authorization type. See mod_authnz_ldap or mod_authz_dbm as examples.
Excellent.. Thanks for that..
Jason.
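The configuration below is an added example, not part of the thread and not from mod_auth_pam or httpd itself. It shows the point Brad makes: under the 2.2 provider architecture the old AuthPAM_Enabled and the per-vhost AuthPAMEngine flag both collapse into whether the provider is listed in AuthBasicProvider in a given virtual host, and "Require valid-user" / "Require group" are served by the stock mod_authz_user and mod_authz_groupfile modules with no PAM-specific authz module. The provider name "pam", the hostnames, and all file paths are assumptions for illustration; the ported module would register whatever provider name it passes to ap_register_provider.

```apache
# Added example; assumed provider name "pam" and assumed paths throughout.

# Plain HTTP vhost: the PAM provider is simply not listed here, so it is
# never consulted for this host. No enable/disable directive is needed.
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/html
    <Directory /var/www/html/private>
        AuthType Basic
        AuthName "Private"
        AuthBasicProvider file
        AuthUserFile /etc/httpd/conf/htpasswd
        Require valid-user
        # Keep .htaccess from re-selecting providers for this tree.
        AllowOverride None
    </Directory>
</VirtualHost>

# SSL vhost: this is the only place the PAM provider appears, which is
# what the old server-level AuthPAMEngine flag was used for.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile /etc/httpd/ssl/server.crt
    SSLCertificateKeyFile /etc/httpd/ssl/server.key
    <Directory /var/www/html/private>
        AuthType Basic
        AuthName "Private (PAM)"
        # Providers are tried in order. mod_auth_basic only moves on to the
        # next provider when the previous one reports AUTH_USER_NOT_FOUND;
        # a wrong password (AUTH_DENIED) stops the chain, so "fall through"
        # is expressed by the provider's return value, not a directive.
        AuthBasicProvider pam file
        AuthUserFile /etc/httpd/conf/htpasswd
        # Group checks come from mod_authz_groupfile, not a mod_authz_pam.
        AuthGroupFile /etc/httpd/conf/htgroups
        Require group staff
        # With "On" (the default) a user unknown to every provider gets a
        # 401 here instead of being passed to other auth modules.
        AuthBasicAuthoritative On
        AllowOverride None
    </Directory>
</VirtualHost>
```

The AllowOverride None lines matter for the "restrict access to modules within particular virtual servers" question: AuthBasicProvider is an AuthConfig-context directive, so a directory that permits AuthConfig overrides would let a .htaccess file add the pam provider back on the plain-HTTP host.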