>>> On 8/2/2006 at 10:53 AM, in message <[EMAIL PROTECTED]>, Jason Keltz <[EMAIL PROTECTED]> wrote:
> Brad Nicholes wrote:
>>>>> On 8/2/2006 at 9:01 AM, in message <[EMAIL PROTECTED]>,
>> Jason Keltz
>>
>> Understand that I have not looked at the auth_pam module so I don't
>> know exactly what all of the different configuration directives do.
>> However it is highly likely that you do not even need the
>> AuthPAM_Enabled directive any more. Under the new architecture,
>> enabling or disabling an authn module is done by simply including it or
>> excluding it from the AuthXXXProvider directive.
>
> Actually, that makes a lot of sense. However, I have another similar
> difficulty. I had also added my own "AuthPAMEngine" command to
> mod_auth_pam that would only work from the server configuration. It is
> a very simple flag that could be toggled at the server level. This way,
> I could allow mod_auth_pam to be used on only specific virtual servers.
> I enabled it only in our SSL configuration. Could that also be
> integrated into the mod_authn_pam module? Is there a better way in
> Apache that permits the web site owner to restrict access to modules
> from within particular virtual servers?
>

You could implement an AuthPAMEngine directive in mod_authn_pam but you would have to decide exactly what that means. Keep in mind that under the authnz architecture, every provider listed in a specific AuthnXXXProvider directive will be called and must return some kind of AUTH_XXX code. If a provider is not listed in a particular AuthnXXXProvider directive for a <Directory> or <Location> block, the provider will not be called for that block. So like I mentioned before, enabling or disabling it is simply a matter of including it in the AuthnXXXProvider directive or not.

If you did implement an AuthPAMEngine directive, you would need to decide what 'AuthPAMEngine Off' means as far as which auth code should be returned. If you return an AUTH_DENIED then other authn providers that follow your authn_pam provider that are listed in the AuthnXXXProvider directive would be called and allowed to authenticate the user, otherwise the request would be denied. If you returned AUTH_GRANTED then only the authn providers that were listed previous to your authn_pam provider would have been called and authentication would stop at that point and granted. There isn't a DECLINED option anymore. Basically if your PAM provider is never included in any AuthnXXXProvider directive, then it is never called and is just dead code (i.e., disabled).

Brad
