> -----Original Message-----
> From: Müller Johannes
> Sent: Friday, 4 July 2008 15:09
> To: [email protected]
> Subject: RE: Client authorization against LDAP using client
> certificates
>
> So far so good, but how to handle fallback to basic
> authentication if the client has no certificate
> (SSLVerifyClient optional)?
> If we created a new module mod_auth_cert and there is no
> username from mod_ssl we would like to call mod_auth_basic.
> If I understood you right, I would hook mod_auth_cert before
> mod_auth_basic and let it react on AuthType Basic.
> If mod_auth_cert then returns DECLINED, mod_auth_basic runs
> and does basic authentication.
>
> That would work, but I personally don't like it.
> If I configure "AuthType Basic" I want to do basic auth, not
> cert auth.
> If I created a new module I would prefer configuring
> "AuthType Cert" and doing something like "AuthCertFallback On"

You can do it this way and make your module non-authoritative by returning DECLINED. See

http://httpd.apache.org/docs/2.2/en/mod/mod_auth_basic.html#authbasicauthoritative
http://httpd.apache.org/docs/2.2/en/mod/mod_authnz_ldap.html#authzldapauthoritative

You can make this configurable by creating something like an AuthCertAuthoritative directive in your module. And based on its value you return either DECLINED or DONE.

Regards

Rüdiger
