Maybe let's concentrate on non-third-party modules.
Basically there is mod_auth_basic and mod_auth_digest on the top level followed 
by their providers on the second level.
In my opinion mod_auth_cert is another possibility to authenticate users on the 
same level as basic and digest, because it has nothing to do with basic and 
digest authentication in principle.
Therefore I would prefer a third AuthType named Cert or something to keep 
httpd's authentication model clean.

To support more than one authentication method at a time we would have to do 
fallback like "AuthType Cert, Basic".
I really share this opinion.

And finally, to use the same provider independent of the configured AuthType, 
we would have to rename the AuthBasicProvider and AuthDigestProvider directives.
In the end it would look like this:

AuthType Cert, Basic
AuthProvider ldap
AuthLDAP... 
 

-----Original Message-----
From: Graham Leggett [mailto:[EMAIL PROTECTED] 
Sent: Friday, 4 July 2008 15:20
To: [email protected]
Subject: Re: AW: Client authorization against LDAP using client certificates

Müller Johannes wrote:

> So far so good, but how to handle fallback to basic authentication if the 
> client has no certificate (SSLVerifyClient optional)?
> If we created a new module mod_auth_cert and there is no username from 
> mod_ssl we would like to call mod_auth_basic.
> If I understood you right, I would hook mod_auth_cert before mod_auth_basic 
> and let it react on AuthType Basic.
> If mod_auth_cert then returns DECLINED, mod_auth_basic runs and does basic 
> authentication.
> 
> That would work, but I personally don't like it.
> If I configure "AuthType Basic" I want to do basic auth, not cert auth.
> If I created a new module I would prefer configuring "AuthType Cert" and 
> doing something like "AuthCertFallback On"

Hmmm... this looks a little bit too cert specific.

It would be cool if we could support auth fallback in an arbitrary 
fashion. For example, if a user has a cert, use that as their identity, 
otherwise use their session identity from mod_auth_form, or failing that 
use basic authentication.

If all of them fail, then pick one of them to handle the "access denied" 
part (for example request a basic authentication username and password, 
or let mod_auth_form display a login form, whatever).

You might do something like this:

AuthType certificate, form, basic

Regards,
Graham
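
The ordered fallback discussed in this thread, modelled as stand-alone C (an added example, not httpd code and not written by either poster). The `request` fields, the method table and the rule that the last listed method issues the challenge are assumptions; each non-NULL field stands for a credential its own module has already validated.

```c
#include <string.h>

/* Constructed request model; a NULL field means the client sent nothing. */
typedef struct {
    const char *cert_cn;      /* identity from a verified client certificate */
    const char *session_user; /* identity from a form-login session */
    const char *basic_user;   /* identity from checked Basic credentials */
} request;

typedef enum { AUTH_DECLINED, AUTH_OK } auth_status;
typedef struct {
    const char *name;
    auth_status (*check)(const request *r, const char **user);
} auth_method;

static auth_status take(const char *v, const char **user) {
    if (v) *user = v;
    return v ? AUTH_OK : AUTH_DECLINED;
}
static auth_status by_cert(const request *r, const char **u)  { return take(r->cert_cn, u); }
static auth_status by_form(const request *r, const char **u)  { return take(r->session_user, u); }
static auth_status by_basic(const request *r, const char **u) { return take(r->basic_user, u); }

static const auth_method registry[] = {
    {"certificate", by_cert}, {"form", by_form}, {"basic", by_basic},
};

/* Try each method of a comma-separated list in order. On success *user is set
 * and the winning method is returned. If every method declines, *user is NULL
 * and the last listed method is returned as the one to issue the challenge.
 * An unknown name reached during the walk, or an empty list, returns NULL. */
const char *authenticate(const char *list, const request *r, const char **user) {
    char buf[128];
    const char *last = NULL;
    *user = NULL;
    if (strlen(list) >= sizeof buf) return NULL;
    strcpy(buf, list);
    for (char *tok = strtok(buf, ", "); tok; tok = strtok(NULL, ", ")) {
        const auth_method *m = NULL;
        for (size_t i = 0; i < sizeof registry / sizeof *registry; i++)
            if (strcmp(tok, registry[i].name) == 0) m = &registry[i];
        if (m == NULL) return NULL; /* fail closed on a misspelled method */
        if (m->check(r, user) == AUTH_OK) return m->name;
        last = m->name;
    }
    return last;
}
```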