Hi, I'm trying to revive mod_gnutls and bring it up to date with current
Apache module practices, and I'd like to use Apache 2.4's mod_auth
framework for user authentication via client-side certificates. I'm
limiting the scope of this question to authentication because I do not
have a good use case for mod_gnutls for authorization at this point.
It seems like mod_gnutls should use:
ap_register_auth_provider(p, AUTHN_PROVIDER_GROUP, …)
but it's not clear how it should be done.
In particular, the authn_provider struct doesn't seem well-suited to
non-password-based authentication mechanisms. Should I avoid that part
of the framework altogether, not call ap_register_auth_provider at all,
and just manually set r->user via ap_hook_check_authn(), or should I be
thinking about this a different way?
Looking at the codebase, it looks to me like the authn_provider makes
some basic assumptions that an authentication provider will verify a
username and a password against some source. This doesn't make sense in
the context of client-certificate-based authentication. There are other
contexts in which a module could provide authentication (verifying a
given identity, or associating an identity with a given request) without
doing the sort of password authentication that the authn_provider struct
seems to assume.
include/mod_auth.h has:
--
typedef enum {
    AUTH_DENIED,
    AUTH_GRANTED,
    AUTH_USER_FOUND,
    AUTH_USER_NOT_FOUND,
    AUTH_GENERAL_ERROR
} authn_status;

/* [...] */

typedef struct {
    /* Given a username and password, expected to return AUTH_GRANTED
     * if we can validate this user/password combination.
     */
    authn_status (*check_password)(request_rec *r, const char *user,
                                   const char *password);

    /* Given a user and realm, expected to return AUTH_USER_FOUND if we
     * can find a md5 hash of 'user:realm:password'
     */
    authn_status (*get_realm_hash)(request_rec *r, const char *user,
                                   const char *realm, char **rethash);
} authn_provider;
--
Any recommendations for how to best think about password-less
AUTHN_PROVIDER_GROUPs, or pointers to documentation that should clear it
up would be welcome.
Regards,
--dkg