On Thu, Nov 17, 2016 at 4:36 PM Robert Samuel Newson <[email protected]> wrote:
> Hi Tim,
>
> Authentication handlers are pluggable once again, and that feature will
> appear in our next release (tentatively designated 2.1.0).

Great, I thought I'd read that recently but couldn't put my finger on the post.

> We'd definitely merge a patch that added an authentication handler where
> the DN was used to look up a user in the normal CouchDB _users database.

This seems doable, at least as a starter project for me to try. The rest - eh, I wanted to see if there is any interest in it. Chaining multiple handlers would introduce a lot of complexity in this one area, but having this kind of integrated authentication adds a lot of security to the app, for people that require it.

Thanks for the reply. I'll take a look at the pluggable authentication handlers.

-Tim

> when we bring LDAP in, things get trickier. I'm sure we'd take a patch to
> add an LDAP authentication handler, but there's no precedent for handlers
> co-operating with other handlers (LDAP plus client cert). If you're
> prepared to do the work, I'm sure this could be figured out; I'm just
> saying the authentication system doesn't already support the notion, and we
> wouldn't want to make this part of couchdb much fiddlier.
>
> B.
>
> > On 17 Nov 2016, at 14:36, Timothy McKernan <[email protected]> wrote:
> >
> > Has there been any interest in adding support for two-way SSL
> > authentication? More specifically, I'm looking for a way to:
> >
> > - Verify a client's cert is valid,
> > - Check the cert's Certificate Authority(s) against a local store,
> > - Query a remote service to verify the cert hasn't been revoked (CRLs),
> > - Use the client's Distinguished Name to query a remote service (LDAP
> >   would be fine) to verify the user is authorized to connect,
> > - Use the client's Distinguished Name to authenticate the user in
> >   CouchDb, returning the user ctx.
> >
> > I've looked at how to add an auth handler in 2.0.0 and read some older
> > posts about it. It looks like at least src/chttpd/src/chttpd_auth.erl and
> > src/couch/src/couch_httpd_auth.erl need to be edited to use any new
> > handlers, is that right?
> >
> > I think my questions come down to:
> >
> > - Is there going to be support for two-way SSL auth?
> > - If not, is the authentication handler code going to be updated to
> >   allow new handlers to be plugged in (having the handlers implement a
> >   known interface) rather than hand-edit the above code?
> > - My requirements also suggest allowing a chain of handlers to be
> >   called, so that the details of CouchDb auth vs. CRL verification vs.
> >   LDAP can all be called one after the other, only going to the next
> >   handler if the previous handler succeeded.
> >
> > Right now I'm just trying to understand the scope of what's required to
> > add this, especially if it seems I'd be the one doing it.
> >
> > -Tim
> >
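The pipeline Tim lists above, written out as an added example. This is a Python sketch of the logic, not CouchDB's Erlang handler interface and not code from either poster. The first three checks (cert validity, chain to a local CA store, CRL) are pushed into the TLS handshake with the standard-library `ssl` module; the remaining steps run as a chain of handlers that stops at the first one that fails, ending with a DN lookup against a `_users`-style table. The CA name, the allow-list standing in for the LDAP query, the user table, the `peercert()` builder and every function name here are constructed for the example.

```python
"""Mutual-TLS authentication chain (added example; not CouchDB's Erlang code)."""
import ssl
from typing import Callable, Dict, List, Optional

Handler = Callable[[dict], Optional[dict]]  # returns updated ctx, or None to stop the chain


def mtls_server_context(cert_file=None, key_file=None, ca_file=None, crl_file=None):
    """Stages 1-3 (validity, chain to a local CA store, CRL) run inside the TLS
    handshake, so the handlers below only see clients that already passed them.
    File paths are deployment-specific; they are optional so the policy is testable."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED  # two-way TLS: no client cert, no handshake
    # The CRL is fetched out of band and loaded into the same store; with this flag
    # a missing or stale CRL fails the handshake instead of silently passing.
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    if cert_file and key_file:
        ctx.load_cert_chain(cert_file, key_file)
    for pem in (ca_file, crl_file):  # only these CA(s) are trusted, not the system store
        if pem:
            ctx.load_verify_locations(cafile=pem)
    return ctx


_SHORT = {"commonName": "CN", "organizationalUnitName": "OU", "organizationName": "O",
          "localityName": "L", "stateOrProvinceName": "ST", "countryName": "C"}


def _escape(value: str) -> str:
    """RFC 4514 escaping, so two certs with different DNs cannot collapse onto one key."""
    out = []
    for i, ch in enumerate(value):
        special = ch in ',+"\\<>;' or (ch == "#" and i == 0) or (ch == " " and i in (0, len(value) - 1))
        out.append("\\" + ch if special else ch)
    return "".join(out)


def rfc4514_dn(name: tuple) -> str:
    """Render a 'subject'/'issuer' tuple from SSLSocket.getpeercert() as an RFC 4514
    string, most specific RDN first (CN=alice,OU=...,O=...,C=US)."""
    return ",".join("+".join(f"{_SHORT.get(k, k)}={_escape(v)}" for k, v in rdn)
                    for rdn in reversed(name))


def extract_dn(ctx: dict) -> Optional[dict]:
    """Handler 1: getpeercert() returns {} for an unvalidated cert, so refuse
    anything without both subject and issuer rather than half-trusting it."""
    cert = ctx.get("peercert") or {}
    if "subject" not in cert or "issuer" not in cert:
        return None
    ctx["subject_dn"] = rfc4514_dn(cert["subject"])
    ctx["issuer_dn"] = rfc4514_dn(cert["issuer"])
    return ctx


def make_issuer_check(expected_issuer: str) -> Handler:
    """Handler 2: a DN is only meaningful together with the CA that asserted it;
    another CA in the trust store could issue a cert with the same CN."""
    return lambda ctx: ctx if ctx["issuer_dn"] == expected_issuer else None


def make_authz_check(authorized_dns: set) -> Handler:
    """Handler 3: stands in for the remote (LDAP) 'may this DN connect?' query."""
    return lambda ctx: ctx if ctx["subject_dn"] in authorized_dns else None


def make_user_lookup(users_by_dn: Dict[str, dict]) -> Handler:
    """Handler 4: map the DN to a _users-style doc and build the user context."""
    def lookup(ctx: dict) -> Optional[dict]:
        doc = users_by_dn.get(ctx["subject_dn"])
        if doc is None:
            return None
        ctx["user_ctx"] = {"name": doc["name"], "roles": list(doc["roles"])}
        return ctx
    return lookup


def run_chain(handlers: List[Handler], ctx: dict) -> Optional[dict]:
    """Call handlers in order; the first None aborts the chain (no user context)."""
    for handler in handlers:
        ctx = handler(ctx)
        if ctx is None:
            return None
    return ctx.get("user_ctx")


# Constructed sample data: a private CA, an allow-list standing in for LDAP,
# and one _users-style document keyed by DN (bob is authorized but has no doc).
TRUSTED_ISSUER = "CN=Example Internal CA,O=Example Corp,C=US"
AUTHORIZED_DNS = {"CN=alice,OU=Engineering,O=Example Corp,C=US",
                  "CN=bob,OU=Engineering,O=Example Corp,C=US"}
USERS_BY_DN = {"CN=alice,OU=Engineering,O=Example Corp,C=US": {"name": "alice", "roles": ["reader"]}}
CHAIN = [extract_dn, make_issuer_check(TRUSTED_ISSUER),
         make_authz_check(AUTHORIZED_DNS), make_user_lookup(USERS_BY_DN)]


def peercert(cn: str, issuer_cn: str = "Example Internal CA") -> dict:
    """Build the dict shape getpeercert() returns, for offline testing (constructed)."""
    return {"subject": ((("countryName", "US"),), (("organizationName", "Example Corp"),),
                        (("organizationalUnitName", "Engineering"),), (("commonName", cn),)),
            "issuer": ((("countryName", "US"),), (("organizationName", "Example Corp"),),
                       (("commonName", issuer_cn),))}


def authenticate(cert: dict) -> Optional[dict]:
    """What the auth handler would return for an already-TLS-validated client."""
    return run_chain(CHAIN, {"peercert": cert})


if __name__ == "__main__":
    print(authenticate(peercert("alice")))              # {'name': 'alice', 'roles': ['reader']}
    print(authenticate(peercert("bob")))                # None: authorized, but no _users doc
    print(authenticate(peercert("alice", "Other CA")))  # None: issuer not pinned CA
```

Two points the chain makes that the list of requirements leaves implicit: the DN is keyed together with a pinned issuer, because once more than one CA is in the store a subject name alone no longer identifies a principal; and the CRL flag is set before any file is loaded, so a deployment that forgets the CRL fails the handshake rather than quietly skipping revocation.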
