On Sat, Nov 26, 2005 at 10:56:23AM -0700, Brad Nicholes wrote:
> Speaking of authz rewrite, currently the directives 'authtype',
> 'authname' and 'require' are all implemented in the core module. This
> just doesn't seem like the right place for them so I am considering
> moving the directives to mod_authz_host.
Just a thought (sorry if this has been suggested before): perhaps you could
borrow some ideas from PAM. In PAM, each authentication module takes a turn,
and its results can be marked as "sufficient" or "required". Using this
model, "Satisfy All" could be
Require valid-user required
Allow from 192.168.1 required
whilst "Satisfy Any" could be
Require valid-user sufficient
Allow from 192.168.1 sufficient
Deny from all
although the choice of keywords could be made a lot clearer,especially
"require .. required"! IMO, "require..." and "allow..." are really just
'authorise by user' and 'authorise by host ip' respectively, so two cases of
more or less the same thing.
Also, I don't see why a single authorisation module couldn't be invoked more
than once:
Allow from 192.168.1 sufficient
Allow from 192.168.4 sufficient
Deny from 192.168 sufficient
Allow from all
would mean "deny from all 192.168 addresses except 192.168.1 and 192.168.4".
A formulation like the above is something that I personally would find a lot
easier to understand than the "order allow,deny" or "order deny,allow" stuff
required now, which I have to look up *every* time I use it to make sure I
get it the right way round :-)
Another model to look at would be Exim ACLs. Essentially, each ACL condition
can give an accept (2xx), reject (5xx) or defer (4xx) response. Then you
build up ACLs such as
accept condition1
condition2
condition3
(if all of condition1, condition2 and condition3 are true then the ACL
terminates with an 'accept' condition. If any defer, then the ACL defers.
Otherwise continue to the next ACL entry)
reject condition1
condition2
(if both of condition1 and condition2 are true then the ACL terminates with
a 'reject' condition)
Regards,
Brian.
