Here is the second attempt which actually works. It still needs some cleanup and auth_digest has not been accounted for yet, but it does let you define and call multiple alias providers that can be referenced from multiple locations. I would like to add it to modules/aaa if there are no objections.
The configuration syntax is as follows:
LoadModule authn_alias_module modules/authnalias.nlm

<IfModule mod_authn_alias.c>
    <AuthnProviderAlias ldap ldap-alias1>
        AuthLDAPBindDN cn=youruser,o=ctx
        AuthLDAPBindPassword yourpassword
        AuthLDAPURL ldap://ldap.host/o=ctx
    </AuthnProviderAlias>

    <AuthnProviderAlias ldap ldap-other-alias>
        AuthLDAPBindDN cn=yourotheruser,o=ctx
        AuthLDAPBindPassword yourotherpassword
        AuthLDAPURL ldap://other.ldap.host/o=ctx
    </AuthnProviderAlias>

    Alias /secure /webpages/secure
    <Directory /webpages/secure>
        Order deny,allow
        Allow from all
        AuthBasicProvider ldap-other-alias ldap-alias1
        AuthType Basic
        AuthName LDAP_Protected_Place
        AuthzLDAPAuthoritative off
        require valid-user
    </Directory>
</IfModule>
Brad
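
With the alias syntax above, AuthBasicProvider refers to names defined elsewhere in the file, so a mistyped or leftover alias is easy to miss. The lint check below is an added example, not part of the original message or of mod_authn_alias; the sample config is constructed, and BASE_PROVIDERS, the finding codes and the function names are assumptions made for illustration.

```python
import re
# Constructed sample in the syntax from the message; "ldap-typo" is deliberately undefined.
SAMPLE = """\
<AuthnProviderAlias ldap ldap-alias1>
AuthLDAPBindPassword yourpassword
AuthLDAPURL ldap://ldap.host/o=ctx
</AuthnProviderAlias>
<AuthnProviderAlias ldap ldap-other-alias>
AuthLDAPURL ldap://other.ldap.host/o=ctx
</AuthnProviderAlias>
<Directory /webpages/secure>
AuthBasicProvider ldap-typo ldap-alias1
</Directory>
"""
BASE_PROVIDERS = {"file", "dbm", "anon", "ldap"}  # assumption: non-alias provider names
OPEN = re.compile(r"<AuthnProviderAlias\s+(\S+)\s+([^\s>]+)\s*>", re.I)
CLOSE = re.compile(r"</AuthnProviderAlias\s*>", re.I)

def parse(text):
    """Return ({alias: {"base", "line", "directives"}}, [(line_no, provider_name)])."""
    aliases, refs, current = {}, [], None
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue  # skip blank lines and comments
        line = raw.strip(); m = OPEN.match(line)
        if m:  # start of an alias block: <AuthnProviderAlias base-provider alias-name>
            current = m.group(2)
            aliases[current] = {"base": m.group(1), "line": n, "directives": set()}
        elif CLOSE.match(line):
            current = None
        elif current:  # directive inside the alias block (names are case-insensitive)
            aliases[current]["directives"].add(parts[0].lower())
        elif parts[0].lower() == "authbasicprovider":
            refs += [(n, name) for name in line.split()[1:]]
    return aliases, refs

def lint(text, base_providers=BASE_PROVIDERS):
    """Return sorted (line_no, finding_code, provider_name) tuples."""
    aliases, refs = parse(text)
    used = {name for _, name in refs}
    out = [(n, "undefined-provider", name) for n, name in refs
           if name not in aliases and name not in base_providers]
    for name, info in aliases.items():
        if name not in used:  # leftover alias, possibly still holding credentials
            out.append((info["line"], "unused-alias", name))
        if "authldapbindpassword" in info["directives"]:
            out.append((info["line"], "bind-password-in-config", name))
    return sorted(out)
```

Calling lint(SAMPLE) reports the alias that carries a bind password, the alias nothing references, and the provider name that resolves to nothing.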
>>> [EMAIL PROTECTED] Tuesday, May 17, 2005 10:27:14 AM >>>
Here is an attempt at providing this functionality through a separate module
called mod_authn_alias. It follows the syntax outlined in the previous message
thread http://marc.theaimsgroup.com/?l=apache-httpd-dev&m=110995646219340&w=2
. However, I have run into a road block. In order to make this work,
mod_authn_alias needs to be able to retrieve the aliased per_dir configuration
and merge it into the current per_dir configuration before calling the real
check_password() provider function. I'm just not sure how to make this happen
given the amount of information that mod_authn_alias has at the point when the
merge_per_dir_config needs to happen.
Any ideas?
Brad
>>> [EMAIL PROTECTED] Friday, April 29, 2005 9:16:44 AM >>>
Has there been any further motion on the multiple AAA provider issue in 2.1?
Our customers really need to be able to directly authenticate against
multiple LDAPs (again, this is not a failover case -- the contents of
each LDAP are distinct and non-overlapping).
I *suspect* we're not the only ones who need multiple AAA data sources
of a single type, especially LDAP.
--
Jess Holle
mod_authn_alias.c
Description: Binary data
Index: modules/aaa/mod_auth_basic.c
===================================================================
--- modules/aaa/mod_auth_basic.c (revision 169705)
+++ modules/aaa/mod_auth_basic.c (working copy)
@@ -237,8 +237,12 @@
provider = current_provider->provider;
}
+ apr_table_setn(r->notes, AUTHN_PROVIDER_NAME_NOTE,
current_provider->provider_name);
+
auth_result = provider->check_password(r, sent_user, sent_pw);
+ apr_table_unset(r->notes, AUTHN_PROVIDER_NAME_NOTE);
+
/* Something occured. Stop checking. */
if (auth_result != AUTH_USER_NOT_FOUND) {
break;
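Review bot: the added apr_table_setn() reads current_provider->provider_name after the closing brace of the block that assigns provider = current_provider->provider, so it runs on every path through the loop. If that block is the non-NULL arm of a test on current_provider (the condition is outside the visible context), the other arm reaches this line with current_provider NULL and the dereference takes the request down. Set the note inside each arm instead: current_provider->provider_name in this one and the default provider's name in the other. apr_table_setn() stores the pointer without copying, which is acceptable here only because the note is unset right after check_password() returns.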
Index: modules/aaa/config.m4
===================================================================
--- modules/aaa/config.m4 (revision 169705)
+++ modules/aaa/config.m4 (working copy)
@@ -17,6 +17,9 @@
dnl keep the bad guys out.
APACHE_MODULE(authn_default, authentication backstopper, , , yes)
+dnl Provider alias module.
+APACHE_MODULE(authn_alias, auth provider alias, , , yes)
+
dnl Authorization modules: modules which verify a certain property such as
dnl membership of a group, value of the IP address against a list of pre
dnl configured directives (e.g. require, allow) or against an external file
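Review bot: the new APACHE_MODULE(authn_alias, ...) line passes yes as its last argument, the same as authn_default above it, so the alias module is built by default. The message describes the module as still needing cleanup and not yet covering auth_digest, so consider no here until that work is done, and expand the dnl comment to say what the module aliases.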
Index: modules/aaa/mod_auth.h
===================================================================
--- modules/aaa/mod_auth.h (revision 169705)
+++ modules/aaa/mod_auth.h (working copy)
@@ -30,6 +30,7 @@
#define AUTHN_DEFAULT_PROVIDER "file"
#define AUTHZ_GROUP_NOTE "authz_group_note"
+#define AUTHN_PROVIDER_NAME_NOTE "authn_provider_name"
typedef enum {
AUTH_DENIED,
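Review bot: AUTHN_PROVIDER_NAME_NOTE is added to mod_auth.h with no comment, although it defines a contract between modules through r->notes. Document next to the #define who sets it, who is expected to read it, and that it is valid only for the duration of the check_password() call, as the mod_auth_basic.c hunk sets it before the call and unsets it after.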
Index: modules/aaa/NWGNUmakefile
===================================================================
--- modules/aaa/NWGNUmakefile (revision 169705)
+++ modules/aaa/NWGNUmakefile (working copy)
@@ -155,6 +155,7 @@
$(OBJDIR)/authbasc.nlm \
$(OBJDIR)/authdigt.nlm \
$(OBJDIR)/authnano.nlm \
+ $(OBJDIR)/authnalias.nlm \
$(OBJDIR)/authndbm.nlm \
$(OBJDIR)/authndef.nlm \
$(OBJDIR)/authnfil.nlm \
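Review bot: authnalias.nlm has a ten-character stem, while every other target visible in this list (authbasc, authdigt, authnano, authndbm, authndef, authnfil) has eight. If that is a platform file-name limit rather than habit, shorten the name to fit and keep the LoadModule line in the message in step with it. The patch as posted only adds the target to this list, so also check that the makefile that builds it is included.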
