So far so good, but how to handle fallback to basic authentication if the client has no certificate (SSLVerifyClient optional)? If we created a new module mod_auth_cert and there is no username from mod_ssl, we would like to call mod_auth_basic. If I understood you right, I would hook mod_auth_cert before mod_auth_basic and let it react to AuthType Basic. If mod_auth_cert then returns DECLINED, mod_auth_basic runs and does basic authentication.
That would work, but I personally don't like it. If I configure "AuthType Basic" I want to do basic auth, not cert auth. If I created a new module I would prefer configuring "AuthType Cert" and doing something like "AuthCertFallback On".

Greetings

-----Original Message-----
From: Eric Covener [mailto:[EMAIL PROTECTED]
Sent: Friday, July 4, 2008 14:28
To: [email protected]
Subject: Re: Client authorization against LDAP using client certificates

On Fri, Jul 4, 2008 at 5:43 AM, Müller Johannes <[EMAIL PROTECTED]> wrote:
> Well, this would require quite big changes to all authentication modules, I guess.
> I think the better way would be to skip authentication completely in mod_auth_basic in case the user is set in the request object, because the user is already authenticated somehow through mod_ssl.

Your solution 2 is not difficult at all, and you don't even really need to use a new AuthType. Simply returning OK or DECLINED from your new module's early ap_hook_check_user_id, and letting authz run as normal, is sufficient for cert-based auth.

--
Eric Covener
[EMAIL PROTECTED]
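The hook ordering discussed in this thread, modelled as an added example that is not part of either message and is not httpd code. The `request` struct, the function names and the `alice`/`s3cret` account are constructed stand-ins for `request_rec`, the hypothetical mod_auth_cert, and mod_auth_basic.

```c
/* Simplified model of a run-first check_user_id chain: the first hook
 * that does not return DECLINED decides the outcome. Not the httpd API. */
#include <stdio.h>
#include <string.h>

#define OK 0
#define DECLINED (-1)
#define HTTP_UNAUTHORIZED 401

typedef struct {
    const char *ssl_user;    /* user derived from a verified client cert, or NULL */
    const char *basic_user;  /* credentials from the Authorization header, or NULL */
    const char *basic_pass;
    const char *user;        /* result: the authenticated user */
} request;

/* Hypothetical mod_auth_cert hook: accept the cert user, else step aside. */
static int cert_check_user_id(request *r) {
    if (r->ssl_user == NULL || r->ssl_user[0] == '\0')
        return DECLINED;     /* no client certificate: let the next hook try */
    r->user = r->ssl_user;
    return OK;
}

/* Stand-in for mod_auth_basic with one constructed account. */
static int basic_check_user_id(request *r) {
    if (r->basic_user && r->basic_pass &&
        strcmp(r->basic_user, "alice") == 0 &&
        strcmp(r->basic_pass, "s3cret") == 0) {
        r->user = r->basic_user;
        return OK;
    }
    return HTTP_UNAUTHORIZED; /* missing or wrong credentials: challenge */
}

/* Returns the authenticated user, or NULL when the request is refused. */
const char *authenticated_user(const char *ssl_user, const char *bu, const char *bp) {
    request r = { ssl_user, bu, bp, NULL };
    int (*chain[])(request *) = { cert_check_user_id, basic_check_user_id };
    for (size_t i = 0; i < sizeof chain / sizeof chain[0]; i++) {
        int rv = chain[i](&r);
        if (rv != DECLINED)
            return rv == OK ? r.user : NULL;
    }
    return NULL;              /* every hook declined: fail closed */
}

int main(void) {
    const char *u = authenticated_user(NULL, "alice", "wrong");
    printf("cert: %s\n", authenticated_user("bob", NULL, NULL));
    printf("no cert, bad password: %s\n", u ? u : "(refused)");
    return 0;
}
```

In this model the cert hook must return DECLINED, never OK, when no verified certificate user exists; otherwise the basic hook never runs and the request passes to authz with no user set.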
