> 1) for authentication: depend upon mod_ssl configured with an appropriate
> SSLVerifyClient option. [i.e. decline to authenticate a user if no client
> cert was passed; be configurable to fail or warn stridently if a client cert
> was passed but "SSLVerifyClient optional_no_ca" is in use]

With you here, the big decision is whether to impersonate basic auth or to run before it.

> 2) for authorization: like mod_authnz_ldap, support dn, group [to include
> nested group], attribute, and filter require directives

disagree here, why/where are you going to query this stuff? Why not just use it in conjunction with LDAP authz?

> 3) provide the same flexibility as mod_authnz_ldap with respect to
> configuring the LDAP connection and working with various LDAP libraries

-1 if it were going into the actual Apache distribution!

> 4) be configurable to work with users' existing LDAP schemas without
> requiring changes in the directory.

sounds reasonable unless you're drawing a contrast with the current LDAP auth modules.

> Most of the "prior art" 3rd party modules I've seen out there seem to fall
> down in one or more of these respects.
>
> I'm new to Apache module development, and I recognize that stepping outside
> of "basic" and "digest" to create an entire new authorization provider type
> might be a lot to bite off. I invite any suggestions or tips--especially if
> someone has already "cracked this nut" in a generalizable way.

I think "AuthType cert" is reasonable as long as you can demonstrate using the traditional authz providers.

--
Eric Covener
cove...@gmail.com