Re: Beginner needs suggestion!


From: Frank Wiles
Subject: Re: Beginner needs suggestion!
Date: 21:27 on 06 Jan 2005
On Thu, 06 Jan 2005 22:20:10 +0100
vadim <vadim.tarassov@xxxxxxxxxxx.xx> wrote:

> Hallo everybody,
> 
> I need a suggestion as a beginner. I am trying to set up apache2
> server with subversion repository under it. I have to authenticate
> clients in the following way:
> 
> 1) As first, client may provide a valid SSL certificate. If client
> provides certificate, my small perl module goes to LDAP, gets some
> information from there using certificate's subject DN, and uses then
> this information for authorization purposes by svn.
> 
> 2) If client does not provide a certificate, I have to allow client to
> authenticate itself against mod_krb5, and to use client's Kerberos
> principal for authorization by svn.
> 
> I actually managed to implement both (1) and (2) in two different
> locations, which means that I've got two different subversion URL's,
> each implementing its own authentication mechanisms. 
> 
> Do you know if there is a possibility to merge both authentication
> mechanisms in one URL? Could you give me a hint please how can I allow
> subversion clients first to supply a certificate, and if they can not
> supply a certificate - to try to authenticate via SPNEGO and as last
> option - Kerberos user ID and Password, and all of this in one URL?
> 
> Thanx a lot and best regards, vadim tarassov
> -- 
> vadim <vadim.tarassov@xxxxxxxxxxx.xx>
> 

  I think you may have to write a mod_perl authentication module 
  that handles your krb5 authentication, but I could be wrong.  I don't
  think you can stack a mod_perl handler onto a C Apache module, but the
  basic premise is to stack the handlers like so: 

  PerlAuthenHandler MyHandler::SSL, MyHandler::KRB5

  And MyHandler::SSL should return Apache::DECLINED if it was not able
  to authenticate because no cert was given.  MyHandler::KRB5 would 
  then need to return Apache::OK on authentication or
  Apache::HTTP_UNAUTHORIZED if it was unable to auth the user. 

 ---------------------------------
   Frank Wiles <frank@xxxxx.xxx>
   http://www.wiles.org
 ---------------------------------
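
A stand-alone Perl model of the fall-through described in the reply above, added as an example and not code from the post or from mod_perl. The handler subs, the request hash fields, the DN-to-user table standing in for LDAP, and the choice to refuse an unmapped certificate are all assumptions made for illustration.

```perl
# Stand-alone model of stacked authen handlers; no Apache or mod_perl needed.
use strict; use warnings;

# Numeric values of the Apache status codes named in the reply.
use constant { OK => 0, DECLINED => -1, HTTP_UNAUTHORIZED => 401 };

# Constructed stand-in for the LDAP lookup keyed by certificate subject DN.
my %ldap_user_for_dn = ('CN=Alice Example,O=Example' => 'alice');

# Certificate handler: steps aside only when no certificate was presented.
sub ssl_handler {
    my ($req) = @_;
    return DECLINED unless defined $req->{client_dn};
    my $user = $ldap_user_for_dn{ $req->{client_dn} };
    # Assumption: a presented but unmapped certificate is refused, not passed on.
    return HTTP_UNAUTHORIZED unless defined $user;
    $req->{user} = $user;
    return OK;
}

# Kerberos handler: last in the stack, so it must give a final answer.
sub krb5_handler {
    my ($req) = @_;
    # 'krb_principal' stands in for a completed SPNEGO or password check.
    return HTTP_UNAUTHORIZED unless defined $req->{krb_principal};
    $req->{user} = $req->{krb_principal};
    return OK;
}

# Run handlers in order; the first status other than DECLINED ends the phase.
sub run_authen_phase {
    my ($req, @handlers) = @_;
    for my $h (@handlers) {
        my $status = $h->($req);
        return $status unless $status == DECLINED;
    }
    return HTTP_UNAUTHORIZED;    # assumption of this model: fail closed
}

# Constructed sample requests.
my @requests = (
    { name => 'cert',      client_dn     => 'CN=Alice Example,O=Example' },
    { name => 'kerberos',  krb_principal => 'bob@EXAMPLE.ORG' },
    { name => 'anonymous' },
    { name => 'unmapped',  client_dn => 'CN=Eve,O=Other', krb_principal => 'eve@EXAMPLE.ORG' },
);
for my $req (@requests) {
    my $status = run_authen_phase($req, \&ssl_handler, \&krb5_handler);
    printf "%-10s status=%-3d user=%s\n", $req->{name}, $status, $req->{user} // '-';
}
```

The last request shows why the certificate handler's DECLINED path should be limited to the no-certificate case: any broader fall-through lets a client with a rejected certificate retry as a Kerberos user.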
