Bug 55178

Summary: [PATCH] mod_authnz_ldap SASL authentication support
Product: Apache httpd-2
Reporter: Lubomir Rintel <lkundrak>
Component: mod_auth_ldap
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: NEW ---
Severity: normal
CC: dhawes, grawity
Priority: P2
Keywords: PatchAvailable
Version: 2.5-HEAD
Target Milestone: ---
Hardware: PC
OS: Linux
Attachments: mod_authn_ldap: Allow authentication with SASL
mod_authn_ldap: Allow specifying SASL interaction

Description Lubomir Rintel 2013-07-01 20:25:51 UTC
Created attachment 30516
mod_authn_ldap: Allow authentication with SASL

There is no SASL support in mod_authnz_ldap and mod_ldap respectively.

The attachments (apply to development trunk) add SASL support to the extent that Kerberos authentication via the GSSAPI mechanism can be used. They are accompanied by documentation (though I've sadly not been able to extend the French language version of the documentation for the modules):

* mod_authn_ldap: Allow authentication with SASL

The first patch adds a directive to specify the SASL mechanism. This alone is not enough for much practical use (apart from anonymous binds, or credentials supplied via other means, such as a pre-initialized Kerberos credentials cache), but lays the foundation for sane extending. It would be easy to e.g. add PLAIN authentication without hardcoding it, as is done in bug #51757.

* mod_authn_ldap: Allow specifying SASL interaction

This allows for running a command when SASL interaction is required to obtain credentials. The actual conversation is very mechanism-dependent (bug #51757 is a good example of how it could be extended for the PLAIN mechanism); this just delegates the work to a command. An example in the documentation shows how to use this to obtain a Kerberos TGT to initialize the credentials cache for the GSSAPI mechanism to succeed.

Comment 1 Lubomir Rintel 2013-07-01 20:26:12 UTC
Created attachment 30517
mod_authn_ldap: Allow specifying SASL interaction