Bug 55178 - [PATCH] mod_authnz_ldap SASL authentication support
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_auth_ldap
Version: 2.5-HEAD
Hardware: PC Linux
Importance: P2 normal with 3 votes
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Keywords: PatchAvailable
Reported: 2013-07-01 20:25 UTC by Lubomir Rintel
Modified: 2021-02-02 11:49 UTC



Attachments
mod_authn_ldap: Allow authentication with SASL (33.03 KB, patch)
2013-07-01 20:25 UTC, Lubomir Rintel
mod_authn_ldap: Allow specifying SASL interaction (32.12 KB, patch)
2013-07-01 20:26 UTC, Lubomir Rintel

Description Lubomir Rintel 2013-07-01 20:25:51 UTC
Created attachment 30516
mod_authn_ldap: Allow authentication with SASL

There is no SASL support in mod_authnz_ldap and mod_ldap, respectively.

The attachments (which apply to the development trunk) add SASL support to the extent that Kerberos authentication via the GSSAPI mechanism can be used. They are accompanied by documentation (though I've sadly not been able to extend the French-language version of the documentation for the modules):

* mod_authn_ldap: Allow authentication with SASL

The first patch adds a directive to specify the SASL mechanism. This alone is not enough for much practical use (apart from anonymous binds, or credentials supplied via other means, such as a pre-initialized Kerberos credentials cache), but lays a foundation for sane extension. It would be easy to e.g. add PLAIN authentication without hardcoding it, as is done in bug #51757.

* mod_authn_ldap: Allow specifying SASL interaction

This allows for running a command when SASL interaction is required to obtain credentials. The actual conversation is very mechanism-dependent (bug #51757 is a good example of how it could be extended for the PLAIN mechanism); this just delegates the work to a command. An example in the documentation shows how to use this to obtain a Kerberos TGT to initialize the credentials cache for the GSSAPI mechanism to succeed.
Comment 1 Lubomir Rintel 2013-07-01 20:26:12 UTC
Created attachment 30517
mod_authn_ldap: Allow specifying SASL interaction