Re: AW: Client authorization against LDAP using client certi…

Author: Graham Leggett
Date:  
To: dev
Subject: Re: AW: Client authorization against LDAP using client certificates
Müller Johannes wrote:

> So far so good, but how to handle fallback to basic authentication if the client has no certificate (SSLVerifyClient optional)?
> If we created a new module mod_auth_cert and there is no username from mod_ssl we would like to call mod_auth_basic.
> If I understood you right, I would hook mod_auth_cert before mod_auth_basic and let it react on AuthType Basic.
> If mod_auth_cert then returns DECLINED, mod_auth_basic runs and does basic authentication.
>
> That would work, but I personally don't like it.
> If I configure "AuthType Basic" I want to do basic auth, not cert auth.
> If I created a new module I would prefer configuring "AuthType Cert" and doing something like "AuthCertFallback On"


Hmmm... this looks a little bit too cert specific.

It would be cool if we could support auth fallback in an arbitrary
fashion. For example, if a user has a cert, use that as their identity,
otherwise use their session identity from mod_auth_form, or failing that
use basic authentication.

If all of them fail, then pick one of them to handle the "access denied"
part (for example request a basic authentication username and password,
or let mod_auth_form display a login form, whatever).

You might do something like this:

AuthType certificate, form, basic

Regards,
Graham
--
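
A stand-alone C model of the ordered fallback proposed in the message above, added here as an illustration; it is not code from the post or from httpd. The request struct, the provider table, the status values and the choice of the last listed method as challenger are all assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed request model: NULL means the client sent no such credential. */
typedef struct { const char *cert_cn, *form_session_user, *basic_user; } request;
typedef struct { const char *user; const char *method; int status; } auth_result;

typedef const char *(*provider_fn)(const request *);
static const char *from_cert(const request *r)  { return r->cert_cn; }
static const char *from_form(const request *r)  { return r->form_session_user; }
static const char *from_basic(const request *r) { return r->basic_user; }

/* Hypothetical provider names, taken from the proposed directive value. */
static const struct { const char *name; provider_fn fn; } providers[] = {
    { "certificate", from_cert }, { "form", from_form }, { "basic", from_basic },
};

/* Walk a list such as "certificate, form, basic" in order. The first provider
 * that yields an identity wins (status 200). If every provider declines, the
 * last listed one is named as the challenger (status 401); that choice is an
 * assumption. An unknown name or an empty list fails closed with status 500. */
auth_result authenticate(const char *auth_types, const request *r)
{
    auth_result res = { NULL, NULL, 401 };
    const size_t n = sizeof providers / sizeof providers[0];
    char buf[128];
    if (strlen(auth_types) >= sizeof buf) { res.status = 500; return res; }
    strcpy(buf, auth_types);
    for (char *tok = strtok(buf, ", "); tok; tok = strtok(NULL, ", ")) {
        size_t i = 0;
        while (i < n && strcmp(tok, providers[i].name) != 0) i++;
        if (i == n) { res.method = NULL; res.status = 500; return res; }
        res.method = providers[i].name;   /* static string, outlives buf */
        if ((res.user = providers[i].fn(r)) != NULL) { res.status = 200; return res; }
    }
    if (res.method == NULL) res.status = 500;  /* nothing to challenge with */
    return res;
}

int main(void)
{
    request with_cert = { "CN=alice", NULL, "bob" }, none = { NULL, NULL, NULL };
    auth_result a = authenticate("certificate, form, basic", &with_cert);
    auth_result b = authenticate("certificate, form, basic", &none);
    printf("%s via %s (%d)\n", a.user, a.method, a.status);
    printf("challenge via %s (%d)\n", b.method, b.status);
    return 0;
}
```

The list order decides which identity wins when a client presents more than one credential, so in this model a certificate CN takes precedence over a basic-auth username sent on the same request.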