SASL auth like libapache2-mod-authn-sasl
I would like to see lighttpd have SASL auth like libapache2-mod-authn-sasl. In libapache2-mod-authn-sasl you can get apache2.2 to ask saslauthd for user validation. Saslauthd can then ask PAM, and with pam_winbind you can ask AD or Samba.
saslauthd does run as root, but it uses a socket, not a port. In order for libapache2-mod-authn-sasl to auth against saslauthd, the user running libapache2-mod-authn-sasl has to be a member of the sasl group, because otherwise the user running the webserver cannot read/write to/from the socket.
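The socket exchange described above, as an added example that is not part of the original report and not lighttpd or Apache module code: a minimal client for the Cyrus saslauthd Unix-socket wire format (four length-prefixed fields in, one length-prefixed reply out) plus the permission check that the sasl group membership exists to satisfy. The socket path, the service name "http" and the sample credentials are assumptions; the daemon side in `demo()` is a constructed stand-in.

```python
import os
import socket
import stat
import struct

SASLAUTHD_MUX = "/var/run/saslauthd/mux"  # assumed path; varies by distribution

def encode_request(user, password, service, realm=""):
    """Four fields, each a 16-bit big-endian length followed by the bytes."""
    out = b""
    for field in (user, password, service, realm):
        data = field.encode("utf-8")
        if len(data) > 0xFFFF:
            raise ValueError("field does not fit a 16-bit length prefix")
        out += struct.pack("!H", len(data)) + data
    return out

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before the full reply arrived")
        buf += chunk
    return buf

def check_password(sock, user, password, service="http", realm=""):
    """Send one request on a connected socket; True only for an "OK" reply."""
    sock.sendall(encode_request(user, password, service, realm))
    (length,) = struct.unpack("!H", _recv_exact(sock, 2))
    return _recv_exact(sock, length)[:2] == b"OK"  # anything else fails closed

def can_use_socket(path=SASLAUTHD_MUX):
    """True if this process may connect: a socket we can read and write."""
    try:
        return stat.S_ISSOCK(os.stat(path).st_mode) and os.access(path, os.R_OK | os.W_OK)
    except OSError:  # missing path, or no search permission on the directory
        return False

def demo():
    # Constructed stand-in for saslauthd: the far end of a socketpair with
    # its reply queued in advance, so the example runs without a daemon.
    client, daemon = socket.socketpair()
    with client, daemon:
        daemon.sendall(struct.pack("!H", 2) + b"OK")
        return check_password(client, "alice", "example-password")

if __name__ == "__main__":
    print("socket usable:", can_use_socket(), "| constructed reply accepted:", demo())
```

Against a real daemon, connect an `AF_UNIX` stream socket to the mux path and use a fresh connection for each check; the password crosses the socket in clear text, which is why access to the socket is restricted to a group.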
#1 Updated by kevin.sumner over 6 years ago
+1 for this. SASL actually provides a lot of flexibility in terms of authentication and authorization back-ends. It allows for multiple mechanisms, including PAM (which gives a ton more functionality), KRB5, LDAP, SQL, and more. Cyrus SASL is probably the most well known implementation, and probably the implementation to reference; iirc, there are a couple of other SASL implementations as well, albeit less used. SASL is commonly used with mail servers, but many applications use it.
If you want to see exactly what SASL is about, RFC 4422 covers it.
Regarding (long ago) comments:
Can't you do this via a FastCGI authorizer?
Can't authorization be handled by a different FastCGI backend than the response part?
Yes to both, starting with lighttpd 1.4.42 (patches will be pushed to lighttpd git master later this week).