Feature #2275

SASL auth like libapache2-mod-authn-sasl

Added by jonb over 6 years ago. Updated 9 months ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
mod_auth
Target version:
-
Start date:
2010-11-19
Due date:
% Done:

0%

Estimated time:
Missing in 1.5.x:
No

Description

I would like to see lighttpd have SASL auth like libapache2-mod-authn-sasl. In libapache2-mod-authn-sasl you can get apache2.2 to ask the saslauthd for user validation. Saslauthd can then ask pam, and with pam_winbind you can ask AD or samba.

saslauthd does run as root, but it uses a socket, not a port. In order for libapache2-mod-authn-sasl to auth against saslauthd, the user running libapache2-mod-authn-sasl has to be a member of the sasl group, because otherwise the user running the webserver cannot read/write to/from the socket.

History

#1 Updated by kevin.sumner over 6 years ago

+1 for this. SASL actually provides a lot of flexibility in terms of authentication and authorization back-ends. It allows for multiple mechanisms, including PAM (which gives a ton more functionality), KRB5, LDAP, SQL, and more. Cyrus SASL is probably the most well known implementation, and probably the implementation to reference; iirc, there are a couple of other SASL implementations as well, albeit less used. SASL is commonly used with mail servers, but many applications use it.

If you want to see exactly what SASL is about, RFC 4422 covers it.

#2 Updated by darix over 6 years ago

if we ever do a sasl backend for mod_auth it will most likely be using dovecot. cyrus-sasl is just pita.

#3 Updated by Olaf-van-der-Spek over 6 years ago

Can't you do this via a FastCGI authorizer?

#4 Updated by darix over 6 years ago

sure you can. but sometimes it is pita.

#5 Updated by Olaf-van-der-Spek over 6 years ago

darix wrote:

sure you can. but sometimes it is pita.

Why?

#6 Updated by darix over 6 years ago

because you might have to patch applications that otherwise rely on the server having done basic auth.

#7 Updated by Olaf-van-der-Spek over 6 years ago

Can't authorization be handled by a different FastCGI backend than the response part?

#8 Updated by stbuehler over 6 years ago

No, not supported right now.

For example there are some open questions regarding post content - which backend should get it? both, only one?...

#9 Updated by Olaf-van-der-Spek over 6 years ago

The responder certainly needs it. The authorizer probably doesn't. So a first implementation might send it only to the responder.

#10 Updated by stbuehler over 6 years ago

so you don't think the authorizer might need the login data from a form?

and no, i will not implement it in 1.x.

#11 Updated by Olaf-van-der-Spek over 6 years ago

I didn't know any of the auth stuff supported form input. Doesn't the FastCGI spec say something about this?

#12 Updated by gstrauss 10 months ago

https://fast-cgi.github.io/spec#roles notes that the Responder and Filter roles receive the request body on the FCGI_STDIN stream. The spec says that the Authorizer role receives the FCGI_PARAMS stream, and does not mention the FCGI_STDIN stream for the Authorizer role.

#13 Updated by gstrauss 9 months ago

Regarding (long ago) comments:

Can't you do this via a FastCGI authorizer?

and

Can't authorization be handled by a different FastCGI backend than the response part?

Yes to both, starting with lighttpd 1.4.42 (patches will be pushed to lighttpd git master later this week)
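To make the Authorizer-role discussion in #12 and #13 concrete, here is an added example of a minimal FastCGI Authorizer written in Python. It is not code from lighttpd or from this ticket: it encodes and decodes raw FastCGI records, handles one Authorizer request that carries only FCGI_PARAMS (no FCGI_STDIN, matching the spec quoted in #12), checks an HTTP Basic credential against a constructed in-memory user table, and answers either `Status: 200` with a `Variable-REMOTE_USER` header for the responder, or `Status: 401` with a `WWW-Authenticate` challenge. The user table, realm and `build_authorizer_request` helper (which plays the web server's side) are assumptions for the example; a real authorizer would consult saslauthd, PAM or LDAP instead of a dict.

```python
import base64
import hmac
import struct

# FastCGI protocol constants (from the FastCGI specification)
FCGI_VERSION_1 = 1
FCGI_BEGIN_REQUEST, FCGI_END_REQUEST, FCGI_PARAMS, FCGI_STDIN, FCGI_STDOUT = 1, 3, 4, 5, 6
FCGI_AUTHORIZER = 2
FCGI_REQUEST_COMPLETE = 0

# Constructed user table for the example only (username -> password).
# A real authorizer would ask saslauthd / PAM / LDAP here.
USERS = {"alice": "correct horse battery staple"}
REALM = "example"  # assumed realm name


def encode_record(rec_type, request_id, content):
    """Wrap content in an 8-byte FastCGI record header plus padding to 8 bytes."""
    padding = (-len(content)) % 8
    header = struct.pack("!BBHHBx", FCGI_VERSION_1, rec_type, request_id, len(content), padding)
    return header + content + b"\0" * padding


def decode_records(data):
    """Split a byte stream into (type, request_id, content) tuples."""
    records, off = [], 0
    while off + 8 <= len(data):
        _ver, rec_type, rid, clen, plen = struct.unpack("!BBHHBx", data[off:off + 8])
        records.append((rec_type, rid, data[off + 8:off + 8 + clen]))
        off += 8 + clen + plen
    return records


def encode_pair(name, value):
    """FastCGI name-value pair: 1-byte lengths below 128, else 4 bytes with high bit set."""
    out = b""
    for part in (name, value):
        n = len(part)
        out += struct.pack("!B", n) if n < 128 else struct.pack("!I", n | 0x80000000)
    return out + name + value


def decode_params(blob):
    """Decode a concatenated FCGI_PARAMS body into a dict of str -> str."""
    params, off = {}, 0
    while off < len(blob):
        lens = []
        for _ in range(2):
            if blob[off] & 0x80:
                lens.append(struct.unpack("!I", blob[off:off + 4])[0] & 0x7FFFFFFF)
                off += 4
            else:
                lens.append(blob[off])
                off += 1
        name, off = blob[off:off + lens[0]], off + lens[0]
        value, off = blob[off:off + lens[1]], off + lens[1]
        params[name.decode()] = value.decode()
    return params


def basic_credential(user, password):
    """Build the value of an HTTP Basic Authorization header (helper for callers/tests)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_basic(authorization):
    """Return the username if the Basic credential is valid, else None."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    expected = USERS.get(user)
    # compare_digest keeps comparison time independent of where a mismatch occurs
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    return user


def build_authorizer_request(request_id, authorization=None):
    """Constructed stand-in for the web server: BEGIN_REQUEST(role=Authorizer) + PARAMS, no STDIN."""
    params = encode_pair(b"REQUEST_METHOD", b"GET") + encode_pair(b"REQUEST_URI", b"/private/")
    if authorization is not None:
        params += encode_pair(b"HTTP_AUTHORIZATION", authorization.encode())
    begin = struct.pack("!HB5x", FCGI_AUTHORIZER, 0)  # role, flags, reserved
    return (encode_record(FCGI_BEGIN_REQUEST, request_id, begin)
            + encode_record(FCGI_PARAMS, request_id, params)
            + encode_record(FCGI_PARAMS, request_id, b""))  # empty record ends PARAMS


def authorize(request_bytes):
    """Handle one Authorizer request; returns (http_status, response_bytes)."""
    params_blob, request_id, role = b"", None, None
    for rec_type, rid, content in decode_records(request_bytes):
        if rec_type == FCGI_BEGIN_REQUEST:
            request_id, role = rid, struct.unpack("!H", content[:2])[0]
        elif rec_type == FCGI_PARAMS:
            params_blob += content
        # FCGI_STDIN is not defined for the Authorizer role, so nothing is read from it
    if role != FCGI_AUTHORIZER:
        raise ValueError("only the Authorizer role is handled here")
    user = check_basic(decode_params(params_blob).get("HTTP_AUTHORIZATION", ""))
    if user:
        status, body = 200, f"Status: 200\r\nVariable-REMOTE_USER: {user}\r\n\r\n".encode()
    else:
        status, body = 401, f'Status: 401\r\nWWW-Authenticate: Basic realm="{REALM}"\r\n\r\n'.encode()
    end = struct.pack("!IB3x", 0, FCGI_REQUEST_COMPLETE)  # appStatus, protocolStatus
    out = (encode_record(FCGI_STDOUT, request_id, body) + encode_record(FCGI_STDOUT, request_id, b"")
           + encode_record(FCGI_END_REQUEST, request_id, end))
    return status, out


if __name__ == "__main__":
    print(authorize(build_authorizer_request(1, basic_credential("alice", "correct horse battery staple")))[0])
    print(authorize(build_authorizer_request(2, basic_credential("alice", "wrong")))[0])
```

On a 200 the `Variable-REMOTE_USER` header is what lets the server hand the authenticated name to the separate responder backend without that backend re-doing Basic auth (the concern raised in #6); in lighttpd such a backend is wired up through a `fastcgi.server` entry with `"mode" => "authorizer"`.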
