Feature #2275

closed

SASL auth like libapache2-mod-authn-sasl

Added by jonb over 13 years ago. Updated over 6 years ago.

Status:
Fixed
Priority:
Normal
Category:
mod_auth
Target version:
ASK QUESTIONS IN Forums:

Description

I would like to see lighttpd have SASL auth like libapache2-mod-authn-sasl. In libapache2-mod-authn-sasl you can get apache2.2 to ask the saslauthd for user validation. Saslauthd can then ask pam, and with pam_winbind you can ask AD or samba.

saslauthd does run as root, but it uses a socket, not a port. In order for libapache2-mod-authn-sasl to auth against saslauthd, the user running libapache2-mod-authn-sasl has to be a member of the sasl group, because otherwise the user running the webserver cannot read from/write to the socket.

Actions #1

Updated by kevin.sumner over 13 years ago

+1 for this. SASL actually provides a lot of flexibility in terms of authentication and authorization back-ends. It allows for multiple mechanisms, including PAM (which gives a ton more functionality), KRB5, LDAP, SQL, and more. Cyrus SASL is probably the most well known implementation, and probably the implementation to reference; iirc, there are a couple of other SASL implementations as well, albeit less used. SASL is commonly used with mail servers, but many applications use it.

If you want to see exactly what SASL is about, RFC 4422 covers it.

Actions #2

Updated by darix about 13 years ago

if we ever do a sasl backend for mod_auth it will most likely be using dovecot. cyrus-sasl is just pita.

Actions #3

Updated by Olaf-van-der-Spek about 13 years ago

Can't you do this via a FastCGI authorizer?

Actions #4

Updated by darix about 13 years ago

sure you can. but sometimes it is pita.

Actions #5

Updated by Olaf-van-der-Spek about 13 years ago

darix wrote:

sure you can. but sometimes it is pita.

Why?

Actions #6

Updated by darix about 13 years ago

because you might have to patch applications that otherwise rely on the server having done basic auth.

Actions #7

Updated by Olaf-van-der-Spek about 13 years ago

Can't authorization be handled by a different FastCGI backend than the response part?

Actions #8

Updated by stbuehler about 13 years ago

No, not supported right now.

For example there are some open questions regarding post content - which backend should get it? both, only one?...

Actions #9

Updated by Olaf-van-der-Spek about 13 years ago

The responder certainly needs it. The authorizer probably doesn't. So a first implementation might send it only to the responder.

Actions #10

Updated by stbuehler about 13 years ago

so you don't think the authorizer might need the login data from a form?

and no, i will not implement it in 1.x.

Actions #11

Updated by Olaf-van-der-Spek about 13 years ago

I didn't know any of the auth stuff supported form input. Doesn't the FastCGI spec say something about this?

Actions #12

Updated by gstrauss over 7 years ago

https://fast-cgi.github.io/spec#roles notes that the Responder and Filter roles receive the request body on the FCGI_STDIN stream. The spec says that the Authorizer role receives the FCGI_PARAMS stream, and does not mention the FCGI_STDIN stream for the Authorizer role.

Actions #13

Updated by gstrauss over 7 years ago

Regarding (long ago) comments:

Can't you do this via a FastCGI authorizer?

and

Can't authorization be handled by a different FastCGI backend than the response part?

Yes to both, starting with lighttpd 1.4.42 (patches will be pushed to lighttpd git master later this week)

Actions #14

Updated by gstrauss over 6 years ago

  • Status changed from New to Patch Pending
  • Target version set to 1.4.48

FastCGI authorizer has been an option since lighttpd 1.4.42, which allows a FastCGI authorizer separate from the request handler.

lighttpd 1.4.48 will include an experimental new module mod_authn_sasl to allow HTTP Basic authentication via saslauthd.
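To make concrete what "asking saslauthd for user validation" over its socket means (the mechanism the description relies on, and the one mod_authn_sasl reaches through libsasl2 with pwcheck_method saslauthd), here is an added example that is not lighttpd's or Cyrus SASL's code. It speaks the saslauthd mux protocol directly (four length-prefixed fields: login, password, service, realm; one length-prefixed "OK ..." / "NO ..." reply), and includes the socket-permission check behind the "sasl group" caveat from the description. The socket path is an assumed Debian/Ubuntu default.

```python
import os
import socket
import struct

# Assumed default saslauthd mux socket path (Debian/Ubuntu); adjust for your distro.
SASLAUTHD_MUX = "/var/run/saslauthd/mux"

def encode_field(value):
    """One saslauthd field: 16-bit big-endian length prefix, then the bytes."""
    data = value.encode("utf-8")
    if len(data) > 0xFFFF:
        raise ValueError("field too long for saslauthd protocol")
    return struct.pack("!H", len(data)) + data

def build_request(login, password, service="http", realm=""):
    """saslauthd expects exactly four length-prefixed fields in this order."""
    return b"".join(encode_field(f) for f in (login, password, service, realm))

def parse_response(data):
    """Reply is one length-prefixed string starting with 'OK' or 'NO'."""
    if len(data) < 2:
        raise ValueError("short saslauthd response")
    (length,) = struct.unpack("!H", data[:2])
    body = data[2:2 + length]
    if len(body) != length:
        raise ValueError("truncated saslauthd response")
    text = body.decode("utf-8", "replace")
    return text.startswith("OK"), text

def socket_accessible(path=SASLAUTHD_MUX):
    """The description's caveat: the web server's uid needs rw on the mux (the 'sasl' group)."""
    return os.access(path, os.R_OK | os.W_OK)

def check_password(login, password, service="http", realm="", path=SASLAUTHD_MUX):
    """Ask a running saslauthd whether login/password are valid for service/realm."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.settimeout(5.0)
        sock.connect(path)
        sock.sendall(build_request(login, password, service, realm))
        header = sock.recv(2)
        (length,) = struct.unpack("!H", header)
        body = b""
        while len(body) < length:
            chunk = sock.recv(length - len(body))
            if not chunk:
                break
            body += chunk
        return parse_response(header + body)
```

If `socket_accessible()` is false for the web server's uid, authentication fails before any credential is checked, which is the group-membership problem the description describes.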

Actions #15

Updated by gstrauss over 6 years ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100