SASL auth like libapache2-mod-authn-sasl
I would like to see lighttpd have SASL auth like libapache2-mod-authn-sasl. In libapache2-mod-authn-sasl you can get apache2.2 to ask the saslauthd for user validation. Saslauthd can then ask pam, and with pam_winbind you can ask AD or samba.
saslauthd does run as root, but it uses a socket, not a port. In order for libapache2-mod-authn-sasl to auth against saslauthd, the user running libapache2-mod-authn-sasl has to be a member of the sasl group, because otherwise the user running the web server cannot read from or write to the socket.
[mod_authn_sasl] SASL auth (new) (fixes #2275)
HTTP Basic authentication using saslauthd
server.modules += ( "mod_auth" )
server.modules += ( "mod_authn_sasl" )
auth.backend = "sasl"
auth.backend.sasl.opts = ( "pwcheck_method" => "saslauthd" ) # default
"SASL auth like libapache2-mod-authn-sasl"
Updated by kevin.sumner over 7 years ago
+1 for this. SASL actually provides a lot of flexibility in terms of authentication and authorization back-ends. It allows for multiple mechanisms, including PAM (which gives a ton more functionality), KRB5, LDAP, SQL, and more. Cyrus SASL is probably the most well known implementation, and probably the implementation to reference; iirc, there are a couple of other SASL implementations as well, albeit less used. SASL is commonly used with mail servers, but many applications use it.
If you want to see exactly what SASL is about, RFC 4422 covers it.
Updated by gstrauss over 1 year ago
Regarding (long ago) comments:
Can't you do this via a FastCGI authorizer?
Can't authorization be handled by a different FastCGI backend than the response part?
Yes to both, starting with lighttpd 1.4.42 (patches will be pushed to lighttpd git master later this week).
- Status changed from New to Patch Pending
- Target version set to 1.4.48
A FastCGI authorizer has been an option since lighttpd 1.4.42, which allows a FastCGI authorizer separate from the request handler.
lighttpd 1.4.48 will include an experimental new module mod_authn_sasl to allow HTTP Basic authentication via saslauthd.
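The socket-permission requirement from the issue description can be checked before enabling the module. The following is an added example, not part of the thread or of lighttpd; the account name `www-data`, the socket path `/var/run/saslauthd/mux` and the function names are assumptions, and only classic mode bits (no ACLs) on the socket and its directory are evaluated.

```python
import os
import pwd
from typing import Iterable, NamedTuple

class Verdict(NamedTuple):
    ok: bool
    reason: str

def ids_for(username: str) -> tuple[int, set[int]]:
    """Return (uid, all group ids) for a local account, supplementary groups included."""
    pw = pwd.getpwnam(username)
    return pw.pw_uid, set(os.getgrouplist(username, pw.pw_gid))

def _allowed(st: os.stat_result, uid: int, gids: Iterable[int], want: int) -> bool:
    """Unix mode check: exactly one class (owner, group, other) applies."""
    if uid == 0:
        return True  # root bypasses mode bits
    if st.st_uid == uid:
        bits = (st.st_mode >> 6) & 7
    elif st.st_gid in set(gids):
        bits = (st.st_mode >> 3) & 7
    else:
        bits = st.st_mode & 7
    return bits & want == want

def check_saslauthd_access(sock_path: str, uid: int, gids: Iterable[int]) -> Verdict:
    """Can this uid/gid set reach the saslauthd socket for read and write?"""
    directory = os.path.dirname(sock_path) or "."
    d = os.stat(directory)
    if not _allowed(d, uid, gids, 0o1):  # search (x) on the socket directory
        return Verdict(False, f"no search permission on directory {directory} "
                              f"(mode {d.st_mode & 0o777:o}, gid {d.st_gid})")
    s = os.stat(sock_path)
    if not _allowed(s, uid, gids, 0o6):  # read + write on the socket itself
        return Verdict(False, f"no read/write permission on {sock_path} "
                              f"(mode {s.st_mode & 0o777:o}, gid {s.st_gid})")
    return Verdict(True, "socket reachable")

if __name__ == "__main__":
    # Assumed account name and socket path; adjust to the local install.
    uid, gids = ids_for("www-data")
    print(check_saslauthd_access("/var/run/saslauthd/mux", uid, gids))
```

A failing verdict names the directory or socket whose group the web server account needs to join, which is preferable to loosening the mode bits on the socket.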