On Thu, 06 Jan 2005 22:20:10 +0100
vadim <[EMAIL PROTECTED]> wrote:

> Hallo everybody,
>
> I need a suggestion as a beginner. I am trying to set up apache2
> server with subversion repository under it. I have to authenticate
> clients in the following way:
>
> 1) As first, client may provide a valid SSL certificate. If client
> provides certificate, my small perl module goes to LDAP, gets some
> information from there using certificate's subject DN, and uses then
> this information for authorization purposes by svn.
>
> 2) If client does not provide a certificate, I have to allow client to
> authenticate itself against mod_krb5, and to use client's Kerberos
> principal for authorization by svn.
>
> I actually managed to implement both (1) and (2) in two different
> locations, which means that I've got two different subversion URL's,
> each implementing its own authentication mechanisms.
>
> Do you know if there is a possibility to merge both authentication
> mechanisms in one URL? Could you give me a hint please how can I allow
> subversion clients first to supply a certificate, and if they can not
> supply a certificate - to try to authenticate via SPNEGO and as last
> option - Kerberos user ID and Password, and all of this in one URL?
>
> Thanx a lot and best regards, vadim tarassov
> --
> vadim <[EMAIL PROTECTED]>

I think you may have to write a mod_perl authentication module that
handles your krb5 authentication, but I could be wrong. I don't think
you can stack a mod_perl handler onto a C Apache module, but the basic
premise is to stack the handlers like so:

    PerlAuthenHandler MyHandler::SSL MyHandler::KRB5

And MyHandler::SSL should return Apache::DECLINED if it was not able
to authenticate because no cert was given. MyHandler::KRB5 would then
need to return Apache::OK on authentication or
Apache::HTTP_UNAUTHORIZED if it was unable to auth the user.

 ---------------------------------
   Frank Wiles <[EMAIL PROTECTED]>
   http://www.wiles.org
 ---------------------------------
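
The stacking described in the reply above, written out as an added example that is not part of the original thread and not either poster's code. It uses the mod_perl 2 `Apache2::` names rather than the `Apache::` constants quoted in the reply, covers only the certificate and Kerberos password paths (not SPNEGO), and assumes the mod_ssl settings shown in its comments, the CPAN module Authen::Krb5::Simple, and a placeholder realm.

```perl
# Added example, not code from the thread. Assumed httpd.conf for the one URL:
#   SSLVerifyClient optional
#   SSLUserName SSL_CLIENT_S_DN
#   AuthType Basic
#   AuthName "svn"                      (constructed realm label)
#   Require valid-user
#   PerlAuthenHandler MyHandler::SSL MyHandler::KRB5
package MyHandler::SSL;
use strict;
use warnings;
use Apache2::RequestRec ();
use Apache2::Const -compile => qw(OK DECLINED);

sub handler {
    my $r = shift;
    # With SSLUserName set, mod_ssl has already stored the verified
    # certificate's subject DN in $r->user; it is unset without a certificate.
    my $dn = $r->user;
    # No certificate: decline, so the next stacked handler gets its turn.
    return Apache2::Const::DECLINED unless defined $dn && length $dn;
    $r->ap_auth_type('ClientCert');     # constructed label for logs
    return Apache2::Const::OK;          # $r->user (the DN) feeds authorization
}

package MyHandler::KRB5;
use strict;
use warnings;
use Apache2::RequestRec ();
use Apache2::Access ();
use Authen::Krb5::Simple ();            # assumption: installed from CPAN
use Apache2::Const -compile => qw(OK HTTP_UNAUTHORIZED);

my $REALM = 'EXAMPLE.ORG';              # placeholder realm

sub handler {
    my $r = shift;
    # Without an Authorization header this returns HTTP_UNAUTHORIZED and
    # adds the Basic challenge; otherwise it fills in $r->user.
    my ($status, $password) = $r->get_basic_auth_pw;
    return $status unless $status == Apache2::Const::OK;

    my $krb = Authen::Krb5::Simple->new(realm => $REALM);
    # Reject empty passwords explicitly before asking the KDC.
    return Apache2::Const::OK
        if length $password && $krb->authenticate($r->user, $password);

    $r->note_basic_auth_failure;        # re-send the challenge on failure
    return Apache2::Const::HTTP_UNAUTHORIZED;
}

1;
```

MyHandler::KRB5 is the last handler in the stack, so it must never return DECLINED: if every authentication handler declines, Apache answers with a server error instead of a 401 challenge.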