[Mod-auth-devel] mod_authn_dbi
From: Axel G. <ag...@pr...> - 2004-01-17 19:00:36
hi,

i spent a few hours working on mod_authn_dbi today, but it seems the "mangle username" feature will not be possible without changing apache's authn-interface. i can change the value of the username string, but i cannot change the string itself, so the new username could only be as long as the old one. for this to work, apache would have to change the prototype from

    authn_status (*check_password)(request_rec *r, const char *user, const char *password);

to

    authn_status (*check_password)(request_rec *r, const char **user, const char *password);

i wonder if it would be worth asking on apache-devel since the answer would probably be "no". on the other hand, this still is a developer version. hmmm.... maybe a cleaner way would be to create a mod_map_username.... well, we'll see...

i had a look through the TODO file and have a few comments:

> 1.0.0
> - Testimonials / Who is using it - put it on the website?

well, that would really be interesting. i google for mod_authn_dbi every once in a while, but nothing really interesting turns up although it got mentioned in an article of a german linux magazine. (http://www.linuxenterprise.de). well, people will probably start using it once apache-2.2 is out.

> - Some Sort of Official Security Audit
> - Benchmarks?
>   - vs File, DBM and No Authentication?
>   - High Load Throughput?
>   - with mod_authn_cache?
>   - Classic MySQL, PgSQL, SQLite.. etc?
> - Create Patches to use 2.1 Authentication on 2.0.XX Releases?

that would be a really nice feature...but probably also a lot of work...

> - Update Documentation (README Specifically needs to be reworked)

i will try to add some documentation into it.

> - Test on all supported libdbi databases.
> - Test on 32bit, 64bit, little/big endian machines (might be a little extreme)
>   - Linux x86
>   - FreeBSD 5 x86 [chip]
>   - Linux SPARC [chip]
>   - AMD64?
>   - Linux MIPS [chip]
>   - PPC?

i can test it on solaris/sparc and maybe get someone to test it on IRIX.

> - Create Binary Releases (rpm and deb?)
>   * For now perhaps just create /debian/ and RPM .specs files,
>     pending a 2.1/2.2 -release of Apache?
> - Get into Package Systems: (post 1.0?)
>   * requires httpd 2.1 or 2.2 -release?
>   - Debian
>   - FreeBSD
>   - Gentoo
>   - Lunar

do you know which of these distributions include libdbi?

> 0.9.0
> - Include HTML/XML Documentation in Releases?
>   - Bigger Files...

yes, including the docs into the tarball would be useful. not all the places where this will be used have internet access as an http-client. i think putting a text-version of the doc-website into release tarballs would be a good idea.

> - Use APXS for Makefiles [chip]
> - Remove extra files from CVS (autoconf/make stuff we don't need) [chip]
> - Have external people look for security issues (Prep for 1.0)
> - Create "security-issues" contact address (for whole auth project?)

in general, yes. but what domain would this address be under? do we want modauth.org? some pgp-key for security related stuff should also be available. i will create a ho...@so... pgp-key and publish the keyid on the website for now. maybe you could do the same. until we have decided this, a note on the homepage saying "for security related issues, contact the developers directly by email" should be ok.

and we should start signing the releases with gpg. i would also like to have some way to sign the sources as they go into cvs, although this is probably not going to be easy to do in a useful way.. do you have a pgp key?

> - Mangle usernames [axel]

postponed.

> - More SQL Variables [axel]

mainly done..

> - Support mod_dbi_pool [chip?]
> - Merge In Cyan changes to Mainline? [chip]
>   * These Officially Might break how the Digest RFC Works...

what do those changes do?

> - Send Announcements:
>   - SourceForge
>   - FreshMeat [chip]
>   - modules.apache.org [chip]
>   - Other?

i would also like to change the dbi_result_get_* functions into dbi_result_bind_*. the semantics of dbi_result_get_string are sort of broken. on error, it returns the string "ERROR" (which is also not documented), so you have no way to tell an error from a field containing "ERROR". :(

tty,
axel
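
Added example, not part of the original message and not libdbi or mod_authn_dbi code: a C illustration of the ambiguity described in the last paragraph, where a getter that reports failure as the string "ERROR" is compared with one that reports status separately from the data. The names `toy_get_string`, `toy_fetch_string`, `compare_inband`, `compare_checked` and the one-row `ROW` table are hypothetical stand-ins constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed one-row result; the "note" column really holds the text "ERROR". */
struct col { const char *name, *value; };
static const struct col ROW[] = { {"username", "alice"}, {"note", "ERROR"} };

static const char *lookup(const char *name) {
    for (size_t i = 0; i < sizeof ROW / sizeof ROW[0]; i++)
        if (strcmp(ROW[i].name, name) == 0) return ROW[i].value;
    return NULL;                       /* no such column */
}

/* Hypothetical in-band getter: failure comes back as the data value "ERROR". */
static const char *toy_get_string(const char *name) {
    const char *v = lookup(name);
    return v ? v : "ERROR";
}

/* Hypothetical out-of-band getter: status in the return value, data via *out. */
static int toy_fetch_string(const char *name, const char **out) {
    *out = lookup(name);
    return *out ? 0 : -1;
}

enum outcome { MATCH, NO_MATCH, BACKEND_ERROR };

/* Caller of the in-band getter: its only error test is a string compare. */
static enum outcome compare_inband(const char *name, const char *expected) {
    const char *v = toy_get_string(name);
    if (strcmp(v, "ERROR") == 0) return BACKEND_ERROR;   /* also hits real data */
    return strcmp(v, expected) == 0 ? MATCH : NO_MATCH;
}

/* Caller of the out-of-band getter: fails closed on status, never on content. */
static enum outcome compare_checked(const char *name, const char *expected) {
    const char *v;
    if (toy_fetch_string(name, &v) != 0) return BACKEND_ERROR;
    return strcmp(v, expected) == 0 ? MATCH : NO_MATCH;
}

int main(void) {
    printf("in-band: stored \"ERROR\" -> %d, missing column -> %d\n",
           compare_inband("note", "ERROR"), compare_inband("missing", "x"));
    printf("checked: stored \"ERROR\" -> %d, missing column -> %d\n",
           compare_checked("note", "ERROR"), compare_checked("missing", "x"));
    return 0;
}
```

With the in-band getter both cases report a backend error; with the status-returning getter only the missing column does.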