This file is deprecated, and only partially valid.
These are plans for how this module should be built. The actual aim of this module is to identify user, not to authorise her (authorization is "implicit").
This module looks at a connection's parameters (source port/source IP/timestamp) (these are enough to identify quite stricly the connection) and performs SQL requests to a database containing the attached UID, if any.
As an option, an LDAP request can then be performed, to convert the UID into an actual username.
Provided directives :
AuthNufwAuthoritative On/Off Prevent other authentication modules from authenticating
the user if this fails
AuthNufwEnabled On/Off Set to off to disable use of this module for
some ressources.
AuthNufwTimeWindow integer default : 1 second. Specifies the time window
a connection will be considered to match. Increase on laggy
networks, be aware the higher this value, the
most probable attacks get. Using NTP is obviously not an option
when using this module.
AuthNufwSQLHost IP or name defaults to localhost
AuthNufwSQLPort port nb defaults to 5432 or 3306
AuthNufwSQLDatabase database name defaults to ??
AuthNufwSQLUser database user defaults to ??
AUthNufwSQLPassword database password
AUthNufwSQLSSL* SSL encryption options will be added later.
exported functions :
1 create_auth_nufw_dir_config -> apache function to create config for a dir
there is no special merge, overriding is what we
want.
2 create_auth_nufw_config -> ???
3 auth_nufw_cmds -> the command table, describing above directives
4 auth_nufw_identify_user -> find out whom a connection comes from, from the
SQL database.
5 auth_nufw_dummy_auth -> dummy function, auth is actually checked in
auth_nufw_identify_user. Probably this function
can vanish actually..
6 auth_nufw_child_init -> what to do when a child spawns
7 auth_nufw_child_exit -> what to do when a child dies
subtasks:
1
2
4 a/ check if child already has an open database conn
b/ if not, connect
b1/ if it fails, log an error message and return
b2/ success
c/ build request, taking time into account
d/ perform request
e/ is there zero or one result?
e1/ if not, log some critical message (and return)
e2/ yes
f/ is there zero result?
f1/ yes -> no identification, return
f2/ no -> identification success, fill in the user field (and others?)
5 if needed, set the user as authenticated 6 init a database link (or grab one from the pool ?)
if this fails, log an error
7 close the database link (or hand it back into the pool)