Re: auth_rewrite authenticate.c user_auth_hash_pointer usage

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sun, 14 Jan 2001 02:24:12 +0100

Robert Collins wrote:

> I dislike that too.. but it makes the framework more complex for
> little gain. A given user is only likely to be in the cache with
> different schemes if they are using different software in a short
> timespan (and ntlm is unlikely to cross over with basic or
> digest - so it will be very rare to have that occur). I don't think
> it's going to be that common.

Well, imagine that one wants to replace the username hash by a splay
tree or some other more dynamic structure.

The current design depends on the layout of the hash implementation,
digging into hash internal fields (the next pointer) to be able to
locate the scheme-specific auth_user. Most people assume that
when you have a hash there is one single entry per key.

Third, it is not too unexpected to see basic and ntlm share the same
user database. In such cases it would be good if the auth_user were shared
so IP checks and such things were also shared (else an IE user could share
his account with a friend using Netscape without triggering the IP
check).

> To do that I think several things should happen first: some of
> the auth_user items are used in each scheme. The layout of data
> needs to be tuned so no auth_user_t data is altered by schemes.

The auth_user should only contain information specific to that user,
regardless of scheme:
  * user name
  * IP
  * last reference
  * whatever else is independent of scheme

None of these should be altered by schemes.

> The AUTH_DIGEST/AUTH_BASIC/AUTH_NTLM defines need to be optimised
> out for the module Id or a pointer to the scheme_list entry.

Using a pointer is trivial, and you already have a scheme registry,
don't you?

> Then
> a couple of support functions at the framework level to allow
> schemes to say "I have user joe" and get linked in. Then some very
> very very careful testing to make sure we never cross over from
> one scheme to another while handling a request.

The cross-over issue you already have to worry about, only at a slightly
different place (auth_user, instead of auth_user->scheme).

/Henrik
Received on Sat Jan 13 2001 - 18:32:21 MST
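The layout Henrik argues for above (one scheme-independent auth_user per username, scheme-specific state hanging off it, schemes identified by a pointer into the registry rather than an AUTH_* define, and the IP check done once on the shared record) is sketched below as an added C example. It is not Squid code and not part of the thread; the scheme registry entries, the list standing in for the username hash, and the "joe" scenario are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Scheme registry entry (constructed stand-in for the real scheme_list).
 * A scheme is identified by the address of its entry, not by an AUTH_* define. */
typedef struct auth_scheme {
    const char *name;
} auth_scheme_t;

const auth_scheme_t auth_scheme_basic = { "basic" };
const auth_scheme_t auth_scheme_ntlm  = { "ntlm" };

/* Per-scheme state linked off the shared user record; only the owning scheme looks inside 'data'. */
typedef struct auth_user_scheme_data {
    const auth_scheme_t *scheme;
    void *data;
    struct auth_user_scheme_data *next;
} auth_user_scheme_data_t;

/* Scheme-independent user record: exactly one per username. */
typedef struct auth_user {
    char *username;
    char last_ip[46];                 /* textual address; 46 covers IPv6 */
    time_t last_reference;
    auth_user_scheme_data_t *schemes; /* one entry per scheme that knows this user */
    struct auth_user *next;           /* plain list standing in for the username hash */
} auth_user_t;

static auth_user_t *user_table = NULL;

/* Look the user up by name; create the shared record on first sight. */
auth_user_t *auth_user_find_or_create(const char *username)
{
    auth_user_t *u;
    size_t len = strlen(username) + 1;
    for (u = user_table; u != NULL; u = u->next)
        if (strcmp(u->username, username) == 0)
            return u;
    u = calloc(1, sizeof(*u));
    if (u == NULL) return NULL;
    u->username = malloc(len);
    if (u->username == NULL) { free(u); return NULL; }
    memcpy(u->username, username, len);
    u->next = user_table;
    user_table = u;
    return u;
}

/* A scheme calls this to say "I have user joe" and gets linked in.
 * Attaching the same scheme twice returns the existing record. */
auth_user_scheme_data_t *auth_user_attach_scheme(auth_user_t *u,
        const auth_scheme_t *scheme, void *data)
{
    auth_user_scheme_data_t *s;
    for (s = u->schemes; s != NULL; s = s->next)
        if (s->scheme == scheme)
            return s;
    s = calloc(1, sizeof(*s));
    if (s == NULL) return NULL;
    s->scheme = scheme;
    s->data = data;
    s->next = u->schemes;
    u->schemes = s;
    return s;
}

/* Number of schemes currently linked to this user. */
int auth_user_scheme_count(const auth_user_t *u)
{
    int n = 0;
    const auth_user_scheme_data_t *s;
    for (s = u->schemes; s != NULL; s = s->next)
        n++;
    return n;
}

/* Shared IP check on the scheme-independent record, so it applies whichever scheme
 * authenticated the request. Returns 1 if the address matches the one on record
 * (or none is recorded yet), 0 on a mismatch. */
int auth_user_check_ip(auth_user_t *u, const char *ip, time_t now)
{
    u->last_reference = now;
    if (u->last_ip[0] == '\0') {
        snprintf(u->last_ip, sizeof(u->last_ip), "%s", ip);
        return 1;
    }
    return strcmp(u->last_ip, ip) == 0;
}

int main(void)
{
    auth_user_t *joe = auth_user_find_or_create("joe");   /* constructed scenario */
    auth_user_attach_scheme(joe, &auth_scheme_basic, NULL);
    printf("basic from 10.0.0.1: %d\n", auth_user_check_ip(joe, "10.0.0.1", time(NULL)));
    auth_user_attach_scheme(joe, &auth_scheme_ntlm, NULL);
    printf("ntlm from 10.0.0.2: %d, %d schemes linked\n",
           auth_user_check_ip(joe, "10.0.0.2", time(NULL)), auth_user_scheme_count(joe));
    return 0;
}
```

Because the second login for "joe" goes through a different scheme but the same auth_user, the IP check fails on the address change, which is exactly the cross-scheme account-sharing case the message describes. Nothing in the framework reaches into hash internals or depends on the scheme being encoded in the key, so the username container can be swapped for a tree without touching the schemes.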