I’ve wanted to do some things here that require authentication of users on the web: things like a web-based spam filter configuration control and other tweaks, user profiles, chat, and a calendar that shares with a Unix desktop that could also work on portable devices. Stuff like this requires knowing who the user is with certainty, because we don’t want some stranger tweaking your account.
Tonight I finally got Unix authentication to work on the web. This opens up a plethora of security issues, because HTTP is a connectionless protocol and hypothetically someone could mash thousands of guesses a second at user accounts without some facilities in place to stop that, and I’m still working on those things. But I did get the thing fundamentally working. It does so without exposing the shadow password to the web server.
The documentation for mod_authnz_external is entirely broken in that it does not work in a <Directory> context as suggested by the instructions, but does work with <Location>. Not that it matters, because I’m actually going to use form-based authentication when all is said and done: I don’t want the browsers caching people’s passwords, or to have to beat the daemon to death calling it for each page request.