-------------------------
| mod_securid 2.0 beta1 |
-------------------------

This is a beta release. Looking for the current stable release of mod_securid?
Then look at http://www.deny-all.com/mod_securid/.
This version of mod_securid introduces a major change in the way communications
with ACE servers are handled. It is released to the community in the hope that
we will receive comments and bug reports, allowing us to publish a stable
release of mod_securid 2.0 very soon.
It is currently being tested and it appears to work so far under Linux and
Solaris 2.8. It was compiled with version 5.0.2 of the ACE client library.
It makes use of the new API and thus will not work with older versions of
the library, though it should be possible to make it work with version 4 after
some small changes.

To build it, untar the ACE client SDK in the source directory, update the
first lines of the makefile and run "make".

Support:
--------
Should you need some help with mod_securid, either subscribe to the
mod-securid-general mailing list on Sourceforge
(see http://sourceforge.net/mail/?group_id=22299) or send a mail to
mod.securid@deny-all.com.

mod_securid 2.0 technical details:
----------------------------------

During the module initialization phase, mod_securid spawns one child process
per virtual server using the fork() system call. Each forked child then
exec()s a new program which manages communications with an ACE server.
Thus, all authentication steps are now dealt with by the same (multi-threaded)
process, even if the HTTP requests are received by several Apache processes.
When each child is spawned, a minimal environment is created, with VAR_ACE
set as required by the httpd.conf configuration directive AuthSecurID_VarAce.
This directive can be set once for each virtual server defined in the
httpd.conf file. It is not a per-directory configuration option.

Each of these child processes owns a UNIX domain BSD socket which Apache
processes use to send authentication requests. The child works much like
a proxy: it forwards the authentication requests to the ACE server and
returns the authentication results to Apache.

The messages exchanged between Apache and the SecurID authentication proxies
support the following actions:
- check a username, passcode pair
- send next code
- set a new pin, be it user- or system-generated

The SecurID proxy processes return ACE client library error codes to Apache,
thus allowing mod_securid to handle them as appropriate.


New directives:
---------------

Two new directives have been added.
- AuthSecurID_SockDir sets the directory where the UNIX domain sockets used to
communicate between Apache and the SecurID authentication proxy processes are
stored.
- AuthSecurID_Proxy sets the path to the SecurID proxy executable.
It defaults to "(ServerRoot)/libexec/securid_proxy".


                    Erwan Legrand, Deny All Security Solutions, Wed Sep  4 2002 
