Custom Authentication handler for mod_auth_form

Apache would not be able to display a login page by default. When you do a basic authentication, what it does is send a 401 status code back to the browser which pops up the username/password dialogue. Any sort of login page has to have the authentication processing done on the application side.

As an alternative, you may want to look at a authentication federation system such as shibboleth or simplesamlphp. Setting it up can be a pain but once you do, it will do exactly what you want.

It will:

1. Allow you to protect any sites in Apache by specifying shibboleth as the authentication mechanism. It loads a mod_shib apache mod to handle the front-end filtering.
2. It will present the user with a customisable login page
3. You can configure the back-end to authenticate against LDAP.

Hope this helps.

This is awfully abstract, so this will be an abstract answer.

You have two problems here. Authentication and Authorization, which are often abbreviated authn (authentication) and authz (authorization). Authentication is verifying the user is who they say they are, Authorization is allowing them to do stuff based on who they are. AuthN is first, followed by AuthZ.

Seeing as you're a registered user of ServerFault, you've already encountered one method to handle multiple domain AuthN with a single domain AuthZ. It's called OpenID, and is designed to solve the very problem you describe. Users authenticate with an OpenID provider (such as google or yahoo) and relying parties (ServerFault) accept the user as authenticated and provide authorization based on that. ServerFault isn't in the business of dealing with passwords.

The trick here is to separate authn from authz. If you can convince your environment to allow something like that, your job gets a lot easier. You can even use OpenID, since relying parties can restrict the providers they trust.