httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rob Hartill <>
Subject mod_auth_dbm enhancements (fwd)
Date Thu, 30 Jan 1997 00:30:21 GMT

not acked

---------- Forwarded message ----------
Date: Wed, 29 Jan 1997 15:21:42 -0800
From: Brent Holland <>
Subject: mod_auth_dbm enhancements

Apache 1.2b4 - b6

My apache environment necessitates the ability of the mod_auth_dbm
module group file to support either the apache (user key, comma separted
list of groups value) format or the NCSA (group key, space or comma separated
list of users) format.

I implemented this in mod_auth_dbm using a boolean flag directive I call "AuthDBMFormatNCSA".
 When off (the default), mod_auth_dbm works just like
apache, including support for the merged user/group 'telescope' file format.
When on, mod_auth_dbm recognizes a NCSA group dbm file.

In the implementation of the NCSA group dbm format, I had to redefine
somewhat the rules you folks had established for passing authoritative
control to lower auth modules.  The Apache rules, as established
apparently by a 'dirkx' contributor, can be stated as follows:

      Apache format - if a user belongs to any group known to
      the module, whether or not a required group, the group
      file is unconditionally authoritative; however, if a user
      does not belong to any known group, the group file is
      only conditionally authoritative.  (A user known to auth_dbm may
      not appear in the group file if a) the user and group files differ
      and b) the user belongs to no groups)

With an NCSA group file dbm format as I have implemented it, the rules
       Apache/NCSA format - if any required group is known to
       the module, the group file is unconditionally authoritative.
       Group membership in other than a required group denotes a
       conditionally authoritative group file, i.e. pass off control if
       AuthDBMAuthoritative is off.
Although I believe the existing rules to be flawed and my rules to be
more intuitive (and an extension of the user file rules), I kept the
'dirkx' rule when running in Apache group mode for the moment.  I
wouldn't suggest going permanently with different rules on the basis
of the group file format.

Along the way I fixed an existing, apparently undocumented bug:

Multiple 'require group' records not recognized:

when parsing the require lines in  dbm_check_auth(), the access checker
fails to allow for potentially multiple 'require group' records,
checking the groups the known user belongs to only against the group
or groups in the first 'require group' record.  The module will
return AUTH_REQUIRED even though the user may be a member of group listed
in subsequent 'require group' lines.

If you are interested in any or all of the changes I have made
to mod_auth_dbm, please let me know how to formally submit the
entire module to you.

Brent Holland

View raw message