httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dirk.vanGulik" <>
Subject Another one for the FAQ
Date Sat, 21 Jun 1997 10:31:46 GMT
I've been going to a three days worth of email support for
mod_auth_msql, anon, etc, so here is another repeating
one for the FAQ.


<LI><A NAME="checkuser">
      <STRONG>My authentifcation gives me a server error?</STRONG>
  Under normal circumstances, the apache access control modules
  will pass unrecognized userid-s on to the next access control
  module in line. Only if the userid is recorgnized, the password
  is validated and a Ok/Denied is given.
  However if the last access module in line also 'declines' the
  validation request (because it has never heard of the user-id
  or because it is not configured) the http_request handler will 
  give one of the following, confusing, errors:
    <li> <code>check access</code>
    <li> <code>check user.  No user file? </code>
    <li> <code>check access.  No groups file? </code>
  This does not mean that you have to add a 'AuthUserFile /dev/null'
  line as some magazines suggest !
  The solution is to ensure that at least the last module is authoritative
  and <b>CONFIGURED</b>. By default <code>mod_auth</code> is authoritative
  and will give an OK/Denied, but only if it is configured with the proper
  AuthUserFile. Likewise if a valid group is required.
  A typical situation for this error is when you are using the mod_auth_dbm,
  mod_auth_msql, mod_auth_mysql, mod_auth_anon or mod_auth_cookie on their own. 
  These are by default <b>not</b> authoritative, and this will pass the buck on

  to the (non-existent) next authentification module when the user ID is not in 
  their respective database. Just add the appropriate 'XXXAuthoritative yes' line
  to the configuration.
  In general it is a good idea (though not terribly efficient) to have the file 
  based mod_auth a module of last resort. This allows you to access the web
  server with a few special passwords even if the databases are down or corrupted.
  This does cost a file-open/seek/close for each request in a protected area.



View raw message