httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Brad Nicholes" <>
Subject Conflict in authorization types among various authz modules...
Date Fri, 26 Aug 2005 15:44:31 GMT
   I am looking for comments from those who helped to implement the
refactored authentication model and those who helped restructure the
authentication modules.  

   One of the problems that I discovered while working on the
restructuring of the authnz_ldap module was the name space for the
authorization types.  I found that the 2.0 version of mod_auth_ldap
implemented authorization types such as "valid-user", "user" and
"group".  After creating mod_authnz_ldap and restructuring the ldap
authorization types, I found that using these authorization type names
conflicted with mod_authz_user and mod_authz_groupfile.  Meaning that if
mod_authnz_ldap was loaded along side of mod_authz_user or
mod_authz_groupfile, the authorization module that actually attempted to
handle authorization was at the mercy of the module load order and in
most cases was wrong.  In other words, the following configuration would
not be able to accurately determine which authz module should be
handling authorization. 

LoadModule authnz_ldap_module modules/
LoadModule authz_user_module modules/

<Directory ...>
require user bnicholes

To resolve this issue I prefixed the ldap authorization types with

   Looking through the authorization types for the other authz modules
I noticed that there are other similar conflicts.

mod_authz_dbm             file-group, group
mod_authz_groupfile     file-group, group
mod_authz_owner         file-group

I would propose that the following renaming or elimination of types
should be done before Apache 2.2 is released in order to resolve the

mod_authz_dbm            dbm-group
mod_authz_groupfile     group
mod_authz_owner         file-group



View raw message