httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Brad Nicholes" <BNICHO...@novell.com>
Subject Re: Conflict in authorization types among various authz modules...
Date Tue, 30 Aug 2005 15:01:28 GMT
   Are there any comments on this?  If not then I would like to make the type name changes
in trunk and then push them back into the 2.2 branch.  I don't consider this a show-stopper
for the 2.1.7-beta candidate but the conflict does need to be resolved before 2.2 is released.

Brad   

>>> On Friday, August 26, 2005 at 9:44:31 am, in message
<430EE449.6720.00AC.0@novell.com>, BNICHOLES@novell.com wrote:
> I am looking for comments from those who helped to implement the
> refactored authentication model and those who helped restructure the
> authentication modules.  
> 
>    One of the problems that I discovered while working on the
> restructuring of the authnz_ldap module was the name space for the
> authorization types.  I found that the 2.0 version of mod_auth_ldap
> implemented authorization types such as "valid-user", "user" and
> "group".  After creating mod_authnz_ldap and restructuring the ldap
> authorization types, I found that using these authorization type names
> conflicted with mod_authz_user and mod_authz_groupfile.  Meaning that if
> mod_authnz_ldap was loaded along side of mod_authz_user or
> mod_authz_groupfile, the authorization module that actually attempted to
> handle authorization was at the mercy of the module load order and in
> most cases was wrong.  In other words, the following configuration would
> not be able to accurately determine which authz module should be
> handling authorization. 
> 
> LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
> LoadModule authz_user_module modules/mod_authz_user.so
> 
> <Directory ...>
> ...
> require user bnicholes
> </Directory>
> 
> To resolve this issue I prefixed the ldap authorization types with
> "ldap-".  
> 
>    Looking through the authorization types for the other authz modules
> I noticed that there are other similar conflicts.
> 
> mod_authz_dbm             file-group, group
> mod_authz_groupfile     file-group, group
> mod_authz_owner         file-group
> 
> I would propose that the following renaming or elimination of types
> should be done before Apache 2.2 is released in order to resolve the
> conflicts
> 
> mod_authz_dbm            dbm-group
> mod_authz_groupfile     group
> mod_authz_owner         file-group
> 
> 
> Comments?
> 
> Brad


Mime
View raw message