httpd-dev mailing list archives

From Ryan Morgan <>
Subject Re: [PATCH] mod_authnz_ldap and satisfy all
Date Wed, 07 Sep 2005 23:47:10 GMT

Making this generic is a good idea, though you are correct in asserting
it cannot be done without a major re-factoring.  Even then the authz
would need to be modified to respect the satisfy flag when multiple are
given for a single authz module.

The requirement I'm trying to fulfill is multiple group requires within
ldap.  I figured making it generic within ldap using satisfy would be a
good though this seems to be blowing up into a much bigger issue.

Perhaps it would be easier if 'require ldap-group' could have multiple
groups listed on a single require line?  Something similar to
ldap-attribute?  Or maybe just move the satisfy flag to an ldap specific
directive like to remove any confusion on what it does?

On Sep 7, 2005, at 9:02 AM, Brad Nicholes wrote:

>   +1 in concept as well but it seems that this should be implemented
> at some lower level so that we don't have to touch each authz module
> to teach them how to deal with the satisfy directive.
>
> The problem is that the auth_checker hook is defined as
> AP_IMPLEMENT_HOOK_RUN_FIRST meaning that each registered hook will be
> called in turn until something other than DECLINE is returned.  If
> something other than DECLINE is returned then the appropriate action
> takes place.  Either authorization succeeds or fails with a specific
> error.  Satisfy All would need to change the behavior of the hook so
> that each registered hook is called in turn as long as OK or
> returned.  Then if something other than OK or DECLINE is returned, the
> authorization fails.  This would probably require defining a new type
> of hook that would be defined as AP_IMPLEMENT_HOOK_RUN_ALL.
>
> At this point I am not sure how to make that happen without
> drastically altering the way authorization is currently configured
> and works.  Currently Satisfy All | Any is very specific in how it is
> implemented inside of ap_process_request_internal().  Its purpose is
> to satisfy access control vs. (authentication and authorization).
> This would also need to be changed or use something other than the
> Satisfy directive.
>
> Brad
>>>> On Monday, September 05, 2005 at 4:15:56 am, in message
> <>, wrote:
>> Ryan Morgan wrote:
>>>    require ldap-group cn=Engineering,ou=Groups,o=SomeCompany,c=US
>>>    require ldap-group cn=QA,ou=Groups,o=SomeCompany,c=US
>>>    satisfy all
>>> Could someone provide feedback on whether this is a feature that could be
>>> added to the ldap module?
>> Definitely a +1 in concept. Do the other authz modules handle satisfy
>> all in the same way?
>> A quick eyeball of the patch shows up some C++ comments - can you
>> convert them to C comments?
>> Regards,
>> Graham
>> --
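
The two hook dispatch behaviours described in the quoted reply, as an added sketch that is not part of the original message or of httpd's source. The `request` struct, the three checker functions, and the fail-closed return when no hook says OK are assumptions made for illustration; the status values mirror httpd's `OK`, `DECLINED` and `HTTP_UNAUTHORIZED`.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in status codes for this sketch; the values mirror httpd's. */
#define OK 0
#define DECLINED (-1)
#define HTTP_UNAUTHORIZED 401

typedef struct { const char **groups; size_t ngroups; } request; /* constructed */
typedef int (*auth_checker)(const request *r);

static int in_group(const request *r, const char *g) {
    for (size_t i = 0; i < r->ngroups; i++)
        if (strcmp(r->groups[i], g) == 0) return 1;
    return 0;
}
/* Hypothetical checkers: one module with no opinion, one per required group. */
static int check_other(const request *r) { (void)r; return DECLINED; }
static int check_eng(const request *r) { return in_group(r, "Engineering") ? OK : HTTP_UNAUTHORIZED; }
static int check_qa(const request *r) { return in_group(r, "QA") ? OK : HTTP_UNAUTHORIZED; }
static const auth_checker chain[] = { check_other, check_eng, check_qa };
#define NHOOKS (sizeof chain / sizeof chain[0])

/* RUN_FIRST: the first result other than DECLINED decides the outcome. */
int run_first(const request *r) {
    for (size_t i = 0; i < NHOOKS; i++) {
        int rv = chain[i](r);
        if (rv != DECLINED) return rv;
    }
    return DECLINED;
}
/* RUN_ALL as described: keep going on OK or DECLINED, fail on anything else.
 * Returning DECLINED when no hook said OK is this sketch's fail-closed choice. */
int run_all(const request *r) {
    int saw_ok = 0;
    for (size_t i = 0; i < NHOOKS; i++) {
        int rv = chain[i](r);
        if (rv == OK) saw_ok = 1;
        else if (rv != DECLINED) return rv;
    }
    return saw_ok ? OK : DECLINED;
}
int authorize(int all, const char **groups, size_t n) {
    request r = { groups, n };
    return all ? run_all(&r) : run_first(&r);
}
int main(void) {
    const char *eng_only[] = { "Engineering" };   /* constructed user */
    printf("run_first=%d run_all=%d\n", authorize(0, eng_only, 1), authorize(1, eng_only, 1));
    return 0;
}
```

For a user who is only in Engineering, the first-match dispatch grants access before the QA checker is ever consulted, while the run-all dispatch denies it.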
