Return-Path: Delivered-To: apmail-httpd-dev-archive@www.apache.org Received: (qmail 40152 invoked from network); 7 Sep 2005 16:03:05 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199) by minotaur.apache.org with SMTP; 7 Sep 2005 16:03:05 -0000 Received: (qmail 46464 invoked by uid 500); 7 Sep 2005 16:03:00 -0000 Delivered-To: apmail-httpd-dev-archive@httpd.apache.org Received: (qmail 46398 invoked by uid 500); 7 Sep 2005 16:03:00 -0000 Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list dev@httpd.apache.org Received: (qmail 46369 invoked by uid 99); 7 Sep 2005 16:02:59 -0000 Received: from asf.osuosl.org (HELO asf.osuosl.org) (140.211.166.49) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 07 Sep 2005 09:02:59 -0700 X-ASF-Spam-Status: No, hits=0.4 required=10.0 tests=DNS_FROM_RFC_ABUSE X-Spam-Check-By: apache.org Received-SPF: pass (asf.osuosl.org: local policy) Received: from [137.65.81.172] (HELO lucius.provo.novell.com) (137.65.81.172) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 07 Sep 2005 09:03:12 -0700 Received: from INET-PRV1-MTA by lucius.provo.novell.com with Novell_GroupWise; Wed, 07 Sep 2005 10:02:57 -0600 Message-Id: <431EBA81.6720.00AC.0@novell.com> X-Mailer: Novell GroupWise Internet Agent 7.0 Date: Wed, 07 Sep 2005 10:02:44 -0600 From: "Brad Nicholes" To: , Subject: Re: [PATCH] mod_authnz_ldap and satisfy all References: <364AACA5-D646-4AF4-B0A5-B08A8A862FD8@pobox.com> <431C1ADC.1060900@sharp.fm> In-Reply-To: <431C1ADC.1060900@sharp.fm> Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Disposition: inline X-Virus-Checked: Checked by ClamAV on apache.org X-Spam-Rating: minotaur.apache.org 1.6.2 500/1000/N +1 in concept as well but it seems that this should be implemented at some lower level so that we don't have to touch each authz module to teach them how to deal with the satisfy directive. The problem is that the auth_checker hook is defined as AP_IMPLEMENT_HOOK_RUN_FIRST meaning that each registered hook will be called in turn until something other than DECLINE is returned. If something other than DECLINE is returned then the appropriate action takes place. Either authorization succeeds or fails with a specific error. Satisfy All would need to change the behavior of the hook so that each registered hook is called in turn as long as OK or DECLINE is returned. Then if something other than OK or DECLINE is returned, the authorization fails. This would probably require defining a new type of hook that would be defined as AP_IMPLEMENT_HOOK_RUN_ALL. At this point I am not sure how to make that happen without drastically altering the way authorization is currently configured and works. Currently Satisfy All | Any is very specific in how it is implemented inside of ap_process_request_internal(). It's purpose is to satisfy access control vs. (authentication and authorization). This would also need to be changed or use something other than the Satisfy directive. Brad >>> On Monday, September 05, 2005 at 4:15:56 am, in message <431C1ADC.1060900@sharp.fm>, minfrin@sharp.fm wrote: > Ryan Morgan wrote: > >> require ldap-group cn=Engineering,ou=Groups,o=SomeCompany,c=US >> require ldap-group cn=QA,ou=Groups,o=SomeCompany,c=US >> satisfy all > >> Could someone provide feedback on whether this is a feature that could be >> added to the ldap module? > > Definitely a +1 in concept. Do the other authz modules handle satisfy > all in the same way? > > A quick eyeball of the patch shows up some C++ comments - can you > convert them to C comments? > > Regards, > Graham > --