httpd-dev mailing list archives

From "Eric Covener" <cove...@gmail.com>
Subject Re: authnz_ldap in 2.2.x
Date Thu, 30 Aug 2007 01:51:32 GMT
On 8/29/07, Brad Nicholes <bnicholes@novell.com> wrote:
> > To clarify; I understand not duplicating valid-user, but the other
> > authz modules know to decline when they haven't seen a single
> > requirement they grok, which allows mod_authz_user to authorize the
> > request in the case of "Require valid-user".   I don't think the
> > coupling is a factor there.
>
>
> No, all of the authz modules should be working the same.  They
> all have an AuthzXXXAuthoritative directive which defaults to
> ON.  The problem with 2.0 and 2.2 is that if you load multiple
> authz modules and try to use multiple require statements, you
> have no guarantee as to which authz handler will get called
> first.  So it might look like the authz_XXX module is DECLINEing
> and allowing authz_user's "Require valid-user" to handle the
> authorization, when in fact the authz_XXX handler was never
> called at all.


In 2.2.x, if authz_XXX is one of dbm, owner, or groupfile, it tracks
the list of Requires and declines if it doesn't see any it's
responsible for -- this isn't a crapshoot of module ordering in this
case.

$ grep \!required *.c
mod_authz_dbm.c:    if (!required_group || !conf->authoritative) {
mod_authz_groupfile.c:    if (!required_group || !conf->authoritative) {
mod_authz_owner.c:    if (!required_owner || !conf->authoritative) {
mod_authz_user.c:    if (!required_user) {

That roughly leaves authz_host, authz_default, and authnz_ldap.
authz_host has a built-in default based on Order, and authz_default
doesn't have any Requires to check -- leaving authnz_ldap as the odd
man out.


-- 
Eric Covener
covener@gmail.com
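
The 2.2.x behaviour discussed above, as an added configuration example that is not part of the thread and not taken from httpd's own documentation: one scope whose only Require line belongs to mod_authz_groupfile while authentication comes from mod_authnz_ldap, and a second scope that shows the side effect of the workaround. The LDAP host, base DN, group file path, group names and URL paths are constructed placeholders, and mod_ldap, mod_authnz_ldap, mod_authz_user and mod_authz_groupfile are assumed to be loaded.

```apache
# Added example, not from the thread. httpd 2.2.x syntax.
# Assumes mod_ldap, mod_authnz_ldap, mod_authz_user and mod_authz_groupfile
# are loaded. ldap.example.com, the base DN, /etc/httpd/reports.groups and
# the group names are constructed placeholders.

<Location /reports>
    AuthType Basic
    AuthName "Reports"

    # Authentication is done against LDAP ...
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.com/ou=People,dc=example,dc=com?uid?sub"

    # ... but the only Require line in this scope belongs to
    # mod_authz_groupfile.
    AuthGroupFile /etc/httpd/reports.groups
    Require group reports-admins

    # mod_authz_groupfile and mod_authz_user walk the Require list and
    # DECLINE when none of the lines is theirs, so it does not matter in
    # which order they run or that their AuthzXXXAuthoritative default is On.
    #
    # mod_authnz_ldap does not decline on that basis: with the default
    # AuthzLDAPAuthoritative On, if its auth_checker happens to run before
    # mod_authz_groupfile it finds no ldap-* Require it can satisfy and
    # answers 401 instead of passing the request on, so the outcome
    # depends on module order. Turning it Off makes it DECLINE and lets
    # the group file decide.
    AuthzLDAPAuthoritative Off
</Location>

# Caveat for the same 2.2.x setup: AuthzLDAPAuthoritative Off also makes
# mod_authnz_ldap DECLINE when an ldap-* Require is present but NOT
# satisfied, and in 2.2 a request is authorized as soon as any authz
# module returns OK for any Require line in the scope. Keep a scope's
# Require lines to one module, or accept that another module's line can
# grant what the LDAP rule denied.
<Location /admin>
    AuthType Basic
    AuthName "Admin"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.com/ou=People,dc=example,dc=com?uid?sub"

    # Only LDAP rules here, so leave the module authoritative: a failed
    # group check is a denial, not a hand-off to the next module.
    AuthzLDAPAuthoritative On
    Require ldap-group cn=admins,ou=Groups,dc=example,dc=com

    # Do not add "Require valid-user" or "Require group ..." to this scope
    # on 2.2: it would be an alternative to the ldap-group check, not an
    # additional condition, and mod_authz_user would grant any
    # authenticated user.
</Location>
```

The first scope is the case Eric's grep output is about: every module except mod_authnz_ldap declines when it owns none of the Require lines, so the single directive that changes the result is AuthzLDAPAuthoritative. The second scope records the cost of that switch, which is why it is set per scope rather than globally.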
