httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Eric Covener" <cove...@gmail.com>
Subject Re: authnz_ldap in 2.2.x
Date Thu, 30 Aug 2007 22:36:14 GMT
On 8/30/07, Brad Nicholes <BNICHOLES@novell.com> wrote:
> >>> On 8/29/2007 at 7:51 PM, in message
> <1404e5910708291851x5840a4cemd81caaedb41d18d5@mail.gmail.com>, "Eric Covener"
> <covener@gmail.com> wrote:
> >
> > In 2.2.x If authz_XXX are one of dbm, owner, or groupfile they track
> > the list of requires and decline if they don't see any they're
> > responsible for -- this isn't a crap shoot of module ordering in this
> > case.
> >
> > $ grep \!required *.c
> > mod_authz_dbm.c:    if (!required_group || !conf->authoritative) {
> > mod_authz_groupfile.c:    if (!required_group || !conf->authoritative) {
> > mod_authz_owner.c:    if (!required_owner || !conf->authoritative) {
> > mod_authz_user.c:    if (!required_user) {
> >
> > That roughly leaves authz_host, authz_default, and authnz_ldap.
> > authz_host has a built-in default based on Order, and authz_default
> > doesn't have any Requires to check -- leaving authnz_ldap as the odd
> > man out.
> >
>
> True, so that brings up the question of what does AuthzXXXAuthoritative really mean?
 Does it mean that if set to ON, this module is authoritatively responsible for authorization
and if it can't (whatever the reason including no require statement), then authorization fails?
 Or does it mean that the module is only authoritatively responsible for authorization if
a matching require statement exists?  According to what you are saying as well as what the
code is currently saying in the other authz modules, the latter is true.  And if that is really
the definition of AuthzXXXAuthoritative, then it appears that authnz_ldap needs to be fixed.
>
> Brad
>

For the ones in the list above it seems to roughly be:

if an authz_XXX require is satisfied, return OK
If authz_XXX is authoritative, and any authz_XXX require directives
were present, return HTTP_UNAUTHORIZED
else return DECLINED

Any clue from a development process POV how I'd propose such a thing
for "backport" since it doesn't apply to trunk?  I was also hoping
some more people might weigh in on the behavior change for
mod_authnz_ldap in a stable release.

-- 
Eric Covener
covener@gmail.com

Mime
View raw message