httpd-dev mailing list archives

From Barry Scott <barry.sc...@onelan.co.uk>
Subject Re: mod_fcgid - cannot get authorizer process to be started
Date Tue, 29 Sep 2009 16:51:18 GMT
Barry Scott wrote:
> Jeff Trawick wrote:
>> On Tue, Sep 29, 2009 at 11:26 AM, Barry Scott
>> <barry.scott@onelan.co.uk> wrote:
>>
>>     Jeff Trawick wrote:
>>
>>         On Tue, Sep 29, 2009 at 8:18 AM, Barry Scott
>>         <barry.scott@onelan.co.uk> wrote:
>>
>>            The mod_fcgid page says to ask on dev I assume that this is the
>>            right place to ask.
>>
>>            I'm using mod_fcgid from svn with HTTPD 2.2.
>>
>>            I want to use a fast CGI authorizer to allow me to control access
>>            based on my rules.
>>            The authorizer needs to be a long running process - never exits.
>>
>>            I know that the fcgid code is noticing the directive because I can
>>            change the filename
>>            and see the error message from the sources.
>>
>>            But I'm at a loss as to the required to get this configuration to
>>            actually call my code.
>>            mod_fcgid is not starting up the authorizer process.
>>
>>            I have the following fcgid specific lines in my httpd.conf file:
>>
>>            ---- httpd.conf ----
>>            ...
>>            LoadModule fcgid_module modules/mod_fcgid.so
>>            ...
>>
>>            Listen *:9000
>>            <VirtualHost *:9000>
>>             <Location />
>>                 Order allow,deny
>>                 Allow from all
>>                 AuthType Digest
>>
>>
>>         Did you really mean Digest authentication instead of Basic
>>         authentication?
>>
>>         mod_fcgid only supports Basic, AFAICT.
>>
>>            /* Get the user password */
>>            if ((res = ap_get_basic_auth_pw(r, &password)) != OK)
>>                return res;
>>
>>
>>     I don't want to be an authenticator, I want to be an authorizer.
>>     Authorizer has no need of passwords, right?
>>
>>
>> whoops :(
>>
>> yes
>>
>> your "require valid-user" implies that you don't need authorization; 
>> try "require valid-group" instead
>
> I want the user's password checked and to only proceed if it is valid.
> I also want to run the fcgi Authorizer to check that the URL being
> accessed is allowed according to the logic in my Authorizer code.
>
> To that end I have the following:
>
>    <Location />
>        Order allow,deny
>        Allow from all
>
>        # Use digest auth to check the username/password pair
>        AuthType Digest
>        AuthName "Manager System"
>        # no one gets in without a valid username/password pair
>        Require valid-user
>
>        # Use these files to find the passwd and group information
>        AuthGroupFile /home/bscott/Work/httpd-fcgid-test/auth/http.group
>        AuthUserFile /home/bscott/Work/httpd-fcgid-test/auth/http.passwd
>
>        # Run the Authorizer.sh to veto URL based on the username
>        FastCgiAuthorizer /home/bscott/wc/svn/NTB-Next/onelan/DSM/Sources/WebUserInterface/bin/Authorizer.sh
>
>    </Location>
>
> What triggers HTTPD to call the Authorizer.sh code?
> Surely not the commands that control authentication checks?
>
> I cannot find Require valid-group defined in the 2.2 docs.
>
> Do you mean I need to add:
>
>              Require group nosuchgroup

This does not work...
>
> And that will cause the mod_authn_user (or whatever module) to try
> and match nosuchgroup. When it fails my Authenticator will be run
> to see if it can handle that directive?
>
> Isn't this module crying out for a directive like:
>
>            Require fcgid-authenticater-user-is-valid
>
> Barry
>
>

Barry

