httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Patrick L. Nolan" <...@razzle.Stanford.EDU>
Subject [users@httpd] Two levels of authentication
Date Tue, 19 Aug 2003 22:31:30 GMT
I'm trying to do something that I haven't seen in any of the 
examples or in anything I have found in Google.  This is with
Apache 2.0.40 on Linux.

We have a web site with a few hundred users who authorize
through mod_auth_mysql.  That's been running for years, through
many versions of Apache.  There's a small, elite group with
their own realm.  Recently I set that up with basic authorization.
The passwords in the elite realm are different from the ones in
the larger realm.  Now the elite users are annoyed that they have 
to re-authorize when they move out of their elite area to the
main area.

It seems reasonable that the main realm should be able to recognize 
both its own credentials and the ones issued in the elite realm.  
I set up something like this:

<Directory /home/www/htdocs/elite>
Options Indexes FollowSymLinks
AuthName "Private area for elite users"
AuthType Basic
AuthUserFile /home/www/htdocs/elite/htpasswd
AuthGroupFile /home/www/htdocs/elite/htgroups
order deny,allow
require group elite

<Directory /home/www/htdocs/ordinary>
Options Indexes FollowSymLinks
AuthName "The area for the ordinary folks"
AuthMySQLHost localhost
AuthMySQLUser userid
AuthMySQLPassword password
AuthMySQLDB database
AuthMySQLUserTable table
AuthMySQLGroupField groups
AuthMySQLNameField userid
AuthMySQLPasswordField passwd
AuthMySQLCryptedPasswords on
AuthMySQLAuthoritative off
AuthMySQLKeepAlive on
order deny,allow
deny from all
require group ordinary

AuthType basic
AuthUserFile /home/www/htdocs/elite/htpasswd
AuthGroupFile /home/www/htdocs/elite/htgroups
require group elite
satisfy any

The first set of lines, for the elite area, is quite orthodox.
It works OK.  In the second set, for the ordinary area, the
MySQL part works well.  I added the stuff at the end, basically
copying the elite setup and adding "satisfy any".  I thought it
would do the job.  It doesn't seem to do anything.

Apparently I don't understand these things well enough.  An elite 
user can log into either area with the appropriate password.
However, when passing from one to the other, it is necessary to
re-authenticate.  In particular, when going to the ordinary area,
it doesn't seem to remember that "require group elite" is already

Is there some way to do this?

*   Patrick L. Nolan                                          *
*   W. W. Hansen Experimental Physics Laboratory (HEPL)       * 
*   Stanford University                                       *

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message