httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier ...@ice-sa.com>
Subject Re: [users@httpd] Authorization Failed: require directives present and no Authoritative handler
Date Fri, 24 Oct 2008 06:38:23 GMT
Matthew Devine wrote:
> So I'm trying to build an Environment for Apache that will authenticate with
> mod_auth_kerb.  Basically I have a Windows 2003 Active Directory server
> acting as my KDC and Apache running in a Windows machine that's part of the
> domain.  When I try to connect to the site, it appears like it does all the
> correct authentication but Apache is giving me an access error and I haven't
> been able to track down why yet.
> 
> I posted this in the mod_auth_kerb mailing list but I wasn't sure if this
> was actually a mod_auth_kerb error as I'm not getting an error message from
> the module but a general error from Apache itself.  Any help would be
> greatly appreciated.
> 
> Apache Error Log
> [Thu Oct 23 15:36:27 2008] [debug] mod_auth_kerb.c(1322): [client
> 192.168.1.140] Verifying client data using KRB5 GSS-API
> [Thu Oct 23 15:36:27 2008] [debug] mod_auth_kerb.c(1338): [client
> 192.168.1.140] Verification returned code 0
> [Thu Oct 23 15:36:27 2008] [debug] mod_auth_kerb.c(1356): [client
> 192.168.1.140] GSS-API token of length 161 bytes will be sent back
> [Thu Oct 23 15:36:27 2008] [error] [client 192.168.1.140] access to /private
> failed, reason: require directives present and no Authoritative handler.
> 
> Matt
> 
Just a shot in the dark really, but going from the message above :
Are you not missing an authz handler ?
The "require" directive (like "require valid-user") is related to the 
Authorization phase, which normally follows the Authentication phase.
If you have a "require" without an authorization handler, the message 
above would be logical.

Maybe more painstakingly detailed :
The Authentication that you do with Kerberos works fine, and it delivers 
a validated user-id.  That's nice to have.
Now by saying "require blabla", you are *also* (in addition) putting a 
"security constraint" on the access to that Directory/Location.  That 
should be verified by an Authorization handler, which checks if that 
user-id you got before is there, or if it is one of a list, or if that 
user is member of a group, etc..
But you don't have such a handler configured maybe, so Apache complains 
that you say "require" without anything to verify it.



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message