httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Eric Covener" <cove...@gmail.com>
Subject Re: [users@httpd] Question about configuring multiple authz modules
Date Thu, 15 Jan 2009 21:40:24 GMT
On Thu, Jan 15, 2009 at 4:17 PM, Dan Poirier <poirier@pobox.com> wrote:
> Require group authorized_users
> Require ldap-attribute employeeType=active
>
> in hopes of requiring users to both belong to the authorized_users group and
> be an active employee, but that won't work.  Whichever module gets invoked
> first will either grant or reject access based solely on its own Require
> statement; the other module never gets to look at the request.

All Require's are "OR"'ed in 2.2.x and earlier. Any single match is
sufficient and nothing else can be expressed.

>
> You can stop the modules from rejecting access immediately by configuring
>
> AuthzGroupFileAuthoritative off
> AuthzLDAPAuthoritative off
>
> but that's not quite right either.  If mod_authz_groupfile gets invoked
> first and the user is in the group, access will be granted immediately, and
> again, the other module doesn't get to check its own Require.  The same
> could happen in the opposite order.  The result will be that we require
> either the right group, or an active employee, but never both; and which one
> depends on the module ordering.

This is even the case when requirements are within the same module.
>
> So, am I right about how this works?  And is there any way to configure
> things so multiple Requires from different authz modules are all required to
> pass in order to grant access?  Or would you have to find some other way
> entirely?

Yes, modules DECLINE if they don't see any of _their_ Require types,
and return HTTP_FORBIDDEN if they see some of the types but don't
match any of them.

-- 
Eric Covener
covener@gmail.com

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message