httpd-users mailing list archives

From Dan Poirier <poir...@pobox.com>
Subject [users@httpd] Question about configuring multiple authz modules
Date Thu, 15 Jan 2009 21:17:22 GMT
I'm trying to understand how all the parts of 
authentication/authorization in Apache 2.2 fit together, and have run 
into something that doesn't seem quite right to me.  I'm wondering if 
I'm correct about how it works.  I've been looking at the doc, as well 
as reading request.c.

Suppose you have more than one authz module, for example, 
mod_authz_groupfile and mod_authnz_ldap, that you want to use to control 
access.  You might configure

Require group authorized_users
Require ldap-attribute employeeType=active

in hopes of requiring users to both belong to the authorized_users group 
and be an active employee, but that won't work.  Whichever module gets 
invoked first will either grant or reject access based solely on its own 
Require statement; the other module never gets to look at the request.

You can stop the modules from rejecting access immediately by configuring

AuthzGroupFileAuthoritative off
AuthzLDAPAuthoritative off

but that's not quite right either.  If mod_authz_groupfile gets invoked 
first and the user is in the group, access will be granted immediately, 
and again, the other module doesn't get to check its own Require.  The 
same could happen in the opposite order.  The result will be that we 
require either the right group, or an active employee, but never both; 
and which one depends on the module ordering.

So, am I right about how this works?  And is there any way to configure 
things so multiple Requires from different authz modules are all 
required to pass in order to grant access?  Or would you have to find 
some other way entirely?

Thanks,
Dan
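
The evaluation order described in the message above, as an added example that is not part of the original post and is not httpd source code. It is a simplified model: the first module that does not decline decides the request, and the struct, the function names and the deny-when-all-decline fallback are assumptions made for illustration.

```c
#include <stdio.h>

/* Simplified model of the behaviour described in the message (an assumption,
 * not httpd source): authz modules run in order and the first one that does
 * not decline decides the request. */
enum { DECLINED = -1, OK = 0, HTTP_UNAUTHORIZED = 401 };

struct user { int in_group, active; };           /* constructed sample user */
struct authz_module {
    int (*require_met)(const struct user *);     /* the module's own Require */
    int authoritative;                           /* Authz...Authoritative on/off */
};

static int req_group(const struct user *u) { return u->in_group; }
static int req_ldap(const struct user *u)  { return u->active; }

static int run_module(const struct authz_module *m, const struct user *u)
{
    if (m->require_met(u))
        return OK;                               /* grants at once */
    return m->authoritative ? HTTP_UNAUTHORIZED : DECLINED;
}

/* Returns 1 if access is granted. group_first picks the module order;
 * authoritative sets both flags. If every module declines, the model denies
 * (assumed fallback). */
int granted(int group_first, int authoritative, int in_group, int active)
{
    struct authz_module g = { req_group, authoritative };
    struct authz_module l = { req_ldap, authoritative };
    struct authz_module mods[2];
    struct user u = { in_group, active };
    mods[0] = group_first ? g : l;
    mods[1] = group_first ? l : g;
    for (int i = 0; i < 2; i++) {
        int rv = run_module(&mods[i], &u);
        if (rv != DECLINED)
            return rv == OK;
    }
    return 0;
}

int main(void)
{
    puts("group active | on,grp-first on,ldap-first off | intended(AND)");
    for (int g = 0; g < 2; g++)
        for (int a = 0; a < 2; a++)
            printf("%5d %6d | %12d %13d %3d | %d\n", g, a, granted(1, 1, g, a),
                   granted(0, 1, g, a), granted(1, 0, g, a), g && a);
    return 0;
}
```

Rows where a configuration column shows 1 and the last column shows 0 are the users who get access without meeting both Require lines.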
