Message-ID: <496FA7E2.9080100@pobox.com>
Date: Thu, 15 Jan 2009 16:17:22 -0500
From: Dan Poirier
To: users@httpd.apache.org
Subject: [users@httpd] Question about configuring multiple authz modules

I'm trying to understand how all the parts of authentication/authorization in Apache 2.2 fit together, and have run into something that doesn't seem quite right to me. I'm wondering if I'm correct about how it works. I've been looking at the doc, as well as reading request.c.

Suppose you have more than one authz module, for example, mod_authz_groupfile and mod_authnz_ldap, that you want to use to control access. You might configure

    Require group authorized_users
    Require ldap-attribute employeeType=active

in hopes of requiring users to both belong to the authorized_users group and be an active employee, but that won't work. Whichever module gets invoked first will either grant or reject access based solely on its own Require statement; the other module never gets to look at the request.

You can stop the modules from rejecting access immediately by configuring

    AuthzGroupFileAuthoritative off
    AuthzLDAPAuthoritative off

but that's not quite right either. If mod_authz_groupfile gets invoked first and the user is in the group, access will be granted immediately, and again, the other module doesn't get to check its own Require. The same could happen in the opposite order. The result will be that we require either the right group, or an active employee, but never both; and which one depends on the module ordering.

So, am I right about how this works? And is there any way to configure things so multiple Requires from different authz modules are all required to pass in order to grant access? Or would you have to find some other way entirely?

Thanks,
Dan

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
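The decision logic described in the message above, as an added example that is not part of the original message and is not httpd source code. It is a simplified model: the function names, the user record and the "authoritative" flag shared by both modules are assumptions, and a result where every module declines is treated as access not granted.

```c
#include <stdio.h>

/* Status names as httpd uses them; everything else here is hypothetical. */
#define OK 0
#define DECLINED (-1)
#define HTTP_UNAUTHORIZED 401

/* Constructed user record: the two facts the two Require lines test. */
struct user { int in_group; int active_employee; };
typedef int (*authz_hook)(const struct user *u, int authoritative);

/* Each modelled module looks only at its own Require line. */
static int groupfile_check(const struct user *u, int authoritative) {
    if (u->in_group) return OK;
    return authoritative ? HTTP_UNAUTHORIZED : DECLINED;
}

static int ldap_check(const struct user *u, int authoritative) {
    if (u->active_employee) return OK;
    return authoritative ? HTTP_UNAUTHORIZED : DECLINED;
}

/* The first hook that does not decline decides; later hooks never run. */
static int run_first(const authz_hook *hooks, int n,
                     const struct user *u, int authoritative) {
    for (int i = 0; i < n; i++) {
        int rc = hooks[i](u, authoritative);
        if (rc != DECLINED) return rc;
    }
    return DECLINED; /* nobody granted access */
}

/* Returns 1 if access is granted for this module order and user. */
int granted(int group_first, int authoritative, int in_group, int active) {
    const authz_hook a[2] = { groupfile_check, ldap_check };
    const authz_hook b[2] = { ldap_check, groupfile_check };
    struct user u = { in_group, active };
    return run_first(group_first ? a : b, 2, &u, authoritative) == OK;
}

int main(void) {
    for (int i = 0; i < 16; i++) {
        int auth = (i >> 3) & 1, gf = (i >> 2) & 1, g = (i >> 1) & 1, e = i & 1;
        printf("authoritative=%d group_first=%d in_group=%d active=%d -> %s\n",
               auth, gf, g, e, granted(gf, auth, g, e) ? "granted" : "denied");
    }
    return 0;
}
```

In this model no combination of ordering and the authoritative flag yields "group AND active employee": a user who satisfies only one Require line is granted access in at least one ordering every time.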