httpd-users mailing list archives

From Ben Johnson <...@indietorrent.org>
Subject Re: [users@httpd] Apache authentication - require group AND (not OR) user
Date Wed, 15 Aug 2012 16:19:53 GMT


On 8/14/2012 6:14 PM, hughw@sonic.net wrote:
> You can have multiple 'require' lines to allow multiple groups and/or
> users. So
> 
> require group programmers
> require group secretaries
> require user joe
> 
> "Require"s are OR-ed together, so anyone meeting a single criterion will
> get allowed in, provided they enter the correct password of course. So
> your check for "user is joe & he's in group clients" can be reduced to
> "user is joe" because joe eventually has to enter joe's password. (you
> certainly don't have two 'joe' entries in the password list, do you?)
> There is no concept of the challenge asking "what group are you in?",
> only "give me your login and password, I'll check the group file if needed".
> 
> And your example lists the same file for AuthDBMUserFile and
> AuthDBMGroupFile; you need to have two separate files.
> 
> hugh
> 
> 
> 
> On Tue 14/08/12 14:30, Ben Johnson ben@indietorrent.org sent:
> 
>     Hello,
> 
>     I've scoured the Internet for examples of how to implement logical
>     operators where the "require" directive is concerned.
> 
>     The dearth of documentation and discussion regarding this subject leads
>     me to believe that it has not been implemented, or was implemented at
>     one time and then removed.
> 
>     This is the most thorough discussion I can find on the subject, which
>     dead-ends:
>     http://www.mombu.com/programming/linux/t-apache-22-both-require-user-and-require-group-739013.html
> 
>     My location block, which, at present, only allows one group
>     ("programmers"), looks something like this:
> 
> 
>     AuthType Basic
>     AuthName "SVN Repository"
>     AuthBasicProvider dbm
>     AuthDBMType DB
>     AuthDBMUserFile "/var/www/apache-users"
>     AuthDBMGroupFile "/var/www/apache-users"
>     require group programmers
>     DAV svn
>     AuthzSVNAccessFile /var/www/projects/svn-access-control.cfg
>     SVNPath /var/www/svn/project
> 
> 
>     Ideally, I wish to do something like the following (I'm using
>     pseudo-code here, because it's probably easier to understand than plain
>     English):
> 
>     if ($group === 'programmers' || ($group === 'clients' && $user === 'joe')) {
>         // Allow access.
>     }
>     else {
>         // Deny access.
>     }
> 
>     Is this possible? Or do I need to give up on controlling authentication
>     at this level and instead focus on authorization within
>     "svn-access-control.cfg"?
> 
>     Thanks for any help!
> 
>     -Ben
> 
> 
> 

Thanks for the response, Hugh. Are these two approaches equivalent,
functionally?

-------------------------------
require group programmers
require group secretaries

--- versus ---

require group programmers secretaries
-------------------------------

I see your point about reducing the "user+group" requirement to
just "user", which, as you suggested, requires that users be unique (this
seems like a reasonable and necessary requirement). And no, I don't have
two "joe" entries in the password file.

Regarding the second point, are you sure that it is not possible to use
the same DBM file for both users and groups? The documentation seems to
indicate that this is not only possible, but is the preferred method in
many cases:

http://httpd.apache.org/docs/2.2/mod/mod_authz_dbm.html#authdbmgroupfile

In any event, I have made a slight modification to the location block,
but the result is the same: users who are not in the required group, and
whose usernames do not match the required user directive, are granted
access.

<Location /svn/project>
AuthType Basic
AuthName "SVN Repository"
AuthBasicProvider dbm
AuthDBMType DB
AuthDBMUserFile "/var/www/apache-users"
AuthDBMGroupFile "/var/www/apache-users"
require group programmers
require user joe
DAV svn
AuthzSVNAccessFile /var/www/projects/svn-access-control.cfg
SVNPath /var/www/svn/project
</Location>

I am beginning to wonder if the directives contained in the
AuthzSVNAccessFile are overriding those in the above location block.

In what order are these directives processed? I assumed (perhaps
naively) that the location block directives would be processed first,
and the AuthzSVNAccessFile processed only if one of the "require"
directives is met.

Thanks again,

-Ben
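As an added example that is not part of this thread: the AND/OR condition in the pseudo-code quoted above can be written directly in Apache 2.4, where mod_authz_core provides the RequireAll/RequireAny containers and mod_authz_dbm spells its group check "dbm-group". It assumes the same DBM file and paths as the 2.2 location block in this message; whether that file is readable by httpd 2.4 is not something the thread establishes.

```apache
<Location /svn/project>
    AuthType Basic
    AuthName "SVN Repository"
    AuthBasicProvider dbm
    AuthDBMType DB
    AuthDBMUserFile "/var/www/apache-users"
    AuthDBMGroupFile "/var/www/apache-users"

    # Access is granted when EITHER branch below is satisfied.
    <RequireAny>
        # Branch 1: any authenticated member of "programmers".
        Require dbm-group programmers

        # Branch 2: the user must be "joe" AND a member of "clients".
        # Without the RequireAll container, two bare Require lines are
        # OR-ed, and "Require user joe" alone would admit joe regardless
        # of group membership.
        <RequireAll>
            Require user joe
            Require dbm-group clients
        </RequireAll>
    </RequireAny>

    DAV svn
    AuthzSVNAccessFile /var/www/projects/svn-access-control.cfg
    SVNPath /var/www/svn/project
</Location>
```

The 2.2 directives "Require group ..." and "Require user ..." on separate lines remain OR-ed in every version; only the containers above express an AND.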

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

