httpd-users mailing list archives

From Ben Johnson <...@indietorrent.org>
Subject Re: [users@httpd] Apache authentication - require group AND (not OR) user
Date Thu, 23 Aug 2012 17:12:20 GMT


On 8/22/2012 3:48 PM, Ben Johnson wrote:
> 
> 
> On 8/22/2012 2:39 PM, Eric Covener wrote:
>>> http://www.svnforum.org/threads/37237-AuthzSVNAccessFile-Require-ldap-group
>>
>> That thread predates the authorization containers from 2.4 recommended
>> in this thread.   Maybe there are plans for AuthzSVN to interoperate,
>> or maybe it already does.
> 
> Thanks, Eric. Your attention to detail is much appreciated.
> 
> I didn't notice that these containers were introduced in a version later
> than the one I'm using (I'm using 2.2.14 and they were introduced in
> 2.3). No wonder they didn't work as expected. Shame on me.
> 
> I'll set up a VM with the required version and see if it makes a difference.
> 
> And, of course, I'll report my findings to the list.
> 
> If in the meantime somebody reads this and believes that
> interoperability between the two modules was introduced with 2.3 or
> later, please do speak up. :)
> 
> Thanks again,
> 
> -Ben

I need a stop-gap solution until I have a chance to test the new
authorization containers in Apache >= 2.3 and see if they "play nicely"
with AuthzSVN.

So, it's back to using simply "Require valid-user" in the
<Location></Location> block and handling everything else in the
AuthzSVNAccessFile.

One "problem" I've noticed is that when a user who does not have any
access to the repository via the AuthzSVNAccessFile, but who does meet
the "Require valid-user" requirement, attempts to access this <Location>,
Apache gets stuck in a redirect loop, logging the following with each
request until the user-agent (browser) puts a stop to it:

Access denied: 'user' GET repo:/

The Apache configuration directives are:

--------------------
<Location /svn/repo>
AuthType Basic
AuthName "SVN Repository"
AuthBasicProvider dbm
AuthDBMType DB
AuthDBMUserFile "/var/www/apache-users"
AuthDBMGroupFile "/var/www/apache-users"
Require valid-user
DAV svn
AuthzSVNAccessFile /var/www/projects/svn-access-control-v2.cfg
SVNPath /var/www/svn/repo
</Location>
--------------------

The AuthzSVNAccessFile contents are:

--------------------
[groups]
admins = joe
programmers = john, sam, sally
clients = larry

[/]
@admins = rw
@programmers = r
@clients = r
--------------------

If I authenticate as "joe", for example, I am able to navigate the
repository without issue.

But, if I authenticate as a user who does not appear anywhere in the
AuthzSVNAccessFile, I am hit with the infinite redirect loop.

Am I doing something silly? Or is this a known issue (perhaps one that's
been fixed)?

Thanks for any help!

-Ben
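
The case described in the message above, an account that satisfies "Require valid-user" but matches no entry in the AuthzSVNAccessFile, can be listed offline. This is an added example, not part of the original post and not mod_authz_svn's own logic. It assumes a simplified model (only [groups] plus an exact-match path section, no parent-path walk), and the account list and the name "pat" are constructed.

```python
import configparser

# Constructed copy of the access file quoted in the message above.
AUTHZ = """\
[groups]
admins = joe
programmers = john, sam, sally
clients = larry

[/]
@admins = rw
@programmers = r
@clients = r
"""

def parse_authz(text):
    """Return (groups, rules): group name -> set of users,
    section path -> list of (subject, access) pairs."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep user and group names case-sensitive
    cp.read_string(text)
    groups = {}
    if cp.has_section("groups"):
        for name, members in cp.items("groups"):
            groups[name] = {m.strip() for m in members.split(",") if m.strip()}
    rules = {s: list(cp.items(s)) for s in cp.sections() if s != "groups"}
    return groups, rules

def access_at(user, path, groups, rules):
    """Union of access letters from entries in [path] that name the user,
    one of the user's groups, or '*'. An empty string means no access."""
    granted = set()
    for subject, value in rules.get(path, []):
        if subject.startswith("@"):
            applies = user in groups.get(subject[1:], set())
        else:
            applies = subject in (user, "*")
        if applies:
            granted |= set(value.strip())
    return "".join(sorted(granted))

def locked_out(auth_users, path, text=AUTHZ):
    """Accounts that can authenticate but have no read access at path."""
    groups, rules = parse_authz(text)
    return [u for u in auth_users if "r" not in access_at(u, path, groups, rules)]

if __name__ == "__main__":
    # Constructed stand-in for the accounts in the DBM user file; "pat" is hypothetical.
    print(locked_out(["joe", "sally", "larry", "pat"], "/"))
```
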
