Re: ability to restrict scope of require directive to a single module
Ooops! I wanted to say I was NOT using authoritative mode! In this case, I want to be able to restrict a require to only one auth module.

Xavier

john wrote:
>
> >-- Original Message --
> >Reply-To: [EMAIL PROTECTED]
> >Date: Tue, 15 Oct 2002 18:27:18 +0200
> >From: Xavier MACHENAUD <[EMAIL PROTECTED]>
> >To: [EMAIL PROTECTED]
> >Subject: ability to restrict scope of require directive to a single module
> Hi,
> >
> >I'm facing the following problem :
> >I'm using 2 auth modules in authoritative mode (if one fails, try the other
> >one).
>
> This is your problem here. If both are in authoritative mode, it means
> (in your words): if one fails, DON'T try the other one. You need to load
> them both, and make the second one authoritative. The problem here is twofold:
> 1) there is no way to order auth modules, so if your authoritative module
> happens to run first, the other modules will NEVER get a chance to try
> 2) if there is no 'authoritative' module and auth fails (i.e. all modules
> return declined), apache core returns INTERNAL SERVER ERROR instead
> of UNAUTHORIZED.
>
> Until either one of the previous things changes, the only workaround is to
> make the last auth module called the authoritative one; that way both
> their authorize methods will get invoked.
>
> sterling

ability to restrict scope of require directive to a single module
Hi,

I'm facing the following problem:
I'm using 2 auth modules in authoritative mode (if one fails, try the other one). I have one authorization check (using a require directive) for the first module and another one for the other module. My problem is that the second directive has a syntax that is valid for the first module and will prevent authorization with the first module.

Here is an example of what I mean:
Users are authenticated using basic auth against my LDAP server.
Authorized users are:
1) all non-contractor users
2) plus a list of authorized-contractors (not managed in the LDAP server)

    AuthType Basic
    AuthName "access restricted"
    AuthLDAPURL
    require ldap-filter !(employeeType=contractor)
    AuthLDAPAuthoritative off
    AuthUserFile .htpasswd
    AuthGroupFile .htgroup
    require group authorized-contractors

The problem with this is that the 'require group' is a valid directive for the auth_ldap module and will prevent rule 1) from succeeding.

The way I'm solving this is by patching the mod_auth module, telling it to support both 'require group' and 'require mod_auth_group' directives. In this case, the following configuration is doing what I wanted:

    AuthType Basic
    AuthName "access restricted"
    AuthLDAPURL
    require ldap-filter !(employeeType=contractor)
    AuthLDAPAuthoritative off
    AuthUserFile .htpasswd
    AuthGroupFile .htgroup
    require mod_auth_group authorized-contractors

I'm wondering if it's not a good idea for any auth module to support 2 names for any "require" option: the common name (group) and a unique name (_group). In this case, it could help implement a strict OR between require directives when using authoritative mode.

Any thoughts?

Xavier
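
The following is an added example, not part of either message and not Apache or module source code: a simplified Python model of the authorization hook chain sterling describes, run against the patched configuration from the original message. The module order (auth_ldap before mod_auth), the users, the group membership and all class and function names are constructed assumptions.

```python
# Simplified model of the auth hook chain described in the thread.
# Constructed for illustration: not Apache, mod_auth or auth_ldap source code.
OK, DECLINED = 0, -1                      # Apache hook return codes
HTTP_UNAUTHORIZED, HTTP_INTERNAL_SERVER_ERROR = 401, 500

# Constructed sample data standing in for the LDAP directory and .htgroup.
EMPLOYEE_TYPE = {"alice": "staff", "bob": "contractor", "carol": "contractor"}
GROUPS = {"authorized-contractors": {"bob"}}

# The patched configuration from the message: one unique keyword per module.
REQUIRES = [("ldap-filter", "!(employeeType=contractor)"),
            ("mod_auth_group", "authorized-contractors")]

def ldap_check(user, arg):
    # Assumption: only the one filter used in the thread is modelled.
    known = EMPLOYEE_TYPE.get(user, "contractor")
    return arg == "!(employeeType=contractor)" and known != "contractor"

def group_check(user, arg):
    return user in GROUPS.get(arg, set())

class AuthModule:
    """Hypothetical module: handles one require keyword, may be authoritative."""
    def __init__(self, name, keyword, check, authoritative):
        self.name, self.keyword = name, keyword
        self.check, self.authoritative = check, authoritative

    def auth_checker(self, user, requires):
        for keyword, arg in requires:
            if keyword == self.keyword and self.check(user, arg):
                return OK
        # No requirement satisfied: authoritative rejects, otherwise pass on.
        return HTTP_UNAUTHORIZED if self.authoritative else DECLINED

def run_auth_checker(modules, user, requires=REQUIRES):
    """Stop at the first module that does not decline; report who was called."""
    called = []
    for module in modules:
        called.append(module.name)
        status = module.auth_checker(user, requires)
        if status != DECLINED:
            return status, called
    # Every module declined: the core answers 500 rather than 401.
    return HTTP_INTERNAL_SERVER_ERROR, called

def chain(ldap_authoritative, mod_auth_authoritative):
    return [AuthModule("auth_ldap", "ldap-filter", ldap_check, ldap_authoritative),
            AuthModule("mod_auth", "mod_auth_group", group_check, mod_auth_authoritative)]
```

`chain(False, True)` is the workaround from the reply (only the last module authoritative); `chain(True, True)` and `chain(False, False)` reproduce the two failure cases it lists.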