Re: ability to restrict scope of require directive to a single module
Ooops! I wanted to say I was NOT using authoritative mode! In this case, I want to be able to restrict a require to only one auth module.

Xavier

john wrote:

-- Original Message --
Reply-To: [EMAIL PROTECTED]
Date: Tue, 15 Oct 2002 18:27:18 +0200
From: Xavier MACHENAUD [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: ability to restrict scope of require directive to a single module

Hi, I'm facing the following problem: I'm using 2 auth modules in authoritative mode (if one fails, try the other one).

This is your problem here. If both are in authoritative mode, it means (in your words): if one fails, DON'T try the other one. You need to load them both, and make the second one authoritative.

The problem here is twofold:

1) there is no way to order auth modules, so if your authoritative module happens to run first, the other modules will NEVER get a chance to try
2) if there is no 'authoritative' module and auth fails (i.e. all modules return declined), apache core returns INTERNAL SERVER ERROR instead of UNAUTHORIZED.

Until either one of the previous things changes, the only workaround is to make the last auth module called the authoritative one; that way both their authorize methods will get invoked.

sterling
Re: ability to restrict scope of require directive to a single module
My answer below still explains your situation. There is no way to 'restrict' requires. Each module has access to the SAME requires for a given location. If no modules are authoritative, you probably will get INTERNAL_SERVER_ERRORS for all unauthorized requests, right?

sterling

On Wednesday, October 16, 2002, at 02:47 AM, Xavier MACHENAUD wrote:

Ooops! I wanted to say I was NOT using authoritative mode! In this case, I want to be able to restrict a require to only one auth module.

Xavier

john wrote:

-- Original Message --
Reply-To: [EMAIL PROTECTED]
Date: Tue, 15 Oct 2002 18:27:18 +0200
From: Xavier MACHENAUD [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: ability to restrict scope of require directive to a single module

Hi, I'm facing the following problem: I'm using 2 auth modules in authoritative mode (if one fails, try the other one).

This is your problem here. If both are in authoritative mode, it means (in your words): if one fails, DON'T try the other one. You need to load them both, and make the second one authoritative.

The problem here is twofold:

1) there is no way to order auth modules, so if your authoritative module happens to run first, the other modules will NEVER get a chance to try
2) if there is no 'authoritative' module and auth fails (i.e. all modules return declined), apache core returns INTERNAL SERVER ERROR instead of UNAUTHORIZED.

Until either one of the previous things changes, the only workaround is to make the last auth module called the authoritative one; that way both their authorize methods will get invoked.

sterling
ability to restrict scope of require directive to a single module
Hi,

I'm facing the following problem: I'm using 2 auth modules in authoritative mode (if one fails, try the other one). I have one authorization check (using a require directive) for the first module and another one for the other module. My problem is that the second directive has a syntax that is valid for the first module and will prevent authorization with the first module.

Here is an example of what I mean:

Users are authenticated using basic auth against my ldap server. Authorized users are:

1) all non-contractor users
2) plus a list of authorized-contractors (not managed in the LDAP server)

    AuthType Basic
    AuthName "access restricted"
    AuthLDAPURL ldap URL
    require ldap-filter !(employeeType=contractor)
    AuthLDAPAuthoritative off
    AuthUserFile .htpasswd
    AuthGroupFile .htgroup
    require group authorized-contractors

The problem with this is that the 'require group' is a valid directive for the auth_ldap module and will prevent rule 1) from succeeding.

The way I'm solving this is by patching the mod_auth module, telling it to support both 'require group' and 'require mod_auth_group' directives. In this case, the following configuration is doing what I wanted:

    AuthType Basic
    AuthName "access restricted"
    AuthLDAPURL ldap URL
    require ldap-filter !(employeeType=contractor)
    AuthLDAPAuthoritative off
    AuthUserFile .htpasswd
    AuthGroupFile .htgroup
    require mod_auth_group authorized-contractors

I'm wondering if it's not a good idea for any auth modules to support 2 names for any require options: the common name (group) and a unique name (module_name_group). In this case, it could help implementing a strict OR between require directives when using authoritative mode.

Any thoughts?

Xavier
RE: ability to restrict scope of require directive to a single module
-- Original Message --
Reply-To: [EMAIL PROTECTED]
Date: Tue, 15 Oct 2002 18:27:18 +0200
From: Xavier MACHENAUD [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: ability to restrict scope of require directive to a single module

Hi, I'm facing the following problem: I'm using 2 auth modules in authoritative mode (if one fails, try the other one).

This is your problem here. If both are in authoritative mode, it means (in your words): if one fails, DON'T try the other one. You need to load them both, and make the second one authoritative.

The problem here is twofold:

1) there is no way to order auth modules, so if your authoritative module happens to run first, the other modules will NEVER get a chance to try
2) if there is no 'authoritative' module and auth fails (i.e. all modules return declined), apache core returns INTERNAL SERVER ERROR instead of UNAUTHORIZED.

Until either one of the previous things changes, the only workaround is to make the last auth module called the authoritative one; that way both their authorize methods will get invoked.

sterling
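
The chain behaviour described in this thread, as an added example that is not part of any message above and is not httpd source code: a small C model in which each auth module either grants, fails authoritatively, or declines, and the core maps "everyone declined" to a server error. The struct, the `scenario` helper and the two-module setup are assumptions made for illustration.

```c
#include <stdio.h>

/* Simplified model (assumption): status names and values follow httpd's,
 * the modules and their decision logic are illustrative stand-ins. */
enum { OK = 0, DECLINED = -1, HTTP_UNAUTHORIZED = 401,
       HTTP_INTERNAL_SERVER_ERROR = 500 };

struct auth_module {
    int grants;        /* 1 if this module finds a require it can satisfy */
    int authoritative; /* 1: a failure is final, 0: a failure is passed on */
    int invoked;       /* set once the module's checker has run */
};

static int check(struct auth_module *m) {
    m->invoked = 1;
    if (m->grants) return OK;
    return m->authoritative ? HTTP_UNAUTHORIZED : DECLINED;
}

/* Run-first chain: the first module that does not decline decides.
 * If every module declines, the core reports a server error. */
int run_auth_chain(struct auth_module *mods, int n) {
    for (int i = 0; i < n; i++) {
        int rc = check(&mods[i]);
        if (rc != DECLINED) return rc;
    }
    return HTTP_INTERNAL_SERVER_ERROR;
}

/* Two modules in call order; *ran reports whether the second one ran. */
int scenario(int first_auth, int second_auth, int second_grants, int *ran) {
    struct auth_module mods[2] = {
        { 0, first_auth, 0 },            /* first module never grants here */
        { second_grants, second_auth, 0 },
    };
    int rc = run_auth_chain(mods, 2);
    *ran = mods[1].invoked;
    return rc;
}

int main(void) {
    int ran, rc;
    rc = scenario(1, 1, 1, &ran);   /* authoritative module runs first */
    printf("authoritative first: %d, second ran: %d\n", rc, ran);
    rc = scenario(0, 0, 0, &ran);   /* nobody is authoritative */
    printf("none authoritative:  %d\n", rc);
    rc = scenario(0, 1, 0, &ran);   /* only the last one is authoritative */
    printf("last authoritative:  %d, second ran: %d\n", rc, ran);
    return 0;
}
```

The first case is the one to watch for when auditing a configuration: the second module would have granted access, but it is never consulted.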