On 8/14/2012 6:14 PM, hu...@sonic.net wrote: > You can have multiple 'require' lines to allow multiple groups and/or > users. So > > require group programmers > require group secretaries > require user joe > > "Require"s are OR-ed together, so anyone meeting a single criteria will > get allowed in, provided they enter the correct password of course. So > your check for "user is joe & he's in group clients" can be reduced to > "user is joe" because joe eventually has to enter joe's password. (you > certainly don't have two 'joe' entries in the password list, do you?) > There is no concept of the challenge asking "what group are you in?", > only "give me your login and password, I'll check the group file if needed". > > And your example lists the same file for AuthDBMUserFile and > AuthDBMGroupFile; you need to have two separate files. > > hugh > > > > On Tue 14/08/12 14:30 , Ben Johnson b...@indietorrent.org sent: > > Hello, > > I've scoured the Internet for examples of how to implement logical > operators where the "require" directive is concerned. > > The dearth of documentation and discussion regarding this subject leads > me to believe that it has not been implemented, or was implemented at > one time and then removed. > > This is the most thorough discussion I can find on the subject, which > dead-ends: > > http://www.mombu.com/programming/linux/t-apache-22-both-require-user-and-require-group-739013.html > <<a > > href=>">http://www.mombu.com/programming/linux/t-apache-22-both-require-user-and-require-group-739013.html > > My location block, which, at present, only allows one group > ("programmers"), looks something like this: > > > AuthType Basic > AuthName "SVN Repository" > AuthBasicProvider dbm > AuthDBMType DB > AuthDBMUserFile "/var/www/apache-users" > AuthDBMGroupFile "/var/www/apache-users" > require group programmers > DAV svn > AuthzSVNAccessFile /var/www/projects/svn-access-control.cfg > SVNPath /var/www/svn/project > > > Ideally, I wish to do something like the following (I'm using > pseudo-code here, because it's probably easier to understand than plain > English): > > if ($group === 'programmers' || ($group === 'clients && $user === > 'joe')) { > //Allow access. > } > else { > //Deny access. > } > > Is this possible? Or do I need to give-up on controlling authentication > at this level and instead focus on authorization within > "svn-access-control.cfg"? > > Thanks for any help! > > -Ben > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org > <mailto:users-unsubscr...@httpd.apache.org> > For additional commands, e-mail: users-h...@httpd.apache.org > <mailto:users-h...@httpd.apache.org> > >
Thanks for the response, Hugh. Are these two approaches equivalent, functionally? ------------------------------- require group programmers require group secretaries --- versus --- require group programmers secretaries ------------------------------- I see your point about about reducing the "user+group" requirement to just "user", which as you suggested, requires that users be unique (this seems like a reasonable and necessary requirement). And no, I don't have two "joe" entries in the password file. Regarding the second point, are you sure that it is not possible to use the same DBM file for both users and groups? The documentation seems to indicate that this is not only possible, but is the preferred method in many cases: http://httpd.apache.org/docs/2.2/mod/mod_authz_dbm.html#authdbmgroupfile In any event, I have made a slight modification to the location block, but the result is the same: users who are not in the required group, and whose usernames do not match the required user directive, are granted access. <Location /svn/project> AuthType Basic AuthName "SVN Repository" AuthBasicProvider dbm AuthDBMType DB AuthDBMUserFile "/var/www/apache-users" AuthDBMGroupFile "/var/www/apache-users" require group programmers require user joe DAV svn AuthzSVNAccessFile /var/www/projects/svn-access-control.cfg SVNPath /var/www/svn/project </Location> I am beginning to wonder if the directives contained in the AuthzSVNAccessFile are overriding those in the above location block. In what order are these directives processed? I assumed (perhaps naively) that the location block directives would be processed first, and the AuthzSVNAccessFile processed only if one of the "require" directives is met. Thanks again, -Ben --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
