(I ASSume this is resolved with the AAA redesign in 2.1-dev.  I didn't
check, though.)

Try this with 2.0:

<Location /protected>
authtype basic
authname "Restricted Files"
authdbmuserfile /scratch/inst/20/jeffdb
require valid-user
</Location>

If mod_auth isn't loaded, you get this after a successful user/pass
verification, and the request fails:

[client 127.0.0.1] configuration error:  couldn't check access.  No
groups file?: /protected/, referer: ...

Then add LoadModule for mod_auth and it starts working as expected.

mod_auth_dbm is missing some boilerplate handling of the require
directive which causes it to decline its auth_checker hook.
Index: modules/aaa/mod_auth_dbm.c
===================================================================
--- modules/aaa/mod_auth_dbm.c  (revision 170790)
+++ modules/aaa/mod_auth_dbm.c  (working copy)
@@ -226,10 +226,10 @@
     const char *t;
     char *w;
 
-    if (!conf->auth_dbmgrpfile)
-        return DECLINED;
-    if (!reqs_arr)
-        return DECLINED;
+    if (!reqs_arr) {
+        /* no "requires" directive; any user will do */
+        return OK;
+    }
 
     for (x = 0; x < reqs_arr->nelts; x++) {
 
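Review bot: With the `!conf->auth_dbmgrpfile` guard removed, this checker no longer steps aside for locations without a DBM group file, so from the early `return OK` onward it takes part in the authorization decision wherever the module is loaded. The function starts above this hunk, so whether it also checks that a DBM user file is configured is not visible here. If it does not, `valid-user` and `user` requirements are granted on the strength of whichever module set the user name. I would document that dependency at the early return, e.g. `/* no "require" directive: the user was already authenticated in an earlier phase, so allow */`, which also corrects the `"requires"` spelling.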
@@ -238,11 +238,25 @@
 
         t = reqs[x].requirement;
         w = ap_getword_white(r->pool, &t);
-
-        if (!strcmp(w, "group") && conf->auth_dbmgrpfile) {
+        if (!strcmp(w, "valid-user")) {
+            return OK;
+        }
+        if (!strcmp(w, "user")) {
+            while (t[0]) {
+                w = ap_getword_conf(r->pool, &t);
+                if (!strcmp(user, w)) {
+                    return OK;
+                }
+            }
+        }
+        else if (!strcmp(w, "group")) {
             const char *orig_groups, *groups;
             char *v;
 
+            if (!conf->auth_dbmgrpfile) {
+                return DECLINED;       /* some other module's group? */
+            }
+            
             if (!(groups = get_dbm_grp(r, user, conf->auth_dbmgrpfile,
                                        conf->auth_dbmtype))) {
                 if (!(conf->auth_dbmauthoritative))
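Review bot: The new `user` branch has no failure path: when none of the listed names matches, control leaves the `while` loop, skips the `else if` chain and ends at the final `return DECLINED`. With no other auth_checker loaded, that presumably produces the same "couldn't check access" configuration error this patch sets out to remove, so the request is refused without a 401 challenge and the log blames the configuration instead of recording a denied user. The group branch already ends in `ap_note_basic_auth_failure(r); return HTTP_UNAUTHORIZED;` (visible in the next hunk), and an authoritative module should treat an unmatched `user` requirement the same way once every require line has been examined. The loop body begins before this hunk, so any per-method filtering of `reqs[x]` cannot be checked from here.

```c
        if (!strcmp(w, "user")) {
            user_listed = 1;    /* new int local, initialised to 0 */
            /* … unchanged: while loop comparing user against each name … */
        }
        /* … unchanged: group branch, remainder of the for loop … */

    /* after the loop, in place of the bare return DECLINED */
    if (user_listed && conf->auth_dbmauthoritative) {
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                      "access to %s failed, reason: user %s not allowed access",
                      r->uri, user);
        ap_note_basic_auth_failure(r);
        return HTTP_UNAUTHORIZED;
    }
    return DECLINED;
```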
@@ -269,6 +283,17 @@
             ap_note_basic_auth_failure(r);
             return HTTP_UNAUTHORIZED;
         }
+        else if (conf->auth_dbmauthoritative) {
+            /* if we aren't authoritative, any require directive could be
+             * valid even if we don't grok it.  However, if we are 
+             * authoritative, we can warn the user they did something wrong.
+             * That something could be a missing "AuthAuthoritative off", but
+             * more likely is a typo in the require directive.
+             */
+            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                          "access to %s failed, reason: unknown require "
+                          "directive:\"%s\"", r->uri, reqs[x].requirement);
+        }
     }
 
     return DECLINED;
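Review bot: The added `else if` logs "access to %s failed" at `APLOG_ERR` but does not fail the request: the loop carries on, so a later require line can still return OK, or the function falls through to `return DECLINED`. Anyone reading the error log during an investigation then sees a failure entry that may contradict the actual outcome. It will also repeat on every request whose require keyword belongs to another module while this one is authoritative. If the branch is meant to stay advisory, say so in the message and lower the level, e.g. `ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, "require directive not recognised by mod_auth_dbm: \"%s\"", reqs[x].requirement);`. The comment also names `AuthAuthoritative off` while the flag tested is `conf->auth_dbmauthoritative`; it should name this module's own directive (presumably `AuthDBMAuthoritative`) so an administrator changes the right setting.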
