Making this generic is a good idea, though you are correct in asserting it cannot be done without a major re-factoring. Even then the authz modules would need to be modified to respect the satisfy flag when multiple requires are given for a single authz module.

The requirement I'm trying to fulfill is multiple group requires within ldap. I figured making it generic within ldap using satisfy would be a good idea, though this seems to be blowing up into a much bigger issue.

Perhaps it would be easier if 'require ldap-group' could have multiple groups listed on a single require line? Something similar to ldap-attribute? Or maybe just move the satisfy flag to an ldap specific directive like 'LDAPSatisfyAll' to remove any confusion on what it does?

On Sep 7, 2005, at 9:02 AM, Brad Nicholes wrote:

+1 in concept as well but it seems that this should be implemented at some lower level so that we don't have to touch each authz module to teach them how to deal with the satisfy directive.

The problem is that the auth_checker hook is defined as AP_IMPLEMENT_HOOK_RUN_FIRST meaning that each registered hook will be called in turn until something other than DECLINE is returned. If something other than DECLINE is returned then the appropriate action takes place. Either authorization succeeds or fails with a specific error. Satisfy All would need to change the behavior of the hook so that each registered hook is called in turn as long as OK or DECLINE is returned. Then if something other than OK or DECLINE is returned, the authorization fails. This would probably require defining a new type of hook that would be defined as AP_IMPLEMENT_HOOK_RUN_ALL.

At this point I am not sure how to make that happen without drastically altering the way authorization is currently configured and works. Currently Satisfy All | Any is very specific in how it is implemented inside of ap_process_request_internal(). Its purpose is to satisfy access control vs. (authentication and authorization). This would also need to be changed or use something other than the Satisfy directive.

Brad

On Monday, September 05, 2005 at 4:15:56 am, in message <[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:

Ryan Morgan wrote:

require ldap-group cn=Engineering,ou=Groups,o=SomeCompany,c=US
require ldap-group cn=QA,ou=Groups,o=SomeCompany,c=US
satisfy all

Could someone provide feedback on whether this is a feature that could be added to the ldap module?

Definitely a +1 in concept. Do the other authz modules handle satisfy all in the same way?

A quick eyeball of the patch shows up some C++ comments - can you convert them to C comments?

Regards,
Graham
--
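
The two hook dispatch rules described in the quoted message, as an added stand-alone simulation (not httpd code and not part of the thread). The hook functions, the `request` struct, the status values and the group strings are hypothetical; each hook stands for one group requirement.

```c
#include <stdio.h>
#include <string.h>
/* Status names follow the thread; numeric values are local to this sketch. */
enum { OK = 0, DECLINE = -1, DENIED = 401 };
typedef struct { const char *groups; } request; /* constructed: space-separated names */
typedef int (*authz_hook)(const request *r);

/* Stand-in for an LDAP group lookup: whole-word match in r->groups. */
static int in_group(const request *r, const char *name) {
    size_t n = strlen(name);
    for (const char *p = r->groups; (p = strstr(p, name)) != NULL; p += n) {
        int starts = (p == r->groups) || (p[-1] == ' ');
        if (starts && (p[n] == '\0' || p[n] == ' ')) return 1;
    }
    return 0;
}

/* Hypothetical hooks: one unrelated module that declines, then one per required group. */
static int other_module(const request *r) { (void)r; return DECLINE; }
static int need_engineering(const request *r) { return in_group(r, "Engineering") ? OK : DENIED; }
static int need_qa(const request *r) { return in_group(r, "QA") ? OK : DENIED; }
static const authz_hook hooks[] = { other_module, need_engineering, need_qa };
#define NHOOKS (sizeof hooks / sizeof hooks[0])

/* Run-first: stop at the first hook that returns anything but DECLINE. */
int run_first(const request *r) {
    for (size_t i = 0; i < NHOOKS; i++) {
        int rv = hooks[i](r);
        if (rv != DECLINE) return rv;
    }
    return DECLINE;
}

/* Run-all: continue while hooks return OK or DECLINE; anything else fails. */
int run_all(const request *r) {
    int result = DECLINE; /* assumption: all-DECLINE stays DECLINE so the caller fails closed */
    for (size_t i = 0; i < NHOOKS; i++) {
        int rv = hooks[i](r);
        if (rv != OK && rv != DECLINE) return rv;
        if (rv == OK) result = OK;
    }
    return result;
}

/* Evaluate one constructed group list under either rule (all != 0 selects run-all). */
int check(const char *groups, int all) { request r = { groups }; return all ? run_all(&r) : run_first(&r); }
int main(void) {
    printf("Engineering only: first=%d all=%d\n", check("Engineering", 0), check("Engineering", 1));
    return 0;
}
```

A user who is only in Engineering is authorized under the run-first rule because the QA hook is never consulted, and is refused under the run-all rule.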