Oooh boy, I think this stuff is a mess (or if it's neater than my
perception of it, I need to get it clarified for myself :)

It is my opinion that if AuthUserFile is not specified mod_auth should
decline; I'm indicating that I don't want mod_auth to have any say in the
authentication for this resource.  If no AuthUserDBFile is configured,
mod_auth_db should similarly decline.  Every one of the auth modules should
have their shot at it but decline if no resource for looking up the
username is provided.  If none of the auth modules have a lookup resource
configured and they're not using the "authoritative" behavior, then
eventually core should pick it up and default to 401 (and perhaps log
something like "authentication credentials required but no resource to
lookup and match against specified.  If that's really what you want then
just say 'order deny, allow && deny from all', dumbo!")

Having core throw a 500 error or an auth module "authoritative" but its
resource specification unspecified highlights a real problem.  I may want
to specify what resource to consult first.  Say 99.9% of my users are in a
db but there are special case users in a textfile, so I'd want
1) authuserdbfile consulted first, if the user is looked up but the
password mismatched, 401; if the user is not found, declined
2) authuserfile consulted second, same decisions
3) core sees that authuserdbfile and authuserfile had their shot and
declined and throws a 401
Right now, with my understanding of module order no longer being user
configured, I'm not sure how to express this in httpd 2.0 while it may be
expressed in 1.3 by manipulating module order and making the last module
authoritative.

About the authoritative stuff, I'd rather signify that an auth module is
authoritative with the absence of other auth module lookup resources and
make it "the last in line."

-Ian

On Sun, 19 Aug 2001, Rodent of Unusual Size wrote:

> Currently, mod_auth (and friends) return DECLINED when asked
> to authenticate a user and there is no AuthUserFile declared.
> This means that the server checks with all the other
> authentication handlers, and is likely to eventually die
> with a 500 status and the cryptic 'no user file?' message
> in the log file.
> 
> The lack of an AuthUserFile directive really *is* a configuration
> error, but I would like to propose modifying this behaviour
> slightly.  If mod_auth is authoritative and there is no
> userfile, I propose logging the missing file in the error log
> and returning HTTP_UNAUTHORIZED.  This will hopefully save
> a wee bit of confusion, and also potentially some cycles
> from the core consulting other, non-authoritative, modules
> to end up with the same result.
> 

cheers,
-Ian

--
Ian Kallen <[EMAIL PROTECTED]> | AIM: iankallen
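The decision chain Ian lays out in his three numbered points (the DB consulted first, the text file second, the core's default 401 as the last word), simulated in C as an added example. This is not httpd code: the `auth_module_t` struct, the `check_user` / `run_auth_chain` functions, the module list and the plaintext sample records are all constructed here to show the DECLINED / 401 semantics the thread argues about, not mod_auth's real API.

```c
#include <stdio.h>
#include <string.h>

/* Return codes in the httpd convention the thread discusses. */
#define OK 0
#define DECLINED -1
#define HTTP_UNAUTHORIZED 401

typedef struct {
    const char *user;
    const char *password;
} cred_t;

/* One auth module: its lookup resource (NULL when no AuthUserFile /
 * AuthUserDBFile is configured) and whether it is "authoritative". */
typedef struct {
    const char *name;
    const cred_t *records;
    int nrecords;
    int authoritative;
} auth_module_t;

/* Decision Ian describes for a single module:
 *   no lookup resource configured     -> DECLINED (not a 500)
 *   user found, password mismatched   -> HTTP_UNAUTHORIZED
 *   user not found                    -> DECLINED, or 401 if authoritative */
int check_user(const auth_module_t *m, const char *user, const char *password)
{
    if (m->records == NULL) {
        fprintf(stderr, "%s: no lookup resource configured, declining\n", m->name);
        return DECLINED;
    }
    for (int i = 0; i < m->nrecords; i++) {
        if (strcmp(m->records[i].user, user) == 0) {
            return strcmp(m->records[i].password, password) == 0
                   ? OK : HTTP_UNAUTHORIZED;
        }
    }
    return m->authoritative ? HTTP_UNAUTHORIZED : DECLINED;
}

/* Core: give every module its shot in order, stop at the first answer that
 * is not DECLINED, and fall back to 401 when all of them declined. */
int run_auth_chain(const auth_module_t *mods, int nmods,
                   const char *user, const char *password)
{
    for (int i = 0; i < nmods; i++) {
        int rc = check_user(&mods[i], user, password);
        if (rc != DECLINED)
            return rc;
    }
    fprintf(stderr, "core: every auth module declined; defaulting to 401\n");
    return HTTP_UNAUTHORIZED;
}

/* Constructed sample stores. Real AuthUserFile / AuthUserDBFile entries hold
 * hashed passwords; plaintext is used here only to keep the example short. */
static const cred_t db_users[]   = { {"alice", "wonder"}, {"bob", "builder"} };
static const cred_t file_users[] = { {"carol", "special"} };

/* Ian's ordering: the DB (99.9% of users) first, the text file second,
 * neither authoritative, so the core's default 401 is the last in line. */
static const auth_module_t chain[] = {
    { "mod_auth_db", db_users,   2, 0 },
    { "mod_auth",    file_users, 1, 0 },
};

int authenticate(const char *user, const char *password)
{
    return run_auth_chain(chain, 2, user, password);
}

int main(void)
{
    printf("alice/wonder  -> %d\n", authenticate("alice", "wonder"));  /* 0 */
    printf("alice/wrong   -> %d\n", authenticate("alice", "wrong"));   /* 401 */
    printf("carol/special -> %d\n", authenticate("carol", "special")); /* 0 */
    printf("dave/x        -> %d\n", authenticate("dave", "x"));        /* 401 */
    return 0;
}
```

Marking a module authoritative (the last field) changes only the unknown-user case: it answers 401 itself instead of declining, which is what makes it "the last in line"; a module with no resource configured declines either way, so order alone decides who answers first.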
