I'm trying to understand how all the parts of
authentication/authorization in Apache 2.2 fit together, and have run
into something that doesn't seem quite right to me. I'm wondering if
I'm correct about how it works. I've been looking at the doc, as well
as reading request.c.

Suppose you have more than one authz module, for example,
mod_authz_groupfile and mod_authnz_ldap, that you want to use to control
access. You might configure

    Require group authorized_users
    Require ldap-attribute employeeType=active

in hopes of requiring users to both belong to the authorized_users group
and be an active employee, but that won't work. Whichever module gets
invoked first will either grant or reject access based solely on its own
Require statement; the other module never gets to look at the request.

You can stop the modules from rejecting access immediately by configuring

    AuthzGroupFileAuthoritative off
    AuthzLDAPAuthoritative off

but that's not quite right either. If mod_authz_groupfile gets invoked
first and the user is in the group, access will be granted immediately,
and again, the other module doesn't get to check its own Require. The
same could happen in the opposite order. The result will be that we
require either the right group, or an active employee, but never both;
and which one depends on the module ordering.

So, am I right about how this works? And is there any way to configure
things so multiple Requires from different authz modules are all
required to pass in order to grant access? Or would you have to find
some other way entirely?
Thanks,
Dan
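The ordering effect described in the post can be made concrete with a small model of the 2.2 auth_checker hook chain. This is an added illustration, not code from httpd or from the poster: each authz module is modelled as a function that returns OK when its Require holds, and otherwise HTTP_UNAUTHORIZED when the module is authoritative or DECLINED when it is not; the chain stops at the first result that is not DECLINED. The users, group membership and employeeType values are constructed inputs. The final function, require_all, goes beyond the post and models the all-must-pass evaluation that Apache 2.4 provides with its RequireAll container (not available in 2.2).

```python
# Simplified model of Apache 2.2's authz hook chain (added illustration, not httpd code).
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Set

OK, DECLINED, HTTP_UNAUTHORIZED = "OK", "DECLINED", "HTTP_UNAUTHORIZED"


@dataclass
class User:
    name: str
    groups: Set[str]           # what mod_authz_groupfile would see
    attrs: Dict[str, str]      # what mod_authnz_ldap would see


@dataclass
class AuthzModule:
    name: str
    check: Callable[[User], bool]   # does this module's own Require hold?
    authoritative: bool = True      # AuthzXxxAuthoritative on/off

    def hook(self, user: User) -> str:
        if self.check(user):
            return OK
        return HTTP_UNAUTHORIZED if self.authoritative else DECLINED


def run_chain(modules: List[AuthzModule], user: User) -> str:
    """2.2 behaviour: first OK or first error ends the chain; all DECLINED means deny."""
    for m in modules:
        rc = m.hook(user)
        if rc != DECLINED:
            return rc
    return HTTP_UNAUTHORIZED


def require_all(modules: List[AuthzModule], user: User) -> str:
    """Models Apache 2.4's <RequireAll>: every Require must hold (not available in 2.2)."""
    return OK if all(m.check(user) for m in modules) else HTTP_UNAUTHORIZED


# Constructed equivalents of the two Require lines from the post.
groupfile = AuthzModule("mod_authz_groupfile", lambda u: "authorized_users" in u.groups)
ldap = AuthzModule("mod_authnz_ldap", lambda u: u.attrs.get("employeeType") == "active")

# Constructed sample users (not real accounts).
inactive_member = User("alice", {"authorized_users"}, {"employeeType": "former"})
active_outsider = User("bob", set(), {"employeeType": "active"})
active_member = User("carol", {"authorized_users"}, {"employeeType": "active"})


def scenarios() -> Dict[str, str]:
    """Run each configuration/ordering from the post and return the access decision."""
    non_auth = [replace(groupfile, authoritative=False), replace(ldap, authoritative=False)]
    return {
        # Both authoritative, groupfile first: its verdict alone decides.
        "auth_on/group_first/inactive_member": run_chain([groupfile, ldap], inactive_member),
        "auth_on/group_first/active_outsider": run_chain([groupfile, ldap], active_outsider),
        # Both non-authoritative: first module whose Require holds grants access.
        "auth_off/group_first/inactive_member": run_chain(non_auth, inactive_member),
        "auth_off/group_first/active_outsider": run_chain(non_auth, active_outsider),
        "auth_off/ldap_first/inactive_member": run_chain(non_auth[::-1], inactive_member),
        # 2.4-style RequireAll: only a user satisfying both Requires gets in.
        "require_all/inactive_member": require_all([groupfile, ldap], inactive_member),
        "require_all/active_outsider": require_all([groupfile, ldap], active_outsider),
        "require_all/active_member": require_all([groupfile, ldap], active_member),
    }


if __name__ == "__main__":
    for case, decision in scenarios().items():
        print(f"{case:45s} -> {decision}")
```

With both modules authoritative, the inactive group member is admitted and the active non-member is rejected before mod_authnz_ldap ever runs; with both set to off, either user is admitted, in either order. Only the all-must-pass evaluation denies both of them and admits the user who satisfies both Requires.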
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.