Greetings,

I have a configuration that is not behaving as I'm assuming it should - I suspect I'm missing a critical detail. I am using the following setup in a VirtualHost to protect access to a Mercurial web repo:

    <Location /hg>
        WSGIProcessGroup hg
        AuthType Basic
        AuthName "Mercurial LDAP Auth"
        AuthBasicProvider ldap
        # For AD LDAPS support, requires LDAPVerifyServerCert to be disabled up above.
        AuthLDAPURL [redacted]
        AuthLDAPBindDN [redacted]
        AuthLDAPBindPassword [redacted]
        # Must be off to honor valid-user as "fallback" authorization
        AuthzLDAPAuthoritative Off
        Require valid-user
        AuthGroupFile /etc/httpd/auth/groups
        <LimitExcept GET>
            #Require group hgpushers
            Require group poopy
        </LimitExcept>
    </Location>

    ## /etc/httpd/auth/groups
    # Authorized to perform Mercurial push operations
    #hgpushers: jdoe jdoe2
    hgpushers: jdoe

Authentication against LDAP works correctly. Authorization to 'valid-user' works correctly in the normal case.

My goal is to use LimitExcept to restrict Mercurial 'push' operations to members of an authorized group; this can be done by evaluation of the HTTP methods as described at http://mercurial.selenic.com/wiki/PublishingRepositories#Configuring_Apache.

For everything I've tried though, I can still perform push operations when authenticating as a user not listed in the 'hgpushers' group in AuthGroupFile (jdoe2 in the above config case). As a test, I also modified Require to check against a non-existent group 'poopy' and my authenticated user is still authorized for 'push' operations. It seems to me that the configuration for LimitExcept as I have it is not being honored. Every change to the config at any level is followed by a restart of the daemon to apply it.

Logging shows the 'hg push' operation concluding with POST requests; I believe these should be denied.

    [04/Aug/2011:14:51:04 -0700] 10.8.209.142 TLSv1 DHE-RSA-AES256-SHA "GET /hg/main?pairs=0000000000000000000000000000000000000000-0000000000000000000000000000000000000000&cmd=between HTTP/1.1" 1
    [04/Aug/2011:14:51:04 -0700] 10.8.209.142 TLSv1 DHE-RSA-AES256-SHA "GET /hg/main?cmd=capabilities HTTP/1.1" 495
    [04/Aug/2011:14:51:04 -0700] 10.8.209.142 TLSv1 DHE-RSA-AES256-SHA "GET /hg/main?cmd=capabilities HTTP/1.1" 130
    [04/Aug/2011:14:51:04 -0700] 10.8.209.142 TLSv1 DHE-RSA-AES256-SHA "GET /hg/main?cmd=heads HTTP/1.1" 495
    [04/Aug/2011:14:51:04 -0700] 10.8.209.142 TLSv1 DHE-RSA-AES256-SHA "GET /hg/main?cmd=heads HTTP/1.1" 41
    [04/Aug/2011:14:51:04 -0700] 10.8.209.142 TLSv1 DHE-RSA-AES256-SHA "GET /hg/main?cmd=branchmap HTTP/1.1" 495
    [04/Aug/2011:14:51:04 -0700] 10.8.209.142 TLSv1 DHE-RSA-AES256-SHA "GET /hg/main?cmd=branchmap HTTP/1.1" 48
    [04/Aug/2011:14:51:04 -0700] 10.8.209.142 TLSv1 DHE-RSA-AES256-SHA "POST /hg/main?cmd=unbundle&heads=131dc47de7e0812281c3547f6d65f3de3ab4f5fd HTTP/1.1" 495
    [04/Aug/2011:14:51:04 -0700] 10.8.209.142 TLSv1 DHE-RSA-AES256-SHA "POST /hg/main?cmd=unbundle&heads=131dc47de7e0812281c3547f6d65f3de3ab4f5fd HTTP/1.1" 102

    # httpd -V
    Server version: Apache/2.2.3
    Server built:   Jan 21 2009 20:31:52
    Server's Module Magic Number: 20051115:3
    Server loaded:  APR 1.2.7, APR-Util 1.2.7
    Compiled using: APR 1.2.7, APR-Util 1.2.7
    Architecture:   64-bit
    Server MPM:     Prefork
      threaded:     no
        forked:     yes (variable process count)
    Server compiled with....
     -D APACHE_MPM_DIR="server/mpm/prefork"
     -D APR_HAS_SENDFILE
     -D APR_HAS_MMAP
     -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
     -D APR_USE_SYSVSEM_SERIALIZE
     -D APR_USE_PTHREAD_SERIALIZE
     -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
     -D APR_HAS_OTHER_CHILD
     -D AP_HAVE_RELIABLE_PIPED_LOGS
     -D DYNAMIC_MODULE_LIMIT=128
     -D HTTPD_ROOT="/etc/httpd"
     -D SUEXEC_BIN="/usr/sbin/suexec"
     -D DEFAULT_PIDLOG="logs/httpd.pid"
     -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
     -D DEFAULT_LOCKFILE="logs/accept.lock"
     -D DEFAULT_ERRORLOG="logs/error_log"
     -D AP_TYPES_CONFIG_FILE="conf/mime.types"
     -D SERVER_CONFIG_FILE="conf/httpd.conf"

    # httpd -l
    Compiled in modules:
      core.c
      prefork.c
      http_core.c
      mod_so.c

    # httpd -M
    Loaded Modules:
     core_module (static)
     mpm_prefork_module (static)
     http_module (static)
     so_module (static)
     auth_basic_module (shared)
     auth_digest_module (shared)
     authn_file_module (shared)
     authn_alias_module (shared)
     authn_anon_module (shared)
     authn_dbm_module (shared)
     authn_default_module (shared)
     authz_host_module (shared)
     authz_user_module (shared)
     authz_owner_module (shared)
     authz_groupfile_module (shared)
     authz_dbm_module (shared)
     authz_default_module (shared)
     ldap_module (shared)
     authnz_ldap_module (shared)
     include_module (shared)
     log_config_module (shared)
     logio_module (shared)
     env_module (shared)
     ext_filter_module (shared)
     mime_magic_module (shared)
     expires_module (shared)
     deflate_module (shared)
     headers_module (shared)
     usertrack_module (shared)
     setenvif_module (shared)
     mime_module (shared)
     dav_module (shared)
     status_module (shared)
     autoindex_module (shared)
     info_module (shared)
     dav_fs_module (shared)
     vhost_alias_module (shared)
     negotiation_module (shared)
     dir_module (shared)
     actions_module (shared)
     speling_module (shared)
     userdir_module (shared)
     alias_module (shared)
     rewrite_module (shared)
     proxy_module (shared)
     proxy_balancer_module (shared)
     proxy_ftp_module (shared)
     proxy_http_module (shared)
     proxy_connect_module (shared)
     cache_module (shared)
     suexec_module (shared)
     disk_cache_module (shared)
     file_cache_module (shared)
     mem_cache_module (shared)
     cgi_module (shared)
     version_module (shared)
     authz_ldap_module (shared)
     perl_module (shared)
     php5_module (shared)
     proxy_ajp_module (shared)
     wsgi_module (shared)
     ssl_module (shared)
    Syntax OK

-- 
Darren Spruell
phatbuckett@xxxxxxxxx
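The Location block below is an added example, not part of Darren's post or of the Mercurial wiki page he links: in Apache 2.2 a `Require valid-user` placed outside any `<Limit>` applies to every HTTP method, and mod_authz_user (loaded before mod_authz_groupfile in the `httpd -M` output above) can authorize the request on that rule alone, so the `Require group` inside `<LimitExcept GET>` never gets to refuse the POST that carries the push. Scoping the valid-user rule to `<Limit GET>` leaves the group rule as the only one that applies to POST. It reuses the `/hg` path, `hgpushers` group and LDAP directives from the post and assumes nothing else in the VirtualHost changes.

```apache
# Added example: method-scoped authorization for a Mercurial repo on Apache 2.2.
# Assumes the same /hg location, LDAP settings and group file as in the post.
<Location /hg>
    WSGIProcessGroup hg
    AuthType Basic
    AuthName "Mercurial LDAP Auth"
    AuthBasicProvider ldap
    AuthLDAPURL [redacted]
    AuthLDAPBindDN [redacted]
    AuthLDAPBindPassword [redacted]
    # Off so the group-file check below is what decides, not mod_authnz_ldap.
    AuthzLDAPAuthoritative Off
    AuthGroupFile /etc/httpd/auth/groups

    # Read-only operations (clone/pull: between, capabilities, heads,
    # branchmap ...) arrive as GET. Any authenticated user may do these.
    # Because this Require is inside <Limit GET>, it is NOT consulted for POST.
    <Limit GET>
        Require valid-user
    </Limit>

    # Push (cmd=unbundle) arrives as POST. With valid-user scoped to GET,
    # this group rule is the only one that applies, so users outside
    # hgpushers (jdoe2 in the post) are refused instead of being let through.
    <LimitExcept GET>
        Require group hgpushers
    </LimitExcept>
</Location>
```

After a restart, a POST to /hg/main?cmd=unbundle authenticated as a user who is not in hgpushers should now be refused, while the same user's GET requests still succeed; an `hg push` by jdoe should still complete.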