Greetings,
I have configuration that is not behaving as I'm assuming it should -
suspect I'm missing a critical detail.
I am using the following setup in a VirtualHost to protect access to a
Mercurial web repo:
<Location /hg>
WSGIProcessGroup hg
AuthType Basic
AuthName "Mercurial LDAP Auth"
AuthBasicProvider ldap
# For AD LDAPS support, requires LDAPVerifyServerCert to be
disabled up above.
AuthLDAPURL [redacted]
AuthLDAPBindDN [redacted]
AuthLDAPBindPassword [redacted]
# Must be off to honor valid-user as "fallback" authorization
AuthzLDAPAuthoritative Off
Require valid-user
AuthGroupFile /etc/httpd/auth/groups
<LimitExcept GET>
#Require group hgpushers
Require group poopy
</LimitExcept>
</Location>
## /etc/httpd/auth/groups
# Authorized to perform Mercurial push operations
#hgpushers: jdoe jdoe2
hgpushers: jdoe
Authentication against LDAP works correctly. Authorization to
'valid-user' works correctly in the normal case. My goal is to use
LimitExcept to restrict Mercurial 'push' operations to members of an
authorized group; this can be done by evaluation of the HTTP methods
as described at
http://mercurial.selenic.com/wiki/PublishingRepositories#Configuring_Apache.
For everything I've tried though, I can still perform push operations
when authenticating as a user not listed in the 'hgpushers' group in
AuthGroupFile (jdoe2 in the above config case). As a test, I also
modified Require to check against a non-existent group 'poopy' and my
authenticated user is still authorized for 'push' operations. it seems
to me that the configuration for LimitExcept as I have is not being
honored. Every change to config at any level is followed by restart of
daemon to apply.
Logging shows the 'hg push' operation concluding with POST requests; I
believe these should be denied.
[04/Aug/2011:14:51:04 -0700] 10.8.209.142 TLSv1 DHE-RSA-AES256-SHA
"GET /hg/main?pairs=0000000000000000000000000000000000000000-0000000000000000000000000000000000000000&cmd=between
HTTP/1.1" 1
[04/Aug/2011:14:51:04 -0700] 10.8.209.142 TLSv1 DHE-RSA-AES256-SHA
"GET /hg/main?cmd=capabilities HTTP/1.1" 495
[04/Aug/2011:14:51:04 -0700] 10.8.209.142 TLSv1 DHE-RSA-AES256-SHA
"GET /hg/main?cmd=capabilities HTTP/1.1" 130
[04/Aug/2011:14:51:04 -0700] 10.8.209.142 TLSv1 DHE-RSA-AES256-SHA
"GET /hg/main?cmd=heads HTTP/1.1" 495
[04/Aug/2011:14:51:04 -0700] 10.8.209.142 TLSv1 DHE-RSA-AES256-SHA
"GET /hg/main?cmd=heads HTTP/1.1" 41
[04/Aug/2011:14:51:04 -0700] 10.8.209.142 TLSv1 DHE-RSA-AES256-SHA
"GET /hg/main?cmd=branchmap HTTP/1.1" 495
[04/Aug/2011:14:51:04 -0700] 10.8.209.142 TLSv1 DHE-RSA-AES256-SHA
"GET /hg/main?cmd=branchmap HTTP/1.1" 48
[04/Aug/2011:14:51:04 -0700] 10.8.209.142 TLSv1 DHE-RSA-AES256-SHA
"POST /hg/main?cmd=unbundle&heads=131dc47de7e0812281c3547f6d65f3de3ab4f5fd
HTTP/1.1" 495
[04/Aug/2011:14:51:04 -0700] 10.8.209.142 TLSv1 DHE-RSA-AES256-SHA
"POST /hg/main?cmd=unbundle&heads=131dc47de7e0812281c3547f6d65f3de3ab4f5fd
HTTP/1.1" 102
# httpd -V
Server version: Apache/2.2.3
Server built: Jan 21 2009 20:31:52
Server's Module Magic Number: 20051115:3
Server loaded: APR 1.2.7, APR-Util 1.2.7
Compiled using: APR 1.2.7, APR-Util 1.2.7
Architecture: 64-bit
Server MPM: Prefork
threaded: no
forked: yes (variable process count)
Server compiled with....
-D APACHE_MPM_DIR="server/mpm/prefork"
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=128
-D HTTPD_ROOT="/etc/httpd"
-D SUEXEC_BIN="/usr/sbin/suexec"
-D DEFAULT_PIDLOG="logs/httpd.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_LOCKFILE="logs/accept.lock"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="conf/mime.types"
-D SERVER_CONFIG_FILE="conf/httpd.conf"
# httpd -l
Compiled in modules:
core.c
prefork.c
http_core.c
mod_so.c
# httpd -M
Loaded Modules:
core_module (static)
mpm_prefork_module (static)
http_module (static)
so_module (static)
auth_basic_module (shared)
auth_digest_module (shared)
authn_file_module (shared)
authn_alias_module (shared)
authn_anon_module (shared)
authn_dbm_module (shared)
authn_default_module (shared)
authz_host_module (shared)
authz_user_module (shared)
authz_owner_module (shared)
authz_groupfile_module (shared)
authz_dbm_module (shared)
authz_default_module (shared)
ldap_module (shared)
authnz_ldap_module (shared)
include_module (shared)
log_config_module (shared)
logio_module (shared)
env_module (shared)
ext_filter_module (shared)
mime_magic_module (shared)
expires_module (shared)
deflate_module (shared)
headers_module (shared)
usertrack_module (shared)
setenvif_module (shared)
mime_module (shared)
dav_module (shared)
status_module (shared)
autoindex_module (shared)
info_module (shared)
dav_fs_module (shared)
vhost_alias_module (shared)
negotiation_module (shared)
dir_module (shared)
actions_module (shared)
speling_module (shared)
userdir_module (shared)
alias_module (shared)
rewrite_module (shared)
proxy_module (shared)
proxy_balancer_module (shared)
proxy_ftp_module (shared)
proxy_http_module (shared)
proxy_connect_module (shared)
cache_module (shared)
suexec_module (shared)
disk_cache_module (shared)
file_cache_module (shared)
mem_cache_module (shared)
cgi_module (shared)
version_module (shared)
authz_ldap_module (shared)
perl_module (shared)
php5_module (shared)
proxy_ajp_module (shared)
wsgi_module (shared)
ssl_module (shared)
Syntax OK
--
Darren Spruell
phatbuckett@xxxxxxxxx
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
" from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|