Re: Apache authentication - require group AND (not OR) user

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On 8/16/2012 11:28 AM, Ben Johnson wrote:
> 
> 
>> On 8/15/2012 7:45 AM, Rainer Jung wrote:
>> You might be looking for the RequireAny and RequireAll container
>> directives:
>>
>> http://httpd.apache.org/docs/2.4/en/mod/mod_authz_core.html#requireall
>>
>> See also
>>
>> httpd.apache.org/docs/2.4/en/mod/mod_authz_core.html#requireall
>>
>> and finally the How To
>>
>> http://httpd.apache.org/docs/2.4/en/howto/auth.html
>>
>> Regards,
>>
>> Rainer
> 
> Thanks, Rainer! This is exactly what I was looking for: the ability to
> implement complex authorization containers.
> 
> That said, as I explained in my reply to Hugh (on this same subject), it
> seems that the AuthzSVN module (and the directives defined in
> AuthzSVNAccessFile) is taking precedence over Basic authorization
> module. I found the following excerpt at
> http://www.csparks.com/Subversion.xhtml :
> 
> "The Satisfy Any directive tells Apache to allow access if either the
> Allow directive is satisfied or one of the Auth modules is satified. The
> "Allow from all" is always satisfied. But we have two Auth modules:
> AuthzSVN and AuthDigest. In this case AuthzSVN will look into the
> svnusers.conf file. If no user name is required for the requested
> resource, no prompt for authentication will occur. But if a username is
> required, the AuthDigest module will come into play and prompt for
> credentials. The authorized name is allowed to do whatever the
> AuthzSVNAccessFile permits."
> 
> This statement seems consistent with the observed behavior. And it bears
> mention that in my example directives (and those at the above-cited
> resource), "require" directives come before the "AuthzSVNAccessFile"
> directive, which seems to indicate that the order is irrelevant.
> 
> Do you have any experience or advice in this regard?
> 
> Basically, I am trying to determine how much of the access control
> should be done in the <Location></Location> block and how much of it
> should be done in the AuthzSVNAccessFile. My primary concern is that we
> have dozens of SVN repositories and I don't want to have to define the
> "[groups]" for every single repository when the groups are the same for
> all of them.

I should add that I don't want to have to define every single
repository, and permissions for their attendant paths, in the
AuthzSVNAccessFile, either.

> In fact, I would prefer to use a single AuthzSVNAccessFile that has some
> very basic rules and handle all other aspects of access control in the
> Location blocks in which each repository is defined.
> 
> Does this make any sense at all?

After more digging, I realize that I'm not the only one who has raised
this issue:

http://www.svnforum.org/threads/37237-AuthzSVNAccessFile-Require-ldap-group

To quote "Tubaman":

"However, it still seems a shame that the Require ldap-group directive
cannot be usefully used to restrict valid users in conjunction with a
more permissive AuthzSVNAccessFile (which knows nothing about the LDAP
groups). Does anyone know if some sort of priority setting is planned
for future releases that would enable this behaviour? Or is it actually
a bug or feature that could be mentioned in the documentation?"

This statement, and the lack of a response, confirms that it is not
possible to implement meaningful authentication requirements, via the
"Require" family of configuration directives, when at the same time
using the AuthzSVNAccessFile directive.

This fact is disappointing, but perfectly understandable, given the
complexity of these systems.

I just wanted to be sure that my request wasn't possible before
accepting that there will be redundancy across numerous
AuthzSVNAccessFile files.

> Thanks again,
> 
> -Ben

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx



[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux