For the archives, should someone comes across this, the solution I found was to use mod_auth_env, which worked to set REMOTE_USER from a cookie value so AuthzDBDQuery could use that in the query. From my previous contrived example, it would look like: <IfModule mod_setenvif.c> SetEnvIf Cookie "PHPSESSID=([^ ;]+)" phpsessid=$1 </IfModule> <Directory "/whatever/"> <IfModule mod_auth_env.c> AuthType Env AuthEnvUser phpsessid < /IfModule> <RequireAll> Require env phpsessid Require dbd-group foo </RequireAll> # this now works, to set %s from PHPSESSID cookie: AuthzDBDQuery "SELECT 'foo' FROM sys_session WHERE session_id = %s" </Directory> On Mon, 2018-10-01 at 18:10 -0600, Jesse Norell wrote: > I'm still interested in any ideas to try to set REMOTE_USER from a > cookie value. > > > AuthBasicFake sounds like it would work, but when I use it authz_dbd > still complains: > > AH00027: No authentication done but request not allowed without > authentication for /whatever/file.txt. Authentication not > configured? > > Does that sound like a bug/deficiency in AuthBasicFake? Ie. it > appears it didn't 'fake' authentication enough for an authorization > module to think that it had been configured. > > > mod_auth_env looks like it would work, but isn't packaged for debian > so doesn't work well for my needs (creating a tutorial for users to > follow after they've installed apache & modules from debian > packages). > > This patch looks like just the ticket, but isn't included upstream so > of course the same source/packaging issue as with mod_auth_env: > https://github.com/jkbzh/apache2_mod_authz_dbd > > If I can't find any other way I might have to just use mod_auth_env > (assuming it will work) and provide instructions for how to build and > install the .deb file, but I'd sure rather use stock modules. > > Thanks! > Jesse > > > On Tue, 2018-09-25 at 14:54 -0600, Jesse Norell wrote: > > Hello, > > > > I'm trying to use an authz_dbd query to authorize based on the > > value > > of a cookie (ie. if PHPSESSID cookie is set, a db query can test if > > it > > should be authorized). It seems the only parameter AUTHzDBDQuery > > will > > supply to the sql query is the username in place of %s; this could > > work > > if I could set what REMOTE_USER should be prior to the query > > running, > > but I haven't found a way to do so. Eg. here the username for the > > query is from the auth provider (anon), the SetEnv doesn't the > > query: > > > > <Directory "/whatever/"> > > AuthName "Name" > > AuthType Basic > > AuthBasicProvider anon > > > > Anonymous_NoUserID on > > Anonymous_MustGiveEmail off > > Anonymous anonymous "*" > > > > SetEnvIf Cookie "PHPSESSID=([^ ]+)" REMOTE_USER=$1 > > > > Require dbd-group foo > > > > # this will work, for any username entered in the browser: > > #AuthzDBDQuery "SELECT 'foo' FROM sys_session" > > > > # this does not work to obtain %s from PHPSESSID: > > AuthzDBDQuery "SELECT 'foo' FROM sys_session WHERE session_id = > > %s" > > > > </Directory> > > > > I'm pretty sure I must convince apache to set a new REMOTE_USER > > (or > > httpd_username?) internal variable, not an environment variable, > > but > > I > > don't see how. If I don't specify any AuthType, or set it to None, > > the > > AuthzDBDQuery never runs and the error.log says it requires > > authentication but authentication is not set up. Any ideas are > > appreciated - thanks! > > > > I'm running 2.4.25-3+deb9u5 from debian stretch. > > > > Thanks, > > Jesse Norell > > -- Jesse Norell Kentec Communications, Inc. 970-522-8107 - www.kci.net --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx