Re: Confusing (incorrect?) documentation for AuthzProviderAlias


 



On Sat, 3 Dec 2022 at 20:39, Eric Covener <covener@xxxxxxxxx> wrote:

Thanks for the speedy reply.

>
> On Sat, Dec 3, 2022 at 3:21 PM sebb <sebbaz@xxxxxxxxx> wrote:
> >
> > The documentation for AuthzProviderAlias [1] looks wrong.
> >
> > AFAICT including 'Require all granted' means that anyone can access
> > the directory.
> > This is borne out by my local testing.
>
> That is odd and should not be in the example, even in such a contrived one.

Should I raise a bug then?

> > If I remove the Require line, then httpd complains "AuthUserFile not
> > specified in the configuration". Presumably this is because auth is
> > now needed, but the config is incorrect.
> >
> > If I change AuthBasicProvider to ldap, it complains that AuthLDAPUrl is missing.
> >
> > This is a bit surprising, given that it is specified in the alias definition.
> > Also it's not at all obvious what URL should be used, given that the
> > two aliases use different URLs.
>
> AuthBasicProvider is used for authn, not authz, so it can't get
> configuration from an AuthzProviderAlias.
> If you're authenticating against LDAP, you need to provide a URL.

I see now, thanks.

> Authentication can occur against a file and Authorization against
> LDAP, but I think it's pretty rare (much less in the only example).
>
> > How is one supposed to use AuthzProviderAlias with LDAP auth?
>
> I don't know a ton about LDAP, but all of the combinations seem kind
> of contrived.  Maybe the best fix to the example is to use LDAP for
> authn, with an AuthLDAPURL, and call the "other" alias some kind of
> unusual 2nd LDAP server that has additional groups who might have the
> same DN from the authentication LDAP server in other groups.

It might be better to use an example of LDAP groups which use
different attributes for their members.

> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>
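The configuration discussed in this thread, as an added example that is not part of the original messages or of the httpd documentation: the weak form with `Require all granted` (commented out) beside a form that authenticates against LDAP and authorizes through the two aliases. Host names, DNs, passwords and paths are constructed placeholders, and the example assumes mod_auth_basic, mod_authz_core, mod_authnz_ldap and mod_ldap are loaded.

```apache
# Constructed example: host names, DNs, passwords and paths are placeholders.

# Authorization aliases: each carries its own LDAP settings, which are used
# only when the matching Require line is evaluated (authz, not authn).
<AuthzProviderAlias ldap-group ldap-group-alias1 "cn=my-group,o=ctx">
    AuthLDAPBindDN "cn=youruser,o=ctx"
    AuthLDAPBindPassword "placeholder-password-1"
    AuthLDAPUrl "ldap://ldap.example.com/o=ctx"
</AuthzProviderAlias>

# Assumption: this second server's group lists the same user DN that the
# authentication server returns for the logged-in user.
<AuthzProviderAlias ldap-group ldap-group-alias2 "cn=my-other-group,o=dev">
    AuthLDAPBindDN "cn=yourotheruser,o=dev"
    AuthLDAPBindPassword "placeholder-password-2"
    AuthLDAPUrl "ldap://other-ldap.example.com/o=dev?cn"
</AuthzProviderAlias>

# Weak form, kept commented out. Sibling Require lines that are not wrapped
# in <RequireAll> are ORed, so "Require all granted" alone satisfies
# authorization and the group checks never restrict anyone.
#
# <Directory "/webpages/secure">
#     Require all granted
#     AuthBasicProvider file
#     AuthType Basic
#     AuthName "LDAP_Protected_Place"
#     Require ldap-group-alias1
#     Require ldap-group-alias2
# </Directory>

# Corrected form: no blanket grant, and authentication has its own LDAP
# settings because AuthBasicProvider does not read the authz aliases.
<Directory "/webpages/secure">
    AuthType Basic
    AuthName "LDAP_Protected_Place"
    AuthBasicProvider ldap
    AuthLDAPUrl "ldap://ldap.example.com/o=ctx"
    AuthLDAPBindDN "cn=youruser,o=ctx"
    AuthLDAPBindPassword "placeholder-password-1"

    # Implied OR: membership in either aliased group is enough.
    Require ldap-group-alias1
    Require ldap-group-alias2
</Directory>
```

After replacing the placeholders, `apachectl configtest` checks the syntax; an unauthenticated request to the directory should then get a 401 rather than the content.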
