Re: Require dbd-group not accepting users belonging to multiple groups

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Sorry about that. I just noticed that this has already been posted as bug# 46421. The posted fix solves the issue.

Regards,
-bill

paredes wrote:
Greetings!

In testing mod_authz_dbd it seems that the if a user is a member of a *single* group the following Authz directives work properly:

Require dbd-group faculty
AuthDBDUserPWQuery "SELECT pw FROM auth where user =%"
AuthzDBDQuery "SELECT grp FROM groups WHERE user = %

However, when the user is a member of *multiple* groups [faculty & staff] the Authz directives always fail returning an access denied:

Require dbd-group faculty staff dean alumni
AuthDBDUserPWQuery "SELECT pw FROM auth where user =%"
AuthzDBDQuery "SELECT grp FROM groups WHERE user = %

[likewise this also doesn't work]

Require dbd-group faculty staff dean alumni
AuthDBDUserPWQuery "SELECT pw FROM auth where user =%"
AuthzDBDQuery "SELECT grp FROM groups WHERE user = % AND (grp = 'faculty' OR grp ='staff'')"

[I'm using the following in my httpd.conf]
DBDDriver mysql
DBDParams "host=localhost  dbname=dbase  user=xxx  pass=xxx"
DBDMin 1
DBDKeep 2
DBDMax 10
DBDExptime 60
<directory /usr/local/apache2/htdocs/grouptest>
AllowOverride none
AuthType basic
AuthName "Mysql Groups"
AuthBasicProvider dbd
AuthUserFile /dev/null

plus any one of the above sets of directives
</directory>

* It could be that authz is working as intended - one user can only belong to one group?

* Apache logs set to debug just returns "user is denied access to /grouptest"
* The mysgl.logs display the prepared sql statements
* I'm using a new build of apr-1.3.3 & apr-util-1.3.4
* I'm using mod_authz_dbd.c & mod_authz_dbd.h found at: http://people.apache.org/~niq
* I'm using apache 2.2.11;   mysql 5.1.31;   OSX 10.5.6

Thanks for your help,
-bill


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx


[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux