Hello,

I was facing a problem with the mod-auth-sys-group Apache module, which comes with mod-auth-pam: I wanted to set up an access restriction to an SVN repository based on group membership OR a given user.

The problem was that the module keeps saying "GROUP: XXX not in required group(s).", even if the user matches the Require user directive.

To be clear, here is a configuration file:

    <Location /svn/repo>
        DAV svn
        SVNPath /srv/svn/repos/repo
        SVNListParentPath Off
        Options FollowSymLinks
        AuthName "Please authenticate"
        AuthPAM_Enabled on
        AuthPAM_FallThrough on
        AuthBasicAuthoritative off
        AuthGROUP_Enabled on
        AuthGROUP_FallThrough on
        AuthUserFile /dev/null
        AuthType Basic
        Require group "some group"
        Require user "some.user"
    </Location>

And I want the access to be granted if the user is in the specified group(s) OR if the user is listed…

I found the solution by patching the module. In the comments it is said (mod_auth_sys_group.c):

    typedef struct {
        int fall_through, /* 1 to DECLINE instead of HTTP_UNAUTHORIZED
                             if we can't find the username in a group.
                             (default to 0) */
            enabled;      /* 1 to use mod_auth_sys_group, 0 otherwise
                             (defaults to 1) */
    } auth_sys_group_dir_config;

But the fall_through is never used. So I changed the end of the sys_group_check_auth function:

    if (conf->fall_through == 0) {
        /* authoritative: log the failure and refuse the request */
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                      "GROUP: %s not in required group(s).", r->user);
        ap_note_basic_auth_failure(r);
        return HTTP_UNAUTHORIZED;
    } else {
        /* fall through: leave the decision to the next module */
        return DECLINED;
    }

And everything works as expected!

Regards,
Julien PILLON
_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
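Added example, not part of the original message or of the module's source: a toy model of a run-first authorization hook chain, showing why an unused fall_through makes "Require group" always win over "Require user", and what DECLINED changes. The names struct req, check_group, check_user and run_chain are hypothetical, the request values are constructed, and refusing the request when every checker declines is an assumption of the model.

```c
/* Toy model of a run-first authorization hook chain (illustration only).
 * struct req, check_group, check_user and run_chain are hypothetical names. */
#include <stdio.h>
#include <string.h>

#define OK 0
#define DECLINED (-1)
#define HTTP_UNAUTHORIZED 401

struct req { const char *user; int in_group; };   /* constructed request */

/* Group checker: same decision as the patched tail of sys_group_check_auth. */
static int check_group(const struct req *r, int fall_through)
{
    if (r->in_group)
        return OK;
    return fall_through ? DECLINED : HTTP_UNAUTHORIZED;
}

/* Stand-in for a "Require user" checker; declines when no user is listed. */
static int check_user(const struct req *r, const char *allowed)
{
    if (allowed == NULL)
        return DECLINED;
    return strcmp(r->user, allowed) == 0 ? OK : HTTP_UNAUTHORIZED;
}

/* First non-DECLINED answer wins. Assumption of this model: if every
 * checker declines, the request is refused (fail closed). */
int run_chain(const struct req *r, int fall_through, const char *allowed)
{
    int rc = check_group(r, fall_through);
    if (rc == DECLINED)
        rc = check_user(r, allowed);
    return rc == DECLINED ? HTTP_UNAUTHORIZED : rc;
}

int main(void)
{
    struct req listed = { "some.user", 0 };        /* not in the group */
    printf("fall_through=0: %d\n", run_chain(&listed, 0, "some.user"));
    printf("fall_through=1: %d\n", run_chain(&listed, 1, "some.user"));
    return 0;
}
```

With fall-through enabled, the group checker no longer produces the denial itself, so the chain still has to end in a refusal for users that match neither rule.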