mod-auth-sys-group

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello,

I was facing a problem with the mod-auth-sys-group apache module which comes with mod-auth-pam :

I wanted to set up a restriction access to a SVN repository based on group membership OR given user. The problem was that the module keeps saying  "GROUP: XXX not in required group(s).", even if the user match the require user directive.

 

To be clear, here is a configuration file :

 

        <Location /svn/repo>

                        DAV svn

                        SVNPath /srv/svn/repos/repo

                        SVNListParentPath Off

 

                        Options FollowSymLinks

                        AuthName "Please authenticate"

                        AuthPAM_Enabled on

                        AuthPAM_FallThrough on

                        AuthBasicAuthoritative off

                        AuthGROUP_Enabled on

                        AuthGROUP_FallThrough on

                        AuthUserFile /dev/null

                        AuthType Basic

                        Require group "some group"

                        Require user "some.user"

        </Location>

 

And I want the access to be granted if the user is in specified group(s) OR if the user is listed…

 

I found the solution by patching the module. In comments it is said (mod_auth_sys_group.c) :

typedef struct {

  int

    fall_through,       /* 1 to DECLINE instead of HTTP_UNAUTHORIZEDif we

                           can't find the username in a group.

                           (default to 0) */

    enabled;            /* 1 to use mod_auth_sys_group, 0 otherwise

                          (defaults to 1) */

} auth_sys_group_dir_config;

 

But the fall_through is never used. So I changed the end of the sys_group_check_auth function :

 

  if(conf->fall_through == 0)

  {

    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "GROUP: %s not in required group(s).",r->user);

 

    ap_note_basic_auth_failure (r);

    return HTTP_UNAUTHORIZED;

  } else

  {

    return DECLINED;

  }

 

And everything works as expected !

 

Regards

 

Julien PILLON

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list

[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux