


I was facing a problem with the mod-auth-sys-group Apache module, which comes with mod-auth-pam:

I wanted to set up an access restriction on an SVN repository based on group membership OR a given user. The problem was that the module kept saying "GROUP: XXX not in required group(s).", even if the user matched the Require user directive.


To be clear, here is the configuration file:


        <Location /svn/repo>
                DAV svn
                SVNPath /srv/svn/repos/repo
                SVNListParentPath Off

                Options FollowSymLinks
                AuthName "Please authenticate"
                AuthPAM_Enabled on
                AuthPAM_FallThrough on
                AuthBasicAuthoritative off
                AuthGROUP_Enabled on
                AuthGROUP_FallThrough on
                AuthUserFile /dev/null
                AuthType Basic
                Require group "some group"
                Require user "some.user"
        </Location>


And I want the access to be granted if the user is in specified group(s) OR if the user is listed…


I found the solution by patching the module. The comments in mod_auth_sys_group.c say:

typedef struct {
  int
    fall_through,       /* 1 to DECLINE instead of HTTP_UNAUTHORIZED if we
                           can't find the username in a group.
                           (default to 0) */
    enabled;            /* 1 to use mod_auth_sys_group, 0 otherwise
                           (defaults to 1) */
} auth_sys_group_dir_config;


But fall_through is never used. So I changed the end of the sys_group_check_auth function:


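  if(conf->fall_through == 0)
  {
    /* fall_through off: log the failure and reject the request here */
    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "GROUP: %s not in required group(s).",r->user);
    ap_note_basic_auth_failure (r);
    return HTTP_UNAUTHORIZED;
  } else
    /* fall_through on: decline so that other modules can decide */
    return DECLINED;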



And everything works as expected!





Pam-list mailing list
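
A simplified model of the behaviour described in the post, added here as an example and not taken from the post or from mod_auth_sys_group: authorization checkers run in order, and the first one that does not return DECLINED decides the request. The `struct request`, `user_checker`, `authorize` and `check` names, the checker order, and the rule that a request is denied when every checker declines are assumptions of this sketch.

```c
#include <string.h>

/* Status names and values as used by Apache httpd. */
enum { OK = 0, DECLINED = -1, HTTP_UNAUTHORIZED = 401 };

struct request {
    const char *user;         /* authenticated user name */
    int in_required_group;    /* result of the system group lookup (constructed) */
    int fall_through;         /* AuthGROUP_FallThrough */
    const char *require_user; /* name given to "Require user" */
};

typedef int (*checker_fn)(const struct request *);

/* Group checker: the end of sys_group_check_auth after the patch. */
static int group_checker(const struct request *r)
{
    if (r->in_required_group)
        return OK;
    return r->fall_through ? DECLINED : HTTP_UNAUTHORIZED;
}

/* Hypothetical stand-in for the module that evaluates "Require user". */
static int user_checker(const struct request *r)
{
    if (r->require_user && strcmp(r->user, r->require_user) == 0)
        return OK;
    return HTTP_UNAUTHORIZED;
}

/* The first checker that does not decline decides the request. */
int authorize(const struct request *r)
{
    static const checker_fn chain[] = { group_checker, user_checker };
    for (size_t i = 0; i < sizeof chain / sizeof chain[0]; i++) {
        int rc = chain[i](r);
        if (rc != DECLINED)
            return rc;
    }
    return HTTP_UNAUTHORIZED; /* model assumption: nobody decided, so deny */
}

/* Helper for trying combinations against Require user "some.user". */
int check(const char *user, int in_group, int fall_through)
{
    struct request r = { user, in_group, fall_through, "some.user" };
    return authorize(&r);
}
```

With fall_through off, the listed user who is not in the group is rejected by the group checker before the user rule is consulted; with it on, a user who matches neither rule is still denied.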
