Posted to dev@httpd.apache.org by Brad Nicholes <BN...@novell.com> on 2005/08/30 17:01:28 UTC
Re: Conflict in authorization types among various authz modules...
Are there any comments on this? If not then I would like to make the type name changes in trunk and then push them back into the 2.2 branch. I don't consider this a show-stopper for the 2.1.7-beta candidate but the conflict does need to be resolved before 2.2 is released.
Brad
>>> On Friday, August 26, 2005 at 9:44:31 am, in message
<43...@novell.com>, BNICHOLES@novell.com wrote:
> I am looking for comments from those who helped to implement the
> refactored authentication model and those who helped restructure the
> authentication modules.
>
> One of the problems that I discovered while working on the
> restructuring of the authnz_ldap module was the name space for the
> authorization types. I found that the 2.0 version of mod_auth_ldap
> implemented authorization types such as "valid-user", "user" and
> "group". After creating mod_authnz_ldap and restructuring the ldap
> authorization types, I found that using these authorization type names
> conflicted with mod_authz_user and mod_authz_groupfile. Meaning that if
> mod_authnz_ldap was loaded alongside mod_authz_user or
> mod_authz_groupfile, the authorization module that actually attempted to
> handle authorization was at the mercy of the module load order and in
> most cases was wrong. In other words, the following configuration would
> not be able to accurately determine which authz module should be
> handling authorization.
>
> LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
> LoadModule authz_user_module modules/mod_authz_user.so
>
> <Directory ...>
> ...
> require user bnicholes
> </Directory>
>
> To resolve this issue I prefixed the ldap authorization types with
> "ldap-".
>
> Looking through the authorization types for the other authz modules
> I noticed that there are other similar conflicts.
>
> mod_authz_dbm        file-group, group
> mod_authz_groupfile  file-group, group
> mod_authz_owner      file-group
>
> I would propose that the following renaming or elimination of types
> should be done before Apache 2.2 is released in order to resolve the
> conflicts:
>
> mod_authz_dbm        dbm-group
> mod_authz_groupfile  group
> mod_authz_owner      file-group
>
>
> Comments?
>
> Brad
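Added example (not part of the thread or of httpd): a small configuration check that flags any "require" type claimed by more than one loaded authz module, using the type names listed in the message above. The function names, the placeholder directory path and the mod_authz_user entry (inferred from the names the message says it conflicts on) are assumptions; the "ldap-" prefix is not modelled.

```python
import re
from collections import defaultdict

# Types per module before the renames, as listed in the message.
# The mod_authz_user entry is an assumption (see lead-in).
TYPES_BEFORE = {
    "mod_authnz_ldap": {"valid-user", "user", "group"},
    "mod_authz_user": {"valid-user", "user"},
    "mod_authz_groupfile": {"file-group", "group"},
    "mod_authz_dbm": {"file-group", "group"},
    "mod_authz_owner": {"file-group"},
}
# Names proposed in the message for the three file/dbm modules.
TYPES_AFTER = {
    "mod_authz_dbm": {"dbm-group"},
    "mod_authz_groupfile": {"group"},
    "mod_authz_owner": {"file-group"},
}
LOAD_RE = re.compile(r"^\s*LoadModule\s+\S+\s+\S*?(mod_\w+)\.so\s*$", re.I)
REQUIRE_RE = re.compile(r"^\s*require\s+(\S+)", re.I)

def loaded_modules(config):
    """Return module names (mod_xxx) in LoadModule order."""
    return [m.group(1) for line in config.splitlines()
            if (m := LOAD_RE.match(line))]

def ambiguous_requires(config, type_map=TYPES_BEFORE):
    """Return {require type: [modules]} for every type used in the
    config that more than one loaded module claims."""
    claimants = defaultdict(list)
    for mod in loaded_modules(config):
        for rtype in sorted(type_map.get(mod, ())):
            claimants[rtype].append(mod)
    found = {}
    for line in config.splitlines():
        m = REQUIRE_RE.match(line)
        if m and len(claimants[m.group(1).lower()]) > 1:
            found[m.group(1).lower()] = claimants[m.group(1).lower()]
    return found

# Constructed sample: the configuration from the message, with the
# elided directory path replaced by a placeholder.
SAMPLE = """\
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule authz_user_module modules/mod_authz_user.so
<Directory "/placeholder">
    require user bnicholes
</Directory>
"""
if __name__ == "__main__":
    for rtype, mods in ambiguous_requires(SAMPLE).items():
        print(f"require {rtype}: claimed by {', '.join(mods)}")
```

Passing TYPES_AFTER as type_map shows that a "require group" line with the dbm, groupfile and owner modules all loaded is no longer ambiguous under the proposed names.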
Re: Conflict in authorization types among various authz modules...
Posted by Graham Leggett <mi...@sharp.fm>.
Brad Nicholes wrote:
> Are there any comments on this? If not then I would like
> to make the type name changes in trunk and then push them back
> into the 2.2 branch. I don't consider this a show-stopper for
> the 2.1.7-beta candidate but the conflict does need to be
> resolved before 2.2 is released.
+1.
Regards,
Graham
--