Posted to dev@httpd.apache.org by Brad Nicholes <BN...@novell.com> on 2005/08/26 17:44:31 UTC

Conflict in authorization types among various authz modules...

   I am looking for comments from those who helped to implement the
refactored authentication model and those who helped restructure the
authentication modules.  

   One of the problems that I discovered while working on the
restructuring of the authnz_ldap module was the name space for the
authorization types.  I found that the 2.0 version of mod_auth_ldap
implemented authorization types such as "valid-user", "user" and
"group".  After creating mod_authnz_ldap and restructuring the ldap
authorization types, I found that using these authorization type names
conflicted with mod_authz_user and mod_authz_groupfile.  Meaning that if
mod_authnz_ldap was loaded alongside mod_authz_user or
mod_authz_groupfile, the authorization module that actually attempted to
handle authorization was at the mercy of the module load order and in
most cases was wrong.  In other words, the following configuration would
not be able to accurately determine which authz module should be
handling authorization. 

LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule authz_user_module modules/mod_authz_user.so

<Directory ...>
...
require user bnicholes
</Directory>

To resolve this issue I prefixed the ldap authorization types with
"ldap-".  

   Looking through the authorization types for the other authz modules
I noticed that there are other similar conflicts.

mod_authz_dbm           file-group, group
mod_authz_groupfile     file-group, group
mod_authz_owner         file-group

I would propose that the following renaming or elimination of types
should be done before Apache 2.2 is released in order to resolve the
conflicts:

mod_authz_dbm           dbm-group
mod_authz_groupfile     group
mod_authz_owner         file-group


Comments?

Brad
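
The load-order ambiguity described in the message above can be checked mechanically. The following is an added example, not part of the original post or of httpd: it flags every Require line whose type is claimed by more than one loaded module. The type tables reproduce the lists in the message; the types for mod_authz_user, the two "ldap-" names, the function names and the Directory path are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Authorization types per module before the proposed renaming (from the message).
# Assumption: mod_authz_user claims "user" and "valid-user".
BEFORE = {
    "authnz_ldap_module": {"valid-user", "user", "group"},
    "authz_user_module": {"user", "valid-user"},
    "authz_groupfile_module": {"file-group", "group"},
    "authz_dbm_module": {"file-group", "group"},
    "authz_owner_module": {"file-group"},
}
# After the renaming. Assumption: "ldap-" prefix applied to "user" and "group".
AFTER = {
    "authnz_ldap_module": {"ldap-user", "ldap-group"},
    "authz_user_module": {"user", "valid-user"},
    "authz_groupfile_module": {"group"},
    "authz_dbm_module": {"dbm-group"},
    "authz_owner_module": {"file-group"},
}
# Constructed sample, modelled on the configuration in the message.
SAMPLE_CONF = """\
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule authz_user_module modules/mod_authz_user.so
<Directory /srv/example>
require user bnicholes
</Directory>
"""
LOAD_RE = re.compile(r"^\s*LoadModule\s+(\S+)\s+\S+", re.I)
REQUIRE_RE = re.compile(r"^\s*Require\s+(\S+)", re.I)

def collisions(types):
    """Map each authorization type to the modules claiming it, if more than one."""
    claimed = defaultdict(list)
    for module, names in types.items():
        for name in names:
            claimed[name].append(module)
    return {n: sorted(m) for n, m in claimed.items() if len(m) > 1}

def ambiguous_requires(conf, types):
    """Return (line_no, type, modules) for each Require whose type is claimed
    by more than one loaded module, so the outcome depends on load order."""
    lines = conf.splitlines()
    loaded = [m.group(1) for l in lines if (m := LOAD_RE.match(l))]
    findings = []
    for no, line in enumerate(lines, 1):
        m = REQUIRE_RE.match(line)
        if m:
            owners = [mod for mod in loaded if m.group(1) in types.get(mod, ())]
            if len(owners) > 1:
                findings.append((no, m.group(1), owners))
    return findings
```

With the BEFORE table the sample's "require user" line is reported with both modules as claimants; with the AFTER table nothing is reported and collisions(AFTER) is empty.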

Re: Conflict in authorization types among various authz modules...

Posted by Graham Leggett <mi...@sharp.fm>.
Brad Nicholes wrote:

> Are there any comments on this?  If not then I would like
> to make the type name changes in trunk and then push them back
> into the 2.2 branch.  I don't consider this a show-stopper for
> the 2.1.7-beta candidate but the conflict does need to be
> resolved before 2.2 is released.

+1.

Regards,
Graham
--

Re: Conflict in authorization types among various authz modules...

Posted by Brad Nicholes <BN...@novell.com>.
   Are there any comments on this?  If not then I would like to make the type name changes in trunk and then push them back into the 2.2 branch.  I don't consider this a show-stopper for the 2.1.7-beta candidate but the conflict does need to be resolved before 2.2 is released.

Brad   

>>> On Friday, August 26, 2005 at 9:44:31 am, in message
<43...@novell.com>, BNICHOLES@novell.com wrote:
> I am looking for comments from those who helped to implement the
> refactored authentication model and those who helped restructure the
> authentication modules.  
> 
>    One of the problems that I discovered while working on the
> restructuring of the authnz_ldap module was the name space for the
> authorization types.  I found that the 2.0 version of mod_auth_ldap
> implemented authorization types such as "valid-user", "user" and
> "group".  After creating mod_authnz_ldap and restructuring the ldap
> authorization types, I found that using these authorization type names
> conflicted with mod_authz_user and mod_authz_groupfile.  Meaning that if
> mod_authnz_ldap was loaded alongside mod_authz_user or
> mod_authz_groupfile, the authorization module that actually attempted to
> handle authorization was at the mercy of the module load order and in
> most cases was wrong.  In other words, the following configuration would
> not be able to accurately determine which authz module should be
> handling authorization. 
> 
> LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
> LoadModule authz_user_module modules/mod_authz_user.so
> 
> <Directory ...>
> ...
> require user bnicholes
> </Directory>
> 
> To resolve this issue I prefixed the ldap authorization types with
> "ldap-".  
> 
>    Looking through the authorization types for the other authz modules
> I noticed that there are other similar conflicts.
> 
> mod_authz_dbm           file-group, group
> mod_authz_groupfile     file-group, group
> mod_authz_owner         file-group
> 
> I would propose that the following renaming or elimination of types
> should be done before Apache 2.2 is released in order to resolve the
> conflicts:
> 
> mod_authz_dbm           dbm-group
> mod_authz_groupfile     group
> mod_authz_owner         file-group
> 
> 
> Comments?
> 
> Brad