You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by "Dirk.vanGulik" <Di...@jrc.it> on 1997/06/21 12:31:46 UTC
Another one for the FAQ
I've been going to a three days worth of email support for
mod_auth_msql, anon, etc, so here is another repeating
one for the FAQ.
Dw.
<LI><A NAME="checkuser">
<STRONG>My authentifcation gives me a server error?</STRONG>
</A>
<P>
Under normal circumstances, the apache access control modules
will pass unrecognized userid-s on to the next access control
module in line. Only if the userid is recorgnized, the password
is validated and a Ok/Denied is given.
</p>
<p>
However if the last access module in line also 'declines' the
validation request (because it has never heard of the user-id
or because it is not configured) the http_request handler will
give one of the following, confusing, errors:
<UL>
<li> <code>check access</code>
<li> <code>check user. No user file? </code>
<li> <code>check access. No groups file? </code>
</ul>
This does not mean that you have to add a 'AuthUserFile /dev/null'
line as some magazines suggest !
</p>
<p>
The solution is to ensure that at least the last module is authoritative
and <b>CONFIGURED</b>. By default <code>mod_auth</code> is authoritative
and will give an OK/Denied, but only if it is configured with the proper
AuthUserFile. Likewise if a valid group is required.
</P>
<p>
A typical situation for this error is when you are using the mod_auth_dbm,
mod_auth_msql, mod_auth_mysql, mod_auth_anon or mod_auth_cookie on their own.
These are by default <b>not</b> authoritative, and this will pass the buck on
to the (non-existent) next authentification module when the user ID is not in
their respective database. Just add the appropriate 'XXXAuthoritative yes' line
to the configuration.
</p>
<p>
In general it is a good idea (though not terribly efficient) to have the file
based mod_auth a module of last resort. This allows you to access the web
server with a few special passwords even if the databases are down or corrupted.
This does cost a file-open/seek/close for each request in a protected area.
</p>