You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by "Dirk.vanGulik" <Di...@jrc.it> on 1997/06/21 12:31:46 UTC

Another one for the FAQ

I've been going to a three days worth of email support for
mod_auth_msql, anon, etc, so here is another repeating
one for the FAQ.

Dw.
 

<LI><A NAME="checkuser">
      <STRONG>My authentifcation gives me a server error?</STRONG>
     </A>
  <P>
  Under normal circumstances, the apache access control modules
  will pass unrecognized userid-s on to the next access control
  module in line. Only if the userid is recorgnized, the password
  is validated and a Ok/Denied is given.
  </p>
  <p>
  However if the last access module in line also 'declines' the
  validation request (because it has never heard of the user-id
  or because it is not configured) the http_request handler will 
  give one of the following, confusing, errors:
  <UL>
    <li> <code>check access</code>
    <li> <code>check user.  No user file? </code>
    <li> <code>check access.  No groups file? </code>
  </ul> 
  This does not mean that you have to add a 'AuthUserFile /dev/null'
  line as some magazines suggest !
  </p>
  <p>
  The solution is to ensure that at least the last module is authoritative
  and <b>CONFIGURED</b>. By default <code>mod_auth</code> is authoritative
  and will give an OK/Denied, but only if it is configured with the proper
  AuthUserFile. Likewise if a valid group is required.
  </P>
  <p>
  A typical situation for this error is when you are using the mod_auth_dbm,
  mod_auth_msql, mod_auth_mysql, mod_auth_anon or mod_auth_cookie on their own. 
  These are by default <b>not</b> authoritative, and this will pass the buck on 
  to the (non-existent) next authentification module when the user ID is not in 
  their respective database. Just add the appropriate 'XXXAuthoritative yes' line
  to the configuration.
  </p>
  <p>
  In general it is a good idea (though not terribly efficient) to have the file 
  based mod_auth a module of last resort. This allows you to access the web
  server with a few special passwords even if the databases are down or corrupted.
  This does cost a file-open/seek/close for each request in a protected area.
  </p>