You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Kyle Tucker <ky...@panix.com> on 2006/08/20 22:56:53 UTC

[users@httpd] Using both require user/group in .htaccess

Hi all,
        I've spent way more time on this than I thought it would
take, but I can't lick this one. Per this document I found on the
net (http://linux.dbw.org/articles/apache_userauth.html) I am
supposed to be able to use both require user and require groups
in one .htaccess file. But no matter what I try, the require user 
seems to override and the groups are ignored, order of directives
having no affect. This is Apache 2.2.0 on Fedora.

AuthName "Subdirectory Area Restricted Access"
AuthType Basic
AuthUserFile /etc/httpd/conf/htpasswd
AuthGroupFile /etc/httpd/conf/htgroup
require group testgrp
require user someuser

This .htaccess file is in a subdirectory of one covered by an Auth 
realm of the parent, but all credential prompting is for the Realm of 
the subdirectory. testgrp is definitely in /etc/httpd/conf/htgroup 
and its users including "kylet" are in /etc/httpd/conf/htpasswd along 
with "someuser".

Upon first access to these pages, I'm prompted for the correct 
subdirectory's realm, so I know it's using the .htaccess file, not 
the <Directory> parent's auth directives. And according to Apache's 
own docs, when a require group is present, it will check to see if a 
user is even in the group before asking for a password to check the 
user/htpasswd file. Given the behavior when both user and group are 
required, I have got to believe the group isn't even being looked at. 
It is not the order of the directives within the file as I've changed 
those all around with no affect on the behavior. And here's a test I 
think indicates Apache isn't looking at both. If I intentially point
the AuthGroupFile to a wrong file name, Apache only gripes when the 
"require group" is directive is in .htaccess. If both are in there, 
then I only get the user/valid-user issue. If Apache was looking in 
the group file first for membership, wouldn't it issue the same error 
for "No such file"? Here's some test scenarios that tell me it's not 
honoring both directives being there.

Both user and group directives.

[Fri Aug 18 05:45:33 2006] [error] [client 10.10.10.1] access to /toprealm/subrealm failed, reason: user 'kylet' does not meet 'require'ments for user/valid-user to be allowed access

Just group directive and "kylet" not a member.

[Fri Aug 18 05:47:52 2006] [error] [client 10.10.10.1] Authorization of user kylet to access /toprealm/subrealm failed, reason: user is not part of the 'require'ed group(s).

Just group directive and incorrect file name.

[Fri Aug 18 05:49:03 2006] [error] [client 10.10.10.1] (2)No such file or directory: Could not open group file: /etc/httpd/conf/htgroups

Both group and user directives and incorrect file name.

[Fri Aug 18 05:49:17 2006] [error] [client 10.10.10.1] access to /toprealm/subrealm failed, reason: user 'kylet' does not meet 'require'ments for user/valid-user to be allowed access

Auth works properly if it's just the "require group" statement is there 
and I am in the group.

What am I missing? Thanks.




-- 
- Kyle 
---------------------------------------------
kylet@panix.com   http://www.panix.com/~kylet    
---------------------------------------------

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Using both require user/group in .htaccess

Posted by Kyle Tucker <ky...@panix.com>.
On Sun, Aug 20, 2006 at 06:52:45PM -0400, Joshua Slive wrote:
> On 8/20/06, Kyle Tucker <ky...@panix.com> wrote:
> >
> >AuthName "Subdirectory Area Restricted Access"
> >AuthType Basic
> >AuthUserFile /etc/httpd/conf/htpasswd
> >AuthGroupFile /etc/httpd/conf/htgroup
> >require group testgrp
> >require user someuser
> 
> I don't think you can do that in 2.2. The dev version (2.3/2.4) will
> be able to do this.  The work-around is just put someuser into
> testgrp.

The whole intent is for someuser to only have access to the
subdirectory whereas testgrp has global access. Others report
it used to work in 2.0 and earlier. I don't see any mention 
of it being dropped in the Apache CHANGES file. Is it broken?

Thanks.

-- 
- Kyle 
---------------------------------------------
kylet@panix.com   http://www.panix.com/~kylet    
---------------------------------------------

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Using both require user/group in .htaccess

Posted by Joshua Slive <jo...@slive.ca>.
On 8/20/06, Kyle Tucker <ky...@panix.com> wrote:
>
> AuthName "Subdirectory Area Restricted Access"
> AuthType Basic
> AuthUserFile /etc/httpd/conf/htpasswd
> AuthGroupFile /etc/httpd/conf/htgroup
> require group testgrp
> require user someuser

I don't think you can do that in 2.2. The dev version (2.3/2.4) will
be able to do this.  The work-around is just put someuser into
testgrp.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org