You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Kyle Tucker <ky...@panix.com> on 2006/08/20 22:56:53 UTC
[users@httpd] Using both require user/group in .htaccess
Hi all,
I've spent way more time on this than I thought it would
take, but I can't lick this one. Per this document I found on the
net (http://linux.dbw.org/articles/apache_userauth.html) I am
supposed to be able to use both require user and require groups
in one .htaccess file. But no matter what I try, the require user
seems to override and the groups are ignored, order of directives
having no affect. This is Apache 2.2.0 on Fedora.
AuthName "Subdirectory Area Restricted Access"
AuthType Basic
AuthUserFile /etc/httpd/conf/htpasswd
AuthGroupFile /etc/httpd/conf/htgroup
require group testgrp
require user someuser
This .htaccess file is in a subdirectory of one covered by an Auth
realm of the parent, but all credential prompting is for the Realm of
the subdirectory. testgrp is definitely in /etc/httpd/conf/htgroup
and its users including "kylet" are in /etc/httpd/conf/htpasswd along
with "someuser".
Upon first access to these pages, I'm prompted for the correct
subdirectory's realm, so I know it's using the .htaccess file, not
the <Directory> parent's auth directives. And according to Apache's
own docs, when a require group is present, it will check to see if a
user is even in the group before asking for a password to check the
user/htpasswd file. Given the behavior when both user and group are
required, I have got to believe the group isn't even being looked at.
It is not the order of the directives within the file as I've changed
those all around with no affect on the behavior. And here's a test I
think indicates Apache isn't looking at both. If I intentially point
the AuthGroupFile to a wrong file name, Apache only gripes when the
"require group" is directive is in .htaccess. If both are in there,
then I only get the user/valid-user issue. If Apache was looking in
the group file first for membership, wouldn't it issue the same error
for "No such file"? Here's some test scenarios that tell me it's not
honoring both directives being there.
Both user and group directives.
[Fri Aug 18 05:45:33 2006] [error] [client 10.10.10.1] access to /toprealm/subrealm failed, reason: user 'kylet' does not meet 'require'ments for user/valid-user to be allowed access
Just group directive and "kylet" not a member.
[Fri Aug 18 05:47:52 2006] [error] [client 10.10.10.1] Authorization of user kylet to access /toprealm/subrealm failed, reason: user is not part of the 'require'ed group(s).
Just group directive and incorrect file name.
[Fri Aug 18 05:49:03 2006] [error] [client 10.10.10.1] (2)No such file or directory: Could not open group file: /etc/httpd/conf/htgroups
Both group and user directives and incorrect file name.
[Fri Aug 18 05:49:17 2006] [error] [client 10.10.10.1] access to /toprealm/subrealm failed, reason: user 'kylet' does not meet 'require'ments for user/valid-user to be allowed access
Auth works properly if it's just the "require group" statement is there
and I am in the group.
What am I missing? Thanks.
--
- Kyle
---------------------------------------------
kylet@panix.com http://www.panix.com/~kylet
---------------------------------------------
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Using both require user/group in .htaccess
Posted by Kyle Tucker <ky...@panix.com>.
On Sun, Aug 20, 2006 at 06:52:45PM -0400, Joshua Slive wrote:
> On 8/20/06, Kyle Tucker <ky...@panix.com> wrote:
> >
> >AuthName "Subdirectory Area Restricted Access"
> >AuthType Basic
> >AuthUserFile /etc/httpd/conf/htpasswd
> >AuthGroupFile /etc/httpd/conf/htgroup
> >require group testgrp
> >require user someuser
>
> I don't think you can do that in 2.2. The dev version (2.3/2.4) will
> be able to do this. The work-around is just put someuser into
> testgrp.
The whole intent is for someuser to only have access to the
subdirectory whereas testgrp has global access. Others report
it used to work in 2.0 and earlier. I don't see any mention
of it being dropped in the Apache CHANGES file. Is it broken?
Thanks.
--
- Kyle
---------------------------------------------
kylet@panix.com http://www.panix.com/~kylet
---------------------------------------------
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Using both require user/group in .htaccess
Posted by Joshua Slive <jo...@slive.ca>.
On 8/20/06, Kyle Tucker <ky...@panix.com> wrote:
>
> AuthName "Subdirectory Area Restricted Access"
> AuthType Basic
> AuthUserFile /etc/httpd/conf/htpasswd
> AuthGroupFile /etc/httpd/conf/htgroup
> require group testgrp
> require user someuser
I don't think you can do that in 2.2. The dev version (2.3/2.4) will
be able to do this. The work-around is just put someuser into
testgrp.
Joshua.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org