the_g_cat Tux's lil' helper
Joined: 31 Mar 2004 Posts: 117 Location: Dortmund - Germany
Posted: Wed Mar 12, 2008 11:19 am Post subject: [SOLVED] Apache: 'Require group' breaks 'Require user'?

Hello,
I have a hard time understanding how Apache handles the 'Require' directive, especially how that directive handles precedence of 'group' and 'user' options.
I want to have a group of users (let's call the group write_group) accessing a WebDAV share, and one additional user (read_user) who should only be able to read the share. That's how I thought to configure it:
```
Alias /webdav/share "/some/path/to/share"
<Directory /some/path/to/share>
    Dav On
    Options +Indexes
    AddDefaultCharset UTF-8
    AuthType Basic
    AuthName "Test share"
    AuthUserFile /path/to/htpasswd2_file
    AuthGroupFile /path/to/group_file
    <Limit GET HEAD OPTIONS PROPFIND>
        Require group write_group
        Require user read_user
    </Limit>
    <LimitExcept GET HEAD PROPFIND OPTIONS>
        Require group write_group
    </LimitExcept>
    Order allow,deny
    Allow from all
</Directory>
```
I had also tried it without the <Limit></Limit> part, with the two Requires placed directly in the <Directory></Directory> part, but I got similar errors. The error I get from the error_log:
```
[Wed Mar 12 11:35:19 2008] [error] [client xx.xx.xx.xx] Authorization of user read_user to access /webdav/share failed, reason: user doesn't appear in group file (/path/to/group_file).
```
I solved the problem for now by creating an extra group for the read_user user and adding that group to the Require group in the <Limit></Limit> block, but I don't really find that satisfying. Does anyone have a better idea, or maybe an explanation as to why I can't have a user who is not listed in the group_file?
Last edited by the_g_cat on Fri Mar 14, 2008 5:14 pm; edited 1 time in total

the_g_cat
Posted: Fri Mar 14, 2008 8:33 am

*bump* No one on this one either? :(

the_g_cat
Posted: Fri Mar 14, 2008 5:14 pm

Well, after chatting with some people over in #gentoo-apache (freenode.net), we have sorted out the problem.
By default, Apache seems to need every user to fulfill every Require rule (see here http://httpd.apache.org/docs/2.2/mod/mod_authz_groupfile.html#authzgroupfileauthoritative ). By setting AuthzGroupFileAuthoritative to On, Apache only needs one of the Requires to be true for the user to be authenticated (well, it's a little more complicated than that, but if you need more complex setups, go read the Apache docs linked above; chances are you should be qualified enough to make something out of it).
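
An added example, not part of the original thread: a simplified Python model of the Apache 2.2 authorization chain for this share. It follows the linked documentation's description, in which AuthzGroupFileAuthoritative Off passes the decision on to lower-level modules when no group matches and the default On answers with "Authentication Required". The module order, the function names and the sample users `alice` and `mallory` are assumptions made for illustration.

```python
# Simplified model of Apache 2.2 authorization for the share in this thread.
# Assumed for illustration: module order (groupfile, then user, then default),
# the sample users "alice" and "mallory", and all function names.
# This is not Apache source code.
OK, DECLINED, DENIED = "OK", "DECLINED", "401"
READ_METHODS = {"GET", "HEAD", "OPTIONS", "PROPFIND"}
GROUP_FILE = {"write_group": {"alice"}}  # constructed sample group file


def requires_for(method):
    """Require lines that apply to a method, per the <Limit>/<LimitExcept> blocks."""
    if method in READ_METHODS:
        return [("group", "write_group"), ("user", "read_user")]
    return [("group", "write_group")]


def authz_groupfile(user, reqs, authoritative):
    groups = [name for kind, name in reqs if kind == "group"]
    if not groups:
        return DECLINED  # no group rule to evaluate
    if any(user in GROUP_FILE.get(g, set()) for g in groups):
        return OK
    # No matching group: On answers 401 itself, Off hands over to the next module.
    return DENIED if authoritative else DECLINED


def authz_user(user, reqs):
    users = [name for kind, name in reqs if kind == "user"]
    if not users:
        return DECLINED  # no "Require user" line applies to this method
    return OK if user in users else DENIED


def authz_default(user, reqs):
    return DENIED  # no module granted access, so the request is rejected


def authorize(user, method, group_authoritative=True):
    """Result for an already authenticated user; True models the default On."""
    reqs = requires_for(method)
    checks = (lambda: authz_groupfile(user, reqs, group_authoritative),
              lambda: authz_user(user, reqs),
              lambda: authz_default(user, reqs))
    for check in checks:
        result = check()
        if result != DECLINED:
            return result
    return DENIED


if __name__ == "__main__":
    for auth in (True, False):
        for user, method in [("read_user", "GET"), ("read_user", "PUT"),
                             ("alice", "PUT"), ("mallory", "GET")]:
            setting = "On" if auth else "Off"
            print(f"AuthzGroupFileAuthoritative {setting}: {user} {method} -> "
                  f"{authorize(user, method, auth)}")
```

In the model, a PUT from read_user is still rejected with the directive set to Off, which is the check worth repeating against the real server after changing the setting.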