mod-auth-sys-group
PILLON Julien
julien.pillon at alyotech.fr
Tue Jun 3 09:05:26 UTC 2014
Hello,
I was facing a problem with the mod-auth-sys-group Apache module which comes with mod-auth-pam:
I wanted to set up an access restriction to an SVN repository based on group membership OR a given user. The problem was that the module kept saying "GROUP: XXX not in required group(s).", even if the user matches the Require user directive.
To be clear, here is a configuration file:
    <Location /svn/repo>
        DAV svn
        SVNPath /srv/svn/repos/repo
        SVNListParentPath Off
        Options FollowSymLinks
        AuthName "Please authenticate"
        AuthPAM_Enabled on
        AuthPAM_FallThrough on
        AuthBasicAuthoritative off
        AuthGROUP_Enabled on
        AuthGROUP_FallThrough on
        AuthUserFile /dev/null
        AuthType Basic
        Require group "some group"
        Require user "some.user"
    </Location>
And I want the access to be granted if the user is in specified group(s) OR if the user is listed...
I found the solution by patching the module. In the comments (mod_auth_sys_group.c) it is said:
    typedef struct {
        int
            fall_through,  /* 1 to DECLINE instead of HTTP_UNAUTHORIZED if we
                              can't find the username in a group.
                              (default to 0) */
            enabled;       /* 1 to use mod_auth_sys_group, 0 otherwise
                              (defaults to 1) */
    } auth_sys_group_dir_config;
But the fall_through is never used. So I changed the end of the sys_group_check_auth function :
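    if (conf->fall_through == 0)
    {
        /* Authoritative: the user is in none of the required groups, deny. */
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "GROUP: %s not in required group(s).", r->user);
        ap_note_basic_auth_failure(r);
        return HTTP_UNAUTHORIZED;
    }
    else
    {
        /* Fall through: let the other modules evaluate the remaining Require lines. */
        return DECLINED;
    }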
And everything works as expected!
Regards
Julien PILLON
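
A minimal model of why the change above has this effect, added here as an illustration and not taken from the post or from mod_auth_pam: Apache's auth checker hook is run-first, so the first handler that returns anything other than DECLINED decides the request. The locally defined return codes, the handler order (group check before user check), and the `user_check` and `decide` functions are assumptions of this model.

```c
#include <stdio.h>
#include <string.h>

/* Same names as Apache's return codes, defined locally for this model. */
enum { OK = 0, DECLINED = -1, HTTP_UNAUTHORIZED = 401 };

typedef struct {
    const char *user;       /* authenticated user name */
    int in_required_group;  /* outcome of the system group lookup */
    int fall_through;       /* AuthGROUP_FallThrough on/off */
} request;

/* Models the end of sys_group_check_auth after the change in the post. */
static int group_check(const request *r)
{
    if (r->in_required_group)
        return OK;
    return r->fall_through ? DECLINED : HTTP_UNAUTHORIZED;
}

/* Hypothetical stand-in for the module that evaluates "Require user". */
static int user_check(const request *r)
{
    return strcmp(r->user, "some.user") == 0 ? OK : HTTP_UNAUTHORIZED;
}

/* Run-first chain: the first handler that does not return DECLINED decides. */
static int decide(const char *user, int in_group, int fall_through)
{
    request r = { user, in_group, fall_through };
    int (*chain[])(const request *) = { group_check, user_check };
    for (size_t i = 0; i < sizeof chain / sizeof chain[0]; i++) {
        int rc = chain[i](&r);
        if (rc != DECLINED)
            return rc;
    }
    return DECLINED; /* no handler decided; no access is granted in this model */
}

int main(void)
{
    /* Constructed cases: user name, group membership, fall-through setting. */
    printf("listed user, fall-through off: %d\n", decide("some.user", 0, 0));
    printf("listed user, fall-through on:  %d\n", decide("some.user", 0, 1));
    printf("unlisted user, not in group:   %d\n", decide("other", 0, 1));
    printf("group member:                  %d\n", decide("member", 1, 0));
    return 0;
}
```

With fall-through enabled, the group check stops being the final word, so the access decision depends on the handler that runs after it still denying users who match no Require line.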