[prev in list] [next in list] [prev in thread] [next in thread] 

List:       apache-httpd-dev
Subject:    Re: authnz_ldap in 2.2.x
From:       "Brad Nicholes" <BNICHOLES () novell ! com>
Date:       2007-08-31 18:16:02
Message-ID: 46D80680.6720.00AC.0 () novell ! com
[Download RAW message or body]

> > > On 8/30/2007 at 4:36 PM, in message
<1404e5910708301536p32bbb344u4d1e573cf45028ce@mail.gmail.com>, "Eric Covener"
<covener@gmail.com> wrote:
> On 8/30/07, Brad Nicholes <BNICHOLES@novell.com> wrote:
> > > > > On 8/29/2007 at 7:51 PM, in message
> > <1404e5910708291851x5840a4cemd81caaedb41d18d5@mail.gmail.com>, "Eric Covener"
> > <covener@gmail.com> wrote:
> > > 
> > > In 2.2.x If authz_XXX are one of dbm, owner, or groupfile they track
> > > the list of requires and decline if they don't see any they're
> > > responsible for -- this isn't a crap shoot of module ordering in this
> > > case.
> > > 
> > > $ grep \!required *.c
> > > mod_authz_dbm.c:    if (!required_group || !conf->authoritative) {
> > > mod_authz_groupfile.c:    if (!required_group || !conf->authoritative) {
> > > mod_authz_owner.c:    if (!required_owner || !conf->authoritative) {
> > > mod_authz_user.c:    if (!required_user) {
> > > 
> > > That roughly leaves authz_host, authz_default, and authnz_ldap.
> > > authz_host has a built-in default based on Order, and authz_default
> > > doesn't have any Requires to check -- leaving authnz_ldap as the odd
> > > man out.
> > > 
> > 
> > True, so that brings up the question of what does AuthzXXXAuthoritative 
> really mean?  Does it mean that if set to ON, this module is authoritatively 
> responsible for authorization and if it can't (whatever the reason including 
> no require statement), then authorization fails?  Or does it mean that the 
> module is only authoritatively responsible for authorization if a matching 
> require statement exists?  According to what you are saying as well as what 
> the code is currently saying in the other authz modules, the latter is true.  
> And if that is really the definition of AuthzXXXAuthoritative, then it 
> appears that authnz_ldap needs to be fixed.
> > 
> > Brad
> > 
> 
> For the ones in the list above it seems to roughly be:
> 
> if an authz_XXX require is satisfied, return OK
> If authz_XXX is authoritative, and any authz_XXX require directives
> were present, return HTTP_UNAUTHORIZED
> else return DECLINED
> 
> Any clue from a development process POV how I'd propose such a thing
> for "backport" since it doesn't apply to trunk?  I was also hoping
> some more people might weigh in on the behavior change for
> mod_authnz_ldap in a stable release.

Welcome to the world of ldap development in Apache, outside of a very small group of \
us, there usually isn't much response from anyone else. :(  I would suggest that you \
write a patch and either post the patch file in your people.apache.org user dir so \
that it is easily accessible from the web or attach it to a bugzilla bug that can be \
referenced.  Then write your backport proposal in the 2.2 STATUS file and reference \
the patch file directly rather than a link into SVN.  Also note that this is specific \
to 2.2 and does not apply to trunk due to the authorization refactoring going \
forward.

Brad


[prev in list] [next in list] [prev in thread] [next in thread]