Apache 2.2 - both require user and require group

14/08/2006, 01h54

Hi all,
I've spent way more time on this than I thought it would
take, but I can't lick this one. Per this document I found on the
net (http://linux.dbw.org/articles/apache_userauth.html) I am
supposed to be able to use both require user and require groups
in one .htaccess file. But no matter what I try, the require user
seems to override and the groups are ignored, order of directives
having no affect.

AuthName "Restricted Access"
AuthType Basic
AuthUserFile /etc/httpd/conf/htpasswd
AuthGroupFile /etc/httpd/conf/htgroup
require group group1
require user user1

group1 is definitely in /etc/httpd/conf/htgroup and its users are
in /etc/httpd/conf/htpasswd along with user1.

Should I be able to do this? The official docs don't mention it,
so I am suspicous I may not. Alternate ways to let a single user
AND a group access a location? Thanks.

--
- Kyle

14/08/2006, 08h59

Kyle Tucker wrote:

> am
> supposed to be able to use both require user and require groups
> in one .htaccess file.

Have you checked with your server administrator whether .htaccess
files are enabled in your directory?

> AuthName "Restricted Access"
> AuthType Basic
> AuthUserFile /etc/httpd/conf/htpasswd
> AuthGroupFile /etc/httpd/conf/htgroup
> require group group1
> require user user1

That looks like an apache 1.x/2.0 configuration, which suggests
to me that you may not have read the manual.

> group1 is definitely in /etc/httpd/conf/htgroup and its users are
> in /etc/httpd/conf/htpasswd along with user1.
>
> Should I be able to do this? The official docs don't mention it,
> so I am suspicous I may not. Alternate ways to let a single user
> AND a group access a location? Thanks.

Yes, you can specify multiple require directives.
What does the error log say?

--
Nick Kew

14/08/2006, 11h51

In article <o4n5r3-tig.ln1@asgard.webthing.com>,
Nick Kew <nick@asgard.webthing.com> writes:
> Kyle Tucker wrote:
>
> Have you checked with your server administrator whether .htaccess
> files are enabled in your directory?

Yes and the .htaccess is used, I get prompted with the Realm specifically
set in the .htaccess file. I can log in as a user in a "require user" line.

> That looks like an apache 1.x/2.0 configuration, which suggests
> to me that you may not have read the manual.

Well it looks just like the the example from the 2.2 docs from which I
obtained the info. http://httpd.apache.org/docs/2.2/howto/htaccess.html

> Yes, you can specify multiple require directives.
> What does the error log say?

access to /path failed, reason: user 'kylet' does not meet 'require'ments for user/valid-user to be allowed access

And I (kylet) am in the group. I should note that in the httpd.conf file,
the parent directory of this one I am trying to set up different auth
for is protected by a "require valid-user" directive, but 'kylet' satisfies
that. But I am under the impression the .htaccess overrides the auth stuff
from the <Directory> directives.

--
- Kyle

14/08/2006, 12h05

In article <ebpkjd$88j$1@reader2.panix.com>,
kylet@horsehill.net (Kyle Tucker) writes:
> And I (kylet) am in the group. I should note that in the httpd.conf file,
> the parent directory of this one I am trying to set up different auth
> for is protected by a "require valid-user" directive, but 'kylet' satisfies
> that. But I am under the impression the .htaccess overrides the auth stuff
> from the <Directory> directives.

I should also note that I tried using the user and group require statements
on this parent directory in the <Directory>'s config and saw the exact same
behavior where group was not allowed if a require user directive was present.

--

- Kyle

14/08/2006, 14h44

Kyle Tucker wrote:

> I should also note that I tried using the user and group require statements
> on this parent directory in the <Directory>'s config and saw the exact same
> behavior where group was not allowed if a require user directive was present.

You would get that if it checks the user first and the "require user"
directive is declared authoritative. You'd also get something similar
if the groupfile authz module isn't loaded.

--
Nick Kew

18/08/2006, 13h56

In article <obb6r3-s0i.ln1@asgard.webthing.com>,
Nick Kew <nick@asgard.webthing.com> writes:

>> I should also note that I tried using the user and group require statements
>> on this parent directory in the <Directory>'s config and saw the exact same
>> behavior where group was not allowed if a require user directive was present.

Still can't tackle this.

> You would get that if it checks the user first and the "require user"
> directive is declared authoritative.

Upon first access to these pages, I'm prompted for the correct subdirectory's
realm, so I know it's using the .htaccess file, not the <Directory> parent
auth directives. And according to Apache's own docs, when a require group
is present, it will check to see if a user is even in the group before asking
for a password to check the user/htpasswd file. Given the behavior when both
user and group are required, I have got to believe the group isn't even being
looked at. So what would make the "require user" authorative within the same
..htacess file? It certainly isn't order of the directives within the file as
I've changed those all around with no affect on the behavior. And here's a
test I think indicates Apache isn't looking at both. If I intentially point
the AuthGroupFile to a wrong file name, Apache only gripes when the "require
group" is directive is in .htaccess. If both are in there, then I only get
the user/valid-user issue. If Apache was looking in the group file first
for membership, wouldn't it issue the same error for "No such file"?

Both user and group.

[Fri Aug 18 05:45:33 2006] [error] [client 10.10.10.1] access to /toprealm/subrealm failed, reason: user 'kylet' does not meet 'require'ments for user/valid-user to be allowed access

Just group and myself not a member.

[Fri Aug 18 05:47:52 2006] [error] [client 10.10.10.1] Authorization of user kylet to access /toprealm/subrealm failed, reason: user is not part of the 'require'ed group(s).

Just group directive and incorrect file name.

[Fri Aug 18 05:49:03 2006] [error] [client 10.10.10.1] (2)No such file or directory: Could not open group file: /etc/httpd/conf/htgroups

Both group and user and incorrect file name.

[Fri Aug 18 05:49:17 2006] [error] [client 10.10.10.1] access to /toprealm/subrealm failed, reason: user 'kylet' does not meet 'require'ments for user/valid-user to be allowed access

> You'd also get something similar if the groupfile authz module isn't
> loaded.

Well there's a LoadModule authz_groupfile_module directive in the main
config and all works if it's just the "require group" statement is there,
so I know it is.

--
- Kyle

22/08/2006, 00h13

In article <o4n5r3-tig.ln1@asgard.webthing.com>,
Nick Kew <nick@asgard.webthing.com> writes:

> Yes, you can specify multiple require directives.

FWIW, I posted this problem on the Apache users mailing list and was
told their this will NOT work on Apache 2.2, which is what I am trying
to do this on.

--

- Kyle

22/08/2006, 01h30

Kyle Tucker wrote:
> In article <o4n5r3-tig.ln1@asgard.webthing.com>,
> Nick Kew <nick@asgard.webthing.com> writes:
>
>> Yes, you can specify multiple require directives.
>
> FWIW, I posted this problem on the Apache users mailing list and was
> told their this will NOT work on Apache 2.2, which is what I am trying
> to do this on.
>
That's not quite what he said. It's certainly possible to
have multiple Require directives in Apache 2.2 (and earlier),
but you'll need to ensure the first one to run isn't just
treated as authoritative.

--
Nick Kew

22/08/2006, 02h31

In article <4rvpr3-ab6.ln1@asgard.webthing.com>,
Nick Kew <nick@asgard.webthing.com> writes:

> That's not quite what he said. It's certainly possible to
> have multiple Require directives in Apache 2.2 (and earlier),
> but you'll need to ensure the first one to run isn't just
> treated as authoritative.

Well he said he didn't think it works and another poster to
the mailing list indicated it stopped working for him in 2.2.
Regardless, I can't find info on what makes one require directive
"authoritative" over another. Can you point me to something that
may shed some light on what you're referring to? Thanks.

--

- Kyle

26/08/2006, 00h37

In article <ecdmq2$sap$1@reader2.panix.com>,
kylet@horsehill.net (Kyle Tucker) writes:

> Regardless, I can't find info on what makes one require directive
> "authoritative" over another. Can you point me to something that
> may shed some light on what you're referring to?

Guess not. I put this EXACT same directory structure, .conf and .htaccess
files under an Apache 2.0 on a RedHat 9 system and the two directives
worked perfectly together. So something in 2.2 is definitely different
(or broken).

--

- Kyle

14/08/2006, 01h54	#1
Kyle Tucker Messages: n/a Hébergeur:	Apache 2.2 - both require user and require group Hi all, I've spent way more time on this than I thought it would take, but I can't lick this one. Per this document I found on the net (http://linux.dbw.org/articles/apache_userauth.html) I am supposed to be able to use both require user and require groups in one .htaccess file. But no matter what I try, the require user seems to override and the groups are ignored, order of directives having no affect. AuthName "Restricted Access" AuthType Basic AuthUserFile /etc/httpd/conf/htpasswd AuthGroupFile /etc/httpd/conf/htgroup require group group1 require user user1 group1 is definitely in /etc/httpd/conf/htgroup and its users are in /etc/httpd/conf/htpasswd along with user1. Should I be able to do this? The official docs don't mention it, so I am suspicous I may not. Alternate ways to let a single user AND a group access a location? Thanks. -- - Kyle

14/08/2006, 08h59	#2
Nick Kew Messages: n/a Hébergeur:	Re: Apache 2.2 - both require user and require group Kyle Tucker wrote: > am > supposed to be able to use both require user and require groups > in one .htaccess file. Have you checked with your server administrator whether .htaccess files are enabled in your directory? > AuthName "Restricted Access" > AuthType Basic > AuthUserFile /etc/httpd/conf/htpasswd > AuthGroupFile /etc/httpd/conf/htgroup > require group group1 > require user user1 That looks like an apache 1.x/2.0 configuration, which suggests to me that you may not have read the manual. > group1 is definitely in /etc/httpd/conf/htgroup and its users are > in /etc/httpd/conf/htpasswd along with user1. > > Should I be able to do this? The official docs don't mention it, > so I am suspicous I may not. Alternate ways to let a single user > AND a group access a location? Thanks. Yes, you can specify multiple require directives. What does the error log say? -- Nick Kew

14/08/2006, 11h51	#3
Kyle Tucker Messages: n/a Hébergeur:	Re: Apache 2.2 - both require user and require group In article <o4n5r3-tig.ln1@asgard.webthing.com>, Nick Kew <nick@asgard.webthing.com> writes: > Kyle Tucker wrote: > > Have you checked with your server administrator whether .htaccess > files are enabled in your directory? Yes and the .htaccess is used, I get prompted with the Realm specifically set in the .htaccess file. I can log in as a user in a "require user" line. > That looks like an apache 1.x/2.0 configuration, which suggests > to me that you may not have read the manual. Well it looks just like the the example from the 2.2 docs from which I obtained the info. http://httpd.apache.org/docs/2.2/howto/htaccess.html > Yes, you can specify multiple require directives. > What does the error log say? access to /path failed, reason: user 'kylet' does not meet 'require'ments for user/valid-user to be allowed access And I (kylet) am in the group. I should note that in the httpd.conf file, the parent directory of this one I am trying to set up different auth for is protected by a "require valid-user" directive, but 'kylet' satisfies that. But I am under the impression the .htaccess overrides the auth stuff from the <Directory> directives. -- - Kyle

14/08/2006, 12h05	#4
Kyle Tucker Messages: n/a Hébergeur:	Re: Apache 2.2 - both require user and require group In article <ebpkjd$88j$1@reader2.panix.com>, kylet@horsehill.net (Kyle Tucker) writes: > And I (kylet) am in the group. I should note that in the httpd.conf file, > the parent directory of this one I am trying to set up different auth > for is protected by a "require valid-user" directive, but 'kylet' satisfies > that. But I am under the impression the .htaccess overrides the auth stuff > from the <Directory> directives. I should also note that I tried using the user and group require statements on this parent directory in the <Directory>'s config and saw the exact same behavior where group was not allowed if a require user directive was present. -- - Kyle

14/08/2006, 14h44	#5
Nick Kew Messages: n/a Hébergeur:	Re: Apache 2.2 - both require user and require group Kyle Tucker wrote: > I should also note that I tried using the user and group require statements > on this parent directory in the <Directory>'s config and saw the exact same > behavior where group was not allowed if a require user directive was present. You would get that if it checks the user first and the "require user" directive is declared authoritative. You'd also get something similar if the groupfile authz module isn't loaded. -- Nick Kew

18/08/2006, 13h56	#6
Kyle Tucker Messages: n/a Hébergeur:	Re: Apache 2.2 - both require user and require group In article <obb6r3-s0i.ln1@asgard.webthing.com>, Nick Kew <nick@asgard.webthing.com> writes: >> I should also note that I tried using the user and group require statements >> on this parent directory in the <Directory>'s config and saw the exact same >> behavior where group was not allowed if a require user directive was present. Still can't tackle this. > You would get that if it checks the user first and the "require user" > directive is declared authoritative. Upon first access to these pages, I'm prompted for the correct subdirectory's realm, so I know it's using the .htaccess file, not the <Directory> parent auth directives. And according to Apache's own docs, when a require group is present, it will check to see if a user is even in the group before asking for a password to check the user/htpasswd file. Given the behavior when both user and group are required, I have got to believe the group isn't even being looked at. So what would make the "require user" authorative within the same ..htacess file? It certainly isn't order of the directives within the file as I've changed those all around with no affect on the behavior. And here's a test I think indicates Apache isn't looking at both. If I intentially point the AuthGroupFile to a wrong file name, Apache only gripes when the "require group" is directive is in .htaccess. If both are in there, then I only get the user/valid-user issue. If Apache was looking in the group file first for membership, wouldn't it issue the same error for "No such file"? Both user and group. [Fri Aug 18 05:45:33 2006] [error] [client 10.10.10.1] access to /toprealm/subrealm failed, reason: user 'kylet' does not meet 'require'ments for user/valid-user to be allowed access Just group and myself not a member. [Fri Aug 18 05:47:52 2006] [error] [client 10.10.10.1] Authorization of user kylet to access /toprealm/subrealm failed, reason: user is not part of the 'require'ed group(s). Just group directive and incorrect file name. [Fri Aug 18 05:49:03 2006] [error] [client 10.10.10.1] (2)No such file or directory: Could not open group file: /etc/httpd/conf/htgroups Both group and user and incorrect file name. [Fri Aug 18 05:49:17 2006] [error] [client 10.10.10.1] access to /toprealm/subrealm failed, reason: user 'kylet' does not meet 'require'ments for user/valid-user to be allowed access > You'd also get something similar if the groupfile authz module isn't > loaded. Well there's a LoadModule authz_groupfile_module directive in the main config and all works if it's just the "require group" statement is there, so I know it is. -- - Kyle

22/08/2006, 00h13	#7
Kyle Tucker Messages: n/a Hébergeur:	Re: Apache 2.2 - both require user and require group In article <o4n5r3-tig.ln1@asgard.webthing.com>, Nick Kew <nick@asgard.webthing.com> writes: > Yes, you can specify multiple require directives. FWIW, I posted this problem on the Apache users mailing list and was told their this will NOT work on Apache 2.2, which is what I am trying to do this on. -- - Kyle

22/08/2006, 01h30	#8
Nick Kew Messages: n/a Hébergeur:	Re: Apache 2.2 - both require user and require group Kyle Tucker wrote: > In article <o4n5r3-tig.ln1@asgard.webthing.com>, > Nick Kew <nick@asgard.webthing.com> writes: > >> Yes, you can specify multiple require directives. > > FWIW, I posted this problem on the Apache users mailing list and was > told their this will NOT work on Apache 2.2, which is what I am trying > to do this on. > That's not quite what he said. It's certainly possible to have multiple Require directives in Apache 2.2 (and earlier), but you'll need to ensure the first one to run isn't just treated as authoritative. -- Nick Kew

22/08/2006, 02h31	#9
Kyle Tucker Messages: n/a Hébergeur:	Re: Apache 2.2 - both require user and require group In article <4rvpr3-ab6.ln1@asgard.webthing.com>, Nick Kew <nick@asgard.webthing.com> writes: > That's not quite what he said. It's certainly possible to > have multiple Require directives in Apache 2.2 (and earlier), > but you'll need to ensure the first one to run isn't just > treated as authoritative. Well he said he didn't think it works and another poster to the mailing list indicated it stopped working for him in 2.2. Regardless, I can't find info on what makes one require directive "authoritative" over another. Can you point me to something that may shed some light on what you're referring to? Thanks. -- - Kyle

26/08/2006, 00h37	#10
Kyle Tucker Messages: n/a Hébergeur:	Re: Apache 2.2 - both require user and require group In article <ecdmq2$sap$1@reader2.panix.com>, kylet@horsehill.net (Kyle Tucker) writes: > Regardless, I can't find info on what makes one require directive > "authoritative" over another. Can you point me to something that > may shed some light on what you're referring to? Guess not. I put this EXACT same directory structure, .conf and .htaccess files under an Apache 2.0 on a RedHat 9 system and the two directives worked perfectly together. So something in 2.2 is definitely different (or broken). -- - Kyle

Outils de la discussion
Afficher une version imprimable Envoyer un lien vers cette page par email