I am trying to get authorization to work on my apache installation. I
want to authorize depending on what group the user belongs to.
I am using
- Apache 2.2.15
- CentOS 6.2 (Running as guest in VB)
My setup is working if I only want to authenticate/authorize based on the user.
Here is the significant part (I think...) of my httpd.conf:
<Directory "/var/www/html">
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
AuthType Basic
AuthName "Restricted Files"
AuthBasicProvider dbd
Require dbd-group 1
Require valid-user
AuthzDBDQuery "SELECT group_id FROM groupsusers JOIN user ON groupsusers.user_id = user.id WHERE groupsusers.group_id = 1 AND user.users = %s"
AuthDBDUserPWQuery "SELECT password FROM user WHERE users = %s"
</Directory>
AuthzDBDQuery doesn't work since, as I understand it, it is not part
of any stable version yet. This is the error message I get while
starting httpd:
"Invalid command 'AuthzDBDQuery', perhaps misspelled or
defined by a module not included in the server configuration httpd not
running, trying to start"
My question is, how can I use groups for authorization when using
mysql for storing the groups? I guess it must be possible without
re-compiling apache? If not, please enlighten me.
Any help that will point me in the right direction is appreciated.
Thanks!
Comments
Re: Authenticate/Authorize user based on group wit
By Nick Kew at 01/12/2012 - 06:16
mod_authz_dbd was first dropped into trunk just too late to make the
original 2.2.0 release. That version was developed with 2.2 and worked
with it.
Shortly after came authz refactoring. It was refactored along with all
other authz modules, and no longer works with 2.2.
You can get the original version for 2.2 from the svn repos at
http://svn.eu.apache.org/viewvc?view=revision&revision=345389
but bear in mind you'll be using largely-untested code!
For a brief history of changes since then, you could see
http://svn.eu.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_authz_dbd.c?view=log
Re: Authenticate/Authorize user based on group wit
By Niklas Johansson at 01/12/2012 - 06:39
Thanks for your answer.
Do you know when it will be delivered with any stable version? Since
we are looking for a beta version in my project right now, we can wait
a little bit with this. But in a while we have to make sure that we
add this security level.
In worst case, are there any instructions for compiling apache with
this module? Reading the instructions for compiling the latest version
(at least this was linked from there:
http://httpd.apache.org/docs/trunk/programs/configure.html#optionalfeatures)
mod_authz_dbd is not listed.
Regarding your link with history, it seems like it's close to GA. But
is it for the version before refactoring?
-Niklas
On 12 January 2012 at 11:16, Nick Kew < ... at webthing dot com> wrote:
Re: Authenticate/Authorize user based on group wit
By Nick Kew at 01/13/2012 - 12:40
On Thu, 12 Jan 2012 11:39:20 +0100
It's in current 2.3.x beta releases, and will be in 2.4.x once a
release in the stable branch is made. If your project is in
beta, why not adopt 2.3 as your standard to work with?
Currently GA is very much on the agenda, but there are known
showstoppers on the Windows platform. So the argument is whether
to release as "GA for *X but stick to 2.2 if on windows" or to
hold back until those problems are fixed.
Same as any module. Either build trunk or any 2.3.x from source
or use apxs to add it to an existing build.
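
For reference, a configuration sketch of the group check on a 2.3.x/2.4.x build where mod_dbd, mod_authn_dbd and mod_authz_dbd are loaded. This is an added example, not configuration posted by anyone in the thread: the table and column names come from the query in the question, and the DBDParams values are placeholders.

```apache
# Added illustration; assumes mod_dbd, mod_authn_dbd and mod_authz_dbd are
# loaded and the MySQL DBD driver is available. Connection values are placeholders.
DBDriver mysql
DBDParams "host=DB_HOST dbname=DB_NAME user=DB_USER pass=DB_PASSWORD"

<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None

    AuthType Basic
    AuthName "Restricted Files"
    AuthBasicProvider dbd

    # mod_authn_dbd: fetch the stored (hashed) password for the login name
    AuthDBDUserPWQuery "SELECT password FROM user WHERE users = %s"

    # mod_authz_dbd: return every group the user belongs to, one row per group.
    # The group filter lives in the Require line, not in the SQL.
    AuthzDBDQuery "SELECT groupsusers.group_id FROM groupsusers JOIN user ON groupsusers.user_id = user.id WHERE user.users = %s"

    # Access is granted only if one of the returned rows equals "1".
    # "Require valid-user" is deliberately absent: in 2.4 sibling Require
    # lines are implicitly wrapped in RequireAny, so it would admit every
    # authenticated user regardless of group.
    Require dbd-group 1
</Directory>
```

The 2.2-style `Order allow,deny` / `Allow from all` lines are left out because 2.4 only accepts them through mod_access_compat.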