
Re: Unable to access our SVN server using SVN 1.8 client

From: Ben Reser <ben_at_reser.org>
Date: Tue, 25 Feb 2014 15:37:50 -0800

On 2/25/14, 12:52 PM, Ben Reser wrote:
> 2) Write a custom authz hook that always returns HTTP_FORBIDDEN that hooks
> after the ldap module. Configure your custom module to be turned on for your
> location. Then set 'AuthzLDAPAuthoritative off', meaning that the ldap module
> will DECLINE and the final module should handle this.
>
> I'm off to lunch but when I get back I can probably write a quick authz module
> that does the second bit for you.

First of all, I was able to duplicate this with an SVN 1.6.x server, a 1.8.x
client and the following setup (without needing LDAP, since the group file
module has the same behavior):

httpd.conf:
[[[
<Location /svn>
  DAV svn
  SVNPath ${HOME}/iprops
  AuthType Basic
  AuthName "Subversion Repository"
  AuthUserFile ${HOME}/iprops/conf/users
  AuthGroupFile ${HOME}/iprops/conf/groups
  Require group constant
  AuthzSVNAuthoritative off
  AuthzSVNAccessFile ${HOME}/iprops/conf/authz
</Location>
]]]

users (password is rayjandom for both):
[[[
jrandom:xCGl35kV9oWCY
jconstant:xCGl35kV9oWCY
]]]

groups:
[[[
constant: jconstant
]]]

authz:
[[[
[/random]
jrandom = rw
]]]

I was able to make it work by adding the attached module. It's a slightly
hacked version of mod_authz_default, which comes with httpd 2.2.x (and also
returns a 401). The only differences are that I changed the names of the symbols
and configuration settings so that it doesn't conflict with mod_authz_default.

The following should install it (note that on Debian use apxs2 instead of apxs):
[[[
apxs -cia mod_authz_forbid.c
]]]

Now add the following extra options to the Location block for SVN:
[[[
  AuthzDefaultAuthoritative Off
  AuthzGroupFileAuthoritative Off
]]]

And now it works with a 1.8 client. The first directive is only needed if
mod_authz_default is built in or loaded as a module. The second line is the
correct option to disable authoritative in the group module. In your case
you'd want to use "AuthzLDAPAuthoritative off".

The mod_authz_default module is intended as a fallback in case there are
Require lines but no authz hook is configured as authoritative, in which case
the default behavior in httpd would be to allow that access. So it is desirable
to leave this module enabled but simply enable it for where you're using the
mod_authz_forbid module I've attached.

Both mod_authz_default and mod_authz_forbid register in the APR_HOOK_LAST
group, so their order is not determinate. If you want to avoid
mod_authz_forbid activating for any other traffic (with or without
mod_authz_default loaded), you should add the following directive at the
server level of your httpd.conf (i.e. outside a Location/Directory block):
[[[
AuthzForbidAuthoritative On
]]]

Received on 2014-02-26 00:38:25 CET

This is an archived mail posted to the Subversion Users mailing list.
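
The fall-through described in the message (non-authoritative modules DECLINE and the last hook decides), as an added Python model; it is not the attached mod_authz_forbid.c and not httpd code. It assumes a first-non-DECLINED-wins hook chain, the hook order shown, and that mod_authz_forbid answers with HTTP_FORBIDDEN as in the quoted plan; the users, group and authz rule are the ones from the files above.

```python
# Simplified model of the httpd 2.2 auth_checker hook chain: the first
# hook that does not return DECLINED decides the request.
OK, DECLINED, HTTP_UNAUTHORIZED, HTTP_FORBIDDEN = 0, -1, 401, 403

# Constructed from the groups and authz files shown in the message.
GROUPS = {"constant": {"jconstant"}}
AUTHZ = {"/random": {"jrandom"}}      # [/random] jrandom = rw
REQUIRED_GROUP = "constant"           # Require group constant


def authz_svn(user, path, conf):
    """Path-based check; AuthzSVNAuthoritative off turns a miss into DECLINED."""
    for prefix, users in AUTHZ.items():
        if (path == prefix or path.startswith(prefix + "/")) and user in users:
            return OK
    return HTTP_FORBIDDEN if conf["svn_authoritative"] else DECLINED


def authz_groupfile(user, path, conf):
    """Require group check; a non-member gets 401 only when authoritative."""
    if user in GROUPS.get(REQUIRED_GROUP, set()):
        return OK
    return HTTP_UNAUTHORIZED if conf["group_authoritative"] else DECLINED


def authz_forbid(user, path, conf):
    """Last hook: answer 403 for anything the earlier hooks left undecided."""
    return HTTP_FORBIDDEN if conf["forbid_authoritative"] else DECLINED


# Assumed order: mod_authz_svn, then the group module, mod_authz_forbid last.
CHAIN = (authz_svn, authz_groupfile, authz_forbid)


def check(user, path, conf):
    """Return the status of the first hook that does not decline."""
    for hook in CHAIN:
        status = hook(user, path, conf)
        if status != DECLINED:
            return status
    return DECLINED  # no hook took a decision


BEFORE = {"svn_authoritative": False, "group_authoritative": True,
          "forbid_authoritative": False}
AFTER = {"svn_authoritative": False, "group_authoritative": False,
         "forbid_authoritative": True}

if __name__ == "__main__":
    for user, path in (("jconstant", "/"), ("jrandom", "/random/f"), ("jrandom", "/")):
        print(user, path, check(user, path, BEFORE), check(user, path, AFTER))
```

In this model the only request whose status changes between the two configurations is jrandom outside /random, which goes from 401 to 403.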
