Mailing List Archive

Confusing (incorrect?) documentation for AuthzProviderAlias
The documentation for AuthzProviderAlias [1] looks wrong.

AFAICT including 'Require all granted' means that anyone can access
the directory.
This is borne out by my local testing.

If I remove the Require line, then httpd complains "AuthUserFile not
specified in the configuration". Presumably this is because auth is
now needed, but the config is incorrect.

If I change AuthBasicProvider to ldap, it complains that AuthLDAPUrl is missing.

This is a bit surprising, given that it is specified in the alias definition.
Also it's not at all obvious what URL should be used, given that the
two aliases use different URLs.

How is one supposed to use AuthzProviderAlias with LDAP auth?


[1] https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#authzalias

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: Confusing (incorrect?) documentation for AuthzProviderAlias
On Sat, Dec 3, 2022 at 3:21 PM sebb <sebbaz@gmail.com> wrote:
>
> The documentation for AuthzProviderAlias [1] looks wrong.
>
> AFAICT including 'Require all granted' means that anyone can access
> the directory.
> This is borne out by my local testing.

That is odd and should not be in the example, even in such a contrived one.

> If I remove the Require line, then httpd complains "AuthUserFile not
> specified in the configuration". Presumably this is because auth is
> now needed, but the config is incorrect.
>
> If I change AuthBasicProvider to ldap, it complains that AuthLDAPUrl is missing.
>
> This is a bit surprising, given that it is specified in the alias definition.
> Also it's not at all obvious what URL should be used, given that the
> two aliases use different URLs.

AuthBasicProvider is used for authn, not authz, so it can't get
configuration from an AuthzProviderAlias.
If you're authenticating against LDAP, you need to provide a URL.
Authentication can occur against a file and Authorization against
LDAP, but I think it's pretty rare (much less in the only example).

> How is one supposed to use AuthzProviderAlias with LDAP auth?

I don't know a ton about LDAP, but all of the combinations seem kind
of contrived. Maybe the best fix to the example is to use LDAP for
authn, with an AuthLDAPURL, and call the "other" alias some kind of
unusual 2nd LDAP server that has additional groups who might have the
same DN from the authentication LDAP server in other groups.

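A configuration sketch of the split described in the reply above, added here as an illustration; it is not from the thread or from the httpd documentation. Authentication gets its own LDAP settings in the directory block, while each AuthzProviderAlias carries settings used only for its own Require line. Host names, DNs, passwords and the `uid` search attribute are constructed placeholders, and the second server is assumed to hold groups that list the same user DNs.

```apache
# Requires mod_ldap and mod_authnz_ldap.

# Authorization (authz) aliases. The LDAP settings inside each block are
# used only when a Require line names that alias; they are not visible
# to AuthBasicProvider.
<AuthzProviderAlias ldap-group ldap-group-alias1 "cn=my-group,o=ctx">
    AuthLDAPBindDN "cn=youruser,o=ctx"
    AuthLDAPBindPassword placeholder-password-1
    AuthLDAPURL "ldap://ldap.example.com/o=ctx"
</AuthzProviderAlias>

<AuthzProviderAlias ldap-group ldap-group-alias2 "cn=my-other-group,o=dev">
    AuthLDAPBindDN "cn=yourotheruser,o=dev"
    AuthLDAPBindPassword placeholder-password-2
    AuthLDAPURL "ldap://other-ldap.example.com/o=dev?cn"
</AuthzProviderAlias>

Alias "/secure" "/webpages/secure"
<Directory "/webpages/secure">
    AuthType Basic
    AuthName "LDAP Protected Place"

    # Authentication (authn): the ldap provider needs its own URL and
    # bind settings here. Omitting AuthLDAPURL produces the "missing
    # AuthLDAPUrl" complaint reported in the thread.
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.com/o=ctx?uid"
    AuthLDAPBindDN "cn=youruser,o=ctx"
    AuthLDAPBindPassword placeholder-password-1

    # No "Require all granted": as reported in the thread, that line
    # lets anyone in, because the Require lines here are OR-ed together.

    # Implied OR: membership in either group is sufficient.
    Require ldap-group-alias1
    Require ldap-group-alias2
</Directory>
```

Running `apachectl configtest` after editing catches a missing AuthLDAPURL or AuthUserFile at load time, but not an over-permissive Require line, so an unauthenticated request to the protected path is the check that matters.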
Re: Confusing (incorrect?) documentation for AuthzProviderAlias
On Sat, 3 Dec 2022 at 20:39, Eric Covener <covener@gmail.com> wrote:

Thanks for the speedy reply.

>
> On Sat, Dec 3, 2022 at 3:21 PM sebb <sebbaz@gmail.com> wrote:
> >
> > The documentation for AuthzProviderAlias [1] looks wrong.
> >
> > AFAICT including 'Require all granted' means that anyone can access
> > the directory.
> > This is borne out by my local testing.
>
> That is odd and should not be in the example, even in such a contrived one.

Should I raise a bug then?

> > If I remove the Require line, then httpd complains "AuthUserFile not
> > specified in the configuration". Presumably this is because auth is
> > now needed, but the config is incorrect.
> >
> > If I change AuthBasicProvider to ldap, it complains that AuthLDAPUrl is missing.
> >
> > This is a bit surprising, given that it is specified in the alias definition.
> > Also it's not at all obvious what URL should be used, given that the
> > two aliases use different URLs.
>
> AuthBasicProvider is used for authn, not authz, so it can't get
> configuration from an AuthzProviderAlias.
> If you're authenticating against LDAP, you need to provide a URL.

I see now, thanks.

> Authentication can occur against a file and Authorization against
> LDAP, but I think it's pretty rare (much less in the only example).
>
> > How is one supposed to use AuthzProviderAlias with LDAP auth?
>
> I don't know a ton about LDAP, but all of the combinations seem kind
> of contrived. Maybe the best fix to the example is to use LDAP for
> authn, with an AuthLDAPURL, and call the "other" alias some kind of
> unusual 2nd LDAP server that has additional groups who might have the
> same DN from the authentication LDAP server in other groups.

It might be better to use an example of LDAP groups which use
different attributes for their members.

Re: Confusing (incorrect?) documentation for AuthzProviderAlias
On Sat, Dec 3, 2022 at 5:13 PM sebb <sebbaz@gmail.com> wrote:
>
> On Sat, 3 Dec 2022 at 20:39, Eric Covener <covener@gmail.com> wrote:
>
> Thanks for the speedy reply.
>
> >
> > On Sat, Dec 3, 2022 at 3:21 PM sebb <sebbaz@gmail.com> wrote:
> > >
> > > The documentation for AuthzProviderAlias [1] looks wrong.
> > >
> > > AFAICT including 'Require all granted' means that anyone can access
> > > the directory.
> > > This is borne out by my local testing.
> >
> > That is odd and should not be in the example, even in such a contrived one.
>
> Should I raise a bug then?

yes please
