From: jan@unixpapa.com Date: Thu, 6 Oct 2011 19:11:50 +0000 (+0000) Subject: Documentation updates X-Git-Tag: mod_authnz_external-3.3.1~6 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=00506bb54d36d0c3257fa3b6b4a9d10a73500306;p=apache-authnz-external Documentation updates --- diff --git a/mod_authz_unixgroup/CHANGES b/mod_authz_unixgroup/CHANGES index 8e684ef..f8a524f 100644 --- a/mod_authz_unixgroup/CHANGES +++ b/mod_authz_unixgroup/CHANGES @@ -1,6 +1,12 @@ -v1.1.0 (Jan Wolter - ) +v1.1.0 (Jan Wolter - Oct 6, 2011) ----------------------------------- - * Revised to work with Apache 2.4. + * Revised to work as an access control provider in Apache 2.4. + * Eliminated "AuthzUnixgroup on" directive because it is no longer needed. + * Eliminated "AuthnzUnixgroupError 403" directive because it is supplanted + by "AuthzSendForbiddenOnFailure On". + * Eliminated "AuthzUnixgroupAuthoritative off" directive because the whole + concept of authoritativeness is dead for access control providers in + Apache 2.4. v1.0.3 (Jan Wolter - Oct 6, 2011) ------------------------------------ diff --git a/mod_authz_unixgroup/INSTALL b/mod_authz_unixgroup/INSTALL index f4419a7..46f1056 100644 --- a/mod_authz_unixgroup/INSTALL +++ b/mod_authz_unixgroup/INSTALL 
@@ -95,18 +95,14 @@ Step 4: CONFIGURATION: -------------- -Mod_authz_unixgroup is pretty simple to use. First, you need to enable it -for whatever directory you want to use it in, by inserting the following -directive either in a .htaccess file in the directory or a block -in the httpd.conf file: +Mod_authz_unixgroup is extremely simple to use. Presumably you already are +setting up some kind of authentication in a .htaccess file or in a + block in the httpd.conf file. You'll just need to change the +"Require" directive there to something like: - AuthzUnixgroup on - -Second, you will need a require directive like - - Require group admin + Require unix-group admin or - Require group students teachers staff + Require unix-group students teachers staff Obviously this only makes sense in a directory where you are doing authentication. This could be any kind of authentication, but it makes @@ -127,7 +123,7 @@ be in one of the unix groups listed on the Require line. It is also possible to list groups by gid number instead of name, like - Require group 10 + Require unix-group 10 would be equivalent to "Require group admin" if the gid listed for the group admin in /etc/group is 10. 
@@ -136,12 +132,20 @@ If mod_authz_owner is enabled in your httpd, then that will work with mod_authz_unixgroup to check access based on file groups. For example if we do: - AuthzUnixgroup on - Require file-group + Require unix-file-group Then a user will be able to access a file if and only if that file is owned by a group of which the user is a member. +Changes from Previous Versions: +------------------------------- + +Previous versions of mod_authz_unixgroup needed a 'AuthzUnixgroup on' to +tell Apache that the "Require file-group" directive was supposed to be +handled by mod_authz_unixgroup. Now we have a distinct directive, +"Require unix-file-group" instead, so the 'AuthzUnixgroup' is no longer +needed and no longer exists. + Normally, when an access check fails, mod_authz_unixgroup will return a HTTP 401 error. This will typically cause the browser to pop up a message saying "Authentication Failed" and then the browser will ask for a new login 
@@ -149,15 +153,12 @@ name. In some cases this is not the desired behavior. If you are using the "Require file-group" directive, you may not want to log the user off every time he hits a file he doesn't have access to. Maybe you'd rather just show a "Permission denied message" and not log him off. You could do that by -directing mod_authz_unixgroup to return a 403 error instead of a 401 error. -You can do this with the following directive: - - AuthnzUnixgroupError 403 +returning 403 error instead of a 401 error. Older versions of +mod_authz_unixgroup had a directive called 'AuthnzUnixgroupError' that did +this, but in Apache 2.4 that is replaced with a new standard Apache directive: -By default, mod_authz_unixgroup is authoritative. If you want to use more -than one group checker, like mod_authz_unixgroup together with -mod_authz_groupfile or mod_authz_dbm, then you'll want to make them non- -authoritative, so that if one fails, the other will be tried. You can -make mod_authz_unixgroup non-authoritative by saying: + AuthzUnixgroupAuthoritative off - AuthzUnixgroupAuthoritative off +There also used to be an 'AuthzUnixgroupAuthoritative' directive which is +also gone, since the whole concept of authoritativeness no longer applies +to access control providers in Apache 2.4. diff --git a/mod_authz_unixgroup/README b/mod_authz_unixgroup/README index a5570d8..215f99b 100644 --- a/mod_authz_unixgroup/README +++ b/mod_authz_unixgroup/README 
@@ -23,10 +23,9 @@ following directives: That would cause mod_auth_basic and mod_authnz_external to do authentication based on the Unix passwd database. Mod_Authz_Unixgroup would come into play if you wanted to further restrict access to specific Unix groups. You might -append the following directives: +append the following directive: - AuthzUnixgroup on - Require group staff admin + Require unix-group staff admin This would allow only access to accounts in the 'staff' or 'admin' unix groups. You can alternately specify groups by their gid numbers instead of their names. @@ -34,7 +33,7 @@ You can alternately specify groups by their gid numbers instead of their names. Or you could use mod_authz_unixgroup together with the standard apache module mod_authz_owner to do something like: - Require file-group + Require unix-file-group This would allow access to the page, only the user was a member of the unix group that owns the file. @@ -53,10 +52,10 @@ mod_authz_unixgroup will take the part before the @-sign as the username and ignore the rest. Mod_authnz_external is available from: - http://www.unixpapa.com/mod_auth_external/ + http://code.google.com/p/mod-auth-external/ Pwauth is available from: - http://www.unixpapa.com/pwauth/ + http://code.google.com/p/pwauth/ It might also be possible to use this with mod_auth_shadow, expecially if a authn/authz version of that is ever released.
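Review bot: The v1.1.0 entry added in mod_authz_unixgroup/CHANGES lists the three eliminated directives but does not mention that the Require keywords themselves were renamed, which the INSTALL and README hunks show ("Require group" became "Require unix-group", and "Require file-group" became "Require unix-file-group"). Anyone upgrading an existing access-control configuration needs that most, so add a bullet for it next to "Revised to work as an access control provider in Apache 2.4."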
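Review bot: In the INSTALL hunk at -127,7 +123,7 the example is updated to "Require unix-group 10", but the unchanged sentence right after it still reads 'would be equivalent to "Require group admin"'. The hunk should also change that line to "Require unix-group admin" so the gid example and its explanation name the same directive.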
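Review bot: The new "Changes from Previous Versions" section in the INSTALL hunk at -136,12 +132,20 explains only the "Require file-group" case, but the lines removed in the -95,18 hunk show that 'AuthzUnixgroup on' was also required alongside "Require group". Mention the "Require group" to "Require unix-group" rename here as well. The heading is also inserted directly above the existing "Normally, when an access check fails" paragraph, so the general 401 behaviour description now reads as part of the change notes. Consider placing the new section after that discussion, or giving the 401/403 text its own heading.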
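Review bot: In the INSTALL hunk at -149,15 +153,12 the sentence ending "replaced with a new standard Apache directive:" is followed by the added line "AuthzUnixgroupAuthoritative off", which is the directive the next added paragraph says is gone. The CHANGES hunk names the replacement as "AuthzSendForbiddenOnFailure On", so the example line should show that instead. As written, the documentation points readers who want a 403 response at a directive that no longer exists. The unchanged text at the top of the same hunk also still refers to the "Require file-group" directive and should say "Require unix-file-group".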