From mikemol at gmail.com Wed Jun 13 21:52:25 2012
From: mikemol at gmail.com (Michael Mol)
Date: Wed, 13 Jun 2012 15:52:25 -0400
Subject: [mpm-itk] Configuration directives valid scope
Message-ID:

The documentation on the website[1] describes three configuration directives:

* AssignUserID
* MaxClientsVHost
* NiceValue

...but doesn't describe which scopes they're valid in. Are those directives only valid as part of the scope, or might I also put them in a scope?

The particular scenario I face involves mod_dav_svn to an NFS mount, and getting UIDs mapped in a reasonably secure and robust manner; I intend to have AssignUserID associate with a user found in Active Directory.

My configuration looks roughly like this:

... settings for a website ...
... settings for authenticated mod_dav_svn ...

For me, a Good result would be:
* mpm_itk forks over to another user when someone accesses this virtualhost.

A Better result would be:
* mpm_itk forks over to a static UID when someone accesses the /svn_repo path of this virtual host.

The absolute best result would be:
* mpm_itk forks over to the user authenticated via Apache's Basic auth challenge, which only occurs within the /svn_repo portion of the virtual host.[2]

[1] http://mpm-itk.sesse.net/
[2] As things stand, I do have apache successfully and securely doing basic auth against AD, and that only for the portion specified inside the directive. It would be icing on the cake, so to speak, if I could have mpm_itk fork and continue as that user.

-- 
:wq

From sgunderson at bigfoot.com Wed Jun 13 22:18:34 2012
From: sgunderson at bigfoot.com (Steinar H. Gunderson)
Date: Wed, 13 Jun 2012 22:18:34 +0200
Subject: [mpm-itk] Configuration directives valid scope
In-Reply-To:
References:
Message-ID: <20120613201833.GA3719@uio.no>

On Wed, Jun 13, 2012 at 03:52:25PM -0400, Michael Mol wrote:
> The documentation on the website[1] describes three configuration directives:
>
> * AssignUserID
> * MaxClientsVHost
> * NiceValue
>
> ...but doesn't describe which scopes they're valid in.

From the web site:

  AssignUserID and NiceValue can be set wherever you'd like in the Apache
  configuration, except in .htaccess. MaxClientsVHost can only be set inside a
  VirtualHost directive.

> The absolute best result would be:
> * mpm_itk forks over to the user authenticated via Apache's Basic auth
> challenge, which only occurs within the /svn_repo portion of the
> virtual host.

This is not currently supported, unfortunately; it _might_ be with Apache 2.4 at some point in the future, but I won't guarantee anything (I haven't had the time to dig properly into the new functionality).

/* Steinar */
-- 
Homepage: http://www.sesse.net/

From mikemol at gmail.com Wed Jun 13 22:23:43 2012
From: mikemol at gmail.com (Michael Mol)
Date: Wed, 13 Jun 2012 16:23:43 -0400
Subject: [mpm-itk] Configuration directives valid scope
In-Reply-To: <20120613201833.GA3719@uio.no>
References: <20120613201833.GA3719@uio.no>
Message-ID:

On Wed, Jun 13, 2012 at 4:18 PM, Steinar H. Gunderson wrote:
> On Wed, Jun 13, 2012 at 03:52:25PM -0400, Michael Mol wrote:
>> The documentation on the website[1] describes three configuration directives:
>>
>> * AssignUserID
>> * MaxClientsVHost
>> * NiceValue
>>
>> ...but doesn't describe which scopes they're valid in.
>
> From the web site:
>
> AssignUserID and NiceValue can be set wherever you'd like in the Apache
> configuration, except in .htaccess. MaxClientsVHost can only be set inside a
> VirtualHost directive.

Had to go back and search for the text. Don't know how I missed it there. :-/ I may have been thrown by the dissimilarity in layout from docs for other apache modules.

>> The absolute best result would be:
>> * mpm_itk forks over to the user authenticated via Apache's Basic auth
>> challenge, which only occurs within the /svn_repo portion of the
>> virtual host.
>
> This is not currently supported, unfortunately; it _might_ be with Apache 2.4
> at some point in the future, but I won't guarantee anything (I haven't had
> the time to dig properly into the new functionality).

I realized one caveat after I sent that email. AssignUserID requires two arguments, a username and a group name. However, HTTP basic auth will only provide a username; group would have to be supplied separately. Perhaps separate 'AssignUser' and 'AssignGroup' directives?

Anyway, thank you for your time.

-- 
:wq

From sgunderson at bigfoot.com Wed Jun 13 22:30:30 2012
From: sgunderson at bigfoot.com (Steinar H. Gunderson)
Date: Wed, 13 Jun 2012 22:30:30 +0200
Subject: [mpm-itk] Configuration directives valid scope
In-Reply-To:
References: <20120613201833.GA3719@uio.no>
Message-ID: <20120613203030.GB3719@uio.no>

On Wed, Jun 13, 2012 at 04:23:43PM -0400, Michael Mol wrote:
> I realized one caveat after I sent that email. AssignUserID requires
> two arguments, a username and a group name. However, HTTP basic auth
> will only provide a username; group would have to be supplied
> separately. Perhaps separate 'AssignUser' and 'AssignGroup'
> directives?

Well, if you would implement this, you'd probably need some way of specifying the group separately from whatever came from the authorization header, yes. But that still means you'd need to run your entire LDAP lookup etc. as root, which might not be ideal.

/* Steinar */
-- 
Homepage: http://www.sesse.net/

From mikemol at gmail.com Wed Jun 13 22:55:14 2012
From: mikemol at gmail.com (Michael Mol)
Date: Wed, 13 Jun 2012 16:55:14 -0400
Subject: [mpm-itk] Configuration directives valid scope
In-Reply-To: <20120613203030.GB3719@uio.no>
References: <20120613201833.GA3719@uio.no> <20120613203030.GB3719@uio.no>
Message-ID:

On Wed, Jun 13, 2012 at 4:30 PM, Steinar H. Gunderson wrote:
> On Wed, Jun 13, 2012 at 04:23:43PM -0400, Michael Mol wrote:
>> I realized one caveat after I sent that email. AssignUserID requires
>> two arguments, a username and a group name. However, HTTP basic auth
>> will only provide a username; group would have to be supplied
>> separately. Perhaps separate 'AssignUser' and 'AssignGroup'
>> directives?
>
> Well, if you would implement this, you'd probably need some way of specifying
> the group separately from whatever came from the authorization header, yes.
> But that still means you'd need to run your entire LDAP lookup etc. as root,
> which might not be ideal.

I'm actually using saslauthd as the auth backend, which delegates to PAM, which gets to AD via samba and winbind. Heck of a lot easier than hitting AD directly over LDAP.

-- 
:wq

From raphael at skyleafdesign.com Tue Jun 19 21:13:22 2012
From: raphael at skyleafdesign.com (Raphael)
Date: Tue, 19 Jun 2012 14:13:22 -0500
Subject: [mpm-itk] Itk on SUSE
Message-ID: <20120619191305.911BF3900AB@smtp-out-2.01.com>

Anyone got apache2-itk working on SLES 11 SP2? There is a package in the opensuse build service, but it's in a non-working state.
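The scoping rules Steinar quoted in the "Configuration directives valid scope" thread, applied to Michael's mod_dav_svn scenario, as an added example that is not part of the list archive or of mpm-itk's own documentation. Hostname, paths, user and group names, and the numeric values are assumptions; the Basic-auth provider directives are omitted since Michael's saslauthd/PAM chain is site-specific.

```apache
# Added example (not from the thread). Assumed names and values throughout.
<VirtualHost *:80>
    ServerName   svn.example.com       # assumed hostname
    DocumentRoot /srv/www/example      # assumed path

    # AssignUserID and NiceValue are accepted anywhere in the Apache
    # configuration except .htaccess; at vhost level they set the
    # identity every request to this vhost is served under
    # (the "Good" result from the thread).
    AssignUserID www-example www-example   # assumed user/group
    NiceValue 5

    # MaxClientsVHost is only valid inside <VirtualHost>.
    MaxClientsVHost 20

    # The "Better" result: a fixed identity for the repository path only.
    # AssignUserID in a <Location> overrides the vhost-level setting for
    # requests under /svn_repo, so the NFS-backed repository is touched
    # by one known UID rather than by the general web user.
    <Location /svn_repo>
        DAV svn
        SVNParentPath /mnt/nfs/svn          # assumed NFS mount
        AssignUserID svnuser svngroup       # assumed static user/group

        # Basic auth stays scoped to this Location, as in Michael's setup.
        # The authenticated username is NOT propagated to AssignUserID;
        # that is the "best" result the thread says is unsupported.
        AuthType Basic
        AuthName "Subversion"
        # AuthBasicProvider / backend directives omitted (site-specific)
        Require valid-user
    </Location>
</VirtualHost>
```

Putting AssignUserID in a .htaccess file under the DocumentRoot is the one placement the module rejects, so per-path overrides belong in <Location> or <Directory> blocks of the server config as above.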