mod_auth_file - any way to use group that is not pointed in documentation

Added by mckaygerhard over 2 years ago

module auth basic is working with md5 and digest, but i cannot get any info about how to use with group access.. https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_ModAuth/77#plain-mod_authn_file at this date

i cannot find any reference in documentation .. only in the ldap part.. all the web servers support groups in the auth http options

i used /usr/sbin/lighttpd -tt -f /etc/lighttpd/lighttpd.conf and got error that seems valid-user cannot be used with a specific group.. as log said:


2021-09-23 12:51:07: mod_auth.c.366) error parsing auth.require 'require' field: missing '=' (expecting "valid-user" or "user=a|user=b|group=g|host=h"). error value: valid-user|group=presidencia error near: valid-user|group=presidencia
2021-09-23 12:51:07: server.c.1517) Configuration of plugins failed. Going down.

details of environment:

OS: debian 11
Ver: 1.4.59-1
Cnf: default

after install i just enable all the required modules:

apt-get install lighttpd && lighttpd-enable-mod accesslog auth unconfigured

the configuration is so organized and split in debian so i will translate it for you guys in an unorganized way:

server.document-root        = "/var/www/html" 
server.upload-dirs          = ( "/var/cache/lighttpd/uploads" )
server.errorlog             = "/var/log/lighttpd/error.log" 
server.pid-file             = "/run/lighttpd.pid" 
server.username             = "www-data" 
server.groupname            = "www-data" 
server.port                 = 80
## this is just misc. so is not affected 
include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
include_shell "/usr/share/lighttpd/create-mime.conf.pl" 
include "/etc/lighttpd/conf-enabled/*.conf" 
## modules and order is important too of course:
server.modules = (
    "mod_indexfile",
    "mod_access",
    "mod_alias",
    "mod_redirect",
    "mod_dirlisting",
    "mod_staticfile",
    "mod_auth",
    "mod_setenv",
    "mod_accesslog",
)
dir-listing.encoding = "utf-8" 
server.dir-listing   = "enable" 
# setup for plain backend, this is the relevant part and i want to use usergroups
auth.backend                = "plain"
auth.backend.plain.userfile = "/tmp/lighttpd/lighttpd.user"
auth.require = (
    "/protedted" => (
        "method"    => "basic",
        "realm"     => "aword",
        "algorithm" => "MD5",
        "require"   => "valid-user|group=presidencia"
    ),
)
debug.log-request-handling = "enable" 

Replies (13)

RE: mod_auth_file - any way to use group that is not pointed in documentation - Added by mckaygerhard over 2 years ago

sorry i forgot, the htuser passwd file is in the format of:


susan1:deide1
susan2:$1$5Z5Th$pdRokC9f.G7akwnbizt8Y

the htgroup file is


presidencia: susan1 susan2

RE: mod_auth_file - any way to use group that is not pointed in documentation - Added by gstrauss over 2 years ago

Where did you tell lighttpd.conf about your htgroup file? How do you think that could work without specifying the htgroup file?

> that is not pointed in documentation

See mod_auth Limitations:

> As of 1.4.19 the group field inside the require directive is not yet implemented. So auth.backend.plain.groupfile is of no use at this moment. (Note: group support for LDAP is available since lighttpd 1.4.46 (#1817))

RE: mod_auth_file - any way to use group that is not pointed in documentation - Added by gstrauss over 2 years ago

> i used /usr/sbin/lighttpd -tt -f /etc/lighttpd/lighttpd.conf and got error that seems valid-user cannot be used with a specific group.. as log said:
>
> 2021-09-23 12:51:07: mod_auth.c.366) error parsing auth.require 'require' field: missing '=' (expecting "valid-user" or "user=a|user=b|group=g|host=h"). error value: valid-user|group=presidencia error near: valid-user|group=presidencia
> 2021-09-23 12:51:07: server.c.1517) Configuration of plugins failed. Going down.

I do not think that you understand what "valid-user" means. It means any valid user; any authenticated user.

I do not think that you understand what group membership entails. To be a member of a group, first you need to be an authenticated user. If you failed authentication, how can (failure) be a valid member of any group? If authorization requires any "valid-user", then specifying group membership is excessive, since the user is already a "valid-user".

Repeating what I posted above, lighttpd mod_auth Limitations documents that group support is not implemented in lighttpd mod_auth other than for mod_authn_ldap. mod_authn_dbi has limited support for groups in a different way, if specified in the SQL statement.

Group support in mod_auth is not a feature that has been requested by a sufficient number of (or by any) people in many, many years. Those who need it probably have more advanced authentication needs and use a FastCGI authorizer for custom auth, or use something similar to Bearer auth with (external module) mod_authn_tkt.
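Added example (not part of this thread and not lighttpd code): a Python sketch that checks a 'require' value against the grammar printed in the error message above and, since group= is not implemented for the plain backend, expands the posted htgroup line into an explicit user=a|user=b list. The function names are hypothetical, and the htgroup format is assumed to be the one posted in this thread.

```python
import re

# Grammar as printed in the error message quoted in this thread:
#   "valid-user"  or  "user=a|user=b|group=g|host=h"
KEYS = {"user", "group", "host"}

def check_require(value):
    """Return problems found in an auth.require 'require' value ([] if none)."""
    if value == "valid-user":
        return []
    problems = []
    for token in value.split("|"):
        key, eq, name = token.partition("=")
        if not eq:
            problems.append(f"missing '=' near: {token}")
        elif key not in KEYS:
            problems.append(f"unknown key: {key}")
        elif not name:
            problems.append(f"missing name after '=': {token}")
        elif key == "group":
            # Thread: group is not implemented in mod_auth other than for LDAP.
            problems.append(f"group= not implemented for this backend: {name}")
    return problems

def parse_htgroup(text):
    """Parse 'group: user1 user2' lines (format assumed from the thread)."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        group, _, members = line.partition(":")
        groups.setdefault(group.strip(), []).extend(members.split())
    return groups

def require_for_group(groups, group):
    """Expand one group into an explicit user=a|user=b list; fail closed."""
    members = sorted(set(groups.get(group, [])))
    if not members:
        raise ValueError(f"group {group!r} is missing or empty")
    for m in members:
        if re.search(r'[|=\s"]', m):
            raise ValueError(f"unsafe user name: {m!r}")
    return "|".join(f"user={m}" for m in members)

HTGROUP = "presidencia: susan1 susan2\n"  # htgroup content as posted above
```

The generated string has to be regenerated whenever the group file changes, because lighttpd itself never reads that file.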

RE: mod_auth_file - any way to use group that is not pointed in documentation - Added by mckaygerhard over 2 years ago

i already know what that means.. but documentation is not in sync with logs from lighttpd that "expected" a regular expression that based on your documentation is not valid.. so confused.. but thanks in any case..

group based auth is supported in other web browsers auth modules so there's no big error in my request for educational purposes.

when a person tries to learn, they never start from the most complicated.. that's why i am asking for the simplest way until the most secured etc etc.. but this is a behaviour that i myself made too.. don't worry i like the rude way you are.. is like me!

RE: mod_auth_file - any way to use group that is not pointed in documentation - Added by gstrauss over 2 years ago

If something is not documented on this site, do not assume that lighttpd supports it.

Also, you should read the documentation more carefully. You have repeatedly made false statements that something was not documented when documentation did in fact exist. (I make no claim that the documentation is perfect or complete, especially when it comes to your recent security-ignorant demands for insecure examples.)

> when a person tries to learn, they never start from the most complicated

You're not trying to learn. You're making ungrounded assumptions (guessing), failing to cross-reference the documentation, and then asking to be spoon-fed. I am done "reading" the documentation to you. With all your questions recently, I have not made any edits to the documentation since the documentation has been correct, even when you falsely claimed that it was not.

RE: mod_auth_file - any way to use group that is not pointed in documentation - Added by adga137 over 2 years ago

I always asked this question, the fact is that in lighttpd I have only been able to use basic and digest with plain file, in these last three days I have seen about this issue, I agree with him that the documentation does not indicate so clear or nicely how to enter the data to the database, neither details of other method, only point about security, more than one time! I appreciate too, the help if someone comes to provide it the exact way to achieve it and how to make this work.

RE: mod_auth_file - any way to use group that is not pointed in documentation - Added by adga137 over 2 years ago

I think the regular expression in terms of what "valid-user" means The documentation is clear not in sync with logs from lighttpd that "expected" a regular expression that based on your documentation is not valid.. ("user=a|user=b|group=g|host=h") that there is not much desire to ask, and it is certainly funny that two haters ask themselves things, unfortunately only the community suffers with this, can't they just answer without mentioning how unintelligent the counterpart is?

RE: mod_auth_file - any way to use group that is not pointed in documentation - Added by gstrauss over 2 years ago

adga137 you are possibly a troll. Your account was created today. If you had been following this forum so closely, then you probably would have asked a question long ago. The nuances of your language suggest that you are an alt of mckaygerhard.

As I have posted before on this site, you are more likely to receive assistance when you demonstrate some effort. Ask a thoughtful and respectful question and you are more likely to get a thoughtful answer, or at least a pointer in the right direction.

"Do it for me" is not a thoughtful question. "Do it for me" demands are frequently not answered at all, since doing so tends to lead to more "do it for me" demands.

Sharing observations and context is encouraged. "I tried 'this' and when I tested, I saw 'that'. I was hoping for 'this other thing'."
Those are different from stating demands. If you are asking questions, then stating ignorant assumptions or making false statements as declarations is likely to receive a critical response.

If you do not know how to use a database, you will continue to find that this is not the place where you will be taught SQL. This is a website for the lighttpd web server.

RE: mod_auth_file - any way to use group that is not pointed in documentation - Added by adga137 over 2 years ago

no, mckaygerhard is my friend, you can find me on telegram as adga137 and we can have a video call about it, understand "Do it for me", The issue is that we need a functionality for a web file management system in the cloud, and we have tried with security methods and without them and we also have problems with auth.

I have been using and documenting myself with lighttpd or lighty for several years.

and by the way you can search for my fingerprint on the internet as adga137 you will find it easily

gitlab.com adga137
github.com adga137

RE: mod_auth_file - any way to use group that is not pointed in documentation - Added by gstrauss over 2 years ago

> I agree with him that the documentation does not indicate so clear or nicely how to enter the data to the database

Shell script examples are provided in the paragraphs directly above mod_authn_dbi in the section about htdigests, and this is stated in the mod_authn_dbi documentation:
> If storing hashes (message digests), the hash is the message digest of the combination of $user:$realm:$pass, and the unique $user:$realm: combination fills in as the salt. (e.g. refer to the htdigest format above, with user, realm, and hash in separate database columns).

As I posted above to mckaygerhard: I am done "reading" the documentation to you.

If you do not know how to use a database, you will continue to find that this is not the place where you will be taught SQL. This is a website for the lighttpd web server.

Since you do not appear to know how to use a database, I suggest that you continue to use file-based auth, preferably htdigest, which is more secure than plain text.
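Added example (not part of this thread and not lighttpd code): a Python sketch of moving the plain userfile posted earlier to the htdigest format, where each line is user:realm:MD5(user:realm:pass) as described in the quoted documentation. The function names are hypothetical, the realm "aword" is taken from the posted config, and entries that look like crypt(3) hashes are set aside on the assumption that the plaintext password is not known.

```python
import hashlib
import hmac
import re

# md5-crypt / bcrypt / sha-crypt style prefixes. Such a value in a cleartext
# userfile cannot be converted, because the real password is not known.
CRYPT_LIKE = re.compile(r"^\$(1|2[aby]?|5|6|apr1)\$")

def htdigest_line(user, realm, password):
    """Build one htdigest line: user:realm:MD5(user:realm:password)."""
    digest = hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()
    return f"{user}:{realm}:{digest}"

def migrate_plain(plain_text, realm):
    """Convert 'user:password' lines; return (htdigest_lines, skipped_users)."""
    out, skipped = [], []
    for line in plain_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, sep, password = line.partition(":")
        if not sep or not password or CRYPT_LIKE.match(password):
            skipped.append(user)  # needs a password reset, not a conversion
            continue
        out.append(htdigest_line(user, realm, password))
    return out, skipped

def verify(htdigest_lines, user, realm, password):
    """Check a login attempt against htdigest lines with a constant-time compare."""
    candidate = htdigest_line(user, realm, password).encode()
    return any(hmac.compare_digest(candidate, l.encode()) for l in htdigest_lines)

# Userfile content and realm as posted earlier in this thread.
PLAIN = "susan1:deide1\nsusan2:$1$5Z5Th$pdRokC9f.G7akwnbizt8Y\n"
REALM = "aword"
```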

RE: mod_auth_file - any way to use group that is not pointed in documentation - Added by gstrauss over 2 years ago

> and we can have a video call about it

???

> The issue is that we need a functionality for a web file management system in the cloud, and we have tried with security methods and without them and we also have problems with auth.

If you are looking to hire someone for a contract, then please post an RFP.

RE: mod_auth_file - any way to use group that is not pointed in documentation - Added by mckaygerhard over 2 years ago

interesting.. we are trying to provide help to others.. and all finish in "fire me" XD .. we are tired with that.. as always we end in nginx and apache shit.. cos lighty is good but developers.. .... humm

RE: mod_auth_file - any way to use group that is not pointed in documentation - Added by gstrauss over 2 years ago

"Do it for me" demands do not constitute you helping others. Your "contributions" here have not been contributions of any value.

You and your friend have not made much effort to understand the already existing documentation, which I had to quote at you multiple times.
