# [SOLVED] Apache: 'Require group' breaks 'Require user'?

## the_g_cat

Hello,

I have a hard time understanding how apache handles the 'Require' directive, espacially how that directive handles precedence of 'group' and 'user' options.

I want to have a group of users (let's call the group write_group) accessing a WebDAV share, and one additional user (read_user) who should only be able to read the share. That's how I thought to configure it:

```

    Alias /webdav/share "/some/path/to/share"

    <Directory /some/path/to/share>

        Dav On

        Options +Indexes

        AddDefaultCharset UTF-8

        AuthType Basic

        AuthName "Test share"

        AuthUserFile /path/to/htpasswd2_file

        AuthGroupFile /path/to/group_file

        <Limit GET HEAD OPTIONS PROPFIND>

            Require group write_group

            Require user read_user

        </Limit>

        <LimitExcept GET HEAD PROPFIND OPTIONS>

            Require group write_group 

        </LimitExcept>

        Order allow,deny

        Allow from all

    </Directory>

```

I had also tried it without the <Limit></Limit> part, but the two included Requires in the <Directory></Directory> part, but I got similar errors. The error I get from the error_log:

```

[Wed Mar 12 11:35:19 2008] [error] [client xx.xx.xx.xx] Authorization of user read_user to access /webdav/share failed, reason: user doesn't appear in group file (/path/to/group_file).

```

I solved the problem for now by creating an extra group for the read_user user, and adding the group to the Require group in the <Limit></Limit> block, but I don't really find that satisfying. Anyone has a better idea or maybe an explanation as to why I can't have a user who is not listed in the group_file?Last edited by the_g_cat on Fri Mar 14, 2008 5:14 pm; edited 1 time in total

----------

## the_g_cat

*bump* Noone on this one either?  :Sad: 

----------

## the_g_cat

Well, after chatting with some people over in #gentoo-apache (freenode.net), we have sorted out the problem.

Per default, apache seems to need every user to fulfill every Require rule (see here http://httpd.apache.org/docs/2.2/mod/mod_authz_groupfile.html#authzgroupfileauthoritative ). By setting AuthzGroupFileAuthoritative to On, apache only needs one of the Requires to be true for the user to be authenticated (well, it's a little more complicated than that, but if you need complexer setups, go read the apache docs linked above, chances are you should be qualified enough to make something out of it  :Smile:  ).

----------

