Group lines in (mod_authz_groupfile) AuthGroupfiles appear to have a maximum fixed size of 8192 characters including the group name, colon, whitespace and end-of-line character(s). Usernames on such a long group line, appearing past the 8192-byte limit, will not be let in:

---8<---
[Fri Aug 10 13:09:33 2007] [error] [client 130.238.131.137] Authorization of user XYZ to access /Pass/index.html failed, reason: user doesn't appear in group file (/apache/secret/abc/def/.htgroup)., referer: http://www.xyz.uu.se/
--->8---

...even though they are present on the line and hence should be considered a member of the group.

Attaching example files to test this. The username "test" will not be considered a member of the group "brokengroup", but will be considered a member of the group "okgroup". (Tested on both Linux and AIX.)
Created attachment 20636
Example AuthGroupFile

The user "test" will be considered a user of the group "okgroup", but not of the group "brokengroup", due to line lengths.
Created attachment 20637
Example .htaccess file

Adjust the path to the user and group files. Try adding "okgroup" to the list of allowed groups (and not). Notice the difference (let in vs not let in).
True - the line length is limited by the value in include/httpd.h near line 310

    /** The length of a Huge string */
    #define HUGE_STRING_LEN 8192

This line-length limit applies to user files, group files, config files, log lines, mod_ssl passphrases, and many other things in Apache. Changing it for all of them seems disruptive. A site with a unique requirement could change the value in httpd.h and re-build Apache.

Should this really be fixed? Very large group lists may be better handled by DBM or DBD than extra long lines in a flat file.
Fixed in trunk in r1157354
fixed in 2.4.1
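
For servers that predate the fix, the condition reported above can be audited offline. The script below is an added example, not part of the original thread or of Apache httpd: it flags group lines longer than 8192 bytes (end-of-line included) and lists the members that fall past the limit. The function names, the sample data and the treatment of a name that straddles the boundary are assumptions.

```python
import re
import sys

HUGE_STRING_LEN = 8192  # value quoted in the thread from include/httpd.h
MEMBER = re.compile(rb"\S+")


def audit_group_file(data, limit=HUGE_STRING_LEN):
    """Return a finding for each group line longer than `limit` bytes.

    Length includes the end-of-line bytes, as in the report. Assumption:
    a member whose last byte lies past `limit` is treated as unreadable.
    """
    findings = []
    for lineno, raw in enumerate(data.splitlines(keepends=True), start=1):
        if len(raw) <= limit:
            continue
        body = raw.rstrip(b"\r\n")
        group, colon, _ = body.partition(b":")
        if not colon or group.lstrip().startswith(b"#"):
            continue  # comment or malformed line, not "group: user ..."
        at_risk = [m.group().decode("utf-8", "replace")
                   for m in MEMBER.finditer(body, len(group) + 1)
                   if m.end() > limit]
        findings.append({"line": lineno,
                         "group": group.strip().decode("utf-8", "replace"),
                         "length": len(raw),
                         "at_risk": at_risk})
    return findings


def constructed_sample():
    """Constructed input: a short group line and one of 9018 bytes."""
    filler = " ".join(f"user{i:04d}" for i in range(1000))
    return ("okgroup: test\n"
            f"brokengroup: {filler} test\n").encode()


if __name__ == "__main__":
    # Pass a group file path, or run with no argument for the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = constructed_sample()
    for hit in audit_group_file(data):
        print(f"line {hit['line']}: group {hit['group']!r} is {hit['length']} "
              f"bytes; {len(hit['at_risk'])} member(s) end past byte {HUGE_STRING_LEN}")
```

Members reported as at risk are the ones to verify against the server's authorization behaviour before relying on the group for access decisions.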