http://issues.apache.org/bugzilla/show_bug.cgi?id=40075

------- Additional Comments From [EMAIL PROTECTED] 2007-01-11 08:03 -------

Unless I am missing something, the AuthLDAPRequireDN functionality is being handled by AuthLDAPGroupAttributeIsDN.

If AuthLDAPGroupAttributeIsDN is set to ON (which is the default) then AuthnzLDAP will expect the user object to exist in the directory and for that user ID to be resolved to a full DN. Otherwise it will not be able to do a DN comparison, which is what AuthLDAPGroupAttributeIsDN ON implies.

If AuthLDAPGroupAttributeIsDN is set to OFF, then the user ID that is passed in does not have to be resolved to a full DN, which means that the user object does not have to exist in the directory but will be resolved to a DN if it does exist.

The group membership comparison will then follow the DN or UN specifier. If DN is specified then a full DN comparison will occur. If UN is specified then a simple user id comparison will occur. If neither is specified then the comparison follows the AuthLDAPGroupAttributeIsDN setting which would default to a UN comparison.

What additional functionality is AuthzLDAPRequireDN performing than that? From what I could see in the original patch, AuthzLDAPRequireDN simply determined whether a failed search for the user object forced the entire request to fail or was ignored. AuthLDAPGroupAttributeIsDN is allowing for the same functionality.
