https://issues.apache.org/bugzilla/show_bug.cgi?id=47676
Holger Dippel <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
         AssignedTo|[email protected]            |[email protected]

--- Comment #4 from Holger Dippel <[email protected]> 2009-08-11 11:22:19 PDT ---
Created an attachment (id=24126)
Debug log (access & error log)

Eric, thank you for the comments and quick response.

I've been trying various combinations of directives between mod_authnz_ldap with filters and without, and with AuthzLDAPAuthoritative on/off. Here are some of the results:

1) CAS with a user file authorization and "Require valid-user" works.
2) CAS with LDAP authorization (and a filter that applies to userone or no filter) and "Require valid-user" works.
3) CAS with "Require group" and userone member of the group works.
4) CAS with LDAP authorization (valid filter and/or other "Require ldap-..." directives applicable to userone, or neither of these) and Require group (userone not a member) fails.

About passing it on -- in the mod_authnz_ldap manual, AuthzLDAPAuthoritative:

"Set to off if this module should let other authorization modules attempt to authorize the user, should authorization with this module fail. Control is only passed on to lower modules if there is no DN or rule that matches the supplied user name (as passed by the client)."

This makes me think "Require group" should only be tested when LDAP authorization fails.
