Hi, I'm facing the following problem : I'm using 2 auth modules in authoritative mode (if one fail, try the other one). I have one authorization check (using a require directive) for the first module and another one for the other module.
My problem is that the second directive as a syntax that is valid for the first module and will prevent authorization with the first module. He is an example of what I mean : Users are authenticated using basic auth against my ldap server. Authorized users are : 1) all non contractors users 2) plus a list of authorized-contractors (not managed in the LDAP server) AuthType Basic AuthName "access restricted" AuthLDAPURL <ldap URL> require ldap-filter !(employeeType=contractor) AuthLDAPAuthoritative off AuthUserFile .htpasswd AuthGroupFile .htgroup require group authorized-contractors The problem with this is that the 'require group' is a valid directive for the auth_ldap module and will prevent the rule 1) to succeed. That way I'm solving this is by patching the mod_auth module by telling him to support both 'require group' and 'require mod_auth_group' directives. In this case, the following configuration is doing what I wanted : AuthType Basic AuthName "access restricted" AuthLDAPURL <ldap URL> require ldap-filter !(employeeType=contractor) AuthLDAPAuthoritative off AuthUserFile .htpasswd AuthGroupFile .htgroup require mod_auth_group authorized-contractors I'm wondering if it's not a good idea for any auth modules to support 2 names for any "require" options: the common name (group) and a unique name (<module_name>_group). In this case, it could help implementing a strict OR between require directives when using authoritative mode. Any thoughts? Xavier
