+1 for splitting auth_ldap into authz/authn. We will be releasing our mod_edir module that provides an alternative authorization service for auth_ldap. It relies on mod_auth_ldap for authentication and then enforces access control through mod_edir. It is currently implemented by adding an "edir-user" option in place of "valid-user" to the requires directive. Splitting auth_ldap into authz/authn would allow us to completely replace the authorization services with eDirectory.

Brad Nicholes
Senior Software Engineer
Novell, Inc., the leading provider of Net business solutions
http://www.novell.com

>>> [EMAIL PROTECTED] Friday, January 17, 2003 2:02:17 AM >>>
--On Friday, January 17, 2003 9:59 AM +0200 Graham Leggett <[EMAIL PROTECTED]> wrote:

> If I were to change mod_auth_ldap to use the new authz/authn system
> in v2.1, I have to split mod_auth_ldap into mod_authn_ldap (the
> is-password-correct part) and mod_authz_ldap (group-membership
> part). Am I correct?

No, you don't *have* to split them into different modules. One module could register for both authn/authz providers. The only reason we split was because there wasn't a lot of shared code between the other auth modules. I think mod_auth_ldap has a lot of shared code in its authn/authz split.

Perhaps a mod_auth_ldap core module that exports the basic LDAP functionality, then a mod_authn_ldap and mod_authz_ldap module that does the direct auth code? I dunno.

-- justin
