Graham Leggett wrote:
> Jess Holle said:
>> Also a module (for Apache 2, not 1.3) that could use multiple LDAP
>> repositories -- and not for failover, but for separate user communities
>> -- all for a single resource/directory would be *very* helpful.
>
> Can mod_authnz_ldap not do this?

If this capability was added in 2.1, that would be news to me.

It cannot do this in 2.0.x.

The use cases are:
  1. multiple organizations, each with their own LDAP, wish to allow their personnel into a common site -- each has its own, separately administered LDAP
  2. a single organization has a read-only internal LDAP and a writable LDAP for external guests -- again for a common site

In both cases there are multiple LDAP directories which have no overlap, i.e. if the first LDAP does not contain the uid, then the second must be tried -- this is quite different than the multiple fail-over LDAP URLs allowed in auth_ldap and Apache 2.0's mod_auth_ldap.
>> Right now, you have to use arcane LDAP "standards" for
>> chaining/referral, replication, etc -- which don't hold up between
>> multiple organizations and LDAP vendors so well -- or use some expensive
>> add-on.
>
> Can you explain some more?

As long as the uids have to be combined under one LDAP URL you then have to tackle these use cases with LDAP technologies. These are not well standardized across vendors and overall are a *lot* harder to work with than simply being able to specify a list of (non-overlapping, non-failover) LDAP URLs.

--
Jess Holle
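The behaviour the two use cases call for can be modelled to make the distinction from fail-over precise. The following is an added example, not Apache code and not something posted in the thread: two constructed in-memory directories (`org-a-ldap`, `org-b-ldap`, with invented uids and passwords) stand in for separately administered LDAP servers, and a small chain consults them in order. The point it demonstrates is that a real module has to keep three outcomes apart: "user not found here" (try the next source), "user found but password wrong" (stop and deny, because the uids are non-overlapping so no later source can legitimately vouch for that user), and "source unreachable" (the fail-over case, which this chain logs and skips rather than treating as a miss).

```python
"""Model of chained, non-overlapping authentication sources.

Added example (not Apache code, not from the thread). Two constructed
in-memory dictionaries stand in for the separately administered LDAP
servers described in the use cases. Outcomes a chaining module must
distinguish:

  NOT_FOUND    user absent from this source      -> consult the next source
  DENIED       user present, password mismatch   -> stop; do not fall through
  GRANTED      user present, password matches    -> stop; success
  UNREACHABLE  source down (the fail-over case)  -> record the error, skip it

Passwords are compared with hmac.compare_digest to avoid a timing side
channel; a real module would bind to LDAP instead of comparing secrets.
"""
from dataclasses import dataclass, field
import hmac

NOT_FOUND, DENIED, GRANTED, UNREACHABLE = "not_found", "denied", "granted", "unreachable"


@dataclass
class Directory:
    """Stand-in for one LDAP server (constructed sample data, not real LDAP)."""
    name: str
    users: dict                 # uid -> password
    reachable: bool = True

    def check(self, uid: str, password: str) -> str:
        if not self.reachable:
            return UNREACHABLE
        stored = self.users.get(uid)
        if stored is None:
            return NOT_FOUND
        return GRANTED if hmac.compare_digest(stored, password) else DENIED


@dataclass
class ProviderChain:
    """Consult directories in order; uids are assumed not to overlap."""
    directories: list
    errors: list = field(default_factory=list)

    def authenticate(self, uid: str, password: str):
        """Return (outcome, name of the directory that decided, or None)."""
        for d in self.directories:
            outcome = d.check(uid, password)
            if outcome == UNREACHABLE:
                # Fail-over situation: skip, but keep a record for the operator.
                self.errors.append(f"{d.name}: unreachable, skipped")
                continue
            if outcome == NOT_FOUND:
                # Separate user community: the uid may live in a later source.
                continue
            # GRANTED or DENIED is authoritative because uids do not overlap.
            return outcome, d.name
        return NOT_FOUND, None


def build_chain(org_b_reachable: bool = True) -> ProviderChain:
    """Use case 1: two organizations, each with its own directory (constructed data)."""
    org_a = Directory("org-a-ldap", {"alice": "a-secret"})
    org_b = Directory("org-b-ldap", {"bob": "b-secret"}, reachable=org_b_reachable)
    return ProviderChain([org_a, org_b])


if __name__ == "__main__":
    chain = build_chain()
    for uid, pw in [("alice", "a-secret"), ("bob", "b-secret"), ("alice", "wrong"), ("carol", "x")]:
        print(uid, chain.authenticate(uid, pw))
```

The deny-on-mismatch rule is the security-relevant choice: if the chain fell through to the next directory after a wrong password, a uid that happened to exist in both sources would be accepted by whichever one matched, which is exactly the overlap the use cases rule out.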
