Ryan Morgan said:

> Making this generic is a good idea, though you are correct in asserting it
> cannot be done without a major re-factoring. Even then the authz modules
> would need to be modified to respect the satisfy flag when multiple requires
> are given for a single authz module.
>
> The requirement I'm trying to fulfill is multiple group requires within ldap.
> I figured making it generic within ldap using satisfy would be a good idea,
> though this seems to be blowing up into a much bigger issue.
>
> Perhaps it would be easier if 'require ldap-group' could have multiple groups
> listed on a single require line? Something similar to ldap-attribute?

The trouble is whether to interpret multiple groups as "and" or "or" - if you choose one, there are going to be people that want the other option.

> Or maybe just move the satisfy flag to an ldap specific directive like
> 'LDAPSatisfyAll' to remove any confusion on what it does?

I would definitely like to avoid module specific directives like this, as it creates inconsistent configuration patterns in the server. A user could ask "why can I specify multiple groups in LDAP, but not in other modules?", and that user would have a valid point.

I think in the long run, supporting satisfy all generically would be an excellent option to have.

Regards,
Graham
--
