On Wed, Dec 21, 2005 at 01:16:53PM -0700, Brad Nicholes wrote:
> <Directory /www/mydocs>
> Authname ...
> AuthBasicProvider ...
> ...
>
> Require user John
> <RequireAll>
> Require Group admins
> Require ldap-group cn=mygroup,o=foo
> <RequireOne>
> Require ldap-attribute dept="sales"
> Require file-group
> </RequireOne>
> </RequireAll>
> </Directory>

So if I write

<Directory /www/mydocs>
Authname...
...
Require Group admins
Require ldap-group cn=mygroup,o=foo
</Directory>

then from your example I think you're saying there is an implicit <RequireOne> around that, yes?

If so, I think it would be better if it were implicitly <RequireAll>. Otherwise it's easy to write an insecure configuration accidentally (you think you've written Require A *and* B, when you've actually written Require A *or* B).

What happens if I mix Require and Reject
- within a <RequireAll> section
- within a <RequireOne> section?

i.e. is 'Reject ...' exactly equivalent to 'Require Not ...', or is it more complex than that?

Will there be <RejectOne> and <RejectAll> as well? That is, I think you need NAND and NOR, or at least NOT around a group, to be able to build any desired boolean combination.

Anyway, this framework does seem to be a lot more flexible and easier to understand than the current one, especially if the 'Order allow,deny' and 'Order deny,allow' stuff is eliminated :-)

Regards,

Brian.
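
The concern raised in the message above, as an added example that is not part of the original message and is not Apache code: a toy evaluator showing how the same two Require lines decide differently under an implicit <RequireOne> versus an implicit <RequireAll>. The parser, the attribute-matching rule and the test user are assumptions made for illustration.

```python
# Added illustration, not Apache code: a toy evaluator for the <RequireAll> /
# <RequireOne> containers proposed in the thread. Matching a requirement
# against a user's attributes is a simplifying assumption.

def parse(lines, implicit):
    """Return a tree of (op, children) nodes and ("req", kind, value) leaves.
    `implicit` is the container assumed around top-level Require lines."""
    root = (implicit, [])
    stack = [root]
    for raw in lines:
        line = raw.strip()
        if line in ("<RequireAll>", "<RequireOne>"):
            node = (line[1:-1], [])
            stack[-1][1].append(node)
            stack.append(node)
        elif line in ("</RequireAll>", "</RequireOne>"):
            stack.pop()
        elif line.lower().startswith("require "):
            parts = line.split(None, 2)
            value = parts[2] if len(parts) > 2 else ""
            stack[-1][1].append(("req", parts[1].lower(), value))
    return root

def allowed(node, user):
    """Evaluate the tree for `user`, a dict of kind -> set of values held."""
    if node[0] == "req":
        return node[2] in user.get(node[1], set())
    results = [allowed(child, user) for child in node[1]]
    if not results:  # empty container: fail closed
        return False
    return all(results) if node[0] == "RequireAll" else any(results)

# The two-line configuration from the message (constructed test user below).
CONFIG = ["Require Group admins", "Require ldap-group cn=mygroup,o=foo"]
# In the local "admins" group but NOT in the LDAP group.
ADMIN_ONLY = {"group": {"admins"}}

def compare(config, user):
    """Access decision under each candidate implicit container."""
    return {op: allowed(parse(config, op), user)
            for op in ("RequireOne", "RequireAll")}

if __name__ == "__main__":
    print(compare(CONFIG, ADMIN_ONLY))
```

The user who satisfies only one of the two lines is admitted under the implicit <RequireOne> reading and refused under the implicit <RequireAll> reading, which is the accidental A *or* B case the message describes.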
