>>> On 8/29/2007 at 8:28 AM, in message
<[EMAIL PROTECTED]>, "Eric Covener"
<[EMAIL PROTECTED]> wrote:
> mod_authnz_ldap in 2.2.x doesn't track whether or not it has seen any
> applicable 'Require ldap-*' entries in the requires list, and also
> doesn't explicitly accept valid-user (despite a comment)
> 
> Other authz modules check that their flavor of Require was present
> where they check if they're configured to be authoritative.  At the
> simplest level, this allows the authz modules to DECLINE and let
> authz_user authorize based on "Require valid-user"
> 
> To do authn-only where LDAP is used as the basic provider, (or
> otherwise configured in that context) you have to make LDAP
> non-authoritative or come up with some LDAP filter or attribute that
> is always true.
> 
> Is this something we're stuck with in a stable release? The trunk
> authz provider API makes this relevant only to 2.2.x.


Yes, the idea, even going forward into 2.3, is to not have overlapping authz 
types.  It doesn't really make sense to have all of the various authz modules 
replicate "valid-user".  There should only be one authz module that implements 
an authorization type.  That is why you only see authz_user implement "user" 
where authnz_ldap implements "ldap-user".  They both authorize users in 
different ways.  In 2.0, if both mod_auth and mod_auth_ldap were loaded 
(for whatever reason), they both implemented "user".  So when your 
configuration used "require user", you never really knew which one you were 
getting.

The only real reason why you have to set LDAP to non-authoritative when using 
LDAP authn only, is because LDAP had to combine both authn and authz into the 
same module.  This is not a good practice in general, but in the case of LDAP 
there was so much code and data overlap between authn_ldap and authz_ldap, that 
splitting them apart was a problem.

Brad
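The two workarounds discussed in this thread, written out as an httpd 2.2 configuration fragment. This is an added example, not configuration posted by either author; the LDAP host, base DN, module paths and URL prefixes are assumed placeholders.

```apache
# Added example (not from the thread): httpd 2.2 fragment using mod_authnz_ldap
# for authentication only. ldap.example.com, the base DN and the /app and
# /reports paths are assumed placeholders.
LoadModule ldap_module        modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule authz_user_module  modules/mod_authz_user.so

# Variant 1: make mod_authnz_ldap non-authoritative so that it DECLINEs on a
# Require type it does not implement, and mod_authz_user then handles
# "Require valid-user".
<Location /app>
    AuthType Basic
    AuthName "LDAP login"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.com/ou=People,dc=example,dc=com?uid?sub?(objectClass=*)"
    # Default is On; with On, 2.2's mod_authnz_ldap rejects the request here
    # instead of DECLINEing, because it never sees an ldap-* Require.
    AuthzLDAPAuthoritative Off
    Require valid-user
</Location>

# Variant 2: leave LDAP authoritative and give it a Require it does implement,
# using a filter that every directory entry satisfies. In 2.2 the ldap-filter
# is ANDed with the (uid=<user>) match, so this still admits only the
# authenticated user's own entry.
<Location /reports>
    AuthType Basic
    AuthName "LDAP login"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.com/ou=People,dc=example,dc=com?uid?sub?(objectClass=*)"
    Require ldap-filter objectClass=*
</Location>
```

Variant 1 is the one the thread recommends for "authn only"; note that turning AuthzLDAPAuthoritative off means a typo in an ldap-* Require line silently falls through to the next authz module rather than failing closed, so check that some other module (here authz_user) actually authorizes the request.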
