>>> On 8/29/2007 at 3:14 PM, in message <[EMAIL PROTECTED]>, "Eric Covener" <[EMAIL PROTECTED]> wrote:
> On 8/29/07, Brad Nicholes <[EMAIL PROTECTED]> wrote:
>> The only real reason why you have to set LDAP to
>> non-authoritative when using LDAP authn only, is because LDAP
>> had to combine both authn and authz into the same module. This
>> is not a good practice in general, but in the case of LDAP there
>> was so much code and data overlap between authn_ldap and
>> authz_ldap, that splitting them apart was a problem.
>
>
> To clarify; I understand not duplicating valid-user, but the other
> authz modules know to decline when they haven't seen a single
> requirement they grok, which allows mod_authz_user to authorize the
> request in the case of "Require valid-user". I don't think the
> coupling is a factor there.
No, all of the authz modules should be working the same. They all have an AuthzXXXAuthoritative directive which defaults to ON. The problem with 2.0 and 2.2 is that if you load multiple authz modules and try to use multiple Require statements, you have no guarantee as to which authz handler will get called first. So it might look like the authz_XXX module is DECLINEing and allowing authz_user's "Require valid-user" to handle the authorization, when in fact the authz_XXX handler was never called at all. This problem has been taken care of in 2.3.

The difference between mod_authnz_ldap and other authz modules is that in most cases, an authz module is not loaded unless it is needed. In the case of authnz_ldap, you don't have that option. If you load authnz_ldap, you get both authn and authz even if you don't want to use the authz side. So your only choice is to disable it by setting AuthzLDAPAuthoritative to OFF.

Brad
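As an added illustration of the situation Brad describes (this is example configuration written for this page, not from the thread or from the httpd project), here is a 2.2-style setup that authenticates users against LDAP but authorizes them from a flat groups file. Because mod_authnz_ldap's authz hook runs for every request in the location and does not recognise "Require group", it must be made non-authoritative, or it rejects the request instead of letting mod_authz_groupfile decide. The LDAP URL, hostname and file path are placeholders.

```apache
# Apache 2.2: LDAP for authn only, mod_authz_groupfile for authz.
# Hostname, base DN and groups file path are hypothetical values.
LoadModule ldap_module          modules/mod_ldap.so
LoadModule authnz_ldap_module   modules/mod_authnz_ldap.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so

<Location /secure>
    AuthType Basic
    AuthName "Restricted Area"

    # Authentication: verify the password against the directory.
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.com/ou=people,dc=example,dc=com?uid"

    # Weak setting (the 2.2 default): AuthzLDAPAuthoritative On
    # With it, authnz_ldap sees a requirement it does not grok
    # ("Require group") and returns 401 before authz_groupfile runs.
    #
    # Corrected setting: hand unrecognised requirements to the next
    # authz module instead of failing closed inside authnz_ldap.
    AuthzLDAPAuthoritative Off

    # Authorization: group membership comes from a local file.
    AuthGroupFile /etc/httpd/conf/groups
    Require group admins
</Location>
```

In the 2.3/2.4 line the per-module AuthzXXXAuthoritative directives were removed and mod_authz_core evaluates Require statements in a defined order, which is the fix to the ordering problem mentioned above; this directive is only needed on 2.0 and 2.2.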