>>> On 8/29/2007 at 3:14 PM, in message
<[EMAIL PROTECTED]>, "Eric Covener"
<[EMAIL PROTECTED]> wrote:
> On 8/29/07, Brad Nicholes <[EMAIL PROTECTED]> wrote:
>> The only real reason why you have to set LDAP to
>> non-authoritative when using LDAP authn only, is because LDAP
>> had to combine both authn and authz into the same module.  This
>> is not a good practice in general, but in the case of LDAP there
>> was so much code and data overlap between authn_ldap and
>> authz_ldap, that splitting them apart was a problem.
> 
> 
> To clarify; I understand not duplicating valid-user, but the other
> authz modules know to decline when they haven't seen a single
> requirement they grok, which allows mod_authz_user to authorize the
> request in the case of "Require valid-user".   I don't think the
> coupling is a factor there.


No, all of the authz modules should be working the same.  They all have an 
AuthzXXXAuthoritative directive which defaults to ON.  The problem with 2.0 and 
2.2 is that if you load multiple authz modules and try to use multiple require 
statements, you have no guarantee as to which authz handler will get called 
first.  So it might look like the authz_XXX module is DECLINEing and allowing 
authz_user's "Require valid-user" to handle the authorization, when in fact the 
authz_XXX handler was never called at all.  This problem has been taken care of 
in 2.3.  The difference between mod_authnz_ldap and other authz modules is that 
in most cases, an Authz module is not loaded unless it is needed.  In the case 
of Authnz_LDAP, you don't have that option.  If you load Authnz_LDAP, you get 
both authn and authz even if you don't want to use the authz side.  So your 
only choice is to disable it by setting the AuthzLDAPAuthoritative to OFF.

Brad
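An added configuration example, not from the thread, showing the arrangement Brad describes for 2.2: mod_authnz_ldap is loaded for authentication only, so its authz side is switched off with AuthzLDAPAuthoritative Off and "Require valid-user" is left to mod_authz_user. The location path, realm, directory server and base DN are placeholders.

```apache
# Added example; not part of the original mailing-list thread.
# LDAP is used for authentication only; authorization is left to mod_authz_user.
<Location /protected>                  # placeholder path
    AuthType Basic
    AuthName "Example Realm"           # placeholder realm
    AuthBasicProvider ldap
    # Placeholder directory server and base DN
    AuthLDAPURL "ldap://ldap.example.com/ou=people,dc=example,dc=com?uid?sub"

    # Loading mod_authnz_ldap brings in its authz handler as well, and that
    # handler is authoritative by default. Setting it Off makes it decline
    # rather than decide, so mod_authz_user can satisfy "Require valid-user".
    AuthzLDAPAuthoritative Off

    Require valid-user
</Location>
```

Because 2.0 and 2.2 give no ordering guarantee among authz handlers when several authz modules are loaded, the point of the Off setting is that the outcome no longer depends on which handler happens to run first.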
