>>> On 8/29/2007 at 7:51 PM, in message
<[EMAIL PROTECTED]>, "Eric Covener"
<[EMAIL PROTECTED]> wrote:
> 
> In 2.2.x, if authz_XXX are one of dbm, owner, or groupfile they track
> the list of requires and decline if they don't see any they're
> responsible for -- this isn't a crap shoot of module ordering in this
> case.
> 
> $ grep \!required *.c
> mod_authz_dbm.c:    if (!required_group || !conf->authoritative) {
> mod_authz_groupfile.c:    if (!required_group || !conf->authoritative) {
> mod_authz_owner.c:    if (!required_owner || !conf->authoritative) {
> mod_authz_user.c:    if (!required_user) {
> 
> That roughly leaves authz_host, authz_default, and authnz_ldap.
> authz_host has a built-in default based on Order, and authz_default
> doesn't have any Requires to check -- leaving authnz_ldap as the odd
> man out.
> 

True, so that brings up the question of what does AuthzXXXAuthoritative really 
mean?  Does it mean that if set to ON, this module is authoritatively 
responsible for authorization and if it can't (whatever the reason including no 
require statement), then authorization fails?  Or does it mean that the module 
is only authoritatively responsible for authorization if a matching require 
statement exists?  According to what you are saying as well as what the code is 
currently saying in the other authz modules, the latter is true.  And if that 
is really the definition of AuthzXXXAuthoritative, then it appears that 
authnz_ldap needs to be fixed.

Brad
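
The two readings of AuthzXXXAuthoritative discussed in this thread, as an added example that is not part of either message and is not httpd source code. It is a simplified model: `check_authz`, the `reading` enum and the require strings are hypothetical and constructed for illustration; only the three return values mirror httpd's.

```c
#include <stdio.h>
#include <string.h>

/* Same values as httpd's OK, DECLINED and HTTP_UNAUTHORIZED. */
#define OK 0
#define DECLINED (-1)
#define HTTP_UNAUTHORIZED 401

/* The two readings of "Authoritative On" raised in the thread. */
enum reading { ONLY_WITH_MATCHING_REQUIRE, ALWAYS };

/* Hypothetical group-style checker: it owns only "group <name>" requires.
 * reqs[] and user_group are constructed inputs for this model. */
static int check_authz(const char *const *reqs, int n,
                       const char *user_group, int authoritative,
                       enum reading r)
{
    int required_group = 0;

    for (int i = 0; i < n; i++) {
        if (strncmp(reqs[i], "group ", 6) != 0)
            continue;                 /* some other module's require */
        required_group = 1;
        if (strcmp(reqs[i] + 6, user_group) == 0)
            return OK;                /* our require is satisfied */
    }
    /* Nothing granted access: decline (a later module decides) or deny. */
    if (!authoritative)
        return DECLINED;
    if (r == ONLY_WITH_MATCHING_REQUIRE && !required_group)
        return DECLINED;              /* the pattern in the grep output */
    return HTTP_UNAUTHORIZED;
}

int main(void)
{
    const char *const cfg[] = { "valid-user" };  /* no group require at all */

    printf("matching-require reading: %d\n",
           check_authz(cfg, 1, "staff", 1, ONLY_WITH_MATCHING_REQUIRE));
    printf("always-authoritative reading: %d\n",
           check_authz(cfg, 1, "staff", 1, ALWAYS));
    return 0;
}
```

With only a require that belongs to another module in effect, the first reading hands the decision on (DECLINED) while the second denies the request outright, which is why the choice of definition decides whether modules can be combined in one configuration.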



