PR#47521 points out that when mod_authnz_ldap has some fatal LDAP
connectivity error, it doesn't allow other AuthBasicProviders to have
a shot at checking the userid.

It seems like the normal use case for two providers is when there are
two disjoint user repositories, and we only move on to search the
second when the user of interest isn't found in the first.

For LDAP, should we treat a failure to even search the database this
same way, allowing it to move on to other providers
(AUTH_USER_NOT_FOUND vs. AUTH_GENERAL_ERROR)?  It seems to me that the
LDAP backends often have poor reliability and lots of use cases would
want the 2nd provider for emergencies, at little expense (hypothetical
attacker that took out your LDAP servers, and compromised e.g.
AuthUserFile).

Thoughts?

-- 
Eric Covener
cove...@gmail.com
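A small Python model, added here and not Apache's own code, of the provider walk described above (mod_auth_basic consults the next AuthBasicProvider only when the current one answers AUTH_USER_NOT_FOUND). The ldap_down, file_provider and EMERGENCY_USERS names and their behaviour are constructed for illustration; the "proposed" variant shows what changes if an LDAP outage is reported as AUTH_USER_NOT_FOUND instead of AUTH_GENERAL_ERROR:

```python
from enum import Enum
from typing import Callable, List, Tuple

# Constructed model (not Apache's code) of how mod_auth_basic walks its
# AuthBasicProvider list: each provider is tried in order and the walk stops
# at the first result that is not AUTH_USER_NOT_FOUND.
class Auth(Enum):
    GRANTED = "AUTH_GRANTED"
    DENIED = "AUTH_DENIED"
    USER_NOT_FOUND = "AUTH_USER_NOT_FOUND"
    GENERAL_ERROR = "AUTH_GENERAL_ERROR"

Provider = Callable[[str, str], Auth]

def run_provider_chain(providers: List[Tuple[str, Provider]], user: str, pw: str):
    """Return (final result, names of the providers actually consulted)."""
    consulted = []
    result = Auth.USER_NOT_FOUND
    for name, check in providers:
        consulted.append(name)
        result = check(user, pw)
        if result != Auth.USER_NOT_FOUND:
            break          # GRANTED, DENIED and GENERAL_ERROR all end the walk
    return result, consulted

# Hypothetical stand-in for mod_authnz_ldap when the directory is unreachable.
def ldap_down(user: str, pw: str, outage_as_not_found: bool = False) -> Auth:
    return Auth.USER_NOT_FOUND if outage_as_not_found else Auth.GENERAL_ERROR

# Hypothetical stand-in for mod_authn_file with a tiny AuthUserFile-like table.
# Constructed sample data; a real AuthUserFile stores password hashes.
EMERGENCY_USERS = {"admin": "hunter2"}

def file_provider(user: str, pw: str) -> Auth:
    if user not in EMERGENCY_USERS:
        return Auth.USER_NOT_FOUND
    return Auth.GRANTED if EMERGENCY_USERS[user] == pw else Auth.DENIED

def current_behaviour(user: str, pw: str):
    # LDAP outage -> GENERAL_ERROR -> the file provider is never consulted.
    return run_provider_chain([("ldap", ldap_down), ("file", file_provider)], user, pw)

def proposed_behaviour(user: str, pw: str):
    # LDAP outage -> USER_NOT_FOUND -> the walk continues to the file provider,
    # so the file provider's own protection now decides access during an outage.
    chain = [("ldap", lambda u, p: ldap_down(u, p, outage_as_not_found=True)),
             ("file", file_provider)]
    return run_provider_chain(chain, user, pw)
```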