Alan Ge <[email protected]> writes: > Sorry, guys, another questions on webauthldap. This may have been asked > before, but please bear with me as I didn't find an answer in the > mailing list archive.
> What is the difference between > <Location /webapp/> > AuthType WebAuth > Require valid-user > Require privgroup stanford:staff > Require privgroup stanford:faculty > </Location> This will deny access to anyone who is not a member of either stanford:staff or stanford:faculty at the Apache level. In other words, people who are not members of one of those privgroups will be rejected with a 403 error at the HTTP layer. > <Location /webapp/> > AuthType WebAuth > Require valid-user > WebAuthLdapPrivgroup stanford:staff > WebAuthLdapPrivgroup stanford:faculty > </Location> This will grant access to everyone who can authenticate via WebAuth. If the user is in one of those privilege groups, the name of that group will be placed in the WEBAUTH_LDAPPRIVGROUP environment variable. If not, that environment variable will not be present, but the user will still be granted access. > Besides this, does the two provide the same protection on the location? No. WebAuthLdapPrivgroup is not about access control. It just gathers information and puts it in the environment for the application to use itself. -- Russ Allbery <[email protected]> Technical Lead, ITS Infrastructure Delivery Group, Stanford University
