httpd-bugs mailing list archives

Subject: DO NOT REPLY [Bug 47676] mod_authnz_ldap successful authorization passed through to mod_authz_groupfile
Date: Tue, 11 Aug 2009 18:22:21 GMT

Holger Dippel changed:

           What    |Removed                     |Added
             Status|NEEDINFO                    |NEW
         AssignedTo|       |

--- Comment #4 from Holger Dippel 2009-08-11 11:22:19 PDT
Created an attachment (id=24126)
Debug log (access & error log)

Eric, thank you for the comments and quick response.

I've been trying various combinations of directives between mod_authnz_ldap
with filters and without, and with AuthzLDAPAuthoritative on/off. Here are some
of the results:

1) CAS with a user file authorization and "Require valid-user" works.
2) CAS with LDAP authorization (and a filter that applies to userone or no
filter) and "Require valid-user" works.
3) CAS with "Require group" and userone member of the group works.
4) CAS with LDAP authorization (valid filter and/or other "Require ldap-..."
directives applicable to userone, or neither of these) and Require group
(userone not a member) fails.

About passing it on -- in the mod_authnz_ldap manual, AuthzLDAPAuthoritative:
"Set to off if this module should let other authorization modules attempt to
authorize the user, should authorization with this module fail. Control is only
passed on to lower modules if there is no DN or rule that matches the supplied
user name (as passed by the client)."

This makes me think "Require group" should only be tested when LDAP
authorization fails.
