httpd-dev mailing list archives

From "Graham Leggett" <minf...@sharp.fm>
Subject Re: [PATCH] mod_authnz_ldap and satisfy all
Date Fri, 09 Sep 2005 15:20:40 GMT
Ryan Morgan said:

> Making this generic is a good idea, though you are correct in asserting it
> cannot be done without a major re-factoring.  Even then the authz modules
> would need to be modified to respect the satisfy flag when multiple requires
> are given for a single authz module.
>
> The requirement I'm trying to fulfill is multiple group requires within ldap.
> I figured making it generic within ldap using satisfy would be a good idea,
> though this seems to be blowing up into a much bigger issue.
>
> Perhaps it would be easier if 'require ldap-group' could have multiple groups
> listed on a single require line?  Something similar to ldap-attribute?

The trouble is whether to interpret multiple groups as "and" or "or" - if
you choose one, there are going to be people who want the other option.

> Or maybe just move the satisfy flag to an ldap specific directive like
> 'LDAPSatisfyAll' to remove any confusion on what it does?

I would definitely like to avoid module-specific directives like this, as
it creates inconsistent configuration patterns in the server. A user could
ask "why can I specify multiple groups in LDAP, but not in other
modules?", and that user would have a valid point.

I think in the long run, supporting satisfy all generically would be an
excellent option to have.

Regards,
Graham