Ryan Morgan said:
> Making this generic is a good idea, though you are correct in asserting it
> cannot be done without a major re-factoring. Even then the authz modules
> would need to be modified to respect the satisfy flag when multiple requires
> are given for a single authz module.
>
> The requirement I'm trying to fulfill is multiple group requires within ldap.
> I figured making it generic within ldap using satisfy would be a good idea,
> though this seems to be blowing up into a much bigger issue.
>
> Perhaps it would be easier if 'require ldap-group' could have multiple groups
> listed on a single require line? Something similar to ldap-attribute?
The trouble is whether to interpret multiple groups as "and" or "or" - if
you choose one, there are going to be people that want the other option.
> Or maybe just move the satisfy flag to an ldap specific directive like
> 'LDAPSatisfyAll' to remove any confusion on what it does?
I would definitely like to avoid module-specific directives like this, as
it creates inconsistent configuration patterns in the server. A user could
ask "why can I specify multiple groups in LDAP, but not in other
modules?", and that user would have a valid point.
I think in the long run, supporting satisfy all generically would be an
excellent option to have.
Regards,
Graham
--