From: Ryan Morgan
To: dev@httpd.apache.org
Subject: Multiple group authorization in mod_ldap
Date: Thu, 1 Sep 2005 15:34:13 -0700

Hey everyone,

I have a quick question regarding authorization against multiple groups in mod_ldap. Currently, if any of the require lines succeeds, the user will be granted access. (Unless I'm missing something obvious in the code and docs.)

I'd like to add the ability to require all, so that each require line is checked for successful authorization. This would allow mod_ldap to check that a user is in multiple groups before granting access. I can think of a couple of ways of implementing this:

1) Use the core's Satisfy directive to check if 'Satisfy all' has been requested.
2) Add a new directive 'AuthLDAPRequireAll' which would be a flag indicating to check all require lines.

Thoughts?

(Apologies if this comes through twice, I originally sent it from the wrong email address, so it's probably in the queue for the list moderator)
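
Added example, not part of the original message and not code from the httpd project: the any-of behaviour described above next to an all-of form, written for Apache httpd 2.4 (which postdates this thread), where mod_authz_core provides the `<RequireAll>` container. The LDAP host, base DN, group DNs and URL paths are constructed placeholders.

```apache
# Constructed example: host, DNs and paths are placeholders.
# Assumes httpd 2.4 with mod_authnz_ldap and mod_ldap loaded.

# Any-of: bare Require lines in one section are implicitly wrapped in
# <RequireAny>, so membership in EITHER group grants access.
<Location "/reports">
    AuthType Basic
    AuthName "Reports"
    AuthBasicProvider ldap
    AuthLDAPURL "ldaps://ldap.example.com/ou=people,dc=example,dc=com?uid"
    Require ldap-group cn=finance,ou=groups,dc=example,dc=com
    Require ldap-group cn=managers,ou=groups,dc=example,dc=com
</Location>

# All-of: <RequireAll> fails the request unless EVERY enclosed Require
# succeeds, so the user must be a member of BOTH groups.
<Location "/payroll">
    AuthType Basic
    AuthName "Payroll"
    AuthBasicProvider ldap
    AuthLDAPURL "ldaps://ldap.example.com/ou=people,dc=example,dc=com?uid"
    <RequireAll>
        Require ldap-group cn=finance,ou=groups,dc=example,dc=com
        Require ldap-group cn=managers,ou=groups,dc=example,dc=com
    </RequireAll>
</Location>
```

When reviewing an existing configuration, treat any section that lists several group requirements without an enclosing container as any-of, and confirm that is the intended policy.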