httpd-dev mailing list archives

From "Brad Nicholes" <BNICHO...@novell.com>
Subject Re: authnz_ldap in 2.2.x
Date Wed, 29 Aug 2007 19:28:08 GMT
>>> On 8/29/2007 at 8:28 AM, in message
<1404e5910708290728v5b3ac782o5c94c70b42551eec@mail.gmail.com>, "Eric Covener"
<covener@gmail.com> wrote:
> mod_authnz_ldap in 2.2.x doesn't track whether or not it has seen any
> applicable 'Require ldap-*' entries in the requires list, and also
> doesn't explicitly accept valid-user (despite a comment)
> 
> Other authz modules check that their flavor of Require was present
> where they check if they're configured to be authoritative.  At the
> simplest level, this allows the authz modules to DECLINE and let
> authz_user authorize based on "Require valid-user"
> 
> To do authn-only where LDAP is used as the basic provider, (or
> otherwise configured in that context) you have to make LDAP
> non-authoritative or come up with some LDAP filter or attribute that
> is always true.
> 
> Is this something we're stuck with in a stable release? The trunk
> authz provider API makes this relevant only to 2.2.x.


Yes, the idea, even going forward into 2.3, is to not have overlapping authz types.  It doesn't
really make sense to have all of the various authz modules replicate "valid-user".  There
should only be one authz module that implements an authorization type.  That is why you only
see authz_user implement "user" where authnz_ldap implements "ldap-user".  They both authorize
users in different ways.  In 2.0, if both mod_auth and mod_auth_ldap were loaded (for
whatever reason), they both implemented "user".  So when your configuration used "require
user", you never really knew which one you were getting.

The only real reason why you have to set LDAP to non-authoritative when using LDAP authn only
is because LDAP had to combine both authn and authz into the same module.  This is not a good
practice in general, but in the case of LDAP there was so much code and data overlap between
authn_ldap and authz_ldap, that splitting them apart was a problem.

Brad
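To make the 2.2.x behaviour discussed above concrete, here is an added httpd 2.2 configuration example (not from this thread or from the httpd project) showing the authn-only case, where mod_authnz_ldap must be made non-authoritative so that mod_authz_user can satisfy "Require valid-user". The LDAP host, base DN, bind DN and group DN are placeholders.

```apache
# Constructed example: LDAP is the authentication provider only, and
# authorization is left to mod_authz_user via "Require valid-user".
# Host, base DN and bind credentials are placeholders.
<Location /private>
    AuthType Basic
    AuthName "Private area"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.com/ou=People,dc=example,dc=com?uid?sub?(objectClass=inetOrgPerson)"
    AuthLDAPBindDN "cn=httpd,ou=Services,dc=example,dc=com"
    AuthLDAPBindPassword "REPLACE_ME"

    # In 2.2.x mod_authnz_ldap still runs its authorization hook even
    # though no "Require ldap-*" line is present. Because it does not
    # accept "valid-user" and is authoritative by default, the request is
    # refused. Turning the authoritative flag off makes it DECLINE, so
    # mod_authz_user can authorize the already-authenticated user.
    AuthzLDAPAuthoritative off
    Require valid-user
</Location>

# Contrast: an ldap-* Require that mod_authnz_ldap implements itself, so
# it can stay authoritative and no other authz module is consulted.
<Location /staff>
    AuthType Basic
    AuthName "Staff only"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.com/ou=People,dc=example,dc=com?uid?sub?(objectClass=inetOrgPerson)"
    AuthLDAPBindDN "cn=httpd,ou=Services,dc=example,dc=com"
    AuthLDAPBindPassword "REPLACE_ME"
    Require ldap-group cn=staff,ou=Groups,dc=example,dc=com
</Location>
```

The second block is the shape to prefer where LDAP group or attribute data is available, since it keeps a single authoritative module deciding access instead of relying on the fall-through to mod_authz_user.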

