httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Brad Nicholes" <>
Subject Re: authnz_ldap in 2.2.x
Date Wed, 29 Aug 2007 23:33:11 GMT
>>> On 8/29/2007 at 3:14 PM, in message
<>, "Eric Covener"
<> wrote:
> On 8/29/07, Brad Nicholes <> wrote:
>> The only real reason why you have to set LDAP to
>> non-authoritative when using LDAP authn only, is because LDAP
>> had to combine both authn and authz into the same module.  This
>> is not a good practice in general, but in the case of LDAP there
>> was so much code and data overlap between authn_ldap and
>> authz_ldap, that splitting them apart was a problem.
> To clarify; I understand not duplicating valid-user, but the other
> authz modules know to decline when they haven't seen a single
> requirement they grok, which allows mod_authz_user to authorize the
> request in the case of "Require valid-user".   I don't think the
> coupling is a factor there.

No, all of the authz modules should be working the same.  They all have an AuthzXXXAuthoritative
directive which defaults to ON.  The problem with 2.0 and 2.2 is that if you load multiple
authz modules and try to use multiple require statements, you have no guarantee as to which
authz handler will get called first.  So it might look like  authz_XXX module is DECLINEing
and allowing authz_user's "Require valid-user" to handle the authorization, when in fact the
authz_XXX handler was never called at all.  This problem has been taken care of in 2.3.  The
difference between mod_authnz_ldap and other authz modules is that in most cases, an Authz
module is not loaded unless it is needed.  In the case of Authnz_LDAP, you don't have that
option.  If you load Authnz_LDAP, you get both authn and authz even if you don't want to use
the authz side.  So your only choice is to disable it by setting the AuthzLDAPAuthoritative
to OFF.


View raw message