httpd-dev mailing list archives

From "Brad Nicholes" <BNICHO...@novell.com>
Subject Re: authnz_ldap in 2.2.x
Date Thu, 30 Aug 2007 15:32:09 GMT
>>> On 8/29/2007 at 7:51 PM, in message
<1404e5910708291851x5840a4cemd81caaedb41d18d5@mail.gmail.com>, "Eric Covener"
<covener@gmail.com> wrote:
> 
> In 2.2.x if authz_XXX are one of dbm, owner, or groupfile they track
> the list of requires and decline if they don't see any they're
> responsible for -- this isn't a crap shoot of module ordering in this
> case.
> 
> $ grep \!required *.c
> mod_authz_dbm.c:    if (!required_group || !conf->authoritative) {
> mod_authz_groupfile.c:    if (!required_group || !conf->authoritative) {
> mod_authz_owner.c:    if (!required_owner || !conf->authoritative) {
> mod_authz_user.c:    if (!required_user) {
> 
> That roughly leaves authz_host, authz_default, and authnz_ldap.
> authz_host has a built-in default based on Order, and authz_default
> doesn't have any Requires to check -- leaving authnz_ldap as the odd
> man out.
> 

True, so that brings up the question of what does AuthzXXXAuthoritative
really mean? Does it mean that if set to ON, this module is
authoritatively responsible for authorization and if it can't (whatever
the reason including no require statement), then authorization fails? Or
does it mean that the module is only authoritatively responsible for
authorization if a matching require statement exists? According to what
you are saying as well as what the code is currently saying in the other
authz modules, the latter is true. And if that is really the definition
of AuthzXXXAuthoritative, then it appears that authnz_ldap needs to be
fixed.

Brad
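
Added example, not part of the original message and not httpd source: a simplified C model of the two readings of AuthzXXXAuthoritative discussed above, showing why the first reading makes the outcome depend on module order. The struct, the `strict` flag, the module keywords and the single `Require group admins` line are assumptions made for the illustration.

```c
#include <string.h>

/* Simplified model for this example, not httpd source. */
enum { AUTHZ_OK = 0, AUTHZ_DECLINED = -1, AUTHZ_DENIED = 401 };

struct authz_mod {          /* hypothetical model of one authz module */
    const char *keyword;    /* Require keyword the module owns */
    int authoritative;      /* AuthzXXXAuthoritative On (1) / Off (0) */
    int strict;             /* 1 = first reading: deny even with no own Require */
    int grants;             /* constructed: would the module's lookup succeed? */
};

/* One module's verdict over the Require lines that apply to the request. */
static int check_one(const struct authz_mod *m, const char **reqs, int n)
{
    size_t len = strlen(m->keyword);
    int saw_own = 0;
    for (int i = 0; i < n; i++) {
        if (strncmp(reqs[i], m->keyword, len) == 0 && reqs[i][len] == ' ') {
            saw_own = 1;
            if (m->grants) return AUTHZ_OK;
        }
    }
    if (!m->authoritative) return AUTHZ_DECLINED;
    /* second reading, as in `if (!required_group || !conf->authoritative)` */
    if (!saw_own && !m->strict) return AUTHZ_DECLINED;
    return AUTHZ_DENIED;
}

/* First verdict other than DECLINED wins, so module order matters. */
static int run_chain(const struct authz_mod *mods, int nmods,
                     const char **reqs, int n)
{
    for (int i = 0; i < nmods; i++) {
        int rc = check_one(&mods[i], reqs, n);
        if (rc != AUTHZ_DECLINED) return rc;
    }
    return AUTHZ_DECLINED;
}

/* Constructed case: only "Require group admins" is configured. */
static int demo(int ldap_strict, int ldap_first)
{
    const char *reqs[] = { "group admins" };
    struct authz_mod ldap = { "ldap-group", 1, ldap_strict, 0 };
    struct authz_mod file = { "group", 1, 0, 1 };
    struct authz_mod chain[2] = { ldap_first ? ldap : file, ldap_first ? file : ldap };
    return run_chain(chain, 2, reqs, 1);
}
int main(void) { return demo(0, 1) == AUTHZ_OK ? 0 : 1; }
```

In this model, `demo(1, 1)` denies a user the group-file module would have granted, while `demo(1, 0)` grants the same request; under the second reading (`strict` = 0) both orders grant.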




