From: "Brad Nicholes"
Date: Thu, 30 Aug 2007 09:32:09 -0600
Subject: Re: authnz_ldap in 2.2.x
Message-Id: <46D68E98.6720.00AC.0@novell.com>
In-Reply-To: <1404e5910708291851x5840a4cemd81caaedb41d18d5@mail.gmail.com>

>>> On 8/29/2007 at 7:51 PM, in message
<1404e5910708291851x5840a4cemd81caaedb41d18d5@mail.gmail.com>, "Eric
Covener" wrote:
>
> In 2.2.x if authz_XXX are one of dbm, owner, or groupfile they track
> the list of requires and decline if they don't see any they're
> responsible for -- this isn't a crap shoot of module ordering in this
> case.
>
> $ grep \!required *.c
> mod_authz_dbm.c: if (!required_group || !conf->authoritative) {
> mod_authz_groupfile.c: if (!required_group || !conf->authoritative) {
> mod_authz_owner.c: if (!required_owner || !conf->authoritative) {
> mod_authz_user.c: if (!required_user) {
>
> That roughly leaves authz_host, authz_default, and authnz_ldap.
> authz_host has a built-in default based on Order, and authz_default
> doesn't have any Requires to check -- leaving authnz_ldap as the odd
> man out.
>

True, so that brings up the question of what does AuthzXXXAuthoritative
really mean? Does it mean that if set to ON, this module is
authoritatively responsible for authorization and if it can't (whatever
the reason including no require statement), then authorization fails?
Or does it mean that the module is only authoritatively responsible for
authorization if a matching require statement exists? According to what
you are saying as well as what the code is currently saying in the other
authz modules, the latter is true. And if that is really the definition
of AuthzXXXAuthoritative, then it appears that authnz_ldap needs to be
fixed.

Brad
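
The two readings of AuthzXXXAuthoritative asked about in this message, modeled as an added example that is not part of the original thread and is not httpd source. The names `authz_module`, `check`, `run_chain`, `demo` and the `strict` switch are hypothetical, the `Require` line is constructed, and the deny-when-every-module-declines fallback is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Return codes as httpd defines them */
#define OK 0
#define DECLINED (-1)
#define HTTP_UNAUTHORIZED 401

/* Constructed model of one authz module's auth_checker hook */
typedef struct {
    const char *keyword;  /* Require type the module owns, e.g. "ldap-group" */
    int authoritative;    /* AuthzXXXAuthoritative On (1) / Off (0) */
    int strict;           /* hypothetical: 1 = first reading, 0 = second reading */
    int user_matches;     /* constructed lookup result for the current user */
} authz_module;

static int check(const authz_module *m, const char **reqs, int n)
{
    int owned = 0;
    size_t klen = strlen(m->keyword);
    for (int i = 0; i < n; i++) {
        if (strncmp(reqs[i], m->keyword, klen) != 0 || reqs[i][klen] != ' ')
            continue;                 /* not a Require this module handles */
        owned = 1;
        if (m->user_matches) return OK;
    }
    /* Second reading has the shape of
       `if (!required_group || !conf->authoritative)`: decline, let others try */
    if (!m->authoritative || (!owned && !m->strict))
        return DECLINED;
    return HTTP_UNAUTHORIZED;
}

/* The first hook that does not decline decides; assumed fallback is deny */
static int run_chain(const authz_module *mods, int nmods, const char **reqs, int n)
{
    for (int i = 0; i < nmods; i++) {
        int rv = check(&mods[i], reqs, n);
        if (rv != DECLINED) return rv;
    }
    return HTTP_UNAUTHORIZED;
}

/* LDAP-like module ordered before a groupfile-like one; only "group" is required */
static int demo(int ldap_strict)
{
    const char *reqs[] = { "group admins" };            /* constructed config */
    authz_module mods[] = { { "ldap-group", 1, ldap_strict, 0 },
                            { "group",      1, 0,           1 } };
    return run_chain(mods, 2, reqs, 1);
}

int main(void) { printf("first: %d, second: %d\n", demo(1), demo(0)); return 0; }
```

Under the first reading the LDAP-like module rejects a request whose only `Require` belongs to another module, so the outcome depends on hook ordering; under the second it declines and the owning module decides.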