httpd-dev mailing list archives

From "Plüm, Rüdiger, VF-Group" <ruediger.pl...@vodafone.com>
Subject RE: AuthBasicProvider failover and mod_authnz_ldap
Date Tue, 14 Jul 2009 07:23:28 GMT

> -----Original Message-----
> From: Eric Covener  
> Sent: Monday, 13 July 2009 23:31
> To: dev@httpd.apache.org
> Subject: AuthBasicProvider failover and mod_authnz_ldap
> 
> PR#47521 points out that when mod_authnz_ldap has some fatal LDAP
> connectivity error, it doesn't allow other AuthBasicProviders to have
> a shot at checking the userid.
> 
> It seems like the normal use case for two providers is when there are
> two disjoint user repositories, and we only move on to search the
> second when the user of interest isn't found in the first.
> 
> For LDAP, should we treat a failure to even search the database this
> same way, allowing it to move on to other providers
> (AUTH_USER_NOT_FOUND vs. AUTH_GENERAL_ERROR)?  It seems to me that the
> LDAP backends often have poor reliability and lots of use cases would
> want the 2nd provider for emergencies, at little expense (hypothetical
> attacker that took out your LDAP servers, and compromised e.g.
> AuthUserFile).
> 
> Thoughts?

Haven't thought this through, but at first glance it makes sense that
the next provider can continue if the first one had a fatal error.

Regards

Rüdiger
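The two-provider setup the thread is talking about, as an added illustration (this is not configuration from the thread or from the httpd project; hostnames, paths and the DN base are made-up placeholders). With `AuthBasicProvider ldap file`, mod_auth_basic asks the ldap provider first and only consults the file provider when the ldap provider answers AUTH_USER_NOT_FOUND; the question raised above is whether a fatal LDAP connectivity error should also fall through to the file provider instead of ending the request as a server error:

```apache
# Added example: LDAP as the primary user repository, an htpasswd file
# as the emergency/second repository. Hostname, base DN and file path
# are placeholders.
<Location /secure>
    AuthType Basic
    AuthName "Restricted"

    # Providers are tried left to right. The file provider is reached
    # only when the ldap provider reports AUTH_USER_NOT_FOUND; a fatal
    # LDAP error (AUTH_GENERAL_ERROR) currently stops the chain here,
    # which is the behaviour PR#47521 reports.
    AuthBasicProvider ldap file

    AuthLDAPURL "ldap://ldap.example.com/ou=People,dc=example,dc=com?uid?sub?(objectClass=inetOrgPerson)"

    # Keep this file small, root-owned and outside the document root:
    # if LDAP errors are allowed to fall through, whoever can write this
    # file can authenticate whenever LDAP is unreachable.
    AuthUserFile /etc/httpd/conf/emergency.htpasswd

    # In 2.2 the LDAP authorization hook is authoritative by default and
    # rejects users it did not authenticate itself, so a user who came
    # from the file provider would fail "Require valid-user" without this.
    AuthzLDAPAuthoritative off

    Require valid-user
</Location>
```

When testing the failover, stop or firewall the LDAP host and watch the error log: with the behaviour described in the thread the request fails outright rather than reaching the file provider, which is what the proposed AUTH_USER_NOT_FOUND treatment would change.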

