httpd-users mailing list archives

From Eric Covener
Subject Re: [users@httpd] group authorization via LDAP
Date Fri, 02 Oct 2009 15:05:00 GMT
On Fri, Oct 2, 2009 at 8:38 AM, Marc Patermann wrote:
> Hi,
> Tom Evans wrote:
>> On Thu, 2009-10-01 at 17:18 -0400, Tony Rice (trice) wrote:
>> This is how we do it:
>> [...]
>> AuthzLDAPAuthoritative "On"
>> Require valid-user
>> Require ldap-group cn=Department,ou=Groups,o=Company
> Does this work?
> When I read the docs:
> "Require valid-user
> If this directive exists, mod_authnz_ldap grants access to any user that has
> successfully authenticated during the search/bind phase."
> and:
> "Other Require values may also be used which may require loading additional
> authorization modules. Note that if you use a Require value from another
> authorization module, you will need to ensure that AuthzLDAPAuthoritative
> is set to off to allow the authorization phase to fall back to the module
> providing the alternate Require value."
> ->

> This seems to me like either "Require valid-user" is not working at all -
> because AuthzLDAPAuthoritative is "On" - or it overrules any ldap-group
> setting. Hm!?

The doc is poor in this regard.  mod_authnz_ldap does not handle
"valid-user", it allows another module to handle it [if the request
gets that far].  This is why the AuthzLDAPAuthoritative does not
apply to the "Require valid-user", and this quoted config boils down
to the same as if you'd removed the first two quoted directives.

Eric Covener
