Suppose you have more than one authz module, for example, mod_authz_groupfile and mod_authnz_ldap, that you want to use to control access. You might configure

    Require group authorized_users
    Require ldap-attribute employeeType=active

in hopes of requiring users to both belong to the authorized_users group and be an active employee, but that won't work. Whichever module gets invoked first will either grant or reject access based solely on its own Require statement; the other module never gets to look at the request.
You can stop the modules from rejecting access immediately by configuring

    AuthzGroupFileAuthoritative off
    AuthzLDAPAuthoritative off

but that's not quite right either. If mod_authz_groupfile gets invoked first and the user is in the group, access will be granted immediately, and again, the other module doesn't get to check its own Require. The same could happen in the opposite order. The result will be that we require either the right group, or an active employee, but never both; and which one depends on the module ordering.
So, am I right about how this works? And is there any way to configure things so multiple Requires from different authz modules are all required to pass in order to grant access? Or would you have to find some other way entirely?
Thanks,
Dan
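
Added example (not part of the original message, and not httpd code): a small Python model of the module chain as the message describes it, run over four constructed users in both module orders. The verdict names, the sample users and the rule that a request no module accepts is refused are assumptions of the model.

```python
# Toy model of the first-answer-wins authz chain described in the message.
# Not httpd code: function names mirror the modules in the post; users are constructed.
OK, DECLINED, DENIED = "OK", "DECLINED", "DENIED"

# Constructed sample users: (member of authorized_users, employeeType)
USERS = {
    "alice": (True, "active"),
    "bob": (True, "retired"),
    "carol": (False, "active"),
    "dave": (False, "retired"),
}

def groupfile(user, authoritative):
    """Stands in for mod_authz_groupfile: Require group authorized_users."""
    if USERS[user][0]:
        return OK
    return DENIED if authoritative else DECLINED

def ldap(user, authoritative):
    """Stands in for mod_authnz_ldap: Require ldap-attribute employeeType=active."""
    if USERS[user][1] == "active":
        return OK
    return DENIED if authoritative else DECLINED

def run_chain(modules, user, authoritative):
    """Return True if access is granted; the first module that answers decides."""
    for module in modules:
        verdict = module(user, authoritative)
        if verdict != DECLINED:
            return verdict == OK
    return False  # assumption: nobody accepted the request, so it is refused

def granted(modules, authoritative):
    """Set of users the chain lets in."""
    return {u for u in USERS if run_chain(modules, u, authoritative)}

def intended():
    """What the configuration was meant to express: in the group AND active."""
    return {u for u, (in_group, etype) in USERS.items()
            if in_group and etype == "active"}

if __name__ == "__main__":
    for order in ([groupfile, ldap], [ldap, groupfile]):
        names = " -> ".join(m.__name__ for m in order)
        for auth in (True, False):
            print(f"{names:20} authoritative={auth}: {sorted(granted(order, auth))}")
    print("intended (both):", sorted(intended()))
```

In this model no combination of ordering and Authoritative setting yields the intended set: bob or carol is always admitted alongside alice.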