On Thu, Jan 15, 2009 at 4:17 PM, Dan Poirier <poirier@xxxxxxxxx> wrote:

>     Require group authorized_users
>     Require ldap-attribute employeeType=active
>
> in hopes of requiring users to both belong to the authorized_users group and
> be an active employee, but that won't work. Whichever module gets invoked
> first will either grant or reject access based solely on its own Require
> statement; the other module never gets to look at the request.

All Requires are "OR"'ed in 2.2.x and earlier. Any single match is
sufficient and nothing else can be expressed.

> You can stop the modules from rejecting access immediately by configuring
>
>     AuthzGroupFileAuthoritative off
>     AuthzLDAPAuthoritative off
>
> but that's not quite right either. If mod_authz_groupfile gets invoked
> first and the user is in the group, access will be granted immediately, and
> again, the other module doesn't get to check its own Require. The same
> could happen in the opposite order. The result will be that we require
> either the right group, or an active employee, but never both; and which one
> depends on the module ordering.

This is even the case when requirements are within the same module.

> So, am I right about how this works? And is there any way to configure
> things so multiple Requires from different authz modules are all required to
> pass in order to grant access? Or would you have to find some other way
> entirely?

Yes, modules DECLINE if they don't see any of _their_ Require types, and
return HTTP_FORBIDDEN if they see some of the types but don't match any of
them.

--
Eric Covener
covener@xxxxxxxxx

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
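The decision rule Eric describes, written out as a small Python model so the OR behaviour and the order dependence Dan observed can be checked against concrete users. This is an added example, not code from the thread or from httpd itself: the module names, the user records, the Require lines and the per-module attribute lookups are constructed for the demonstration, and the "every module declined" outcome is modelled on what 2.2's core does in that case (it logs a configuration error and returns a 500), which the thread does not mention.

```python
"""Model of how httpd 2.2 authz modules combine Require lines (added example,
not code from the thread or from httpd). It encodes the rule from the reply:
a module DECLINEs when none of the Require types are its own, returns
HTTP_FORBIDDEN when it owns some of them but the user matches none, and
returns OK on the first match. Module names, users and Require lines below
are constructed for the demonstration."""
from dataclasses import dataclass, field

OK = "OK"
DECLINED = "DECLINED"
HTTP_FORBIDDEN = "HTTP_FORBIDDEN"
HTTP_INTERNAL_SERVER_ERROR = "HTTP_INTERNAL_SERVER_ERROR"

# Require types each module claims (hypothetical subset of the real ones).
MODULE_TYPES = {
    "mod_authz_groupfile": {"group"},
    "mod_authnz_ldap": {"ldap-attribute"},
}


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)
    attrs: dict = field(default_factory=dict)


def _matches(rtype, arg, user):
    """Evaluate one Require line against a user (constructed lookups)."""
    if rtype == "group":
        return arg in user.groups
    if rtype == "ldap-attribute":
        key, _, value = arg.partition("=")
        return user.attrs.get(key) == value
    return False


def run_module(module, requires, user, authoritative=True):
    """One module's auth_checker hook under the 2.2 rules."""
    mine = [(t, a) for t, a in requires if t in MODULE_TYPES[module]]
    if not mine:
        return DECLINED  # none of my Require types: not my business
    if any(_matches(t, a, user) for t, a in mine):
        return OK  # first match grants immediately
    # Saw my types but matched none: reject, unless *Authoritative off turns
    # that rejection into a DECLINE so the next module gets a look.
    return HTTP_FORBIDDEN if authoritative else DECLINED


def authorize(order, requires, user, authoritative=None):
    """RUN_FIRST semantics: the first module that does not DECLINE decides."""
    authoritative = authoritative or {}
    for module in order:
        result = run_module(module, requires, user, authoritative.get(module, True))
        if result != DECLINED:
            return result
    # Every module declined: 2.2's core treats this as a configuration error
    # ("couldn't check access") and answers 500. Modelled here, not from the thread.
    return HTTP_INTERNAL_SERVER_ERROR


def admitted(order, requires, users, authoritative=None):
    """Names of the users a given module order and Authoritative setting lets in."""
    return {u.name for u in users if authorize(order, requires, u, authoritative) == OK}


# Dan's two Require lines and four constructed users covering every combination.
REQUIRES = [("group", "authorized_users"), ("ldap-attribute", "employeeType=active")]
USERS = [
    User("alice", attrs={"employeeType": "active"}),  # active, not in group
    User("bob", groups={"authorized_users"}, attrs={"employeeType": "left"}),  # in group, not active
    User("carol", groups={"authorized_users"}, attrs={"employeeType": "active"}),  # both
    User("dave"),  # neither
]
ORDERS = [("mod_authz_groupfile", "mod_authnz_ldap"), ("mod_authnz_ldap", "mod_authz_groupfile")]
NON_AUTHORITATIVE = {"mod_authz_groupfile": False, "mod_authnz_ldap": False}


def can_express_and(requires=REQUIRES, users=USERS):
    """True only if some order/Authoritative combination admits exactly the users
    satisfying every Require line; under the 2.2 rules this never happens."""
    want = {u.name for u in users if all(_matches(t, a, u) for t, a in requires)}
    for order in ORDERS:
        for auth in (None, NON_AUTHORITATIVE):
            if admitted(order, requires, users, auth) == want:
                return True
    return False


if __name__ == "__main__":
    for order in ORDERS:
        print(order, "authoritative:", sorted(admitted(order, REQUIRES, USERS)))
        print(order, "Authoritative off:", sorted(admitted(order, REQUIRES, USERS, NON_AUTHORITATIVE)))
    print("AND expressible:", can_express_and())
```

Running it shows the two outcomes Dan predicted: with both modules authoritative, the admitted set is {bob, carol} or {alice, carol} depending purely on module order; with both set to `off`, the result is the OR of the two lines, {alice, bob, carol}, regardless of order, and a user matching neither line (dave) falls through every module and gets the configuration-error response rather than a clean 403. No combination admits only carol, which is the answer to Dan's question for 2.2. Composing Require lines with AND is what httpd 2.4's `<RequireAll>` container was added for.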