On Fri, Oct 2, 2009 at 8:38 AM, Marc Patermann <hans.moser@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> Hi,
>
> Tom Evans wrote:
>>
>> On Thu, 2009-10-01 at 17:18 -0400, Tony Rice (trice) wrote:
>
>> This is how we do it:
>> [...]
>> AuthzLDAPAuthoritative "On"
>> Require valid-user
>> Require ldap-group cn=Department,ou=Groups,o=Company
>
> Does this work?
> When I read the docs:
> "Require valid-user
> If this directive exists, mod_authnz_ldap grants access to any user that has
> successfully authenticated during the search/bind phase."
> and:
> "Other Require values may also be used which may require loading additional
> authorization modules. Note that if you use a Require value from another
> authorization module, you will need to ensure that AuthzLDAPAuthoritative
> is set to off to allow the authorization phase to fall back to the module
> providing the alternate Require value."
> -> http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html
>
> This seems to me like either "Require valid-user" is not working at all -
> because AuthzLDAPAuthoritative is "On" - or it overrules any ldap-group
> setting. Hm!?

The doc is poor in this regard. mod_authnz_ldap does not handle
"valid-user", it allows another module to handle it [if the request
gets that far].

This is why the AuthzLDAPAuthoritative does not apply to the "Require
valid-user", and this quoted config boils down to the same as if you'd
removed the first two quoted directives [IIUC].

--
Eric Covener
covener@xxxxxxxxx