Thanks. I'm in a production environment, so going to the trunk will be a tough sell.

Ryan Patrick offered up a complete patch in 2005 to allow "and" -- reused "Satisfy all", which raised some controversy. I'll revive/update his patch suggestion, but add a one-off flag for "AuthzLDAPSatisfy all" [defaulting to "any" which yields the current OR behavior]. At the time, Graham L. didn't like the one-off flag, as it was asymmetric with other modules. I don't see that as an overwhelming concern.

--Pete

> -----Original Message-----
> From: Eric Covener [mailto:covener@xxxxxxxxx]
> Sent: Tuesday, April 06, 2010 3:57 PM
> To: users@xxxxxxxxxxxxxxxx
> Subject: Re: How do I require more than one Require ldap-* directive match?
>
> On Tue, Apr 6, 2010 at 1:50 PM, Thomas, Peter <pthomas@xxxxxxxx> wrote:
> > I've looked at the mod_authnz_ldap code and the documentation. "Out
> > of the box" it seems like there's no way to turn the "OR" behavior of
> > Require ldap-* lines into "AND." I've been trying as hard as I can to
> > avoid creating not only a new provider type but also a new provider.
> > Unfortunately, the more I dig into mod_authnz_ldap the more it seems
> > like it's not quite what I need.
> >
> > Is there a "right" way to do this? One thought is creating a hook
> > that "fakes out" check_user_access by dynamically updating the array
> > of requires to "present" one ldap-* require line at a time, then
> > aggregating the results into a single return value.
> >
> > I've seen some pretty subtle tricks from all of you--I'm hoping that
> > someone out there has a better option than building up a new provider.
> >
>
> This comes for free in trunk. I'd review a 2.2.x patch that
> just changed the way the loop operates to respect an "AND"
> flag -- my guess is that it is not very hard but I am too
> swamped to play with it
>
> The caveat for the doc would be that it only made sense
> in an all ldap-* configuration.
>
> This AND behavior for LDAP authz is frequently requested.
>
>
> --
> Eric Covener
> covener@xxxxxxxxx
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
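
Added example, not part of the original thread and not the posters' configuration: the OR behavior of stacked Require ldap-* lines in 2.2.x beside the AND form available in httpd 2.4 (the trunk referred to above) through the <RequireAll> container. The paths, LDAP URL and group DNs are constructed placeholders.

```apache
# --- httpd 2.2.x: behavior described in the thread -------------------
# mod_authnz_ldap walks the Require lines and grants access on the first
# ldap-* line that matches, so membership in EITHER group is enough (OR).
<Location "/finance-22">
    AuthType Basic
    AuthName "Finance"
    AuthBasicProvider ldap
    # Constructed placeholder directory URL
    AuthLDAPURL "ldap://ldap.example.com/ou=People,dc=example,dc=com?uid"
    Require ldap-group cn=finance,ou=Groups,dc=example,dc=com
    Require ldap-group cn=managers,ou=Groups,dc=example,dc=com
</Location>

# --- httpd 2.4: AND expressed with an authorization container --------
# Bare Require lines are still combined as "any" in 2.4, so the
# container is what turns the two checks into AND: the user must be a
# member of BOTH groups.
<Location "/finance-24">
    AuthType Basic
    AuthName "Finance"
    AuthBasicProvider ldap
    # Constructed placeholder directory URL
    AuthLDAPURL "ldap://ldap.example.com/ou=People,dc=example,dc=com?uid"
    <RequireAll>
        Require ldap-group cn=finance,ou=Groups,dc=example,dc=com
        Require ldap-group cn=managers,ou=Groups,dc=example,dc=com
    </RequireAll>
</Location>
```

When migrating a 2.2 access policy, check every block with more than one Require ldap-* line: copied unchanged into 2.4 it keeps the OR semantics, which is broader than an AND policy the owner may have assumed.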