I continue to fight with this.  I added in "stub" handlers for Access,
I've determined that the authorization check of mod_authnz_ldap is being
executed in the Access phase of AAA.  This isn't documented; it's
causing two problems:  early auth failure as well as a side-effect of an
extra, useless LDAP query with a blank filter.
 
How do I instruct Apache to remove mod_authnz_ldap's authorization
handler from the access phase, while leaving it in for authorization?
 
Warmly,
 
--Pete
 
 
________________________________

From: Thomas, Peter [mailto:[email protected]] 
Sent: Thursday, February 25, 2010 12:53 PM
To: [email protected]
Subject: [us...@httpd] Controlling which handlers run, and when



I'm trying to combine mod_authnz_ldap with a mod_perl PerlAuthenHandler.
I've got everything working correctly except that the mod_authnz_ldap
handler is being called twice...once before my PerlAuthenHandler [when
the request has not been properly configured] and once after.

This is a problem.  I've been able to see this flow by using
AuthzLDAPAuthoritative off. [to get a "DECLINED" out of the first
invocation].  When I do, my require ldap-filter, etc., directives are
not treated as authoritative on the "second pass" when the request user
has been set correctly.

--Pete 

--- 
Peter L. Thomas, [email protected] <mailto:[email protected]>  
(w) 703-682-5308 (c) 703-615-7806 (pgr) 877-383-8910 
<<Thomas, Peter L. ([email protected]).vcf>> 

Reply via email to