[replying to my own msg]
>> Sander Striker wrote:
>>
>>> IMO this should be split. Auth and authz are
>>> completely different things and it would be nice
>>> to have different modules to do authentication
>>> in a different way, but still utilize the same
>>> authorization method.
>>
>> I'm not sure if splitting them will accomplish this though. From the
>> LDAP auth stuff, the authentication phase and the authorisation phase
>> are separate, but share common configuration parameters (LDAP bind info,
>> for example), so splitting them wouldn't make much sense.
>
> In all the modules the phases are separate, because they all hook
> check_user_id and check_user_access. There is no way however to
> determine the group a user is in from check_user_id in a non module
                                                   ^^
this should of course be 'access'.
> specific way. I would like _that_ to be possible, since now, the
> authz part (check_user_access) is doing stuff auth should do: checking
> for group membership.
>
>> Also - there isn't a clear line over what constitutes an authentication
>> token - again, the LDAP authenticator converts a provided username into
>> a DN, which the authorisation phase uses to apply to the require
>> directives. If you have to mix up the different modules, you would need
>> to make sure they are all talking the same language (so to speak).
>
> Yes, but I don't see that as a problem. Right now, the same is
> true for the FakeBasicAuth feature of mod_ssl which provides a one line
> DN as the username.
>
>> Regards,
>> Graham
>
> Sander
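The split Sander argues for above, with authentication and authorization as separate phases and group membership answered through a provider interface instead of inside the authz hook, as an added example in plain C. This is not httpd code or Sander's or Graham's; the `authn_provider` struct, the `check_user_access` and `handle_request` functions, the `in_csv` helper and the two constructed tables (an in-memory stand-in for an LDAP directory whose principal is a DN, and a flat password file whose principal is the login name) are all assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>
/* Provider interface (hypothetical, not an httpd API). check_user_id verifies
 * credentials and writes the canonical principal; is_member answers group
 * questions for that principal: the hook the thread says authz lacks. */
typedef struct {
    const void *ctx;                   /* provider-private data */
    int (*check_user_id)(const void *ctx, const char *user, const char *pw,
                         char *principal, size_t len);
    int (*is_member)(const void *ctx, const char *principal, const char *group);
} authn_provider;

/* Is `item` one element of the comma-separated list `csv`? */
static int in_csv(const char *csv, const char *item)
{
    char hay[256], needle[128];
    snprintf(hay, sizeof hay, ",%s,", csv);
    snprintf(needle, sizeof needle, ",%s,", item);
    return strstr(hay, needle) != NULL;
}

typedef struct { const char *login, *pw, *principal, *groups; } entry;
typedef struct { const entry *rows; size_t n; } table;

/* Constructed stand-in for an LDAP directory: the principal is the entry's
 * DN, so everything after authentication sees a DN, not the login name. */
static const entry ldap_rows[] = {
    {"alice", "s3cret",  "uid=alice,ou=people,dc=example,dc=org", "admins,staff"},
    {"bob",   "hunter2", "uid=bob,ou=people,dc=example,dc=org",   "staff"},
};
/* Constructed flat password file: the principal is the login name itself. */
static const entry file_rows[] = {
    {"carol", "letmein", "carol", "admins"},
    {"dave",  "pass",    "dave",  ""},
};
static const table ldap_tab = {ldap_rows, 2}, file_tab = {file_rows, 2};

static const entry *find(const table *t, const char *login, const char *principal)
{
    for (size_t i = 0; i < t->n; i++)
        if ((login && strcmp(t->rows[i].login, login) == 0) ||
            (principal && strcmp(t->rows[i].principal, principal) == 0))
            return &t->rows[i];
    return NULL;
}

/* check_user_id analogue. A real LDAP module would search for the uid and
 * bind as the resulting DN; here the password is simply compared. */
static int table_check_user_id(const void *ctx, const char *user, const char *pw,
                               char *principal, size_t len)
{
    const entry *e = find(ctx, user, NULL);
    if (!e || strcmp(e->pw, pw) != 0)
        return 0;
    snprintf(principal, len, "%s", e->principal);
    return 1;
}

static int table_is_member(const void *ctx, const char *principal, const char *group)
{
    const entry *e = find(ctx, NULL, principal);
    return e ? in_csv(e->groups, group) : 0;
}

const authn_provider ldap_provider = {&ldap_tab, table_check_user_id, table_is_member};
const authn_provider file_provider = {&file_tab, table_check_user_id, table_is_member};

/* check_user_access analogue: evaluates one Require line ("valid-user",
 * "user a b ...", "group g ...") through the provider interface only, so the
 * same code serves both providers. Unknown keywords deny. */
int check_user_access(const authn_provider *p, const char *principal,
                      const char *require)
{
    char buf[256];
    snprintf(buf, sizeof buf, "%s", require);
    char *kind = strtok(buf, " ");
    if (!kind) return 0;
    if (strcmp(kind, "valid-user") == 0) return 1;
    int by_group = strcmp(kind, "group") == 0;
    if (!by_group && strcmp(kind, "user") != 0)
        return 0;
    for (char *tok = strtok(NULL, " "); tok; tok = strtok(NULL, " "))
        if (by_group ? p->is_member(p->ctx, principal, tok)
                     : strcmp(principal, tok) == 0)
            return 1;
    return 0;
}

/* Both phases in order: 1 only if credentials verify and Require matches. */
int handle_request(const authn_provider *p, const char *user, const char *pw,
                   const char *require)
{
    char principal[128];
    if (!p->check_user_id(p->ctx, user, pw, principal, sizeof principal))
        return 0;                                    /* would be 401 */
    return check_user_access(p, principal, require); /* 0 would be 403 */
}
```

Graham's "same language" concern is visible here: with the LDAP provider the principal is the DN, so `user alice` never matches while `user uid=alice,ou=people,dc=example,dc=org` does, exactly as with a FakeBasicAuth-style DN username. `group` lines work unchanged with both providers because membership is asked of the provider that knows the directory, which is what moving the group lookup out of the authz hook buys.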