Geoffrey Young said:

> isn't this kind of thing really up to the provider itself? I would think
> that the provider would need to be intelligent enough to understand when to
> iterate over directories or files and when not to.
The end goal is to simplify the providers so that you do not have to teach each one how to handle multiple sources. The problem with implementing multiple sources in one provider is that the end user assumes that the same is possible in other providers, and is surprised when they find out the hard way it's not.

> while I don't claim to have more than a cursory understanding of ldap, I
> would think these cases could be handled by extending the current situation
> a bit. for instance, for the file provider something like
>
>   AuthBasicProvider file
>   AuthFileName file1 file2
>
> if AuthFileName were ITERATE mod_authn_file would know that it should not
> return AUTH_USER_NOT_FOUND until it has checked all the files present. or
> somesuch off the top of my head.
>
> are there situations specific to ldap that would make some variant of this
> difficult or unacceptable? I'm just trying to get a better feel for why the
> exception you raise isn't an issue for providers to locally figure out
> themselves.

The problem is that LDAP auth is set up using many directives ("system" user to bind to the directory as, password, the search details to find the user record, possible SSL directives per LDAP server). While the file case fits neatly into the AuthFileName directive, this doesn't fit into any other auth provider where there are multiple arguments.
To fill out the example of the "Auth" container to better illustrate what I mean, you might have this:

  <Auth ldap-acc-activedirectory>
    require ldap-group cn=Accounting,ou=Groups,ou=XXX
    AuthLDAPBindDN cn=Mail,dc=XXX
    AuthLDAPBindPassword blah1
    LDAPTrustedMode SSL
    AuthLDAPURL ldaps://xxx.co.za/dc=xxx,dc=co,dc=za?uid?sub
    AuthLDAPRemoteUserIsDN on
  </Auth>

  <Auth ldap-eng-activedirectory>
    require ldap-group cn=Engineering,ou=Groups,ou=YYY
    AuthLDAPBindDN cn=Mail,dc=YYY
    AuthLDAPBindPassword blah2
    LDAPTrustedMode SSL
    AuthLDAPURL ldaps://yyy.co.za/dc=yyy,dc=co,dc=za?uid?sub
    AuthLDAPRemoteUserIsDN on
  </Auth>

  AuthBasicProvider ldap-acc-activedirectory ldap-eng-activedirectory

Regards,
Graham
--
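The two designs discussed in this thread differ in where the "keep looking" logic lives: in Geoffrey's ITERATE variant a single provider walks all of its sources before answering AUTH_USER_NOT_FOUND, while in Graham's "Auth" container each named block is a separately configured provider instance and mod_auth_basic walks the AuthBasicProvider list. The Python model below is an added example, not code from httpd or from either poster. It reproduces the one rule that matters for both designs, namely that mod_auth_basic stops at the first provider that answers anything other than USER_NOT_FOUND, so a wrong password for a user known to the first provider is a DENIED and later providers are never consulted. The credential sources are constructed dicts standing in for htpasswd files and directories (no LDAP is contacted), passwords are stored as SHA-256 hashes purely to keep the comparison constant-time, and the `require ldap-group` authorization step from the Auth blocks is left out because it is not part of the authentication chain.

```python
"""Model of provider chaining in mod_auth_basic and of an ITERATE-style
multi-file provider. Added example; not httpd code."""
import hashlib
import hmac
from enum import Enum, auto
from typing import Callable, Dict, List


class AuthResult(Enum):
    # Mirrors the three outcomes the thread talks about.
    GRANTED = auto()
    DENIED = auto()
    USER_NOT_FOUND = auto()


# A credential source maps user -> sha256 hex of the password.
# Constructed stand-in for an htpasswd file or a directory.
CredSource = Dict[str, str]
Provider = Callable[[str, str], AuthResult]


def _h(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def verify_against(source: CredSource, user: str, password: str) -> AuthResult:
    """Single-source check: unknown user -> USER_NOT_FOUND, known user ->
    GRANTED or DENIED depending on the (constant-time) password compare."""
    stored = source.get(user)
    if stored is None:
        return AuthResult.USER_NOT_FOUND
    if hmac.compare_digest(stored, _h(password)):
        return AuthResult.GRANTED
    return AuthResult.DENIED


def file_provider(files: List[CredSource]) -> Provider:
    """'AuthFileName file1 file2 ...' with ITERATE semantics as proposed in the
    quoted mail: keep walking while a file says USER_NOT_FOUND; the first file
    that knows the user decides (GRANTED or DENIED)."""
    def check(user: str, password: str) -> AuthResult:
        for f in files:
            result = verify_against(f, user, password)
            if result is not AuthResult.USER_NOT_FOUND:
                return result
        return AuthResult.USER_NOT_FOUND
    return check


def ldap_like_provider(directory: CredSource) -> Provider:
    """One <Auth name> block: an independently configured instance that only
    ever consults its own directory (a dict here, hypothetical stand-in)."""
    def check(user: str, password: str) -> AuthResult:
        return verify_against(directory, user, password)
    return check


def auth_basic(chain: List[str], providers: Dict[str, Provider],
               user: str, password: str) -> AuthResult:
    """mod_auth_basic's loop: try each AuthBasicProvider name in order and stop
    at the first provider whose answer is not USER_NOT_FOUND."""
    for name in chain:
        result = providers[name](user, password)
        if result is not AuthResult.USER_NOT_FOUND:
            return result
    return AuthResult.USER_NOT_FOUND


# Constructed sample data. "alice" exists in both directories with different
# passwords, which is exactly the case where provider order matters.
ACC_DIR: CredSource = {"alice": _h("acc-pass")}
ENG_DIR: CredSource = {"bob": _h("eng-pass"), "alice": _h("eng-pass")}
FILE1: CredSource = {"carol": _h("c1")}
FILE2: CredSource = {"dave": _h("d2")}

PROVIDERS: Dict[str, Provider] = {
    "ldap-acc-activedirectory": ldap_like_provider(ACC_DIR),
    "ldap-eng-activedirectory": ldap_like_provider(ENG_DIR),
    "file": file_provider([FILE1, FILE2]),
}
# Equivalent of:
#   AuthBasicProvider ldap-acc-activedirectory ldap-eng-activedirectory file
CHAIN = ["ldap-acc-activedirectory", "ldap-eng-activedirectory", "file"]


def check(user: str, password: str) -> AuthResult:
    return auth_basic(CHAIN, PROVIDERS, user, password)


if __name__ == "__main__":
    for u, p in [("alice", "acc-pass"), ("alice", "eng-pass"),
                 ("bob", "eng-pass"), ("dave", "d2"), ("erin", "x")]:
        print(u, p, check(u, p).name)
```

The `("alice", "eng-pass")` case is the one worth noticing: the accounting directory knows alice, her password does not match there, so the answer is DENIED and the engineering directory is never asked even though it would have accepted her. Whichever of the two configuration designs wins, that ordering rule is what operators have to keep in mind when the same user id exists in more than one source.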