> -----Original Message-----
> From: Eric Covener
> Sent: Monday, 13 July 2009 23:31
> To: dev@httpd.apache.org
> Subject: AuthBasicProvider failover and mod_authnz_ldap
>
> PR#47521 points out that when mod_authnz_ldap has some fatal LDAP
> connectivity error, it doesn't allow other AuthBasicProviders to have
> a shot at checking the userid.
>
> It seems like the normal use case for two providers is when there are
> two disjoint user repositories, and we only move on to search the
> second when the user of interest isn't found in the first.
>
> For LDAP, should we treat a failure to even search the database this
> same way, allowing it to move onto other providers
> (AUTH_USER_NOT_FOUND vs. AUTH_GENERAL_ERROR)? It seems to me that the
> LDAP backends often have poor reliability and lots of use cases would
> want the 2nd provider for emergencies, at little expense (hypothetical
> attacker that took out your LDAP servers, and compromised e.g.
> AuthUserFile).
>
> Thoughts?

Haven't thought this through but from a first glance it makes sense that the next provider can continue if the first one had a fatal error.

Regards

Rüdiger
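
A small C model of the provider chain discussed in this thread, added here as an illustration; it is not httpd or mod_authnz_ldap code. The status names come from the thread, while the two providers, the users and passwords, and the `ldap_failover` switch are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Status names as used in the thread; numeric values are this model's own. */
typedef enum { AUTH_DENIED, AUTH_GRANTED, AUTH_USER_NOT_FOUND, AUTH_GENERAL_ERROR } authn_status;
typedef authn_status (*check_fn)(const char *user, const char *pw);

static int ldap_up = 1;        /* constructed: is the directory reachable? */
static int ldap_failover = 0;  /* 0 = behaviour reported in the PR, 1 = proposed change */

/* Hypothetical LDAP-backed provider that knows only "alice". */
static authn_status ldap_check(const char *user, const char *pw) {
    if (!ldap_up)  /* the search could not even be attempted */
        return ldap_failover ? AUTH_USER_NOT_FOUND : AUTH_GENERAL_ERROR;
    if (strcmp(user, "alice") != 0) return AUTH_USER_NOT_FOUND;
    return strcmp(pw, "ldap-secret") == 0 ? AUTH_GRANTED : AUTH_DENIED;
}

/* Hypothetical file-backed provider: local "ops" plus an emergency entry for "alice". */
static authn_status file_check(const char *user, const char *pw) {
    if (strcmp(user, "ops") == 0)
        return strcmp(pw, "file-secret") == 0 ? AUTH_GRANTED : AUTH_DENIED;
    if (strcmp(user, "alice") == 0)
        return strcmp(pw, "old-file-secret") == 0 ? AUTH_GRANTED : AUTH_DENIED;
    return AUTH_USER_NOT_FOUND;
}

/* Provider chain: only AUTH_USER_NOT_FOUND hands the request to the next provider. */
static authn_status check_chain(const char *user, const char *pw) {
    check_fn providers[] = { ldap_check, file_check };
    authn_status res = AUTH_USER_NOT_FOUND;
    for (size_t i = 0; i < sizeof providers / sizeof providers[0]; i++) {
        res = providers[i](user, pw);
        if (res != AUTH_USER_NOT_FOUND) break;
    }
    return res;
}

/* Set the constructed outage/policy switches, then run one login through the chain. */
authn_status try_login(int up, int failover, const char *user, const char *pw) {
    ldap_up = up;
    ldap_failover = failover;
    return check_chain(user, pw);
}

int main(void) {
    printf("LDAP down, no failover: ops -> %d\n", try_login(0, 0, "ops", "file-secret"));
    printf("LDAP down, failover:    ops -> %d\n", try_login(0, 1, "ops", "file-secret"));
    printf("LDAP down, failover:  alice -> %d\n", try_login(0, 1, "alice", "old-file-secret"));
    return 0;
}
```

In this model, failover during an outage makes the file entry authoritative for a user who normally lives in LDAP, so the fallback store needs the same protection and credential hygiene as the directory.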