This is an alternate path that I considered in my AuthType Cert work. I didn't choose it, because it was actually meaningful in my situation to declare a user with an otherwise valid certificate "unauthenticated" if no matching LDAP record could be found.
I agree with Eric that "AUTHENTICATE_" isn't the best prefix [of course, we need to respect the installed base that may be depending upon it]. I think a more appropriate prefix might be "LDAP_<attributename>" [semantically I think this is a better way to "hint" that the value for the attribute came from an LDAP search].

> -----Original Message-----
> From: Eric Covener [mailto:cove...@gmail.com]
> Sent: Tuesday, April 27, 2010 10:37 PM
> To: dev@httpd.apache.org
> Subject: Re: patch for mod_ldap_authnz
>
> On Tue, Apr 27, 2010 at 9:25 PM, Kevin Kalupson <kjk...@kevinkal.com> wrote:
> > Hi,
> > mod_authnz_ldap will put the attributes from the AuthLdapUrl in the
> > request environmental variables if ldap is the authentication source.
> > However, if mod_authnz_ldap is only providing Authorization and
> > another module is the authentication source, the attributes are not
> > available as request variables.
> >
>
> Anyone have feelings about LDAP-as-authorizer adding entries
> to AUTHENTICATE_*? Seems like an unfortunate name given the
> nature of the data people are likely to plug into with this.
>
> Perhaps hide it behind a directive in mod_authnz_ldap and let
> users pick the prefix during authz?
>
> --
> Eric Covener
> cove...@gmail.com