Would it be too offensive if mod_authnz_ldap stashed away the users basic auth password in its own per-request config after it successfully authenticates, then used it later during authorization? It is floating around base64'ed anyway, but it still sounds unsavory.
There are some cases where at authorization time, if LDAP was also the authentication source, the users credentials could be used against the backend instead of hard-coded server credentials (this non-anoynmous, no-hard-coded BindDN/BindPassword config is requested every now and again) -- Eric Covener cove...@gmail.com