I've looked at the mod_authnz_ldap code and the documentation. "Out of the box" it seems like there's no way to turn the "OR" behavior of Require ldap-* lines into "AND." I've been trying as hard as I can to avoid creating not only a new provider type but also a new provider. Unfortunately, the more I dig into mod_authnz_ldap the more it seems like it's not quite what I need.

Is there a "right" way to do this? One thought is creating a hook that "fakes out" check_user_access by dynamically updating the array of requires to "present" one ldap-* require line at a time, then aggregating the results into a single return value.

I've seen some pretty subtle tricks from all of you--I'm hoping that someone out there has a better option than building up a new provider.

--Pete

________________________________
From: Thomas, Peter [mailto:ptho...@hpti.com]
Sent: Tuesday, April 06, 2010 1:26 PM
To: users@httpd.apache.org
Subject: [us...@httpd] How do I require more than one Require ldap-* directive match?

How do I configure mod_authnz_ldap to require that I meet multiple authorization conditions [i.e. user must be a member of an LDAP group AND also possess one or more attributes]?

As it is, the code returns "OK" as soon as the first "Require ldap-*" directive succeeds, short-circuiting subsequent require directives. If I only had to match on attributes, I could use a Require ldap-filter directive, but needing to search for both a group and an attribute stops me cold.

-Pete
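
An added illustration, not part of the thread and not the poster's configuration: the group-AND-attribute requirement expressed with the `<RequireAll>` container of mod_authz_core, shown beside the OR form the messages describe. It assumes Apache httpd 2.4, a release the messages do not mention; the host name, DNs, path and attribute value are constructed placeholders.

```apache
# Constructed example: ldap.example.com, the DNs, /restricted and
# employeeType=active are placeholders, not values from the thread.
<Location "/restricted">
    AuthType Basic
    AuthName "Restricted area"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.com/ou=People,dc=example,dc=com?uid"

    # OR form (the behaviour described in the thread): sibling Require
    # lines are alternatives, so the first ldap-* line that matches
    # grants access and the attribute check is never enforced.
    #   Require ldap-group cn=admins,ou=Groups,dc=example,dc=com
    #   Require ldap-attribute employeeType=active

    # AND form (assumes httpd 2.4 with mod_authz_core): every directive
    # inside RequireAll must succeed, so the user has to be in the group
    # and also carry the attribute value.
    <RequireAll>
        Require ldap-group cn=admins,ou=Groups,dc=example,dc=com
        Require ldap-attribute employeeType=active
    </RequireAll>
</Location>
```

When auditing an existing configuration, treat any pair of bare `Require ldap-*` lines that was meant as a conjunction as an authorization gap, since either condition alone is sufficient.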