Moved from using mod_auth_krb to mod_authnz_ldap, and noticing a problem. With previous setup, a successful authentication + failed authorization results in a 401 w/o the WWW-Authenticate header. With mod_authnz_ldap, it always returns the WWW-Authenticate header, even if authentication was successful. This changes user behaviour significantly in the case of a page they are not supposed to have access to, even though they have correctly entered their userid+pw. I have not been able to find any combination of authoritative config options to get this to work as expected. Is this an expected limitation of mod_authnz_ldap, or am I just missing something in my configuration?

---------
[Thu Nov 11 14:00:01 2010] [debug] mod_authnz_ldap.c(379): [client 131.151.49.1] [28790] auth_ldap authenticate: using URL ldap://mst-gc.mst.edu:3268/dc=edu?sAMAccountName?sub?(objectClass=*)
[Thu Nov 11 14:00:01 2010] [debug] mod_authnz_ldap.c(484): [client 131.151.49.1] [28790] auth_ldap authenticate: accepting nneul
[Thu Nov 11 14:00:01 2010] [debug] mod_authnz_ldap.c(665): [client 131.151.49.1] [28790] auth_ldap authorise: require user: authorisation failed [Comparison false (cached)][Compare False]
[Thu Nov 11 14:00:01 2010] [debug] mod_authnz_ldap.c(685): [client 131.151.49.1] [28790] auth_ldap authorise: require user: authorisation failed [Comparison false (cached)][Compare False]
[Thu Nov 11 14:00:01 2010] [debug] mod_authnz_ldap.c(874): [client 131.151.49.1] [28790] auth_ldap authorise: authorisation denied
----------
This is really a comparison between mod_auth_krb and any in-tree authorization provider, right? RFC2616 says a 401 must include www-authenticate, and that a 401 means authorization was denied.
Interesting, I think you may be right there. It's been a while since I used other auth modules - I'm just used to the mod_auth_krb behavior where it doesn't continually reprompt for user+pw for an authorization failure. Is there any way to get that similar behavior - where an authorization failure (as opposed to authentication failure) doesn't result in another password prompt with the basic auth facility?
I don't think this is something that can be made optional
(In reply to comment #3)
> I don't think this is something that can be made optional

True for 2.2. But mod_authz_core in trunk has all necessary information to make the behaviour configurable.

*** This bug has been marked as a duplicate of bug 40721 ***
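As an added example (not from the bug report and not Apache's own code): a small Python classifier that groups the auth_ldap debug lines quoted in comment 1 by request id, tells a failed authentication apart from a denied authorization, and records the response each module produced according to the thread (comment 1) against the RFC 2616 requirement raised in comment 2. The fifth log line (request 28791, client 192.0.2.10, user mallory) is constructed to show the failed-authentication case.

```python
import re

# Constructed sample: the mod_authnz_ldap debug lines quoted in comment 1
# (request 28790) plus one constructed failed-authentication line (28791).
SAMPLE_LOG = """\
[Thu Nov 11 14:00:01 2010] [debug] mod_authnz_ldap.c(379): [client 131.151.49.1] [28790] auth_ldap authenticate: using URL ldap://mst-gc.mst.edu:3268/dc=edu?sAMAccountName?sub?(objectClass=*)
[Thu Nov 11 14:00:01 2010] [debug] mod_authnz_ldap.c(484): [client 131.151.49.1] [28790] auth_ldap authenticate: accepting nneul
[Thu Nov 11 14:00:01 2010] [debug] mod_authnz_ldap.c(665): [client 131.151.49.1] [28790] auth_ldap authorise: require user: authorisation failed [Comparison false (cached)][Compare False]
[Thu Nov 11 14:00:01 2010] [debug] mod_authnz_ldap.c(874): [client 131.151.49.1] [28790] auth_ldap authorise: authorisation denied
[Thu Nov 11 14:00:05 2010] [debug] mod_authnz_ldap.c(490): [client 192.0.2.10] [28791] auth_ldap authenticate: user mallory authentication failed; URI /private [User not found][No such object]
"""

# One auth_ldap debug line: "[client <ip>] [<request id>] auth_ldap <phase>: <msg>"
LINE_RE = re.compile(r"\[client (?P<client>[^\]]+)\] \[(?P<req>\d+)\] auth_ldap "
                     r"(?P<phase>authenticate|authorise): (?P<msg>.*)$")


def classify(log_text):
    """Group lines by request id; outcome is 'authn_failed' (bad credentials),
    'authz_denied' (credentials accepted, Require not met) or 'authz_ok'."""
    requests = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = requests.setdefault(m["req"], {"client": m["client"], "user": None, "outcome": "unknown"})
        phase, msg = m["phase"], m["msg"]
        if phase == "authenticate" and msg.startswith("accepting "):
            rec["user"], rec["outcome"] = msg.split(" ", 1)[1], "authz_ok"
        elif phase == "authenticate" and "authentication failed" in msg:
            rec["user"], rec["outcome"] = msg.split(" ")[1], "authn_failed"
        elif phase == "authorise" and msg.startswith("authorisation denied"):
            rec["outcome"] = "authz_denied"      # only reached after "accepting"
    return requests


def observed_response(outcome, module):
    """(status, WWW-Authenticate present) as each module behaves in the thread.
    RFC 2616 10.4.2 requires the header on every 401, so the mod_auth_krb
    variant is non-compliant; 10.4.4 defines 403 for authenticated-but-forbidden."""
    if outcome == "authn_failed":
        return 401, True
    if outcome == "authz_denied":
        return 401, module != "mod_auth_krb"
    return 200, False
```

Run `classify(SAMPLE_LOG)` to see request 28790 land on `authz_denied` for user nneul and 28791 on `authn_failed`; the distinction is what a monitoring rule needs to separate credential-guessing from access-policy denials.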