From b5e70aad309542edd8c98ddc33787532faa0b12d Mon Sep 17 00:00:00 2001
From: Eric Covener <covener@apache.org>
Date: Sat, 4 Oct 2008 14:45:49 +0000
Subject: [PATCH] shore up AuthzLDAPAuthoritative

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@701645 13f79535-47bb-0310-9956-ffa450edef68
---
 docs/manual/mod/mod_authnz_ldap.html.en | 25 ++++++++++++-------------
 docs/manual/mod/mod_authnz_ldap.xml     | 25 ++++++++++++-------------
 2 files changed, 24 insertions(+), 26 deletions(-)

diff --git a/docs/manual/mod/mod_authnz_ldap.html.en b/docs/manual/mod/mod_authnz_ldap.html.en
index 2cd3b9d9fbf..ef5684c0465 100644
--- a/docs/manual/mod/mod_authnz_ldap.html.en
+++ b/docs/manual/mod/mod_authnz_ldap.html.en
@@ -254,7 +254,11 @@ for HTTP Basic authentication.</td></tr>
     <code class="directive"><a href="#authzldapauthoritative">AuthzLDAPAuthoritative</a></code>
     is set to <code>off</code> to allow the authorization phase to fall
     back to the module providing the alternate
-    <code class="directive"><a href="../mod/core.html#require">Require</a></code> value.</p>
+    <code class="directive"><a href="../mod/core.html#require">Require</a></code> value. When no 
+    LDAP-specific <code class="directive"><a href="../mod/core.html#require">Require</a></code>  directives
+    are used, authorization is allowed to fall back to other modules
+    as if <code class="directive"><a href="#authzldapauthoritative">AuthzLDAPAuthoritative</a></code>
+    was set to <code>off</code>. </p>
 
     <ul>
         <li>Grant access if there is a <a href="#requser"><code>Require
@@ -324,9 +328,7 @@ for HTTP Basic authentication.</td></tr>
     <p>If this directive exists, <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> grants
     access to any user that has successfully authenticated during the
     search/bind phase.  Requires that <code class="module"><a href="../mod/mod_authz_user.html">mod_authz_user</a></code> be 
-    loaded and that the 
-    <code class="directive"><a href="#authzldapauthoritative">AuthzLDAPAuthoritative</a></code>
-    directive be set to off.</p>
+    loaded.</p>
 
 
 <h3><a name="requser" id="requser">Require ldap-user</a></h3>
@@ -602,17 +604,10 @@ Require valid-user
     that gets created in the web</p>
 <div class="example"><pre>
 AuthLDAPURL            "the url"
-AuthzLDAPAuthoritative off
 AuthGroupFile <em>mygroupfile</em>
 Require group <em>mygroupfile</em>
 </pre></div>
 
-    <p><code class="directive"><a href="#authzldapauthoritative">AuthzLDAPAuthoritative</a></code> 
-    must be off to allow <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> to decline group
-    authentication so that Apache will fall back to file
-    authentication for checking group membership. This allows the
-    FrontPage-managed group file to be used.</p>
-
 <h3><a name="howitworks" id="howitworks">How It Works</a></h3>
 
     <p>FrontPage restricts access to a web by adding the <code>Require
@@ -972,10 +967,14 @@ authenticating the user if this one fails</td></tr>
 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authnz_ldap</td></tr>
 </table>
     <p>Set to <code>off</code> if this module should let other
-    authentication modules attempt to authenticate the user, should
-    authentication with this module fail. Control is only passed on
+    authorization modules attempt to authorize the user, should
+    authorization with this module fail. Control is only passed on
     to lower modules if there is no DN or rule that matches the
     supplied user name (as passed by the client).</p>
+    <p> When no LDAP-specific <code class="directive"><a href="../mod/core.html#require">Require</a></code>  directives
+    are used, authorization is allowed to fall back to other modules
+    as if <code class="directive"><a href="#authzldapauthoritative">AuthzLDAPAuthoritative</a></code>
+    was set to <code>off</code>. </p>
 
 </div>
 </div>
diff --git a/docs/manual/mod/mod_authnz_ldap.xml b/docs/manual/mod/mod_authnz_ldap.xml
index e2a4630efab..d3b2787d5a0 100644
--- a/docs/manual/mod/mod_authnz_ldap.xml
+++ b/docs/manual/mod/mod_authnz_ldap.xml
@@ -233,7 +233,11 @@ for HTTP Basic authentication.</description>
     <directive module="mod_authnz_ldap">AuthzLDAPAuthoritative</directive>
     is set to <code>off</code> to allow the authorization phase to fall
     back to the module providing the alternate
-    <directive module="core">Require</directive> value.</p>
+    <directive module="core">Require</directive> value. When no 
+    LDAP-specific <directive module="core">Require</directive>  directives
+    are used, authorization is allowed to fall back to other modules
+    as if <directive module="mod_authnz_ldap">AuthzLDAPAuthoritative</directive>
+    was set to <code>off</code>. </p>
 
     <ul>
         <li>Grant access if there is a <a href="#requser"><code>Require
@@ -307,9 +311,7 @@ for HTTP Basic authentication.</description>
     <p>If this directive exists, <module>mod_authnz_ldap</module> grants
     access to any user that has successfully authenticated during the
     search/bind phase.  Requires that <module>mod_authz_user</module> be 
-    loaded and that the 
-    <directive module="mod_authnz_ldap">AuthzLDAPAuthoritative</directive>
-    directive be set to off.</p>
+    loaded.</p>
 </section>
 
 <section id="requser"><title>Require ldap-user</title>
@@ -595,17 +597,10 @@ Require valid-user
     that gets created in the web</p>
 <example><pre>
 AuthLDAPURL            "the url"
-AuthzLDAPAuthoritative off
 AuthGroupFile <em>mygroupfile</em>
 Require group <em>mygroupfile</em>
 </pre></example>
 
-    <p><directive module="mod_authnz_ldap">AuthzLDAPAuthoritative</directive> 
-    must be off to allow <module>mod_authnz_ldap</module> to decline group
-    authentication so that Apache will fall back to file
-    authentication for checking group membership. This allows the
-    FrontPage-managed group file to be used.</p>
-
 <section id="howitworks"><title>How It Works</title>
 
     <p>FrontPage restricts access to a web by adding the <code>Require
@@ -677,10 +672,14 @@ authenticating the user if this one fails</description>
 
 <usage>
     <p>Set to <code>off</code> if this module should let other
-    authentication modules attempt to authenticate the user, should
-    authentication with this module fail. Control is only passed on
+    authorization modules attempt to authorize the user, should
+    authorization with this module fail. Control is only passed on
     to lower modules if there is no DN or rule that matches the
     supplied user name (as passed by the client).</p>
+    <p> When no LDAP-specific <directive module="core">Require</directive>  directives
+    are used, authorization is allowed to fall back to other modules
+    as if <directive module="mod_authnz_ldap">AuthzLDAPAuthoritative</directive>
+    was set to <code>off</code>. </p>
 </usage>
 </directivesynopsis>
 
-- 
2.47.2