LDAP login and authorization modules can sometimes share a common configuration. However, an authorizer does not inherit configuration from the login modules you configure; each configuration must be stated explicitly.
When both LDAPLoginModule and LDAPAuthorizer are configured:
- Matching configuration – LDAPAuthorizer simply skips the role retrieval.
- Differing configuration – LDAPAuthorizer proceeds with the role retrieval from its configured backend, and performs the authorization checks using the complete list of roles (from both the login module and itself). Even when multiple LDAPLoginModules are configured, only one LDAPAuthorizer is required, because it compares its configuration with the configuration that was used for the successful authentication of the user.
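
The rule above can be modelled in a few lines to predict where a user's roles will come from. This is an added sketch, not the product's code: the option names (`url`, `role_base`), the sample directory contents and the `lookup` helper are constructed, and "matching" is assumed to mean that every option has the same value.

```python
"""Model of the role-resolution rule described above (not product code)."""

def differing_options(login_cfg, authz_cfg):
    """Option names whose values differ between the two configurations."""
    keys = set(login_cfg) | set(authz_cfg)
    return sorted(k for k in keys if login_cfg.get(k) != authz_cfg.get(k))


def resolve_roles(user, login_roles, login_cfg, authz_cfg, lookup):
    """Return (effective_roles, lookup_performed).

    login_cfg is the configuration of the login module that actually
    authenticated the user; lookup(cfg, user) queries the authorizer's backend.
    """
    if not differing_options(login_cfg, authz_cfg):
        # Matching configuration: the authorizer skips role retrieval.
        return set(login_roles), False
    # Differing configuration: the authorizer fetches its own roles and the
    # check uses the complete list from both sources.
    return set(login_roles) | set(lookup(authz_cfg, user)), True


# Constructed sample data: two login modules, one authorizer.
CORP = {"url": "ldaps://corp.example:636", "role_base": "ou=roles,dc=corp"}
PARTNER = {"url": "ldaps://partner.example:636", "role_base": "ou=roles,dc=partner"}
AUTHORIZER = dict(CORP)  # stated explicitly; nothing is inherited

BACKEND = {  # constructed directory contents keyed by (url, user)
    ("ldaps://corp.example:636", "alice"): {"admin"},
    ("ldaps://corp.example:636", "bob"): {"auditor"},
}

def lookup(cfg, user):
    return BACKEND.get((cfg.get("url"), user), set())


def demo():
    # alice authenticated via CORP: configurations match, lookup skipped.
    a = resolve_roles("alice", {"admin"}, CORP, AUTHORIZER, lookup)
    # bob authenticated via PARTNER: configurations differ, roles are merged.
    b = resolve_roles("bob", {"partner-user"}, PARTNER, AUTHORIZER, lookup)
    return a, b, differing_options(PARTNER, AUTHORIZER)


if __name__ == "__main__":
    print(demo())
```

In the differing case the effective role set is a union, so a role granted by either backend counts during the authorization check; review both directories when auditing who holds a privileged role.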