Setting the AuthDBAuthoritative directive explicitly to
'off' allows for both authentication and
authorization to be passed on to lower level modules (as defined in
the Configuration
and modules.c
file if
there is no userID or rule
matching the supplied userID. If there is a userID and/or rule
specified; the usual password and access checks will be applied and
a failure will give an Authorization Required reply.
So if a userID appears in the database of more than one module; or if a valid require directive applies to more than one module; then the first module will verify the credentials; and no access is passed on; regardless of the AuthAuthoritative setting.
A common use for this is in conjunction with one of the basic
auth modules; such as
mod_auth.c
. Whereas this DB module supplies the bulk of
the user credential checking; a few (administrator) related
accesses fall through to a lower level with a well protected
.htpasswd file.
Default: By default; control is not passed on; and an unknown userID or rule will result in an Authorization Required reply. Not setting it thus keeps the system secure; and forces an NCSA compliant behaviour.
Security: Do consider the implications of allowing a user to allow fall-through in his .htaccess file; and verify that this is really what you want; Generally it is easier to just secure a single .htpasswd file, than it is to secure a database which might have more access interfaces.
See also AuthName, AuthType and AuthDBGroupFile.