

Verifying against all Security Managers

A security manager can give one of four responses to a query: Allow, Deny, Fail (request rejected because an error occurred), and Unknown (indicating that the manager has no information relevant to the query).

For user sign-on ("Verify") requests, you can specify whether or not security queries are to be checked by all of the security managers in the security manager list. You do this by setting the Verify against all Security Managers configuration option. If this is not set, the managers will be queried in the order that they appear on the security manager list until one gives a response of Allow, Deny, or Fail. This response will then be used to decide what action should be taken.

Note that if Verify against all Security Managers is not set, after one security manager successfully verifies a user, the remaining security managers will be called to give them an opportunity to set user attributes (such as user timeout). Currently the MLDAP ESM module uses this to configure users that are verified by another ESM, if they are defined in the LDAP directory.

If you do set Verify against all Security Managers, all entries on the list will be queried, and if any returns a Deny or Fail, the user will not be signed on. If there are no Deny or Fail responses and at least one of the entries on the list gives Allow as its response, the user will be signed on.

If a security manager does not have a rule for the user, it gives a response of Unknown. Whatever the setting of the Verify against all Security Managers field, if all of the security managers on the list respond with Unknown, the user will be denied unless you have configured the Allow unknown users option.

For resource access ("Auth") requests, the managers will be queried in the order that they appear on the security manager list until one gives a response of Allow, Deny, or Fail (equivalent to Deny). This response will then be used to decide what action should be taken. (There is no equivalent to Verify against all Security Managers for resource access requests.)

If a security manager does not have a rule that applies to the resource specified in the request for the user making the request, it gives a response of Unknown. If all of the security managers on the list respond with Unknown, the request will be denied unless you have configured the Allow unknown resources option.
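The decision rules above for sign-on ("Verify") and resource access ("Auth") requests, written out as a small Python model. This is an added example and not code from the original page or the product it documents; the `Response` enum, the function names and the sample response lists are assumptions, and the model only decides the outcome (it does not represent the follow-up calls that let other managers set user attributes).

```python
from enum import Enum


class Response(Enum):
    """The four responses a security manager can give to a query."""
    ALLOW = "Allow"
    DENY = "Deny"
    FAIL = "Fail"        # request rejected because an error occurred
    UNKNOWN = "Unknown"  # manager has no information relevant to the query


def verify_user(responses, verify_against_all, allow_unknown_users):
    """Decide a sign-on ("Verify") request.

    responses: one Response per manager, in security manager list order
    (a constructed sample; each entry is that manager's answer for the user).
    Returns True if the user is signed on, False otherwise.
    """
    if not verify_against_all:
        # Managers are queried in list order; the first Allow, Deny or Fail
        # decides the outcome and later managers cannot change it.
        for r in responses:
            if r is Response.ALLOW:
                return True
            if r in (Response.DENY, Response.FAIL):
                return False
        # Every manager answered Unknown: only the option lets the user in.
        return allow_unknown_users
    # Verify against all: every manager is queried; any Deny or Fail
    # anywhere on the list rejects the user, whatever else was returned.
    if any(r in (Response.DENY, Response.FAIL) for r in responses):
        return False
    if any(r is Response.ALLOW for r in responses):
        return True
    # All Unknown: same fallback as above.
    return allow_unknown_users


def authorize_resource(responses, allow_unknown_resources):
    """Decide a resource access ("Auth") request.

    There is no "verify against all" mode here: the first Allow, Deny or
    Fail (treated as Deny) decides; all-Unknown falls back to the option.
    """
    for r in responses:
        if r is Response.ALLOW:
            return True
        if r in (Response.DENY, Response.FAIL):
            return False
    return allow_unknown_resources
```

Note how the same list `[Unknown, Allow, Deny]` signs the user on in the default mode but rejects them once Verify against all Security Managers is set, because the Deny from a later manager is no longer ignored.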
