Comment 2 for bug 781036

Richard, I think I mis-read your description, and totally missed that you had configured mod_authnz_external properly. I probably shouldn't triage bugs at 4:30am.

I suspect that the order matters because some of the other modules you are loading override mod_authnz_external's authoritative status after it is configured. Possibly mod_authz_default is the culprit... as it defaults to authoritative:

http://httpd.apache.org/docs/current/mod/mod_authz_default.html

I wonder, if you put mod_authz_default last, does it have the same enabling effect?

Re-opening as New, leaving set to mod_authnz_external for now, though it may be that mod_authz_default needs to always load last, which would be a bug in apache2.