We are using the Enterprise version (3.3.15) on Slackware 12 (32bit). We've setup a LDAP realm that seems to work properly. I mean, if you give the correct user/pass it all works as it is supposed to. But the real problem is when you give a bogus user/pass. Instead of asking for the user/pass again it will give you the URI requested. Of course on the next request it will ask again for user/pass, you can give a bogus one again and go on like that forever, gaining access to areas that are supposed to be protected. Now I've checked and this happens only when the "Required" field in the context config is left empty (I tried putting there valid-user, with no effect). But the documentation says: "If it is not specified, all valid users can access this resource.", or a bogus user/pass combination shouldn't be considered valid.