Posted to cvs@httpd.apache.org by sl...@apache.org on 2001/08/20 19:34:58 UTC
cvs commit: httpd-2.0/docs/manual/mod mod_auth_ldap.html
slive 01/08/20 10:34:58
Modified: docs/manual/mod mod_auth_ldap.html
Log:
Bring this closer to the "standard" Apache module doc format,
and fix some HTML problems.
Revision Changes Path
1.2 +336 -351 httpd-2.0/docs/manual/mod/mod_auth_ldap.html
Index: mod_auth_ldap.html
===================================================================
RCS file: /home/cvs/httpd-2.0/docs/manual/mod/mod_auth_ldap.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -d -b -u -r1.1 -r1.2
--- mod_auth_ldap.html 2001/08/19 00:45:34 1.1
+++ mod_auth_ldap.html 2001/08/20 17:34:58 1.2
@@ -86,20 +86,9 @@
- <h2>Contents</h2>
+ <h2>Directives</h2>
+
<ul>
-<li>
-<a href="#operation">Operation</a><ul>
-<li>
-<a href="#authenphase">The Authentication Phase</a><ul></ul>
-</li>
-<li>
-<a href="#authorphase">The Authorization Phase</a><ul></ul>
-</li>
-</ul>
-</li>
-<li>
-<a href="#directives">Directives</a><ul>
<li><a href="#AuthLDAPAuthoritative">AuthLDAPAuthoritative</a></li>
<li><a href="#AuthLDAPBindDN">AuthLDAPBindDN</a></li>
<li><a href="#AuthLDAPBindPassword">AuthLDAPBindPassword</a></li>
@@ -113,44 +102,33 @@
<li><a href="#AuthLDAPStartTLS">AuthLDAPStartTLS</a></li>
<li><a href="#AuthLDAPUrl">AuthLDAPUrl</a></li>
</ul>
-</li>
-<li>
-<a href="#requiredirectives">The require Directives</a><ul>
-<li>
-<a href="#reqvaliduser">require valid-user</a><ul></ul>
-</li>
-<li>
-<a href="#requser">require user</a><ul></ul>
-</li>
-<li>
-<a href="#reqgroup">require group</a><ul></ul>
-</li>
-<li>
-<a href="#reqdn">require dn</a><ul></ul>
-</li>
-</ul>
-</li>
-<li>
-<a href="#examples">Examples</a><ul></ul>
-</li>
-<li>
-<a href="#usingtls">Using TLS</a><ul></ul>
-</li>
-<li>
-<a href="#usingssl">Using SSL</a><ul></ul>
-</li>
-<li>
-<a href="#frontpage">Using Microsoft FrontPage with mod_auth_ldap</a><ul>
-<li>
-<a href="#howitworks">How It Works</a><ul></ul>
-</li>
+
+<h2>Contents</h2>
+<ul>
<li>
-<a href="#fpcaveats">Caveats</a><ul></ul>
-</li>
-</ul>
-</li>
+<a href="#operation">Operation</a>
+<ul>
+ <li><a href="#authenphase">The Authentication Phase</a></li>
+ <li><a href="#authorphase">The Authorization Phase</a></li>
+</ul></li>
+<li><a href="#requiredirectives">The require Directives</a>
+<ul>
+ <li><a href="#reqvaliduser">require valid-user</a></li>
+ <li><a href="#requser">require user</a></li>
+ <li><a href="#reqgroup">require group</a></li>
+ <li><a href="#reqdn">require dn</a></li>
+</ul></li>
+<li><a href="#examples">Examples</a></li>
+<li><a href="#usingtls">Using TLS</a></li>
+<li><a href="#usingssl">Using SSL</a></li>
+<li><a href="#frontpage">Using Microsoft FrontPage with mod_auth_ldap</a>
+<ul>
+ <li><a href="#howitworks">How It Works</a></li>
+ <li><a href="#fpcaveats">Caveats</a></li>
+</ul></li>
</ul>
- <a name="operation"><h2>Operation</h2></a>
+
+ <h2><a name="operation">Operation</a></h2>
<p>
There are two phases in granting access to a user. The first
phase is authentication, in which mod_auth_ldap verifies that the
@@ -161,7 +139,7 @@
the <em><b>compare</b></em> phase.
</p>
- <a name="authenphase"><h3>The Authentication Phase</h3></a>
+ <h3><a name="authenphase">The Authentication Phase</a></h3>
<p>
During the authentication phase, mod_auth_ldap searches for an
entry in the directory that matches the username that the HTTP
@@ -227,7 +205,7 @@
</table>
- <a name="authorphase"><h3>The Authorization Phase</h3></a>
+ <h3><a name="authorphase">The Authorization Phase</a></h3>
<p>
During the authorization phase, mod_auth_ldap attempts to determine
if the user is authorized to access the resource. Many of these
@@ -316,298 +294,8 @@
</td>
</tr>
</table>
-
- <a name="directives"><h2>Directives</h2></a>
- <p>
- This section contains the complete list of directives that are
- used by the mod_auth_ldap module.
- </p>
-
- <a name="AuthLDAPAuthoritative"><h3>AuthLDAPAuthoritative</h3></a><p>
-<a href="directive-dict.html#Syntax" rel="Help"><strong>Syntax:</strong></a> AuthLDAPAuthoritative
-
- < <strong>on</strong>(default) | off >
-
- <br><a href="directive-dict.html#Context" rel="Help"><strong>Context:</strong></a> directory, .htaccess<br><a href="directive-dict.html#Override" rel="Help"><strong>Override:</strong></a> AuthConfig<br><a href="directive-dict.html#Status" rel="Help"><strong>Status:</strong></a> Extension<br><a href="directive-dict.html#Module" rel="Help"><strong>Module:</strong></a> mod_auth_ldap</p>
-<p>
- Set to <i>off</i> if this module should let other
- authentication modules attempt to authenticate the user,
- should authentication with this module fail. Control is only
- passed on to lower modules if there is no DN or rule that matches
- the supplied user name (as passed by the client).
- </p>
-<hr>
-
- <a name="AuthLDAPBindDN"><h3>AuthLDAPBindDN</h3></a><p>
-<a href="directive-dict.html#Syntax" rel="Help"><strong>Syntax:</strong></a> AuthLDAPBindDN
- <em>
- distinguished-name
- </em>
- <br><a href="directive-dict.html#Context" rel="Help"><strong>Context:</strong></a> directory, .htaccess<br><a href="directive-dict.html#Override" rel="Help"><strong>Override:</strong></a> AuthConfig<br><a href="directive-dict.html#Status" rel="Help"><strong>Status:</strong></a> Extension<br><a href="directive-dict.html#Module" rel="Help"><strong>Module:</strong></a> mod_auth_ldap</p>
-<p>
- An optional DN used to bind to the server when searching for
- entries. If not provided, mod_auth_ldap will use an
- anonymous bind.
- </p>
-<hr>
-
- <a name="AuthLDAPBindPassword"><h3>AuthLDAPBindPassword</h3></a><p>
-<a href="directive-dict.html#Syntax" rel="Help"><strong>Syntax:</strong></a> AuthLDAPBindPassword
- <em>
- password
- </em>
- <br><a href="directive-dict.html#Context" rel="Help"><strong>Context:</strong></a> directory, .htaccess<br><a href="directive-dict.html#Override" rel="Help"><strong>Override:</strong></a> AuthConfig<br><a href="directive-dict.html#Status" rel="Help"><strong>Status:</strong></a> Extension<br><a href="directive-dict.html#Module" rel="Help"><strong>Module:</strong></a> mod_auth_ldap</p>
-<p>
- A bind password to use in conjunction with the bind DN. Note
- that the bind password is probably sensitive data, and should be
- properly protected. You should only use the <a href="#AuthLDAPBindDN"><tt>AuthLDAPBindDN</tt></a>
- and <a href="#AuthLDAPBindPassword"><tt>AuthLDAPBindPassword</tt></a>
- if you absolutely need them to search the directory.
- </p>
-<hr>
-
- <a name="AuthLDAPCompareDNOnServer"><h3>AuthLDAPCompareDNOnServer</h3></a><p>
-<a href="directive-dict.html#Syntax" rel="Help"><strong>Syntax:</strong></a> AuthLDAPCompareDNOnServer
-
- < <strong>on</strong>(default) | off >
-
- <br><a href="directive-dict.html#Context" rel="Help"><strong>Context:</strong></a> directory, .htaccess<br><a href="directive-dict.html#Override" rel="Help"><strong>Override:</strong></a> AuthConfig<br><a href="directive-dict.html#Status" rel="Help"><strong>Status:</strong></a> Extension<br><a href="directive-dict.html#Module" rel="Help"><strong>Module:</strong></a> mod_auth_ldap</p>
-<p>
- When set, mod_auth_ldap will use the LDAP server to compare the
- DNs. This is the only foolproof way to compare DNs. mod_auth_ldap
- will search the directory for the DN specified with the <a href="#reqdn"><tt>require dn</tt></a>
- directive, then, retrieve the DN and compare it with the DN
- retrieved from the user entry. If this directive is not set,
- mod_auth_ldap simply does a string comparison. It is possible to
- get false negatives with this approach, but it is much
- faster. Note the mod_ldap cache can speed up DN comparison in
- most situations.
- </p>
-<hr>
-
- <a name="AuthLDAPDereferenceAliases"><h3>AuthLDAPDereferenceAliases</h3></a><p>
-<a href="directive-dict.html#Syntax" rel="Help"><strong>Syntax:</strong></a> AuthLDAPDereferenceAliases
- <em>
- never | searching | finding | always
- </em>
- <br><a href="directive-dict.html#Context" rel="Help"><strong>Context:</strong></a> directory, .htaccess<br><a href="directive-dict.html#Override" rel="Help"><strong>Override:</strong></a> AuthConfig<br><a href="directive-dict.html#Status" rel="Help"><strong>Status:</strong></a> Extension<br><a href="directive-dict.html#Module" rel="Help"><strong>Module:</strong></a> mod_auth_ldap</p>
-<p>
- This directive specifies when mod_auth_ldap will de-reference
- aliases during LDAP operations. The default is
- <i>always</i>.
- </p>
-<hr>
-
- <a name="AuthLDAPEnabled"><h3>AuthLDAPEnabled</h3></a><p>
-<a href="directive-dict.html#Syntax" rel="Help"><strong>Syntax:</strong></a> AuthLDAPEnabled
-
- < <strong>on</strong>(default) | off >
-
- <br><a href="directive-dict.html#Context" rel="Help"><strong>Context:</strong></a> directory, .htaccess<br><a href="directive-dict.html#Override" rel="Help"><strong>Override:</strong></a> AuthConfig<br><a href="directive-dict.html#Status" rel="Help"><strong>Status:</strong></a> Extension<br><a href="directive-dict.html#Module" rel="Help"><strong>Module:</strong></a> mod_auth_ldap</p>
-<p>
- Set to <i>off</i> to disable
- mod_auth_ldap in certain directories. This is useful if you have
- mod_auth_ldap enabled at or near the top of your tree, but want to
- disable it completely in certain locations.
- </p>
-<hr>
-
- <a name="AuthLDAPFrontPageHack"><h3>AuthLDAPFrontPageHack</h3></a><p>
-<a href="directive-dict.html#Syntax" rel="Help"><strong>Syntax:</strong></a> AuthLDAPFrontPageHack
-
- < on | <strong>off</strong>(default) >
-
- <br><a href="directive-dict.html#Context" rel="Help"><strong>Context:</strong></a> directory, .htaccess<br><a href="directive-dict.html#Override" rel="Help"><strong>Override:</strong></a> AuthConfig<br><a href="directive-dict.html#Status" rel="Help"><strong>Status:</strong></a> Extension<br><a href="directive-dict.html#Module" rel="Help"><strong>Module:</strong></a> mod_auth_ldap</p>
-<p>
- See the section on <a href="#frontpage">using Microsoft
- FrontPage</a> with mod_auth_ldap.
- </p>
-<hr>
-
- <a name="AuthLDAPGroupAttribute"><h3>AuthLDAPGroupAttribute</h3></a><p>
-<a href="directive-dict.html#Syntax" rel="Help"><strong>Syntax:</strong></a> AuthLDAPGroupAttribute
- <em>
- attribute
- </em>
- <br><a href="directive-dict.html#Context" rel="Help"><strong>Context:</strong></a> directory, .htaccess<br><a href="directive-dict.html#Override" rel="Help"><strong>Override:</strong></a> AuthConfig<br><a href="directive-dict.html#Status" rel="Help"><strong>Status:</strong></a> Extension<br><a href="directive-dict.html#Module" rel="Help"><strong>Module:</strong></a> mod_auth_ldap</p>
-<p>
- This directive specifies which LDAP attributes are used to check
- for group membership. Multiple attributes can be used by
- specifying this directive multiple times. If not specified, then
- mod_auth_ldap uses the <tt>member</tt> and
- <tt>uniquemember</tt> attributes.
- </p>
-<hr>
-
- <a name="AuthLDAPGroupAttributeIsDN"><h3>AuthLDAPGroupAttributeIsDN</h3></a><p>
-<a href="directive-dict.html#Syntax" rel="Help"><strong>Syntax:</strong></a> AuthLDAPGroupAttributeIsDN
-
- < <strong>on</strong>(default) | off >
-
- <br><a href="directive-dict.html#Context" rel="Help"><strong>Context:</strong></a> directory, .htaccess<br><a href="directive-dict.html#Override" rel="Help"><strong>Override:</strong></a> AuthConfig<br><a href="directive-dict.html#Status" rel="Help"><strong>Status:</strong></a> Extension<br><a href="directive-dict.html#Module" rel="Help"><strong>Module:</strong></a> mod_auth_ldap</p>
-<p>
- When set, this directive says to use the distinguished name of
- the client username when checking for group
- membership. Otherwise, the username will be used. For example,
- assume that the client sent the username
- <i>bjenson</i>, which corresponds to the LDAP DN
- <i>cn=Babs Jenson, o=Airius</i>. If this directive is set,
- mod_auth_ldap will check if the group has <i>cn=Babs Jenson,
- o=Airius</i> as a member. If this directive is not set, then
- mod_auth_ldap will check if the group has
- <i>bjenson</i> as a member.
- </p>
-<hr>
-
- <a name="AuthLDAPRemoteUserIsDN"><h3>AuthLDAPRemoteUserIsDN</h3></a><p>
-<a href="directive-dict.html#Syntax" rel="Help"><strong>Syntax:</strong></a> AuthLDAPRemoteUserIsDN
-
- < on | <strong>off</strong>(default) >
-
- <br><a href="directive-dict.html#Context" rel="Help"><strong>Context:</strong></a> directory, .htaccess<br><a href="directive-dict.html#Override" rel="Help"><strong>Override:</strong></a> AuthConfig<br><a href="directive-dict.html#Status" rel="Help"><strong>Status:</strong></a> Extension<br><a href="directive-dict.html#Module" rel="Help"><strong>Module:</strong></a> mod_auth_ldap</p>
-<p>
- If this directive is set to on, the value of the
- <i>REMOTE_USER</i> environment variable will be set to the
- full distinguished name of the authenticated user, rather than
- just the username that was passed by the client. It is turned
- off by default.
- </p>
-<hr>
-
- <a name="AuthLDAPStartTLS"><h3>AuthLDAPStartTLS</h3></a><p>
-<a href="directive-dict.html#Syntax" rel="Help"><strong>Syntax:</strong></a> AuthLDAPStartTLS
-
- < on | <strong>off</strong>(default) >
-
- <br><a href="directive-dict.html#Context" rel="Help"><strong>Context:</strong></a> directory, .htaccess<br><a href="directive-dict.html#Override" rel="Help"><strong>Override:</strong></a> AuthConfig<br><a href="directive-dict.html#Status" rel="Help"><strong>Status:</strong></a> Extension<br><a href="directive-dict.html#Module" rel="Help"><strong>Module:</strong></a> mod_auth_ldap</p>
-<p>
- If this directive is set to on, mod_auth_ldap will start a secure
- TLS session after connecting to the LDAP server. This requires
- your LDAP server to support TLS.
- </p>
-<hr>
-
- <a name="AuthLDAPUrl"><h3>AuthLDAPUrl</h3></a><p>
-<a href="directive-dict.html#Syntax" rel="Help"><strong>Syntax:</strong></a> AuthLDAPUrl
- <em>
- url
- </em>
- <br><a href="directive-dict.html#Context" rel="Help"><strong>Context:</strong></a> directory, .htaccess<br><a href="directive-dict.html#Override" rel="Help"><strong>Override:</strong></a> AuthConfig<br><a href="directive-dict.html#Status" rel="Help"><strong>Status:</strong></a> Extension<br><a href="directive-dict.html#Module" rel="Help"><strong>Module:</strong></a> mod_auth_ldap</p>
-<p>
- An RFC 2255 URL which specifies the LDAP search parameters to
- use. The syntax of the URL is
-
- <pre>
-ldap://host:port/basedn?attribute?scope?filter</pre>
- </p>
-<table border="0" bgcolor="#ffffff">
- <tr valign="top">
- <td colspan="1" align="left">ldap</td>
- <td colspan="1" align="left">
- For regular ldap, use the string <i>ldap</i>. For secure
- LDAP, use <i>ldaps</i> instead. Secure LDAP is only
- available if Apache was linked to an LDAP library with SSL
- support.
- </td>
- </tr>
- <tr valign="top">
- <td colspan="1" align="left">host:port</td>
- <td colspan="1" align="left">
- <p>
- The name/port of the ldap server (defaults to
- <i>localhost:389</i> for <i>ldap</i>, and
- <i>localhost:636</i> for <i>ldaps</i>). To specify
- multiple, redundant LDAP servers, just list all servers,
- separated by spaces. mod_auth_ldap will try
- connecting to each server in turn, until it makes a
- successful connection.
- </p>
-
- <p>
- Once a connection has been made to a server, that
- connection remains active for the life of the
- <i>httpd</i> process, or until the LDAP server goes
- down.
- </p>
-
- <p>
- If the LDAP server goes down and breaks an existing
- connection, mod_auth_ldap will attempt to re-connect,
- starting with the primary server, and trying each
- redundant server in turn. Note that this is different than
- a true round-robin search.
- </p>
- </td>
- </tr>
-
- <tr valign="top">
- <td colspan="1" align="left">basedn</td>
- <td colspan="1" align="left">
- The DN of the branch of the directory where all searches
- should start from. At the very least, this must be the top
- of your directory tree, but could also specify a subtree in
- the directory.
- </td>
- </tr>
- <tr valign="top">
- <td colspan="1" align="left">attribute</td>
- <td colspan="1" align="left">
- The attribute to search for. Although RFC 2255 allows a
- comma-separated list of attributes, only the first attribute
- will be used, no matter how many are provided. If no
- attributes are provided, the default is to use
- <tt>uid</tt>. It's a good idea to choose an attribute that
- will be unique across all entries in the subtree you will be
- using.
- </td>
- </tr>
-
- <tr valign="top">
- <td colspan="1" align="left">scope</td>
- <td colspan="1" align="left">
- The scope of the search. Can be either <i>one</i> or
- <i>sub</i>. Note that a scope of <i>base</i> is also
- supported by RFC 2255, but is not supported by this
- module. If the scope is not provided, or if <i>base</i>
- scope is specified, the default is to use a scope of
- <i>sub</i>.
- </td>
- </tr>
-
- <tr valign="top">
- <td colspan="1" align="left">filter</td>
- <td colspan="1" align="left">
- A valid LDAP search filter. If not provided, defaults to
- <tt>(objectClass=*)</tt>, which will search for all
- objects in the tree. Filters are limited to approximately
- 8000 characters (the definition of
- <i>MAX_STRING_LEN</i> in the Apache source code). This
- should be than sufficient for any application.
- </td>
- </tr>
- </table>
-<p>
- When doing searches, the attribute, filter and username passed
- by the HTTP client are combined to create a search filter that
- looks like
- <tt>(&(<i>filter</i>)(<i>attribute</i>=<i>username</i>))</tt>.
- </p>
-<p>
- For example, consider an URL of
- <i>ldap://ldap.airius.com/o=Airius?cn?sub?(posixid=*)</i>.
- When a client attempts to connect using a username of
- <i>
- Babs Jenson</i>, the resulting search filter will be
- <tt>(&(posixid=*)(cn=Babs Jenson))</tt>.
- </p>
-<p>
- See below for examples of <a href="#AuthLDAPURL"><tt>AuthLDAPURL</tt></a>
- URLs.
- </p>
-<hr>
-
- <a name="requiredirectives"><h2>The require Directives</h2></a>
+ <h2><a name="requiredirectives">The require Directives</a></h2>
<p>
Apache's <tt>require</tt> directives are used during
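Review bot: removing the `<a name="directives">` anchor at the top of this hunk, without re-adding it with the new `<h2>Directives</h2>` heading that replaced the old Contents entry, drops the `#directives` fragment target, so any existing link or bookmark to mod_auth_ldap.html#directives will silently land at the top of the page. Suggest writing the new heading as `<h2><a name="directives">Directives</a></h2>`, in the same `<hN><a name=...>` form this patch uses for every other heading.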
@@ -615,14 +303,14 @@
a resource.
</p>
- <a name="reqvaliduser"><h3>require valid-user</h3></a>
+ <h3><a name="reqvaliduser">require valid-user</a></h3>
<p>
If this directive exists, mod_auth_ldap grants access to any user
that has successfully authenticated during the search/bind
phase.
</p>
- <a name="requser"><h3>require user</h3></a>
+ <h3><a name="requser">require user</a></h3>
<p>
The <tt>require user</tt> directive specifies what
@@ -705,7 +393,7 @@
</p>
- <a name="reqdn"><h3>require dn</h3></a>
+ <h3><a name="reqdn">require dn</a></h3>
<p>
The <tt>require dn</tt> directive allows the
administrator to grant access based on distinguished names. It
@@ -729,7 +417,7 @@
</p>
- <a name="examples"><h2>Examples</h2></a>
+ <h2><a name="examples">Examples</a></h2>
<ul>
<li>
@@ -834,13 +522,13 @@
- <a name="usingtls"><h2>Using TLS</h2></a>
+ <h2><a name="usingtls">Using TLS</a></h2>
<p>
To use TLS, simply set the <tt>AuthLDAPStartTLS</tt>
to on. Nothing else needs to be done (other than ensure that your
LDAP server is configured for TLS).
</p>
- <a name="usingssl"><h2>Using SSL</h2></a>
+ <h2><a name="usingssl">Using SSL</a></h2>
<p>
If mod_auth_ldap is linked against the Netscape/iPlanet LDAP SDK,
@@ -860,7 +548,7 @@
<i>ldap://</i>.
</p>
- <a name="frontpage"><h2>Using Microsoft FrontPage with mod_auth_ldap</h2></a>
+ <h2><a name="frontpage">Using Microsoft FrontPage with mod_auth_ldap</a></h2>
<p>
Normally, FrontPage uses FrontPage-web-specific user/group files
@@ -891,7 +579,7 @@
used.
</p>
- <a name="howitworks"><h3>How It Works</h3></a>
+ <h3><a name="howitworks">How It Works</h3></h3>
<p>
FrontPage restricts access to a web by adding the
<tt>
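Review bot: the replacement heading on the `+` line is malformed: `<h3><a name="howitworks">How It Works</h3></h3>` never closes the `<a>` and closes `<h3>` twice, which is exactly the kind of HTML problem the log message says this commit fixes. It should read `<h3><a name="howitworks">How It Works</a></h3>`, matching the other heading fixes in the patch.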
@@ -917,7 +605,7 @@
</p>
- <a name="fpcaveats"><h3>Caveats</h3></a>
+ <h3><a name="fpcaveats">Caveats</a></h3>
<ul>
<li>
@@ -963,8 +651,305 @@
</ul>
+<hr>
+
+<h2><a name="AuthLDAPAuthoritative">AuthLDAPAuthoritative Directive</a></h2>
+
+<p>
+<a href="directive-dict.html#Syntax" rel="Help">
+<strong>Syntax:</strong></a> AuthLDAPAuthoritative on|off<br>
+<a href="directive-dict.html#Default" rel="Help"><strong>Default:</strong></a>
+<code>AuthLDAPAuthoritative on</code><br>
+
+<a href="directive-dict.html#Context" rel="Help"><strong>Context:</strong></a> directory, .htaccess<br><a href="directive-dict.html#Override" rel="Help"><strong>Override:</strong></a> AuthConfig<br><a href="directive-dict.html#Status" rel="Help"><strong>Status:</strong></a> Extension<br><a href="directive-dict.html#Module" rel="Help"><strong>Module:</strong></a> mod_auth_ldap</p>
+<p>
+ Set to <i>off</i> if this module should let other
+ authentication modules attempt to authenticate the user,
+ should authentication with this module fail. Control is only
+ passed on to lower modules if there is no DN or rule that matches
+ the supplied user name (as passed by the client).
+ </p>
+<hr>
+
+<h2><a name="AuthLDAPBindDN">AuthLDAPBindDN</a></h2>
+<p>
+<a href="directive-dict.html#Syntax" rel="Help"><strong>Syntax:</strong></a> AuthLDAPBindDN
+ <em>
+ distinguished-name
+ </em>
+ <br><a href="directive-dict.html#Context" rel="Help"><strong>Context:</strong></a> directory, .htaccess<br><a href="directive-dict.html#Override" rel="Help"><strong>Override:</strong></a> AuthConfig<br><a href="directive-dict.html#Status" rel="Help"><strong>Status:</strong></a> Extension<br><a href="directive-dict.html#Module" rel="Help"><strong>Module:</strong></a> mod_auth_ldap</p>
+<p>
+ An optional DN used to bind to the server when searching for
+ entries. If not provided, mod_auth_ldap will use an
+ anonymous bind.
+ </p>
+<hr>
+
+<h2><a name="AuthLDAPBindPassword">AuthLDAPBindPassword</a></h2>
+<p>
+<a href="directive-dict.html#Syntax" rel="Help"><strong>Syntax:</strong></a> AuthLDAPBindPassword
+ <em>
+ password
+ </em>
+ <br><a href="directive-dict.html#Context" rel="Help"><strong>Context:</strong></a> directory, .htaccess<br><a href="directive-dict.html#Override" rel="Help"><strong>Override:</strong></a> AuthConfig<br><a href="directive-dict.html#Status" rel="Help"><strong>Status:</strong></a> Extension<br><a href="directive-dict.html#Module" rel="Help"><strong>Module:</strong></a> mod_auth_ldap</p>
+<p>
+ A bind password to use in conjunction with the bind DN. Note
+ that the bind password is probably sensitive data, and should be
+ properly protected. You should only use the <a href="#AuthLDAPBindDN"><tt>AuthLDAPBindDN</tt></a>
+ and <a href="#AuthLDAPBindPassword"><tt>AuthLDAPBindPassword</tt></a>
+ if you absolutely need them to search the directory.
+ </p>
+<hr>
+
+<h2><a name="AuthLDAPCompareDNOnServer">AuthLDAPCompareDNOnServer</a></h2>
+<p>
+<a href="directive-dict.html#Syntax" rel="Help"><strong>Syntax:</strong></a>
+AuthLDAPCompareDNOnServer on|off
+<br>
+<a href="directive-dict.html#Default" rel="Help"><strong>Default:</strong></a>
+<code>AuthLDAPCompareDNOnServer on</code><br>
+<a href="directive-dict.html#Context" rel="Help"><strong>Context:</strong></a> directory, .htaccess<br><a href="directive-dict.html#Override" rel="Help"><strong>Override:</strong></a> AuthConfig<br><a href="directive-dict.html#Status" rel="Help"><strong>Status:</strong></a> Extension<br><a href="directive-dict.html#Module" rel="Help"><strong>Module:</strong></a> mod_auth_ldap</p>
+<p>
+ When set, mod_auth_ldap will use the LDAP server to compare the
+ DNs. This is the only foolproof way to compare DNs. mod_auth_ldap
+ will search the directory for the DN specified with the <a href="#reqdn"><tt>require dn</tt></a>
+ directive, then, retrieve the DN and compare it with the DN
+ retrieved from the user entry. If this directive is not set,
+ mod_auth_ldap simply does a string comparison. It is possible to
+ get false negatives with this approach, but it is much
+ faster. Note the mod_ldap cache can speed up DN comparison in
+ most situations.
+ </p>
+<hr>
+
+<h2><a name="AuthLDAPDereferenceAliases">AuthLDAPDereferenceAliases</a></h2>
+<p>
+<a href="directive-dict.html#Syntax" rel="Help"><strong>Syntax:</strong></a>
+AuthLDAPDereferenceAliases never|searching|finding|always
+ </em>
+ <br>
+<a href="directive-dict.html#Default" rel="Help"><strong>Default:</strong></a>
+<code>AuthLDAPDereferenceAliases Always</code><br>
+<a href="directive-dict.html#Context" rel="Help"><strong>Context:</strong></a> directory, .htaccess<br><a href="directive-dict.html#Override" rel="Help"><strong>Override:</strong></a> AuthConfig<br><a href="directive-dict.html#Status" rel="Help"><strong>Status:</strong></a> Extension<br><a href="directive-dict.html#Module" rel="Help"><strong>Module:</strong></a> mod_auth_ldap</p>
+<p>
+ This directive specifies when mod_auth_ldap will de-reference
+ aliases during LDAP operations. The default is
+ <i>always</i>.
+ </p>
+<hr>
+
+<h2><a name="AuthLDAPEnabled">AuthLDAPEnabled</a></h2>
+<p>
+<a href="directive-dict.html#Syntax" rel="Help"><strong>Syntax:</strong></a>
+AuthLDAPEnabled on|off
+<br>
+<a href="directive-dict.html#Default" rel="Help"><strong>Default:</strong></a>
+<code>AuthLDAPEnabled on</code><br>
+<a href="directive-dict.html#Context" rel="Help"><strong>Context:</strong></a> directory, .htaccess<br><a href="directive-dict.html#Override" rel="Help"><strong>Override:</strong></a> AuthConfig<br><a href="directive-dict.html#Status" rel="Help"><strong>Status:</strong></a> Extension<br><a href="directive-dict.html#Module" rel="Help"><strong>Module:</strong></a> mod_auth_ldap</p>
+<p>
+ Set to <i>off</i> to disable
+ mod_auth_ldap in certain directories. This is useful if you have
+ mod_auth_ldap enabled at or near the top of your tree, but want to
+ disable it completely in certain locations.
+ </p>
+<hr>
+<h2><a name="AuthLDAPFrontPageHack">AuthLDAPFrontPageHack</a></h2>
+<p>
+<a href="directive-dict.html#Syntax" rel="Help"><strong>Syntax:</strong></a>
+AuthLDAPFrontPageHack on|off<br>
+<a href="directive-dict.html#Default" rel="Help"><strong>Default:</strong></a>
+<code>AuthLDAPFronPageHack off</code><br>
+<a href="directive-dict.html#Context" rel="Help"><strong>Context:</strong></a> directory, .htaccess<br><a href="directive-dict.html#Override" rel="Help"><strong>Override:</strong></a> AuthConfig<br><a href="directive-dict.html#Status" rel="Help"><strong>Status:</strong></a> Extension<br><a href="directive-dict.html#Module" rel="Help"><strong>Module:</strong></a> mod_auth_ldap</p>
+<p>
+ See the section on <a href="#frontpage">using Microsoft
+ FrontPage</a> with mod_auth_ldap.
+ </p>
+<hr>
+<h2><a name="AuthLDAPGroupAttribute">AuthLDAPGroupAttribute</a></h2><p>
+<a href="directive-dict.html#Syntax" rel="Help"><strong>Syntax:</strong></a> AuthLDAPGroupAttribute
+ <em>
+ attribute
+ </em>
+ <br><a href="directive-dict.html#Context" rel="Help"><strong>Context:</strong></a> directory, .htaccess<br><a href="directive-dict.html#Override" rel="Help"><strong>Override:</strong></a> AuthConfig<br><a href="directive-dict.html#Status" rel="Help"><strong>Status:</strong></a> Extension<br><a href="directive-dict.html#Module" rel="Help"><strong>Module:</strong></a> mod_auth_ldap</p>
+<p>
+ This directive specifies which LDAP attributes are used to check
+ for group membership. Multiple attributes can be used by
+ specifying this directive multiple times. If not specified, then
+ mod_auth_ldap uses the <tt>member</tt> and
+ <tt>uniquemember</tt> attributes.
+ </p>
+<hr>
+
+<h2><a name="AuthLDAPGroupAttributeIsDN">AuthLDAPGroupAttributeIsDN</a></h2>
+<p>
+<a href="directive-dict.html#Syntax" rel="Help"><strong>Syntax:</strong></a>
+AuthLDAPGroupAttributeIsDN on|off<br>
+<a href="directive-dict.html#Default" rel="Help"><strong>Default:</strong></a>
+<code>AuthLDAPGroupAttributeIsDN on</code><br>
+<a href="directive-dict.html#Context" rel="Help"><strong>Context:</strong></a> directory, .htaccess<br><a href="directive-dict.html#Override" rel="Help"><strong>Override:</strong></a> AuthConfig<br><a href="directive-dict.html#Status" rel="Help"><strong>Status:</strong></a> Extension<br><a href="directive-dict.html#Module" rel="Help"><strong>Module:</strong></a> mod_auth_ldap</p>
+<p>
+ When set, this directive says to use the distinguished name of
+ the client username when checking for group
+ membership. Otherwise, the username will be used. For example,
+ assume that the client sent the username
+ <i>bjenson</i>, which corresponds to the LDAP DN
+ <i>cn=Babs Jenson, o=Airius</i>. If this directive is set,
+ mod_auth_ldap will check if the group has <i>cn=Babs Jenson,
+ o=Airius</i> as a member. If this directive is not set, then
+ mod_auth_ldap will check if the group has
+ <i>bjenson</i> as a member.
+ </p>
+<hr>
+
+<h2><a name="AuthLDAPRemoteUserIsDN">AuthLDAPRemoteUserIsDN</a></h2>
+<p>
+<a href="directive-dict.html#Syntax" rel="Help"><strong>Syntax:</strong></a>
+AuthLDAPRemoteUserIsDN on|off<br>
+<a href="directive-dict.html#Default" rel="Help"><strong>Default:</strong></a>
+<code>AuthLDAPUserIsDN off</code><br>
+<a href="directive-dict.html#Context" rel="Help"><strong>Context:</strong></a> directory, .htaccess<br><a href="directive-dict.html#Override" rel="Help"><strong>Override:</strong></a> AuthConfig<br><a href="directive-dict.html#Status" rel="Help"><strong>Status:</strong></a> Extension<br><a href="directive-dict.html#Module" rel="Help"><strong>Module:</strong></a> mod_auth_ldap</p>
+<p>
+ If this directive is set to on, the value of the
+ <i>REMOTE_USER</i> environment variable will be set to the
+ full distinguished name of the authenticated user, rather than
+ just the username that was passed by the client. It is turned
+ off by default.
+ </p>
+<hr>
+
+<h2><a name="AuthLDAPStartTLS">AuthLDAPStartTLS</a></h2><p>
+<a href="directive-dict.html#Syntax" rel="Help"><strong>Syntax:</strong></a>
+AuthLDAPStartTLS on|off<br>
+<a href="directive-dict.html#Default" rel="Help"><strong>Default:</strong></a>
+<code>AuthLDAPStartTLS off</code><br>
+<a href="directive-dict.html#Context" rel="Help"><strong>Context:</strong></a> directory, .htaccess<br><a href="directive-dict.html#Override" rel="Help"><strong>Override:</strong></a> AuthConfig<br><a href="directive-dict.html#Status" rel="Help"><strong>Status:</strong></a> Extension<br><a href="directive-dict.html#Module" rel="Help"><strong>Module:</strong></a> mod_auth_ldap</p>
+<p>
+ If this directive is set to on, mod_auth_ldap will start a secure
+ TLS session after connecting to the LDAP server. This requires
+ your LDAP server to support TLS.
+ </p>
+<hr>
+
+<h2><a name="AuthLDAPUrl">AuthLDAPUrl</a></h2><p>
+<a href="directive-dict.html#Syntax" rel="Help"><strong>Syntax:</strong></a> AuthLDAPUrl
+ <em>
+ url
+ </em>
+ <br><a href="directive-dict.html#Context" rel="Help"><strong>Context:</strong></a> directory, .htaccess<br><a href="directive-dict.html#Override" rel="Help"><strong>Override:</strong></a> AuthConfig<br><a href="directive-dict.html#Status" rel="Help"><strong>Status:</strong></a> Extension<br><a href="directive-dict.html#Module" rel="Help"><strong>Module:</strong></a> mod_auth_ldap</p>
+<p>
+ An RFC 2255 URL which specifies the LDAP search parameters to
+ use. The syntax of the URL is
+
+ <pre>
+ldap://host:port/basedn?attribute?scope?filter</pre>
+ </p>
+<table border="0" bgcolor="#ffffff">
+ <tr valign="top">
+ <td colspan="1" align="left">ldap</td>
+ <td colspan="1" align="left">
+ For regular ldap, use the string <i>ldap</i>. For secure
+ LDAP, use <i>ldaps</i> instead. Secure LDAP is only
+ available if Apache was linked to an LDAP library with SSL
+ support.
+ </td>
+ </tr>
+ <tr valign="top">
+ <td colspan="1" align="left">host:port</td>
+ <td colspan="1" align="left">
+ <p>
+ The name/port of the ldap server (defaults to
+ <i>localhost:389</i> for <i>ldap</i>, and
+ <i>localhost:636</i> for <i>ldaps</i>). To specify
+ multiple, redundant LDAP servers, just list all servers,
+ separated by spaces. mod_auth_ldap will try
+ connecting to each server in turn, until it makes a
+ successful connection.
+ </p>
+
+ <p>
+ Once a connection has been made to a server, that
+ connection remains active for the life of the
+ <i>httpd</i> process, or until the LDAP server goes
+ down.
+ </p>
+
+ <p>
+ If the LDAP server goes down and breaks an existing
+ connection, mod_auth_ldap will attempt to re-connect,
+ starting with the primary server, and trying each
+ redundant server in turn. Note that this is different than
+ a true round-robin search.
+ </p>
+ </td>
+ </tr>
+
+ <tr valign="top">
+ <td colspan="1" align="left">basedn</td>
+ <td colspan="1" align="left">
+ The DN of the branch of the directory where all searches
+ should start from. At the very least, this must be the top
+ of your directory tree, but could also specify a subtree in
+ the directory.
+ </td>
+ </tr>
+
+ <tr valign="top">
+ <td colspan="1" align="left">attribute</td>
+ <td colspan="1" align="left">
+ The attribute to search for. Although RFC 2255 allows a
+ comma-separated list of attributes, only the first attribute
+ will be used, no matter how many are provided. If no
+ attributes are provided, the default is to use
+ <tt>uid</tt>. It's a good idea to choose an attribute that
+ will be unique across all entries in the subtree you will be
+ using.
+ </td>
+ </tr>
+
+ <tr valign="top">
+ <td colspan="1" align="left">scope</td>
+ <td colspan="1" align="left">
+ The scope of the search. Can be either <i>one</i> or
+ <i>sub</i>. Note that a scope of <i>base</i> is also
+ supported by RFC 2255, but is not supported by this
+ module. If the scope is not provided, or if <i>base</i>
+ scope is specified, the default is to use a scope of
+ <i>sub</i>.
+ </td>
+ </tr>
+
+ <tr valign="top">
+ <td colspan="1" align="left">filter</td>
+ <td colspan="1" align="left">
+ A valid LDAP search filter. If not provided, defaults to
+ <tt>(objectClass=*)</tt>, which will search for all
+ objects in the tree. Filters are limited to approximately
+ 8000 characters (the definition of
+ <i>MAX_STRING_LEN</i> in the Apache source code). This
+ should be than sufficient for any application.
+ </td>
+ </tr>
+ </table>
+<p>
+ When doing searches, the attribute, filter and username passed
+ by the HTTP client are combined to create a search filter that
+ looks like
+ <tt>(&(<i>filter</i>)(<i>attribute</i>=<i>username</i>))</tt>.
+ </p>
+<p>
+ For example, consider an URL of
+ <i>ldap://ldap.airius.com/o=Airius?cn?sub?(posixid=*)</i>.
+ When a client attempts to connect using a username of
+ <i>
+ Babs Jenson</i>, the resulting search filter will be
+ <tt>(&(posixid=*)(cn=Babs Jenson))</tt>.
+ </p>
+<p>
+ See above for examples of <a href="#AuthLDAPURL"><tt>AuthLDAPURL</tt></a>
+ URLs.
+ </p>
<!--#include virtual="footer.html" -->
</BODY>
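Review bot: several of the re-added directive blocks carry errors in the parts a reader is most likely to copy, the Syntax and Default lines. In the AuthLDAPDereferenceAliases block a stray `</em>` follows the syntax line with no matching `<em>`; the Default line for AuthLDAPFrontPageHack reads `AuthLDAPFronPageHack off` and the one for AuthLDAPRemoteUserIsDN reads `AuthLDAPUserIsDN off`, neither of which is the directive's name; and the AuthLDAPDereferenceAliases default is shown as `Always` while the prose below it says `always`. Smaller points in the same hunk: the first heading reads "AuthLDAPAuthoritative Directive" while every other one omits the word; the `&` in `(&(filter)(attribute=username))` and in the Babs Jenson example should be `&amp;`; the `<pre>` for the URL syntax sits inside a `<p>`; the closing "See above" link targets `#AuthLDAPURL` while the anchor is named `AuthLDAPUrl`; and "should be than sufficient" is missing "more".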