Posted to cvs@httpd.apache.org by bn...@apache.org on 2003/03/10 17:51:21 UTC

cvs commit: httpd-2.0/docs/manual/mod mod_ldap.xml mod_auth_ldap.xml

bnicholes    2003/03/10 08:51:21

  Modified:    docs/manual/mod Tag: APACHE_2_0_BRANCH mod_ldap.xml
                        mod_auth_ldap.xml
  Log:
  Update the auth_ldap docs to reflect the SSL standardization changes that
  were back ported from the 2.1 tree.
  
  Revision  Changes    Path
  No                   revision
  
  
  No                   revision
  
  
  1.3.2.1   +72 -9     httpd-2.0/docs/manual/mod/mod_ldap.xml
  
  Index: mod_ldap.xml
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/docs/manual/mod/mod_ldap.xml,v
  retrieving revision 1.3
  retrieving revision 1.3.2.1
  diff -u -r1.3 -r1.3.2.1
  --- mod_ldap.xml	16 Nov 2002 20:21:38 -0000	1.3
  +++ mod_ldap.xml	10 Mar 2003 16:51:20 -0000	1.3.2.1
  @@ -22,6 +22,13 @@
       apr-util. This is achieved by adding the <code>--with-ldap</code>
       flag to the <code>./configure</code> script when building
       Apache.</p>
  +
  +    <p>SSL support requires that <module>mod_ldap</module> be linked
  +    with one of the following LDAP SDKs: <a href="http://www.openldap.org/">
  +    OpenLDAP SDK</a> (both 1.x and 2.x), <a href="http://developer.novell.com/ndk/cldap.htm">
  +    Novell LDAP SDK</a> or the <a href="http://www.iplanet.com/downloads/developer/">
  +    iPlanet(Netscape)</a> SDK.</p>
  +
   </summary>
   
   <section id="exampleconfig"><title>Example Configuration</title>
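Review bot: the new summary paragraph says SSL support needs one of three SDKs but does not say which of them provide ldaps:// and which provide STARTTLS, while the mod_auth_ldap.xml summary touched in this same commit still reads "LDAP over SSL (requires the Netscape SDK) or TLS (requires the OpenLDAP 2.x SDK or Novell LDAP SDK)". The two documents should agree; suggest stating per SDK which secure transport it supports here, or dropping the per-SDK qualification from mod_auth_ldap.xml.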
  @@ -156,6 +163,51 @@
       </section>
   </section>
   
  +<section id="usingssltls"><title>Using SSL</title>
  +
  +    <p>The ability to create an SSL connections to an LDAP server 
  +    is defined by the directives <directive module="mod_ldap">
  +    LDAPTrustedCA</directive> and <directive module="mod_ldap">
  +    LDAPTrustedCAType</directive>. These directives specify the certificate
  +    file or database and the certificate type. Whenever the LDAP url
  +    includes <em>ldaps://</em>, <module>mod_ldap</module> will establish
  +    a secure connection to the LDAP server.</p>
  +
  +    <example>
  +      # Establish an SSL LDAP connection. Requires that <br />
  +      # mod_ldap and mod_auth_ldap be loaded. Change the <br />
  +      # "yourdomain.example.com" to match your domain.<br />
  +      <br />
  +      LDAPTrustedCA /certs/certfile.der<br />
  +      LDAPTrustedCAType DER_FILE<br />
  +      <br />
  +      &lt;Location /ldap-status&gt;<br />
  +      <indent>
  +        SetHandler ldap-status<br />
  +        Order deny,allow<br />
  +        Deny from all<br />
  +        Allow from yourdomain.example.com<br />
  +        AuthLDAPEnabled on<br />
  +        AuthLDAPURL ldaps://127.0.0.1/dc=example,dc=com?uid?one<br />
  +        AuthLDAPAuthoritative on<br />
  +        require valid-user<br />
  +      </indent>
  +      &lt;/Location&gt;
  +    </example>
  +
  +    <p>If <module>mod_ldap</module> is linked against the
  +    Netscape/iPlanet LDAP SDK, it will not talk to any SSL server
  +    unless that server has a certificate signed by a known Certificate
  +    Authority. As part of the configuration
  +    <module>mod_ldap</module> needs to be told where it can find
  +    a database containing the known CAs. This database is in the same
  +    format as Netscape Communicator's <code>cert7.db</code>
  +    database. The easiest way to get this file is to start up a fresh
  +    copy of Netscape, and grab the resulting
  +    <code>$HOME/.netscape/cert7.db</code> file.</p>
  +
  +</section>
  +
   <directivesynopsis>
   <name>LDAPSharedCacheSize</name>
   <description>Size in bytes of the shared-memory cache</description>
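Review bot: "create an SSL connections" should be "create an SSL connection". The larger gap is that the closing paragraph only describes the Netscape/iPlanet case (refuses any server without a certificate chained to a known CA); it says nothing about whether a build against the OpenLDAP or Novell SDK verifies the server certificate at all when LDAPTrustedCA is not set, which is the first thing an administrator enabling ldaps:// needs to know. Suggest one sentence per SDK family stating whether an unverifiable server is refused or accepted. In the example, a name like `/certs/cacert.der` instead of `certfile.der` would make it obvious that the DER file holds the CA certificate rather than the server's.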
  @@ -228,19 +280,30 @@
   </directivesynopsis>
   
   <directivesynopsis>
  -<name>LDAPCertDBPath</name>
  -<description>Directory containing certificates for SSL support</description>
  -<syntax>LDAPCertDBPath <var>directory-path</var></syntax>
  +<name>LDAPTrustedCA</name>
  +<description>Sets the file containing the trusted Certificate Authority certificate or database</description>
  +<syntax>LDAPTrustedCA <var>directory-path/filename</var></syntax>
   <contextlist><context>server config</context></contextlist>
   
   <usage>
  -    <p>This directive is only valid if Apache has been linked
  -    against the Netscape/iPlanet Directory SDK.</p>
  +    <p>It specifies the directory path and file name of the trusted CA
  +    <module>mod_ldap</module> should use when establishing an SSL
  +    connection to an LDAP server. If using the Netscape/iPlanet Directory
  +    SDK, the file name should be <code>cert7.db</code>.</p>
  +</usage>
  +</directivesynopsis>
   
  -    <p>It specifies in which directory <module>mod_ldap</module>
  -    should look for the certificate authorities database for SSL
  -    support. There should be a file named <code>cert7.db</code> in that
  -    directory.</p>
  +<directivesynopsis>
  +<name>LDAPTrustedCAType</name>
  +<description>Specifies the type of the Certificate Authority file</description>
  +<syntax>LDAPTrustedCAType <var>type</var></syntax>
  +<contextlist><context>server config</context></contextlist>
  +
  +<usage>
  +    <p>The following types are supported:<br />
  +          DER_FILE      - file in binary DER format<br />
  +          BASE64_FILE   - file in Base64 format<br />
  +          CERT7_DB_PATH - Netscape certificate database file ")</p>
   </usage>
   </directivesynopsis>
   
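Review bot: the CERT7_DB_PATH line ends with a stray `")` that will render in the manual; drop it. The LDAPTrustedCA usage now opens with "It specifies ..." although the paragraph it referred to has been removed; start it with "This directive specifies". LDAPCertDBPath is deleted outright with no note that LDAPTrustedCA plus LDAPTrustedCAType replace it, so 2.0.x users upgrading will find no pointer from the old name; a one-line compatibility note would help. LDAPTrustedCAType carries no <default>, and the text should say what mod_ldap does when LDAPTrustedCA is set without a type, or a type without a file.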
  
  
  
  1.6.2.6   +9 -33     httpd-2.0/docs/manual/mod/mod_auth_ldap.xml
  
  Index: mod_auth_ldap.xml
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/docs/manual/mod/mod_auth_ldap.xml,v
  retrieving revision 1.6.2.5
  retrieving revision 1.6.2.6
  diff -u -r1.6.2.5 -r1.6.2.6
  --- mod_auth_ldap.xml	22 Jan 2003 10:33:53 -0000	1.6.2.5
  +++ mod_auth_ldap.xml	10 Mar 2003 16:51:20 -0000	1.6.2.6
  @@ -17,7 +17,8 @@
       <ul>
         <li>Known to support the <a
         href="http://www.openldap.org/">OpenLDAP SDK</a> (both 1.x
  -      and 2.x), and the <a
  +      and 2.x), <a href="http://developer.novell.com/ndk/cldap.htm">
  +      Novell LDAP SDK</a> and the <a
         href="http://www.iplanet.com/downloads/developer/">iPlanet
         (Netscape)</a> SDK.</li>
   
  @@ -32,7 +33,7 @@
         href="mod_ldap.html">mod_ldap</a>.</li>
   
         <li>Support for LDAP over SSL (requires the Netscape SDK) or
  -      TLS (requires the OpenLDAP 2.x SDK).</li>
  +      TLS (requires the OpenLDAP 2.x SDK or Novell LDAP SDK).</li>
       </ul>
   </summary>
   
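Review bot: this line now states that SSL requires the Netscape SDK and TLS requires OpenLDAP 2.x or Novell, while the mod_ldap.xml summary added in this commit says SSL support works with any of OpenLDAP, Novell or iPlanet. One of the two statements is wrong; please reconcile them before the docs ship.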
  @@ -413,24 +414,16 @@
   
   <section id="usingtls"><title>Using TLS</title>
   
  -    <p>To use TLS, simply set the <directive
  -    module="mod_auth_ldap">AuthLDAPStartTLS</directive> to on.
  -    Nothing else needs to be done (other than ensure that your LDAP
  -    server is configured for TLS).</p>
  +    <p>To use TLS, see the <module>mod_ldap</module> directives <directive
  +    module="mod_ldap">LDAPTrustedCA</directive> and <directive
  +    module="mod_ldap">LDAPTrustedCAType</directive>.</p>
   </section>
   
   <section id="usingssl"><title>Using SSL</title>
   
  -    <p>If <module>mod_auth_ldap</module> is linked against the
  -    Netscape/iPlanet LDAP SDK, it will not talk to any SSL server
  -    unless that server has a certificate signed by a known Certificate
  -    Authority. As part of the configuration
  -    <module>mod_auth_ldap</module> needs to be told where it can find
  -    a database containing the known CAs. This database is in the same
  -    format as Netscape Communicator's <code>cert7.db</code>
  -    database. The easiest way to get this file is to start up a fresh
  -    copy of Netscape, and grab the resulting
  -    <code>$HOME/.netscape/cert7.db</code> file.</p>
  +    <p>To use SSL, see the <module>mod_ldap</module> directives <directive
  +    module="mod_ldap">LDAPTrustedCA</directive> and <directive
  +    module="mod_ldap">LDAPTrustedCAType</directive>.</p>
   
       <p>To specify a secure LDAP server, use <em>ldaps://</em> in the
       <directive module="mod_auth_ldap">AuthLDAPURL</directive>
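Review bot: "Using TLS" now only points at LDAPTrustedCA and LDAPTrustedCAType, but the mod_ldap.xml text added in this commit says those directives take effect when the URL uses ldaps://. With AuthLDAPStartTLS gone, the section no longer tells the reader how, or whether, STARTTLS on a plain ldap:// connection can still be requested. Either document the mechanism that replaces AuthLDAPStartTLS or state plainly that only ldaps:// is supported and fold this section into "Using SSL".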
  @@ -732,23 +725,6 @@
       distinguished name of the authenticated user, rather than just
       the username that was passed by the client. It is turned off by
       default.</p>
  -</usage>
  -</directivesynopsis>
  -
  -<directivesynopsis>
  -<name>AuthLDAPStartTLS</name>
  -<description>Use a secure TLS connection to the LDAP server</description>
  -<syntax>AuthLDAPStartTLS on|off</syntax>
  -<default>AuthLDAPStartTLS off</default>
  -<contextlist><context>directory</context><context>.htaccess</context>
  -</contextlist>
  -<override>AuthConfig</override>
  -
  -<usage>
  -    <p>If this directive is set to <code>on</code>,
  -    <module>mod_auth_ldap</module> will start a secure TLS session
  -    after connecting to the LDAP server. This requires your LDAP
  -    server to support TLS.</p>
   </usage>
   </directivesynopsis>
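Review bot: AuthLDAPStartTLS is removed with no deprecation or migration text. Anyone with this directive in a directory or .htaccess config needs to know whether it still parses: if the directive is gone from the module, httpd will reject the configuration at startup; if it is retained as a no-op, a bind that was TLS-protected silently becomes cleartext unless the AuthLDAPURL is changed to ldaps://. Suggest a short note under "Using TLS" stating which of these applies and what to change.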