Diffstat (limited to 'docs/manual/mod/mod_authnz_ldap.html.en')
-rw-r--r-- docs/manual/mod/mod_authnz_ldap.html.en | 102
1 files changed, 45 insertions, 57 deletions
diff --git a/docs/manual/mod/mod_authnz_ldap.html.en b/docs/manual/mod/mod_authnz_ldap.html.en
index 54f426a3..58bf9c3c 100644
--- a/docs/manual/mod/mod_authnz_ldap.html.en
+++ b/docs/manual/mod/mod_authnz_ldap.html.en
@@ -9,7 +9,7 @@
<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="../style/css/prettify.css" />
-<script src="../style/scripts/prettify.js" type="text/javascript">
+<script src="../style/scripts/prettify.min.js" type="text/javascript">
</script>
<link href="../images/favicon.ico" rel="shortcut icon" /></head>
@@ -350,6 +350,9 @@ for HTTP Basic authentication.</td></tr>
<code>ldap-filter</code>. Other authorization types may also be
used but may require that additional authorization modules be loaded.</p>
+ <p>Since v2.5.0, <a href="../expr.html">expressions</a> are supported
+ within the LDAP require directives.</p>
+
<h3><a name="requser" id="requser">Require ldap-user</a></h3>
<p>The <code>Require ldap-user</code> directive specifies what
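Review bot: the version in the added sentence ("Since v2.5.0") does not match the manual this file belongs to, whose comments identifier further down points at docs/2.4; confirm which release actually ships expression support in the LDAP Require directives, and state it in the same "was added in X" form used by the Compatibility row added later in this diff so readers of the 2.4 manual are not told a feature exists that their version lacks.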
@@ -366,11 +369,9 @@ for HTTP Basic authentication.</td></tr>
<code>ldap://ldap/o=Example?cn</code> (i.e., <code>cn</code> is
used for searches), the following Require directives could be used
to restrict access:</p>
-<pre class="prettyprint lang-config">
-Require ldap-user "Barbara Jenson"
+<pre class="prettyprint lang-config">Require ldap-user "Barbara Jenson"
Require ldap-user "Fred User"
-Require ldap-user "Joe Manager"
-</pre>
+Require ldap-user "Joe Manager"</pre>
<p>Because of the way that <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> handles this
@@ -394,12 +395,10 @@ Require ldap-user "Joe Manager"
group. Note: Do not surround the group name with quotes.
For example, assume that the following entry existed in
the LDAP directory:</p>
-<div class="example"><pre>
-dn: cn=Administrators, o=Example
+<div class="example"><pre>dn: cn=Administrators, o=Example
objectClass: groupOfUniqueNames
uniqueMember: cn=Barbara Jenson, o=Example
-uniqueMember: cn=Fred User, o=Example
-</pre></div>
+uniqueMember: cn=Fred User, o=Example</pre></div>
<p>The following directive would grant access to both Fred and
Barbara:</p>
@@ -410,8 +409,7 @@ uniqueMember: cn=Fred User, o=Example
if <code class="directive"><a href="#authldapmaxsubgroupdepth">AuthLDAPMaxSubGroupDepth</a></code>
is set to a value greater than 0. For example, assume the following entries
exist in the LDAP directory:</p>
-<div class="example"><pre>
-dn: cn=Employees, o=Example
+<div class="example"><pre>dn: cn=Employees, o=Example
objectClass: groupOfUniqueNames
uniqueMember: cn=Managers, o=Example
uniqueMember: cn=Administrators, o=Example
@@ -436,17 +434,14 @@ uniqueMember: cn=Temporary Employees, o=Example
dn: cn=Temporary Employees, o=Example
objectClass: groupOfUniqueNames
uniqueMember: cn=Jim Swenson, o=Example
-uniqueMember: cn=Elliot Rhodes, o=Example
-</pre></div>
+uniqueMember: cn=Elliot Rhodes, o=Example</pre></div>
<p>The following directives would allow access for Bob Ellis, Tom Jackson,
Barbara Jensen, Fred User, Allan Jefferson, and Paul Tilley but would not
allow access for Jim Swenson, or Elliot Rhodes (since they are at a
sub-group depth of 2):</p>
-<pre class="prettyprint lang-config">
-Require ldap-group cn=Employees, o-Example
-AuthLDAPMaxSubGroupDepth 1
-</pre>
+<pre class="prettyprint lang-config">Require ldap-group cn=Employees, o-Example
+AuthLDAPMaxSubGroupDepth 1</pre>
<p>Behavior of this directive is modified by the <code class="directive"><a href="#authldapgroupattribute">AuthLDAPGroupAttribute</a></code>, <code class="directive"><a href="#authldapgroupattributeisdn">AuthLDAPGroupAttributeIsDN</a></code>, <code class="directive"><a href="#authldapmaxsubgroupdepth">AuthLDAPMaxSubGroupDepth</a></code>, <code class="directive"><a href="#authldapsubgroupattribute">AuthLDAPSubGroupAttribute</a></code>, and <code class="directive"><a href="#authldapsubgroupclass">AuthLDAPSubGroupClass</a></code>
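Review bot: the context line `Require ldap-group cn=Employees, o-Example` carries a pre-existing typo (`o-Example` for `o=Example`); since this hunk already rewrites the whole <pre>, correct the DN here, otherwise the example will not match the `dn: cn=Employees, o=Example` entry shown directly above it and a reader copying it gets a group lookup that never succeeds.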
@@ -532,10 +527,8 @@ AuthLDAPMaxSubGroupDepth 1
<li>
Grant access to anyone who exists in the LDAP directory,
using their UID for searches.
-<pre class="prettyprint lang-config">
-AuthLDAPURL "ldap://ldap1.example.com:389/ou=People, o=Example?uid?sub?(objectClass=*)"
-Require valid-user
-</pre>
+<pre class="prettyprint lang-config">AuthLDAPURL "ldap://ldap1.example.com:389/ou=People, o=Example?uid?sub?(objectClass=*)"
+Require valid-user</pre>
</li>
@@ -544,8 +537,7 @@ Require valid-user
that have useful defaults omitted. Also, note the use of a
redundant LDAP server.
<pre class="prettyprint lang-config">AuthLDAPURL "ldap://ldap1.example.com ldap2.example.com/ou=People, o=Example"
-Require valid-user
-</pre>
+Require valid-user</pre>
</li>
@@ -558,20 +550,25 @@ Require valid-user
this approach is not recommended: it's a better idea to
choose an attribute that is guaranteed unique in your
directory, such as <code>uid</code>.
-<pre class="prettyprint lang-config">
-AuthLDAPURL "ldap://ldap.example.com/ou=People, o=Example?cn"
-Require valid-user
-</pre>
+<pre class="prettyprint lang-config">AuthLDAPURL "ldap://ldap.example.com/ou=People, o=Example?cn"
+Require valid-user</pre>
</li>
<li>
Grant access to anybody in the Administrators group. The
users must authenticate using their UID.
-<pre class="prettyprint lang-config">
-AuthLDAPURL ldap://ldap.example.com/o=Example?uid
-Require ldap-group cn=Administrators, o=Example
-</pre>
+<pre class="prettyprint lang-config">AuthLDAPURL ldap://ldap.example.com/o=Example?uid
+Require ldap-group cn=Administrators, o=Example</pre>
+
+ </li>
+
+ <li>
+ Grant access to anybody in the group whose name matches the
+ hostname of the virtual host. In this example an
+ <a href="../expr.html">expression</a> is used to build the filter.
+<pre class="prettyprint lang-config">AuthLDAPURL ldap://ldap.example.com/o=Example?uid
+Require ldap-group cn=%{SERVER_NAME}, o=Example</pre>
</li>
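Review bot: the lead-in for the new example says the expression "is used to build the filter", but `%{SERVER_NAME}` is interpolated into the group DN of `Require ldap-group`, not into an LDAP search filter; say "to build the group DN". The example also needs a caveat that `SERVER_NAME` follows the client-supplied Host header unless `UseCanonicalName On` (or an explicit `ServerName`) pins it, so an administrator who copies this line should fix the hostname before letting it select the group that authorizes access.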
@@ -581,10 +578,8 @@ Require ldap-group cn=Administrators, o=Example
of <code>qpagePagerID</code>. The example will grant access
only to people (authenticated via their UID) who have
alphanumeric pagers:
-<pre class="prettyprint lang-config">
-AuthLDAPURL ldap://ldap.example.com/o=Example?uid??(qpagePagerID=*)
-Require valid-user
-</pre>
+<pre class="prettyprint lang-config">AuthLDAPURL ldap://ldap.example.com/o=Example?uid??(qpagePagerID=*)
+Require valid-user</pre>
</li>
@@ -598,10 +593,8 @@ Require valid-user
a pager, plus grant access to Joe Manager, who doesn't
have a pager, but does need to access the same
resource:</p>
-<pre class="prettyprint lang-config">
-AuthLDAPURL ldap://ldap.example.com/o=Example?uid??(|(qpagePagerID=*)(uid=jmanager))
-Require valid-user
-</pre>
+<pre class="prettyprint lang-config">AuthLDAPURL ldap://ldap.example.com/o=Example?uid??(|(qpagePagerID=*)(uid=jmanager))
+Require valid-user</pre>
<p>This last may look confusing at first, so it helps to
@@ -691,11 +684,9 @@ Require valid-user
subtree search for the attribute <em>userPrincipalName</em>, with
an empty search root, like so:</p>
-<pre class="prettyprint lang-config">
-AuthLDAPBindDN apache@example.com
+<pre class="prettyprint lang-config">AuthLDAPBindDN apache@example.com
AuthLDAPBindPassword password
-AuthLDAPURL ldap://10.0.0.1:3268/?userPrincipalName?sub
-</pre>
+AuthLDAPURL ldap://10.0.0.1:3268/?userPrincipalName?sub</pre>
<p>Users will need to enter their User Principal Name as a login, in
@@ -719,11 +710,9 @@ AuthLDAPURL ldap://10.0.0.1:3268/?userPrincipalName?sub
authentication to it is a matter of adding the following
directives to <em>every</em> <code>.htaccess</code> file
that gets created in the web</p>
-<pre class="prettyprint lang-config">
-AuthLDAPURL "the url"
+<pre class="prettyprint lang-config">AuthLDAPURL "the url"
AuthGroupFile mygroupfile
-Require group mygroupfile
-</pre>
+Require group mygroupfile</pre>
<h3><a name="howitworks" id="howitworks">How It Works</a></h3>
@@ -859,6 +848,7 @@ authorization</td></tr>
<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authnz_ldap</td></tr>
+<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td><em>exec:</em> was added in 2.4.6.</td></tr>
</table>
<p>A bind password to use in conjunction with the bind DN. Note
that the bind password is probably sensitive data, and should be
@@ -868,16 +858,14 @@ authorization</td></tr>
<p>If the value begins with exec: the resulting command will be
executed and the first line returned to standard output by the
program will be used as the password.</p>
-<div class="example"><pre>
-#Password used as-is
+<div class="example"><pre>#Password used as-is
AuthLDAPBindPassword secret
#Run /path/to/program to get my password
AuthLDAPBindPassword exec:/path/to/program
#Run /path/to/otherProgram and provide arguments
-AuthLDAPBindPassword "exec:/path/to/otherProgram argument1"
-</pre></div>
+AuthLDAPBindPassword "exec:/path/to/otherProgram argument1"</pre></div>
</div>
@@ -928,7 +916,7 @@ AuthLDAPBindPassword "exec:/path/to/otherProgram argument1"
authorization checks use comparisons.</p>
<p>This directive only has effect on the comparisons performed during
- nested group processing when <code class="directive"><a href="#&#10; authldapsearchasuser">
+ nested group processing when <code class="directive"><a href="#authldapsearchasuser">
AuthLDAPSearchAsUser</a></code> is also enabled.</p>
<p> This directive should only be used when your LDAP server doesn't
@@ -1044,7 +1032,7 @@ own username, instead of anonymously or with hard-coded credentials for the serv
search.</p>
<p> If the verbatim username can't directly bind, but needs some
- cosmetic transformation, see <code class="directive"><a href="#&#10; authldapinitialbindpattern">
+ cosmetic transformation, see <code class="directive"><a href="#authldapinitialbindpattern">
AuthLDAPInitialBindPattern</a></code>.</p>
<p> This directive should only be used when your LDAP server doesn't
@@ -1090,9 +1078,9 @@ to perform a DN lookup</td></tr>
<code class="directive"><a href="#authldapbinddn">AuthLDAPBindDN</a></code>.
</p>
- <pre class="prettyprint lang-config"> AuthLDAPInitialBindPattern (.+) $1@example.com </pre>
+ <pre class="prettyprint lang-config">AuthLDAPInitialBindPattern (.+) $1@example.com</pre>
- <pre class="prettyprint lang-config"> AuthLDAPInitialBindPattern (.+) cn=$1,dc=example,dc=com</pre>
+ <pre class="prettyprint lang-config">AuthLDAPInitialBindPattern (.+) cn=$1,dc=example,dc=com</pre>
<div class="note"><h3>Not available with authorization-only</h3>
@@ -1206,7 +1194,7 @@ environment variable</td></tr>
checks use searches.</p>
<p>This directive only has effect on the comparisons performed during
- nested group processing when <code class="directive"><a href="#&#10; authldapcompareasuser">
+ nested group processing when <code class="directive"><a href="#authldapcompareasuser">
AuthLDAPCompareAsUser</a></code> is also enabled.</p>
<p> This directive should only be used when your LDAP server doesn't
@@ -1412,7 +1400,7 @@ var comments_identifier = 'http://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.
}
})(window, document);
//--><!]]></script></div><div id="footer">
-<p class="apache">Copyright 2013 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
+<p class="apache">Copyright 2014 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!--
if (typeof(prettyPrint) !== 'undefined') {
prettyPrint();