path: root/docs/manual/mod/mod_authnz_ldap.html.en
Diffstat (limited to 'docs/manual/mod/mod_authnz_ldap.html.en')
-rw-r--r--docs/manual/mod/mod_authnz_ldap.html.en150
1 files changed, 90 insertions, 60 deletions
diff --git a/docs/manual/mod/mod_authnz_ldap.html.en b/docs/manual/mod/mod_authnz_ldap.html.en
index aadcffcb..3d5c4ace 100644
--- a/docs/manual/mod/mod_authnz_ldap.html.en
+++ b/docs/manual/mod/mod_authnz_ldap.html.en
@@ -65,6 +65,7 @@ for HTTP Basic authentication.</td></tr>
<li><img alt="" src="../images/down.gif" /> <a href="#authldapdereferencealiases">AuthLDAPDereferenceAliases</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authldapgroupattribute">AuthLDAPGroupAttribute</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authldapgroupattributeisdn">AuthLDAPGroupAttributeIsDN</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#authldapremoteuserattribute">AuthLDAPRemoteUserAttribute</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authldapremoteuserisdn">AuthLDAPRemoteUserIsDN</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authldapurl">AuthLDAPUrl</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authzldapauthoritative">AuthzLDAPAuthoritative</a></li>
@@ -73,7 +74,7 @@ for HTTP Basic authentication.</td></tr>
<ul id="topics">
<li><img alt="" src="../images/down.gif" /> <a href="#contents">Contents</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#operation">Operation</a></li>
-<li><img alt="" src="../images/down.gif" /> <a href="#requiredirectives">The require Directives</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#requiredirectives">The Require Directives</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#examples">Examples</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#usingtls">Using TLS</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#usingssl">Using SSL</a></li>
@@ -104,15 +105,15 @@ for HTTP Basic authentication.</td></tr>
</li>
<li>
- <a href="#requiredirectives">The require Directives</a>
+ <a href="#requiredirectives">The Require Directives</a>
<ul>
- <li><a href="#reqvaliduser">require valid-user</a></li>
- <li><a href="#requser">require ldap-user</a></li>
- <li><a href="#reqgroup">require ldap-group</a></li>
- <li><a href="#reqdn">require ldap-dn</a></li>
- <li><a href="#reqattribute">require ldap-attribute</a></li>
- <li><a href="#reqfilter">require ldap-filter</a></li>
+ <li><a href="#reqvaliduser">Require valid-user</a></li>
+ <li><a href="#requser">Require ldap-user</a></li>
+ <li><a href="#reqgroup">Require ldap-group</a></li>
+ <li><a href="#reqdn">Require ldap-dn</a></li>
+ <li><a href="#reqattribute">Require ldap-attribute</a></li>
+ <li><a href="#reqfilter">Require ldap-filter</a></li>
</ul>
</li>
@@ -220,40 +221,46 @@ for HTTP Basic authentication.</td></tr>
directives to determine if the credentials are acceptable:</p>
<ul>
- <li>Grant access if there is a <a href="#reqgroup"><code>require ldap-user</code></a> directive, and the
+ <li>Grant access if there is a <a href="#reqgroup"><code>Require ldap-user</code></a> directive, and the
username in the directive matches the username passed by the
client.</li>
- <li>Grant access if there is a <a href="#reqdn"><code>require
+ <li>Grant access if there is a <a href="#reqdn"><code>Require
ldap-dn</code></a> directive, and the DN in the directive matches
the DN fetched from the LDAP directory.</li>
- <li>Grant access if there is a <a href="#reqgroup"><code>require ldap-group</code></a> directive, and
+ <li>Grant access if there is a <a href="#reqgroup"><code>Require ldap-group</code></a> directive, and
the DN fetched from the LDAP directory (or the username
passed by the client) occurs in the LDAP group.</li>
<li>Grant access if there is a <a href="#reqattribute">
- <code>require ldap-attribute</code></a>
+ <code>Require ldap-attribute</code></a>
directive, and the attribute fetched from the LDAP directory
matches the given value.</li>
<li>Grant access if there is a <a href="#reqfilter">
- <code>require ldap-filter</code></a>
+ <code>Require ldap-filter</code></a>
directive, and the search filter successfully finds a single user
object that matches the dn of the authenticated user.</li>
<li>otherwise, deny or decline access</li>
</ul>
- <p>Other <code class="directive"><a href="../mod/core.html#require">Require</a></code> values may also be
- used which may require loading additional authorization modules.</p>
+ <p>Other <code class="directive"><a href="../mod/core.html#require">Require</a></code> values may also
+ be used which may require loading additional authorization modules.
+ Note that if you use a <code class="directive"><a href="../mod/core.html#require">Require</a></code>
+ value from another authorization module, you will need to ensure that
+ <code class="directive"><a href="#authzldapauthoritative">AuthzLDAPAuthoritative</a></code>
+ is set to <code>off</code> to allow the authorization phase to fall
+ back to the module providing the alternate
+ <code class="directive"><a href="../mod/core.html#require">Require</a></code> value.</p>
<ul>
- <li>Grant access if there is a <a href="#requser"><code>require
+ <li>Grant access if there is a <a href="#requser"><code>Require
valid-user</code></a> directive. (requires
<code class="module"><a href="../mod/mod_authz_user.html">mod_authz_user</a></code>)</li>
- <li>Grant access if there is a <a href="#reqgroup"><code>require group</code></a> directive, and
+ <li>Grant access if there is a <a href="#reqgroup"><code>Require group</code></a> directive, and
<code class="module"><a href="../mod/mod_authz_groupfile.html">mod_authz_groupfile</a></code> has been loaded with the
<code class="directive"><a href="../mod/mod_authz_groupfile.html#authgroupfile">AuthGroupFile</a></code>
directive set.</li>
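Review bot: the added paragraph about setting AuthzLDAPAuthoritative to off should spell out the security consequence: with it off, a failed LDAP authorization check no longer denies the request by itself but declines and hands the decision to whatever module handles the other Require value, so the admin must verify that such a module is actually loaded and configured (the mod_authz_groupfile item below already hints at this with "has been loaded with the AuthGroupFile directive set"). Two anchors in the changed lines are also wrong: `<a href="#reqgroup"><code>Require ldap-user</code></a>` should point at `#requser`, and `<a href="#requser"><code>Require valid-user</code></a>` should point at `#reqvaliduser`; `Require group` pointing at `#reqgroup` (the ldap-group section) is misleading as well. Finally, "otherwise, deny or decline access" is the only list item not starting with a capital.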
@@ -271,7 +278,7 @@ for HTTP Basic authentication.</td></tr>
<td><code class="directive"><a href="#authldapurl">AuthLDAPURL</a></code> </td>
<td>The attribute specified in the
- URL is used in compare operations for the <code>require
+ URL is used in compare operations for the <code>Require
ldap-user</code> operation.</td>
</tr>
@@ -279,14 +286,14 @@ for HTTP Basic authentication.</td></tr>
<td><code class="directive"><a href="#authldapcomparednonserver">AuthLDAPCompareDNOnServer</a></code></td>
<td>Determines the behavior of the
- <code>require ldap-dn</code> directive.</td>
+ <code>Require ldap-dn</code> directive.</td>
</tr>
<tr>
<td><code class="directive"><a href="#authldapgroupattribute">AuthLDAPGroupAttribute</a></code></td>
<td>Determines the attribute to
- use for comparisons in the <code>require ldap-group</code>
+ use for comparisons in the <code>Require ldap-group</code>
directive.</td>
</tr>
@@ -295,13 +302,13 @@ for HTTP Basic authentication.</td></tr>
<td>Specifies whether to use the
user DN or the username when doing comparisons for the
- <code>require ldap-group</code> directive.</td>
+ <code>Require ldap-group</code> directive.</td>
</tr>
</table>
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
-<h2><a name="requiredirectives" id="requiredirectives">The require Directives</a></h2>
+<h2><a name="requiredirectives" id="requiredirectives">The Require Directives</a></h2>
<p>Apache's <code class="directive"><a href="../mod/core.html#require">Require</a></code>
directives are used during the authorization phase to ensure that
@@ -311,7 +318,7 @@ for HTTP Basic authentication.</td></tr>
<code>ldap-filter</code>. Other authorization types may also be
used but may require that additional authorization modules be loaded.</p>
-<h3><a name="reqvaliduser" id="reqvaliduser">require valid-user</a></h3>
+<h3><a name="reqvaliduser" id="reqvaliduser">Require valid-user</a></h3>
<p>If this directive exists, <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> grants
access to any user that has successfully authenticated during the
@@ -321,42 +328,42 @@ for HTTP Basic authentication.</td></tr>
directive be set to off.</p>
-<h3><a name="requser" id="requser">require ldap-user</a></h3>
+<h3><a name="requser" id="requser">Require ldap-user</a></h3>
- <p>The <code>require ldap-user</code> directive specifies what
+ <p>The <code>Require ldap-user</code> directive specifies what
usernames can access the resource. Once
<code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> has retrieved a unique DN from the
directory, it does an LDAP compare operation using the username
- specified in the <code>require ldap-user</code> to see if that username
+ specified in the <code>Require ldap-user</code> to see if that username
is part of the just-fetched LDAP entry. Multiple users can be
granted access by putting multiple usernames on the line,
separated with spaces. If a username has a space in it, then it
must be surrounded with double quotes. Multiple users can also be
- granted access by using multiple <code>require ldap-user</code>
+ granted access by using multiple <code>Require ldap-user</code>
directives, with one user per line. For example, with a <code class="directive"><a href="#authldapurl">AuthLDAPURL</a></code> of
<code>ldap://ldap/o=Airius?cn</code> (i.e., <code>cn</code> is
- used for searches), the following require directives could be used
+ used for searches), the following Require directives could be used
to restrict access:</p>
<div class="example"><p><code>
-require ldap-user "Barbara Jenson"<br />
-require ldap-user "Fred User"<br />
-require ldap-user "Joe Manager"<br />
+Require ldap-user "Barbara Jenson"<br />
+Require ldap-user "Fred User"<br />
+Require ldap-user "Joe Manager"<br />
</code></p></div>
<p>Because of the way that <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> handles this
directive, Barbara Jenson could sign on as <em>Barbara
Jenson</em>, <em>Babs Jenson</em> or any other <code>cn</code> that
- she has in her LDAP entry. Only the single <code>require
+ she has in her LDAP entry. Only the single <code>Require
ldap-user</code> line is needed to support all values of the attribute
in the user's entry.</p>
<p>If the <code>uid</code> attribute was used instead of the
<code>cn</code> attribute in the URL above, the above three lines
could be condensed to</p>
-<div class="example"><p><code>require ldap-user bjenson fuser jmanager</code></p></div>
+<div class="example"><p><code>Require ldap-user bjenson fuser jmanager</code></p></div>
-<h3><a name="reqgroup" id="reqgroup">require ldap-group</a></h3>
+<h3><a name="reqgroup" id="reqgroup">Require ldap-group</a></h3>
<p>This directive specifies an LDAP group whose members are
allowed access. It takes the distinguished name of the LDAP
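Review bot: the directive name is spelled two ways on this page, `AuthLDAPUrl` in the index entry and `AuthLDAPURL` in the body text and examples here; since this commit is already touching every Require reference for case consistency, the directive name should be normalised in the same pass.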
@@ -372,34 +379,34 @@ uniqueMember: cn=Fred User, o=Airius<br />
<p>The following directive would grant access to both Fred and
Barbara:</p>
-<div class="example"><p><code>require ldap-group cn=Administrators, o=Airius</code></p></div>
+<div class="example"><p><code>Require ldap-group cn=Administrators, o=Airius</code></p></div>
<p>Behavior of this directive is modified by the <code class="directive"><a href="#authldapgroupattribute">AuthLDAPGroupAttribute</a></code> and
<code class="directive"><a href="#authldapgroupattributeisdn">AuthLDAPGroupAttributeIsDN</a></code>
directives.</p>
-<h3><a name="reqdn" id="reqdn">require ldap-dn</a></h3>
+<h3><a name="reqdn" id="reqdn">Require ldap-dn</a></h3>
- <p>The <code>require ldap-dn</code> directive allows the administrator
+ <p>The <code>Require ldap-dn</code> directive allows the administrator
to grant access based on distinguished names. It specifies a DN
that must match for access to be granted. If the distinguished
name that was retrieved from the directory server matches the
- distinguished name in the <code>require ldap-dn</code>, then
+ distinguished name in the <code>Require ldap-dn</code>, then
authorization is granted. Note: do not surround the distinguished
name with quotes.</p>
<p>The following directive would grant access to a specific
DN:</p>
-<div class="example"><p><code>require ldap-dn cn=Barbara Jenson, o=Airius</code></p></div>
+<div class="example"><p><code>Require ldap-dn cn=Barbara Jenson, o=Airius</code></p></div>
<p>Behavior of this directive is modified by the <code class="directive"><a href="#authldapcomparednonserver">AuthLDAPCompareDNOnServer</a></code>
directive.</p>
-<h3><a name="reqattribute" id="reqattribute">require ldap-attribute</a></h3>
+<h3><a name="reqattribute" id="reqattribute">Require ldap-attribute</a></h3>
- <p>The <code>require ldap-attribute</code> directive allows the
+ <p>The <code>Require ldap-attribute</code> directive allows the
administrator to grant access based on attributes of the authenticated
user in the LDAP directory. If the attribute in the directory
matches the value given in the configuration, access is granted.</p>
@@ -407,11 +414,11 @@ uniqueMember: cn=Fred User, o=Airius<br />
<p>The following directive would grant access to anyone with
the attribute employeeType = active</p>
- <div class="example"><p><code>require ldap-attribute employeeType=active</code></p></div>
+ <div class="example"><p><code>Require ldap-attribute employeeType=active</code></p></div>
<p>Multiple attribute/value pairs can be specified on the same line
separated by spaces or they can be specified in multiple
- <code>require ldap-attribute</code> directives. The effect of listing
+ <code>Require ldap-attribute</code> directives. The effect of listing
multiple attribute/values pairs is an OR operation. Access will be
granted if any of the listed attribute values match the value of the
corresponding attribute in the user object. If the value of the
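Review bot: the unchanged context line "multiple attribute/values pairs is an OR operation" has a typo ("attribute/value pairs", as written two lines earlier); worth fixing while this paragraph is being edited.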
@@ -420,13 +427,13 @@ uniqueMember: cn=Fred User, o=Airius<br />
<p>The following directive would grant access to anyone with
the city attribute equal to "San Jose" or status equal to "Active"</p>
- <div class="example"><p><code>require ldap-attribute city="San Jose" status=active</code></p></div>
+ <div class="example"><p><code>Require ldap-attribute city="San Jose" status=active</code></p></div>
-<h3><a name="reqfilter" id="reqfilter">require ldap-filter</a></h3>
+<h3><a name="reqfilter" id="reqfilter">Require ldap-filter</a></h3>
- <p>The <code>require ldap-filter</code> directive allows the
+ <p>The <code>Require ldap-filter</code> directive allows the
administrator to grant access based on a complex LDAP search filter.
If the dn returned by the filter search matches the authenticated user
dn, access is granted.</p>
@@ -434,10 +441,10 @@ uniqueMember: cn=Fred User, o=Airius<br />
<p>The following directive would grant access to anyone having a cell phone
and is in the marketing department</p>
- <div class="example"><p><code>require ldap-filter &amp;(cell=*)(department=marketing)</code></p></div>
+ <div class="example"><p><code>Require ldap-filter &amp;(cell=*)(department=marketing)</code></p></div>
- <p>The difference between the <code>require ldap-filter</code> directive and the
- <code>require ldap-attribute</code> directive is that <code>ldap-filter</code>
+ <p>The difference between the <code>Require ldap-filter</code> directive and the
+ <code>Require ldap-attribute</code> directive is that <code>ldap-filter</code>
performs a search operation on the LDAP directory using the specified search
filter rather than a simple attribute comparison. If a simple attribute
comparison is all that is required, the comparison operation performed by
@@ -456,7 +463,7 @@ uniqueMember: cn=Fred User, o=Airius<br />
using their UID for searches.
<div class="example"><p><code>
AuthLDAPURL ldap://ldap1.airius.com:389/ou=People, o=Airius?uid?sub?(objectClass=*)<br />
-require valid-user
+Require valid-user
</code></p></div>
</li>
@@ -465,7 +472,7 @@ require valid-user
that have useful defaults omitted. Also, note the use of a
redundant LDAP server.
<div class="example"><p><code>AuthLDAPURL ldap://ldap1.airius.com ldap2.airius.com/ou=People, o=Airius<br />
-require valid-user
+Require valid-user
</code></p></div>
</li>
@@ -480,7 +487,7 @@ require valid-user
directory, such as <code>uid</code>.
<div class="example"><p><code>
AuthLDAPURL ldap://ldap.airius.com/ou=People, o=Airius?cn<br />
-require valid-user
+Require valid-user
</code></p></div>
</li>
@@ -489,7 +496,7 @@ require valid-user
users must authenticate using their UID.
<div class="example"><p><code>
AuthLDAPURL ldap://ldap.airius.com/o=Airius?uid<br />
-require ldap-group cn=Administrators, o=Airius
+Require ldap-group cn=Administrators, o=Airius
</code></p></div>
</li>
@@ -501,7 +508,7 @@ require ldap-group cn=Administrators, o=Airius
alphanumeric pagers:
<div class="example"><p><code>
AuthLDAPURL ldap://ldap.airius.com/o=Airius?uid??(qpagePagerID=*)<br />
-require valid-user
+Require valid-user
</code></p></div>
</li>
@@ -517,7 +524,7 @@ require valid-user
resource:</p>
<div class="example"><p><code>
AuthLDAPURL ldap://ldap.airius.com/o=Airius?uid??(|(qpagePagerID=*)(uid=jmanager))<br />
-require valid-user
+Require valid-user
</code></p></div>
<p>This last may look confusing at first, so it helps to
@@ -580,7 +587,7 @@ require valid-user
AuthLDAPURL "the url"
AuthzLDAPAuthoritative off
AuthGroupFile <em>mygroupfile</em>
-require group <em>mygroupfile</em>
+Require group <em>mygroupfile</em>
</pre></div>
<p><code class="directive"><a href="#authzldapauthoritative">AuthzLDAPAuthoritative</a></code>
@@ -591,9 +598,9 @@ require group <em>mygroupfile</em>
<h3><a name="howitworks" id="howitworks">How It Works</a></h3>
- <p>FrontPage restricts access to a web by adding the <code>require
+ <p>FrontPage restricts access to a web by adding the <code>Require
valid-user</code> directive to the <code>.htaccess</code>
- files. The <code>require valid-user</code> directive will succeed for
+ files. The <code>Require valid-user</code> directive will succeed for
any user who is valid <em>as far as LDAP is
concerned</em>. This means that anybody who has an entry in
the LDAP directory is considered a valid user, whereas FrontPage
@@ -716,7 +723,7 @@ require group <em>mygroupfile</em>
<p>When set, <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> will use the LDAP
server to compare the DNs. This is the only foolproof way to
compare DNs. <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> will search the
- directory for the DN specified with the <a href="#reqdn"><code>require dn</code></a> directive, then,
+ directory for the DN specified with the <a href="#reqdn"><code>Require dn</code></a> directive, then,
retrieve the DN and compare it with the DN retrieved from the user
entry. If this directive is not set,
<code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> simply does a string comparison. It
@@ -783,6 +790,29 @@ group membership</td></tr>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="directive-section"><h2><a name="AuthLDAPRemoteUserAttribute" id="AuthLDAPRemoteUserAttribute">AuthLDAPRemoteUserAttribute</a> <a name="authldapremoteuserattribute" id="authldapremoteuserattribute">Directive</a></h2>
+<table class="directive">
+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Use the value of the attribute returned during the user
+query to set the REMOTE_USER environment variable</td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthLDAPRemoteUserAttribute uid</code></td></tr>
+<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>none</code></td></tr>
+<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
+<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
+<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
+<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authnz_ldap</td></tr>
+</table>
+ <p>If this directive is set, the value of the
+ <code>REMOTE_USER</code> environment variable will be set to the
+ value of the attribute specified. Make sure that this attribute is
+ included in the list of attributes in the AuthLDAPUrl definition,
+ otherwise this directive will have no effect. This directive, if
+ present, takes precedence over AuthLDAPRemoteUserIsDN. This
+ directive is useful should you want people to log into a website
+ using an email address, but a backend application expects the
+ username as a userid.</p>
+
+</div>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="AuthLDAPRemoteUserIsDN" id="AuthLDAPRemoteUserIsDN">AuthLDAPRemoteUserIsDN</a> <a name="authldapremoteuserisdn" id="authldapremoteuserisdn">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Use the DN of the client username to set the REMOTE_USER
@@ -935,6 +965,6 @@ authenticating the user if this one fails</td></tr>
<div class="bottomlang">
<p><span>Available Languages: </span><a href="../en/mod/mod_authnz_ldap.html" title="English">&nbsp;en&nbsp;</a></p>
</div><div id="footer">
-<p class="apache">Copyright 2006 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
+<p class="apache">Copyright 2007 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div>
</body></html> \ No newline at end of file