directory search
首页 版本说明 从1.3升级到2.0 编译时配置的改变 运行时配置的改变 杂项变化 第三方模块 从 2.0 升级到 2.2 编译时配置的改变 运行时配置的改变 杂项变化 第三方模块 Apache 2.1/2.2 版本的新特性 核心增强 模块增强 程序增强 针对模块开发者的变化 Apache 2.0 版本的新特性 核心的增强 模块的增强 Apache许可证 参考手册 编译与安装 针对心急者的概述 要求 下载 解压 配置源代码树 编译 安装 配置 测试 升级 启动 Apache是怎样启动的 启动时发生错误 随系统启动时启动 额外信息 停止与重新启动 简介 立即停止 优雅重启 立即重启 优雅停止 附录:信号和竞争条件 运行时配置指令 主配置文件 配置文件的语法 模块 指令的作用域 .htaccess文件 配置段 配置段(容器)的类型 文件系统和网络空间 虚拟主机 代理 允许使用哪些指令? 配置段的合并 内容缓冲 简介 缓冲概述 安全方面的考虑 文件句柄缓冲 内存缓冲 磁盘缓冲 服务器全局配置 服务器标识 文件定位 限制资源的使用 日志文件 安全警告 错误日志 访问日志 日志滚动 管道日志 虚拟主机 其他日志文件 从URL到文件系统的映射 相关模块和指令 DocumentRoot DocumentRoot以外的文件 用户目录 URL重定向 反向代理 重写引擎 File Not Found 安全方面的提示 保持不断更新和升级 ServerRoot目录的权限 服务器端包含 关于CGI 未指定为脚本的CGI 指定为脚本的CGI 其他动态内容的来源 系统设置的保护 默认配置下服务器文件的保护 观察日志文件 动态共享对象(DSO) 实现 用法概要 背景知识 优点和缺点 内容协商 关于内容协商 Apache中的内容协商 协商的方法 打乱品质值 透明内容协商的扩展 超链和名称转换说明 缓冲说明 更多信息 自定义错误响应 行为 配置 自定义错误响应与重定向 地址和端口绑定 概述 针对IPv6的特殊考虑 怎样与虚拟主机协同工作 多路处理模块(MPM) 简介 选择一个MPM 默认的MPM 环境变量 设置环境变量 使用环境变量 用于特殊目的的环境变量 示例 处理器的使用 什么是处理器? 例子 程序员注意事项 过滤器 Apache2中的过滤器 智能过虑 使用过滤器 CGI脚本的Suexec执行 开始之前 suEXEC的安全模型 配置和安装suEXEC 启用和禁用suEXEC 使用suEXEC 调试suEXEC 谨防Jabberwock:警告和举例 性能调整 硬件和操作系统 运行时的配置 编译时的配置 附录:踪迹的详细分析 URL重写指南 mod_rewrite简介 实践方案 URL的规划 内容的处理 对访问的限制 其他 虚拟主机文档 总述 虚拟主机支持 配置指令 基于主机名的虚拟主机 基于域名的虚拟主机和基于IP的虚拟主机比较 使用基于域名的虚拟主机 与旧版浏览器的兼容性 基于IP地址的虚拟主机 系统需求 如何配置Apache 设置多个守护进程 配置拥有多个虚拟主机的单一守护进程 动态配置大量虚拟主机 动机 概述 简单的动态虚拟主机 一个实际的个人主页系统 在同一个服务器上架设多个主机的虚拟系统 更为有效的基于IP地址的虚拟主机 使用老版本的Apache 使用mod_rewrite实现简单的动态虚拟主机 使用mod_rewrite的个人主页系统 使用独立的虚拟主机配置文件 虚拟主机的普通配置示例 在一个IP地址上运行多个基于域名的web站点 在多于一个IP的情况下使用基于域名的虚拟主机 在不同的IP的地址(比如一个内部和一个外部地址)上提供相同的内容 在不同的端口上运行不同的站点 建立基于IP的虚拟主机 混用基于端口和基于IP的虚拟主机 混用基于域名和基于IP的虚拟主机 将虚拟主机和代理模块一起使用 使用默认虚拟主机 将一个基于域名的虚拟主机移植为一个基于IP的虚拟主机 使用ServerPath指令 深入讨论虚拟主机的匹配 解析配置文件 虚拟主机匹配 小技巧 文件描述符限制 关于DNS和Apache 一个简单示例 拒绝服务 "主服务器"地址 避免这些问题的小技巧 附录:进一步的提示 常见问题 概述 SSL/TLS 加密 概述 文档 mod_ssl 绪论 密码技术 证书 安全套接字层(SSL) 参考 兼容性 配置指令 环境变量 自定义日志功能 如何... 加密方案和强制性高等级安全 客户认证和访问控制 常见问题解答 About The Module Installation Configuration Certificates The SSL Protocol mod_ssl Support 如何.../指南 概述 认证 相关模块和指令 简介 先决条件 启用认证 允许多人访问 可能存在的问题 其他认证方法 更多信息 CGI动态页面 简介 配置Apache以允许CGI 编写CGI程序 程序还是不能运行! 幕后是怎样操作的? CGI模块/库 更多信息 服务器端包含 简介 什么是SSI? 配置服务器以允许SSI 基本SSI指令 附加的例子 我还能设置其它什么? 执行命令 高级SSI技术 总结 .htaccess文件 .htaccess文件 工作原理和使用方法 (不)使用.htaccess文件的场合 指令的生效 认证举例 服务器端包含(SSI)举例 CGI举例 疑难解答 用户网站目录 用户网站目录 用UserDir设置文件路径 限定哪些用户可以使用此功能 启用对每个用户都有效的cgi目录 允许用户改变配置 对特定平台的说明 概述 Microsoft Windows 其他平台 在Microsoft Windows中使用Apache 对操作系统的要求 下载 Apache for Windows 安装 Apache for Windows 配置 Apache for Windows 以服务方式运行 Apache for Windows 作为控制台程序运行Apache 测试安装 编译Windows下的Apache 系统要求 命令行编译 Developer Studio集成开发环境的工作区编译 项目组件 在Novell NetWare平台上使用Apache Requirements Downloading Apache for NetWare Installing Apache for NetWare Running Apache for NetWare Configuring Apache for NetWare Compiling Apache for NetWare 在HP-UX中运行Apache The Apache EBCDIC Port Overview of the Apache EBCDIC Port Design Goals Technical Solution Porting Notes Document Storage Notes Apache Modules' Status Third Party Modules' Status 服务器与支持程序 概述 httpd 语法 选项 ab 语法 选项 Bugs apachectl 语法 选项 apxs 语法 选项 举例 configure 语法 选项 环境变量 dbmmanage 语法 选项 Bugs htcacheclean 语法 选项 返回值 htdbm 语法 选项 Bugs 返回值 举例 安全方面的考虑 限制 htdigest 语法 选项 htpasswd 语法 选项 返回值 举例 安全方面的考虑 限制 logresolve 语法 选项 rotatelogs 语法 选项 Portability suexec 语法 选项 其他程序 log_server_status split-logfile 杂项文档 概述 相关标准 HTTP推荐标准 HTML推荐标准 认证 语言/国家代码 Apache 模块 描述模块的术语 说明 状态 源代码文件 模块标识符 兼容性 描述指令的术语 说明 语法 默认值(Default) 作用域(Context) 覆盖项(Override) 状态 模块(Module) 兼容性(Compatibility) Apache核心(Core)特性 AcceptFilter AcceptPathInfo AccessFileName AddDefaultCharset AddOutputFilterByType AllowEncodedSlashes AllowOverride AuthName AuthType CGIMapExtension ContentDigest DefaultType <Directory> <DirectoryMatch> DocumentRoot EnableMMAP EnableSendfile ErrorDocument ErrorLog FileETag <Files> <FilesMatch> ForceType HostnameLookups <IfDefine> <IfModule> Include KeepAlive KeepAliveTimeout <Limit> <LimitExcept> LimitInternalRecursion LimitRequestBody LimitRequestFields LimitRequestFieldSize LimitRequestLine LimitXMLRequestBody <Location> <LocationMatch> LogLevel MaxKeepAliveRequests NameVirtualHost Options Require RLimitCPU RLimitMEM RLimitNPROC Satisfy ScriptInterpreterSource ServerAdmin ServerAlias ServerName ServerPath ServerRoot ServerSignature ServerTokens SetHandler SetInputFilter SetOutputFilter TimeOut TraceEnable UseCanonicalName UseCanonicalPhysicalPort <VirtualHost> Apache MPM 公共指令 AcceptMutex CoreDumpDirectory EnableExceptionHook GracefulShutdownTimeout Group Listen ListenBackLog LockFile MaxClients MaxMemFree MaxRequestsPerChild MaxSpareThreads MinSpareThreads PidFile ReceiveBufferSize ScoreBoardFile SendBufferSize ServerLimit StartServers StartThreads ThreadLimit ThreadsPerChild ThreadStackSize User Apache MPM beos MaxRequestsPerThread CoreDumpDirectory Group Listen ListenBacklog MaxClients MaxMemFree MaxSpareThreads MinSpareThreads PidFile ReceiveBufferSize ScoreBoardFile SendBufferSize StartThreads User Apache MPM event AcceptMutex CoreDumpDirectory EnableExceptionHook Group Listen ListenBacklog LockFile MaxClients MaxMemFree MaxRequestsPerChild MaxSpareThreads MinSpareThreads PidFile ScoreBoardFile SendBufferSize ServerLimit StartServers ThreadLimit ThreadsPerChild ThreadStackSize User Apache MPM netware MaxThreads Listen ListenBacklog MaxMemFree MaxRequestsPerChild MaxSpareThreads MinSpareThreads ReceiveBufferSize SendBufferSize StartThreads ThreadStackSize Apache MPM os2 Group Listen ListenBacklog MaxRequestsPerChild MaxSpareThreads MinSpareThreads PidFile ReceiveBufferSize SendBufferSize StartServers User Apache MPM prefork 工作方式 MaxSpareServers MinSpareServers AcceptMutex CoreDumpDirectory EnableExceptionHook Group Listen ListenBacklog LockFile MaxClients MaxMemFree MaxRequestsPerChild PidFile ReceiveBufferSize ScoreBoardFile SendBufferSize ServerLimit StartServers User Apache MPM winnt Win32DisableAcceptEx CoreDumpDirectory Listen ListenBacklog MaxMemFree MaxRequestsPerChild PidFile ReceiveBufferSize ScoreBoardFile SendBufferSize ThreadLimit ThreadsPerChild ThreadStackSize Apache MPM worker 工作方式 AcceptMutex CoreDumpDirectory EnableExceptionHook Group Listen ListenBacklog LockFile MaxClients MaxMemFree MaxRequestsPerChild MaxSpareThreads MinSpareThreads PidFile ReceiveBufferSize ScoreBoardFile SendBufferSize ServerLimit StartServers ThreadLimit ThreadsPerChild ThreadStackSize User Apache Module mod_actions Action指令 Script指令 Apache Module mod_alias 处理顺序 Alias AliasMatch Redirect RedirectMatch RedirectPermanent RedirectTemp ScriptAlias ScriptAliasMatch Apache Module mod_asis 用法 Apache Module mod_auth_basic AuthBasicAuthoritative AuthBasicProvider Apache Module mod_auth_digest 使用摘要认证 配合 MS Internet Explorer 6 工作 AuthDigestAlgorithm AuthDigestDomain AuthDigestNcCheck AuthDigestNonceFormat AuthDigestNonceLifetime AuthDigestProvider AuthDigestQop AuthDigestShmemSize Apache Module mod_authn_alias 示例 <AuthnProviderAlias> Apache Module mod_authn_anon 示例 Anonymous Anonymous_LogEmail Anonymous_MustGiveEmail Anonymous_NoUserID Anonymous_VerifyEmail Apache Module mod_authn_dbd 配置示例 AuthDBDUserPWQuery AuthDBDUserRealmQuery Apache Module mod_authn_dbm AuthDBMType AuthDBMUserFile Apache Module mod_authn_default AuthDefaultAuthoritative Apache Module mod_authn_file AuthUserFile Apache Module mod_authnz_ldap Contents Operation The require Directives 举例 Using TLS Using SSL Using Microsoft FrontPage with mod_authnz_ldap AuthLDAPBindDN AuthLDAPBindPassword AuthLDAPCharsetConfig AuthLDAPCompareDNOnServer AuthLDAPDereferenceAliases AuthLDAPGroupAttribute AuthLDAPGroupAttributeIsDN AuthLDAPRemoteUserIsDN AuthLDAPUrl AuthzLDAPAuthoritative Apache Module mod_authz_dbm AuthDBMGroupFile AuthzDBMAuthoritative AuthzDBMType Apache Module mod_authz_default AuthzDefaultAuthoritative Apache Module mod_authz_groupfile AuthGroupFile AuthzGroupFileAuthoritative Apache Module mod_authz_host Allow Deny Order Apache Module mod_authz_owner 配置示例 AuthzOwnerAuthoritative Apache Module mod_authz_user AuthzUserAuthoritative Apache Module mod_autoindex Autoindex Request Query Arguments AddAlt AddAltByEncoding AddAltByType AddDescription AddIcon AddIconByEncoding AddIconByType DefaultIcon HeaderName IndexIgnore IndexOptions IndexOrderDefault IndexStyleSheet ReadmeName Apache Module mod_cache Related Modules and Directives 配置示例 CacheDefaultExpire CacheDisable CacheEnable CacheIgnoreCacheControl CacheIgnoreHeaders CacheIgnoreNoLastMod CacheLastModifiedFactor CacheMaxExpire CacheStoreNoStore CacheStorePrivate Apache Module mod_cern_meta MetaDir MetaFiles MetaSuffix Apache Module mod_cgi CGI 环境变量 CGI 脚本的调试 ScriptLog ScriptLogBuffer ScriptLogLength Apache Module mod_cgid ScriptSock ScriptLog ScriptLogBuffer ScriptLogLength Apache Module mod_charset_lite Common Problems CharsetDefault CharsetOptions CharsetSourceEnc Apache Module mod_dav Enabling WebDAV Security Issues Complex Configurations Dav DavDepthInfinity DavMinTimeout Apache Module mod_dav_fs DavLockDB Apache Module mod_dav_lock DavGenericLockDB Apache Module mod_dbd Connection Pooling Apache DBD API SQL Prepared Statements DBDExptime DBDKeep DBDMax DBDMin DBDParams DBDPersist DBDPrepareSQL DBDriver Apache Module mod_deflate 配置举例 启用压缩 代理服务器 DeflateBufferSize DeflateCompressionLevel DeflateFilterNote DeflateMemLevel DeflateWindowSize Apache Module mod_dir DirectoryIndex DirectorySlash Apache Module mod_disk_cache CacheDirLength CacheDirLevels CacheMaxFileSize CacheMinFileSize CacheRoot Apache Module mod_dumpio 启用dumpio支持 DumpIOInput DumpIOOutput Apache Module mod_echo ProtocolEcho Apache Module mod_env PassEnv SetEnv UnsetEnv Apache Module mod_example Compiling the example module Using the mod_example Module Example Apache Module mod_expires 交替间隔语法 ExpiresActive ExpiresByType ExpiresDefault Apache Module mod_ext_filter 举例 ExtFilterDefine ExtFilterOptions Apache Module mod_file_cache Using mod_file_cache CacheFile MMapFile Apache Module mod_filter Smart Filtering Filter Declarations Configuring the Chain Examples Protocol Handling FilterChain FilterDeclare FilterProtocol FilterProvider FilterTrace Apache Module mod_headers 处理顺序 前处理和后处理 举例 Header RequestHeader Apache Module mod_ident IdentityCheck IdentityCheckTimeout Apache Module mod_imagemap New Features Imagemap File Example Mapfile Referencing your mapfile ImapBase ImapDefault ImapMenu Apache Module mod_include Enabling Server-Side Includes PATH_INFO with Server Side Includes Basic Elements Include Variables Variable Substitution Flow Control Elements SSIEndTag SSIErrorMsg SSIStartTag SSITimeFormat SSIUndefinedEcho XBitHack Apache Module mod_info 安全问题 选择哪些信息可以被显示 已知的局限 AddModuleInfo Apache Module mod_isapi 用法 附加注释 程序员注记 ISAPIAppendLogToErrors ISAPIAppendLogToQuery ISAPICacheFile ISAPIFakeAsync ISAPILogNotSupported ISAPIReadAheadBuffer Apache Module mod_ldap 示例配置 LDAP 连接池 LDAP 缓冲 使用SSL/TLS SSL/TLS 证书 LDAPCacheEntries LDAPCacheTTL LDAPConnectionTimeout LDAPOpCacheEntries LDAPOpCacheTTL LDAPSharedCacheFile LDAPSharedCacheSize LDAPTrustedClientCert LDAPTrustedGlobalCert LDAPTrustedMode LDAPVerifyServerCert Apache Module mod_log_config 定制日志文件格式 安全考虑 BufferedLogs CookieLog CustomLog LogFormat TransferLog Apache Module mod_log_forensic 定制日志文件格式 安全考虑 ForensicLog Apache Module mod_logio 定制日志文件格式 Apache Module mod_mem_cache MCacheMaxObjectCount MCacheMaxObjectSize MCacheMaxStreamingBuffer MCacheMinObjectSize MCacheRemovalAlgorithm MCacheSize Apache Module mod_mime 带多扩展名的文件 内容编码 字符集和语言 AddCharset AddEncoding AddHandler AddInputFilter AddLanguage AddOutputFilter AddType DefaultLanguage ModMimeUsePathInfo MultiviewsMatch RemoveCharset RemoveEncoding RemoveHandler RemoveInputFilter RemoveLanguage RemoveOutputFilter RemoveType TypesConfig Apache Module mod_mime_magic "Magic文件"的格式 性能问题 注意 MimeMagicFile Apache Module mod_negotiation 类型表 MultiViews CacheNegotiatedDocs ForceLanguagePriority LanguagePriority Apache Module mod_nw_ssl NWSSLTrustedCerts NWSSLUpgradeable SecureListen Apache Module mod_proxy 正向和反向代理 简单示例 控制对代理服务器的访问 缓慢启动 局域网代理 协议调整 请求体 AllowCONNECT NoProxy <Proxy> ProxyBadHeader ProxyBlock ProxyDomain ProxyErrorOverride ProxyIOBufferSize <ProxyMatch> ProxyMaxForwards ProxyPass ProxyPassReverse ProxyPassReverseCookieDomain ProxyPassReverseCookiePath ProxyPreserveHost ProxyReceiveBufferSize ProxyRemote ProxyRemoteMatch ProxyRequests ProxyTimeout ProxyVia Apache Module mod_proxy_ajp Overview of the protocol Basic Packet Structure Request Packet Structure Response Packet Structure Apache Module mod_proxy_balancer Load balancer scheduler algorithm Request Counting Algorithm Weighted Traffic Counting Algorithm Enabling Balancer Manager Support Apache Module mod_proxy_connect Apache Module mod_proxy_ftp 为什么xxx类型的文件不能从FTP下载? 如何强制文件xxx使用FTP的ASCII形式下载? 我如何使用FTP上传? 我如何能访问我自己home目录以外的FTP文件? 我如何才能在浏览器的URL框中隐藏FTP的明文密码? Apache Module mod_proxy_http Apache Module mod_rewrite 特殊字符的引用 环境变量 实用方案 RewriteBase RewriteCond RewriteEngine RewriteLock RewriteLog RewriteLogLevel RewriteMap RewriteOptions RewriteRule Apache Module mod_setenvif BrowserMatch BrowserMatchNoCase SetEnvIf SetEnvIfNoCase Apache Module mod_so 为Windows创建可加载模块 LoadFile LoadModule Apache Module mod_speling CheckSpelling Apache Module mod_ssl 环境变量 Custom Log Formats SSLCACertificateFile SSLCACertificatePath SSLCADNRequestFile SSLCADNRequestPath SSLCARevocationFile SSLCARevocationPath SSLCertificateChainFile SSLCertificateFile SSLCertificateKeyFile SSLCipherSuite SSLCryptoDevice SSLEngine SSLHonorCipherOrder SSLMutex SSLOptions SSLPassPhraseDialog SSLProtocol SSLProxyCACertificateFile SSLProxyCACertificatePath SSLProxyCARevocationFile SSLProxyCARevocationPath SSLProxyCipherSuite SSLProxyEngine SSLProxyMachineCertificateFile SSLProxyMachineCertificatePath SSLProxyProtocol SSLProxyVerify SSLProxyVerifyDepth SSLRandomSeed SSLRequire SSLRequireSSL SSLSessionCache SSLSessionCacheTimeout SSLUserName SSLVerifyClient SSLVerifyDepth Apache Module mod_status Enabling Status Support 自动更新 Machine Readable Status File ExtendedStatus Apache Module mod_suexec SuexecUserGroup Apache Module mod_unique_id Theory Apache Module mod_userdir UserDir Apache Module mod_usertrack Logging 2-digit or 4-digit dates for cookies? CookieDomain CookieExpires CookieName CookieStyle CookieTracking Apache Module mod_version <IfVersion> Apache Module mod_vhost_alias 目录名称的转换 示例 VirtualDocumentRoot VirtualDocumentRootIP VirtualScriptAlias VirtualScriptAliasIP 开发者文档 Overview Topics External Resources Apache API notes Basic concepts How handlers work Resource allocation and resource pools Configuration Debugging Memory Allocation in APR Available debugging options Allowable Combinations Activating Debugging Options Documenting Apache 2.0 Apache 2.0 Hook Functions Creating a hook function Hooking the hook Converting Modules from Apache 1.3 to Apache 2.0 The easier changes ... The messier changes... Request Processing in Apache 2.0 The Request Processing Cycle The Request Parsing Phase The Security Phase The Preparation Phase The Handler Phase How Filters Work in Apache 2.0 Filter Types How are filters inserted? Asis Explanations 词汇和索引 词汇表 模块索引 指令索引 指令速查 译者声明
characters

Apache模块 mod_authnz_ldap

说明 允许使用一个LDAP目录存储用户名和密码数据库来执行基本认证和授权
状态 扩展(E)
模块名 authnz_ldap_module
源文件 mod_authnz_ldap.c
兼容性 仅在 Apache 2.1 及以后的版本中可用

概述

This module provides authentication front-ends such as mod_auth_basic to authenticate users through an ldap directory.

mod_authnz_ldap supports the following features:

  • Known to support the OpenLDAP SDK (both 1.x and 2.x), Novell LDAP SDK and the iPlanet (Netscape) SDK.
  • Complex authorization policies can be implemented by representing the policy with LDAP filters.
  • Uses extensive caching of LDAP operations via mod_ldap.
  • Support for LDAP over SSL (requires the Netscape SDK) or TLS (requires the OpenLDAP 2.x SDK or Novell LDAP SDK).

When using mod_auth_basic, this module is invoked via the AuthBasicProvider directive with the ldap value.

Contents

  • Operation
    • The Authentication Phase
    • The Authorization Phase
  • The require Directives
    • require valid-user
    • require ldap-user
    • require ldap-group
    • require ldap-dn
    • require ldap-attribute
    • require ldap-filter
  • Examples
  • Using TLS
  • Using SSL
  • Using Microsoft FrontPage with mod_authnz_ldap
    • How It Works
    • Caveats

Operation

There are two phases in granting access to a user. The first phase is authentication, in which the mod_authnz_ldap authentication provider verifies that the user's credentials are valid. This is also called the search/bind phase. The second phase is authorization, in which mod_authnz_ldap determines if the authenticated user is allowed access to the resource in question. This is also known as the compare phase.

mod_authnz_ldap registers both an authn_ldap authentication provider and an authz_ldap authorization handler. The authn_ldap authentication provider can be enabled through the AuthBasicProvider directive using the ldap value. The authz_ldap handler extends the Require directive's authorization types by adding ldap-user, ldap-dnldap-group values.

The Authentication Phase

During the authentication phase, mod_authnz_ldap searches for an entry in the directory that matches the username that the HTTP client passes. If a single unique match is found, then mod_authnz_ldap attempts to bind to the directory server using the DN of the entry plus the password provided by the HTTP client. Because it does a search, then a bind, it is often referred to as the search/bind phase. Here are the steps taken during the search/bind phase.

  1. Generate a search filter by combining the attribute and filter provided in the AuthLDAPURL directive with the username passed by the HTTP client.
  2. Search the directory using the generated filter. If the search does not return exactly one entry, deny or decline access.
  3. Fetch the distinguished name of the entry retrieved from the search and attempt to bind to the LDAP server using the DN and the password passed by the HTTP client. If the bind is unsuccessful, deny or decline access.

The following directives are used during the search/bind phase

AuthLDAPURL Specifies the LDAP server, the base DN, the attribute to use in the search, as well as the extra search filter to use.
AuthLDAPBindDN An optional DN to bind with during the search phase.
AuthLDAPBindPassword An optional password to bind with during the search phase.

The Authorization Phase

During the authorization phase, mod_authnz_ldap attempts to determine if the user is authorized to access the resource. Many of these checks require mod_authnz_ldap to do a compare operation on the LDAP server. This is why this phase is often referred to as the compare phase. mod_authnz_ldap accepts the following Require directives to determine if the credentials are acceptable:

  • Grant access if there is a require ldap-user directive, and the username in the directive matches the username passed by the client.
  • Grant access if there is a require ldap-dn directive, and the DN in the directive matches the DN fetched from the LDAP directory.
  • Grant access if there is a require ldap-group directive, and the DN fetched from the LDAP directory (or the username passed by the client) occurs in the LDAP group.
  • Grant access if there is a require ldap-attribute directive, and the attribute fetched from the LDAP directory matches the given value.
  • Grant access if there is a require ldap-filter directive, and the search filter successfully finds a single user object that matches the dn of the authenticated user.
  • otherwise, deny or decline access

Other Require values may also be used which may require loading additional authorization modules.

  • Grant access if there is a require valid-user directive. (requires mod_authz_user)
  • Grant access if there is a require group directive, and mod_authz_groupfile has been loaded with the AuthGroupFile directive set.
  • others...

mod_authnz_ldap uses the following directives during the compare phase:

AuthLDAPURL The attribute specified in the URL is used in compare operations for the require ldap-user operation.
AuthLDAPCompareDNOnServer Determines the behavior of the require ldap-dn directive.
AuthLDAPGroupAttribute Determines the attribute to use for comparisons in the require ldap-group directive.
AuthLDAPGroupAttributeIsDN Specifies whether to use the user DN or the username when doing comparisons for the require ldap-group directive.

The require Directives

Apache's Require directives are used during the authorization phase to ensure that a user is allowed to access a resource. mod_authnz_ldap extends the authorization types with ldap-user, ldap-dn, ldap-group, ldap-attributeldap-filter. Other authorization types may also be used but may require that additional authorization modules be loaded.

require valid-user

If this directive exists, mod_authnz_ldap grants access to any user that has successfully authenticated during the search/bind phase. Requires that mod_authz_user be loaded and that the AuthzLDAPAuthoritative directive be set to off.

require ldap-user

require ldap-user directive specifies what usernames can access the resource. Once mod_authnz_ldap has retrieved a unique DN from the directory, it does an LDAP compare operation using the username specified in the require ldap-user to see if that username is part of the just-fetched LDAP entry. Multiple users can be granted access by putting multiple usernames on the line, separated with spaces. If a username has a space in it, then it must be surrounded with double quotes. Multiple users can also be granted access by using multiple require ldap-user directives, with one user per line. For example, with a AuthLDAPURL of ldap://ldap/o=Airius?cn (i.e., cn is used for searches), the following require directives could be used to restrict access:

require ldap-user "Barbara Jenson"
require ldap-user "Fred User"
require ldap-user "Joe Manager"

Because of the way that mod_authnz_ldap handles this directive, Barbara Jenson could sign on as Barbara Jenson, Babs Jenson or any other cn that she has in her LDAP entry. Only the single require ldap-user line is needed to support all values of the attribute in the user's entry.

If the uid attribute was used instead of the cn attribute in the URL above, the above three lines could be condensed to

require ldap-user bjenson fuser jmanager

require ldap-group

This directive specifies an LDAP group whose members are allowed access. It takes the distinguished name of the LDAP group. Note: Do not surround the group name with quotes. For example, assume that the following entry existed in the LDAP directory:

dn: cn=Administrators, o=Airius
objectClass: groupOfUniqueNames
uniqueMember: cn=Barbara Jenson, o=Airius
uniqueMember: cn=Fred User, o=Airius

The following directive would grant access to both Fred and Barbara:

require ldap-group cn=Administrators, o=Airius

Behavior of this directive is modified by the AuthLDAPGroupAttributeAuthLDAPGroupAttributeIsDN directives.

require ldap-dn

require ldap-dn directive allows the administrator to grant access based on distinguished names. It specifies a DN that must match for access to be granted. If the distinguished name that was retrieved from the directory server matches the distinguished name in the require ldap-dn, then authorization is granted. Note: do not surround the distinguished name with quotes.

The following directive would grant access to a specific DN:

require ldap-dn cn=Barbara Jenson, o=Airius

Behavior of this directive is modified by the AuthLDAPCompareDNOnServer directive.

require ldap-attribute

require ldap-attribute directive allows the administrator to grant access based on attributes of the authenticated user in the LDAP directory. If the attribute in the directory matches the value given in the configuration, access is granted.

The following directive would grant access to anyone with the attribute employeeType = active

require ldap-attribute employeeType=active

Multiple attribute/value pairs can be specified on the same line separated by spaces or they can be specified in multiple require ldap-attribute directives. The effect of listing multiple attribute/values pairs is an OR operation. Access will be granted if any of the listed attribute values match the value of the corresponding attribute in the user object. If the value of the attribute contains a space, only the value must be within double quotes.

The following directive would grant access to anyone with the city attribute equal to "San Jose" or status equal to "Active"

require ldap-attribute city="San Jose" status=active

require ldap-filter

require ldap-filter directive allows the administrator to grant access based on a complex LDAP search filter. If the dn returned by the filter search matches the authenticated user dn, access is granted.

The following directive would grant access to anyone having a cell phone and is in the marketing department

require ldap-filter &(cell=*)(department=marketing)

The difference between the require ldap-filter directive and the require ldap-attribute directive is that ldap-filter performs a search operation on the LDAP directory using the specified search filter rather than a simple attribute comparison. If a simple attribute comparison is all that is required, the comparison operation performed by ldap-attribute will be faster than the search operation used by ldap-filter especially within a large directory.

Examples

  • Grant access to anyone who exists in the LDAP directory, using their UID for searches.

    AuthLDAPURL ldap://ldap1.airius.com:389/ou=People, o=Airius?uid?sub?(objectClass=*)
    require valid-user

  • The next example is the same as above; but with the fields that have useful defaults omitted. Also, note the use of a redundant LDAP server.

    AuthLDAPURL ldap://ldap1.airius.com ldap2.airius.com/ou=People, o=Airius
    require valid-user

  • The next example is similar to the previous one, but it uses the common name instead of the UID. Note that this could be problematical if multiple people in the directory share the same cn, because a search on cn must return exactly one entry. That's why this approach is not recommended: it's a better idea to choose an attribute that is guaranteed unique in your directory, such as uid.

    AuthLDAPURL ldap://ldap.airius.com/ou=People, o=Airius?cn
    require valid-user

  • Grant access to anybody in the Administrators group. The users must authenticate using their UID.

    AuthLDAPURL ldap://ldap.airius.com/o=Airius?uid
    require ldap-group cn=Administrators, o=Airius

  • The next example assumes that everyone at Airius who carries an alphanumeric pager will have an LDAP attribute of qpagePagerID. The example will grant access only to people (authenticated via their UID) who have alphanumeric pagers:

    AuthLDAPURL ldap://ldap.airius.com/o=Airius?uid??(qpagePagerID=*)
    require valid-user

  • The next example demonstrates the power of using filters to accomplish complicated administrative requirements. Without filters, it would have been necessary to create a new LDAP group and ensure that the group's members remain synchronized with the pager users. This becomes trivial with filters. The goal is to grant access to anyone who has a pager, plus grant access to Joe Manager, who doesn't have a pager, but does need to access the same resource:

    AuthLDAPURL ldap://ldap.airius.com/o=Airius?uid??(|(qpagePagerID=*)(uid=jmanager))
    require valid-user

    This last may look confusing at first, so it helps to evaluate what the search filter will look like based on who connects, as shown below. If Fred User connects as fuser, the filter would look like

    (&(|(qpagePagerID=*)(uid=jmanager))(uid=fuser))

    The above search will only succeed if fuser has a pager. When Joe Manager connects as jmanager, the filter looks like

    (&(|(qpagePagerID=*)(uid=jmanager))(uid=jmanager))

    The above search will succeed whether jmanager has a pager or not.

Using TLS

To use TLS, see the mod_ldap directives LDAPTrustedClientCert, LDAPTrustedGlobalCertLDAPTrustedMode.

An optional second parameter can be added to the AuthLDAPURL to override the default connection type set by LDAPTrustedMode. This will allow the connection established by an ldap:// Url to be upgraded to a secure connection on the same port.

Using SSL

To use SSL, see the mod_ldap directives LDAPTrustedClientCert, LDAPTrustedGlobalCertLDAPTrustedMode.

To specify a secure LDAP server, use ldaps:// in the AuthLDAPURL directive, instead of ldap://.

Using Microsoft FrontPage with mod_authnz_ldap

Normally, FrontPage uses FrontPage-web-specific user/group files (i.e., the mod_authn_filemod_authz_groupfile modules) to handle all authentication. Unfortunately, it is not possible to just change to LDAP authentication by adding the proper directives, because it will break the Permissions forms in the FrontPage client, which attempt to modify the standard text-based authorization files.

Once a FrontPage web has been created, adding LDAP authentication to it is a matter of adding the following directives to every .htaccess file that gets created in the web

AuthLDAPURL            "the url"
AuthzLDAPAuthoritative off
AuthGroupFile mygroupfile
require group mygroupfile

AuthzLDAPAuthoritative must be off to allow mod_authnz_ldap to decline group authentication so that Apache will fall back to file authentication for checking group membership. This allows the FrontPage-managed group file to be used.

How It Works

FrontPage restricts access to a web by adding the require valid-user directive to the .htaccess files. The require valid-user directive will succeed for any user who is valid as far as LDAP is concerned. This means that anybody who has an entry in the LDAP directory is considered a valid user, whereas FrontPage considers only those people in the local user file to be valid. By substituting the ldap-group with group file authorization, Apache is allowed to consult the local user file (which is managed by FrontPage) - instead of LDAP - when handling authorizing the user.

Once directives have been added as specified above, FrontPage users will be able to perform all management operations from the FrontPage client.

Caveats

  • When choosing the LDAP URL, the attribute to use for authentication should be something that will also be valid for putting into a mod_authn_file user file. The user ID is ideal for this.
  • When adding users via FrontPage, FrontPage administrators should choose usernames that already exist in the LDAP directory (for obvious reasons). Also, the password that the administrator enters into the form is ignored, since Apache will actually be authenticating against the password in the LDAP database, and not against the password in the local user file. This could cause confusion for web administrators.
  • Apache must be compiled with mod_auth_basic, mod_authn_filemod_authz_groupfile in order to use FrontPage support. This is because Apache will still use the mod_authz_groupfile group file for determine the extent of a user's access to the FrontPage web.
  • The directives must be put in the .htaccess files. Attempting to put them inside <Location><Directory> directives won't work. This is because mod_authnz_ldap has to be able to grab the AuthGroupFile directive that is found in FrontPage .htaccess files so that it knows where to look for the valid user list. If the mod_authnz_ldap directives aren't in the same .htaccess file as the FrontPage directives, then the hack won't work, because mod_authnz_ldap will never get a chance to process the .htaccess file, and won't be able to find the FrontPage-managed user file.

AuthLDAPBindDN 指令

说明 Optional DN to use in binding to the LDAP server
语法 AuthLDAPBindDN distinguished-name
作用域 directory, .htaccess
覆盖项 AuthConfig
状态 扩展(E)
模块 mod_authnz_ldap

An optional DN used to bind to the server when searching for entries. If not provided, mod_authnz_ldap will use an anonymous bind.

AuthLDAPBindPassword 指令

说明 Password used in conjuction with the bind DN
语法 AuthLDAPBindPassword password
作用域 directory, .htaccess
覆盖项 AuthConfig
状态 扩展(E)
模块 mod_authnz_ldap

A bind password to use in conjunction with the bind DN. Note that the bind password is probably sensitive data, and should be properly protected. You should only use the AuthLDAPBindDNAuthLDAPBindPassword if you absolutely need them to search the directory.

AuthLDAPCharsetConfig 指令

说明 Language to charset conversion configuration file
语法 AuthLDAPCharsetConfig file-path
作用域 server config
状态 扩展(E)
模块 mod_authnz_ldap

AuthLDAPCharsetConfig directive sets the location of the language to charset conversion configuration file. File-path is relative to the ServerRoot. This file specifies the list of language extensions to character sets. Most administrators use the provided charset.conv file, which associates common language extensions to character sets.

The file contains lines in the following format:

Language-Extension charset [Language-String] ...

The case of the extension does not matter. Blank lines, and lines beginning with a hash character (#) are ignored.

AuthLDAPCompareDNOnServer 指令

说明 Use the LDAP server to compare the DNs
语法 AuthLDAPCompareDNOnServer on|off
默认值 AuthLDAPCompareDNOnServer on
作用域 directory, .htaccess
覆盖项 AuthConfig
状态 扩展(E)
模块 mod_authnz_ldap

When set, mod_authnz_ldap will use the LDAP server to compare the DNs. This is the only foolproof way to compare DNs. mod_authnz_ldap will search the directory for the DN specified with the require dn directive, then, retrieve the DN and compare it with the DN retrieved from the user entry. If this directive is not set, mod_authnz_ldap simply does a string comparison. It is possible to get false negatives with this approach, but it is much faster. Note the mod_ldap cache can speed up DN comparison in most situations.

AuthLDAPDereferenceAliases 指令

说明 When will the module de-reference aliases
语法 AuthLDAPDereferenceAliases never|searching|finding|always
默认值 AuthLDAPDereferenceAliases Always
作用域 directory, .htaccess
覆盖项 AuthConfig
状态 扩展(E)
模块 mod_authnz_ldap

This directive specifies when mod_authnz_ldap will de-reference aliases during LDAP operations. The default is always.

AuthLDAPGroupAttribute 指令

说明 LDAP attributes used to check for group membership
语法 AuthLDAPGroupAttribute attribute
作用域 directory, .htaccess
覆盖项 AuthConfig
状态 扩展(E)
模块 mod_authnz_ldap

This directive specifies which LDAP attributes are used to check for group membership. Multiple attributes can be used by specifying this directive multiple times. If not specified, then mod_authnz_ldap uses the memberuniquemember attributes.

AuthLDAPGroupAttributeIsDN 指令

说明 Use the DN of the client username when checking for group membership
语法 AuthLDAPGroupAttributeIsDN on|off
默认值 AuthLDAPGroupAttributeIsDN on
作用域 directory, .htaccess
覆盖项 AuthConfig
状态 扩展(E)
模块 mod_authnz_ldap

When set on, this directive says to use the distinguished name of the client username when checking for group membership. Otherwise, the username will be used. For example, assume that the client sent the username bjenson, which corresponds to the LDAP DN cn=Babs Jenson, o=Airius. If this directive is set, mod_authnz_ldap will check if the group has cn=Babs Jenson, o=Airius as a member. If this directive is not set, then mod_authnz_ldap will check if the group has bjenson as a member.

AuthLDAPRemoteUserIsDN 指令

说明 Use the DN of the client username to set the REMOTE_USER environment variable
语法 AuthLDAPRemoteUserIsDN on|off
默认值 AuthLDAPRemoteUserIsDN off
作用域 directory, .htaccess
覆盖项 AuthConfig
状态 扩展(E)
模块 mod_authnz_ldap

If this directive is set to on, the value of the REMOTE_USER environment variable will be set to the full distinguished name of the authenticated user, rather than just the username that was passed by the client. It is turned off by default.

AuthLDAPUrl 指令

说明 URL specifying the LDAP search parameters
语法 AuthLDAPUrl url [NONE|SSL|TLS|STARTTLS]
作用域 directory, .htaccess
覆盖项 AuthConfig
状态 扩展(E)
模块 mod_authnz_ldap

An RFC 2255 URL which specifies the LDAP search parameters to use. The syntax of the URL is

ldap://host:port/basedn?attribute?scope?filter

ldap
For regular ldap, use the string ldap. For secure LDAP, use ldaps instead. Secure LDAP is only available if Apache was linked to an LDAP library with SSL support.
host:port

The name/port of the ldap server (defaults to localhost:389 for ldap, and localhost:636 for ldaps). To specify multiple, redundant LDAP servers, just list all servers, separated by spaces. mod_authnz_ldap will try connecting to each server in turn, until it makes a successful connection.

Once a connection has been made to a server, that connection remains active for the life of the httpd process, or until the LDAP server goes down.

If the LDAP server goes down and breaks an existing connection, mod_authnz_ldap will attempt to re-connect, starting with the primary server, and trying each redundant server in turn. Note that this is different than a true round-robin search.

basedn
The DN of the branch of the directory where all searches should start from. At the very least, this must be the top of your directory tree, but could also specify a subtree in the directory.
attribute
The attribute to search for. Although RFC 2255 allows a comma-separated list of attributes, only the first attribute will be used, no matter how many are provided. If no attributes are provided, the default is to use uid. It's a good idea to choose an attribute that will be unique across all entries in the subtree you will be using.
scope
The scope of the search. Can be either onesub. Note that a scope of base is also supported by RFC 2255, but is not supported by this module. If the scope is not provided, or if base scope is specified, the default is to use a scope of sub.
filter
A valid LDAP search filter. If not provided, defaults to (objectClass=*), which will search for all objects in the tree. Filters are limited to approximately 8000 characters (the definition of MAX_STRING_LEN in the Apache source code). This should be than sufficient for any application.

When doing searches, the attribute, filter and username passed by the HTTP client are combined to create a search filter that looks like (&(filter)(attribute=username)).

For example, consider an URL of ldap://ldap.airius.com/o=Airius?cn?sub?(posixid=*). When a client attempts to connect using a username of Babs Jenson, the resulting search filter will be (&(posixid=*)(cn=Babs Jenson)).

An optional parameter can be added to allow the LDAP Url to override the connection type. This parameter can be one of the following:

NONE
Establish an unsecure connection on the default LDAP port. This is the same as ldap:// on port 389.
SSL
Establish a secure connection on the default secure LDAP port. This is the same as ldaps://
TLS | STARTTLS
Establish an upgraded secure connection on the default LDAP port. This connection will be initiated on port 389 by default and then upgraded to a secure connection on the same port.

See above for examples of AuthLDAPURL URLs.

AuthzLDAPAuthoritative 指令

说明 Prevent other authentication modules from authenticating the user if this one fails
语法 AuthzLDAPAuthoritative on|off
默认值 AuthzLDAPAuthoritative on
作用域 directory, .htaccess
覆盖项 AuthConfig
状态 扩展(E)
模块 mod_authnz_ldap

Set to off if this module should let other authentication modules attempt to authenticate the user, should authentication with this module fail. Control is only passed on to lower modules if there is no DN or rule that matches the supplied user name (as passed by the client).

Previous article: Next article: