github.com/krum110487/go-htaccess@v0.0.0-20240316004156-60641c8e7598/tests/data/apache_2_2_34/manual/mod/mod_authnz_ldap.html.en (about) 1 <?xml version="1.0" encoding="ISO-8859-1"?> 2 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> 3 <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head> 4 <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type" /> 5 <!-- 6 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 7 This file is generated from xml source: DO NOT EDIT 8 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 9 --> 10 <title>mod_authnz_ldap - Apache HTTP Server Version 2.2</title> 11 <link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" /> 12 <link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" /> 13 <link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="../style/css/prettify.css" /> 14 <script src="../style/scripts/prettify.min.js" type="text/javascript"> 15 </script> 16 17 <link href="../images/favicon.ico" rel="shortcut icon" /><link href="http://httpd.apache.org/docs/current/mod/mod_authnz_ldap.html" rel="canonical" /></head> 18 <body> 19 <div id="page-header"> 20 <p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p> 21 <p class="apache">Apache HTTP Server Version 2.2</p> 22 <img alt="" src="../images/feather.gif" /></div> 23 <div class="up"><a href="./"><img title="<-" alt="<-" src="../images/left.gif" /></a></div> 24 <div id="path"> 25 <a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs/">Documentation</a> > <a href="../">Version 2.2</a> > <a href="./">Modules</a></div> 26 <div id="page-content"> 27 <div class="retired"><h4>Please note</h4> 28 <p> This document refers to a legacy release (<strong>2.2</strong>) of Apache httpd. The active release (<strong>2.4</strong>) is documented <a href="http://httpd.apache.org/docs/current">here</a>. If you have not already upgraded, please follow <a href="http://httpd.apache.org/docs/current/upgrading.html">this link</a> for more information.</p> 29 <p>You may follow <a href="http://httpd.apache.org/docs/current/mod/mod_authnz_ldap.html">this link</a> to go to the current version of this document.</p></div><div id="preamble"><h1>Apache Module mod_authnz_ldap</h1> 30 <div class="toplang"> 31 <p><span>Available Languages: </span><a href="../en/mod/mod_authnz_ldap.html" title="English"> en </a> | 32 <a href="../fr/mod/mod_authnz_ldap.html" hreflang="fr" rel="alternate" title="Français"> fr </a></p> 33 </div> 34 <table class="module"><tr><th><a href="module-dict.html#Description">Description:</a></th><td>Allows an LDAP directory to be used to store the database 35 for HTTP Basic authentication.</td></tr> 36 <tr><th><a href="module-dict.html#Status">Status:</a></th><td>Extension</td></tr> 37 <tr><th><a href="module-dict.html#ModuleIdentifier">Module Identifier:</a></th><td>authnz_ldap_module</td></tr> 38 <tr><th><a href="module-dict.html#SourceFile">Source File:</a></th><td>mod_authnz_ldap.c</td></tr> 39 <tr><th><a href="module-dict.html#Compatibility">Compatibility:</a></th><td>Available in version 2.1 and later</td></tr></table> 40 <h3>Summary</h3> 41 42 <p>This module provides authentication front-ends such as 43 <code class="module"><a href="../mod/mod_auth_basic.html">mod_auth_basic</a></code> to authenticate users through 44 an ldap directory.</p> 45 46 <p><code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> supports the following features:</p> 47 48 <ul> 49 <li>Known to support the <a href="http://www.openldap.org/">OpenLDAP SDK</a> (both 1.x 50 and 2.x), <a href="http://developer.novell.com/ndk/cldap.htm"> 51 Novell LDAP SDK</a> and the <a href="http://www.iplanet.com/downloads/developer/">iPlanet 52 (Netscape)</a> SDK.</li> 53 54 <li>Complex authorization policies can be implemented by 55 representing the policy with LDAP filters.</li> 56 57 <li>Uses extensive caching of LDAP operations via <a href="mod_ldap.html">mod_ldap</a>.</li> 58 59 <li>Support for LDAP over SSL (requires the Netscape SDK) or 60 TLS (requires the OpenLDAP 2.x SDK or Novell LDAP SDK).</li> 61 </ul> 62 63 <p>When using <code class="module"><a href="../mod/mod_auth_basic.html">mod_auth_basic</a></code>, this module is invoked 64 via the <code class="directive"><a href="../mod/mod_auth_basic.html#authbasicprovider">AuthBasicProvider</a></code> 65 directive with the <code>ldap</code> value.</p> 66 </div> 67 <div id="quickview"><h3>Topics</h3> 68 <ul id="topics"> 69 <li><img alt="" src="../images/down.gif" /> <a href="#contents">Contents</a></li> 70 <li><img alt="" src="../images/down.gif" /> <a href="#operation">Operation</a></li> 71 <li><img alt="" src="../images/down.gif" /> <a href="#requiredirectives">The Require Directives</a></li> 72 <li><img alt="" src="../images/down.gif" /> <a href="#examples">Examples</a></li> 73 <li><img alt="" src="../images/down.gif" /> <a href="#usingtls">Using TLS</a></li> 74 <li><img alt="" src="../images/down.gif" /> <a href="#usingssl">Using SSL</a></li> 75 <li><img alt="" src="../images/down.gif" /> <a href="#exposed">Exposing Login Information</a></li> 76 <li><img alt="" src="../images/down.gif" /> <a href="#frontpage">Using Microsoft 77 FrontPage with mod_authnz_ldap</a></li> 78 </ul><h3 class="directives">Directives</h3> 79 <ul id="toc"> 80 <li><img alt="" src="../images/down.gif" /> <a href="#authldapbindauthoritative">AuthLDAPBindAuthoritative</a></li> 81 <li><img alt="" src="../images/down.gif" /> <a href="#authldapbinddn">AuthLDAPBindDN</a></li> 82 <li><img alt="" src="../images/down.gif" /> <a href="#authldapbindpassword">AuthLDAPBindPassword</a></li> 83 <li><img alt="" src="../images/down.gif" /> <a href="#authldapcharsetconfig">AuthLDAPCharsetConfig</a></li> 84 <li><img alt="" src="../images/down.gif" /> <a href="#authldapcomparednonserver">AuthLDAPCompareDNOnServer</a></li> 85 <li><img alt="" src="../images/down.gif" /> <a href="#authldapdereferencealiases">AuthLDAPDereferenceAliases</a></li> 86 <li><img alt="" src="../images/down.gif" /> <a href="#authldapgroupattribute">AuthLDAPGroupAttribute</a></li> 87 <li><img alt="" src="../images/down.gif" /> <a href="#authldapgroupattributeisdn">AuthLDAPGroupAttributeIsDN</a></li> 88 <li><img alt="" src="../images/down.gif" /> <a href="#authldapremoteuserattribute">AuthLDAPRemoteUserAttribute</a></li> 89 <li><img alt="" src="../images/down.gif" /> <a href="#authldapremoteuserisdn">AuthLDAPRemoteUserIsDN</a></li> 90 <li><img alt="" src="../images/down.gif" /> <a href="#authldapurl">AuthLDAPUrl</a></li> 91 <li><img alt="" src="../images/down.gif" /> <a href="#authzldapauthoritative">AuthzLDAPAuthoritative</a></li> 92 </ul> 93 <h3>See also</h3> 94 <ul class="seealso"> 95 <li><code class="module"><a href="../mod/mod_ldap.html">mod_ldap</a></code></li> 96 <li><code class="module"><a href="../mod/mod_auth_basic.html">mod_auth_basic</a></code></li> 97 <li><code class="module"><a href="../mod/mod_authz_user.html">mod_authz_user</a></code></li> 98 <li><code class="module"><a href="../mod/mod_authz_groupfile.html">mod_authz_groupfile</a></code></li> 99 </ul><ul class="seealso"><li><a href="#comments_section">Comments</a></li></ul></div> 100 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> 101 <div class="section"> 102 <h2><a name="contents" id="contents">Contents</a></h2> 103 104 <ul> 105 <li> 106 <a href="#operation">Operation</a> 107 108 <ul> 109 <li><a href="#authenphase">The Authentication 110 Phase</a></li> 111 112 <li><a href="#authorphase">The Authorization 113 Phase</a></li> 114 </ul> 115 </li> 116 117 <li> 118 <a href="#requiredirectives">The Require Directives</a> 119 120 <ul> 121 <li><a href="#requser">Require ldap-user</a></li> 122 <li><a href="#reqgroup">Require ldap-group</a></li> 123 <li><a href="#reqdn">Require ldap-dn</a></li> 124 <li><a href="#reqattribute">Require ldap-attribute</a></li> 125 <li><a href="#reqfilter">Require ldap-filter</a></li> 126 </ul> 127 </li> 128 129 <li><a href="#examples">Examples</a></li> 130 <li><a href="#usingtls">Using TLS</a></li> 131 <li><a href="#usingssl">Using SSL</a></li> 132 <li><a href="#exposed">Exposing Login Information</a></li> 133 <li> 134 <a href="#frontpage">Using Microsoft FrontPage with 135 <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code></a> 136 137 <ul> 138 <li><a href="#howitworks">How It Works</a></li> 139 <li><a href="#fpcaveats">Caveats</a></li> 140 </ul> 141 </li> 142 </ul> 143 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> 144 <div class="section"> 145 <h2><a name="operation" id="operation">Operation</a></h2> 146 147 <p>There are two phases in granting access to a user. The first 148 phase is authentication, in which the <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> 149 authentication provider verifies that the user's credentials are valid. 150 This is also called the <em>search/bind</em> phase. The second phase is 151 authorization, in which <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> determines 152 if the authenticated user is allowed access to the resource in 153 question. This is also known as the <em>compare</em> 154 phase.</p> 155 156 <p><code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> registers both an authn_ldap authentication 157 provider and an authz_ldap authorization handler. The authn_ldap 158 authentication provider can be enabled through the 159 <code class="directive"><a href="../mod/mod_auth_basic.html#authbasicprovider">AuthBasicProvider</a></code> directive 160 using the <code>ldap</code> value. The authz_ldap handler extends the 161 <code class="directive"><a href="../mod/core.html#require">Require</a></code> directive's authorization types 162 by adding <code>ldap-user</code>, <code>ldap-dn</code> and <code>ldap-group</code> 163 values.</p> 164 165 <h3><a name="authenphase" id="authenphase">The Authentication 166 Phase</a></h3> 167 168 <p>During the authentication phase, <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> 169 searches for an entry in the directory that matches the username 170 that the HTTP client passes. If a single unique match is found, 171 then <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> attempts to bind to the 172 directory server using the DN of the entry plus the password 173 provided by the HTTP client. Because it does a search, then a 174 bind, it is often referred to as the search/bind phase. Here are 175 the steps taken during the search/bind phase.</p> 176 177 <ol> 178 <li>Generate a search filter by combining the attribute and 179 filter provided in the <code class="directive"><a href="#authldapurl">AuthLDAPURL</a></code> directive with 180 the username passed by the HTTP client.</li> 181 182 <li>Search the directory using the generated filter. If the 183 search does not return exactly one entry, deny or decline 184 access.</li> 185 186 <li>Fetch the distinguished name of the entry retrieved from 187 the search and attempt to bind to the LDAP server using the 188 DN and the password passed by the HTTP client. If the bind is 189 unsuccessful, deny or decline access.</li> 190 </ol> 191 192 <p>The following directives are used during the search/bind 193 phase</p> 194 195 <table> 196 197 <tr> 198 <td><code class="directive"><a href="#authldapurl">AuthLDAPURL</a></code></td> 199 200 <td>Specifies the LDAP server, the 201 base DN, the attribute to use in the search, as well as the 202 extra search filter to use.</td> 203 </tr> 204 205 <tr> 206 <td><code class="directive"><a href="#authldapbinddn">AuthLDAPBindDN</a></code></td> 207 208 <td>An optional DN to bind with 209 during the search phase.</td> 210 </tr> 211 212 <tr> 213 <td><code class="directive"><a href="#authldapbindpassword">AuthLDAPBindPassword</a></code></td> 214 215 <td>An optional password to bind 216 with during the search phase.</td> 217 </tr> 218 </table> 219 220 221 <h3><a name="authorphase" id="authorphase">The Authorization Phase</a></h3> 222 223 <p>During the authorization phase, <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> 224 attempts to determine if the user is authorized to access the 225 resource. Many of these checks require 226 <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> to do a compare operation on the 227 LDAP server. This is why this phase is often referred to as the 228 compare phase. <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> accepts the 229 following <code class="directive"><a href="../mod/core.html#require">Require</a></code> 230 directives to determine if the credentials are acceptable:</p> 231 232 <ul> 233 <li>Grant access if there is a <a href="#reqgroup"><code>Require ldap-user</code></a> directive, and the 234 username in the directive matches the username passed by the 235 client.</li> 236 237 <li>Grant access if there is a <a href="#reqdn"><code>Require 238 ldap-dn</code></a> directive, and the DN in the directive matches 239 the DN fetched from the LDAP directory.</li> 240 241 <li>Grant access if there is a <a href="#reqgroup"><code>Require ldap-group</code></a> directive, and 242 the DN fetched from the LDAP directory (or the username 243 passed by the client) occurs in the LDAP group.</li> 244 245 <li>Grant access if there is a <a href="#reqattribute"> 246 <code>Require ldap-attribute</code></a> 247 directive, and the attribute fetched from the LDAP directory 248 matches the given value.</li> 249 250 <li>Grant access if there is a <a href="#reqfilter"> 251 <code>Require ldap-filter</code></a> 252 directive, and the search filter successfully finds a single user 253 object that matches the dn of the authenticated user.</li> 254 255 <li>otherwise, deny or decline access</li> 256 </ul> 257 258 <p>Other <code class="directive"><a href="../mod/core.html#require">Require</a></code> values may also 259 be used which may require loading additional authorization modules. 260 Note that if you use a <code class="directive"><a href="../mod/core.html#require">Require</a></code> 261 value from another authorization module, you will need to ensure that 262 <code class="directive"><a href="#authzldapauthoritative">AuthzLDAPAuthoritative</a></code> 263 is set to <code>off</code> to allow the authorization phase to fall 264 back to the module providing the alternate 265 <code class="directive"><a href="../mod/core.html#require">Require</a></code> value. When no 266 LDAP-specific <code class="directive"><a href="../mod/core.html#require">Require</a></code> directives 267 are used, authorization is allowed to fall back to other modules 268 as if <code class="directive"><a href="#authzldapauthoritative">AuthzLDAPAuthoritative</a></code> 269 was set to <code>off</code>. </p> 270 271 <ul> 272 <li>Grant access to all successfully authenticated users if 273 there is a <a href="#requser"><code>Require valid-user</code></a> 274 directive. (requires <code class="module"><a href="../mod/mod_authz_user.html">mod_authz_user</a></code>)</li> 275 276 <li>Grant access if there is a <a href="#reqgroup"><code>Require group</code></a> directive, and 277 <code class="module"><a href="../mod/mod_authz_groupfile.html">mod_authz_groupfile</a></code> has been loaded with the 278 <code class="directive"><a href="../mod/mod_authz_groupfile.html#authgroupfile">AuthGroupFile</a></code> 279 directive set.</li> 280 281 <li>others...</li> 282 </ul> 283 284 285 <p><code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> uses the following directives during the 286 compare phase:</p> 287 288 <table> 289 290 <tr> 291 <td><code class="directive"><a href="#authldapurl">AuthLDAPURL</a></code> </td> 292 293 <td>The attribute specified in the 294 URL is used in compare operations for the <code>Require 295 ldap-user</code> operation.</td> 296 </tr> 297 298 <tr> 299 <td><code class="directive"><a href="#authldapcomparednonserver">AuthLDAPCompareDNOnServer</a></code></td> 300 301 <td>Determines the behavior of the 302 <code>Require ldap-dn</code> directive.</td> 303 </tr> 304 305 <tr> 306 <td><code class="directive"><a href="#authldapgroupattribute">AuthLDAPGroupAttribute</a></code></td> 307 308 <td>Determines the attribute to 309 use for comparisons in the <code>Require ldap-group</code> 310 directive.</td> 311 </tr> 312 313 <tr> 314 <td><code class="directive"><a href="#authldapgroupattributeisdn">AuthLDAPGroupAttributeIsDN</a></code></td> 315 316 <td>Specifies whether to use the 317 user DN or the username when doing comparisons for the 318 <code>Require ldap-group</code> directive.</td> 319 </tr> 320 </table> 321 322 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> 323 <div class="section"> 324 <h2><a name="requiredirectives" id="requiredirectives">The Require Directives</a></h2> 325 326 <p>Apache's <code class="directive"><a href="../mod/core.html#require">Require</a></code> 327 directives are used during the authorization phase to ensure that 328 a user is allowed to access a resource. mod_authnz_ldap extends the 329 authorization types with <code>ldap-user</code>, <code>ldap-dn</code>, 330 <code>ldap-group</code>, <code>ldap-attribute</code> and 331 <code>ldap-filter</code>. Other authorization types may also be 332 used but may require that additional authorization modules be loaded.</p> 333 334 <h3><a name="requser" id="requser">Require ldap-user</a></h3> 335 336 <p>The <code>Require ldap-user</code> directive specifies what 337 usernames can access the resource. Once 338 <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> has retrieved a unique DN from the 339 directory, it does an LDAP compare operation using the username 340 specified in the <code>Require ldap-user</code> to see if that username 341 is part of the just-fetched LDAP entry. Multiple users can be 342 granted access by putting multiple usernames on the line, 343 separated with spaces. If a username has a space in it, then it 344 must be surrounded with double quotes. Multiple users can also be 345 granted access by using multiple <code>Require ldap-user</code> 346 directives, with one user per line. For example, with a <code class="directive"><a href="#authldapurl">AuthLDAPURL</a></code> of 347 <code>ldap://ldap/o=Airius?cn</code> (i.e., <code>cn</code> is 348 used for searches), the following Require directives could be used 349 to restrict access:</p> 350 <div class="example"><p><code> 351 Require ldap-user "Barbara Jenson"<br /> 352 Require ldap-user "Fred User"<br /> 353 Require ldap-user "Joe Manager"<br /> 354 </code></p></div> 355 356 <p>Because of the way that <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> handles this 357 directive, Barbara Jenson could sign on as <em>Barbara 358 Jenson</em>, <em>Babs Jenson</em> or any other <code>cn</code> that 359 she has in her LDAP entry. Only the single <code>Require 360 ldap-user</code> line is needed to support all values of the attribute 361 in the user's entry.</p> 362 363 <p>If the <code>uid</code> attribute was used instead of the 364 <code>cn</code> attribute in the URL above, the above three lines 365 could be condensed to</p> 366 <div class="example"><p><code>Require ldap-user bjenson fuser jmanager</code></p></div> 367 368 369 <h3><a name="reqgroup" id="reqgroup">Require ldap-group</a></h3> 370 371 <p>This directive specifies an LDAP group whose members are 372 allowed access. It takes the distinguished name of the LDAP 373 group. Note: Do not surround the group name with quotes. 374 For example, assume that the following entry existed in 375 the LDAP directory:</p> 376 <div class="example"><p><code> 377 dn: cn=Administrators, o=Airius<br /> 378 objectClass: groupOfUniqueNames<br /> 379 uniqueMember: cn=Barbara Jenson, o=Airius<br /> 380 uniqueMember: cn=Fred User, o=Airius<br /> 381 </code></p></div> 382 383 <p>The following directive would grant access to both Fred and 384 Barbara:</p> 385 <div class="example"><p><code>Require ldap-group cn=Administrators, o=Airius</code></p></div> 386 387 <p>Behavior of this directive is modified by the <code class="directive"><a href="#authldapgroupattribute">AuthLDAPGroupAttribute</a></code> and 388 <code class="directive"><a href="#authldapgroupattributeisdn">AuthLDAPGroupAttributeIsDN</a></code> 389 directives.</p> 390 391 392 <h3><a name="reqdn" id="reqdn">Require ldap-dn</a></h3> 393 394 <p>The <code>Require ldap-dn</code> directive allows the administrator 395 to grant access based on distinguished names. It specifies a DN 396 that must match for access to be granted. If the distinguished 397 name that was retrieved from the directory server matches the 398 distinguished name in the <code>Require ldap-dn</code>, then 399 authorization is granted. Note: do not surround the distinguished 400 name with quotes.</p> 401 402 <p>The following directive would grant access to a specific 403 DN:</p> 404 <div class="example"><p><code>Require ldap-dn cn=Barbara Jenson, o=Airius</code></p></div> 405 406 <p>Behavior of this directive is modified by the <code class="directive"><a href="#authldapcomparednonserver">AuthLDAPCompareDNOnServer</a></code> 407 directive.</p> 408 409 410 <h3><a name="reqattribute" id="reqattribute">Require ldap-attribute</a></h3> 411 412 <p>The <code>Require ldap-attribute</code> directive allows the 413 administrator to grant access based on attributes of the authenticated 414 user in the LDAP directory. If the attribute in the directory 415 matches the value given in the configuration, access is granted.</p> 416 417 <p>The following directive would grant access to anyone with 418 the attribute employeeType = active</p> 419 420 <div class="example"><p><code>Require ldap-attribute employeeType=active</code></p></div> 421 422 <p>Multiple attribute/value pairs can be specified on the same line 423 separated by spaces or they can be specified in multiple 424 <code>Require ldap-attribute</code> directives. The effect of listing 425 multiple attribute/values pairs is an OR operation. Access will be 426 granted if any of the listed attribute values match the value of the 427 corresponding attribute in the user object. If the value of the 428 attribute contains a space, only the value must be within double quotes.</p> 429 430 <p>The following directive would grant access to anyone with 431 the city attribute equal to "San Jose" or status equal to "Active"</p> 432 433 <div class="example"><p><code>Require ldap-attribute city="San Jose" status=active</code></p></div> 434 435 436 437 <h3><a name="reqfilter" id="reqfilter">Require ldap-filter</a></h3> 438 439 <p>The <code>Require ldap-filter</code> directive allows the 440 administrator to grant access based on a complex LDAP search filter. 441 If the dn returned by the filter search matches the authenticated user 442 dn, access is granted.</p> 443 444 <p>The following directive would grant access to anyone having a cell phone 445 and is in the marketing department</p> 446 447 <div class="example"><p><code>Require ldap-filter &(cell=*)(department=marketing)</code></p></div> 448 449 <p>The difference between the <code>Require ldap-filter</code> directive and the 450 <code>Require ldap-attribute</code> directive is that <code>ldap-filter</code> 451 performs a search operation on the LDAP directory using the specified search 452 filter rather than a simple attribute comparison. If a simple attribute 453 comparison is all that is required, the comparison operation performed by 454 <code>ldap-attribute</code> will be faster than the search operation 455 used by <code>ldap-filter</code> especially within a large directory.</p> 456 457 458 459 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> 460 <div class="section"> 461 <h2><a name="examples" id="examples">Examples</a></h2> 462 463 <ul> 464 <li> 465 Grant access to anyone who exists in the LDAP directory, 466 using their UID for searches. 467 <div class="example"><p><code> 468 AuthLDAPURL "ldap://ldap1.airius.com:389/ou=People, o=Airius?uid?sub?(objectClass=*)"<br /> 469 Require valid-user 470 </code></p></div> 471 </li> 472 473 <li> 474 The next example is the same as above; but with the fields 475 that have useful defaults omitted. Also, note the use of a 476 redundant LDAP server. 477 <div class="example"><p><code>AuthLDAPURL "ldap://ldap1.airius.com ldap2.airius.com/ou=People, o=Airius"<br /> 478 Require valid-user 479 </code></p></div> 480 </li> 481 482 <li> 483 The next example is similar to the previous one, but it 484 uses the common name instead of the UID. Note that this 485 could be problematical if multiple people in the directory 486 share the same <code>cn</code>, because a search on <code>cn</code> 487 <strong>must</strong> return exactly one entry. That's why 488 this approach is not recommended: it's a better idea to 489 choose an attribute that is guaranteed unique in your 490 directory, such as <code>uid</code>. 491 <div class="example"><p><code> 492 AuthLDAPURL "ldap://ldap.airius.com/ou=People, o=Airius?cn"<br /> 493 Require valid-user 494 </code></p></div> 495 </li> 496 497 <li> 498 Grant access to anybody in the Administrators group. The 499 users must authenticate using their UID. 500 <div class="example"><p><code> 501 AuthLDAPURL ldap://ldap.airius.com/o=Airius?uid<br /> 502 Require ldap-group cn=Administrators, o=Airius 503 </code></p></div> 504 </li> 505 506 <li> 507 The next example assumes that everyone at Airius who 508 carries an alphanumeric pager will have an LDAP attribute 509 of <code>qpagePagerID</code>. The example will grant access 510 only to people (authenticated via their UID) who have 511 alphanumeric pagers: 512 <div class="example"><p><code> 513 AuthLDAPURL ldap://ldap.airius.com/o=Airius?uid??(qpagePagerID=*)<br /> 514 Require valid-user 515 </code></p></div> 516 </li> 517 518 <li> 519 <p>The next example demonstrates the power of using filters 520 to accomplish complicated administrative requirements. 521 Without filters, it would have been necessary to create a 522 new LDAP group and ensure that the group's members remain 523 synchronized with the pager users. This becomes trivial 524 with filters. The goal is to grant access to anyone who has 525 a pager, plus grant access to Joe Manager, who doesn't 526 have a pager, but does need to access the same 527 resource:</p> 528 <div class="example"><p><code> 529 AuthLDAPURL ldap://ldap.airius.com/o=Airius?uid??(|(qpagePagerID=*)(uid=jmanager))<br /> 530 Require valid-user 531 </code></p></div> 532 533 <p>This last may look confusing at first, so it helps to 534 evaluate what the search filter will look like based on who 535 connects, as shown below. If 536 Fred User connects as <code>fuser</code>, the filter would look 537 like</p> 538 539 <div class="example"><p><code>(&(|(qpagePagerID=*)(uid=jmanager))(uid=fuser))</code></p></div> 540 541 <p>The above search will only succeed if <em>fuser</em> has a 542 pager. When Joe Manager connects as <em>jmanager</em>, the 543 filter looks like</p> 544 545 <div class="example"><p><code>(&(|(qpagePagerID=*)(uid=jmanager))(uid=jmanager))</code></p></div> 546 547 <p>The above search will succeed whether <em>jmanager</em> 548 has a pager or not.</p> 549 </li> 550 </ul> 551 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> 552 <div class="section"> 553 <h2><a name="usingtls" id="usingtls">Using TLS</a></h2> 554 555 <p>To use TLS, see the <code class="module"><a href="../mod/mod_ldap.html">mod_ldap</a></code> directives <code class="directive"><a href="../mod/mod_ldap.html#ldaptrustedclientcert">LDAPTrustedClientCert</a></code>, <code class="directive"><a href="../mod/mod_ldap.html#ldaptrustedglobalcert">LDAPTrustedGlobalCert</a></code> and <code class="directive"><a href="../mod/mod_ldap.html#ldaptrustedmode">LDAPTrustedMode</a></code>.</p> 556 557 <p>An optional second parameter can be added to the 558 <code class="directive"><a href="#authldapurl">AuthLDAPURL</a></code> to override 559 the default connection type set by <code class="directive"><a href="../mod/mod_ldap.html#ldaptrustedmode">LDAPTrustedMode</a></code>. 560 This will allow the connection established by an <em>ldap://</em> Url 561 to be upgraded to a secure connection on the same port.</p> 562 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> 563 <div class="section"> 564 <h2><a name="usingssl" id="usingssl">Using SSL</a></h2> 565 566 <p>To use SSL, see the <code class="module"><a href="../mod/mod_ldap.html">mod_ldap</a></code> directives <code class="directive"><a href="../mod/mod_ldap.html#ldaptrustedclientcert">LDAPTrustedClientCert</a></code>, <code class="directive"><a href="../mod/mod_ldap.html#ldaptrustedglobalcert">LDAPTrustedGlobalCert</a></code> and <code class="directive"><a href="../mod/mod_ldap.html#ldaptrustedmode">LDAPTrustedMode</a></code>.</p> 567 568 <p>To specify a secure LDAP server, use <em>ldaps://</em> in the 569 <code class="directive"><a href="#authldapurl">AuthLDAPURL</a></code> 570 directive, instead of <em>ldap://</em>.</p> 571 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> 572 <div class="section"> 573 <h2><a name="exposed" id="exposed">Exposing Login Information</a></h2> 574 575 <p>When this module performs authentication, LDAP attributes specified 576 in the <code class="directive"><a href="#authldapurl">AuthLDAPUrl</a></code> 577 directive are placed in environment variables with the prefix "AUTHENTICATE_".</p> 578 579 <p>If the attribute field contains the username, common name 580 and telephone number of a user, a CGI program will have access to 581 this information without the need to make a second independent LDAP 582 query to gather this additional information.</p> 583 584 <p>This has the potential to dramatically simplify the coding and 585 configuration required in some web applications.</p> 586 587 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> 588 <div class="section"> 589 <h2><a name="frontpage" id="frontpage">Using Microsoft 590 FrontPage with mod_authnz_ldap</a></h2> 591 592 <p>Normally, FrontPage uses FrontPage-web-specific user/group 593 files (i.e., the <code class="module"><a href="../mod/mod_authn_file.html">mod_authn_file</a></code> and 594 <code class="module"><a href="../mod/mod_authz_groupfile.html">mod_authz_groupfile</a></code> modules) to handle all 595 authentication. Unfortunately, it is not possible to just 596 change to LDAP authentication by adding the proper directives, 597 because it will break the <em>Permissions</em> forms in 598 the FrontPage client, which attempt to modify the standard 599 text-based authorization files.</p> 600 601 <p>Once a FrontPage web has been created, adding LDAP 602 authentication to it is a matter of adding the following 603 directives to <em>every</em> <code>.htaccess</code> file 604 that gets created in the web</p> 605 <div class="example"><pre>AuthLDAPURL "the url" 606 AuthGroupFile <em>mygroupfile</em> 607 Require group <em>mygroupfile</em> 608 </pre></div> 609 610 <h3><a name="howitworks" id="howitworks">How It Works</a></h3> 611 612 <p>FrontPage restricts access to a web by adding the <code>Require 613 valid-user</code> directive to the <code>.htaccess</code> 614 files. The <code>Require valid-user</code> directive will succeed for 615 any user who is valid <em>as far as LDAP is 616 concerned</em>. This means that anybody who has an entry in 617 the LDAP directory is considered a valid user, whereas FrontPage 618 considers only those people in the local user file to be 619 valid. By substituting the ldap-group with group file authorization, 620 Apache is allowed to consult the local user file (which is managed by 621 FrontPage) - instead of LDAP - when handling authorizing the user.</p> 622 623 <p>Once directives have been added as specified above, 624 FrontPage users will be able to perform all management 625 operations from the FrontPage client.</p> 626 627 628 <h3><a name="fpcaveats" id="fpcaveats">Caveats</a></h3> 629 630 <ul> 631 <li>When choosing the LDAP URL, the attribute to use for 632 authentication should be something that will also be valid 633 for putting into a <code class="module"><a href="../mod/mod_authn_file.html">mod_authn_file</a></code> user file. 634 The user ID is ideal for this.</li> 635 636 <li>When adding users via FrontPage, FrontPage administrators 637 should choose usernames that already exist in the LDAP 638 directory (for obvious reasons). Also, the password that the 639 administrator enters into the form is ignored, since Apache 640 will actually be authenticating against the password in the 641 LDAP database, and not against the password in the local user 642 file. This could cause confusion for web administrators.</li> 643 644 645 <li>Apache must be compiled with <code class="module"><a href="../mod/mod_auth_basic.html">mod_auth_basic</a></code>, 646 <code class="module"><a href="../mod/mod_authn_file.html">mod_authn_file</a></code> and 647 <code class="module"><a href="../mod/mod_authz_groupfile.html">mod_authz_groupfile</a></code> in order to 648 use FrontPage support. This is because Apache will still use 649 the <code class="module"><a href="../mod/mod_authz_groupfile.html">mod_authz_groupfile</a></code> group file for determine 650 the extent of a user's access to the FrontPage web.</li> 651 652 <li>The directives must be put in the <code>.htaccess</code> 653 files. Attempting to put them inside <code class="directive"><a href="../mod/core.html#location"><Location></a></code> or <code class="directive"><a href="../mod/core.html#directory"><Directory></a></code> directives won't work. This 654 is because <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> has to be able to grab 655 the <code class="directive"><a href="../mod/mod_authz_groupfile.html#authgroupfile">AuthGroupFile</a></code> 656 directive that is found in FrontPage <code>.htaccess</code> 657 files so that it knows where to look for the valid user list. If 658 the <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> directives aren't in the same 659 <code>.htaccess</code> file as the FrontPage directives, then 660 the hack won't work, because <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> will 661 never get a chance to process the <code>.htaccess</code> file, 662 and won't be able to find the FrontPage-managed user file.</li> 663 </ul> 664 665 </div> 666 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> 667 <div class="directive-section"><h2><a name="AuthLDAPBindAuthoritative" id="AuthLDAPBindAuthoritative">AuthLDAPBindAuthoritative</a> <a name="authldapbindauthoritative" id="authldapbindauthoritative">Directive</a></h2> 668 <table class="directive"> 669 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Determines if other authentication providers are used when a user can be mapped to a DN but the server cannot successfully bind with the user's credentials.</td></tr> 670 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthLDAPBindAuthoritative<em>off|on</em></code></td></tr> 671 <tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>AuthLDAPBindAuthoritative on</code></td></tr> 672 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr> 673 <tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr> 674 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> 675 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authnz_ldap</td></tr> 676 <tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in versions later than 2.2.14</td></tr> 677 </table> 678 <p>By default, subsequent authentication providers are only queried if a 679 user cannot be mapped to a DN, but not if the user can be mapped to a DN and their 680 password cannot be verified with an LDAP bind. 681 If <code class="directive"><a href="#authldapbindauthoritative">AuthLDAPBindAuthoritative</a></code> 682 is set to <em>off</em>, other configured authentication modules will have 683 a chance to validate the user if the LDAP bind (with the current user's credentials) 684 fails for any reason.</p> 685 <p> This allows users present in both LDAP and 686 <code class="directive"><a href="../mod/mod_authn_file.html#authuserfile">AuthUserFile</a></code> to authenticate 687 when the LDAP server is available but the user's account is locked or password 688 is otherwise unusable.</p> 689 690 <h3>See also</h3> 691 <ul> 692 <li><code class="directive"><a href="../mod/mod_authn_file.html#authuserfile">AuthUserFile</a></code></li> 693 <li><code class="directive"><a href="../mod/mod_auth_basic.html#authbasicprovider">AuthBasicProvider</a></code></li> 694 </ul> 695 </div> 696 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> 697 <div class="directive-section"><h2><a name="AuthLDAPBindDN" id="AuthLDAPBindDN">AuthLDAPBindDN</a> <a name="authldapbinddn" id="authldapbinddn">Directive</a></h2> 698 <table class="directive"> 699 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Optional DN to use in binding to the LDAP server</td></tr> 700 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthLDAPBindDN <em>distinguished-name</em></code></td></tr> 701 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr> 702 <tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr> 703 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> 704 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authnz_ldap</td></tr> 705 </table> 706 <p>An optional DN used to bind to the server when searching for 707 entries. If not provided, <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> will use 708 an anonymous bind.</p> 709 710 </div> 711 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> 712 <div class="directive-section"><h2><a name="AuthLDAPBindPassword" id="AuthLDAPBindPassword">AuthLDAPBindPassword</a> <a name="authldapbindpassword" id="authldapbindpassword">Directive</a></h2> 713 <table class="directive"> 714 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Password used in conjuction with the bind DN</td></tr> 715 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthLDAPBindPassword <em>password</em></code></td></tr> 716 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr> 717 <tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr> 718 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> 719 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authnz_ldap</td></tr> 720 <tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td><em>exec:</em> was added in 2.2.25.</td></tr> 721 </table> 722 <p>A bind password to use in conjunction with the bind DN. Note 723 that the bind password is probably sensitive data, and should be 724 properly protected. You should only use the <code class="directive"><a href="#authldapbinddn">AuthLDAPBindDN</a></code> and <code class="directive"><a href="#authldapbindpassword">AuthLDAPBindPassword</a></code> if you 725 absolutely need them to search the directory.</p> 726 727 <p>If the value begins with exec: the resulting command will be 728 executed and the first line returned to standard output by the 729 program will be used as the password.</p> 730 <div class="example"><pre>#Password used as-is 731 AuthLDAPBindPassword secret 732 733 #Run /path/to/program to get my password 734 AuthLDAPBindPassword exec:/path/to/program 735 736 #Run /path/to/otherProgram and provide arguments 737 AuthLDAPBindPassword "exec:/path/to/otherProgram argument1"</pre></div> 738 739 740 </div> 741 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> 742 <div class="directive-section"><h2><a name="AuthLDAPCharsetConfig" id="AuthLDAPCharsetConfig">AuthLDAPCharsetConfig</a> <a name="authldapcharsetconfig" id="authldapcharsetconfig">Directive</a></h2> 743 <table class="directive"> 744 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Language to charset conversion configuration file</td></tr> 745 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthLDAPCharsetConfig <em>file-path</em></code></td></tr> 746 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr> 747 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> 748 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authnz_ldap</td></tr> 749 </table> 750 <p>The <code class="directive">AuthLDAPCharsetConfig</code> directive sets the location 751 of the language to charset conversion configuration file. <var>File-path</var> is relative 752 to the <code class="directive"><a href="../mod/core.html#serverroot">ServerRoot</a></code>. This file specifies 753 the list of language extensions to character sets. 754 Most administrators use the provided <code>charset.conv</code> 755 file, which associates common language extensions to character sets.</p> 756 757 <p>The file contains lines in the following format:</p> 758 759 <div class="example"><p><code> 760 <var>Language-Extension</var> <var>charset</var> [<var>Language-String</var>] ... 761 </code></p></div> 762 763 <p>The case of the extension does not matter. Blank lines, and lines 764 beginning with a hash character (<code>#</code>) are ignored.</p> 765 766 </div> 767 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> 768 <div class="directive-section"><h2><a name="AuthLDAPCompareDNOnServer" id="AuthLDAPCompareDNOnServer">AuthLDAPCompareDNOnServer</a> <a name="authldapcomparednonserver" id="authldapcomparednonserver">Directive</a></h2> 769 <table class="directive"> 770 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Use the LDAP server to compare the DNs</td></tr> 771 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthLDAPCompareDNOnServer on|off</code></td></tr> 772 <tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>AuthLDAPCompareDNOnServer on</code></td></tr> 773 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr> 774 <tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr> 775 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> 776 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authnz_ldap</td></tr> 777 </table> 778 <p>When set, <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> will use the LDAP 779 server to compare the DNs. This is the only foolproof way to 780 compare DNs. <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> will search the 781 directory for the DN specified with the <a href="#reqdn"><code>Require dn</code></a> directive, then, 782 retrieve the DN and compare it with the DN retrieved from the user 783 entry. If this directive is not set, 784 <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> simply does a string comparison. It 785 is possible to get false negatives with this approach, but it is 786 much faster. Note the <code class="module"><a href="../mod/mod_ldap.html">mod_ldap</a></code> cache can speed up 787 DN comparison in most situations.</p> 788 789 </div> 790 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> 791 <div class="directive-section"><h2><a name="AuthLDAPDereferenceAliases" id="AuthLDAPDereferenceAliases">AuthLDAPDereferenceAliases</a> <a name="authldapdereferencealiases" id="authldapdereferencealiases">Directive</a></h2> 792 <table class="directive"> 793 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>When will the module de-reference aliases</td></tr> 794 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthLDAPDereferenceAliases never|searching|finding|always</code></td></tr> 795 <tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>AuthLDAPDereferenceAliases Always</code></td></tr> 796 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr> 797 <tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr> 798 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> 799 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authnz_ldap</td></tr> 800 </table> 801 <p>This directive specifies when <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> will 802 de-reference aliases during LDAP operations. The default is 803 <code>always</code>.</p> 804 805 </div> 806 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> 807 <div class="directive-section"><h2><a name="AuthLDAPGroupAttribute" id="AuthLDAPGroupAttribute">AuthLDAPGroupAttribute</a> <a name="authldapgroupattribute" id="authldapgroupattribute">Directive</a></h2> 808 <table class="directive"> 809 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>LDAP attributes used to check for group membership</td></tr> 810 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthLDAPGroupAttribute <em>attribute</em></code></td></tr> 811 <tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>AuthLDAPGroupAttribute member uniquemember</code></td></tr> 812 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr> 813 <tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr> 814 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> 815 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authnz_ldap</td></tr> 816 </table> 817 <p>This directive specifies which LDAP attributes are used to 818 check for group membership. Multiple attributes can be used by 819 specifying this directive multiple times. If not specified, 820 then <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> uses the <code>member</code> and 821 <code>uniquemember</code> attributes.</p> 822 823 </div> 824 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> 825 <div class="directive-section"><h2><a name="AuthLDAPGroupAttributeIsDN" id="AuthLDAPGroupAttributeIsDN">AuthLDAPGroupAttributeIsDN</a> <a name="authldapgroupattributeisdn" id="authldapgroupattributeisdn">Directive</a></h2> 826 <table class="directive"> 827 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Use the DN of the client username when checking for 828 group membership</td></tr> 829 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthLDAPGroupAttributeIsDN on|off</code></td></tr> 830 <tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>AuthLDAPGroupAttributeIsDN on</code></td></tr> 831 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr> 832 <tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr> 833 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> 834 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authnz_ldap</td></tr> 835 </table> 836 <p>When set <code>on</code>, this directive says to use the 837 distinguished name of the client username when checking for group 838 membership. Otherwise, the username will be used. For example, 839 assume that the client sent the username <code>bjenson</code>, 840 which corresponds to the LDAP DN <code>cn=Babs Jenson, 841 o=Airius</code>. If this directive is set, 842 <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> will check if the group has 843 <code>cn=Babs Jenson, o=Airius</code> as a member. If this 844 directive is not set, then <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> will 845 check if the group has <code>bjenson</code> as a member.</p> 846 847 </div> 848 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> 849 <div class="directive-section"><h2><a name="AuthLDAPRemoteUserAttribute" id="AuthLDAPRemoteUserAttribute">AuthLDAPRemoteUserAttribute</a> <a name="authldapremoteuserattribute" id="authldapremoteuserattribute">Directive</a></h2> 850 <table class="directive"> 851 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Use the value of the attribute returned during the user 852 query to set the REMOTE_USER environment variable</td></tr> 853 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthLDAPRemoteUserAttribute uid</code></td></tr> 854 <tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>none</code></td></tr> 855 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr> 856 <tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr> 857 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> 858 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authnz_ldap</td></tr> 859 </table> 860 <p>If this directive is set, the value of the 861 <code>REMOTE_USER</code> environment variable will be set to the 862 value of the attribute specified. Make sure that this attribute is 863 included in the list of attributes in the AuthLDAPUrl definition, 864 otherwise this directive will have no effect. This directive, if 865 present, takes precedence over AuthLDAPRemoteUserIsDN. This 866 directive is useful should you want people to log into a website 867 using an email address, but a backend application expects the 868 username as a userid.</p> 869 870 </div> 871 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> 872 <div class="directive-section"><h2><a name="AuthLDAPRemoteUserIsDN" id="AuthLDAPRemoteUserIsDN">AuthLDAPRemoteUserIsDN</a> <a name="authldapremoteuserisdn" id="authldapremoteuserisdn">Directive</a></h2> 873 <table class="directive"> 874 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Use the DN of the client username to set the REMOTE_USER 875 environment variable</td></tr> 876 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthLDAPRemoteUserIsDN on|off</code></td></tr> 877 <tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>AuthLDAPRemoteUserIsDN off</code></td></tr> 878 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr> 879 <tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr> 880 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> 881 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authnz_ldap</td></tr> 882 </table> 883 <p>If this directive is set to on, the value of the 884 <code>REMOTE_USER</code> environment variable will be set to the full 885 distinguished name of the authenticated user, rather than just 886 the username that was passed by the client. It is turned off by 887 default.</p> 888 889 </div> 890 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> 891 <div class="directive-section"><h2><a name="AuthLDAPUrl" id="AuthLDAPUrl">AuthLDAPUrl</a> <a name="authldapurl" id="authldapurl">Directive</a></h2> 892 <table class="directive"> 893 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>URL specifying the LDAP search parameters</td></tr> 894 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthLDAPUrl <em>url [NONE|SSL|TLS|STARTTLS]</em></code></td></tr> 895 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr> 896 <tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr> 897 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> 898 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authnz_ldap</td></tr> 899 </table> 900 <p>An RFC 2255 URL which specifies the LDAP search parameters 901 to use. The syntax of the URL is</p> 902 <div class="example"><p><code>ldap://host:port/basedn?attribute?scope?filter</code></p></div> 903 904 <dl> 905 <dt>ldap</dt> 906 907 <dd>For regular ldap, use the 908 string <code>ldap</code>. For secure LDAP, use <code>ldaps</code> 909 instead. Secure LDAP is only available if Apache was linked 910 to an LDAP library with SSL support.</dd> 911 912 <dt>host:port</dt> 913 914 <dd> 915 <p>The name/port of the ldap server (defaults to 916 <code>localhost:389</code> for <code>ldap</code>, and 917 <code>localhost:636</code> for <code>ldaps</code>). To 918 specify multiple, redundant LDAP servers, just list all 919 servers, separated by spaces. <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> 920 will try connecting to each server in turn, until it makes a 921 successful connection.</p> 922 923 <p>Once a connection has been made to a server, that 924 connection remains active for the life of the 925 <code class="program"><a href="../programs/httpd.html">httpd</a></code> process, or until the LDAP server goes 926 down.</p> 927 928 <p>If the LDAP server goes down and breaks an existing 929 connection, <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> will attempt to 930 re-connect, starting with the primary server, and trying 931 each redundant server in turn. Note that this is different 932 than a true round-robin search.</p> 933 </dd> 934 935 <dt>basedn</dt> 936 937 <dd>The DN of the branch of the 938 directory where all searches should start from. At the very 939 least, this must be the top of your directory tree, but 940 could also specify a subtree in the directory.</dd> 941 942 <dt>attribute</dt> 943 944 <dd>The attribute to search for. 945 Although RFC 2255 allows a comma-separated list of 946 attributes, only the first attribute will be used, no 947 matter how many are provided. If no attributes are 948 provided, the default is to use <code>uid</code>. It's a good 949 idea to choose an attribute that will be unique across all 950 entries in the subtree you will be using.</dd> 951 952 <dt>scope</dt> 953 954 <dd>The scope of the search. Can be either <code>one</code> or 955 <code>sub</code>. Note that a scope of <code>base</code> is 956 also supported by RFC 2255, but is not supported by this 957 module. If the scope is not provided, or if <code>base</code> scope 958 is specified, the default is to use a scope of 959 <code>sub</code>.</dd> 960 961 <dt>filter</dt> 962 963 <dd>A valid LDAP search filter. If 964 not provided, defaults to <code>(objectClass=*)</code>, which 965 will search for all objects in the tree. Filters are 966 limited to approximately 8000 characters (the definition of 967 <code>MAX_STRING_LEN</code> in the Apache source code). This 968 should be more than sufficient for any application.</dd> 969 </dl> 970 971 <p>When doing searches, the attribute, filter and username passed 972 by the HTTP client are combined to create a search filter that 973 looks like 974 <code>(&(<em>filter</em>)(<em>attribute</em>=<em>username</em>))</code>.</p> 975 976 <p>For example, consider an URL of 977 <code>ldap://ldap.airius.com/o=Airius?cn?sub?(posixid=*)</code>. When 978 a client attempts to connect using a username of <code>Babs 979 Jenson</code>, the resulting search filter will be 980 <code>(&(posixid=*)(cn=Babs Jenson))</code>.</p> 981 982 <p>An optional parameter can be added to allow the LDAP Url to override 983 the connection type. This parameter can be one of the following:</p> 984 985 <dl> 986 <dt>NONE</dt> 987 <dd>Establish an unsecure connection on the default LDAP port. This 988 is the same as <code>ldap://</code> on port 389.</dd> 989 <dt>SSL</dt> 990 <dd>Establish a secure connection on the default secure LDAP port. 991 This is the same as <code>ldaps://</code></dd> 992 <dt>TLS | STARTTLS</dt> 993 <dd>Establish an upgraded secure connection on the default LDAP port. 994 This connection will be initiated on port 389 by default and then 995 upgraded to a secure connection on the same port.</dd> 996 </dl> 997 998 <p>See above for examples of <code class="directive"><a href="#authldapurl">AuthLDAPURL</a></code> URLs.</p> 999 1000 <p> When <code class="directive"><a href="#authldapurl">AuthLDAPURL</a></code> 1001 is enabled in a particular context, but some other module has performed 1002 authentication for the request, the server will try to map the username to a DN 1003 during authorization regardless of whether or not LDAP-specific requirements 1004 are present. To ignore the failures to map a username to a DN during 1005 authorization, set <code class="directive"><a href="#authzldapauthoritative"> 1006 AuthzLDAPAuthoritative</a></code> to "off".</p> 1007 1008 </div> 1009 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> 1010 <div class="directive-section"><h2><a name="AuthzLDAPAuthoritative" id="AuthzLDAPAuthoritative">AuthzLDAPAuthoritative</a> <a name="authzldapauthoritative" id="authzldapauthoritative">Directive</a></h2> 1011 <table class="directive"> 1012 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Prevent other authentication modules from 1013 authenticating the user if this one fails</td></tr> 1014 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthzLDAPAuthoritative on|off</code></td></tr> 1015 <tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>AuthzLDAPAuthoritative on</code></td></tr> 1016 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr> 1017 <tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr> 1018 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> 1019 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authnz_ldap</td></tr> 1020 </table> 1021 <p>Set to <code>off</code> if this module should let other 1022 authorization modules attempt to authorize the user, should 1023 authorization with this module fail. Control is only passed on 1024 to lower modules if there is no DN or rule that matches the 1025 supplied user name (as passed by the client).</p> 1026 <p> When no LDAP-specific <code class="directive"><a href="../mod/core.html#require">Require</a></code> directives 1027 are used, authorization is allowed to fall back to other modules 1028 as if <code class="directive"><a href="#authzldapauthoritative">AuthzLDAPAuthoritative</a></code> 1029 was set to <code>off</code>. </p> 1030 1031 </div> 1032 </div> 1033 <div class="bottomlang"> 1034 <p><span>Available Languages: </span><a href="../en/mod/mod_authnz_ldap.html" title="English"> en </a> | 1035 <a href="../fr/mod/mod_authnz_ldap.html" hreflang="fr" rel="alternate" title="Français"> fr </a></p> 1036 </div><div class="top"><a href="#page-header"><img src="../images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section" name="comments_section">Comments</a></h2><div class="warning"><strong>Notice:</strong><br />This is not a Q&A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed again by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Freenode, or sent to our <a href="http://httpd.apache.org/lists.html">mailing lists</a>.</div> 1037 <script type="text/javascript"><!--//--><![CDATA[//><!-- 1038 var comments_shortname = 'httpd'; 1039 var comments_identifier = 'http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html'; 1040 (function(w, d) { 1041 if (w.location.hostname.toLowerCase() == "httpd.apache.org") { 1042 d.write('<div id="comments_thread"><\/div>'); 1043 var s = d.createElement('script'); 1044 s.type = 'text/javascript'; 1045 s.async = true; 1046 s.src = 'https://comments.apache.org/show_comments.lua?site=' + comments_shortname + '&page=' + comments_identifier; 1047 (d.getElementsByTagName('head')[0] || d.getElementsByTagName('body')[0]).appendChild(s); 1048 } 1049 else { 1050 d.write('<div id="comments_thread">Comments are disabled for this page at the moment.<\/div>'); 1051 } 1052 })(window, document); 1053 //--><!]]></script></div><div id="footer"> 1054 <p class="apache">Copyright 2017 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p> 1055 <p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!-- 1056 if (typeof(prettyPrint) !== 'undefined') { 1057 prettyPrint(); 1058 } 1059 //--><!]]></script> 1060 </body></html>