<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head>
<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type" />
<!--
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
              This file is generated from xml source: DO NOT EDIT
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
      -->
<title>mod_ldap - Apache HTTP Server Version 2.2</title>
<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="../style/css/prettify.css" />
<script src="../style/scripts/prettify.min.js" type="text/javascript">
</script>

<link href="../images/favicon.ico" rel="shortcut icon" /><link href="http://httpd.apache.org/docs/current/mod/mod_ldap.html" rel="canonical" /></head>
<body>
<div id="page-header">
<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p>
<p class="apache">Apache HTTP Server Version 2.2</p>
<img alt="" src="../images/feather.gif" /></div>
<div class="up"><a href="./"><img title="&lt;-" alt="&lt;-" src="../images/left.gif" /></a></div>
<div id="path">
<a href="http://www.apache.org/">Apache</a> &gt; <a href="http://httpd.apache.org/">HTTP Server</a> &gt; <a href="http://httpd.apache.org/docs/">Documentation</a> &gt; <a href="../">Version 2.2</a> &gt; <a href="./">Modules</a></div>
<div id="page-content">
<div class="retired"><h4>Please note</h4>
<p>This document refers to a legacy release (<strong>2.2</strong>) of Apache httpd. The active release (<strong>2.4</strong>) is documented <a href="http://httpd.apache.org/docs/current">here</a>. If you have not already upgraded, please follow <a href="http://httpd.apache.org/docs/current/upgrading.html">this link</a> for more information.</p>
<p>You may follow <a href="http://httpd.apache.org/docs/current/mod/mod_ldap.html">this link</a> to go to the current version of this document.</p></div><div id="preamble"><h1>Apache Module mod_ldap</h1>
<div class="toplang">
<p><span>Available Languages: </span><a href="../en/mod/mod_ldap.html" title="English"> en </a></p>
</div>
<table class="module"><tr><th><a href="module-dict.html#Description">Description:</a></th><td>LDAP connection pooling and result caching services for use
by other LDAP modules</td></tr>
<tr><th><a href="module-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="module-dict.html#ModuleIdentifier">Module Identifier:</a></th><td>ldap_module</td></tr>
<tr><th><a href="module-dict.html#SourceFile">Source File:</a></th><td>util_ldap.c</td></tr>
<tr><th><a href="module-dict.html#Compatibility">Compatibility:</a></th><td>Available in version 2.0.41 and later</td></tr></table>
<h3>Summary</h3>

    <p>This module was created to improve the performance of
    websites relying on backend connections to LDAP servers. In
    addition to the functions provided by the standard LDAP
    libraries, this module adds an LDAP connection pool and an LDAP
    shared memory cache.</p>

    <p>To enable this module, LDAP support must be compiled into
    apr-util. This is achieved by adding the <code>--with-ldap</code>
    flag to the <code class="program"><a href="../programs/configure.html">configure</a></code> script when building
    Apache.</p>

    <p>SSL/TLS support is dependent on which LDAP toolkit has been
    linked to <a class="glossarylink" href="../glossary.html#apr" title="see glossary">APR</a>. As of this writing, APR-util supports:
    <a href="http://www.openldap.org/">OpenLDAP SDK</a> (2.x or later),
    <a href="http://developer.novell.com/ndk/cldap.htm">Novell LDAP
    SDK</a>, <a href="http://www.mozilla.org/directory/csdk.html">
    Mozilla LDAP SDK</a>, native Solaris LDAP SDK (Mozilla based),
    native Microsoft LDAP SDK, or the
    <a href="http://www.iplanet.com/downloads/developer/">iPlanet
    (Netscape)</a> SDK. See the <a href="http://apr.apache.org">APR</a>
    website for details.</p>

</div>
<div id="quickview"><h3>Topics</h3>
<ul id="topics">
<li><img alt="" src="../images/down.gif" /> <a href="#exampleconfig">Example Configuration</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#pool">LDAP Connection Pool</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#cache">LDAP Cache</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#usingssltls">Using SSL/TLS</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#settingcerts">SSL/TLS Certificates</a></li>
</ul><h3 class="directives">Directives</h3>
<ul id="toc">
<li><img alt="" src="../images/down.gif" /> <a href="#ldapcacheentries">LDAPCacheEntries</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#ldapcachettl">LDAPCacheTTL</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#ldapconnectiontimeout">LDAPConnectionTimeout</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#ldapopcacheentries">LDAPOpCacheEntries</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#ldapopcachettl">LDAPOpCacheTTL</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#ldapsharedcachefile">LDAPSharedCacheFile</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#ldapsharedcachesize">LDAPSharedCacheSize</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#ldaptrustedclientcert">LDAPTrustedClientCert</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#ldaptrustedglobalcert">LDAPTrustedGlobalCert</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#ldaptrustedmode">LDAPTrustedMode</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#ldapverifyservercert">LDAPVerifyServerCert</a></li>
</ul>
<ul class="seealso"><li><a href="#comments_section">Comments</a></li></ul></div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="exampleconfig" id="exampleconfig">Example Configuration</a></h2>
    <p>The following is an example configuration that uses
    <code class="module"><a href="../mod/mod_ldap.html">mod_ldap</a></code> to increase the performance of HTTP Basic
    authentication provided by <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code>.</p>

    <div class="example"><p><code>
      # Enable the LDAP connection pool and shared<br />
      # memory cache. Enable the LDAP cache status<br />
      # handler. Requires that mod_ldap and mod_authnz_ldap<br />
      # be loaded. Change the "yourdomain.example.com" to<br />
      # match your domain.<br />
      <br />
      LDAPSharedCacheSize 500000<br />
      LDAPCacheEntries 1024<br />
      LDAPCacheTTL 600<br />
      LDAPOpCacheEntries 1024<br />
      LDAPOpCacheTTL 600<br />
      <br />
      &lt;Location /ldap-status&gt;<br />
      <span class="indent">
        SetHandler ldap-status<br />
        Order deny,allow<br />
        Deny from all<br />
        Allow from yourdomain.example.com<br />
        AuthLDAPURL ldap://127.0.0.1/dc=example,dc=com?uid?one<br />
        AuthzLDAPAuthoritative off<br />
        Require valid-user<br />
      </span>
      &lt;/Location&gt;
    </code></p></div>
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="pool" id="pool">LDAP Connection Pool</a></h2>

    <p>LDAP connections are pooled from request to request. This
    allows the LDAP server to remain connected and bound, ready for
    the next request, without the need to unbind/connect/rebind.
    The performance advantages are similar to the effect of HTTP
    keepalives.</p>

    <p>On a busy server it is possible that many requests will try
    to access the same LDAP server connection simultaneously.
    Where an LDAP connection is in use, Apache will create a new
    connection alongside the original one. This ensures that the
    connection pool does not become a bottleneck.</p>

    <p>There is no need to manually enable connection pooling in
    the Apache configuration. Any module using this module for
    access to LDAP services will share the connection pool.</p>
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="cache" id="cache">LDAP Cache</a></h2>

    <p>For improved performance, <code class="module"><a href="../mod/mod_ldap.html">mod_ldap</a></code> uses an aggressive
    caching strategy to minimize the number of times that the LDAP
    server must be contacted. Caching can easily double or triple
    the throughput of Apache when it is serving pages protected
    with mod_authnz_ldap. In addition, the load on the LDAP server
    will be significantly decreased.</p>

    <p><code class="module"><a href="../mod/mod_ldap.html">mod_ldap</a></code> supports two types of LDAP caching:
    a <em>search/bind cache</em> used during the search/bind phase, and
    two <em>operation caches</em> used during the compare phase.
    Each LDAP URL that is used by the server has
    its own set of these three caches.</p>

    <h3><a name="search-bind" id="search-bind">The Search/Bind Cache</a></h3>
      <p>The process of doing a search and then a bind is the
      most time-consuming aspect of LDAP operation, especially if
      the directory is large. The search/bind cache is used to
      cache all searches that resulted in successful binds.
      Negative results (<em>i.e.</em>, unsuccessful searches, or searches
      that did not result in a successful bind) are not cached.
      The rationale behind this decision is that connections with
      invalid credentials are only a tiny percentage of the total
      number of connections, so by not caching invalid
      credentials, the size of the cache is reduced.</p>

      <p><code class="module"><a href="../mod/mod_ldap.html">mod_ldap</a></code> stores the username, the DN
      retrieved, the password used to bind, and the time of the bind
      in the cache.
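</p>
<p>The entry layout just described, together with the lookup rule that follows (the password must match and the entry must be younger than LDAPCacheTTL), can be modelled directly. The Python below is an added illustration, not httpd code: the eviction order, the constant-time password comparison, the toy in-memory directory and the sample user are this example's own assumptions. It reproduces the documented behaviour (negative results are never stored, LDAPCacheEntries 0 disables the cache) and the trace in <code>demo()</code> makes the operational consequence visible: a password changed in the directory keeps authenticating against the cache until the entry expires.</p>

```python
"""Model of mod_ldap's search/bind cache, as described in this section.

Added example, not httpd code. It keeps what the page states: only
successful search+bind results are cached, an entry holds the username,
DN, bind password and bind time, a later request for the same username
bypasses the search/bind phase only if the password matches and the
entry is younger than LDAPCacheTTL, and LDAPCacheEntries bounds the
cache (0 disables it). Eviction order, the constant-time comparison and
the toy directory are this example's own assumptions.
"""
from collections import OrderedDict
from dataclasses import dataclass
import hmac


@dataclass
class CacheEntry:
    dn: str
    password: str
    bound_at: float     # time of the successful bind (seconds)


class SearchBindCache:
    def __init__(self, max_entries=1024, ttl=600):
        self.max_entries = max_entries      # LDAPCacheEntries
        self.ttl = ttl                      # LDAPCacheTTL, in seconds
        self._entries = OrderedDict()       # username -> CacheEntry

    def lookup(self, username, password, now):
        """Return the cached DN when search/bind can be skipped, else None."""
        entry = self._entries.get(username)
        if entry is None:
            return None
        if now - entry.bound_at > self.ttl:
            del self._entries[username]     # expired: force a fresh search/bind
            return None
        if not hmac.compare_digest(password.encode(), entry.password.encode()):
            return None                     # same user, different password: no bypass
        return entry.dn

    def store(self, username, dn, password, now):
        """Record a successful search+bind; failures are never stored."""
        if self.max_entries == 0:
            return
        if username in self._entries:
            del self._entries[username]
        elif len(self._entries) >= self.max_entries:
            self._entries.popitem(last=False)   # assumption: drop the oldest entry
        self._entries[username] = CacheEntry(dn, password, now)

    def __len__(self):
        return len(self._entries)


def authenticate(cache, directory, username, password, now):
    """Authenticate via the cache first, then the (toy) directory.

    `directory` maps username -> (dn, password) and stands in for the LDAP
    server. Returns (dn or None, "cache" or "ldap") so callers can see which
    path answered the request.
    """
    dn = cache.lookup(username, password, now)
    if dn is not None:
        return dn, "cache"
    record = directory.get(username)
    if record is None or record[1] != password:
        return None, "ldap"                 # negative result: not cached
    cache.store(username, record[0], password, now)
    return record[0], "ldap"


def demo():
    """Walk one user through hit, miss and expiry; returns the path taken per request."""
    directory = {"alice": ("uid=alice,dc=example,dc=com", "correct horse")}  # constructed data
    cache = SearchBindCache(max_entries=1024, ttl=600)
    trace = [
        authenticate(cache, directory, "alice", "correct horse", now=0)[1],    # ldap: first bind
        authenticate(cache, directory, "alice", "correct horse", now=10)[1],   # cache: bypass
        authenticate(cache, directory, "alice", "wrong", now=20)[1],           # ldap: miss, not cached
    ]
    # The directory password changes; the cached one still works until the TTL lapses.
    directory["alice"] = ("uid=alice,dc=example,dc=com", "new password")
    trace.append(authenticate(cache, directory, "alice", "correct horse", now=30)[1])   # cache
    trace.append(authenticate(cache, directory, "alice", "correct horse", now=700)[1])  # ldap: expired, rejected
    return trace, len(cache)
```

<p>The fourth request in <code>demo()</code> is the one to keep in mind when choosing LDAPCacheTTL: a credential revoked in the directory remains usable through the cache for up to that many seconds, which is the price paid for the throughput gain this section describes.</p>
<p>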
      Whenever a new connection is initiated with the
      same username, <code class="module"><a href="../mod/mod_ldap.html">mod_ldap</a></code> compares the password
      of the new connection with the password in the cache. If the
      passwords match, and if the cached entry is not too old,
      <code class="module"><a href="../mod/mod_ldap.html">mod_ldap</a></code> bypasses the search/bind phase.</p>

      <p>The search and bind cache is controlled with the <code class="directive"><a href="#ldapcacheentries">LDAPCacheEntries</a></code> and <code class="directive"><a href="#ldapcachettl">LDAPCacheTTL</a></code> directives.</p>


    <h3><a name="opcaches" id="opcaches">Operation Caches</a></h3>
      <p>During attribute and distinguished name comparison
      functions, <code class="module"><a href="../mod/mod_ldap.html">mod_ldap</a></code> uses two operation caches
      to cache the compare operations. The first compare cache is
      used to cache the results of compares done to test for LDAP
      group membership. The second compare cache is used to cache
      the results of comparisons done between distinguished
      names.</p>

      <p>The behavior of both of these caches is controlled with
      the <code class="directive"><a href="#ldapopcacheentries">LDAPOpCacheEntries</a></code>
      and <code class="directive"><a href="#ldapopcachettl">LDAPOpCacheTTL</a></code>
      directives.</p>


    <h3><a name="monitoring" id="monitoring">Monitoring the Cache</a></h3>
      <p><code class="module"><a href="../mod/mod_ldap.html">mod_ldap</a></code> has a content handler that allows
      administrators to monitor the cache performance. The name of
      the content handler is <code>ldap-status</code>, so the
      following directives could be used to access the
      <code class="module"><a href="../mod/mod_ldap.html">mod_ldap</a></code> cache information:</p>

      <div class="example"><p><code>
        &lt;Location /server/cache-info&gt;<br />
        <span class="indent">
          SetHandler ldap-status<br />
        </span>
        &lt;/Location&gt;
      </code></p></div>

      <p>By fetching the URL <code>http://servername/cache-info</code>,
      the administrator can get a status report of every cache used
      by <code class="module"><a href="../mod/mod_ldap.html">mod_ldap</a></code>. Note that if Apache does not
      support shared memory, then each <code class="program"><a href="../programs/httpd.html">httpd</a></code> instance has its
      own cache, so reloading the URL will result in different
      information each time, depending on which <code class="program"><a href="../programs/httpd.html">httpd</a></code>
      instance processes the request.</p>

</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="usingssltls" id="usingssltls">Using SSL/TLS</a></h2>

    <p>The ability to create SSL and TLS connections to an LDAP server
    is defined by the directives
    <code class="directive"><a href="#ldaptrustedglobalcert">LDAPTrustedGlobalCert</a></code>,
    <code class="directive"><a href="#ldaptrustedclientcert">LDAPTrustedClientCert</a></code> and
    <code class="directive"><a href="#ldaptrustedmode">LDAPTrustedMode</a></code>.
    These directives specify the CA and
    optional client certificates to be used, as well as the type of
    encryption to be used on the connection (none, SSL or TLS/STARTTLS).</p>

    <div class="example"><p><code>
      # Establish an SSL LDAP connection on port 636. Requires that<br />
      # mod_ldap and mod_authnz_ldap be loaded. Change the<br />
      # "yourdomain.example.com" to match your domain.<br />
      <br />
      LDAPTrustedGlobalCert CA_DER /certs/certfile.der<br />
      <br />
      &lt;Location /ldap-status&gt;<br />
      <span class="indent">
        SetHandler ldap-status<br />
        Order deny,allow<br />
        Deny from all<br />
        Allow from yourdomain.example.com<br />
        AuthLDAPURL ldaps://127.0.0.1/dc=example,dc=com?uid?one<br />
        AuthzLDAPAuthoritative off<br />
        Require valid-user<br />
      </span>
      &lt;/Location&gt;
    </code></p></div>

    <div class="example"><p><code>
      # Establish a TLS LDAP connection on port 389. Requires that<br />
      # mod_ldap and mod_authnz_ldap be loaded. Change the<br />
      # "yourdomain.example.com" to match your domain.<br />
      <br />
      LDAPTrustedGlobalCert CA_DER /certs/certfile.der<br />
      <br />
      &lt;Location /ldap-status&gt;<br />
      <span class="indent">
        SetHandler ldap-status<br />
        Order deny,allow<br />
        Deny from all<br />
        Allow from yourdomain.example.com<br />
        AuthLDAPURL ldap://127.0.0.1/dc=example,dc=com?uid?one TLS<br />
        AuthzLDAPAuthoritative off<br />
        Require valid-user<br />
      </span>
      &lt;/Location&gt;
    </code></p></div>

</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="settingcerts" id="settingcerts">SSL/TLS Certificates</a></h2>

    <p>The different LDAP SDKs have widely different methods of setting
    and handling both CA and client side certificates.</p>

    <p>If you intend to use SSL or TLS, read this section CAREFULLY so as to
    understand the differences between configurations on the different LDAP
    toolkits supported.</p>

    <h3><a name="settingcerts-netscape" id="settingcerts-netscape">Netscape/Mozilla/iPlanet SDK</a></h3>
      <p>CA certificates are specified within a file called cert7.db.
      The SDK will not talk to any LDAP server whose certificate was
      not signed by a CA specified in this file. If
      client certificates are required, an optional key3.db file may
      be specified with an optional password. The secmod file can be
      specified if required. These files are in the same format as
      used by the Netscape Communicator or Mozilla web browsers. The easiest
      way to obtain these files is to grab them from your browser
      installation.</p>

      <p>Client certificates are specified per connection using the
      LDAPTrustedClientCert directive by referring
      to the certificate "nickname". An optional password may be
      specified to unlock the certificate's private key.</p>

      <p>The SDK supports SSL only. An attempt to use STARTTLS will cause
      an error when an attempt is made to contact the LDAP server at
      runtime.</p>

      <div class="example"><p><code>
        # Specify a Netscape CA certificate file<br />
        LDAPTrustedGlobalCert CA_CERT7_DB /certs/cert7.db<br />
        # Specify an optional key3.db file for client certificate support<br />
        LDAPTrustedGlobalCert CERT_KEY3_DB /certs/key3.db<br />
        # Specify the secmod file if required<br />
        LDAPTrustedGlobalCert CA_SECMOD /certs/secmod<br />
        &lt;Location /ldap-status&gt;<br />
        <span class="indent">
          SetHandler ldap-status<br />
          Order deny,allow<br />
          Deny from all<br />
          Allow from yourdomain.example.com<br />
          LDAPTrustedClientCert CERT_NICKNAME &lt;nickname&gt; [password]<br />
          AuthLDAPURL ldaps://127.0.0.1/dc=example,dc=com?uid?one<br />
          AuthzLDAPAuthoritative off<br />
          Require valid-user<br />
        </span>
        &lt;/Location&gt;
      </code></p></div>



    <h3><a name="settingcerts-novell" id="settingcerts-novell">Novell SDK</a></h3>

      <p>One or more CA certificates must be specified for the Novell
      SDK to work correctly. These certificates can be specified as
      binary DER or Base64 (PEM) encoded files.</p>

      <p>Note: Client certificates are specified globally rather than per
      connection, and so must be specified with the LDAPTrustedGlobalCert
      directive as below. Trying to set client certificates via the
      LDAPTrustedClientCert directive will cause an error to be logged
      when an attempt is made to connect to the LDAP server.</p>

      <p>The SDK supports both SSL and STARTTLS, set using the
      LDAPTrustedMode parameter. If an ldaps:// URL is specified,
      SSL mode is forced, overriding this directive.</p>

      <div class="example"><p><code>
        # Specify two CA certificate files<br />
        LDAPTrustedGlobalCert CA_DER /certs/cacert1.der<br />
        LDAPTrustedGlobalCert CA_BASE64 /certs/cacert2.pem<br />
        # Specify a client certificate file and key<br />
        LDAPTrustedGlobalCert CERT_BASE64 /certs/cert1.pem<br />
        LDAPTrustedGlobalCert KEY_BASE64 /certs/key1.pem [password]<br />
        # Do not use this directive, as it will throw an error<br />
        #LDAPTrustedClientCert CERT_BASE64 /certs/cert1.pem<br />
      </code></p></div>



    <h3><a name="settingcerts-openldap" id="settingcerts-openldap">OpenLDAP SDK</a></h3>

      <p>One or more CA certificates must be specified for the OpenLDAP
      SDK to work correctly. These certificates can be specified as
      binary DER or Base64 (PEM) encoded files.</p>

      <p>Client certificates are specified per connection using the
      LDAPTrustedClientCert directive.</p>

      <p>The documentation for the SDK claims to support both SSL and
      STARTTLS; however, STARTTLS does not seem to work on all versions
      of the SDK. The SSL/TLS mode can be set using the
      LDAPTrustedMode parameter. If an ldaps:// URL is specified,
      SSL mode is forced.
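</p>
<p>The rules stated in this section (an ldaps:// URL forces SSL regardless of LDAPTrustedMode; the Netscape SDK handles SSL only and errors on STARTTLS; Novell and OpenLDAP handle both; the Solaris and Microsoft notes that follow) can be combined into a small configuration check. The Python below is an added example and not part of httpd or this manual. Two points are this example's assumptions rather than statements of the page: that a trailing NONE/SSL/TLS/STARTTLS keyword on AuthLDAPURL, as in the <code>... ?uid?one TLS</code> example above, takes precedence over LDAPTrustedMode, and that the mode defaults to NONE when neither is given. The URL parser follows the <code>ldap://host/base?attribute?scope?filter</code> form used in the examples and accepts the space-separated host list mentioned under LDAPConnectionTimeout.</p>

```python
"""Resolve the effective SSL/TLS mode of an AuthLDAPURL under a given LDAP toolkit.

Added example, not httpd code. It encodes what this manual page states:
  * an ldaps:// URL forces SSL, overriding LDAPTrustedMode;
  * the Netscape SDK does SSL only (STARTTLS fails at connect time),
    Novell, OpenLDAP and Microsoft do both, Solaris does neither;
  * the host part may list several servers separated by spaces.
Assumptions of this example: a trailing NONE/SSL/TLS/STARTTLS keyword on
AuthLDAPURL takes precedence over LDAPTrustedMode, and the mode defaults
to NONE when neither is given.
"""
from dataclasses import dataclass
from urllib.parse import unquote

# Keyword on the directive -> mode name used in this example.
MODE_KEYWORDS = {"NONE": "NONE", "SSL": "SSL", "TLS": "STARTTLS", "STARTTLS": "STARTTLS"}

# Encrypted modes each toolkit is documented (on this page) to support.
TOOLKIT_MODES = {
    "netscape": {"SSL"},              # STARTTLS errors when the server is contacted
    "novell": {"SSL", "STARTTLS"},
    "openldap": {"SSL", "STARTTLS"},  # STARTTLS "does not seem to work on all versions"
    "solaris": set(),                 # SSL/TLS not supported at all
    "microsoft": {"SSL", "STARTTLS"},
}


@dataclass
class LdapUrl:
    scheme: str
    hosts: list
    base_dn: str
    attribute: str = "uid"
    scope: str = "base"
    filter: str = "(objectClass=*)"
    mode_keyword: str = None


def parse_auth_ldap_url(argument):
    """Parse 'ldap[s]://host1 host2/base?attr?scope?filter [NONE|SSL|TLS|STARTTLS]'."""
    arg = argument.strip()
    keyword = None
    head, _, tail = arg.rpartition(" ")
    if head and tail.upper() in MODE_KEYWORDS:
        keyword, arg = tail.upper(), head.rstrip()
    arg = arg.strip('"')
    scheme, sep, rest = arg.partition("://")
    if not sep or scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError("AuthLDAPURL must start with ldap:// or ldaps://")
    hostpart, _, path = rest.partition("/")
    hosts = hostpart.split()
    if not hosts:
        raise ValueError("AuthLDAPURL needs at least one host")
    parts = path.split("?")
    url = LdapUrl(scheme.lower(), hosts, unquote(parts[0]), mode_keyword=keyword)
    if len(parts) > 1 and parts[1]:
        url.attribute = parts[1]
    if len(parts) > 2 and parts[2]:
        url.scope = parts[2].lower()
    if len(parts) > 3 and parts[3]:
        url.filter = unquote(parts[3])
    return url


def effective_mode(url, trusted_mode=None):
    """Precedence (partly assumed, see docstring): ldaps:// > URL keyword > LDAPTrustedMode > NONE."""
    if url.scheme == "ldaps":
        return "SSL"
    if url.mode_keyword:
        return MODE_KEYWORDS[url.mode_keyword]
    if trusted_mode:
        return MODE_KEYWORDS[trusted_mode.upper()]
    return "NONE"


def check_config(argument, toolkit, trusted_mode=None):
    """Return (effective mode, findings) for one AuthLDAPURL and the toolkit APR is linked against."""
    url = parse_auth_ldap_url(argument)
    mode = effective_mode(url, trusted_mode)
    findings = []
    if mode == "NONE":
        findings.append("credentials and directory data travel in cleartext to "
                        + ", ".join(url.hosts))
    elif mode not in TOOLKIT_MODES[toolkit]:
        findings.append("%s is not supported by the %s SDK (error at connect time)"
                        % (mode, toolkit))
    if url.scheme == "ldaps" and trusted_mode and trusted_mode.upper() != "SSL":
        findings.append("LDAPTrustedMode %s is ignored because the URL is ldaps://" % trusted_mode)
    return mode, findings
```

<p>Run against the three AuthLDAPURL lines shown on this page, <code>check_config</code> reports the plain <code>ldap://</code> URL without a mode as cleartext, the <code>ldaps://</code> URL as SSL with no findings, and the <code>... TLS</code> URL as STARTTLS, which it flags only when the toolkit is the Netscape or Solaris SDK.</p>
<p>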
The OpenLDAP documentation notes that SSL 365 (ldaps://) support has been deprecated to be replaced with TLS, 366 although the SSL functionality still works.</p> 367 368 <div class="example"><p><code> 369 # Specify two CA certificate files<br /> 370 LDAPTrustedGlobalCert CA_DER /certs/cacert1.der<br /> 371 LDAPTrustedGlobalCert CA_BASE64 /certs/cacert2.pem<br /> 372 <Location /ldap-status><br /> 373 <span class="indent"> 374 SetHandler ldap-status<br /> 375 Order deny,allow<br /> 376 Deny from all<br /> 377 Allow from yourdomain.example.com<br /> 378 LDAPTrustedClientCert CERT_BASE64 /certs/cert1.pem<br /> 379 LDAPTrustedClientCert KEY_BASE64 /certs/key1.pem<br /> 380 AuthLDAPURL ldaps://127.0.0.1/dc=example,dc=com?uid?one<br /> 381 AuthzLDAPAuthoritative off<br /> 382 Require valid-user<br /> 383 </span> 384 </Location> 385 </code></p></div> 386 387 388 389 <h3><a name="settingcerts-solaris" id="settingcerts-solaris">Solaris SDK</a></h3> 390 391 <p>SSL/TLS for the native Solaris LDAP libraries is not yet 392 supported. 
If required, install and use the OpenLDAP libraries 393 instead.</p> 394 395 396 397 <h3><a name="settingcerts-microsoft" id="settingcerts-microsoft">Microsoft SDK</a></h3> 398 399 <p>SSL/TLS certificate configuration for the native Microsoft 400 LDAP libraries is done inside the system registry, and no 401 configuration directives are required.</p> 402 403 <p>Both SSL and TLS are supported by using the ldaps:// URL 404 format, or by using the LDAPTrustedMode directive accordingly.</p> 405 406 <p>Note: The status of support for client certificates is not yet known 407 for this toolkit.</p> 408 409 410 411 </div> 412 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> 413 <div class="directive-section"><h2><a name="LDAPCacheEntries" id="LDAPCacheEntries">LDAPCacheEntries</a> <a name="ldapcacheentries" id="ldapcacheentries">Directive</a></h2> 414 <table class="directive"> 415 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Maximum number of entries in the primary LDAP cache</td></tr> 416 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>LDAPCacheEntries <var>number</var></code></td></tr> 417 <tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>LDAPCacheEntries 1024</code></td></tr> 418 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr> 419 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> 420 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ldap</td></tr> 421 </table> 422 <p>Specifies the maximum size of the primary LDAP cache. This 423 cache contains successful search/binds. Set it to 0 to turn off 424 search/bind caching. 
The default size is 1024 cached 425 searches.</p> 426 427 </div> 428 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> 429 <div class="directive-section"><h2><a name="LDAPCacheTTL" id="LDAPCacheTTL">LDAPCacheTTL</a> <a name="ldapcachettl" id="ldapcachettl">Directive</a></h2> 430 <table class="directive"> 431 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Time that cached items remain valid</td></tr> 432 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>LDAPCacheTTL <var>seconds</var></code></td></tr> 433 <tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>LDAPCacheTTL 600</code></td></tr> 434 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr> 435 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> 436 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ldap</td></tr> 437 </table> 438 <p>Specifies the time (in seconds) that an item in the 439 search/bind cache remains valid. 
The default is 600 seconds (10 440 minutes).</p> 441 442 </div> 443 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> 444 <div class="directive-section"><h2><a name="LDAPConnectionTimeout" id="LDAPConnectionTimeout">LDAPConnectionTimeout</a> <a name="ldapconnectiontimeout" id="ldapconnectiontimeout">Directive</a></h2> 445 <table class="directive"> 446 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Specifies the socket connection timeout in seconds</td></tr> 447 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>LDAPConnectionTimeout <var>seconds</var></code></td></tr> 448 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr> 449 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> 450 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ldap</td></tr> 451 </table> 452 <p>This directive configures the LDAP_OPT_NETWORK_TIMEOUT option in the 453 underlying LDAP client library, when available. This value typically 454 controls how long the LDAP client library will wait for the TCP connection 455 to the LDAP server to complete.</p> 456 457 <p> If a connection is not successful with the timeout period, either an error will be 458 returned or the LDAP client library will attempt to connect to a secondary LDAP 459 server if one is specified (via a space-separated list of hostnames in the 460 <code class="directive"><a href="../mod/mod_authnz_ldap.html#authldapurl">AuthLDAPURL</a></code>).</p> 461 462 <p>The default is 10 seconds, if the LDAP client library linked with the 463 server supports the LDAP_OPT_NETWORK_TIMEOUT option.</p> 464 465 <div class="note">LDAPConnectionTimeout is only available when the LDAP client library linked 466 with the server supports the LDAP_OPT_NETWORK_TIMEOUT option, and the 467 ultimate behavior is dictated entirely by the LDAP client library. 
468 </div> 469 470 </div> 471 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> 472 <div class="directive-section"><h2><a name="LDAPOpCacheEntries" id="LDAPOpCacheEntries">LDAPOpCacheEntries</a> <a name="ldapopcacheentries" id="ldapopcacheentries">Directive</a></h2> 473 <table class="directive"> 474 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Number of entries used to cache LDAP compare 475 operations</td></tr> 476 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>LDAPOpCacheEntries <var>number</var></code></td></tr> 477 <tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>LDAPOpCacheEntries 1024</code></td></tr> 478 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr> 479 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> 480 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ldap</td></tr> 481 </table> 482 <p>This specifies the number of entries <code class="module"><a href="../mod/mod_ldap.html">mod_ldap</a></code> 483 will use to cache LDAP compare operations. The default is 1024 484 entries. 
Setting it to 0 disables operation caching.</p> 485 486 </div> 487 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> 488 <div class="directive-section"><h2><a name="LDAPOpCacheTTL" id="LDAPOpCacheTTL">LDAPOpCacheTTL</a> <a name="ldapopcachettl" id="ldapopcachettl">Directive</a></h2> 489 <table class="directive"> 490 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Time that entries in the operation cache remain 491 valid</td></tr> 492 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>LDAPOpCacheTTL <var>seconds</var></code></td></tr> 493 <tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>LDAPOpCacheTTL 600</code></td></tr> 494 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr> 495 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> 496 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ldap</td></tr> 497 </table> 498 <p>Specifies the time (in seconds) that entries in the 499 operation cache remain valid. 
The default is 600 seconds.</p> 500 501 </div> 502 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> 503 <div class="directive-section"><h2><a name="LDAPSharedCacheFile" id="LDAPSharedCacheFile">LDAPSharedCacheFile</a> <a name="ldapsharedcachefile" id="ldapsharedcachefile">Directive</a></h2> 504 <table class="directive"> 505 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Sets the shared memory cache file</td></tr> 506 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>LDAPSharedCacheFile <var>directory-path/filename</var></code></td></tr> 507 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr> 508 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> 509 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ldap</td></tr> 510 </table> 511 <p>Specifies the directory path and file name of the shared memory 512 cache file. 
If not set, anonymous shared memory will be used if the 513 platform supports it.</p> 514 515 </div> 516 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> 517 <div class="directive-section"><h2><a name="LDAPSharedCacheSize" id="LDAPSharedCacheSize">LDAPSharedCacheSize</a> <a name="ldapsharedcachesize" id="ldapsharedcachesize">Directive</a></h2> 518 <table class="directive"> 519 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Size in bytes of the shared-memory cache</td></tr> 520 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>LDAPSharedCacheSize <var>bytes</var></code></td></tr> 521 <tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>LDAPSharedCacheSize 500000</code></td></tr> 522 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr> 523 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> 524 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ldap</td></tr> 525 </table> 526 <p>Specifies the number of bytes to allocate for the shared 527 memory cache. The default is 500kb. If set to 0, shared memory 528 caching will not be used.</p> 529 530 </div> 531 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> 532 <div class="directive-section"><h2><a name="LDAPTrustedClientCert" id="LDAPTrustedClientCert">LDAPTrustedClientCert</a> <a name="ldaptrustedclientcert" id="ldaptrustedclientcert">Directive</a></h2> 533 <table class="directive"> 534 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Sets the file containing or nickname referring to a per 535 connection client certificate. 
Not all LDAP toolkits support per 536 connection client certificates.</td></tr> 537 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>LDAPTrustedClientCert <var>type</var> <var>directory-path/filename/nickname</var> <var>[password]</var></code></td></tr> 538 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr> 539 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> 540 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ldap</td></tr> 541 </table> 542 <p>It specifies the directory path, file name or nickname of a 543 per connection client certificate used when establishing an SSL 544 or TLS connection to an LDAP server. Different locations or 545 directories may have their own independent client certificate 546 settings. Some LDAP toolkits (notably Novell) 547 do not support per connection client certificates, and will throw an 548 error on LDAP server connection if you try to use this directive 549 (Use the LDAPTrustedGlobalCert directive instead for Novell client 550 certificates - See the SSL/TLS certificate guide above for details). 551 The type specifies the kind of certificate parameter being 552 set, depending on the LDAP toolkit being used. 
Supported types are:</p>
<ul>
<li>CERT_DER - binary DER encoded client certificate</li>
<li>CERT_BASE64 - PEM encoded client certificate</li>
<li>CERT_NICKNAME - Client certificate "nickname" (Netscape SDK)</li>
<li>KEY_DER - binary DER encoded private key</li>
<li>KEY_BASE64 - PEM encoded private key</li>
</ul>

</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="LDAPTrustedGlobalCert" id="LDAPTrustedGlobalCert">LDAPTrustedGlobalCert</a> <a name="ldaptrustedglobalcert" id="ldaptrustedglobalcert">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Sets the file or database containing global trusted
Certificate Authority or global client certificates</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>LDAPTrustedGlobalCert <var>type</var> <var>directory-path/filename</var> <var>[password]</var></code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ldap</td></tr>
</table>
<p>This directive specifies the directory path and file name of the trusted CA
certificates and/or system wide client certificates <code class="module"><a href="../mod/mod_ldap.html">mod_ldap</a></code>
should use when establishing an SSL or TLS connection to an LDAP
server. Note that all certificate information specified using this directive
is applied globally to the entire server installation. Some LDAP toolkits
(notably Novell) require all client certificates to be set globally using
this directive. Most other toolkits require client certificates to be set
per Directory or per Location using LDAPTrustedClientCert.
If you get this
wrong, an error may be logged when an attempt is made to contact the LDAP
server, or the connection may silently fail (See the SSL/TLS certificate
guide above for details).
The type specifies the kind of certificate parameter being
set, depending on the LDAP toolkit being used. Supported types are:</p>
<ul>
<li>CA_DER - binary DER encoded CA certificate</li>
<li>CA_BASE64 - PEM encoded CA certificate</li>
<li>CA_CERT7_DB - Netscape cert7.db CA certificate database file</li>
<li>CA_SECMOD - Netscape secmod database file</li>
<li>CERT_DER - binary DER encoded client certificate</li>
<li>CERT_BASE64 - PEM encoded client certificate</li>
<li>CERT_KEY3_DB - Netscape key3.db client certificate database file</li>
<li>CERT_NICKNAME - Client certificate "nickname" (Netscape SDK)</li>
<li>CERT_PFX - PKCS#12 encoded client certificate (Novell SDK)</li>
<li>KEY_DER - binary DER encoded private key</li>
<li>KEY_BASE64 - PEM encoded private key</li>
<li>KEY_PFX - PKCS#12 encoded private key (Novell SDK)</li>
</ul>

</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="LDAPTrustedMode" id="LDAPTrustedMode">LDAPTrustedMode</a> <a name="ldaptrustedmode" id="ldaptrustedmode">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Specifies the SSL/TLS mode to be used when connecting to an LDAP server.</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>LDAPTrustedMode <var>type</var></code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ldap</td></tr>
</table>
<p>The following modes are supported:</p>
<ul>
<li>NONE - no encryption</li>
<li>SSL - ldaps:// encryption on default port 636</li>
<li>TLS - STARTTLS encryption on default port 389</li>
</ul>

<p>Not all LDAP toolkits support all the above modes. An error message
will be logged at runtime if a mode is not supported, and the
connection to the LDAP server will fail.
</p>

<p>If an ldaps:// URL is specified, the mode becomes SSL and the setting
of LDAPTrustedMode is ignored.</p>

</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="LDAPVerifyServerCert" id="LDAPVerifyServerCert">LDAPVerifyServerCert</a> <a name="ldapverifyservercert" id="ldapverifyservercert">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Force server certificate verification</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>LDAPVerifyServerCert <var>On|Off</var></code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>LDAPVerifyServerCert On</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ldap</td></tr>
</table>
<p>Specifies whether to force the verification of a
server certificate when establishing an SSL connection to the
LDAP server.</p>

</div>
</div>
<div class="bottomlang">
<p><span>Available Languages: </span><a href="../en/mod/mod_ldap.html" title="English"> en </a></p>
</div><div class="top"><a href="#page-header"><img src="../images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section"
name="comments_section">Comments</a></h2><div class="warning"><strong>Notice:</strong><br />This is not a Q&A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed again by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Freenode, or sent to our <a href="http://httpd.apache.org/lists.html">mailing lists</a>.</div>
<script type="text/javascript"><!--//--><![CDATA[//><!--
var comments_shortname = 'httpd';
var comments_identifier = 'http://httpd.apache.org/docs/2.2/mod/mod_ldap.html';
(function(w, d) {
    if (w.location.hostname.toLowerCase() == "httpd.apache.org") {
        d.write('<div id="comments_thread"><\/div>');
        var s = d.createElement('script');
        s.type = 'text/javascript';
        s.async = true;
        s.src = 'https://comments.apache.org/show_comments.lua?site=' + comments_shortname + '&page=' + comments_identifier;
        (d.getElementsByTagName('head')[0] || d.getElementsByTagName('body')[0]).appendChild(s);
    }
    else {
        d.write('<div id="comments_thread">Comments are disabled for this page at the moment.<\/div>');
    }
})(window, document);
//--><!]]></script></div><div id="footer">
<p class="apache">Copyright 2017 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!--
if (typeof(prettyPrint) !== 'undefined') {
    prettyPrint();
}
//--><!]]></script>
</body></html>
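The LDAPTrustedMode, LDAPVerifyServerCert, LDAPTrustedGlobalCert and LDAPTrustedClientCert directives documented above decide whether traffic to the LDAP server is encrypted and whether the server's certificate is actually checked. The following is an added example, not code from the Apache documentation or the httpd project: a small Python audit that parses a constructed httpd.conf fragment and reports the weak settings, applying the semantics the manual states (NONE means no encryption, LDAPVerifyServerCert defaults to On, an ldaps:// URL forces SSL and makes LDAPTrustedMode irrelevant, and only the listed type keywords are valid). The AuthLDAPURL directive belongs to mod_authnz_ldap, which this page does not cover, and is assumed here to be where the ldaps:// URL comes from; the hostnames and file paths in the samples are placeholders.

```python
"""Audit mod_ldap transport-security directives in an httpd.conf fragment.

Added example, not code from the Apache documentation or the httpd project.
Semantics follow the manual: LDAPTrustedMode NONE is unencrypted, LDAPVerifyServerCert
defaults to On, and an ldaps:// URL forces SSL regardless of LDAPTrustedMode.
AuthLDAPURL belongs to mod_authnz_ldap and is assumed to supply that URL.
"""

# Type keywords from the LDAPTrustedGlobalCert and LDAPTrustedClientCert descriptions.
GLOBAL_CERT_TYPES = {
    "CA_DER", "CA_BASE64", "CA_CERT7_DB", "CA_SECMOD",
    "CERT_DER", "CERT_BASE64", "CERT_KEY3_DB", "CERT_NICKNAME", "CERT_PFX",
    "KEY_DER", "KEY_BASE64", "KEY_PFX",
}
CLIENT_CERT_TYPES = {"CERT_DER", "CERT_BASE64", "CERT_NICKNAME", "KEY_DER", "KEY_BASE64"}
TRUSTED_MODES = {"NONE", "SSL", "TLS"}


def parse_directives(text):
    """Yield (name, args) per directive line. Names are lower-cased because Apache
    directive names are case-insensitive; comments, blank lines and container
    tags such as <Location> are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        name, *args = line.split()
        yield name.lower(), args


def audit(text):
    """Return a list of finding strings for the fragment (empty when nothing is wrong)."""
    findings = []
    mode = None        # LDAPTrustedMode value, if set
    verify = "ON"      # manual: LDAPVerifyServerCert defaults to On
    ldaps_url = False  # an AuthLDAPURL with the ldaps:// scheme was seen
    has_ca = False     # a CA_* entry was given via LDAPTrustedGlobalCert
    for name, args in parse_directives(text):
        if not args:
            continue
        value = args[0].upper()
        if name == "ldaptrustedmode":
            mode = value
            if mode not in TRUSTED_MODES:
                findings.append("LDAPTrustedMode %s is not one of NONE, SSL, TLS" % args[0])
        elif name == "ldapverifyservercert":
            verify = value
        elif name == "ldaptrustedglobalcert":
            if value not in GLOBAL_CERT_TYPES:
                findings.append("LDAPTrustedGlobalCert type %s is not supported" % args[0])
            elif value.startswith("CA_"):
                has_ca = True
        elif name == "ldaptrustedclientcert" and value not in CLIENT_CERT_TYPES:
            findings.append("LDAPTrustedClientCert type %s is not supported" % args[0])
        elif name == "ldapsharedcachesize" and value == "0":
            findings.append("LDAPSharedCacheSize 0 disables the shared memory cache")
        elif name == "authldapurl" and value.startswith("LDAPS://"):
            ldaps_url = True

    # An ldaps:// URL switches the connection to SSL; LDAPTrustedMode is then ignored.
    effective = "SSL" if ldaps_url else mode
    if ldaps_url and mode not in (None, "SSL"):
        findings.append("ldaps:// URL forces SSL mode; LDAPTrustedMode %s is ignored" % mode)
    if effective is None:
        findings.append("LDAPTrustedMode is not set and no ldaps:// URL is used; set TLS or SSL")
    elif effective == "NONE":
        findings.append("LDAPTrustedMode NONE: bind credentials and directory data are unencrypted")
    if verify == "OFF":
        findings.append("LDAPVerifyServerCert Off: the LDAP server certificate is not verified")
    if effective in ("SSL", "TLS") and not has_ca:
        findings.append("no CA_* entry in LDAPTrustedGlobalCert: nothing to verify the server against")
    return findings


# Constructed sample fragments; hostnames and paths are placeholders.
WEAK_CONF = """
LDAPSharedCacheSize 0
LDAPTrustedMode NONE
LDAPVerifyServerCert Off
<Location /intranet>
    AuthLDAPURL ldap://ldap.example.internal/ou=people,dc=example,dc=internal?uid
</Location>
"""

HARDENED_CONF = """
LDAPSharedCacheSize 500000
LDAPTrustedGlobalCert CA_BASE64 /etc/httpd/ldap/ca-chain.pem
LDAPTrustedMode TLS
LDAPVerifyServerCert On
<Location /intranet>
    AuthLDAPURL ldap://ldap.example.internal/ou=people,dc=example,dc=internal?uid
</Location>
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print("%s: %s" % (label, audit(conf) or ["no findings"]))
```

Running the script reports three findings for the weak fragment (no encryption, verification disabled, cache disabled) and none for the hardened one. The check for a missing CA_* entry only fires when SSL or TLS is in effect, because that is the situation in which LDAPVerifyServerCert On has nothing to verify against; the toolkit-specific behaviour the manual describes (Novell requiring global client certificates) is not modelled.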