<Location /ldap-status>
SetHandler ldap-status
-
+
Require host yourdomain.example.com
-
+
Satisfy any
AuthType Basic
AuthName "LDAP Protected"
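Review bot: the only change in this hunk is stripped trailing whitespace, but the example it touches authorizes the ldap-status handler with "Require host yourdomain.example.com" under "Satisfy any", so a client whose reverse DNS resolves to that name reaches the cache status page with no Basic authentication at all, and the check rests on a DNS lookup rather than on the client address. For a status handler, "Require ip" with an administrative address range is the safer example, and since this is the 2.4 manual the either/or should be written as a <RequireAny> block instead of the mod_access_compat "Satisfy any".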
credentials used when binding to an LDAP server. These
credentials can be provided to LDAP servers that do not
allow anonymous binds during referral chasing. To control
- this feature, see the
- <code class="directive"><a href="#ldapreferrals">LDAPReferrals</a></code> and
- <code class="directive"><a href="#ldapreferralhoplimit">LDAPReferralHopLimit</a></code>
+ this feature, see the
+ <code class="directive"><a href="#ldapreferrals">LDAPReferrals</a></code> and
+ <code class="directive"><a href="#ldapreferralhoplimit">LDAPReferralHopLimit</a></code>
directives. By default, this feature is enabled.</p>
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="usingssltls" id="usingssltls">Using SSL/TLS</a></h2>
<p>The ability to create an SSL and TLS connections to an LDAP server
- is defined by the directives
- <code class="directive"><a href="#ldaptrustedglobalcert">LDAPTrustedGlobalCert</a></code>,
+ is defined by the directives
+ <code class="directive"><a href="#ldaptrustedglobalcert">LDAPTrustedGlobalCert</a></code>,
<code class="directive"><a href="#ldaptrustedclientcert">LDAPTrustedClientCert</a></code>
- and <code class="directive"><a href="#ldaptrustedmode">LDAPTrustedMode</a></code>.
- These directives specify the CA and optional client certificates to be used,
- as well as the type of encryption to be used on the connection (none, SSL or
+ and <code class="directive"><a href="#ldaptrustedmode">LDAPTrustedMode</a></code>.
+ These directives specify the CA and optional client certificates to be used,
+ as well as the type of encryption to be used on the connection (none, SSL or
TLS/STARTTLS).</p>
- <pre class="prettyprint lang-config"># Establish an SSL LDAP connection on port 636. Requires that
-# mod_ldap and mod_authnz_ldap be loaded. Change the
+ <pre class="prettyprint lang-config"># Establish an SSL LDAP connection on port 636. Requires that
+# mod_ldap and mod_authnz_ldap be loaded. Change the
# "yourdomain.example.com" to match your domain.
LDAPTrustedGlobalCert CA_DER /certs/certfile.der
<Location /ldap-status>
SetHandler ldap-status
-
+
Require host yourdomain.example.com
-
+
Satisfy any
AuthType Basic
AuthName "LDAP Protected"
</Location></pre>
- <pre class="prettyprint lang-config"># Establish a TLS LDAP connection on port 389. Requires that
-# mod_ldap and mod_authnz_ldap be loaded. Change the
+ <pre class="prettyprint lang-config"># Establish a TLS LDAP connection on port 389. Requires that
+# mod_ldap and mod_authnz_ldap be loaded. Change the
# "yourdomain.example.com" to match your domain.
LDAPTrustedGlobalCert CA_DER /certs/certfile.der
<Location /ldap-status>
SetHandler ldap-status
-
+
Require host yourdomain.example.com
-
+
Satisfy any
AuthType Basic
AuthName "LDAP Protected"
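Review bot: this hunk is pure re-indentation, so fix the grammar in the paragraph it reindents while it is open: "The ability to create an SSL and TLS connections to an LDAP server" should read "The ability to create SSL or TLS connections to an LDAP server". Within the visible lines the "SSL LDAP connection on port 636" and "TLS LDAP connection on port 389" examples are identical apart from their comments; the directive that selects the mode (LDAPTrustedMode, named in the paragraph above) is not in the context shown, so please confirm the two examples actually differ in the file and that each comment matches its configuration. It would also help readers to say that the LDAPTrustedGlobalCert CA entry is what allows the LDAP server's certificate to be verified: an SSL/TLS connection without a trusted CA is encrypted but the peer is not authenticated.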
LDAPTrustedGlobalCert CA_BASE64 /certs/cacert2.pem
<Location /ldap-status>
SetHandler ldap-status
-
+
Require host yourdomain.example.com
-
+
LDAPTrustedClientCert CERT_BASE64 /certs/cert1.pem
LDAPTrustedClientCert KEY_BASE64 /certs/key1.pem
# CA certs respecified due to per-directory client certs
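Review bot: "LDAPTrustedClientCert KEY_BASE64 /certs/key1.pem" points httpd at a private key, and the example gives no hint that this file needs different handling from the certificate beside it; add a short comment that the key must be readable by the user httpd runs as and by nobody else. The comment "CA certs respecified due to per-directory client certs" states that the CA entries are repeated but not what goes wrong when they are omitted; one sentence on the consequence would make the example self-explanatory.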
connection pool. The default value of -1, and any other negative value,
allows connections of any age to be reused.</p>
- <p>The timemout is based on when the LDAP connection is returned to the
+ <p>The timemout is based on when the LDAP connection is returned to the
pool, not based on the last time I/O has been performed over the backend
connection. If the information is cached, the apparent idle time can exceed
- the <code class="directive">LDAPConnectionPoolTTL</code>. </p>
+ the <code class="directive">LDAPConnectionPoolTTL</code>. </p>
<div class="note"><p>This timeout defaults to units of seconds, but accepts
suffixes for milliseconds (ms), minutes (min), and hours (h).
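Review bot: the "+" line re-indents the sentence but keeps the typo "timemout"; change it to "timeout" ("The timeout is based on when the LDAP connection is returned to the pool"). The caveat itself is worth keeping exactly as stated, since it tells administrators that a pooled connection can outlive LDAPConnectionPoolTTL when cached results mean no I/O has happened on it.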
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ldap</td></tr>
</table>
- <p>This directive, if enabled by the <code>LDAPReferrals</code> directive,
+ <p>This directive, if enabled by the <code class="directive">LDAPReferrals</code> directive,
limits the number of referral hops that are followed before terminating an
LDAP query.</p>
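Review bot: the "+" line adds class="directive" to the LDAPReferrals reference but, unlike the other directive references in this file (for example <code class="directive"><a href="#ldapreferrals">LDAPReferrals</a></code> in the referral paragraph), does not wrap it in the anchor link; use the same <a href="#ldapreferrals"> form so the cross-reference is clickable and consistent.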
<div class="directive-section"><h2><a name="LDAPReferrals" id="LDAPReferrals">LDAPReferrals</a> <a name="ldapreferrals" id="ldapreferrals">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Enable referral chasing during queries to the LDAP server.</td></tr>
-<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>LDAPReferrals On|Off|default</code></td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>LDAPReferrals <var>On|Off|default</var></code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>LDAPReferrals On</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ldap</td></tr>
+<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>The <var>default</var> parameter is available in Apache 2.4.7 and later</td></tr>
</table>
<p>Some LDAP servers divide their directory among multiple domains and use referrals
to direct a client when a domain boundary is crossed. This is similar to a HTTP redirect.
- LDAP client libraries may or may not chase referrals by default. This directive
- explicitly configures the referral chasing in the underlying SDK.</p>
-
-
- <p><code class="directive">LDAPReferrals</code> takes the takes the following values:</p>
+ LDAP client libraries may or may not chase referrals by default. This directive
+ explicitly configures the referral chasing in the underlying SDK.</p>
+
+ <p><code class="directive">LDAPReferrals</code> takes the following values:</p>
<dl>
<dt>"on"</dt>
<dd> <p> When set to "on", the underlying SDK's referral chasing state
- is enabled, <code class="directive">LDAPReferralHopLimit</code> is used to
- override the SDK's hop limit, and an LDAP rebind callback is
+ is enabled, <code class="directive">LDAPReferralHopLimit</code> is used to
+ override the SDK's hop limit, and an LDAP rebind callback is
registered.</p></dd>
<dt>"off"</dt>
<dd> <p> When set to "off", the underlying SDK's referral chasing state
is disabled completely.</p></dd>
<dt>"default"</dt>
<dd> <p> When set to "default", the underlying SDK's referral chasing state
- is not changed, <code class="directive">LDAPReferralHopLimit</code> is not
- used to overide the SDK's hop limit, and no LDAP rebind callback is
+ is not changed, <code class="directive">LDAPReferralHopLimit</code> is not
+ used to overide the SDK's hop limit, and no LDAP rebind callback is
registered.</p></dd>
</dl>
- <p> The directive <code>LDAPReferralHopLimit</code> works in conjunction with
+ <p>The directive <code class="directive">LDAPReferralHopLimit</code> works in conjunction with
this directive to limit the number of referral hops to follow before terminating the LDAP query.
- When referral processing is enabled by a value of "On", client credentials will be provided,
- via a rebind callback, for any LDAP server requiring them. </p>
+ When referral processing is enabled by a value of "On", client credentials will be provided,
+ via a rebind callback, for any LDAP server requiring them.</p>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
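Review bot: the closing paragraph says that with "On" client credentials will be provided, via a rebind callback, for any LDAP server requiring them, but it never says whose credentials: they are the ones configured for binding to the primary server, and because referrals are issued by the server being queried, "On" (the default) hands those credentials to whichever server a referral names. That trust implication should be stated plainly in the "on" entry, together with the fact that "Off" avoids it and that LDAPReferralHopLimit bounds how many hops are followed, not where they go. Minor points in the same hunk: the re-indented "default" entry still reads "overide" (should be "override", as the "on" entry spells it), and "similar to a HTTP redirect" should be "an HTTP redirect". The new <var>On|Off|default</var> syntax markup and the 2.4.7 Compatibility row look correct.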
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ldap</td></tr>
</table>
- <p>The server will retry failed LDAP requests up to
+ <p>The server will retry failed LDAP requests up to
<code class="directive">LDAPRetries</code> times. Setting this
directive to 0 disables retries.</p>
<p>LDAP errors such as timeouts and refused connections are retryable.</p>
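Review bot: whitespace-only change, but the description would be more useful if it stated the cost of retries: since timeouts are listed as retryable, a backend that hangs rather than refuses is waited on up to LDAPRetries + 1 times, so the worst-case latency of one protected request is that multiple of the LDAP timeout plus any LDAPRetryDelay between attempts. Administrators sizing LDAPRetries against a slow or failing directory need that arithmetic spelled out here.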
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ldap</td></tr>
</table>
<p>If <code class="directive">LDAPRetryDelay</code> is set to a non-zero
- value, the server will delay retrying an LDAP request for the
+ value, the server will delay retrying an LDAP request for the
specified amount of time. Setting this directive to 0 will
result in any retry to occur without delay.</p>
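Review bot: "Setting this directive to 0 will result in any retry to occur without delay" is ungrammatical; since the preceding line is being re-indented anyway, reword the sentence to "Setting this directive to 0 causes any retry to occur without delay."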