[Remove entries to the current 2.0 section below, when backported]
+ *) Quotes cannot be used around require group and require dn
+ directives, update the documentation to reflect this. Also add
+ quotes around the dn and group within debug messages, to make it
+ more obvious why authentication is failing if quotes are used in
+ error. PR 19304 [Graham Leggett]
+
*) The Microsoft LDAP SDK escapes filters for us, stop util_ldap
from escaping filters twice when the backslash character is used.
PR 24437 [Jess Holle <jessh@ptc.com>]
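Review bot: the entry only mentions the require group / require dn documentation change and the debug-message quoting, but the same patch also strips the quotes from every AuthLDAPURL example in the manual. Either say so here or keep the AuthLDAPURL examples out of this commit, since a reader of CHANGES will otherwise not know the URL examples changed. The "PR 19304 [Graham Leggett]" trailer matches the format of the neighbouring entry.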
<?xml version="1.0"?>
<!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd">
<?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?>
-<!-- $Revision: 1.17 $ -->
+<!-- $Revision: 1.18 $ -->
<!--
Copyright 2002-2004 The Apache Software Foundation
<p>This directive specifies an LDAP group whose members are
allowed access. It takes the distinguished name of the LDAP
- group. For example, assume that the following entry existed in
+ group. Note: Do not surround the group name with quotes.
+ For example, assume that the following entry existed in
the LDAP directory:</p>
<example>
dn: cn=Administrators, o=Airius<br />
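Review bot: the added sentence states the rule but not its consequence. Suggest expanding "Note: Do not surround the group name with quotes." to say what happens when quotes are used, namely that authentication fails (the CHANGES entry gives this as the motivation for the change), so an administrator who sees access denied can connect the symptom to the cause.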
<p>The following directive would grant access to both Fred and
Barbara:</p>
-<example>require group "cn=Administrators, o=Airius"</example>
+<example>require group cn=Administrators, o=Airius</example>
<p>Behavior of this directive is modified by the <directive
module="mod_auth_ldap">AuthLDAPGroupAttribute</directive> and
that must match for access to be granted. If the distinguished
name that was retrieved from the directory server matches the
distinguished name in the <code>require dn</code>, then
- authorization is granted.</p>
+ authorization is granted. Note: do not surround the distinguished
+ name with quotes.</p>
<p>The following directive would grant access to a specific
DN:</p>
-<example>require dn "cn=Barbara Jenson, o=Airius"</example>
+<example>require dn cn=Barbara Jenson, o=Airius</example>
<p>Behavior of this directive is modified by the <directive
module="mod_auth_ldap">AuthLDAPCompareDNOnServer</directive>
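Review bot: capitalisation is inconsistent between the two new notes: the require group hunk reads "Note: Do not surround" while this one reads "Note: do not surround the distinguished name with quotes." Pick one form for both, and state the consequence (authentication fails) here as well rather than only implying it.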
Grant access to anyone who exists in the LDAP directory,
using their UID for searches.
<example>
-AuthLDAPURL "ldap://ldap1.airius.com:389/ou=People, o=Airius?uid?sub?(objectClass=*)"<br />
+AuthLDAPURL ldap://ldap1.airius.com:389/ou=People, o=Airius?uid?sub?(objectClass=*)<br />
require valid-user
</example>
</li>
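Review bot: removing the quotes here changes a value that contains a space ("ou=People, o=Airius"), and the CHANGES entry only claims that quotes must be dropped for require group and require dn, not for AuthLDAPURL. Please confirm that AuthLDAPURL takes the rest of the line verbatim; if it is a single-argument directive, the unquoted URL is cut at the first space and the example as documented will not load. The same concern applies to the later examples that keep the space in the base DN and to the two-server form "ldap1.airius.com ldap2.airius.com".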
The next example is the same as above; but with the fields
that have useful defaults omitted. Also, note the use of a
redundant LDAP server.
-<example>AuthLDAPURL "ldap://ldap1.airius.com ldap2.airius.com/ou=People, o=Airius"<br />
+<example>AuthLDAPURL ldap://ldap1.airius.com ldap2.airius.com/ou=People, o=Airius<br />
require valid-user
</example>
</li>
choose an attribute that is guaranteed unique in your
directory, such as <code>uid</code>.
<example>
-AuthLDAPURL "ldap://ldap.airius.com/ou=People, o=Airius?cn"<br />
+AuthLDAPURL ldap://ldap.airius.com/ou=People, o=Airius?cn<br />
require valid-user
</example>
</li>
Grant access to anybody in the Administrators group. The
users must authenticate using their UID.
<example>
-AuthLDAPURL "ldap://ldap.airius.com/o=Airius?uid"<br />
+AuthLDAPURL ldap://ldap.airius.com/o=Airius?uid<br />
require group cn=Administrators, o=Airius
</example>
</li>
only to people (authenticated via their UID) who have
alphanumeric pagers:
<example>
-AuthLDAPURL "ldap://ldap.airius.com/o=Airius?uid??(qpagePagerID=*)"<br />
+AuthLDAPURL ldap://ldap.airius.com/o=Airius?uid??(qpagePagerID=*)<br />
require valid-user
</example>
</li>
have a pager, but does need to access the same
resource:</p>
<example>
-AuthLDAPURL "ldap://ldap.airius.com/o=Airius?uid??(|(qpagePagerID=*)(uid=jmanager))"<br />
+AuthLDAPURL ldap://ldap.airius.com/o=Airius?uid??(|(qpagePagerID=*)(uid=jmanager))<br />
require valid-user
</example>
default: {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
"[%d] auth_ldap authorise: "
- "require dn: LDAP error [%s][%s]",
- getpid(), ldc->reason, ldap_err2string(result));
+ "require dn \"%s\": LDAP error [%s][%s]",
+ getpid(), t, ldc->reason, ldap_err2string(result));
}
}
}
}
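Review bot: the new format string adds a fourth conversion and the argument list inserts `t` in the matching position, so the call is consistent, but the hunk context does not show where `t` is set in the require dn path; please confirm it is the distinguished name taken from the directive and is non-NULL on every route into this default case, since the formatter now reads it. Quoting the value as \"%s\" is the right choice: a quote configured in error now shows up doubled inside the logged value, which is exactly the failure the CHANGES entry wants to make visible.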
ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
- "[%d] auth_ldap authorise: require group: testing for group membership in `%s'",
+ "[%d] auth_ldap authorise: require group: testing for group membership in \"%s\"",
getpid(), t);
for (i = 0; i < sec->groupattr->nelts; i++) {
}
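Review bot: the quoting style changes from `%s' to \"%s\" here, which matches the double-quote form used in the two other messages touched by this patch; fine as a consistency change. It would be worth keeping the same convention for any remaining auth_ldap debug messages that still use the backtick form, otherwise the log mixes both styles.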
default: {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
- "[%d] auth_ldap authorise: require group: "
+ "[%d] auth_ldap authorise: require group \"%s\": "
"authorisation failed [%s][%s]",
- getpid(), ldc->reason, ldap_err2string(result));
+ getpid(), t, ldc->reason, ldap_err2string(result));
}
}
}
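Review bot: the format string is split across two adjacent literals and the added \"%s\" sits in the first half while its argument `t` is inserted before `ldc->reason`; the order lines up (t, reason, err2string), but anyone editing the second literal later has to remember that, so a short comment above the call naming the three operands would help. Also, the wording now differs from the require dn message ("LDAP error" there, "authorisation failed" here) for what looks like the same default branch; aligning the two makes the debug log easier to grep.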