consistent format, and there is <a href="directive-dict.html" rel="Glossary">a dictionary</a> of the terms used in their
descriptions available.
</p>
- <ul><li><a href="prefork.html#acceptmutex">AcceptMutex</a></li><li><a href="core.html#acceptpathinfo">AcceptPathInfo</a></li><li><a href="core.html#accessfilename">AccessFileName</a></li><li><a href="mod_actions.html#action">Action</a></li><li><a href="mod_autoindex.html#addalt">AddAlt</a></li><li><a href="mod_autoindex.html#addaltbyencoding">AddAltByEncoding</a></li><li><a href="mod_autoindex.html#addaltbytype">AddAltByType</a></li><li><a href="mod_mime.html#addcharset">AddCharset</a></li><li><a href="core.html#adddefaultcharset">AddDefaultCharset</a></li><li><a href="mod_autoindex.html#adddescription">AddDescription</a></li><li><a href="mod_mime.html#addencoding">AddEncoding</a></li><li><a href="mod_mime.html#addhandler">AddHandler</a></li><li><a href="mod_autoindex.html#addicon">AddIcon</a></li><li><a href="mod_autoindex.html#addiconbyencoding">AddIconByEncoding</a></li><li><a href="mod_autoindex.html#addiconbytype">AddIconByType</a></li><li><a href="mod_mime.html#addinputfilter">AddInputFilter</a></li><li><a href="mod_mime.html#addlanguage">AddLanguage</a></li><li><a href="mod_info.html#addmoduleinfo">AddModuleInfo</a></li><li><a href="mod_mime.html#addoutputfilter">AddOutputFilter</a></li><li><a href="mod_mime.html#addtype">AddType</a></li><li><a href="mod_alias.html#alias">Alias</a></li><li><a href="mod_alias.html#aliasmatch">AliasMatch</a></li><li><a href="mod_access.html#allow">Allow</a></li><li><a href="mod_proxy.html#allowconnect">AllowCONNECT</a></li><li><a href="core.html#allowoverride">AllowOverride</a></li><li><a href="mod_auth_anon.html#anonymous">Anonymous</a></li><li><a href="mod_auth_anon.html#anonymous_authoritative">Anonymous_Authoritative</a></li><li><a href="mod_auth_anon.html#anonymous_logemail">Anonymous_LogEmail</a></li><li><a href="mod_auth_anon.html#anonymous_mustgiveemail">Anonymous_MustGiveEmail</a></li><li><a href="mod_auth_anon.html#anonymous_nouserid">Anonymous_NoUserID</a></li><li><a href="mod_auth_anon.html#anonymous_verifyemail">Anonymous_VerifyEmail</a></li><li><a href="perchild.html#assignuserid">AssignUserId</a></li><li><a href="mod_auth.html#authauthoritative">AuthAuthoritative</a></li><li><a href="mod_auth_dbm.html#authdbmauthoritative">AuthDBMAuthoritative</a></li><li><a href="mod_auth_dbm.html#authdbmgroupfile">AuthDBMGroupFile</a></li><li><a href="mod_auth_dbm.html#authdbmtype">AuthDBMType</a></li><li><a href="mod_auth_dbm.html#authdbmuserfile">AuthDBMUserFile</a></li><li><a href="mod_auth_digest.html#authdigestalgorithm">AuthDigestAlgorithm</a></li><li><a href="mod_auth_digest.html#authdigestdomain">AuthDigestDomain</a></li><li><a href="mod_auth_digest.html#authdigestfile">AuthDigestFile</a></li><li><a href="mod_auth_digest.html#authdigestgroupfile">AuthDigestGroupFile</a></li><li><a href="mod_auth_digest.html#authdigestnccheck">AuthDigestNcCheck</a></li><li><a href="mod_auth_digest.html#authdigestnonceformat">AuthDigestNonceFormat</a></li><li><a href="mod_auth_digest.html#authdigestnoncelifetime">AuthDigestNonceLifetime</a></li><li><a href="mod_auth_digest.html#authdigestqop">AuthDigestQop</a></li><li><a href="mod_auth.html#authgroupfile">AuthGroupFile</a></li><li><a href="core.html#authname">AuthName</a></li><li><a href="core.html#authtype">AuthType</a></li><li><a href="mod_auth.html#authuserfile">AuthUserFile</a></li><li><a href="mod_setenvif.html#browsermatch">BrowserMatch</a></li><li><a href="mod_setenvif.html#browsermatchnocase">BrowserMatchNoCase</a></li><li><a href="mod_cache.html#cachedefaultexpire">CacheDefaultExpire</a></li><li><a href="mod_cache.html#cachedisable">CacheDisable</a></li><li><a href="mod_cache.html#cacheenable">CacheEnable</a></li><li><a href="mod_file_cache.html#cachefile">CacheFile</a></li><li><a href="mod_cache.html#cacheforcecompletion">CacheForceCompletion</a></li><li><a href="mod_cache.html#cacheforcecompletion">CacheForceCompletion</a></li><li><a href="mod_cache.html#cacheignorecachecontrol">CacheIgnoreCacheControl</a></li><li><a href="mod_cache.html#cacheignorenolastmod">CacheIgnoreNoLastMod</a></li><li><a href="mod_cache.html#cachelastmodifiedfactor">CacheLastModifiedFactor</a></li><li><a href="mod_cache.html#cachemaxexpire">CacheMaxExpire</a></li><li><a href="mod_negotiation.html#cachenegotiateddocs">CacheNegotiatedDocs</a></li><li><a href="core.html#cgimapextension">CGIMapExtension</a></li><li><a href="mod_charset_lite.html#charsetdefault">CharsetDefault</a></li><li><a href="mod_charset_lite.html#charsetoptions">CharsetOptions</a></li><li><a href="mod_charset_lite.html#charsetsourceenc">CharsetSourceEnc</a></li><li><a href="mod_speling.html#checkspelling">CheckSpelling</a></li><li><a href="perchild.html#childperuserid">ChildPerUserId</a></li><li><a href="core.html#contentdigest">ContentDigest</a></li><li><a href="mod_usertrack.html#cookiedomain">CookieDomain</a></li><li><a href="mod_usertrack.html#cookieexpires">CookieExpires</a></li><li><a href="mod_log_config.html#cookielog">CookieLog</a></li><li><a href="mod_usertrack.html#cookiename">CookieName</a></li><li><a href="mod_usertrack.html#cookiestyle">CookieStyle</a></li><li><a href="mod_usertrack.html#cookietracking">CookieTracking</a></li><li><a href="mpm_common.html#coredumpdirectory">CoreDumpDirectory</a></li><li><a href="mod_log_config.html#customlog">CustomLog</a></li><li><a href="mod_dav.html#dav">Dav</a></li><li><a href="mod_dav.html#davdepthinfinity">DavDepthInfinity</a></li><li><a href="mod_dav.html#davlockdb">DavLockDB</a></li><li><a href="mod_dav.html#davmintimeout">DavMinTimeout</a></li><li><a href="mod_autoindex.html#defaulticon">DefaultIcon</a></li><li><a href="mod_mime.html#defaultlanguage">DefaultLanguage</a></li><li><a href="core.html#defaulttype">DefaultType</a></li><li><a href="mod_deflate.html#deflatebuffersize">DeflateBufferSize</a></li><li><a href="mod_deflate.html#deflatefilternote">DeflateFilterNote</a></li><li><a href="mod_deflate.html#deflatememlevel">DeflateMemLevel</a></li><li><a href="mod_deflate.html#deflatewindowsize">DeflateWindowSize</a></li><li><a href="mod_access.html#deny">Deny</a></li><li><a href="core.html#directory">Directory</a></li><li><a href="mod_dir.html#directoryindex">DirectoryIndex</a></li><li><a href="core.html#directorymatch">DirectoryMatch</a></li><li><a href="core.html#documentroot">DocumentRoot</a></li><li><a href="core.html#enablemmap">EnableMMAP</a></li><li><a href="core.html#errordocument">ErrorDocument</a></li><li><a href="core.html#errorlog">ErrorLog</a></li><li><a href="mod_example.html#example">Example</a></li><li><a href="mod_expires.html#expiresactive">ExpiresActive</a></li><li><a href="mod_expires.html#expiresbytype">ExpiresByType</a></li><li><a href="mod_expires.html#expiresdefault">ExpiresDefault</a></li><li><a href="mod_status.html#extendedstatus">ExtendedStatus</a></li><li><a href="mod_ext_filter.html#extfilterdefine">ExtFilterDefine</a></li><li><a href="mod_ext_filter.html#extfilteroptions">ExtFilterOptions</a></li><li><a href="core.html#fileetag">FileETag</a></li><li><a href="core.html#files">Files</a></li><li><a href="core.html#filesmatch">FilesMatch</a></li><li><a href="mod_negotiation.html#forcelanguagepriority">ForceLanguagePriority</a></li><li><a href="core.html#forcetype">ForceType</a></li><li><a href="mpm_common.html#group">Group</a></li><li><a href="mod_headers.html#header">Header</a></li><li><a href="mod_autoindex.html#headername">HeaderName</a></li><li><a href="core.html#hostnamelookups">HostnameLookups</a></li><li><a href="core.html#identitycheck">IdentityCheck</a></li><li><a href="core.html#ifdefine">IfDefine</a></li><li><a href="core.html#ifmodule">IfModule</a></li><li><a href="mod_imap.html#imapbase">ImapBase</a></li><li><a href="mod_imap.html#imapdefault">ImapDefault</a></li><li><a href="mod_imap.html#imapmenu">ImapMenu</a></li><li><a href="core.html#include">Include</a></li><li><a href="mod_autoindex.html#indexignore">IndexIgnore</a></li><li><a href="mod_autoindex.html#indexoptions">IndexOptions</a></li><li><a href="mod_autoindex.html#indexorderdefault">IndexOrderDefault</a></li><li><a href="mod_isapi.html#isapiappendlogtoerrors">ISAPIAppendLogToErrors</a></li><li><a href="mod_isapi.html#isapiappendlogtoquery">ISAPIAppendLogToQuery</a></li><li><a href="mod_isapi.html#isapicachefile">ISAPICacheFile</a></li><li><a href="mod_isapi.html#isapifakeasync">ISAPIFakeAsync</a></li><li><a href="mod_isapi.html#isapilognotsupported">ISAPILogNotSupported</a></li><li><a href="mod_isapi.html#isapireadaheadbuffer">ISAPIReadAheadBuffer</a></li><li><a href="core.html#keepalive">KeepAlive</a></li><li><a href="core.html#keepalivetimeout">KeepAliveTimeout</a></li><li><a href="mod_negotiation.html#languagepriority">LanguagePriority</a></li><li><a href="core.html#limit">Limit</a></li><li><a href="core.html#limitexcept">LimitExcept</a></li><li><a href="core.html#limitrequestbody">LimitRequestBody</a></li><li><a href="core.html#limitrequestfields">LimitRequestFields</a></li><li><a href="core.html#limitrequestfieldsize">LimitRequestFieldSize</a></li><li><a href="core.html#limitrequestline">LimitRequestLine</a></li><li><a href="core.html#limitxmlrequestbody">LimitXMLRequestBody</a></li><li><a href="mpm_common.html#listen">Listen</a></li><li><a href="mpm_common.html#listenbacklog">ListenBackLog</a></li><li><a href="mod_so.html#loadfile">LoadFile</a></li><li><a href="mod_so.html#loadmodule">LoadModule</a></li><li><a href="core.html#location">Location</a></li><li><a href="core.html#locationmatch">LocationMatch</a></li><li><a href="mpm_common.html#lockfile">LockFile</a></li><li><a href="mod_log_config.html#logformat">LogFormat</a></li><li><a href="core.html#loglevel">LogLevel</a></li><li><a href="mpm_common.html#maxclients">MaxClients</a></li><li><a href="core.html#maxkeepaliverequests">MaxKeepAliveRequests</a></li><li><a href="mpm_common.html#maxrequestsperchild">MaxRequestsPerChild</a></li><li><a href="prefork.html#maxspareservers">MaxSpareServers</a></li><li><a href="mpm_common.html#maxsparethreads">MaxSpareThreads</a></li><li><a href="mpm_netware.html#maxthreads">MaxThreads</a></li><li><a href="mpm_common.html#maxthreadsperchild">MaxThreadsPerChild</a></li><li><a href="mod_cern_meta.html#metadir">MetaDir</a></li><li><a href="mod_cern_meta.html#metafiles">MetaFiles</a></li><li><a href="mod_cern_meta.html#metasuffix">MetaSuffix</a></li><li><a href="mod_mime_magic.html#mimemagicfile">MimeMagicFile</a></li><li><a href="prefork.html#minspareservers">MinSpareServers</a></li><li><a href="mpm_common.html#minsparethreads">MinSpareThreads</a></li><li><a href="mod_file_cache.html#mmapfile">MMapFile</a></li><li><a href="mod_mime.html#multiviewsmatch">MultiviewsMatch</a></li><li><a href="core.html#namevirtualhost">NameVirtualHost</a></li><li><a href="mod_proxy.html#noproxy">NoProxy</a></li><li><a href="mpm_common.html#numservers">NumServers</a></li><li><a href="core.html#options">Options</a></li><li><a href="mod_access.html#order">Order</a></li><li><a href="mod_env.html#passenv">PassEnv</a></li><li><a href="mpm_common.html#pidfile">PidFile</a></li><li><a href="mod_echo.html#protocolecho">ProtocolEcho</a></li><li><a href="mod_proxy.html#proxy">Proxy</a></li><li><a href="mod_proxy.html#proxyblock">ProxyBlock</a></li><li><a href="mod_proxy.html#proxydomain">ProxyDomain</a></li><li><a href="mod_proxy.html#proxyerroroverride">ProxyErrorOverride</a></li><li><a href="mod_proxy.html#proxyiobuffersize">ProxyIOBufferSize</a></li><li><a href="mod_proxy.html#proxymatch">ProxyMatch</a></li><li><a href="mod_proxy.html#proxymaxforwards">ProxyMaxForwards</a></li><li><a href="mod_proxy.html#proxypass">ProxyPass</a></li><li><a href="mod_proxy.html#proxypassreverse">ProxyPassReverse</a></li><li><a href="mod_proxy.html#proxypreservehost">ProxyPreserveHost</a></li><li><a href="mod_proxy.html#proxyreceivebuffersize">ProxyReceiveBufferSize</a></li><li><a href="mod_proxy.html#proxyremote">ProxyRemote</a></li><li><a href="mod_proxy.html#proxyremotematch">ProxyRemoteMatch</a></li><li><a href="mod_proxy.html#proxyrequests">ProxyRequests</a></li><li><a href="mod_proxy.html#proxytimeout">ProxyTimeout</a></li><li><a href="mod_proxy.html#proxyvia">ProxyVia</a></li><li><a href="mod_autoindex.html#readmename">ReadmeName</a></li><li><a href="mod_alias.html#redirect">Redirect</a></li><li><a href="mod_alias.html#redirectmatch">RedirectMatch</a></li><li><a href="mod_alias.html#redirectpermanent">RedirectPermanent</a></li><li><a href="mod_alias.html#redirecttemp">RedirectTemp</a></li><li><a href="mod_mime.html#removecharset">RemoveCharset</a></li><li><a href="mod_mime.html#removeencoding">RemoveEncoding</a></li><li><a href="mod_mime.html#removehandler">RemoveHandler</a></li><li><a href="mod_mime.html#removeinputfilter">RemoveInputFilter</a></li><li><a href="mod_mime.html#removelanguage">RemoveLanguage</a></li><li><a href="mod_mime.html#removeoutputfilter">RemoveOutputFilter</a></li><li><a href="mod_mime.html#removetype">RemoveType</a></li><li><a href="mod_headers.html#requestheader">RequestHeader</a></li><li><a href="core.html#require">Require</a></li><li><a href="mod_rewrite.html#rewritebase">RewriteBase</a></li><li><a href="mod_rewrite.html#rewritecond">RewriteCond</a></li><li><a href="mod_rewrite.html#rewriteengine">RewriteEngine</a></li><li><a href="mod_rewrite.html#rewritelock">RewriteLock</a></li><li><a href="mod_rewrite.html#rewritelog">RewriteLog</a></li><li><a href="mod_rewrite.html#rewriteloglevel">RewriteLogLevel</a></li><li><a href="mod_rewrite.html#rewritemap">RewriteMap</a></li><li><a href="mod_rewrite.html#rewriteoptions">RewriteOptions</a></li><li><a href="mod_rewrite.html#rewriterule">RewriteRule</a></li><li><a href="core.html#rlimitcpu">RLimitCPU</a></li><li><a href="core.html#rlimitmem">RLimitMEM</a></li><li><a href="core.html#rlimitnproc">RLimitNPROC</a></li><li><a href="core.html#satisfy">Satisfy</a></li><li><a href="mpm_common.html#scoreboardfile">ScoreBoardFile</a></li><li><a href="mod_actions.html#script">Script</a></li><li><a href="mod_alias.html#scriptalias">ScriptAlias</a></li><li><a href="mod_alias.html#scriptaliasmatch">ScriptAliasMatch</a></li><li><a href="core.html#scriptinterpretersource">ScriptInterpreterSource</a></li><li><a href="mod_cgi.html#scriptlog">ScriptLog</a></li><li><a href="mod_cgi.html#scriptlogbuffer">ScriptLogBuffer</a></li><li><a href="mod_cgi.html#scriptloglength">ScriptLogLength</a></li><li><a href="mod_cgid.html#scriptsock">ScriptSock</a></li><li><a href="mpm_common.html#sendbuffersize">SendBufferSize</a></li><li><a href="core.html#serveradmin">ServerAdmin</a></li><li><a href="core.html#serveralias">ServerAlias</a></li><li><a href="mpm_common.html#serverlimit">ServerLimit</a></li><li><a href="core.html#servername">ServerName</a></li><li><a href="core.html#serverpath">ServerPath</a></li><li><a href="core.html#serverroot">ServerRoot</a></li><li><a href="core.html#serversignature">ServerSignature</a></li><li><a href="core.html#servertokens">ServerTokens</a></li><li><a href="mod_env.html#setenv">SetEnv</a></li><li><a href="mod_setenvif.html#setenvif">SetEnvIf</a></li><li><a href="mod_setenvif.html#setenvifnocase">SetEnvIfNoCase</a></li><li><a href="core.html#sethandler">SetHandler</a></li><li><a href="core.html#setinputfilter">SetInputFilter</a></li><li><a href="core.html#setoutputfilter">SetOutputFilter</a></li><li><a href="mod_include.html#ssiendtag">SSIEndTag</a></li><li><a href="mod_include.html#ssierrormsg">SSIErrorMsg</a></li><li><a href="mod_include.html#ssistarttag">SSIStartTag</a></li><li><a href="mod_include.html#ssitimeformat">SSITimeFormat</a></li><li><a href="mod_include.html#ssiundefinedecho">SSIUndefinedEcho</a></li><li><a href="mod_ssl.html#sslcacertificatefile">SSLCACertificateFile</a></li><li><a href="mod_ssl.html#sslcacertificatepath">SSLCACertificatePath</a></li><li><a href="mod_ssl.html#sslcarevocationfile">SSLCARevocationFile</a></li><li><a href="mod_ssl.html#sslcarevocationpath">SSLCARevocationPath</a></li><li><a href="mod_ssl.html#sslcertificatechainfile">SSLCertificateChainFile</a></li><li><a href="mod_ssl.html#sslcertificatefile">SSLCertificateFile</a></li><li><a href="mod_ssl.html#sslcertificatekeyfile">SSLCertificateKeyFile</a></li><li><a href="mod_ssl.html#sslciphersuite">SSLCipherSuite</a></li><li><a href="mod_ssl.html#sslengine">SSLEngine</a></li><li><a href="mod_ssl.html#sslmutex">SSLMutex</a></li><li><a href="mod_ssl.html#ssloptions">SSLOptions</a></li><li><a href="mod_ssl.html#sslpassphrasedialog">SSLPassPhraseDialog</a></li><li><a href="mod_ssl.html#sslprotocol">SSLProtocol</a></li><li><a href="mod_ssl.html#sslproxycacertificatefile">SSLProxyCACertificateFile</a></li><li><a href="mod_ssl.html#sslproxycacertificatepath">SSLProxyCACertificatePath</a></li><li><a href="mod_ssl.html#sslproxycarevocationfile">SSLProxyCARevocationFile</a></li><li><a href="mod_ssl.html#sslproxycarevocationpath">SSLProxyCARevocationPath</a></li><li><a href="mod_ssl.html#sslproxyciphersuite">SSLProxyCipherSuite</a></li><li><a href="mod_ssl.html#sslproxyengine">SSLProxyEngine</a></li><li><a href="mod_ssl.html#sslproxymachinecertificatefile">SSLProxyMachineCertificateFile</a></li><li><a href="mod_ssl.html#sslproxymachinecertificatepath">SSLProxyMachineCertificatePath</a></li><li><a href="mod_ssl.html#sslproxyprotocol">SSLProxyProtocol</a></li><li><a href="mod_ssl.html#sslproxyverify">SSLProxyVerify</a></li><li><a href="mod_ssl.html#sslproxyverifydepth">SSLProxyVerifyDepth</a></li><li><a href="mod_ssl.html#sslrandomseed">SSLRandomSeed</a></li><li><a href="mod_ssl.html#sslrequire">SSLRequire</a></li><li><a href="mod_ssl.html#sslrequiressl">SSLRequireSSL</a></li><li><a href="mod_ssl.html#sslsessioncache">SSLSessionCache</a></li><li><a href="mod_ssl.html#sslsessioncachetimeout">SSLSessionCacheTimeout</a></li><li><a href="mod_ssl.html#sslverifyclient">SSLVerifyClient</a></li><li><a href="mod_ssl.html#sslverifydepth">SSLVerifyDepth</a></li><li><a href="mpm_common.html#startservers">StartServers</a></li><li><a href="mpm_common.html#startthreads">StartThreads</a></li><li><a href="mod_suexec.html#suexecusergroup">SuexecUserGroup</a></li><li><a href="mpm_common.html#threadlimit">ThreadLimit</a></li><li><a href="mpm_common.html#threadsperchild">ThreadsPerChild</a></li><li><a href="mpm_netware.html#threadstacksize">ThreadStackSize</a></li><li><a href="core.html#timeout">TimeOut</a></li><li><a href="mod_log_config.html#transferlog">TransferLog</a></li><li><a href="mod_mime.html#typesconfig">TypesConfig</a></li><li><a href="mod_env.html#unsetenv">UnsetEnv</a></li><li><a href="core.html#usecanonicalname">UseCanonicalName</a></li><li><a href="mpm_common.html#user">User</a></li><li><a href="mod_userdir.html#userdir">UserDir</a></li><li><a href="mod_vhost_alias.html#virtualdocumentroot">VirtualDocumentRoot</a></li><li><a href="mod_vhost_alias.html#virtualdocumentrootip">VirtualDocumentRootIP</a></li><li><a href="core.html#virtualhost">VirtualHost</a></li><li><a href="mod_vhost_alias.html#virtualscriptalias">VirtualScriptAlias</a></li><li><a href="mod_vhost_alias.html#virtualscriptaliasip">VirtualScriptAliasIP</a></li><li><a href="mod_include.html#xbithack">XBitHack</a></li></ul></blockquote><hr><h3 align="center">Apache HTTP Server Version 2.0</h3><a href="./"><img src="../images/index.gif" alt="Index"></a><a href="../"><img src="../images/home.gif" alt="Home"></a></body></html>
\ No newline at end of file
+ <ul><li><a href="prefork.html#acceptmutex">AcceptMutex</a></li><li><a href="core.html#acceptpathinfo">AcceptPathInfo</a></li><li><a href="core.html#accessfilename">AccessFileName</a></li><li><a href="mod_actions.html#action">Action</a></li><li><a href="mod_autoindex.html#addalt">AddAlt</a></li><li><a href="mod_autoindex.html#addaltbyencoding">AddAltByEncoding</a></li><li><a href="mod_autoindex.html#addaltbytype">AddAltByType</a></li><li><a href="mod_mime.html#addcharset">AddCharset</a></li><li><a href="core.html#adddefaultcharset">AddDefaultCharset</a></li><li><a href="mod_autoindex.html#adddescription">AddDescription</a></li><li><a href="mod_mime.html#addencoding">AddEncoding</a></li><li><a href="mod_mime.html#addhandler">AddHandler</a></li><li><a href="mod_autoindex.html#addicon">AddIcon</a></li><li><a href="mod_autoindex.html#addiconbyencoding">AddIconByEncoding</a></li><li><a href="mod_autoindex.html#addiconbytype">AddIconByType</a></li><li><a href="mod_mime.html#addinputfilter">AddInputFilter</a></li><li><a href="mod_mime.html#addlanguage">AddLanguage</a></li><li><a href="mod_info.html#addmoduleinfo">AddModuleInfo</a></li><li><a href="mod_mime.html#addoutputfilter">AddOutputFilter</a></li><li><a href="mod_mime.html#addtype">AddType</a></li><li><a href="mod_alias.html#alias">Alias</a></li><li><a href="mod_alias.html#aliasmatch">AliasMatch</a></li><li><a href="mod_access.html#allow">Allow</a></li><li><a href="mod_proxy.html#allowconnect">AllowCONNECT</a></li><li><a href="core.html#allowoverride">AllowOverride</a></li><li><a href="mod_auth_anon.html#anonymous">Anonymous</a></li><li><a href="mod_auth_anon.html#anonymous_authoritative">Anonymous_Authoritative</a></li><li><a href="mod_auth_anon.html#anonymous_logemail">Anonymous_LogEmail</a></li><li><a href="mod_auth_anon.html#anonymous_mustgiveemail">Anonymous_MustGiveEmail</a></li><li><a href="mod_auth_anon.html#anonymous_nouserid">Anonymous_NoUserID</a></li><li><a href="mod_auth_anon.html#anonymous_verifyemail">Anonymous_VerifyEmail</a></li><li><a href="perchild.html#assignuserid">AssignUserId</a></li><li><a href="mod_auth.html#authauthoritative">AuthAuthoritative</a></li><li><a href="mod_auth_dbm.html#authdbmauthoritative">AuthDBMAuthoritative</a></li><li><a href="mod_auth_dbm.html#authdbmgroupfile">AuthDBMGroupFile</a></li><li><a href="mod_auth_dbm.html#authdbmtype">AuthDBMType</a></li><li><a href="mod_auth_dbm.html#authdbmuserfile">AuthDBMUserFile</a></li><li><a href="mod_auth_digest.html#authdigestalgorithm">AuthDigestAlgorithm</a></li><li><a href="mod_auth_digest.html#authdigestdomain">AuthDigestDomain</a></li><li><a href="mod_auth_digest.html#authdigestfile">AuthDigestFile</a></li><li><a href="mod_auth_digest.html#authdigestgroupfile">AuthDigestGroupFile</a></li><li><a href="mod_auth_digest.html#authdigestnccheck">AuthDigestNcCheck</a></li><li><a href="mod_auth_digest.html#authdigestnonceformat">AuthDigestNonceFormat</a></li><li><a href="mod_auth_digest.html#authdigestnoncelifetime">AuthDigestNonceLifetime</a></li><li><a href="mod_auth_digest.html#authdigestqop">AuthDigestQop</a></li><li><a href="mod_auth.html#authgroupfile">AuthGroupFile</a></li><li><a href="
mod_auth_ldap.html#authldapauthoritative">AuthLDAPAuthoritative</a></li><li><a href="mod_auth_ldap.html#authldapbinddn">AuthLDAPBindDN</a></li><li><a href="mod_auth_ldap.html#authldapbindpassword">AuthLDAPBindPassword</a></li><li><a href="mod_auth_ldap.html#authldapcomparednonserver">AuthLDAPCompareDNOnServer</a></li><li><a href="mod_auth_ldap.html#authldapdereferencealiases">AuthLDAPDereferenceAliases</a></li><li><a href="mod_auth_ldap.html#authldapenabled directive">AuthLDAPEnabled directive</a></li><li><a href="mod_auth_ldap.html#authldapfrontpagehack">AuthLDAPFrontPageHack</a></li><li><a href="mod_auth_ldap.html#authldapgroupattribute">AuthLDAPGroupAttribute</a></li><li><a href="mod_auth_ldap.html#authldapgroupattributeisdn">AuthLDAPGroupAttributeIsDN</a></li><li><a href="mod_auth_ldap.html#authldapremoteuserisdn">AuthLDAPRemoteUserIsDN</a></li><li><a href="mod_auth_ldap.html#authldapstarttls directive">AuthLDAPStartTLS directive</a></li><li><a href="mod_auth_ldap.html#authldapurl">AuthLDAPUrl</a></li><li><a href="core.html#authname">AuthName</a></li><li><a href="core.html#authtype">AuthType</a></li><li><a href="mod_auth.html#authuserfile">AuthUserFile</a></li><li><a href="mod_setenvif.html#browsermatch">BrowserMatch</a></li><li><a href="mod_setenvif.html#browsermatchnocase">BrowserMatchNoCase</a></li><li><a href="mod_cache.html#cachedefaultexpire">CacheDefaultExpire</a></li><li><a href="mod_cache.html#cachedisable">CacheDisable</a></li><li><a href="mod_cache.html#cacheenable">CacheEnable</a></li><li><a href="mod_file_cache.html#cachefile">CacheFile</a></li><li><a href="mod_cache.html#cacheforcecompletion">CacheForceCompletion</a></li><li><a href="mod_cache.html#cacheforcecompletion">CacheForceCompletion</a></li><li><a href="mod_cache.html#cacheignorecachecontrol">CacheIgnoreCacheControl</a></li><li><a href="mod_cache.html#cacheignorenolastmod">CacheIgnoreNoLastMod</a></li><li><a href="mod_cache.html#cachelastmodifiedfactor">CacheLastModifiedFactor</a></li><li><a href="mod_cache.html#cachemaxexpire">CacheMaxExpire</a></li><li><a href="mod_negotiation.html#cachenegotiateddocs">CacheNegotiatedDocs</a></li><li><a href="core.html#cgimapextension">CGIMapExtension</a></li><li><a href="mod_charset_lite.html#charsetdefault">CharsetDefault</a></li><li><a href="mod_charset_lite.html#charsetoptions">CharsetOptions</a></li><li><a href="mod_charset_lite.html#charsetsourceenc">CharsetSourceEnc</a></li><li><a href="mod_speling.html#checkspelling">CheckSpelling</a></li><li><a href="perchild.html#childperuserid">ChildPerUserId</a></li><li><a href="core.html#contentdigest">ContentDigest</a></li><li><a href="mod_usertrack.html#cookiedomain">CookieDomain</a></li><li><a href="mod_usertrack.html#cookieexpires">CookieExpires</a></li><li><a href="mod_log_config.html#cookielog">CookieLog</a></li><li><a href="mod_usertrack.html#cookiename">CookieName</a></li><li><a href="mod_usertrack.html#cookiestyle">CookieStyle</a></li><li><a href="mod_usertrack.html#cookietracking">CookieTracking</a></li><li><a href="mpm_common.html#coredumpdirectory">CoreDumpDirectory</a></li><li><a href="mod_log_config.html#customlog">CustomLog</a></li><li><a href="mod_dav.html#dav">Dav</a></li><li><a href="mod_dav.html#davdepthinfinity">DavDepthInfinity</a></li><li><a href="mod_dav.html#davlockdb">DavLockDB</a></li><li><a href="mod_dav.html#davmintimeout">DavMinTimeout</a></li><li><a href="mod_autoindex.html#defaulticon">DefaultIcon</a></li><li><a href="mod_mime.html#defaultlanguage">DefaultLanguage</a></li><li><a href="core.html#defaulttype">DefaultType</a></li><li><a href="mod_deflate.html#deflatebuffersize">DeflateBufferSize</a></li><li><a href="mod_deflate.html#deflatefilternote">DeflateFilterNote</a></li><li><a href="mod_deflate.html#deflatememlevel">DeflateMemLevel</a></li><li><a href="mod_deflate.html#deflatewindowsize">DeflateWindowSize</a></li><li><a href="mod_access.html#deny">Deny</a></li><li><a href="core.html#directory">Directory</a></li><li><a href="mod_dir.html#directoryindex">DirectoryIndex</a></li><li><a href="core.html#directorymatch">DirectoryMatch</a></li><li><a href="core.html#documentroot">DocumentRoot</a></li><li><a href="core.html#enablemmap">EnableMMAP</a></li><li><a href="core.html#errordocument">ErrorDocument</a></li><li><a href="core.html#errorlog">ErrorLog</a></li><li><a href="mod_example.html#example">Example</a></li><li><a href="mod_expires.html#expiresactive">ExpiresActive</a></li><li><a href="mod_expires.html#expiresbytype">ExpiresByType</a></li><li><a href="mod_expires.html#expiresdefault">ExpiresDefault</a></li><li><a href="mod_status.html#extendedstatus">ExtendedStatus</a></li><li><a href="mod_ext_filter.html#extfilterdefine">ExtFilterDefine</a></li><li><a href="mod_ext_filter.html#extfilteroptions">ExtFilterOptions</a></li><li><a href="core.html#fileetag">FileETag</a></li><li><a href="core.html#files">Files</a></li><li><a href="core.html#filesmatch">FilesMatch</a></li><li><a href="mod_negotiation.html#forcelanguagepriority">ForceLanguagePriority</a></li><li><a href="core.html#forcetype">ForceType</a></li><li><a href="mpm_common.html#group">Group</a></li><li><a href="mod_headers.html#header">Header</a></li><li><a href="mod_autoindex.html#headername">HeaderName</a></li><li><a href="core.html#hostnamelookups">HostnameLookups</a></li><li><a href="core.html#identitycheck">IdentityCheck</a></li><li><a href="core.html#ifdefine">IfDefine</a></li><li><a href="core.html#ifmodule">IfModule</a></li><li><a href="mod_imap.html#imapbase">ImapBase</a></li><li><a href="mod_imap.html#imapdefault">ImapDefault</a></li><li><a href="mod_imap.html#imapmenu">ImapMenu</a></li><li><a href="core.html#include">Include</a></li><li><a href="mod_autoindex.html#indexignore">IndexIgnore</a></li><li><a href="mod_autoindex.html#indexoptions">IndexOptions</a></li><li><a href="mod_autoindex.html#indexorderdefault">IndexOrderDefault</a></li><li><a href="mod_isapi.html#isapiappendlogtoerrors">ISAPIAppendLogToErrors</a></li><li><a href="mod_isapi.html#isapiappendlogtoquery">ISAPIAppendLogToQuery</a></li><li><a href="mod_isapi.html#isapicachefile">ISAPICacheFile</a></li><li><a href="mod_isapi.html#isapifakeasync">ISAPIFakeAsync</a></li><li><a href="mod_isapi.html#isapilognotsupported">ISAPILogNotSupported</a></li><li><a href="mod_isapi.html#isapireadaheadbuffer">ISAPIReadAheadBuffer</a></li><li><a href="core.html#keepalive">KeepAlive</a></li><li><a href="core.html#keepalivetimeout">KeepAliveTimeout</a></li><li><a href="mod_negotiation.html#languagepriority">LanguagePriority</a></li><li><a href="core.html#limit">Limit</a></li><li><a href="core.html#limitexcept">LimitExcept</a></li><li><a href="core.html#limitrequestbody">LimitRequestBody</a></li><li><a href="core.html#limitrequestfields">LimitRequestFields</a></li><li><a href="core.html#limitrequestfieldsize">LimitRequestFieldSize</a></li><li><a href="core.html#limitrequestline">LimitRequestLine</a></li><li><a href="core.html#limitxmlrequestbody">LimitXMLRequestBody</a></li><li><a href="mpm_common.html#listen">Listen</a></li><li><a href="mpm_common.html#listenbacklog">ListenBackLog</a></li><li><a href="mod_so.html#loadfile">LoadFile</a></li><li><a href="mod_so.html#loadmodule">LoadModule</a></li><li><a href="core.html#location">Location</a></li><li><a href="core.html#locationmatch">LocationMatch</a></li><li><a href="mpm_common.html#lockfile">LockFile</a></li><li><a href="mod_log_config.html#logformat">LogFormat</a></li><li><a href="core.html#loglevel">LogLevel</a></li><li><a href="mpm_common.html#maxclients">MaxClients</a></li><li><a href="core.html#maxkeepaliverequests">MaxKeepAliveRequests</a></li><li><a href="mpm_common.html#maxrequestsperchild">MaxRequestsPerChild</a></li><li><a href="prefork.html#maxspareservers">MaxSpareServers</a></li><li><a href="mpm_common.html#maxsparethreads">MaxSpareThreads</a></li><li><a href="mpm_netware.html#maxthreads">MaxThreads</a></li><li><a href="mpm_common.html#maxthreadsperchild">MaxThreadsPerChild</a></li><li><a href="mod_cern_meta.html#metadir">MetaDir</a></li><li><a href="mod_cern_meta.html#metafiles">MetaFiles</a></li><li><a href="mod_cern_meta.html#metasuffix">MetaSuffix</a></li><li><a href="mod_mime_magic.html#mimemagicfile">MimeMagicFile</a></li><li><a href="prefork.html#minspareservers">MinSpareServers</a></li><li><a href="mpm_common.html#minsparethreads">MinSpareThreads</a></li><li><a href="mod_file_cache.html#mmapfile">MMapFile</a></li><li><a href="mod_mime.html#multiviewsmatch">MultiviewsMatch</a></li><li><a href="core.html#namevirtualhost">NameVirtualHost</a></li><li><a href="mod_proxy.html#noproxy">NoProxy</a></li><li><a href="mpm_common.html#numservers">NumServers</a></li><li><a href="core.html#options">Options</a></li><li><a href="mod_access.html#order">Order</a></li><li><a href="mod_env.html#passenv">PassEnv</a></li><li><a href="mpm_common.html#pidfile">PidFile</a></li><li><a href="mod_echo.html#protocolecho">ProtocolEcho</a></li><li><a href="mod_proxy.html#proxy">Proxy</a></li><li><a href="mod_proxy.html#proxyblock">ProxyBlock</a></li><li><a href="mod_proxy.html#proxydomain">ProxyDomain</a></li><li><a href="mod_proxy.html#proxyerroroverride">ProxyErrorOverride</a></li><li><a href="mod_proxy.html#proxyiobuffersize">ProxyIOBufferSize</a></li><li><a href="mod_proxy.html#proxymatch">ProxyMatch</a></li><li><a href="mod_proxy.html#proxymaxforwards">ProxyMaxForwards</a></li><li><a href="mod_proxy.html#proxypass">ProxyPass</a></li><li><a href="mod_proxy.html#proxypassreverse">ProxyPassReverse</a></li><li><a href="mod_proxy.html#proxypreservehost">ProxyPreserveHost</a></li><li><a href="mod_proxy.html#proxyreceivebuffersize">ProxyReceiveBufferSize</a></li><li><a href="mod_proxy.html#proxyremote">ProxyRemote</a></li><li><a href="mod_proxy.html#proxyremotematch">ProxyRemoteMatch</a></li><li><a href="mod_proxy.html#proxyrequests">ProxyRequests</a></li><li><a href="mod_proxy.html#proxytimeout">ProxyTimeout</a></li><li><a href="mod_proxy.html#proxyvia">ProxyVia</a></li><li><a href="mod_autoindex.html#readmename">ReadmeName</a></li><li><a href="mod_alias.html#redirect">Redirect</a></li><li><a href="mod_alias.html#redirectmatch">RedirectMatch</a></li><li><a href="mod_alias.html#redirectpermanent">RedirectPermanent</a></li><li><a href="mod_alias.html#redirecttemp">RedirectTemp</a></li><li><a href="mod_mime.html#removecharset">RemoveCharset</a></li><li><a href="mod_mime.html#removeencoding">RemoveEncoding</a></li><li><a href="mod_mime.html#removehandler">RemoveHandler</a></li><li><a href="mod_mime.html#removeinputfilter">RemoveInputFilter</a></li><li><a href="mod_mime.html#removelanguage">RemoveLanguage</a></li><li><a href="mod_mime.html#removeoutputfilter">RemoveOutputFilter</a></li><li><a href="mod_mime.html#removetype">RemoveType</a></li><li><a href="mod_headers.html#requestheader">RequestHeader</a></li><li><a href="core.html#require">Require</a></li><li><a href="mod_rewrite.html#rewritebase">RewriteBase</a></li><li><a href="mod_rewrite.html#rewritecond">RewriteCond</a></li><li><a href="mod_rewrite.html#rewriteengine">RewriteEngine</a></li><li><a href="mod_rewrite.html#rewritelock">RewriteLock</a></li><li><a href="mod_rewrite.html#rewritelog">RewriteLog</a></li><li><a href="mod_rewrite.html#rewriteloglevel">RewriteLogLevel</a></li><li><a href="mod_rewrite.html#rewritemap">RewriteMap</a></li><li><a href="mod_rewrite.html#rewriteoptions">RewriteOptions</a></li><li><a href="mod_rewrite.html#rewriterule">RewriteRule</a></li><li><a href="core.html#rlimitcpu">RLimitCPU</a></li><li><a href="core.html#rlimitmem">RLimitMEM</a></li><li><a href="core.html#rlimitnproc">RLimitNPROC</a></li><li><a href="core.html#satisfy">Satisfy</a></li><li><a href="mpm_common.html#scoreboardfile">ScoreBoardFile</a></li><li><a href="mod_actions.html#script">Script</a></li><li><a href="mod_alias.html#scriptalias">ScriptAlias</a></li><li><a href="mod_alias.html#scriptaliasmatch">ScriptAliasMatch</a></li><li><a href="core.html#scriptinterpretersource">ScriptInterpreterSource</a></li><li><a href="mod_cgi.html#scriptlog">ScriptLog</a></li><li><a href="mod_cgi.html#scriptlogbuffer">ScriptLogBuffer</a></li><li><a href="mod_cgi.html#scriptloglength">ScriptLogLength</a></li><li><a href="mod_cgid.html#scriptsock">ScriptSock</a></li><li><a href="mpm_common.html#sendbuffersize">SendBufferSize</a></li><li><a href="core.html#serveradmin">ServerAdmin</a></li><li><a href="core.html#serveralias">ServerAlias</a></li><li><a href="mpm_common.html#serverlimit">ServerLimit</a></li><li><a href="core.html#servername">ServerName</a></li><li><a href="core.html#serverpath">ServerPath</a></li><li><a href="core.html#serverroot">ServerRoot</a></li><li><a href="core.html#serversignature">ServerSignature</a></li><li><a href="core.html#servertokens">ServerTokens</a></li><li><a href="mod_env.html#setenv">SetEnv</a></li><li><a href="mod_setenvif.html#setenvif">SetEnvIf</a></li><li><a href="mod_setenvif.html#setenvifnocase">SetEnvIfNoCase</a></li><li><a href="core.html#sethandler">SetHandler</a></li><li><a href="core.html#setinputfilter">SetInputFilter</a></li><li><a href="core.html#setoutputfilter">SetOutputFilter</a></li><li><a href="mod_include.html#ssiendtag">SSIEndTag</a></li><li><a href="mod_include.html#ssierrormsg">SSIErrorMsg</a></li><li><a href="mod_include.html#ssistarttag">SSIStartTag</a></li><li><a href="mod_include.html#ssitimeformat">SSITimeFormat</a></li><li><a href="mod_include.html#ssiundefinedecho">SSIUndefinedEcho</a></li><li><a href="mod_ssl.html#sslcacertificatefile">SSLCACertificateFile</a></li><li><a href="mod_ssl.html#sslcacertificatepath">SSLCACertificatePath</a></li><li><a href="mod_ssl.html#sslcarevocationfile">SSLCARevocationFile</a></li><li><a href="mod_ssl.html#sslcarevocationpath">SSLCARevocationPath</a></li><li><a href="mod_ssl.html#sslcertificatechainfile">SSLCertificateChainFile</a></li><li><a href="mod_ssl.html#sslcertificatefile">SSLCertificateFile</a></li><li><a href="mod_ssl.html#sslcertificatekeyfile">SSLCertificateKeyFile</a></li><li><a href="mod_ssl.html#sslciphersuite">SSLCipherSuite</a></li><li><a href="mod_ssl.html#sslengine">SSLEngine</a></li><li><a href="mod_ssl.html#sslmutex">SSLMutex</a></li><li><a href="mod_ssl.html#ssloptions">SSLOptions</a></li><li><a href="mod_ssl.html#sslpassphrasedialog">SSLPassPhraseDialog</a></li><li><a href="mod_ssl.html#sslprotocol">SSLProtocol</a></li><li><a href="mod_ssl.html#sslproxycacertificatefile">SSLProxyCACertificateFile</a></li><li><a href="mod_ssl.html#sslproxycacertificatepath">SSLProxyCACertificatePath</a></li><li><a href="mod_ssl.html#sslproxycarevocationfile">SSLProxyCARevocationFile</a></li><li><a href="mod_ssl.html#sslproxycarevocationpath">SSLProxyCARevocationPath</a></li><li><a href="mod_ssl.html#sslproxyciphersuite">SSLProxyCipherSuite</a></li><li><a href="mod_ssl.html#sslproxyengine">SSLProxyEngine</a></li><li><a href="mod_ssl.html#sslproxymachinecertificatefile">SSLProxyMachineCertificateFile</a></li><li><a href="mod_ssl.html#sslproxymachinecertificatepath">SSLProxyMachineCertificatePath</a></li><li><a href="mod_ssl.html#sslproxyprotocol">SSLProxyProtocol</a></li><li><a href="mod_ssl.html#sslproxyverify">SSLProxyVerify</a></li><li><a href="mod_ssl.html#sslproxyverifydepth">SSLProxyVerifyDepth</a></li><li><a href="mod_ssl.html#sslrandomseed">SSLRandomSeed</a></li><li><a href="mod_ssl.html#sslrequire">SSLRequire</a></li><li><a href="mod_ssl.html#sslrequiressl">SSLRequireSSL</a></li><li><a href="mod_ssl.html#sslsessioncache">SSLSessionCache</a></li><li><a href="mod_ssl.html#sslsessioncachetimeout">SSLSessionCacheTimeout</a></li><li><a href="mod_ssl.html#sslverifyclient">SSLVerifyClient</a></li><li><a href="mod_ssl.html#sslverifydepth">SSLVerifyDepth</a></li><li><a href="mpm_common.html#startservers">StartServers</a></li><li><a href="mpm_common.html#startthreads">StartThreads</a></li><li><a href="mod_suexec.html#suexecusergroup">SuexecUserGroup</a></li><li><a href="mpm_common.html#threadlimit">ThreadLimit</a></li><li><a href="mpm_common.html#threadsperchild">ThreadsPerChild</a></li><li><a href="mpm_netware.html#threadstacksize">ThreadStackSize</a></li><li><a href="core.html#timeout">TimeOut</a></li><li><a href="mod_log_config.html#transferlog">TransferLog</a></li><li><a href="mod_mime.html#typesconfig">TypesConfig</a></li><li><a href="mod_env.html#unsetenv">UnsetEnv</a></li><li><a href="core.html#usecanonicalname">UseCanonicalName</a></li><li><a href="mpm_common.html#user">User</a></li><li><a href="mod_userdir.html#userdir">UserDir</a></li><li><a href="mod_vhost_alias.html#virtualdocumentroot">VirtualDocumentRoot</a></li><li><a href="mod_vhost_alias.html#virtualdocumentrootip">VirtualDocumentRootIP</a></li><li><a href="core.html#virtualhost">VirtualHost</a></li><li><a href="mod_vhost_alias.html#virtualscriptalias">VirtualScriptAlias</a></li><li><a href="mod_vhost_alias.html#virtualscriptaliasip">VirtualScriptAliasIP</a></li><li><a href="mod_include.html#xbithack">XBitHack</a></li></ul></blockquote><hr><h3 align="center">Apache HTTP Server Version 2.0</h3><a href="./"><img src="../images/index.gif" alt="Index"></a><a href="../"><img src="../images/home.gif" alt="Home"></a></body></html>
\ No newline at end of file
HTTP headers</dd><dt><a href="mod_auth.html">mod_auth</a></dt><dd>User authentication using text files</dd><dt><a href="mod_auth_anon.html">mod_auth_anon</a></dt><dd>Allows "anonymous" user access to authenticated
areas</dd><dt><a href="mod_auth_dbm.html">mod_auth_dbm</a></dt><dd>Provides for user authentication using DBM
files</dd><dt><a href="mod_auth_digest.html">mod_auth_digest</a></dt><dd>User authentication using MD5
- Digest Authentication.</dd><dt><a href="mod_autoindex.html">mod_autoindex</a></dt><dd>Generates directory indexes,
+ Digest Authentication.</dd><dt><a href="mod_auth_ldap.html">mod_auth_ldap</a></dt><dd>Allows an LDAP directory to be used to store the database
+for HTTP Basic authentication.</dd><dt><a href="mod_autoindex.html">mod_autoindex</a></dt><dd>Generates directory indexes,
automatically, similar to the Unix <em>ls</em> command or the
Win32 <em>dir</em> shell command</dd><dt><a href="mod_cache.html">mod_cache</a></dt><dd>Content cache keyed to URIs.</dd><dt><a href="mod_cern_meta.html">mod_cern_meta</a></dt><dd>CERN httpd metafile semantics</dd><dt><a href="mod_cgi.html">mod_cgi</a></dt><dd>Execution of CGI scripts</dd><dt><a href="mod_cgid.html">mod_cgid</a></dt><dd>Execution of CGI scripts using an
external CGI daemon</dd><dt><a href="mod_charset_lite.html">mod_charset_lite</a></dt><dd>Specify character set translation or recoding</dd><dt><a href="mod_dav.html">mod_dav</a></dt><dd>Distributed Authoring and Versioning
+++ /dev/null
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
- "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-
-<html xmlns="http://www.w3.org/1999/xhtml">
- <head>
- <meta name="generator" content="HTML Tidy, see www.w3.org" />
-
- <title>Apache module mod_ldap</title>
- <!--
- Copyright (C) 2000,2001 Dave Carrigan <dave@rudedog.org>
- Copyright (C) 2001-2002 The Apache Software Foundation
- -->
- </head>
- <!-- Background white, links blue (unvisited), navy (visited), red (active) -->
-
- <body bgcolor="#FFFFFF" text="#000000" link="#0000FF"
- vlink="#000080" alink="#FF0000">
- <!--#include virtual="header.html" -->
-
- <h1 align="CENTER">Module mod_auth_ldap</h1>
-
- <p>This is an authentication module that allows Apache to
- authenticate HTTP clients using user entries in an LDAP
- directory.</p>
-
- <p><a href="module-dict.html#Status"
- rel="Help"><strong>Status:</strong></a> Extension<br />
- <a href="module-dict.html#SourceFile"
- rel="Help"><strong>Source File:</strong></a> util_ldap.c<br />
- <a href="module-dict.html#ModuleIdentifier"
- rel="Help"><strong>Module Identifier:</strong></a>
- ldap_module<br />
- <a href="module-dict.html#Compatibility"
- rel="Help"><strong>Compatibility:</strong></a> Available in
- Apache 2.0 and later.</p>
-
- <h2>Summary</h2>
-
- <p>mod_auth_ldap supports the following features:</p>
-
- <ul>
- <li>Known to support the <a
- href="http://www.openldap.org/">OpenLDAP SDK</a> (both 1.x
- and 2.x), and the <a
- href="http://www.iplanet.com/downloads/developer/">iPlanet
- (Netscape)</a> SDK.</li>
-
- <li>Complex authorization policies can be implemented by
- representing the policy with LDAP filters.</li>
-
- <li>Support for Microsoft FrontPage allows FrontPage users to
- control access to their webs, while retaining LDAP for user
- authentication.</li>
-
- <li>Uses extensive caching of LDAP operations via <a
- href="mod_ldap.html">mod_ldap</a>.</li>
-
- <li>Support for LDAP over SSL (requires the Netscape SDK) or
- TLS (requires the OpenLDAP 2.x SDK).</li>
- </ul>
-
- <h2>Directives</h2>
-
- <ul>
- <li><a
- href="#AuthLDAPAuthoritative">AuthLDAPAuthoritative</a></li>
-
- <li><a href="#AuthLDAPBindDN">AuthLDAPBindDN</a></li>
-
- <li><a
- href="#AuthLDAPBindPassword">AuthLDAPBindPassword</a></li>
-
- <li><a
- href="#AuthLDAPCompareDNOnServer">AuthLDAPCompareDNOnServer</a></li>
-
- <li><a
- href="#AuthLDAPDereferenceAliases">AuthLDAPDereferenceAliases</a></li>
-
- <li><a href="#AuthLDAPEnabled">AuthLDAPEnabled</a></li>
-
- <li><a
- href="#AuthLDAPFrontPageHack">AuthLDAPFrontPageHack</a></li>
-
- <li><a
- href="#AuthLDAPGroupAttribute">AuthLDAPGroupAttribute</a></li>
-
- <li><a
- href="#AuthLDAPGroupAttributeIsDN">AuthLDAPGroupAttributeIsDN</a></li>
-
- <li><a
- href="#AuthLDAPRemoteUserIsDN">AuthLDAPRemoteUserIsDN</a></li>
-
- <li><a href="#AuthLDAPStartTLS">AuthLDAPStartTLS</a></li>
-
- <li><a href="#AuthLDAPUrl">AuthLDAPUrl</a></li>
- </ul>
-
- <h2>Contents</h2>
-
- <ul>
- <li>
- <a href="#operation">Operation</a>
-
- <ul>
- <li><a href="#authenphase">The Authentication
- Phase</a></li>
-
- <li><a href="#authorphase">The Authorization
- Phase</a></li>
- </ul>
- </li>
-
- <li>
- <a href="#requiredirectives">The require Directives</a>
-
- <ul>
- <li><a href="#reqvaliduser">require valid-user</a></li>
-
- <li><a href="#requser">require user</a></li>
-
- <li><a href="#reqgroup">require group</a></li>
-
- <li><a href="#reqdn">require dn</a></li>
- </ul>
- </li>
-
- <li><a href="#examples">Examples</a></li>
-
- <li><a href="#usingtls">Using TLS</a></li>
-
- <li><a href="#usingssl">Using SSL</a></li>
-
- <li>
- <a href="#frontpage">Using Microsoft FrontPage with
- mod_auth_ldap</a>
-
- <ul>
- <li><a href="#howitworks">How It Works</a></li>
-
- <li><a href="#fpcaveats">Caveats</a></li>
- </ul>
- </li>
- </ul>
-
- <h2><a id="operation" name="operation">Operation</a></h2>
-
- <p>There are two phases in granting access to a user. The first
- phase is authentication, in which mod_auth_ldap verifies that
- the user's credentials are valid. This also called the
- <em><b>search/bind</b></em> phase. The second phase is
- authorization, in which mod_auth_ldap determines if the
- authenticated user is allowed access to the resource in
- question. This is also known as the <em><b>compare</b></em>
- phase.</p>
-
- <h3><a id="authenphase" name="authenphase">The Authentication
- Phase</a></h3>
-
- <p>During the authentication phase, mod_auth_ldap searches for
- an entry in the directory that matches the username that the
- HTTP client passes. If a single unique match is found, then
- mod_auth_ldap attempts to bind to the directory server using
- the DN of the entry plus the password provided by the HTTP
- client. Because it does a search, then a bind, it is often
- referred to as the search/bind phase. Here are the steps taken
- during the search/bind phase.</p>
-
- <ol>
- <li>Generate a search filter by combining the attribute and
- filter provided in the <a
- href="#AuthLDAPURL"><tt>AuthLDAPURL</tt></a> directive with
- the username passed by the HTTP client.</li>
-
- <li>Search the directory using the generated filter. If the
- search does not return exactly one entry, deny or decline
- access.</li>
-
- <li>Fetch the distinguished name of the entry retrieved from
- the search and attempt to bind to the LDAP server using the
- DN and the password passed by the HTTP client. If the bind is
- unsuccessful, deny or decline access.</li>
- </ol>
-
- <p>The following directives are used during the search/bind
- phase</p>
-
- <table border="0" bgcolor="#ffffff">
- <tr valign="top">
- <td colspan="1" align="left"><a
- href="#AuthLDAPURL">AuthLDAPURL</a> </td>
-
- <td colspan="1" align="left">Specifies the LDAP server, the
- base DN, the attribute to use in the search, as well as the
- extra search filter to use.</td>
- </tr>
-
- <tr valign="top">
- <td colspan="1" align="left"><a
- href="#AuthLDAPBindDN">AuthLDAPBindDN</a> </td>
-
- <td colspan="1" align="left">An optional DN to bind with
- during the search phase.</td>
- </tr>
-
- <tr valign="top">
- <td colspan="1" align="left"><a
- href="#AuthLDAPBindPassword">AuthLDAPBindPassword</a> </td>
-
- <td colspan="1" align="left">An optional password to bind
- with during the search phase.</td>
- </tr>
- </table>
-
- <h3><a id="authorphase" name="authorphase">The Authorization
- Phase</a></h3>
-
- <p>During the authorization phase, mod_auth_ldap attempts to
- determine if the user is authorized to access the resource.
- Many of these checks require mod_auth_ldap to do a compare
- operation on the LDAP server. This is why this phase is often
- referred to as the compare phase. mod_auth_ldap accepts the
- following <a href="#requiredirectives"><tt>require</tt>
- directives</a> to determine if the credentials are
- acceptable:</p>
-
- <ul>
- <li>Grant access if there is a <a href="#requser"><tt>require
- valid-user</tt></a> directive.</li>
-
- <li>Grant access if there is a <a
- href="#reqgroup"><tt>require user</tt></a> directive, and the
- username in the directive matches the username passed by the
- client.</li>
-
- <li>Grant access if there is a <a href="#reqdn"><tt>require
- dn</tt></a> directive, and the DN in the directive matches
- the DN fetched from the LDAP directory.</li>
-
- <li>Grant access if there is a <a
- href="#reqgroup"><tt>require group</tt></a> directive, and
- the DN fetched from the LDAP directory (or the username
- passed by the client) occurs in the LDAP group.</li>
-
- <li>otherwise, deny or decline access</li>
- </ul>
-
- <p>mod_auth_ldap uses the following directives during the
- compare phase:</p>
-
- <table border="0" bgcolor="#ffffff">
- <tr>
- <td><a href="#AuthLDAPURL"><tt>AuthLDAPURL</tt></a> </td>
-
- <td colspan="1" align="left">The attribute specified in the
- URL is used in compare operations for the <tt>require
- user</tt> operation.</td>
- </tr>
-
- <tr>
- <td><a
- href="#AuthLDAPCompareDNOnServer"><tt>AuthLDAPCompareDNOnServer</tt></a>
- </td>
-
- <td colspan="1" align="left">Determines the behavior of the
- <tt>require dn</tt> directive.</td>
- </tr>
-
- <tr>
- <td><a
- href="#AuthLDAPGroupAttribute"><tt>AuthLDAPGroupAttribute</tt></a>
- </td>
-
- <td colspan="1" align="left">Determines the attribute to
- use for comparisons in the <tt>require group</tt>
- directive.</td>
- </tr>
-
- <tr>
- <td><a
- href="#AuthLDAPGroupAttributeIsDN"><tt>AuthLDAPGroupAttributeIsDN</tt></a>
- </td>
-
- <td colspan="1" align="left">Specifies whether to use the
- user DN or the username when doing comparisons for the
- <tt>require group</tt> directive.</td>
- </tr>
- </table>
-
- <h2><a id="requiredirectives" name="requiredirectives">The
- require Directives</a></h2>
-
- <p>Apache's <tt>require</tt> directives are used during the
- authorization phase to ensure that a user is allowed to access
- a resource.</p>
-
- <h3><a id="reqvaliduser" name="reqvaliduser">require
- valid-user</a></h3>
-
- <p>If this directive exists, mod_auth_ldap grants access to any
- user that has successfully authenticated during the search/bind
- phase.</p>
-
- <h3><a id="requser" name="requser">require user</a></h3>
-
- <p>The <tt>require user</tt> directive specifies what usernames
- can access the resource. Once mod_auth_ldap has retrieved a
- unique DN from the directory, it does an LDAP compare operation
- using the username specified in the <tt>require user</tt> to
- see if that username is part of the just-fetched LDAP entry.
- Multiple users can be granted access by putting multiple
- usernames on the line, separated with spaces. If a username has
- a space in it, then it must be the only user on the line. In
- this case, multiple users can be granted access by using
- multiple <tt>require user</tt> directives, with one user per
- line. For example, with a <tt>AuthLDAPURL</tt> of
- <i>ldap://ldap/o=Airius?cn</i> (i.e., <tt>cn</tt> is used for
- searches), the following require directives could be used to
- restrict access:</p>
-<pre>
-require user Barbara Jenson
-require user Fred User
-require user Joe Manager
-</pre>
-
- <p>Because of the way that mod_auth_ldap handles this
- directive, Barbara Jenson could sign on as <i>Barbara
- Jenson</i>, <i>Babs Jenson</i> or any other <tt>cn</tt> that
- she has in her LDAP entry. Only the single <tt>require
- user</tt> line is needed to support all values of the attribute
- in the user's entry.</p>
-
- <p>If the <tt>uid</tt> attribute was used instead of the
- <tt>cn</tt> attribute in the URL above, the above three lines
- could be condensed to</p>
-<pre>
-require user bjenson fuser jmanager
-</pre>
-
- <h3><a id="reqgroup" name="reqgroup">require group</a></h3>
-
- <p>This directive specifies an LDAP group whose members are
- allowed access. It takes the distinguished name of the LDAP
- group. For example, assume that the following entry existed in
- the LDAP directory:</p>
-<pre>
-dn: cn=Administrators, o=Airius
-objectClass: groupOfUniqueNames
-uniqueMember: cn=Barbara Jenson, o=Airius
-uniqueMember: cn=Fred User, o=Airius
-</pre>
-
- <p>The following directive would grant access to both Fred and
- Barbara:</p>
-<pre>
-require group cn=Administrators, o=Airius
-</pre>
-
- <p>Behavior of this directive is modified by the <a
- href="#AuthLDAPGroupAttribute"><tt>AuthLDAPGroupAttribute</tt></a>
- and <a
- href="#AuthLDAPGroupAttributeIsDN"><tt>AuthLDAPGroupAttributeIsDN</tt></a>
- directives.</p>
-
- <h3><a id="reqdn" name="reqdn">require dn</a></h3>
-
- <p>The <tt>require dn</tt> directive allows the administrator
- to grant access based on distinguished names. It specifies a DN
- that must match for access to be granted. If the distinguished
- name that was retrieved from the directory server matches the
- distinguished name in the <tt>require dn</tt>, then
- authorization is granted.</p>
-
- <p>The following directive would grant access to a specific
- DN:</p>
-<pre>
-require dn cn=Barbara Jenson, o=Airius
-</pre>
-
- <p>Behavior of this directive is modified by the <a
- href="#AuthLDAPCompareDNOnServer"><tt>AuthLDAPCompareDNOnServer</tt></a>
- directive.</p>
-
- <h2><a id="examples" name="examples">Examples</a></h2>
-
- <ul>
- <li>
- Grant access to anyone who exists in the LDAP directory,
- using their UID for searches.
-<pre>
-AuthLDAPURL ldap://ldap1.airius.com:389/ou=People, o=Airius?uid?sub?(objectClass=*)
-require valid-user
-</pre>
- </li>
-
- <li>
- The next example is the same as above; but with the fields
- that have useful defaults omitted. Also, note the use of a
- redundant LDAP server.
-<pre>
-AuthLDAPURL ldap://ldap1.airius.com ldap2.airius.com/ou=People, o=Airius
-require valid-user
-</pre>
- </li>
-
- <li>
- The next example is similar to the previous one, but is
- uses the common name instead of the UID. Note that this
- could be problematical if multiple people in the directory
- share the same <tt>cn</tt>, because a search on <tt>cn</tt>
- <em><b>must</b></em> return exactly one entry. That's why
- this approach is not recommended: it's a better idea to
- choose an attribute that is guaranteed unique in your
- directory, such as <tt>uid</tt>.
-<pre>
-AuthLDAPURL ldap://ldap.airius.com/ou=People, o=Airius?cn
-require valid-user
-</pre>
- </li>
-
- <li>
- Grant access to anybody in the Administrators group. The
- users must authenticate using their UID.
-<pre>
-AuthLDAPURL ldap://ldap.airius.com/o=Airius?uid
-require group cn=Administrators, o=Airius
-</pre>
- </li>
-
- <li>
- The next example assumes that everyone at Airius who
- carries an alphanumeric pager will have an LDAP attribute
- of <tt>qpagePagerID</tt>. The example will grant access
- only to people (authenticated via their UID) who have
- alphanumeric pagers:
-<pre>
-AuthLDAPURL ldap://ldap.airius.com/o=Airius?uid??(qpagePagerID=*)
-require valid-user
-</pre>
- </li>
-
- <li>
- <p>The next example demonstrates the power of using filters
- to accomplish complicated administrative requirements.
- Without filters, it would have been necessary to create a
- new LDAP group and ensure that the group's members remain
- synchronized with the pager users. This becomes trivial
- with filters. The goal is to grant access to anyone who has
- a filter, plus grant access to Joe Manager, who doesn't
- have a pager, but does need to access the same
- resource:</p>
-<pre>
-AuthLDAPURL ldap://ldap.airius.com/o=Airius?uid??(|(qpagePagerID=*)(uid=jmanager))
-require valid-user
-</pre>
-
- <p>This last may look confusing at first, so it helps to
- evaluate what the search filter will look like based on who
- connects, as shown below. The text in blue is the part that
- is filled in using the attribute specified in the URL. The
- text in red is the part that is filled in using the filter
- specified in the URL. The text in green is filled in using
- the information that is retrieved from the HTTP client. If
- Fred User connects as <i>fuser</i>, the filter would look
- like</p>
-
- <p><tt>(&<font
- color="red">(|(qpagePagerID=*)(uid=jmanager))</font>(<font
- color="blue">uid</font>=<font
- color="green">fuser</font>))</tt></p>
-
- <p>The above search will only succeed if <i>fuser</i> has a
- pager. When Joe Manager connects as <i>jmanager</i>, the
- filter looks like</p>
-
- <p><tt>(&<font
- color="red">(|(qpagePagerID=*)(uid=jmanager))</font>(<font
- color="blue">uid</font>=<font
- color="green">jmanager</font>))</tt></p>
-
- <p>The above search will succeed whether <i>jmanager</i>
- has a pager or not.</p>
- </li>
- </ul>
-
- <h2><a id="usingtls" name="usingtls">Using TLS</a></h2>
-
- <p>To use TLS, simply set the <tt>AuthLDAPStartTLS</tt> to on.
- Nothing else needs to be done (other than ensure that your LDAP
- server is configured for TLS).</p>
-
- <h2><a id="usingssl" name="usingssl">Using SSL</a></h2>
-
- <p>If mod_auth_ldap is linked against the Netscape/iPlanet LDAP
- SDK, it will not talk to any SSL server unless that server has
- a certificate signed by a known Certificate Authority. As part
- of the configuration mod_auth_ldap needs to be told where it
- can find a database containing the known CAs. This database is
- in the same format as Netscape Communicator's <tt>cert7.db</tt>
- database. The easiest way to get this file is to start up a
- fresh copy of Netscape, and grab the resulting
- <tt>$HOME/.netscape/cert7.db</tt> file.</p>
-
- <p>To specify a secure LDAP server, use <i>ldaps://</i> in the
- <tt>AuthLDAPURL</tt> directive, instead of <i>ldap://</i>.</p>
-
- <h2><a id="frontpage" name="frontpage">Using Microsoft
- FrontPage with mod_auth_ldap</a></h2>
-
- <p>Normally, FrontPage uses FrontPage-web-specific user/group
- files (i.e., the <i>mod_auth</i> module) to handle all
- authentication. Unfortunately, it is not possible to just
- change to LDAP authentication by adding the proper directives,
- because it will break the <em><b>Permissions</b></em> forms in
- the FrontPage client, which attempt to modify the standard
- text-based authorization files.</p>
-
- <p>Once a FrontPage web has been created, adding LDAP
- authentication to it is a matter of adding the following
- directives to <em><b>every</b></em> <tt>.htaccess</tt> file
- that gets created in the web</p>
-<pre>
-AuthLDAPURL the url
-AuthLDAPAuthoritative off
-AuthLDAPFrontPageHack on
-</pre>
-
- <p><tt>AuthLDAPAuthoritative</tt> must be off to allow
- mod_auth_ldap to decline group authentication so that Apache
- will fall back to file authentication for checking group
- membership. This allows the FrontPage-managed group file to be
- used.</p>
-
- <h3><a id="howitworks" name="howitworks">How It Works</a></h3>
-
- <p>FrontPage restricts access to a web by adding the
- <tt>require valid-user</tt> directive to the <tt>.htaccess</tt>
- files. If <tt>AuthLDAPFrontPageHack</tt> is not on, the
- <tt>require valid-user</tt> directive will succeed for any user
- who is valid <em><b>as far as LDAP is concerned</b></em>. This
- means that anybody who has an entry in the LDAP directory is
- considered a valid user, whereas FrontPage considers only those
- people in the local user file to be valid. The purpose of the
- hack is to force Apache to consult the local user file (which
- is managed by FrontPage) - instead of LDAP - when handling the
- <tt>require valid-user</tt> directive.</p>
-
- <p>Once directives have been added as specified above,
- FrontPage users will be able to perform all management
- operations from the FrontPage client.</p>
-
- <h3><a id="fpcaveats" name="fpcaveats">Caveats</a></h3>
-
- <ul>
- <li>When choosing the LDAP URL, the attribute to use for
- authentication should be something that will also be valid
- for putting into a <i>mod_auth</i> user file. The user ID is
- ideal for this.</li>
-
- <li>When adding users via FrontPage, FrontPage administrators
- should choose usernames that already exist in the LDAP
- directory (for obvious reasons). Also, the password that the
- administrator enters into the form is ignored, since Apache
- will actually be authenticating against the password in the
- LDAP database, and not against the password in the local user
- file. This could cause confusion for web administrators.</li>
-
- <li>Apache must be compiled with <i>mod_auth</i> in order to
- use FrontPage support. This is because Apache will still use
- the <i>mod_auth</i> group file for determine the extent of a
- user's access to the FrontPage web.</li>
-
- <li>The directives must be put in the <tt>.htaccess</tt>
- files. Attempting to put them inside
- <tt><Location></tt> or <tt><Directory></tt>
- directives won't work. This is because mod_auth_ldap has to
- be able to grab the <tt>AuthUserFile</tt> directive that is
- found in FrontPage <tt>.htaccess</tt> files so that it knows
- where to look for the valid user list. If the mod_auth_ldap
- directives aren't in the same <tt>.htaccess</tt> file as the
- FrontPage directives, then the hack won't work, because
- mod_auth_ldap will never get a chance to process the
- <tt>.htaccess</tt> file, and won't be able to find the
- FrontPage-managed user file.</li>
- </ul>
- <hr />
-
- <h2><a id="AuthLDAPAuthoritative"
- name="AuthLDAPAuthoritative">AuthLDAPAuthoritative
- directive</a></h2>
-
- <p><a href="directive-dict.html#Syntax"
- rel="Help"><strong>Syntax:</strong></a> AuthLDAPAuthoritative
- on|off<br />
- <a href="directive-dict.html#Default"
- rel="Help"><strong>Default:</strong></a>
- <code>AuthLDAPAuthoritative on</code><br />
- <a href="directive-dict.html#Context"
- rel="Help"><strong>Context:</strong></a> directory,
- .htaccess<br />
- <a href="directive-dict.html#Override"
- rel="Help"><strong>Override:</strong></a> AuthConfig<br />
- <a href="directive-dict.html#Status"
- rel="Help"><strong>Status:</strong></a> Extension<br />
- <a href="directive-dict.html#Module"
- rel="Help"><strong>Module:</strong></a> mod_auth_ldap</p>
-
- <p>Set to <i>off</i> if this module should let other
- authentication modules attempt to authenticate the user, should
- authentication with this module fail. Control is only passed on
- to lower modules if there is no DN or rule that matches the
- supplied user name (as passed by the client).</p>
- <hr />
-
- <h2><a id="AuthLDAPBindDN" name="AuthLDAPBindDN">AuthLDAPBindDN
- directive</a></h2>
-
- <p><a href="directive-dict.html#Syntax"
- rel="Help"><strong>Syntax:</strong></a> AuthLDAPBindDN
- <em>distinguished-name</em><br />
- <a href="directive-dict.html#Context"
- rel="Help"><strong>Context:</strong></a> directory,
- .htaccess<br />
- <a href="directive-dict.html#Override"
- rel="Help"><strong>Override:</strong></a> AuthConfig<br />
- <a href="directive-dict.html#Status"
- rel="Help"><strong>Status:</strong></a> Extension<br />
- <a href="directive-dict.html#Module"
- rel="Help"><strong>Module:</strong></a> mod_auth_ldap</p>
-
- <p>An optional DN used to bind to the server when searching for
- entries. If not provided, mod_auth_ldap will use an anonymous
- bind.</p>
- <hr />
-
- <h2><a id="AuthLDAPBindPassword"
- name="AuthLDAPBindPassword">AuthLDAPBindPassword
- directive</a></h2>
-
- <p><a href="directive-dict.html#Syntax"
- rel="Help"><strong>Syntax:</strong></a> AuthLDAPBindPassword
- <em>password</em><br />
- <a href="directive-dict.html#Context"
- rel="Help"><strong>Context:</strong></a> directory,
- .htaccess<br />
- <a href="directive-dict.html#Override"
- rel="Help"><strong>Override:</strong></a> AuthConfig<br />
- <a href="directive-dict.html#Status"
- rel="Help"><strong>Status:</strong></a> Extension<br />
- <a href="directive-dict.html#Module"
- rel="Help"><strong>Module:</strong></a> mod_auth_ldap</p>
-
- <p>A bind password to use in conjunction with the bind DN. Note
- that the bind password is probably sensitive data, and should
- be properly protected. You should only use the <a
- href="#AuthLDAPBindDN"><tt>AuthLDAPBindDN</tt></a> and <a
- href="#AuthLDAPBindPassword"><tt>AuthLDAPBindPassword</tt></a>
- if you absolutely need them to search the directory.</p>
- <hr />
-
- <h2><a id="AuthLDAPCompareDNOnServer"
- name="AuthLDAPCompareDNOnServer">AuthLDAPCompareDNOnServer
- directive</a></h2>
-
- <p><a href="directive-dict.html#Syntax"
- rel="Help"><strong>Syntax:</strong></a>
- AuthLDAPCompareDNOnServer on|off<br />
- <a href="directive-dict.html#Default"
- rel="Help"><strong>Default:</strong></a>
- <code>AuthLDAPCompareDNOnServer on</code><br />
- <a href="directive-dict.html#Context"
- rel="Help"><strong>Context:</strong></a> directory,
- .htaccess<br />
- <a href="directive-dict.html#Override"
- rel="Help"><strong>Override:</strong></a> AuthConfig<br />
- <a href="directive-dict.html#Status"
- rel="Help"><strong>Status:</strong></a> Extension<br />
- <a href="directive-dict.html#Module"
- rel="Help"><strong>Module:</strong></a> mod_auth_ldap</p>
-
- <p>When set, mod_auth_ldap will use the LDAP server to compare
- the DNs. This is the only foolproof way to compare DNs.
- mod_auth_ldap will search the directory for the DN specified
- with the <a href="#reqdn"><tt>require dn</tt></a> directive,
- then, retrieve the DN and compare it with the DN retrieved from
- the user entry. If this directive is not set, mod_auth_ldap
- simply does a string comparison. It is possible to get false
- negatives with this approach, but it is much faster. Note the
- mod_ldap cache can speed up DN comparison in most
- situations.</p>
- <hr />
-
- <h2><a id="AuthLDAPDereferenceAliases"
- name="AuthLDAPDereferenceAliases">AuthLDAPDereferenceAliases
- directive</a></h2>
-
- <p><a href="directive-dict.html#Syntax"
- rel="Help"><strong>Syntax:</strong></a>
- AuthLDAPDereferenceAliases never|searching|finding|always<br />
- <a href="directive-dict.html#Default"
- rel="Help"><strong>Default:</strong></a>
- <code>AuthLDAPDereferenceAliases Always</code><br />
- <a href="directive-dict.html#Context"
- rel="Help"><strong>Context:</strong></a> directory,
- .htaccess<br />
- <a href="directive-dict.html#Override"
- rel="Help"><strong>Override:</strong></a> AuthConfig<br />
- <a href="directive-dict.html#Status"
- rel="Help"><strong>Status:</strong></a> Extension<br />
- <a href="directive-dict.html#Module"
- rel="Help"><strong>Module:</strong></a> mod_auth_ldap</p>
-
- <p>This directive specifies when mod_auth_ldap will
- de-reference aliases during LDAP operations. The default is
- <i>always</i>.</p>
- <hr />
-
- <h2><a id="AuthLDAPEnabled"
- name="AuthLDAPEnabled">AuthLDAPEnabled directive</a></h2>
-
- <p><a href="directive-dict.html#Syntax"
- rel="Help"><strong>Syntax:</strong></a> AuthLDAPEnabled
- on|off<br />
- <a href="directive-dict.html#Default"
- rel="Help"><strong>Default:</strong></a> <code>AuthLDAPEnabled
- on</code><br />
- <a href="directive-dict.html#Context"
- rel="Help"><strong>Context:</strong></a> directory,
- .htaccess<br />
- <a href="directive-dict.html#Override"
- rel="Help"><strong>Override:</strong></a> AuthConfig<br />
- <a href="directive-dict.html#Status"
- rel="Help"><strong>Status:</strong></a> Extension<br />
- <a href="directive-dict.html#Module"
- rel="Help"><strong>Module:</strong></a> mod_auth_ldap</p>
-
- <p>Set to <i>off</i> to disable mod_auth_ldap in certain
- directories. This is useful if you have mod_auth_ldap enabled
- at or near the top of your tree, but want to disable it
- completely in certain locations.</p>
- <hr />
-
- <h2><a id="AuthLDAPFrontPageHack"
- name="AuthLDAPFrontPageHack">AuthLDAPFrontPageHack
- directive</a></h2>
-
- <p><a href="directive-dict.html#Syntax"
- rel="Help"><strong>Syntax:</strong></a> AuthLDAPFrontPageHack
- on|off<br />
- <a href="directive-dict.html#Default"
- rel="Help"><strong>Default:</strong></a>
- <code>AuthLDAPFronPageHack off</code><br />
- <a href="directive-dict.html#Context"
- rel="Help"><strong>Context:</strong></a> directory,
- .htaccess<br />
- <a href="directive-dict.html#Override"
- rel="Help"><strong>Override:</strong></a> AuthConfig<br />
- <a href="directive-dict.html#Status"
- rel="Help"><strong>Status:</strong></a> Extension<br />
- <a href="directive-dict.html#Module"
- rel="Help"><strong>Module:</strong></a> mod_auth_ldap</p>
-
- <p>See the section on <a href="#frontpage">using Microsoft
- FrontPage</a> with mod_auth_ldap.</p>
- <hr />
-
- <h2><a id="AuthLDAPGroupAttribute"
- name="AuthLDAPGroupAttribute">AuthLDAPGroupAttribute
- directive</a></h2>
-
- <p><a href="directive-dict.html#Syntax"
- rel="Help"><strong>Syntax:</strong></a> AuthLDAPGroupAttribute
- <em>attribute</em><br />
- <a href="directive-dict.html#Context"
- rel="Help"><strong>Context:</strong></a> directory,
- .htaccess<br />
- <a href="directive-dict.html#Override"
- rel="Help"><strong>Override:</strong></a> AuthConfig<br />
- <a href="directive-dict.html#Status"
- rel="Help"><strong>Status:</strong></a> Extension<br />
- <a href="directive-dict.html#Module"
- rel="Help"><strong>Module:</strong></a> mod_auth_ldap</p>
-
- <p>This directive specifies which LDAP attributes are used to
- check for group membership. Multiple attributes can be used by
- specifying this directive multiple times. If not specified,
- then mod_auth_ldap uses the <tt>member</tt> and
- <tt>uniquemember</tt> attributes.</p>
- <hr />
-
- <h2><a id="AuthLDAPGroupAttributeIsDN"
- name="AuthLDAPGroupAttributeIsDN">AuthLDAPGroupAttributeIsDN
- directive</a></h2>
-
- <p><a href="directive-dict.html#Syntax"
- rel="Help"><strong>Syntax:</strong></a>
- AuthLDAPGroupAttributeIsDN on|off<br />
- <a href="directive-dict.html#Default"
- rel="Help"><strong>Default:</strong></a>
- <code>AuthLDAPGroupAttributeIsDN on</code><br />
- <a href="directive-dict.html#Context"
- rel="Help"><strong>Context:</strong></a> directory,
- .htaccess<br />
- <a href="directive-dict.html#Override"
- rel="Help"><strong>Override:</strong></a> AuthConfig<br />
- <a href="directive-dict.html#Status"
- rel="Help"><strong>Status:</strong></a> Extension<br />
- <a href="directive-dict.html#Module"
- rel="Help"><strong>Module:</strong></a> mod_auth_ldap</p>
-
- <p>When set, this directive says to use the distinguished name
- of the client username when checking for group membership.
- Otherwise, the username will be used. For example, assume that
- the client sent the username <i>bjenson</i>, which corresponds
- to the LDAP DN <i>cn=Babs Jenson, o=Airius</i>. If this
- directive is set, mod_auth_ldap will check if the group has
- <i>cn=Babs Jenson, o=Airius</i> as a member. If this directive
- is not set, then mod_auth_ldap will check if the group has
- <i>bjenson</i> as a member.</p>
- <hr />
-
- <h2><a id="AuthLDAPRemoteUserIsDN"
- name="AuthLDAPRemoteUserIsDN">AuthLDAPRemoteUserIsDN
- directive</a></h2>
-
- <p><a href="directive-dict.html#Syntax"
- rel="Help"><strong>Syntax:</strong></a> AuthLDAPRemoteUserIsDN
- on|off<br />
- <a href="directive-dict.html#Default"
- rel="Help"><strong>Default:</strong></a> <code>AuthLDAPUserIsDN
- off</code><br />
- <a href="directive-dict.html#Context"
- rel="Help"><strong>Context:</strong></a> directory,
- .htaccess<br />
- <a href="directive-dict.html#Override"
- rel="Help"><strong>Override:</strong></a> AuthConfig<br />
- <a href="directive-dict.html#Status"
- rel="Help"><strong>Status:</strong></a> Extension<br />
- <a href="directive-dict.html#Module"
- rel="Help"><strong>Module:</strong></a> mod_auth_ldap</p>
-
- <p>If this directive is set to on, the value of the
- <i>REMOTE_USER</i> environment variable will be set to the full
- distinguished name of the authenticated user, rather than just
- the username that was passed by the client. It is turned off by
- default.</p>
- <hr />
-
- <h2><a id="AuthLDAPStartTLS"
- name="AuthLDAPStartTLS">AuthLDAPStartTLS directive</a></h2>
-
- <p><a href="directive-dict.html#Syntax"
- rel="Help"><strong>Syntax:</strong></a> AuthLDAPStartTLS
- on|off<br />
- <a href="directive-dict.html#Default"
- rel="Help"><strong>Default:</strong></a> <code>AuthLDAPStartTLS
- off</code><br />
- <a href="directive-dict.html#Context"
- rel="Help"><strong>Context:</strong></a> directory,
- .htaccess<br />
- <a href="directive-dict.html#Override"
- rel="Help"><strong>Override:</strong></a> AuthConfig<br />
- <a href="directive-dict.html#Status"
- rel="Help"><strong>Status:</strong></a> Extension<br />
- <a href="directive-dict.html#Module"
- rel="Help"><strong>Module:</strong></a> mod_auth_ldap</p>
-
- <p>If this directive is set to on, mod_auth_ldap will start a
- secure TLS session after connecting to the LDAP server. This
- requires your LDAP server to support TLS.</p>
- <hr />
-
- <h2><a id="AuthLDAPUrl" name="AuthLDAPUrl">AuthLDAPUrl
- directive</a></h2>
-
- <p><a href="directive-dict.html#Syntax"
- rel="Help"><strong>Syntax:</strong></a> AuthLDAPUrl
- <em>url</em><br />
- <a href="directive-dict.html#Context"
- rel="Help"><strong>Context:</strong></a> directory,
- .htaccess<br />
- <a href="directive-dict.html#Override"
- rel="Help"><strong>Override:</strong></a> AuthConfig<br />
- <a href="directive-dict.html#Status"
- rel="Help"><strong>Status:</strong></a> Extension<br />
- <a href="directive-dict.html#Module"
- rel="Help"><strong>Module:</strong></a> mod_auth_ldap</p>
-
- <p>An RFC 2255 URL which specifies the LDAP search parameters
- to use. The syntax of the URL is</p>
-<pre>
-ldap://host:port/basedn?attribute?scope?filter
-</pre>
-
- <table border="0" bgcolor="#ffffff">
- <tr valign="top">
- <td colspan="1" align="left">ldap</td>
-
- <td colspan="1" align="left">For regular ldap, use the
- string <i>ldap</i>. For secure LDAP, use <i>ldaps</i>
- instead. Secure LDAP is only available if Apache was linked
- to an LDAP library with SSL support.</td>
- </tr>
-
- <tr valign="top">
- <td colspan="1" align="left">host:port</td>
-
- <td colspan="1" align="left">
- <p>The name/port of the ldap server (defaults to
- <i>localhost:389</i> for <i>ldap</i>, and
- <i>localhost:636</i> for <i>ldaps</i>). To specify
- multiple, redundant LDAP servers, just list all servers,
- separated by spaces. mod_auth_ldap will try connecting to
- each server in turn, until it makes a successful
- connection.</p>
-
- <p>Once a connection has been made to a server, that
- connection remains active for the life of the
- <i>httpd</i> process, or until the LDAP server goes
- down.</p>
-
- <p>If the LDAP server goes down and breaks an existing
- connection, mod_auth_ldap will attempt to re-connect,
- starting with the primary server, and trying each
- redundant server in turn. Note that this is different
- than a true round-robin search.</p>
- </td>
- </tr>
-
- <tr valign="top">
- <td colspan="1" align="left">basedn</td>
-
- <td colspan="1" align="left">The DN of the branch of the
- directory where all searches should start from. At the very
- least, this must be the top of your directory tree, but
- could also specify a subtree in the directory.</td>
- </tr>
-
- <tr valign="top">
- <td colspan="1" align="left">attribute</td>
-
- <td colspan="1" align="left">The attribute to search for.
- Although RFC 2255 allows a comma-separated list of
- attributes, only the first attribute will be used, no
- matter how many are provided. If no attributes are
- provided, the default is to use <tt>uid</tt>. It's a good
- idea to choose an attribute that will be unique across all
- entries in the subtree you will be using.</td>
- </tr>
-
- <tr valign="top">
- <td colspan="1" align="left">scope</td>
-
- <td colspan="1" align="left">The scope of the search. Can
- be either <i>one</i> or <i>sub</i>. Note that a scope of
- <i>base</i> is also supported by RFC 2255, but is not
- supported by this module. If the scope is not provided, or
- if <i>base</i> scope is specified, the default is to use a
- scope of <i>sub</i>.</td>
- </tr>
-
- <tr valign="top">
- <td colspan="1" align="left">filter</td>
-
- <td colspan="1" align="left">A valid LDAP search filter. If
- not provided, defaults to <tt>(objectClass=*)</tt>, which
- will search for all objects in the tree. Filters are
- limited to approximately 8000 characters (the definition of
- <i>MAX_STRING_LEN</i> in the Apache source code). This
- should be than sufficient for any application.</td>
- </tr>
- </table>
-
- <p>When doing searches, the attribute, filter and username
- passed by the HTTP client are combined to create a search
- filter that looks like
- <tt>(&(<i>filter</i>)(<i>attribute</i>=<i>username</i>))</tt>.</p>
-
- <p>For example, consider an URL of
- <i>ldap://ldap.airius.com/o=Airius?cn?sub?(posixid=*)</i>. When
- a client attempts to connect using a username of <i>Babs
- Jenson</i>, the resulting search filter will be
- <tt>(&(posixid=*)(cn=Babs Jenson))</tt>.</p>
-
- <p>See above for examples of <a
- href="#AuthLDAPURL"><tt>AuthLDAPURL</tt></a> URLs.</p>
- <!--#include virtual="footer.html" -->
- </body>
-</html>
-
--- /dev/null
+<html><head><META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><!--
+ XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+ This file is generated from xml source: DO NOT EDIT
+ XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+ --><title>mod_auth_ldap - Apache HTTP Server</title><link href="../style/manual.css" type="text/css" rel="stylesheet"></head><body><blockquote><div align="center"><img src="../images/sub.gif" alt="[APACHE DOCUMENTATION]"><h3>Apache HTTP Server Version 2.0</h3></div><h1 align="center">Apache Module mod_auth_ldap</h1><table cellspacing="1" cellpadding="0" bgcolor="#cccccc"><tr><td><table bgcolor="#ffffff"><tr><td nowrap="nowrap" valign="top"><span class="help">Description:
+ </span></td><td>Allows an LDAP directory to be used to store the database
+for HTTP Basic authentication.</td></tr><tr><td nowrap="nowrap"><a href="module-dict.html#Status" class="help">Status:
+ </a></td><td>experimental</td></tr><tr><td nowrap="nowrap"><a href="module-dict.html#ModuleIdentifier" class="help">Module Identifier:
+ </a></td><td>auth_ldap_module</td></tr></table></td></tr></table><h2>Summary</h2>
+ <p><code><a href="../mod/mod_auth_ldap.html">mod_auth_ldap</a></code> supports the following features:</p>
+
+ <ul>
+ <li>Known to support the <a href="http://www.openldap.org/">OpenLDAP SDK</a> (both 1.x
+ and 2.x), and the <a href="http://www.iplanet.com/downloads/developer/">iPlanet
+ (Netscape)</a> SDK.</li>
+
+ <li>Complex authorization policies can be implemented by
+ representing the policy with LDAP filters.</li>
+
+ <li>Support for Microsoft FrontPage allows FrontPage users to
+ control access to their webs, while retaining LDAP for user
+ authentication.</li>
+
+ <li>Uses extensive caching of LDAP operations via <a href="mod_ldap.html">mod_ldap</a>.</li>
+
+ <li>Support for LDAP over SSL (requires the Netscape SDK) or
+ TLS (requires the OpenLDAP 2.x SDK).</li>
+ </ul>
+<h2>Directives</h2><ul><li><a href="#authldapauthoritative">AuthLDAPAuthoritative</a></li><li><a href="#authldapbinddn">AuthLDAPBindDN</a></li><li><a href="#authldapbindpassword">AuthLDAPBindPassword</a></li><li><a href="#authldapcomparednonserver">AuthLDAPCompareDNOnServer</a></li><li><a href="#authldapdereferencealiases">AuthLDAPDereferenceAliases</a></li><li><a href="#authldapenabled directive">AuthLDAPEnabled directive</a></li><li><a href="#authldapfrontpagehack">AuthLDAPFrontPageHack</a></li><li><a href="#authldapgroupattribute">AuthLDAPGroupAttribute</a></li><li><a href="#authldapgroupattributeisdn">AuthLDAPGroupAttributeIsDN</a></li><li><a href="#authldapremoteuserisdn">AuthLDAPRemoteUserIsDN</a></li><li><a href="#authldapstarttls directive">AuthLDAPStartTLS directive</a></li><li><a href="#authldapurl">AuthLDAPUrl</a></li></ul><h2><a name="contents">Contents</a></h2>
+
+ <ul>
+ <li>
+ <a href="#operation">Operation</a>
+
+ <ul>
+ <li><a href="#authenphase">The Authentication
+ Phase</a></li>
+
+ <li><a href="#authorphase">The Authorization
+ Phase</a></li>
+ </ul>
+ </li>
+
+ <li>
+ <a href="#requiredirectives">The require Directives</a>
+
+ <ul>
+ <li><a href="#reqvaliduser">require valid-user</a></li>
+
+ <li><a href="#requser">require user</a></li>
+
+ <li><a href="#reqgroup">require group</a></li>
+
+ <li><a href="#reqdn">require dn</a></li>
+ </ul>
+ </li>
+
+ <li><a href="#examples">Examples</a></li>
+
+ <li><a href="#usingtls">Using TLS</a></li>
+
+ <li><a href="#usingssl">Using SSL</a></li>
+
+ <li>
+ <a href="#frontpage">Using Microsoft FrontPage with
+ <code><a href="../mod/mod_auth_ldap.html">mod_auth_ldap</a></code></a>
+
+ <ul>
+ <li><a href="#howitworks">How It Works</a></li>
+
+ <li><a href="#fpcaveats">Caveats</a></li>
+ </ul>
+ </li>
+ </ul>
+<h2><a name="operation">Operation</a></h2>
+
+ <p>There are two phases in granting access to a user. The first
+ phase is authentication, in which <code><a href="../mod/mod_auth_ldap.html">mod_auth_ldap</a></code>
+ verifies that the user's credentials are valid. This also called
+ the <em>search/bind</em> phase. The second phase is
+ authorization, in which <code><a href="../mod/mod_auth_ldap.html">mod_auth_ldap</a></code> determines
+ if the authenticated user is allowed access to the resource in
+ question. This is also known as the <em>compare</em>
+ phase.</p>
+
+<h3><a name="authenphase">The Authentication
+ Phase</a></h3>
+
+ <p>During the authentication phase, <code><a href="../mod/mod_auth_ldap.html">mod_auth_ldap</a></code>
+ searches for an entry in the directory that matches the username
+ that the HTTP client passes. If a single unique match is found,
+ then <code><a href="../mod/mod_auth_ldap.html">mod_auth_ldap</a></code> attempts to bind to the
+ directory server using the DN of the entry plus the password
+ provided by the HTTP client. Because it does a search, then a
+ bind, it is often referred to as the search/bind phase. Here are
+ the steps taken during the search/bind phase.</p>
+
+ <ol>
+ <li>Generate a search filter by combining the attribute and
+ filter provided in the <a href="#authldapurl" class="directive"><code class="directive">AuthLDAPURL</code></a> directive with
+ the username passed by the HTTP client.</li>
+
+ <li>Search the directory using the generated filter. If the
+ search does not return exactly one entry, deny or decline
+ access.</li>
+
+ <li>Fetch the distinguished name of the entry retrieved from
+ the search and attempt to bind to the LDAP server using the
+ DN and the password passed by the HTTP client. If the bind is
+ unsuccessful, deny or decline access.</li>
+ </ol>
+
+ <p>The following directives are used during the search/bind
+ phase</p>
+
+ <table>
+ <tr>
+ <td><a href="#authldapurl" class="directive"><code class="directive">AuthLDAPURL</code></a></td>
+
+ <td>Specifies the LDAP server, the
+ base DN, the attribute to use in the search, as well as the
+ extra search filter to use.</td>
+ </tr>
+
+ <tr>
+ <td><a href="#authldapbinddn" class="directive"><code class="directive">AuthLDAPBindDN</code></a></td>
+
+ <td>An optional DN to bind with
+ during the search phase.</td>
+ </tr>
+
+ <tr>
+ <td><a href="#authldapbindpassword" class="directive"><code class="directive">AuthLDAPBindPassword</code></a></td>
+
+ <td>An optional password to bind
+ with during the search phase.</td>
+ </tr>
+ </table>
+
+
+<h3><a name="authorphase">The Authorization
+ Phase</a></h3>
+
+ <p>During the authorization phase, <code><a href="../mod/mod_auth_ldap.html">mod_auth_ldap</a></code>
+ attempts to determine if the user is authorized to access the
+ resource. Many of these checks require
+ <code><a href="../mod/mod_auth_ldap.html">mod_auth_ldap</a></code> to do a compare operation on the
+ LDAP server. This is why this phase is often referred to as the
+ compare phase. <code><a href="../mod/mod_auth_ldap.html">mod_auth_ldap</a></code> accepts the
+ following <a href="../mod/core.html#require" class="directive"><code class="directive">Require</code></a>
+ directives to determine if the credentials are acceptable:</p>
+
+ <ul>
+ <li>Grant access if there is a <a href="#requser"><code>require
+ valid-user</code></a> directive.</li>
+
+ <li>Grant access if there is a <a href="#reqgroup"><code>require user</code></a> directive, and the
+ username in the directive matches the username passed by the
+ client.</li>
+
+ <li>Grant access if there is a <a href="#reqdn"><code>require
+ dn</code></a> directive, and the DN in the directive matches
+ the DN fetched from the LDAP directory.</li>
+
+ <li>Grant access if there is a <a href="#reqgroup"><code>require group</code></a> directive, and
+ the DN fetched from the LDAP directory (or the username
+ passed by the client) occurs in the LDAP group.</li>
+
+ <li>otherwise, deny or decline access</li>
+ </ul>
+
+ <p><code><a href="../mod/mod_auth_ldap.html">mod_auth_ldap</a></code> uses the following directives during the
+ compare phase:</p>
+
+ <table>
+ <tr>
+ <td><a href="#authldapurl" class="directive"><code class="directive">AuthLDAPURL</code></a> </td>
+
+ <td>The attribute specified in the
+ URL is used in compare operations for the <code>require
+ user</code> operation.</td>
+ </tr>
+
+ <tr>
+ <td><a href="#authldapcomparednonserver" class="directive"><code class="directive">AuthLDAPCompareDNOnServer</code></a></td>
+
+ <td>Determines the behavior of the
+ <code>require dn</code> directive.</td>
+ </tr>
+
+ <tr>
+ <td><a href="#authldapgroupattribute" class="directive"><code class="directive">AuthLDAPGroupAttribute</code></a></td>
+
+ <td>Determines the attribute to
+ use for comparisons in the <code>require group</code>
+ directive.</td>
+ </tr>
+
+ <tr>
+ <td><a href="#authldapgroupattributeisdn" class="directive"><code class="directive">AuthLDAPGroupAttributeIsDN</code></a></td>
+
+ <td>Specifies whether to use the
+ user DN or the username when doing comparisons for the
+ <code>require group</code> directive.</td>
+ </tr>
+ </table>
+
+<h2><a name="requiredirectives">The require Directives</a></h2>
+
+ <p>Apache's <a href="../mod/core.html#require" class="directive"><code class="directive">Require</code></a>
+ directives are used during the authorization phase to ensure that
+ a user is allowed to access a resource.</p>
+
+<h3><a name="reqvaliduser">require
+ valid-user</a></h3>
+
+ <p>If this directive exists, <code><a href="../mod/mod_auth_ldap.html">mod_auth_ldap</a></code> grants
+ access to any user that has successfully authenticated during the
+ search/bind phase.</p>
+
+
+<h3><a name="requser">require user</a></h3>
+
+ <p>The <code>require user</code> directive specifies what
+ usernames can access the resource. Once
+ <code><a href="../mod/mod_auth_ldap.html">mod_auth_ldap</a></code> has retrieved a unique DN from the
+ directory, it does an LDAP compare operation using the username
+ specified in the <code>require user</code> to see if that username
+ is part of the just-fetched LDAP entry. Multiple users can be
+ granted access by putting multiple usernames on the line,
+ separated with spaces. If a username has a space in it, then it
+ must be the only user on the line. In this case, multiple users
+ can be granted access by using multiple <code>require user</code>
+ directives, with one user per line. For example, with a <a href="#authldapurl" class="directive"><code class="directive">AuthLDAPURL</code></a> of
+ <code>ldap://ldap/o=Airius?cn</code> (i.e., <code>cn</code> is
+ used for searches), the following require directives could be used
+ to restrict access:</p>
+<blockquote><table cellpadding="10"><tr><td bgcolor="#eeeeee"><code>
+require user Barbara Jenson<br>
+require user Fred User<br>
+require user Joe Manager<br>
+</code></td></tr></table></blockquote>
+
+ <p>Because of the way that <code><a href="../mod/mod_auth_ldap.html">mod_auth_ldap</a></code> handles this
+ directive, Barbara Jenson could sign on as <em>Barbara
+ Jenson</em>, <em>Babs Jenson</em> or any other <code>cn</code> that
+ she has in her LDAP entry. Only the single <code>require
+ user</code> line is needed to support all values of the attribute
+ in the user's entry.</p>
+
+ <p>If the <code>uid</code> attribute was used instead of the
+ <code>cn</code> attribute in the URL above, the above three lines
+ could be condensed to</p>
+<blockquote><table cellpadding="10"><tr><td bgcolor="#eeeeee"><code>require user bjenson fuser jmanager</code></td></tr></table></blockquote>
+
+
+<h3><a name="reqgroup">require group</a></h3>
+
+ <p>This directive specifies an LDAP group whose members are
+ allowed access. It takes the distinguished name of the LDAP
+ group. For example, assume that the following entry existed in
+ the LDAP directory:</p>
+<blockquote><table cellpadding="10"><tr><td bgcolor="#eeeeee"><code>
+dn: cn=Administrators, o=Airius<br>
+objectClass: groupOfUniqueNames<br>
+uniqueMember: cn=Barbara Jenson, o=Airius<br>
+uniqueMember: cn=Fred User, o=Airius<br>
+</code></td></tr></table></blockquote>
+
+ <p>The following directive would grant access to both Fred and
+ Barbara:</p>
+<blockquote><table cellpadding="10"><tr><td bgcolor="#eeeeee"><code>require group cn=Administrators, o=Airius</code></td></tr></table></blockquote>
+
+ <p>Behavior of this directive is modified by the <a href="#authldapgroupattribute" class="directive"><code class="directive">AuthLDAPGroupAttribute</code></a> and
+ <a href="#authldapgroupattributeisdn" class="directive"><code class="directive">AuthLDAPGroupAttributeIsDN</code></a>
+ directives.</p>
+
+
+<h3><a name="reqdn">require dn</a></h3>
+
+ <p>The <code>require dn</code> directive allows the administrator
+ to grant access based on distinguished names. It specifies a DN
+ that must match for access to be granted. If the distinguished
+ name that was retrieved from the directory server matches the
+ distinguished name in the <code>require dn</code>, then
+ authorization is granted.</p>
+
+ <p>The following directive would grant access to a specific
+ DN:</p>
+<blockquote><table cellpadding="10"><tr><td bgcolor="#eeeeee"><code>require dn cn=Barbara Jenson, o=Airius</code></td></tr></table></blockquote>
+
+ <p>Behavior of this directive is modified by the <a href="#authldapcomparednonserver" class="directive"><code class="directive">AuthLDAPCompareDNOnServer</code></a>
+ directive.</p>
+
+<h2><a name="examples">Examples</a></h2>
+
+ <ul>
+ <li>
+ Grant access to anyone who exists in the LDAP directory,
+ using their UID for searches.
+<blockquote><table cellpadding="10"><tr><td bgcolor="#eeeeee"><code>
+AuthLDAPURL ldap://ldap1.airius.com:389/ou=People, o=Airius?uid?sub?(objectClass=*)<br>
+require valid-user
+</code></td></tr></table></blockquote>
+ </li>
+
+ <li>
+ The next example is the same as above; but with the fields
+ that have useful defaults omitted. Also, note the use of a
+ redundant LDAP server.
+<blockquote><table cellpadding="10"><tr><td bgcolor="#eeeeee"><code>AuthLDAPURL ldap://ldap1.airius.com ldap2.airius.com/ou=People, o=Airius<br>
+require valid-user
+</code></td></tr></table></blockquote>
+ </li>
+
+ <li>
+ The next example is similar to the previous one, but is
+ uses the common name instead of the UID. Note that this
+ could be problematical if multiple people in the directory
+ share the same <code>cn</code>, because a search on <code>cn</code>
+ <strong>must</strong> return exactly one entry. That's why
+ this approach is not recommended: it's a better idea to
+ choose an attribute that is guaranteed unique in your
+ directory, such as <code>uid</code>.
+<blockquote><table cellpadding="10"><tr><td bgcolor="#eeeeee"><code>
+AuthLDAPURL ldap://ldap.airius.com/ou=People, o=Airius?cn<br>
+require valid-user
+</code></td></tr></table></blockquote>
+ </li>
+
+ <li>
+ Grant access to anybody in the Administrators group. The
+ users must authenticate using their UID.
+<blockquote><table cellpadding="10"><tr><td bgcolor="#eeeeee"><code>
+AuthLDAPURL ldap://ldap.airius.com/o=Airius?uid<br>
+require group cn=Administrators, o=Airius
+</code></td></tr></table></blockquote>
+ </li>
+
+ <li>
+ The next example assumes that everyone at Airius who
+ carries an alphanumeric pager will have an LDAP attribute
+ of <code>qpagePagerID</code>. The example will grant access
+ only to people (authenticated via their UID) who have
+ alphanumeric pagers:
+<blockquote><table cellpadding="10"><tr><td bgcolor="#eeeeee"><code>
+AuthLDAPURL ldap://ldap.airius.com/o=Airius?uid??(qpagePagerID=*)<br>
+require valid-user
+</code></td></tr></table></blockquote>
+ </li>
+
+ <li>
+ <p>The next example demonstrates the power of using filters
+ to accomplish complicated administrative requirements.
+ Without filters, it would have been necessary to create a
+ new LDAP group and ensure that the group's members remain
+ synchronized with the pager users. This becomes trivial
+ with filters. The goal is to grant access to anyone who has
+ a filter, plus grant access to Joe Manager, who doesn't
+ have a pager, but does need to access the same
+ resource:</p>
+<blockquote><table cellpadding="10"><tr><td bgcolor="#eeeeee"><code>
+AuthLDAPURL ldap://ldap.airius.com/o=Airius?uid??(|(qpagePagerID=*)(uid=jmanager))<br>
+require valid-user
+</code></td></tr></table></blockquote>
+
+ <p>This last may look confusing at first, so it helps to
+ evaluate what the search filter will look like based on who
+ connects, as shown below. The text in blue is the part that
+ is filled in using the attribute specified in the URL. The
+ text in red is the part that is filled in using the filter
+ specified in the URL. The text in green is filled in using
+ the information that is retrieved from the HTTP client. If
+ Fred User connects as <code>fuser</code>, the filter would look
+ like</p>
+
+ <blockquote><table cellpadding="10"><tr><td bgcolor="#eeeeee"><code>(&<font color="red">(|(qpagePagerID=*)(uid=jmanager))</font>(<font color="blue">uid</font>=<font color="green">fuser</font>))</code></td></tr></table></blockquote>
+
+ <p>The above search will only succeed if <em>fuser</em> has a
+ pager. When Joe Manager connects as <em>jmanager</em>, the
+ filter looks like</p>
+
+ <blockquote><table cellpadding="10"><tr><td bgcolor="#eeeeee"><code>(&<font color="red">(|(qpagePagerID=*)(uid=jmanager))</font>(<font color="blue">uid</font>=<font color="green">jmanager</font>))</code></td></tr></table></blockquote>
+
+ <p>The above search will succeed whether <em>jmanager</em>
+ has a pager or not.</p>
+ </li>
+ </ul>
+<h2><a name="usingtls">Using TLS</a></h2>
+
+ <p>To use TLS, simply set the <a href="#authldapstarttls" class="directive"><code class="directive">AuthLDAPStartTLS</code></a> to on.
+ Nothing else needs to be done (other than ensure that your LDAP
+ server is configured for TLS).</p>
+<h2><a name="usingssl">Using SSL</a></h2>
+
+ <p>If <code><a href="../mod/mod_auth_ldap.html">mod_auth_ldap</a></code> is linked against the
+ Netscape/iPlanet LDAP SDK, it will not talk to any SSL server
+ unless that server has a certificate signed by a known Certificate
+ Authority. As part of the configuration
+ <code><a href="../mod/mod_auth_ldap.html">mod_auth_ldap</a></code> needs to be told where it can find
+ a database containing the known CAs. This database is in the same
+ format as Netscape Communicator's <code>cert7.db</code>
+ database. The easiest way to get this file is to start up a fresh
+ copy of Netscape, and grab the resulting
+ <code>$HOME/.netscape/cert7.db</code> file.</p>
+
+ <p>To specify a secure LDAP server, use <em>ldaps://</em> in the
+ <a href="#authldapurl" class="directive"><code class="directive">AuthLDAPURL</code></a>
+ directive, instead of <em>ldap://</em>.</p>
+<h2><a name="frontpage">Using Microsoft
+ FrontPage with mod_auth_ldap</a></h2>
+
+ <p>Normally, FrontPage uses FrontPage-web-specific user/group
+ files (i.e., the <code><a href="../mod/mod_auth.html">mod_auth</a></code> module) to handle all
+ authentication. Unfortunately, it is not possible to just
+ change to LDAP authentication by adding the proper directives,
+ because it will break the <em>Permissions</em> forms in
+ the FrontPage client, which attempt to modify the standard
+ text-based authorization files.</p>
+
+ <p>Once a FrontPage web has been created, adding LDAP
+ authentication to it is a matter of adding the following
+ directives to <em>every</em> <code>.htaccess</code> file
+ that gets created in the web</p>
+<blockquote><table cellpadding="10"><tr><td bgcolor="#eeeeee"><code><pre>
+AuthLDAPURL the url
+AuthLDAPAuthoritative off
+AuthLDAPFrontPageHack on
+</pre></code></td></tr></table></blockquote>
+
+ <p><a href="#authldapauthoritative" class="directive"><code class="directive">AuthLDAPAuthoritative</code></a> must be
+ off to allow <code><a href="../mod/mod_auth_ldap.html">mod_auth_ldap</a></code> to decline group
+ authentication so that Apache will fall back to file
+ authentication for checking group membership. This allows the
+ FrontPage-managed group file to be used.</p>
+
+<h3><a name="howitworks">How It Works</a></h3>
+
+ <p>FrontPage restricts access to a web by adding the <code>require
+ valid-user</code> directive to the <code>.htaccess</code>
+ files. If <a href="#authldapfrontpagehack" class="directive"><code class="directive">AuthLDAPFrontPageHack</code></a> is not
+ on, the <code>require valid-user</code> directive will succeed for
+ any user who is valid <em>as far as LDAP is
+ concerned</em>. This means that anybody who has an entry in
+ the LDAP directory is considered a valid user, whereas FrontPage
+ considers only those people in the local user file to be
+ valid. The purpose of the hack is to force Apache to consult the
+ local user file (which is managed by FrontPage) - instead of LDAP
+ - when handling the <code>require valid-user</code> directive.</p>
+
+ <p>Once directives have been added as specified above,
+ FrontPage users will be able to perform all management
+ operations from the FrontPage client.</p>
+
+
+<h3><a name="fpcaveats">Caveats</a></h3>
+
+ <ul>
+ <li>When choosing the LDAP URL, the attribute to use for
+ authentication should be something that will also be valid
+ for putting into a <code><a href="../mod/mod_auth.html">mod_auth</a></code> user file. The user ID is
+ ideal for this.</li>
+
+ <li>When adding users via FrontPage, FrontPage administrators
+ should choose usernames that already exist in the LDAP
+ directory (for obvious reasons). Also, the password that the
+ administrator enters into the form is ignored, since Apache
+ will actually be authenticating against the password in the
+ LDAP database, and not against the password in the local user
+ file. This could cause confusion for web administrators.</li>
+
+ <li>Apache must be compiled with <code><a href="../mod/mod_auth.html">mod_auth</a></code> in order to
+ use FrontPage support. This is because Apache will still use
+ the <code><a href="../mod/mod_auth.html">mod_auth</a></code> group file for determine the extent of a
+ user's access to the FrontPage web.</li>
+
+ <li>The directives must be put in the <code>.htaccess</code>
+ files. Attempting to put them inside <a href="../mod/core.html#location" class="directive"><code class="directive"><Location></code></a> or <a href="../mod/core.html#directory" class="directive"><code class="directive"><Directory></code></a> directives won't work. This
+ is because <code><a href="../mod/mod_auth_ldap.html">mod_auth_ldap</a></code> has to be able to grab
+ the <a href="../mod/mod_auth.html#authuserfile" class="directive"><code class="directive">AuthUserFile</code></a>
+ directive that is found in FrontPage <code>.htaccess</code>
+ files so that it knows where to look for the valid user list. If
+ the <code><a href="../mod/mod_auth_ldap.html">mod_auth_ldap</a></code> directives aren't in the same
+ <code>.htaccess</code> file as the FrontPage directives, then
+ the hack won't work, because <code><a href="../mod/mod_auth_ldap.html">mod_auth_ldap</a></code> will
+ never get a chance to process the <code>.htaccess</code> file,
+ and won't be able to find the FrontPage-managed user file.</li>
+ </ul>
+
+<hr><h2><a name="AuthLDAPAuthoritative">AuthLDAPAuthoritative</a> <a name="authldapauthoritative">Directive</a></h2><table cellpadding="1" cellspacing="0" border="0" bgcolor="#cccccc"><tr><td><table bgcolor="#ffffff"><tr><td nowrap="nowrap"><strong>Description:
+ </strong></td><td></td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Syntax" class="help">Syntax:
+ </a></td><td>AuthLDAPAuthoritative on|off</td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Default" class="help">Default:
+ </a></td><td><code>AuthLDAPAuthoritative on</code></td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Context" class="help">Context:
+ </a></td><td>directory, .htaccess</td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Override" class="help">Override:
+ </a></td><td>AuthConfig</td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Status" class="help">Status:
+ </a></td><td>experimental</td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Module" class="help">Module:
+ </a></td><td>mod_auth_ldap</td></tr></table></td></tr></table>
+ <p>Set to <code>off</code> if this module should let other
+ authentication modules attempt to authenticate the user, should
+ authentication with this module fail. Control is only passed on
+ to lower modules if there is no DN or rule that matches the
+ supplied user name (as passed by the client).</p>
+<hr><h2><a name="AuthLDAPBindDN">AuthLDAPBindDN</a> <a name="authldapbinddn">Directive</a></h2><table cellpadding="1" cellspacing="0" border="0" bgcolor="#cccccc"><tr><td><table bgcolor="#ffffff"><tr><td nowrap="nowrap"><strong>Description:
+ </strong></td><td></td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Syntax" class="help">Syntax:
+ </a></td><td>AuthLDAPBindDN <em>distinguished-name</em></td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Context" class="help">Context:
+ </a></td><td>directory, .htaccess</td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Override" class="help">Override:
+ </a></td><td>AuthConfig</td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Status" class="help">Status:
+ </a></td><td>experimental</td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Module" class="help">Module:
+ </a></td><td>mod_auth_ldap</td></tr></table></td></tr></table>
+ <p>An optional DN used to bind to the server when searching for
+ entries. If not provided, <code><a href="../mod/mod_auth_ldap.html">mod_auth_ldap</a></code> will use
+ an anonymous bind.</p>
+<hr><h2><a name="AuthLDAPBindPassword">AuthLDAPBindPassword</a> <a name="authldapbindpassword">Directive</a></h2><table cellpadding="1" cellspacing="0" border="0" bgcolor="#cccccc"><tr><td><table bgcolor="#ffffff"><tr><td nowrap="nowrap"><strong>Description:
+ </strong></td><td></td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Syntax" class="help">Syntax:
+ </a></td><td>AuthLDAPBindPassword <em>password</em></td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Context" class="help">Context:
+ </a></td><td>directory, .htaccess</td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Override" class="help">Override:
+ </a></td><td>AuthConfig</td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Status" class="help">Status:
+ </a></td><td>experimental</td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Module" class="help">Module:
+ </a></td><td>mod_auth_ldap</td></tr></table></td></tr></table>
+ <p>A bind password to use in conjunction with the bind DN. Note
+ that the bind password is probably sensitive data, and should be
+ properly protected. You should only use the <a href="#authldapbinddn" class="directive"><code class="directive">AuthLDAPBindDN</code></a> and <a href="#authldapbindpassword" class="directive"><code class="directive">AuthLDAPBindPassword</code></a> if you
+ absolutely need them to search the directory.</p>
+<hr><h2><a name="AuthLDAPCompareDNOnServer">AuthLDAPCompareDNOnServer</a> <a name="authldapcomparednonserver">Directive</a></h2><table cellpadding="1" cellspacing="0" border="0" bgcolor="#cccccc"><tr><td><table bgcolor="#ffffff"><tr><td nowrap="nowrap"><strong>Description:
+ </strong></td><td></td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Syntax" class="help">Syntax:
+ </a></td><td>AuthLDAPCompareDNOnServer on|off</td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Default" class="help">Default:
+ </a></td><td><code>AuthLDAPCompareDNOnServer on</code></td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Context" class="help">Context:
+ </a></td><td>directory, .htaccess</td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Override" class="help">Override:
+ </a></td><td>AuthConfig</td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Status" class="help">Status:
+ </a></td><td>experimental</td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Module" class="help">Module:
+ </a></td><td>mod_auth_ldap</td></tr></table></td></tr></table>
+ <p>When set, <code><a href="../mod/mod_auth_ldap.html">mod_auth_ldap</a></code> will use the LDAP
+ server to compare the DNs. This is the only foolproof way to
+ compare DNs. <code><a href="../mod/mod_auth_ldap.html">mod_auth_ldap</a></code> will search the
+ directory for the DN specified with the <a href="#reqdn"><code>require dn</code></a> directive, then,
+ retrieve the DN and compare it with the DN retrieved from the user
+ entry. If this directive is not set,
+ <code><a href="../mod/mod_auth_ldap.html">mod_auth_ldap</a></code> simply does a string comparison. It
+ is possible to get false negatives with this approach, but it is
+ much faster. Note the <code><a href="../mod/mod_ldap.html">mod_ldap</a></code> cache can speed up
+ DN comparison in most situations.</p>
+<hr><h2><a name="AuthLDAPDereferenceAliases">AuthLDAPDereferenceAliases</a> <a name="authldapdereferencealiases">Directive</a></h2><table cellpadding="1" cellspacing="0" border="0" bgcolor="#cccccc"><tr><td><table bgcolor="#ffffff"><tr><td nowrap="nowrap"><strong>Description:
+ </strong></td><td></td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Syntax" class="help">Syntax:
+ </a></td><td>AuthLDAPDereferenceAliases never|searching|finding|always</td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Default" class="help">Default:
+ </a></td><td><code>AuthLDAPDereferenceAliases Always</code></td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Context" class="help">Context:
+ </a></td><td>directory, .htaccess</td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Override" class="help">Override:
+ </a></td><td>AuthConfig</td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Status" class="help">Status:
+ </a></td><td>experimental</td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Module" class="help">Module:
+ </a></td><td>mod_auth_ldap</td></tr></table></td></tr></table>
+ <p>This directive specifies when <code><a href="../mod/mod_auth_ldap.html">mod_auth_ldap</a></code> will
+ de-reference aliases during LDAP operations. The default is
+ <code>always</code>.</p>
+<hr><h2><a name="AuthLDAPEnabled directive">AuthLDAPEnabled directive</a> <a name="authldapenabled directive">Directive</a></h2><table cellpadding="1" cellspacing="0" border="0" bgcolor="#cccccc"><tr><td><table bgcolor="#ffffff"><tr><td nowrap="nowrap"><strong>Description:
+ </strong></td><td></td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Syntax" class="help">Syntax:
+ </a></td><td> AuthLDAPEnabled on|off</td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Default" class="help">Default:
+ </a></td><td><code>AuthLDAPEnabled on</code></td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Context" class="help">Context:
+ </a></td><td>directory, .htaccess</td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Override" class="help">Override:
+ </a></td><td>AuthConfig</td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Status" class="help">Status:
+ </a></td><td>experimental</td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Module" class="help">Module:
+ </a></td><td>mod_auth_ldap</td></tr></table></td></tr></table>
+ <p>Set to <code>off</code> to disable
+ <code><a href="../mod/mod_auth_ldap.html">mod_auth_ldap</a></code> in certain directories. This is
+ useful if you have <code><a href="../mod/mod_auth_ldap.html">mod_auth_ldap</a></code> enabled at or
+ near the top of your tree, but want to disable it completely in
+ certain locations.</p>
+<hr><h2><a name="AuthLDAPFrontPageHack">AuthLDAPFrontPageHack</a> <a name="authldapfrontpagehack">Directive</a></h2><table cellpadding="1" cellspacing="0" border="0" bgcolor="#cccccc"><tr><td><table bgcolor="#ffffff"><tr><td nowrap="nowrap"><strong>Description:
+ </strong></td><td></td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Syntax" class="help">Syntax:
+ </a></td><td>AuthLDAPFrontPageHack on|off</td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Default" class="help">Default:
+ </a></td><td><code>AuthLDAPFronPageHack off</code></td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Context" class="help">Context:
+ </a></td><td>directory, .htaccess</td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Override" class="help">Override:
+ </a></td><td>AuthConfig</td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Status" class="help">Status:
+ </a></td><td>experimental</td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Module" class="help">Module:
+ </a></td><td>mod_auth_ldap</td></tr></table></td></tr></table>
+ <p>See the section on <a href="#frontpage">using Microsoft
+ FrontPage</a> with <code><a href="../mod/mod_auth_ldap.html">mod_auth_ldap</a></code>.</p>
+<hr><h2><a name="AuthLDAPGroupAttribute">AuthLDAPGroupAttribute</a> <a name="authldapgroupattribute">Directive</a></h2><table cellpadding="1" cellspacing="0" border="0" bgcolor="#cccccc"><tr><td><table bgcolor="#ffffff"><tr><td nowrap="nowrap"><strong>Description:
+ </strong></td><td></td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Syntax" class="help">Syntax:
+ </a></td><td>AuthLDAPGroupAttribute <em>attribute</em></td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Context" class="help">Context:
+ </a></td><td>directory, .htaccess</td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Override" class="help">Override:
+ </a></td><td>AuthConfig</td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Status" class="help">Status:
+ </a></td><td>experimental</td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Module" class="help">Module:
+ </a></td><td>mod_auth_ldap</td></tr></table></td></tr></table>
+ <p>This directive specifies which LDAP attributes are used to
+ check for group membership. Multiple attributes can be used by
+ specifying this directive multiple times. If not specified,
+ then <code><a href="../mod/mod_auth_ldap.html">mod_auth_ldap</a></code> uses the <code>member</code> and
+ <code>uniquemember</code> attributes.</p>
+<hr><h2><a name="AuthLDAPGroupAttributeIsDN">AuthLDAPGroupAttributeIsDN</a> <a name="authldapgroupattributeisdn">Directive</a></h2><table cellpadding="1" cellspacing="0" border="0" bgcolor="#cccccc"><tr><td><table bgcolor="#ffffff"><tr><td nowrap="nowrap"><strong>Description:
+ </strong></td><td></td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Syntax" class="help">Syntax:
+ </a></td><td>AuthLDAPGroupAttributeIsDN on|off</td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Default" class="help">Default:
+ </a></td><td><code>AuthLDAPGroupAttributeIsDN on</code></td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Context" class="help">Context:
+ </a></td><td>directory, .htaccess</td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Override" class="help">Override:
+ </a></td><td>AuthConfig</td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Status" class="help">Status:
+ </a></td><td>experimental</td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Module" class="help">Module:
+ </a></td><td>mod_auth_ldap</td></tr></table></td></tr></table>
+ <p>When set <code>on</code>, this directive says to use the
+ distinguished name of the client username when checking for group
+ membership. Otherwise, the username will be used. For example,
+ assume that the client sent the username <code>bjenson</code>,
+ which corresponds to the LDAP DN <code>cn=Babs Jenson,
+ o=Airius</code>. If this directive is set,
+ <code><a href="../mod/mod_auth_ldap.html">mod_auth_ldap</a></code> will check if the group has
+ <code>cn=Babs Jenson, o=Airius</code> as a member. If this
+ directive is not set, then <code><a href="../mod/mod_auth_ldap.html">mod_auth_ldap</a></code> will
+ check if the group has <code>bjenson</code> as a member.</p>
+<hr><h2><a name="AuthLDAPRemoteUserIsDN">AuthLDAPRemoteUserIsDN</a> <a name="authldapremoteuserisdn">Directive</a></h2><table cellpadding="1" cellspacing="0" border="0" bgcolor="#cccccc"><tr><td><table bgcolor="#ffffff"><tr><td nowrap="nowrap"><strong>Description:
+ </strong></td><td></td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Syntax" class="help">Syntax:
+ </a></td><td>AuthLDAPRemoteUserIsDN on|off</td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Default" class="help">Default:
+ </a></td><td><code>AuthLDAPUserIsDN off</code></td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Context" class="help">Context:
+ </a></td><td>directory, .htaccess</td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Override" class="help">Override:
+ </a></td><td>AuthConfig</td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Status" class="help">Status:
+ </a></td><td>experimental</td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Module" class="help">Module:
+ </a></td><td>mod_auth_ldap</td></tr></table></td></tr></table>
+ <p>If this directive is set to on, the value of the
+ <code>REMOTE_USER</code> environment variable will be set to the full
+ distinguished name of the authenticated user, rather than just
+ the username that was passed by the client. It is turned off by
+ default.</p>
+<hr><h2><a name="AuthLDAPStartTLS directive">AuthLDAPStartTLS directive</a> <a name="authldapstarttls directive">Directive</a></h2><table cellpadding="1" cellspacing="0" border="0" bgcolor="#cccccc"><tr><td><table bgcolor="#ffffff"><tr><td nowrap="nowrap"><strong>Description:
+ </strong></td><td></td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Syntax" class="help">Syntax:
+ </a></td><td>AuthLDAPStartTLS on|off</td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Default" class="help">Default:
+ </a></td><td><code>AuthLDAPStartTLS off</code></td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Context" class="help">Context:
+ </a></td><td>directory, .htaccess</td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Override" class="help">Override:
+ </a></td><td>AuthConfig</td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Status" class="help">Status:
+ </a></td><td>experimental</td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Module" class="help">Module:
+ </a></td><td>mod_auth_ldap</td></tr></table></td></tr></table>
+ <p>If this directive is set to <code>on</code>,
+ <code><a href="../mod/mod_auth_ldap.html">mod_auth_ldap</a></code> will start a secure TLS session
+ after connecting to the LDAP server. This requires your LDAP
+ server to support TLS.</p>
+<hr><h2><a name="AuthLDAPUrl">AuthLDAPUrl</a> <a name="authldapurl">Directive</a></h2><table cellpadding="1" cellspacing="0" border="0" bgcolor="#cccccc"><tr><td><table bgcolor="#ffffff"><tr><td nowrap="nowrap"><strong>Description:
+ </strong></td><td></td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Syntax" class="help">Syntax:
+ </a></td><td>AuthLDAPUrl <em>url</em></td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Context" class="help">Context:
+ </a></td><td>directory, .htaccess</td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Override" class="help">Override:
+ </a></td><td>AuthConfig</td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Status" class="help">Status:
+ </a></td><td>experimental</td></tr><tr><td nowrap="nowrap"><a href="directive-dict.html#Module" class="help">Module:
+ </a></td><td>mod_auth_ldap</td></tr></table></td></tr></table>
+ <p>An RFC 2255 URL which specifies the LDAP search parameters
+ to use. The syntax of the URL is</p>
+<blockquote><table cellpadding="10"><tr><td bgcolor="#eeeeee"><code>ldap://host:port/basedn?attribute?scope?filter</code></td></tr></table></blockquote>
+
+<dl>
+<dt>ldap</dt>
+
+ <dd>For regular ldap, use the
+ string <code>ldap</code>. For secure LDAP, use <code>ldaps</code>
+ instead. Secure LDAP is only available if Apache was linked
+ to an LDAP library with SSL support.</dd>
+
+<dt>host:port</dt>
+
+ <dd>
+ <p>The name/port of the ldap server (defaults to
+ <code>localhost:389</code> for <code>ldap</code>, and
+ <code>localhost:636</code> for <code>ldaps</code>). To
+ specify multiple, redundant LDAP servers, just list all
+ servers, separated by spaces. <code><a href="../mod/mod_auth_ldap.html">mod_auth_ldap</a></code>
+ will try connecting to each server in turn, until it makes a
+ successful connection.</p>
+
+ <p>Once a connection has been made to a server, that
+ connection remains active for the life of the
+ <code>httpd</code> process, or until the LDAP server goes
+ down.</p>
+
+ <p>If the LDAP server goes down and breaks an existing
+ connection, <code><a href="../mod/mod_auth_ldap.html">mod_auth_ldap</a></code> will attempt to
+ re-connect, starting with the primary server, and trying
+ each redundant server in turn. Note that this is different
+ than a true round-robin search.</p>
+ </dd>
+
+<dt>basedn</dt>
+
+ <dd>The DN of the branch of the
+ directory where all searches should start from. At the very
+ least, this must be the top of your directory tree, but
+ could also specify a subtree in the directory.</dd>
+
+<dt>attribute</dt>
+
+ <dd>The attribute to search for.
+ Although RFC 2255 allows a comma-separated list of
+ attributes, only the first attribute will be used, no
+ matter how many are provided. If no attributes are
+ provided, the default is to use <code>uid</code>. It's a good
+ idea to choose an attribute that will be unique across all
+ entries in the subtree you will be using.</dd>
+
+<dt>scope</dt>
+
+ <dd>The scope of the search. Can be either <code>one</code> or
+ <code>sub</code>. Note that a scope of <code>base</code> is
+ also supported by RFC 2255, but is not supported by this
+ module. If the scope is not provided, or if <code>base</code> scope
+ is specified, the default is to use a scope of
+ <code>sub</code>.</dd>
+
+<dt>filter</dt>
+
+ <dd>A valid LDAP search filter. If
+ not provided, defaults to <code>(objectClass=*)</code>, which
+ will search for all objects in the tree. Filters are
+ limited to approximately 8000 characters (the definition of
+ <code>MAX_STRING_LEN</code> in the Apache source code). This
+ should be than sufficient for any application.</dd>
+</dl>
+
+ <p>When doing searches, the attribute, filter and username passed
+ by the HTTP client are combined to create a search filter that
+ looks like
+ <code>(&(<em>filter</em>)(<em>attribute</em>=<em>username</em>))</code>.</p>
+
+ <p>For example, consider an URL of
+ <code>ldap://ldap.airius.com/o=Airius?cn?sub?(posixid=*)</code>. When
+ a client attempts to connect using a username of <code>Babs
+ Jenson</code>, the resulting search filter will be
+ <code>(&(posixid=*)(cn=Babs Jenson))</code>.</p>
+
+ <p>See above for examples of <a href="#authldapurl" class="directive"><code class="directive">AuthLDAPURL</code></a> URLs.</p>
+<hr></blockquote><h3 align="center">Apache HTTP Server Version 2.0</h3><a href="./"><img src="../images/index.gif" alt="Index"></a><a href="../"><img src="../images/home.gif" alt="Home"></a></body></html>
\ No newline at end of file
--- /dev/null
+<?xml version="1.0"?>
+<!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd">
+<?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?>
+<modulesynopsis>
+
+<name>mod_auth_ldap</name>
+<description>Allows an LDAP directory to be used to store the database
+for HTTP Basic authentication.</description>
+<status>experimental</status>
+<sourcefile>mod_auth_ldap.c</sourcefile>
+<identifier>auth_ldap_module</identifier>
+
+<summary>
+ <p><module>mod_auth_ldap</module> supports the following features:</p>
+
+ <ul>
+ <li>Known to support the <a
+ href="http://www.openldap.org/">OpenLDAP SDK</a> (both 1.x
+ and 2.x), and the <a
+ href="http://www.iplanet.com/downloads/developer/">iPlanet
+ (Netscape)</a> SDK.</li>
+
+ <li>Complex authorization policies can be implemented by
+ representing the policy with LDAP filters.</li>
+
+ <li>Support for Microsoft FrontPage allows FrontPage users to
+ control access to their webs, while retaining LDAP for user
+ authentication.</li>
+
+ <li>Uses extensive caching of LDAP operations via <a
+ href="mod_ldap.html">mod_ldap</a>.</li>
+
+ <li>Support for LDAP over SSL (requires the Netscape SDK) or
+ TLS (requires the OpenLDAP 2.x SDK).</li>
+ </ul>
+</summary>
+
+<section id="contents"><title>Contents</title>
+
+ <ul>
+ <li>
+ <a href="#operation">Operation</a>
+
+ <ul>
+ <li><a href="#authenphase">The Authentication
+ Phase</a></li>
+
+ <li><a href="#authorphase">The Authorization
+ Phase</a></li>
+ </ul>
+ </li>
+
+ <li>
+ <a href="#requiredirectives">The require Directives</a>
+
+ <ul>
+ <li><a href="#reqvaliduser">require valid-user</a></li>
+
+ <li><a href="#requser">require user</a></li>
+
+ <li><a href="#reqgroup">require group</a></li>
+
+ <li><a href="#reqdn">require dn</a></li>
+ </ul>
+ </li>
+
+ <li><a href="#examples">Examples</a></li>
+
+ <li><a href="#usingtls">Using TLS</a></li>
+
+ <li><a href="#usingssl">Using SSL</a></li>
+
+ <li>
+ <a href="#frontpage">Using Microsoft FrontPage with
+ <module>mod_auth_ldap</module></a>
+
+ <ul>
+ <li><a href="#howitworks">How It Works</a></li>
+
+ <li><a href="#fpcaveats">Caveats</a></li>
+ </ul>
+ </li>
+ </ul>
+</section>
+
+<section id="operation"><title>Operation</title>
+
+ <p>There are two phases in granting access to a user. The first
+ phase is authentication, in which <module>mod_auth_ldap</module>
+ verifies that the user's credentials are valid. This also called
+ the <em>search/bind</em> phase. The second phase is
+ authorization, in which <module>mod_auth_ldap</module> determines
+ if the authenticated user is allowed access to the resource in
+ question. This is also known as the <em>compare</em>
+ phase.</p>
+
+<section id="authenphase"><title>The Authentication
+ Phase</title>
+
+ <p>During the authentication phase, <module>mod_auth_ldap</module>
+ searches for an entry in the directory that matches the username
+ that the HTTP client passes. If a single unique match is found,
+ then <module>mod_auth_ldap</module> attempts to bind to the
+ directory server using the DN of the entry plus the password
+ provided by the HTTP client. Because it does a search, then a
+ bind, it is often referred to as the search/bind phase. Here are
+ the steps taken during the search/bind phase.</p>
+
+ <ol>
+ <li>Generate a search filter by combining the attribute and
+ filter provided in the <directive module="mod_auth_ldap"
+ >AuthLDAPURL</directive> directive with
+ the username passed by the HTTP client.</li>
+
+ <li>Search the directory using the generated filter. If the
+ search does not return exactly one entry, deny or decline
+ access.</li>
+
+ <li>Fetch the distinguished name of the entry retrieved from
+ the search and attempt to bind to the LDAP server using the
+ DN and the password passed by the HTTP client. If the bind is
+ unsuccessful, deny or decline access.</li>
+ </ol>
+
+ <p>The following directives are used during the search/bind
+ phase</p>
+
+ <table>
+ <tr>
+ <td><directive module="mod_auth_ldap">AuthLDAPURL</directive></td>
+
+ <td>Specifies the LDAP server, the
+ base DN, the attribute to use in the search, as well as the
+ extra search filter to use.</td>
+ </tr>
+
+ <tr>
+ <td><directive module="mod_auth_ldap">AuthLDAPBindDN</directive></td>
+
+ <td>An optional DN to bind with
+ during the search phase.</td>
+ </tr>
+
+ <tr>
+ <td><directive
+ module="mod_auth_ldap">AuthLDAPBindPassword</directive></td>
+
+ <td>An optional password to bind
+ with during the search phase.</td>
+ </tr>
+ </table>
+</section>
+
+<section id="authorphase"><title>The Authorization
+ Phase</title>
+
+ <p>During the authorization phase, <module>mod_auth_ldap</module>
+ attempts to determine if the user is authorized to access the
+ resource. Many of these checks require
+ <module>mod_auth_ldap</module> to do a compare operation on the
+ LDAP server. This is why this phase is often referred to as the
+ compare phase. <module>mod_auth_ldap</module> accepts the
+ following <directive module="core">Require</directive>
+ directives to determine if the credentials are acceptable:</p>
+
+ <ul>
+ <li>Grant access if there is a <a href="#requser"><code>require
+ valid-user</code></a> directive.</li>
+
+ <li>Grant access if there is a <a
+ href="#reqgroup"><code>require user</code></a> directive, and the
+ username in the directive matches the username passed by the
+ client.</li>
+
+ <li>Grant access if there is a <a href="#reqdn"><code>require
+ dn</code></a> directive, and the DN in the directive matches
+ the DN fetched from the LDAP directory.</li>
+
+ <li>Grant access if there is a <a
+ href="#reqgroup"><code>require group</code></a> directive, and
+ the DN fetched from the LDAP directory (or the username
+ passed by the client) occurs in the LDAP group.</li>
+
+ <li>otherwise, deny or decline access</li>
+ </ul>
+
+ <p><module>mod_auth_ldap</module> uses the following directives during the
+ compare phase:</p>
+
+ <table>
+ <tr>
+ <td><directive module="mod_auth_ldap">AuthLDAPURL</directive> </td>
+
+ <td>The attribute specified in the
+ URL is used in compare operations for the <code>require
+ user</code> operation.</td>
+ </tr>
+
+ <tr>
+ <td><directive
+ module="mod_auth_ldap">AuthLDAPCompareDNOnServer</directive></td>
+
+ <td>Determines the behavior of the
+ <code>require dn</code> directive.</td>
+ </tr>
+
+ <tr>
+ <td><directive
+ module="mod_auth_ldap">AuthLDAPGroupAttribute</directive></td>
+
+ <td>Determines the attribute to
+ use for comparisons in the <code>require group</code>
+ directive.</td>
+ </tr>
+
+ <tr>
+ <td><directive
+ module="mod_auth_ldap">AuthLDAPGroupAttributeIsDN</directive></td>
+
+ <td>Specifies whether to use the
+ user DN or the username when doing comparisons for the
+ <code>require group</code> directive.</td>
+ </tr>
+ </table>
+</section>
+</section>
+
+<section id="requiredirectives"><title>The require Directives</title>
+
+ <p>Apache's <directive module="core">Require</directive>
+ directives are used during the authorization phase to ensure that
+ a user is allowed to access a resource.</p>
+
+<section id="reqvaliduser"><title>require
+ valid-user</title>
+
+ <p>If this directive exists, <module>mod_auth_ldap</module> grants
+ access to any user that has successfully authenticated during the
+ search/bind phase.</p>
+</section>
+
+<section id="requser"><title>require user</title>
+
+ <p>The <code>require user</code> directive specifies what
+ usernames can access the resource. Once
+ <module>mod_auth_ldap</module> has retrieved a unique DN from the
+ directory, it does an LDAP compare operation using the username
+ specified in the <code>require user</code> to see if that username
+ is part of the just-fetched LDAP entry. Multiple users can be
+ granted access by putting multiple usernames on the line,
+ separated with spaces. If a username has a space in it, then it
+ must be the only user on the line. In this case, multiple users
+ can be granted access by using multiple <code>require user</code>
+ directives, with one user per line. For example, with a <directive
+ module="mod_auth_ldap">AuthLDAPURL</directive> of
+ <code>ldap://ldap/o=Airius?cn</code> (i.e., <code>cn</code> is
+ used for searches), the following require directives could be used
+ to restrict access:</p>
+<example>
+require user Barbara Jenson<br />
+require user Fred User<br />
+require user Joe Manager<br />
+</example>
+
+ <p>Because of the way that <module>mod_auth_ldap</module> handles this
+ directive, Barbara Jenson could sign on as <em>Barbara
+ Jenson</em>, <em>Babs Jenson</em> or any other <code>cn</code> that
+ she has in her LDAP entry. Only the single <code>require
+ user</code> line is needed to support all values of the attribute
+ in the user's entry.</p>
+
+ <p>If the <code>uid</code> attribute was used instead of the
+ <code>cn</code> attribute in the URL above, the above three lines
+ could be condensed to</p>
+<example>require user bjenson fuser jmanager</example>
+</section>
+
+<section id="reqgroup"><title>require group</title>
+
+ <p>This directive specifies an LDAP group whose members are
+ allowed access. It takes the distinguished name of the LDAP
+ group. For example, assume that the following entry existed in
+ the LDAP directory:</p>
+<example>
+dn: cn=Administrators, o=Airius<br />
+objectClass: groupOfUniqueNames<br />
+uniqueMember: cn=Barbara Jenson, o=Airius<br />
+uniqueMember: cn=Fred User, o=Airius<br />
+</example>
+
+ <p>The following directive would grant access to both Fred and
+ Barbara:</p>
+<example>require group cn=Administrators, o=Airius</example>
+
+ <p>Behavior of this directive is modified by the <directive
+ module="mod_auth_ldap">AuthLDAPGroupAttribute</directive> and
+ <directive
+ module="mod_auth_ldap">AuthLDAPGroupAttributeIsDN</directive>
+ directives.</p>
+</section>
+
+<section id="reqdn"><title>require dn</title>
+
+ <p>The <code>require dn</code> directive allows the administrator
+ to grant access based on distinguished names. It specifies a DN
+ that must match for access to be granted. If the distinguished
+ name that was retrieved from the directory server matches the
+ distinguished name in the <code>require dn</code>, then
+ authorization is granted.</p>
+
+ <p>The following directive would grant access to a specific
+ DN:</p>
+<example>require dn cn=Barbara Jenson, o=Airius</example>
+
+ <p>Behavior of this directive is modified by the <directive
+ module="mod_auth_ldap">AuthLDAPCompareDNOnServer</directive>
+ directive.</p>
+</section>
+</section>
+
+<section id="examples"><title>Examples</title>
+
+ <ul>
+ <li>
+ Grant access to anyone who exists in the LDAP directory,
+ using their UID for searches.
+<example>
+AuthLDAPURL ldap://ldap1.airius.com:389/ou=People, o=Airius?uid?sub?(objectClass=*)<br />
+require valid-user
+</example>
+ </li>
+
+ <li>
+ The next example is the same as above; but with the fields
+ that have useful defaults omitted. Also, note the use of a
+ redundant LDAP server.
+<example>AuthLDAPURL ldap://ldap1.airius.com ldap2.airius.com/ou=People, o=Airius<br />
+require valid-user
+</example>
+ </li>
+
+ <li>
+ The next example is similar to the previous one, but is
+ uses the common name instead of the UID. Note that this
+ could be problematical if multiple people in the directory
+ share the same <code>cn</code>, because a search on <code>cn</code>
+ <strong>must</strong> return exactly one entry. That's why
+ this approach is not recommended: it's a better idea to
+ choose an attribute that is guaranteed unique in your
+ directory, such as <code>uid</code>.
+<example>
+AuthLDAPURL ldap://ldap.airius.com/ou=People, o=Airius?cn<br />
+require valid-user
+</example>
+ </li>
+
+ <li>
+ Grant access to anybody in the Administrators group. The
+ users must authenticate using their UID.
+<example>
+AuthLDAPURL ldap://ldap.airius.com/o=Airius?uid<br />
+require group cn=Administrators, o=Airius
+</example>
+ </li>
+
+ <li>
+ The next example assumes that everyone at Airius who
+ carries an alphanumeric pager will have an LDAP attribute
+ of <code>qpagePagerID</code>. The example will grant access
+ only to people (authenticated via their UID) who have
+ alphanumeric pagers:
+<example>
+AuthLDAPURL ldap://ldap.airius.com/o=Airius?uid??(qpagePagerID=*)<br />
+require valid-user
+</example>
+ </li>
+
+ <li>
+ <p>The next example demonstrates the power of using filters
+ to accomplish complicated administrative requirements.
+ Without filters, it would have been necessary to create a
+ new LDAP group and ensure that the group's members remain
+ synchronized with the pager users. This becomes trivial
+ with filters. The goal is to grant access to anyone who has
+ a filter, plus grant access to Joe Manager, who doesn't
+ have a pager, but does need to access the same
+ resource:</p>
+<example>
+AuthLDAPURL ldap://ldap.airius.com/o=Airius?uid??(|(qpagePagerID=*)(uid=jmanager))<br />
+require valid-user
+</example>
+
+ <p>This last may look confusing at first, so it helps to
+ evaluate what the search filter will look like based on who
+ connects, as shown below. The text in blue is the part that
+ is filled in using the attribute specified in the URL. The
+ text in red is the part that is filled in using the filter
+ specified in the URL. The text in green is filled in using
+ the information that is retrieved from the HTTP client. If
+ Fred User connects as <code>fuser</code>, the filter would look
+ like</p>
+
+ <example>(&<font
+ color="red">(|(qpagePagerID=*)(uid=jmanager))</font>(<font
+ color="blue">uid</font>=<font
+ color="green">fuser</font>))</example>
+
+ <p>The above search will only succeed if <em>fuser</em> has a
+ pager. When Joe Manager connects as <em>jmanager</em>, the
+ filter looks like</p>
+
+ <example>(&<font
+ color="red">(|(qpagePagerID=*)(uid=jmanager))</font>(<font
+ color="blue">uid</font>=<font
+ color="green">jmanager</font>))</example>
+
+ <p>The above search will succeed whether <em>jmanager</em>
+ has a pager or not.</p>
+ </li>
+ </ul>
+</section>
+
+<section id="usingtls"><title>Using TLS</title>
+
+ <p>To use TLS, simply set the <directive
+ module="mod_auth_ldap">AuthLDAPStartTLS</directive> to on.
+ Nothing else needs to be done (other than ensure that your LDAP
+ server is configured for TLS).</p>
+</section>
+
+<section id="usingssl"><title>Using SSL</title>
+
+ <p>If <module>mod_auth_ldap</module> is linked against the
+ Netscape/iPlanet LDAP SDK, it will not talk to any SSL server
+ unless that server has a certificate signed by a known Certificate
+ Authority. As part of the configuration
+ <module>mod_auth_ldap</module> needs to be told where it can find
+ a database containing the known CAs. This database is in the same
+ format as Netscape Communicator's <code>cert7.db</code>
+ database. The easiest way to get this file is to start up a fresh
+ copy of Netscape, and grab the resulting
+ <code>$HOME/.netscape/cert7.db</code> file.</p>
+
+ <p>To specify a secure LDAP server, use <em>ldaps://</em> in the
+ <directive module="mod_auth_ldap">AuthLDAPURL</directive>
+ directive, instead of <em>ldap://</em>.</p>
+</section>
+
+<section id="frontpage"><title>Using Microsoft
+ FrontPage with mod_auth_ldap</title>
+
+ <p>Normally, FrontPage uses FrontPage-web-specific user/group
+ files (i.e., the <module>mod_auth</module> module) to handle all
+ authentication. Unfortunately, it is not possible to just
+ change to LDAP authentication by adding the proper directives,
+ because it will break the <em>Permissions</em> forms in
+ the FrontPage client, which attempt to modify the standard
+ text-based authorization files.</p>
+
+ <p>Once a FrontPage web has been created, adding LDAP
+ authentication to it is a matter of adding the following
+ directives to <em>every</em> <code>.htaccess</code> file
+ that gets created in the web</p>
+<example><pre>
+AuthLDAPURL the url
+AuthLDAPAuthoritative off
+AuthLDAPFrontPageHack on
+</pre></example>
+
+ <p><directive
+ module="mod_auth_ldap">AuthLDAPAuthoritative</directive> must be
+ off to allow <module>mod_auth_ldap</module> to decline group
+ authentication so that Apache will fall back to file
+ authentication for checking group membership. This allows the
+ FrontPage-managed group file to be used.</p>
+
+<section id="howitworks"><title>How It Works</title>
+
+ <p>FrontPage restricts access to a web by adding the <code>require
+ valid-user</code> directive to the <code>.htaccess</code>
+ files. If <directive
+ module="mod_auth_ldap">AuthLDAPFrontPageHack</directive> is not
+ on, the <code>require valid-user</code> directive will succeed for
+ any user who is valid <em>as far as LDAP is
+ concerned</em>. This means that anybody who has an entry in
+ the LDAP directory is considered a valid user, whereas FrontPage
+ considers only those people in the local user file to be
+ valid. The purpose of the hack is to force Apache to consult the
+ local user file (which is managed by FrontPage) - instead of LDAP
+ - when handling the <code>require valid-user</code> directive.</p>
+
+ <p>Once directives have been added as specified above,
+ FrontPage users will be able to perform all management
+ operations from the FrontPage client.</p>
+</section>
+
+<section id="fpcaveats"><title>Caveats</title>
+
+ <ul>
+ <li>When choosing the LDAP URL, the attribute to use for
+ authentication should be something that will also be valid
+ for putting into a <module>mod_auth</module> user file. The user ID is
+ ideal for this.</li>
+
+ <li>When adding users via FrontPage, FrontPage administrators
+ should choose usernames that already exist in the LDAP
+ directory (for obvious reasons). Also, the password that the
+ administrator enters into the form is ignored, since Apache
+ will actually be authenticating against the password in the
+ LDAP database, and not against the password in the local user
+ file. This could cause confusion for web administrators.</li>
+
+ <li>Apache must be compiled with <module>mod_auth</module> in order to
+ use FrontPage support. This is because Apache will still use
+ the <module>mod_auth</module> group file for determine the extent of a
+ user's access to the FrontPage web.</li>
+
+ <li>The directives must be put in the <code>.htaccess</code>
+ files. Attempting to put them inside <directive module="core"
+ type="section">Location</directive> or <directive module="core"
+ type="section">Directory</directive> directives won't work. This
+ is because <module>mod_auth_ldap</module> has to be able to grab
+ the <directive module="mod_auth">AuthUserFile</directive>
+ directive that is found in FrontPage <code>.htaccess</code>
+ files so that it knows where to look for the valid user list. If
+ the <module>mod_auth_ldap</module> directives aren't in the same
+ <code>.htaccess</code> file as the FrontPage directives, then
+ the hack won't work, because <module>mod_auth_ldap</module> will
+ never get a chance to process the <code>.htaccess</code> file,
+ and won't be able to find the FrontPage-managed user file.</li>
+ </ul>
+</section>
+</section>
+
+<directivesynopsis>
+<name>AuthLDAPAuthoritative</name>
+<syntax>AuthLDAPAuthoritative on|off</syntax>
+<default>AuthLDAPAuthoritative on</default>
+<contextlist><context>directory</context><context>.htaccess</context>
+</contextlist>
+<override>AuthConfig</override>
+
+<usage>
+ <p>Set to <code>off</code> if this module should let other
+ authentication modules attempt to authenticate the user, should
+ authentication with this module fail. Control is only passed on
+ to lower modules if there is no DN or rule that matches the
+ supplied user name (as passed by the client).</p>
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
+<name>AuthLDAPBindDN</name>
+<syntax>AuthLDAPBindDN <em>distinguished-name</em></syntax>
+<contextlist><context>directory</context><context>.htaccess</context>
+</contextlist>
+<override>AuthConfig</override>
+
+<usage>
+ <p>An optional DN used to bind to the server when searching for
+ entries. If not provided, <module>mod_auth_ldap</module> will use
+ an anonymous bind.</p>
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
+<name>AuthLDAPBindPassword</name>
+<syntax>AuthLDAPBindPassword <em>password</em></syntax>
+<contextlist><context>directory</context><context>.htaccess</context>
+</contextlist>
+<override>AuthConfig</override>
+
+<usage>
+ <p>A bind password to use in conjunction with the bind DN. Note
+ that the bind password is probably sensitive data, and should be
+ properly protected. You should only use the <directive
+ module="mod_auth_ldap">AuthLDAPBindDN</directive> and <directive
+ module="mod_auth_ldap">AuthLDAPBindPassword</directive> if you
+ absolutely need them to search the directory.</p>
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
+<name>AuthLDAPCompareDNOnServer</name>
+<syntax>AuthLDAPCompareDNOnServer on|off</syntax>
+<default>AuthLDAPCompareDNOnServer on</default>
+<contextlist><context>directory</context><context>.htaccess</context>
+</contextlist>
+<override>AuthConfig</override>
+
+<usage>
+ <p>When set, <module>mod_auth_ldap</module> will use the LDAP
+ server to compare the DNs. This is the only foolproof way to
+ compare DNs. <module>mod_auth_ldap</module> will search the
+ directory for the DN specified with the <a
+ href="#reqdn"><code>require dn</code></a> directive, then,
+ retrieve the DN and compare it with the DN retrieved from the user
+ entry. If this directive is not set,
+ <module>mod_auth_ldap</module> simply does a string comparison. It
+ is possible to get false negatives with this approach, but it is
+ much faster. Note the <module>mod_ldap</module> cache can speed up
+ DN comparison in most situations.</p>
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
+<name>AuthLDAPDereferenceAliases</name>
+<syntax>AuthLDAPDereferenceAliases never|searching|finding|always</syntax>
+<default>AuthLDAPDereferenceAliases Always</default>
+<contextlist><context>directory</context><context>.htaccess</context>
+</contextlist>
+<override>AuthConfig</override>
+
+<usage>
+ <p>This directive specifies when <module>mod_auth_ldap</module> will
+ de-reference aliases during LDAP operations. The default is
+ <code>always</code>.</p>
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
+<name>AuthLDAPEnabled directive</name>
+<syntax> AuthLDAPEnabled on|off</syntax>
+<default>AuthLDAPEnabled on</default>
+<contextlist><context>directory</context><context>.htaccess</context>
+</contextlist>
+<override>AuthConfig</override>
+
+<usage>
+ <p>Set to <code>off</code> to disable
+ <module>mod_auth_ldap</module> in certain directories. This is
+ useful if you have <module>mod_auth_ldap</module> enabled at or
+ near the top of your tree, but want to disable it completely in
+ certain locations.</p>
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
+<name>AuthLDAPFrontPageHack</name>
+<syntax>AuthLDAPFrontPageHack on|off</syntax>
+<default>AuthLDAPFronPageHack off</default>
+<contextlist><context>directory</context><context>.htaccess</context>
+</contextlist>
+<override>AuthConfig</override>
+
+<usage>
+ <p>See the section on <a href="#frontpage">using Microsoft
+ FrontPage</a> with <module>mod_auth_ldap</module>.</p>
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
+<name>AuthLDAPGroupAttribute</name>
+<syntax>AuthLDAPGroupAttribute <em>attribute</em></syntax>
+<contextlist><context>directory</context><context>.htaccess</context>
+</contextlist>
+<override>AuthConfig</override>
+
+<usage>
+ <p>This directive specifies which LDAP attributes are used to
+ check for group membership. Multiple attributes can be used by
+ specifying this directive multiple times. If not specified,
+ then <module>mod_auth_ldap</module> uses the <code>member</code> and
+ <code>uniquemember</code> attributes.</p>
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
+<name>AuthLDAPGroupAttributeIsDN</name>
+<syntax>AuthLDAPGroupAttributeIsDN on|off</syntax>
+<default>AuthLDAPGroupAttributeIsDN on</default>
+<contextlist><context>directory</context><context>.htaccess</context>
+</contextlist>
+<override>AuthConfig</override>
+
+<usage>
+ <p>When set <code>on</code>, this directive says to use the
+ distinguished name of the client username when checking for group
+ membership. Otherwise, the username will be used. For example,
+ assume that the client sent the username <code>bjenson</code>,
+ which corresponds to the LDAP DN <code>cn=Babs Jenson,
+ o=Airius</code>. If this directive is set,
+ <module>mod_auth_ldap</module> will check if the group has
+ <code>cn=Babs Jenson, o=Airius</code> as a member. If this
+ directive is not set, then <module>mod_auth_ldap</module> will
+ check if the group has <code>bjenson</code> as a member.</p>
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
+<name>AuthLDAPRemoteUserIsDN</name>
+<syntax>AuthLDAPRemoteUserIsDN on|off</syntax>
+<default>AuthLDAPUserIsDN off</default>
+<contextlist><context>directory</context><context>.htaccess</context>
+</contextlist>
+<override>AuthConfig</override>
+
+<usage>
+ <p>If this directive is set to on, the value of the
+ <code>REMOTE_USER</code> environment variable will be set to the full
+ distinguished name of the authenticated user, rather than just
+ the username that was passed by the client. It is turned off by
+ default.</p>
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
+<name>AuthLDAPStartTLS directive</name>
+<syntax>AuthLDAPStartTLS on|off</syntax>
+<default>AuthLDAPStartTLS off</default>
+<contextlist><context>directory</context><context>.htaccess</context>
+</contextlist>
+<override>AuthConfig</override>
+
+<usage>
+ <p>If this directive is set to <code>on</code>,
+ <module>mod_auth_ldap</module> will start a secure TLS session
+ after connecting to the LDAP server. This requires your LDAP
+ server to support TLS.</p>
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
+<name>AuthLDAPUrl</name>
+<syntax>AuthLDAPUrl <em>url</em></syntax>
+<contextlist><context>directory</context><context>.htaccess</context>
+</contextlist>
+<override>AuthConfig</override>
+
+<usage>
+ <p>An RFC 2255 URL which specifies the LDAP search parameters
+ to use. The syntax of the URL is</p>
+<example>ldap://host:port/basedn?attribute?scope?filter</example>
+
+<dl>
+<dt>ldap</dt>
+
+ <dd>For regular ldap, use the
+ string <code>ldap</code>. For secure LDAP, use <code>ldaps</code>
+ instead. Secure LDAP is only available if Apache was linked
+ to an LDAP library with SSL support.</dd>
+
+<dt>host:port</dt>
+
+ <dd>
+ <p>The name/port of the ldap server (defaults to
+ <code>localhost:389</code> for <code>ldap</code>, and
+ <code>localhost:636</code> for <code>ldaps</code>). To
+ specify multiple, redundant LDAP servers, just list all
+ servers, separated by spaces. <module>mod_auth_ldap</module>
+ will try connecting to each server in turn, until it makes a
+ successful connection.</p>
+
+ <p>Once a connection has been made to a server, that
+ connection remains active for the life of the
+ <code>httpd</code> process, or until the LDAP server goes
+ down.</p>
+
+ <p>If the LDAP server goes down and breaks an existing
+ connection, <module>mod_auth_ldap</module> will attempt to
+ re-connect, starting with the primary server, and trying
+ each redundant server in turn. Note that this is different
+ than a true round-robin search.</p>
+ </dd>
+
+<dt>basedn</dt>
+
+ <dd>The DN of the branch of the
+ directory where all searches should start from. At the very
+ least, this must be the top of your directory tree, but
+ could also specify a subtree in the directory.</dd>
+
+<dt>attribute</dt>
+
+ <dd>The attribute to search for.
+ Although RFC 2255 allows a comma-separated list of
+ attributes, only the first attribute will be used, no
+ matter how many are provided. If no attributes are
+ provided, the default is to use <code>uid</code>. It's a good
+ idea to choose an attribute that will be unique across all
+ entries in the subtree you will be using.</dd>
+
+<dt>scope</dt>
+
+ <dd>The scope of the search. Can be either <code>one</code> or
+ <code>sub</code>. Note that a scope of <code>base</code> is
+ also supported by RFC 2255, but is not supported by this
+ module. If the scope is not provided, or if <code>base</code> scope
+ is specified, the default is to use a scope of
+ <code>sub</code>.</dd>
+
+<dt>filter</dt>
+
+ <dd>A valid LDAP search filter. If
+ not provided, defaults to <code>(objectClass=*)</code>, which
+ will search for all objects in the tree. Filters are
+ limited to approximately 8000 characters (the definition of
+ <code>MAX_STRING_LEN</code> in the Apache source code). This
+ should be than sufficient for any application.</dd>
+</dl>
+
+ <p>When doing searches, the attribute, filter and username passed
+ by the HTTP client are combined to create a search filter that
+ looks like
+ <code>(&(<em>filter</em>)(<em>attribute</em>=<em>username</em>))</code>.</p>
+
+ <p>For example, consider an URL of
+ <code>ldap://ldap.airius.com/o=Airius?cn?sub?(posixid=*)</code>. When
+ a client attempts to connect using a username of <code>Babs
+ Jenson</code>, the resulting search filter will be
+ <code>(&(posixid=*)(cn=Babs Jenson))</code>.</p>
+
+ <p>See above for examples of <directive
+ module="mod_auth_ldap">AuthLDAPURL</directive> URLs.</p>
+</usage>
+</directivesynopsis>
+
+</modulesynopsis>
projects / apache / commitdiff