<related>
<modulelist>
- <module>mod_access</module>
+ <module>mod_authz_host</module>
<module>mod_cgi</module>
<module>mod_ext_filter</module>
<module>mod_headers</module>
<module>mod_rewrite</module>
</modulelist>
<directivelist>
- <directive module="mod_access">Allow</directive>
+ <directive module="mod_authz_host">Allow</directive>
<directive module="mod_log_config">CustomLog</directive>
- <directive module="mod_access">Deny</directive>
+ <directive module="mod_authz_host">Deny</directive>
<directive module="mod_ext_filter">ExtFilterDefine</directive>
<directive module="mod_headers">Header</directive>
<directive module="mod_log_config">LogFormat</directive>
<related>
<modulelist>
<module>core</module>
- <module>mod_auth</module>
+ <module>mod_authn_file</module>
+ <module>mod_authz_groupfile</module>
<module>mod_cgi</module>
<module>mod_include</module>
<module>mod_mime</module>
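Review bot: the module list swaps mod_auth for mod_authn_file and mod_authz_groupfile but leaves out mod_auth_basic, which the FrontPage hunk later in this patch names together with those two as the replacement for mod_auth. The directive list that follows still includes AuthType, so if the page's examples use Basic authentication, add <module>mod_auth_basic</module> here as well so readers know all three modules have to be loaded.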
<directive module="core">SetHandler</directive>
<directive module="core">AuthType</directive>
<directive module="core">AuthName</directive>
- <directive module="mod_auth">AuthUserFile</directive>
- <directive module="mod_auth">AuthGroupFile</directive>
+ <directive module="mod_authn_file">AuthUserFile</directive>
+ <directive module="mod_authz_groupfile">AuthGroupFile</directive>
<directive module="core">Require</directive>
</directivelist>
<section id="dbm"><title>DBM</title>
<p>Several Apache features, including
- <module>mod_auth_dbm</module> and <module>mod_rewrite</module>'s
+ <module>mod_authn_dbm</module> and <module>mod_rewrite</module>'s
DBM <directive module="mod_rewrite">RewriteMap</directive> use
simple key/value databases for quick lookups of information. Apache
includes SDBM with its source-code, so this database is always
instance a authentication which checks for a set of
explicitly configured users. Only these should receive
access and without explicit prompting (which would occur
- when using the Basic Auth via <module>mod_access</module>).</p>
+ when using the Basic Auth via <module>mod_auth_basic</module>).</p>
</dd>
<dt>Solution:</dt>
Allow use of the authorization directives (<directive
module="mod_authn_dbm">AuthDBMGroupFile</directive>,
<directive module="mod_authn_dbm">AuthDBMUserFile</directive>,
- <directive module="mod_authn_file">AuthGroupFile</directive>,
+ <directive module="mod_authz_groupfile">AuthGroupFile</directive>,
<directive module="core">AuthName</directive>,
<directive module="core">AuthType</directive>, <directive
module="mod_authn_file">AuthUserFile</directive>, <directive
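Review bot: the first entry of this list still attributes AuthDBMGroupFile to mod_authn_dbm, while the changed line moves AuthGroupFile to mod_authz_groupfile. Group lookups are authorization under the same split, so AuthDBMGroupFile belongs to mod_authz_dbm; as written the link will resolve to the authentication module's page. Suggest changing it in this hunk: <directive module="mod_authz_dbm">AuthDBMGroupFile</directive>.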
<dd>
Allow use of the directives controlling host access (<directive
- module="mod_access">Allow</directive>, <directive
- module="mod_access">Deny</directive> and <directive
- module="mod_access">Order</directive>).</dd>
+ module="mod_authz_host">Allow</directive>, <directive
+ module="mod_authz_host">Deny</directive> and <directive
+ module="mod_authz_host">Order</directive>).</dd>
<dt>Options</dt>
marks. It must be accompanied by <directive
module="core">AuthType</directive> and <directive
module="core">Require</directive> directives, and directives such
- as <directive module="mod_auth">AuthUserFile</directive> and
- <directive module="mod_auth">AuthGroupFile</directive> to
+ as <directive module="mod_authn_file">AuthUserFile</directive> and
+ <directive module="mod_authz_groupfile">AuthGroupFile</directive> to
work.</p>
<p>For example:</p>
It must be accompanied by <directive
module="core">AuthName</directive> and <directive
module="core">Require</directive> directives, and directives such
- as <directive module="mod_auth">AuthUserFile</directive> and
- <directive module="mod_auth">AuthGroupFile</directive> to
+ as <directive module="mod_authn_file">AuthUserFile</directive> and
+ <directive module="mod_authz_groupfile">AuthGroupFile</directive> to
work.</p>
</usage>
<seealso><a href="../howto/auth.html">Authentication, Authorization,
address. (In "tcpwrappers" terminology this is called
<code>PARANOID</code>.)</p>
- <p>Regardless of the setting, when <module>mod_access</module> is
+ <p>Regardless of the setting, when <module>mod_authz_host</module> is
used for controlling access by hostname, a double reverse lookup
will be performed. This is necessary for security. Note that the
result of this double-reverse isn't generally available unless you
<p><directive>Require</directive> must be accompanied by
<directive module="core">AuthName</directive> and <directive
module="core">AuthType</directive> directives, and directives such
- as <directive module="mod_auth">AuthUserFile</directive>
- and <directive module="mod_auth">AuthGroupFile</directive> (to
+ as <directive module="mod_authn_file">AuthUserFile</directive>
+ and <directive module="mod_authz_groupfile">AuthGroupFile</directive> (to
define users and groups) in order to work correctly. Example:</p>
<example>
section.</p>
</usage>
<seealso><directive module="core">Satisfy</directive></seealso>
-<seealso><module>mod_access</module></seealso>
+<seealso><module>mod_authz_host</module></seealso>
</directivesynopsis>
<directivesynopsis>
<usage>
<p>Access policy if both <directive
- module="core">Allow</directive> and <directive
+ module="mod_authz_host">Allow</directive> and <directive
module="core">Require</directive> used. The parameter can be
either <var>all</var> or <var>any</var>. This directive is only
useful if access to a particular area is being restricted by both
</example>
</usage>
- <seealso><directive module="mod_access">Allow</directive></seealso>
+ <seealso><directive module="mod_authz_host">Allow</directive></seealso>
<seealso><directive module="core">Require</directive></seealso>
</directivesynopsis>
<ul>
<li><a href="#reqvaliduser">require valid-user</a></li>
-
<li><a href="#requser">require user</a></li>
-
<li><a href="#reqgroup">require group</a></li>
-
<li><a href="#reqdn">require dn</a></li>
</ul>
</li>
<li><a href="#examples">Examples</a></li>
-
<li><a href="#usingtls">Using TLS</a></li>
-
<li><a href="#usingssl">Using SSL</a></li>
<li>
<ul>
<li><a href="#howitworks">How It Works</a></li>
-
<li><a href="#fpcaveats">Caveats</a></li>
</ul>
</li>
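Review bot: the bare "-" lines in this table of contents are blank-line removals only and have nothing to do with the module rename. Please move whitespace cleanup to its own commit so the rename can be reviewed, and if needed reverted, on its own.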
FrontPage with mod_auth_ldap</title>
<p>Normally, FrontPage uses FrontPage-web-specific user/group
- files (i.e., the <module>mod_auth</module> module) to handle all
+ files (i.e., the <module>mod_authn_file</module> and
+ <module>mod_authz_groupfile</module> modules) to handle all
authentication. Unfortunately, it is not possible to just
change to LDAP authentication by adding the proper directives,
because it will break the <em>Permissions</em> forms in
<ul>
<li>When choosing the LDAP URL, the attribute to use for
authentication should be something that will also be valid
- for putting into a <module>mod_auth</module> user file. The user ID is
- ideal for this.</li>
+ for putting into a <module>mod_authn_file</module> user file.
+ The user ID is ideal for this.</li>
<li>When adding users via FrontPage, FrontPage administrators
should choose usernames that already exist in the LDAP
LDAP database, and not against the password in the local user
file. This could cause confusion for web administrators.</li>
- <li>Apache must be compiled with <module>mod_auth</module> in order to
+ <!-- XXX is that true? was mod_auth before the aaa change -->
+ <li>Apache must be compiled with <module>mod_auth_basic</module>,
+ <module>mod_authn_file</module> and
+ <module>mod_authz_groupfile</module> in order to
use FrontPage support. This is because Apache will still use
- the <module>mod_auth</module> group file for determine the extent of a
+ the <module>mod_authz_groupfile</module> group file for determine the extent of a
user's access to the FrontPage web.</li>
<li>The directives must be put in the <code>.htaccess</code>
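Review bot: the added comment "XXX is that true? was mod_auth before the aaa change" commits an unanswered question next to a requirement readers will act on. Please confirm which of mod_auth_basic, mod_authn_file and mod_authz_groupfile FrontPage support actually needs before this goes in, then drop the XXX. The rewritten line also carries over "for determine the extent", which should read "to determine the extent", and "the mod_authz_groupfile group file" would be clearer as "the group file read by mod_authz_groupfile".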
type="section">Location</directive> or <directive module="core"
type="section">Directory</directive> directives won't work. This
is because <module>mod_auth_ldap</module> has to be able to grab
- the <directive module="mod_auth">AuthUserFile</directive>
+ the <directive module="mod_authn_file">AuthUserFile</directive>
directive that is found in FrontPage <code>.htaccess</code>
files so that it knows where to look for the valid user list. If
the <module>mod_auth_ldap</module> directives aren't in the same
AuthType basic<br />
<br />
# An
- AuthUserFile/AuthDBUserFile/AuthDBMUserFile<br />
+ AuthUserFile/AuthDBMUserFile<br />
# directive must be specified, or use<br />
# Anonymous_Authoritative for public access.<br />
# In the .htaccess for the public directory, add:<br />
<compatibility>Available in Apache 2.0.44 and later</compatibility>
<summary>
- <p>The directives provided by mod_authz_host are used in <directive
- module="core" type="section">Directory</directive>, <directive
- module="core" type="section">Files</directive>, and <directive
- module="core" type="section">Location</directive> sections as well as
- <code><a href="core.html#accessfilename">.htaccess</a></code>
- files to control access to particular parts of the server. Access
- can be controlled based on the client hostname, IP address, or
+ <p>The directives provided by <module>mod_authz_host</module> are
+ used in <directive module="core" type="section">Directory</directive>,
+ <directive module="core" type="section">Files</directive>, and
+ <directive module="core" type="section">Location</directive> sections
+ as well as <code><a href="core.html#accessfilename">.htaccess</a>
+ </code> files to control access to particular parts of the server.
+ Access can be controlled based on the client hostname, IP address, or
other characteristics of the client request, as captured in <a
href="../env.html">environment variables</a>. The <directive
module="mod_authz_host">Allow</directive> and <directive
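Review bot: the rewrapped summary moves the closing </code> onto its own line after ".htaccess</a>", which puts a line break and indentation inside the code element and can render as a trailing space in monospace before "files". Keep "</a></code>" together on one line. The only functional change here is wrapping mod_authz_host in <module>; rewrapping the other six lines in the same commit makes that hard to see, so consider leaving the existing line breaks alone.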
<p>You may wish to add a
<directive module="core"><Limit></directive>
clause inside the
- <directive module="core"><location></directive>
+ <directive module="core"><Location></directive>
directive to limit access to your server configuration
information.</p>
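Review bot: correcting the case to Location is right, but both references in this paragraph (Limit and Location) still put the angle-bracketed name inside <directive module="core">, unlike the summary hunk above, which writes section directives as <directive module="core" type="section">Location</directive>. Switching both to the type="section" form would keep the markup consistent and let the build generate the brackets and the link.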
the module <em>module-name</em>. Example:</p>
<example>
-AddModuleInfo mod_authn_file.c 'See <A \<br />
- HREF="http://www.apache.org/docs-2.0/mod/mod_authn_file.html">\<br />
- http://www.apache.org/docs-2.0/mod/mod_authn_file.html</A>'
+ AddModuleInfo mod_authn_file.c 'See <a \<br />
+ <indent>
+ href="http://www.apache.org/docs-2.0/mod/mod_authn_file.html">\<br />
+ http://www.apache.org/docs-2.0/mod/mod_authn_file.html</a>'
+ </indent>
</example>
</usage>
<p>The key is to check for various ingredients of the client certficate.
Usually this means to check the whole or part of the Distinguished
Name (DN) of the Subject. For this two methods exists: The <module
- >mod_auth</module> based variant and the <directive module="mod_ssl"
- >SSLRequire</directive> variant. The first method is good when the
- clients are of totally different type, i.e. when their DNs have no
- common fields (usually the organisation, etc.). In this case you've
- to establish a password database containing <em>all</em> clients. The
- second method is better when your clients are all part of a common
- hierarchy which is encoded into the DN. Then you can match them more
- easily.</p>
+ >mod_auth_basic</module> based variant and the <directive
+ module="mod_ssl">SSLRequire</directive> variant. The first method is
+ good when the clients are of totally different type, i.e. when their
+ DNs have no common fields (usually the organisation, etc.). In this
+ case you've to establish a password database containing <em>all</em>
+ clients. The second method is better when your clients are all part of
+ a common hierarchy which is encoded into the DN. Then you can match
+ them more easily.</p>
<p>The first method:</p>
<example><title>httpd.conf</title><pre>
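Review bot: eight lines are removed and re-added here to change one module name, so the mod_auth to mod_auth_basic substitution is buried in a reflow. Please keep the original wrapping, or split the rewrap out. If the paragraph is being rewrapped anyway, fix the context typos at the same time: "certficate" should be "certificate" and "two methods exists" should be "two methods exist". The sentence about establishing a password database describes the file provider rather than mod_auth_basic itself, so naming mod_authn_file alongside it would match what the example that follows configures.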
SSLRequireSSL
AuthName "Snake Oil Authentication"
AuthType Basic
+AuthBasicProvider file
AuthUserFile /usr/local/apache2/conf/httpd.passwd
require valid-user
</Directory></pre>
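Review bot: the added "AuthBasicProvider file" line is not explained anywhere in the text this patch touches. The AuthName, AuthType and Require usage paragraphs in the earlier hunks still name only AuthUserFile and AuthGroupFile as required companions. Either mention AuthBasicProvider there, or state that file is the default provider, so administrators migrating an existing configuration can tell whether a block without this line still enforces authentication. The same applies to the identical addition in the next example.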
# HTTP Basic Authentication
AuthType basic
AuthName "Protected Intranet Area"
+AuthBasicProvider file
AuthUserFile conf/protected.passwd
Require valid-user
</Directory></pre>