From 37d4a07027ed6b4167745a9eaca9fd1aad20044e Mon Sep 17 00:00:00 2001 From: Bradley Nicholes Date: Tue, 18 Feb 2003 22:21:24 +0000 Subject: [PATCH] Update the mod_auth_ldap and mod_ldap documentation to show the new directives for establishing an SSL connection and the addition of the Novell LDAP SDK. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@98714 13f79535-47bb-0310-9956-ffa450edef68 --- docs/manual/mod/mod_auth_ldap.xml | 42 ++++------------ docs/manual/mod/mod_ldap.xml | 81 +++++++++++++++++++++++++++---- 2 files changed, 81 insertions(+), 42 deletions(-) diff --git a/docs/manual/mod/mod_auth_ldap.xml b/docs/manual/mod/mod_auth_ldap.xml index 9cf3a64bc2..263001c734 100644 --- a/docs/manual/mod/mod_auth_ldap.xml +++ b/docs/manual/mod/mod_auth_ldap.xml @@ -17,7 +17,8 @@ for HTTP Basic authentication. @@ -413,24 +414,16 @@ require valid-user
Using TLS -

To use TLS, simply set the AuthLDAPStartTLS to on. - Nothing else needs to be done (other than ensure that your LDAP - server is configured for TLS).

+

To use TLS, see the mod_ldap directives LDAPTrustedCA and LDAPTrustedCAType.

Using SSL -

If mod_auth_ldap is linked against the - Netscape/iPlanet LDAP SDK, it will not talk to any SSL server - unless that server has a certificate signed by a known Certificate - Authority. As part of the configuration - mod_auth_ldap needs to be told where it can find - a database containing the known CAs. This database is in the same - format as Netscape Communicator's cert7.db - database. The easiest way to get this file is to start up a fresh - copy of Netscape, and grab the resulting - $HOME/.netscape/cert7.db file.

+

To use SSL, see the mod_ldap directives LDAPTrustedCA and LDAPTrustedCAType.

To specify a secure LDAP server, use ldaps:// in the AuthLDAPURL @@ -738,23 +731,6 @@ environment variable - -AuthLDAPStartTLS -Use a secure TLS connection to the LDAP server -AuthLDAPStartTLS on|off -AuthLDAPStartTLS off -directory.htaccess - -AuthConfig - - -

If this directive is set to on, - mod_auth_ldap will start a secure TLS session - after connecting to the LDAP server. This requires your LDAP - server to support TLS.

- - - AuthLDAPUrl URL specifying the LDAP search parameters diff --git a/docs/manual/mod/mod_ldap.xml b/docs/manual/mod/mod_ldap.xml index 3418617f5f..acb1853b2f 100644 --- a/docs/manual/mod/mod_ldap.xml +++ b/docs/manual/mod/mod_ldap.xml @@ -22,6 +22,13 @@ by other LDAP modules apr-util. This is achieved by adding the --with-ldap flag to the ./configure script when building Apache.

+ +

SSL support requires that mod_ldap be linked + with one of the following LDAP SDKs: + OpenLDAP SDK (both 1.x and 2.x), + Novell LDAP SDK or the + iPlanet(Netscape) SDK.

+
Example Configuration @@ -156,6 +163,51 @@ by other LDAP modules
+
Using SSL + +

The ability to create an SSL connections to an LDAP server + is defined by the directives + LDAPTrustedCA and + LDAPTrustedCAType. These directives specify the certificate + file or database and the certificate type. Whenever the LDAP url + includes ldaps://, mod_ldap will establish + a secure connection to the LDAP server. + + + # Establish an SSL LDAP connection. Requires that
+ # mod_ldap and mod_auth_ldap be loaded. Change the
+ # "yourdomain.example.com" to match your domain.
+
+ LDAPTrustedCA /certs/certfile.der
+ LDAPTrustedCAType DER_FILE
+
+ <Location /ldap-status>
+ + SetHandler ldap-status
+ Order deny,allow
+ Deny from all
+ Allow from yourdomain.example.com
+ AuthLDAPEnabled on
+ AuthLDAPURL ldaps://127.0.0.1/dc=example,dc=com?uid?one
+ AuthLDAPAuthoritative on
+ require valid-user
+
+ </Location> +
+ +

If mod_ldap is linked against the + Netscape/iPlanet LDAP SDK, it will not talk to any SSL server + unless that server has a certificate signed by a known Certificate + Authority. As part of the configuration + mod_ldap needs to be told where it can find + a database containing the known CAs. This database is in the same + format as Netscape Communicator's cert7.db + database. The easiest way to get this file is to start up a fresh + copy of Netscape, and grab the resulting + $HOME/.netscape/cert7.db file.

+ +
+ LDAPSharedCacheSize Size in bytes of the shared-memory cache @@ -228,19 +280,30 @@ valid -LDAPCertDBPath -Directory containing certificates for SSL support -LDAPCertDBPath directory-path +LDAPTrustedCA +Sets the file containing the trusted Certificate Authority certificate or database +LDAPTrustedCA directory-path/filename server config -

This directive is only valid if Apache has been linked - against the Netscape/iPlanet Directory SDK.

+

It specifies the directory path and file name of the trusted CA + mod_ldap should use when establishing an SSL + connection to an LDAP server. If using the Netscape/iPlanet Directory + SDK, the file name should be cert7.db.

+
+
-

It specifies in which directory mod_ldap - should look for the certificate authorities database for SSL - support. There should be a file named cert7.db in that - directory.

+ +LDAPTrustedCAType +Specifies the type of the Certificate Authority file +LDAPTrustedCAType type +server config + + +

The following types are supported:
+ DER_FILE - file in binary DER format
+ BASE64_FILE - file in Base64 format
+ CERT7_DB_PATH - Netscape certificate database file ")

-- 2.40.0
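Review bot: In the mod_auth_ldap.xml hunk at @@ -413,24 +414,16 @@, the rewritten "Using TLS" section no longer says how a TLS session is requested: the old text pointed at AuthLDAPStartTLS (removed later in this patch), and the replacement only refers to LDAPTrustedCA and LDAPTrustedCAType, which the mod_ldap text says take effect when the URL uses ldaps://. State explicitly whether StartTLS on a plain ldap:// connection is still available, or merge "Using TLS" into "Using SSL" and say that an encrypted connection is obtained with an ldaps:// AuthLDAPURL plus the two trust directives. As written, "Using TLS" and "Using SSL" are two headings with identical one-line bodies, which tells the reader nothing about the difference.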
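Review bot: The hunk at @@ -738,23 +731,6 @@ deletes the AuthLDAPStartTLS reference entry without leaving any trace for administrators whose configurations still contain "AuthLDAPStartTLS on"; after this change the manual documents no such directive and gives no hint of what replaced it. Add one sentence (here or in the upgrading notes) saying that AuthLDAPStartTLS has been removed and that an encrypted LDAP connection is now configured with LDAPTrustedCA, LDAPTrustedCAType and an ldaps:// URL, so that a search of the manual for the old name still leads somewhere.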
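Review bot: Style point in the mod_ldap.xml hunk at @@ -22,6 +22,13 @@: "iPlanet(Netscape) SDK" is missing a space and names the SDK the other way round from the "Netscape/iPlanet LDAP SDK" wording used later in the same file (the "Using SSL" section and the LDAPTrustedCA entry). Pick one form, e.g. "Netscape/iPlanet LDAP SDK", and use it throughout. Since this list is the first place a reader meets the SSL requirement, it would also help to say here that the accepted certificate format depends on the SDK (a cert7.db database for Netscape/iPlanet, a certificate file for the others), rather than leaving that to be inferred from the directive entries further down.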
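Review bot: In the "Using SSL" hunk at @@ -156,6 +163,51 @@, the example sets "LDAPTrustedCAType DER_FILE", but the paragraph directly beneath it says that with the Netscape/iPlanet SDK only a cert7.db database is accepted; the example never says which SDK it is written for, so a reader on iPlanet will copy a setting that cannot work. Label the example as the OpenLDAP/Novell case and show the iPlanet variant ("LDAPTrustedCA /certs/cert7.db" with "LDAPTrustedCAType CERT7_DB_PATH") next to it, or at least say so in the comment block. Two smaller points: "The ability to create an SSL connections" should read "an SSL connection", and the example's AuthLDAPURL names the server by address (ldaps://127.0.0.1/...) while the comment tells the reader to change only yourdomain.example.com; with certificate checking in force the name in the URL has to match what the server certificate carries, so a hostname is the safer thing to show in a copy-and-paste example.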
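Review bot: In the hunk at @@ -228,19 +280,30 @@, the LDAPTrustedCAType entry does not say what the directive defaults to when omitted, nor whether it is required whenever LDAPTrustedCA is set; neither new entry carries a default line, unlike the AuthLDAPStartTLS entry this patch removes. The CERT7_DB_PATH type name also suggests a directory (which is what the removed LDAPCertDBPath took), while the LDAPTrustedCA syntax line says "directory-path/filename" and its description says "the file name should be cert7.db"; state plainly that the full path to the cert7.db file is expected. Finally, the CERT7_DB_PATH line ends with a stray ") that will be rendered into the manual, and the entry should say which types are valid with which SDK (the "Using SSL" section above already implies CERT7_DB_PATH is the Netscape/iPlanet form), since the reference entry is where people will look.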