<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head>
<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type" />
<!--
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
This file is generated from xml source: DO NOT EDIT
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-->
<title>mod_authnz_ldap - Apache HTTP Server Version 2.4</title>
<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="../style/css/prettify.css" />
<script src="../style/scripts/prettify.min.js" type="text/javascript">
</script>
<link href="../images/favicon.ico" rel="shortcut icon" /></head>
<body>
Apache HTTP Server Version 2.4

Apache Module mod_authnz_ldap

| Description: | Allows an LDAP directory to be used to store the database for HTTP Basic authentication. |
|---|---|
| Status: | Extension |
| Module Identifier: | authnz_ldap_module |
| Source File: | mod_authnz_ldap.c |
| Compatibility: | Available in version 2.1 and later |

Summary

This module allows authentication front-ends such as mod_auth_basic to authenticate users through an LDAP directory.

mod_authnz_ldap supports the following features:

- Known to support the OpenLDAP SDK (both 1.x and 2.x), Novell LDAP SDK and the iPlanet (Netscape) SDK.
- Complex authorization policies can be implemented by representing the policy with LDAP filters.
- Uses extensive caching of LDAP operations via mod_ldap.
- Support for LDAP over SSL (requires the Netscape SDK) or TLS (requires the OpenLDAP 2.x SDK or Novell LDAP SDK).

When using mod_auth_basic, this module is invoked via the AuthBasicProvider directive with the ldap value.

Directives

- AuthLDAPAuthorizePrefix
- AuthLDAPBindAuthoritative
- AuthLDAPBindDN
- AuthLDAPBindPassword
- AuthLDAPCharsetConfig
- AuthLDAPCompareAsUser
- AuthLDAPCompareDNOnServer
- AuthLDAPDereferenceAliases
- AuthLDAPGroupAttribute
- AuthLDAPGroupAttributeIsDN
- AuthLDAPInitialBindAsUser
- AuthLDAPInitialBindPattern
- AuthLDAPMaxSubGroupDepth
- AuthLDAPRemoteUserAttribute
- AuthLDAPRemoteUserIsDN
- AuthLDAPSearchAsUser
- AuthLDAPSubGroupAttribute
- AuthLDAPSubGroupClass
- AuthLDAPUrl

See also

- mod_ldap
- mod_auth_basic
- mod_authz_user
- mod_authz_groupfile
General caveats

This module caches authentication and authorization results based on the configuration of mod_ldap. Changes made to the backing LDAP server will not be immediately reflected on the HTTP Server, including but not limited to user lockouts/revocations, password changes, or changes to group memberships. Consult the directives in mod_ldap for details of the cache tunables.
Operation

There are two phases in granting access to a user. The first phase is authentication, in which the mod_authnz_ldap authentication provider verifies that the user's credentials are valid. This is also called the search/bind phase. The second phase is authorization, in which mod_authnz_ldap determines if the authenticated user is allowed access to the resource in question. This is also known as the compare phase.

mod_authnz_ldap registers both an authn_ldap authentication provider and an authz_ldap authorization handler. The authn_ldap authentication provider can be enabled through the AuthBasicProvider directive using the ldap value. The authz_ldap handler extends the Require directive's authorization types by adding ldap-user, ldap-dn and ldap-group values.

The Authentication Phase

During the authentication phase, mod_authnz_ldap searches for an entry in the directory that matches the username that the HTTP client passes. If a single unique match is found, then mod_authnz_ldap attempts to bind to the directory server using the DN of the entry plus the password provided by the HTTP client. Because it does a search, then a bind, it is often referred to as the search/bind phase. Here are the steps taken during the search/bind phase.

1. Generate a search filter by combining the attribute and filter provided in the AuthLDAPURL directive with the username passed by the HTTP client.
2. Search the directory using the generated filter. If the search does not return exactly one entry, deny or decline access.
3. Fetch the distinguished name of the entry retrieved from the search and attempt to bind to the LDAP server using that DN and the password passed by the HTTP client. If the bind is unsuccessful, deny or decline access.

The following directives are used during the search/bind phase:

- AuthLDAPURL: Specifies the LDAP server, the base DN, the attribute to use in the search, as well as the extra search filter to use.
- AuthLDAPBindDN: An optional DN to bind with during the search phase.
- AuthLDAPBindPassword: An optional password to bind with during the search phase.
The Authorization Phase

During the authorization phase, mod_authnz_ldap attempts to determine if the user is authorized to access the resource. Many of these checks require mod_authnz_ldap to do a compare operation on the LDAP server. This is why this phase is often referred to as the compare phase. mod_authnz_ldap accepts the following Require directives to determine if the credentials are acceptable:

- Grant access if there is a Require ldap-user directive, and the username in the directive matches the username passed by the client.
- Grant access if there is a Require ldap-dn directive, and the DN in the directive matches the DN fetched from the LDAP directory.
- Grant access if there is a Require ldap-group directive, and the DN fetched from the LDAP directory (or the username passed by the client) occurs in the LDAP group or, potentially, in one of its sub-groups.
- Grant access if there is a Require ldap-attribute directive, and the attribute fetched from the LDAP directory matches the given value.
- Grant access if there is a Require ldap-filter directive, and the search filter successfully finds a single user object that matches the DN of the authenticated user.
- Otherwise, deny or decline access.

Other Require values may also be used, which may require loading additional authorization modules.

- Grant access to all successfully authenticated users if there is a Require valid-user directive (requires mod_authz_user).
- Grant access if there is a Require group directive, and mod_authz_groupfile has been loaded with the AuthGroupFile directive set.
- others...

mod_authnz_ldap uses the following directives during the compare phase:

- AuthLDAPURL: The attribute specified in the URL is used in compare operations for the Require ldap-user operation.
- AuthLDAPCompareDNOnServer: Determines the behavior of the Require ldap-dn directive.
- AuthLDAPGroupAttribute: Determines the attribute to use for comparisons in the Require ldap-group directive.
- AuthLDAPGroupAttributeIsDN: Specifies whether to use the user DN or the username when doing comparisons for the Require ldap-group directive.
- AuthLDAPMaxSubGroupDepth: Determines the maximum depth of sub-groups that will be evaluated during comparisons in the Require ldap-group directive.
- AuthLDAPSubGroupAttribute: Determines the attribute to use when obtaining sub-group members of the current group during comparisons in the Require ldap-group directive.
- AuthLDAPSubGroupClass: Specifies the LDAP objectClass values used to identify whether queried directory objects really are group objects (as opposed to user objects) during the Require ldap-group directive's sub-group processing.
The Require Directives

Apache's Require directives are used during the authorization phase to ensure that a user is allowed to access a resource. mod_authnz_ldap extends the authorization types with ldap-user, ldap-dn, ldap-group, ldap-attribute and ldap-filter. Other authorization types may also be used but may require that additional authorization modules be loaded.

Since v2.4.8, expressions are supported within the LDAP require directives.
Require ldap-user

The Require ldap-user directive specifies what usernames can access the resource. Once mod_authnz_ldap has retrieved a unique DN from the directory, it does an LDAP compare operation using the username specified in the Require ldap-user to see if that username is part of the just-fetched LDAP entry. Multiple users can be granted access by putting multiple usernames on the line, separated with spaces. If a username has a space in it, then it must be surrounded with double quotes. Multiple users can also be granted access by using multiple Require ldap-user directives, with one user per line. For example, with an AuthLDAPURL of ldap://ldap/o=Example?cn (i.e., cn is used for searches), the following Require directives could be used to restrict access:

    Require ldap-user "Barbara Jenson"
    Require ldap-user "Fred User"
    Require ldap-user "Joe Manager"

Because of the way that mod_authnz_ldap handles this directive, Barbara Jenson could sign on as Barbara Jenson, Babs Jenson or any other cn that she has in her LDAP entry. Only the single Require ldap-user line is needed to support all values of the attribute in the user's entry.

If the uid attribute was used instead of the cn attribute in the URL above, the above three lines could be condensed to

    Require ldap-user bjenson fuser jmanager
Require ldap-group

This directive specifies an LDAP group whose members are allowed access. It takes the distinguished name of the LDAP group. Note: Do not surround the group name with quotes. For example, assume that the following entry existed in the LDAP directory:

    dn: cn=Administrators, o=Example
    objectClass: groupOfUniqueNames
    uniqueMember: cn=Barbara Jenson, o=Example
    uniqueMember: cn=Fred User, o=Example

The following directive would grant access to both Fred and Barbara:

    Require ldap-group cn=Administrators, o=Example

Members can also be found within sub-groups of a specified LDAP group if AuthLDAPMaxSubGroupDepth is set to a value greater than 0. For example, assume the following entries exist in the LDAP directory:

    dn: cn=Employees, o=Example
    objectClass: groupOfUniqueNames
    uniqueMember: cn=Managers, o=Example
    uniqueMember: cn=Administrators, o=Example
    uniqueMember: cn=Users, o=Example

    dn: cn=Managers, o=Example
    objectClass: groupOfUniqueNames
    uniqueMember: cn=Bob Ellis, o=Example
    uniqueMember: cn=Tom Jackson, o=Example

    dn: cn=Administrators, o=Example
    objectClass: groupOfUniqueNames
    uniqueMember: cn=Barbara Jenson, o=Example
    uniqueMember: cn=Fred User, o=Example

    dn: cn=Users, o=Example
    objectClass: groupOfUniqueNames
    uniqueMember: cn=Allan Jefferson, o=Example
    uniqueMember: cn=Paul Tilley, o=Example
    uniqueMember: cn=Temporary Employees, o=Example

    dn: cn=Temporary Employees, o=Example
    objectClass: groupOfUniqueNames
    uniqueMember: cn=Jim Swenson, o=Example
    uniqueMember: cn=Elliot Rhodes, o=Example

The following directives would allow access for Bob Ellis, Tom Jackson, Barbara Jenson, Fred User, Allan Jefferson, and Paul Tilley but would not allow access for Jim Swenson or Elliot Rhodes (since they are at a sub-group depth of 2):

    Require ldap-group cn=Employees, o=Example
    AuthLDAPMaxSubGroupDepth 1

Behavior of this directive is modified by the AuthLDAPGroupAttribute, AuthLDAPGroupAttributeIsDN, AuthLDAPMaxSubGroupDepth, AuthLDAPSubGroupAttribute, and AuthLDAPSubGroupClass directives.
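The sub-group walk just described, as an added example that is not part of this documentation or of mod_authnz_ldap itself: a Python model of the Require ldap-group check over the group entries listed above, with AuthLDAPMaxSubGroupDepth, AuthLDAPGroupAttribute, AuthLDAPGroupAttributeIsDN and AuthLDAPSubGroupClass as parameters. The user entries the groups point at are constructed, and the function names, the cycle guard and the plain lower-case compare used when AuthLDAPGroupAttributeIsDN is off are this example's own assumptions.

```python
"""Model of the Require ldap-group check with sub-group evaluation.

Added example, not mod_authnz_ldap code. The group entries are the ones
from the documentation above; the user entries they reference are constructed.
"""
import re


def normalize_dn(dn):
    """Compare DNs loosely: case-insensitive, ignoring spaces after commas."""
    return re.sub(r",\s*", ",", dn).lower()


def build_directory():
    """In-memory stand-in for the LDAP server, keyed by normalized DN."""
    groups = {
        "cn=Employees, o=Example": ["cn=Managers, o=Example",
                                    "cn=Administrators, o=Example",
                                    "cn=Users, o=Example"],
        "cn=Managers, o=Example": ["cn=Bob Ellis, o=Example",
                                   "cn=Tom Jackson, o=Example"],
        "cn=Administrators, o=Example": ["cn=Barbara Jenson, o=Example",
                                         "cn=Fred User, o=Example"],
        "cn=Users, o=Example": ["cn=Allan Jefferson, o=Example",
                                "cn=Paul Tilley, o=Example",
                                "cn=Temporary Employees, o=Example"],
        "cn=Temporary Employees, o=Example": ["cn=Jim Swenson, o=Example",
                                              "cn=Elliot Rhodes, o=Example"],
    }
    directory = {}
    for dn, members in groups.items():
        directory[normalize_dn(dn)] = {"dn": dn, "objectclass": ["groupOfUniqueNames"],
                                       "uniquemember": list(members)}
    for members in groups.values():          # constructed user entries
        for dn in members:
            directory.setdefault(normalize_dn(dn),
                                 {"dn": dn, "objectclass": ["inetOrgPerson"]})
    return directory


def is_group_member(directory, identity, group_dn, max_sub_group_depth=0,
                    group_attribute="uniqueMember", group_attribute_is_dn=True,
                    sub_group_classes=("groupOfNames", "groupOfUniqueNames")):
    """True if identity is a member of group_dn directly, or of a sub-group
    reached through at most max_sub_group_depth nested groups.

    identity is the user's DN when AuthLDAPGroupAttributeIsDN is on, or the
    username the client sent when it is off (assumed here: lower-case compare).
    """
    attr = group_attribute.lower()
    classes = {c.lower() for c in sub_group_classes}
    canon = normalize_dn if group_attribute_is_dn else str.lower
    wanted = canon(identity)
    best_depth = {}                          # cycle guard: group -> shallowest visit

    def check(gdn, depth):
        key = normalize_dn(gdn)
        if key in best_depth and best_depth[key] <= depth:
            return False
        best_depth[key] = depth
        group = directory.get(key)
        if group is None:
            return False
        members = group.get(attr, [])
        if any(canon(m) == wanted for m in members):   # the compare operation
            return True
        if depth >= max_sub_group_depth:               # do not descend further
            return False
        for m in members:                              # only real groups recurse
            entry = directory.get(normalize_dn(m), {})
            if classes & {c.lower() for c in entry.get("objectclass", [])}:
                if check(m, depth + 1):
                    return True
        return False

    return check(group_dn, 0)


def allowed_users(directory, group_dn, max_sub_group_depth):
    """Every non-group entry that 'Require ldap-group <group_dn>' admits."""
    return sorted(e["dn"] for e in directory.values()
                  if "groupofuniquenames" not in [c.lower() for c in e.get("objectclass", [])]
                  and is_group_member(directory, e["dn"], group_dn, max_sub_group_depth))


if __name__ == "__main__":
    d = build_directory()
    for depth in (0, 1, 2):
        print("AuthLDAPMaxSubGroupDepth %d -> %s"
              % (depth, allowed_users(d, "cn=Employees, o=Example", depth)))
```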
Require ldap-dn

The Require ldap-dn directive allows the administrator to grant access based on distinguished names. It specifies a DN that must match for access to be granted. If the distinguished name that was retrieved from the directory server matches the distinguished name in the Require ldap-dn, then authorization is granted. Note: do not surround the distinguished name with quotes.

The following directive would grant access to a specific DN:

    Require ldap-dn cn=Barbara Jenson, o=Example

Behavior of this directive is modified by the AuthLDAPCompareDNOnServer directive.
Require ldap-attribute

The Require ldap-attribute directive allows the administrator to grant access based on attributes of the authenticated user in the LDAP directory. If the attribute in the directory matches the value given in the configuration, access is granted.

The following directive would grant access to anyone with the attribute employeeType = active:

    Require ldap-attribute employeeType="active"

Multiple attribute/value pairs can be specified on the same line separated by spaces, or they can be specified in multiple Require ldap-attribute directives. The effect of listing multiple attribute/value pairs is an OR operation. Access will be granted if any of the listed attribute values match the value of the corresponding attribute in the user object. If the value of the attribute contains a space, only the value must be within double quotes.

The following directive would grant access to anyone with the city attribute equal to "San Jose" or status equal to "Active":

    Require ldap-attribute city="San Jose" status="active"
Require ldap-filter

The Require ldap-filter directive allows the administrator to grant access based on a complex LDAP search filter. If the DN returned by the filter search matches the authenticated user's DN, access is granted.

The following directive would grant access to anyone who has a cell phone and is in the marketing department:

    Require ldap-filter "&(cell=*)(department=marketing)"

The difference between the Require ldap-filter directive and the Require ldap-attribute directive is that ldap-filter performs a search operation on the LDAP directory using the specified search filter rather than a simple attribute comparison. If a simple attribute comparison is all that is required, the comparison operation performed by ldap-attribute will be faster than the search operation used by ldap-filter, especially within a large directory.
Examples

Grant access to anyone who exists in the LDAP directory, using their UID for searches.

    AuthLDAPURL "ldap://ldap1.example.com:389/ou=People, o=Example?uid?sub?(objectClass=*)"
    Require valid-user

The next example is the same as above, but with the fields that have useful defaults omitted. Also, note the use of a redundant LDAP server.

    AuthLDAPURL "ldap://ldap1.example.com ldap2.example.com/ou=People, o=Example"
    Require valid-user

The next example is similar to the previous one, but it uses the common name instead of the UID. Note that this could be problematic if multiple people in the directory share the same cn, because a search on cn must return exactly one entry. That's why this approach is not recommended: it's a better idea to choose an attribute that is guaranteed unique in your directory, such as uid.

    AuthLDAPURL "ldap://ldap.example.com/ou=People, o=Example?cn"
    Require valid-user

Grant access to anybody in the Administrators group. The users must authenticate using their UID.

    AuthLDAPURL ldap://ldap.example.com/o=Example?uid
    Require ldap-group cn=Administrators, o=Example

Grant access to anybody in the group whose name matches the hostname of the virtual host. In this example an expression is used to build the filter.

    AuthLDAPURL ldap://ldap.example.com/o=Example?uid
    Require ldap-group cn=%{SERVER_NAME}, o=Example

The next example assumes that everyone at Example who carries an alphanumeric pager will have an LDAP attribute of qpagePagerID. The example will grant access only to people (authenticated via their UID) who have alphanumeric pagers:

    AuthLDAPURL ldap://ldap.example.com/o=Example?uid??(qpagePagerID=*)
    Require valid-user

The next example demonstrates the power of using filters to accomplish complicated administrative requirements. Without filters, it would have been necessary to create a new LDAP group and ensure that the group's members remain synchronized with the pager users. This becomes trivial with filters. The goal is to grant access to anyone who has a pager, plus grant access to Joe Manager, who doesn't have a pager, but does need to access the same resource:

    AuthLDAPURL ldap://ldap.example.com/o=Example?uid??(|(qpagePagerID=*)(uid=jmanager))
    Require valid-user

This last example may look confusing at first, so it helps to evaluate what the search filter will look like based on who connects, as shown below. If Fred User connects as fuser, the filter would look like

    (&(|(qpagePagerID=*)(uid=jmanager))(uid=fuser))

The above search will only succeed if fuser has a pager. When Joe Manager connects as jmanager, the filter looks like

    (&(|(qpagePagerID=*)(uid=jmanager))(uid=jmanager))

The above search will succeed whether jmanager has a pager or not.
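The filter expansion walked through above, together with the three search/bind steps from the Operation section, modelled as one added example that is not this documentation's or mod_authnz_ldap's own code. It parses an AuthLDAPURL, escapes the client-supplied username per RFC 4515 before placing it in the filter (this example's choice; the page does not describe the module's own escaping), searches a constructed in-memory directory, declines unless exactly one entry matches, and stands in for the bind with a password stored on the constructed entries. Function names, the directory contents and the subtree-only search scope are this example's assumptions.

```python
"""Search/bind phase of mod_authnz_ldap, modelled in Python. Added example,
not module code: the directory is constructed, the URLs are this page's."""
import re

# In-memory stand-in for the LDAP server. Attribute names are lower-cased and
# every value is a list, as in LDAP. Two entries deliberately share a cn.
DIRECTORY = [
    {"dn": "uid=bjenson,ou=People,o=Example", "objectclass": ["inetOrgPerson"],
     "uid": ["bjenson"], "cn": ["Barbara Jenson", "Babs Jenson"],
     "qpagepagerid": ["5551001"], "userpassword": ["bj-secret"]},
    {"dn": "uid=fuser,ou=People,o=Example", "objectclass": ["inetOrgPerson"],
     "uid": ["fuser"], "cn": ["Fred User"], "userpassword": ["fu-secret"]},
    {"dn": "uid=fuser2,ou=People,o=Example", "objectclass": ["inetOrgPerson"],
     "uid": ["fuser2"], "cn": ["Fred User"], "userpassword": ["fu2-secret"]},
    {"dn": "uid=jmanager,ou=People,o=Example", "objectclass": ["inetOrgPerson"],
     "uid": ["jmanager"], "cn": ["Joe Manager"], "userpassword": ["jm-secret"]},
]

def parse_auth_ldap_url(url):
    """Split ldap://hosts/basedn?attribute?scope?filter into its fields,
    applying the defaults the examples rely on: uid, sub, (objectClass=*)."""
    _scheme, _, rest = url.partition("://")
    hosts, _, path = rest.partition("/")
    parts = path.split("?") + ["", "", ""]
    return {"hosts": hosts.split(), "base_dn": parts[0],
            "attribute": parts[1] or "uid", "scope": parts[2] or "sub",
            "filter": parts[3] or "(objectClass=*)"}

def escape_filter_value(value):
    """RFC 4515 escaping for a client-supplied value: a '*', '(', ')', '\\'
    or NUL in the username must not change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def build_search_filter(url, username):
    """Step 1: AND the URL's extra filter with attribute=<escaped username>."""
    cfg = parse_auth_ldap_url(url)
    return "(&%s(%s=%s))" % (cfg["filter"], cfg["attribute"],
                             escape_filter_value(username))

def parse_filter(text):
    """Recursive-descent parser for the RFC 4515 subset used on this page:
    (&...), (|...), equality (attr=value) and presence (attr=*)."""
    def node(pos):
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        if text[pos + 1] in "&|":
            op, kids, pos = text[pos + 1], [], pos + 2
            while text[pos] == "(":
                kid, pos = node(pos)
                kids.append(kid)
            return (op, kids), pos + 1
        end = text.index(")", pos)           # a ')' inside a value is escaped
        attr, _, value = text[pos + 1:end].partition("=")
        return ("=", attr.lower(), value), end + 1
    tree, end = node(0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return tree

def matches(tree, entry):
    """Evaluate a parsed filter against one entry (case-insensitive equality)."""
    if tree[0] == "&":
        return all(matches(k, entry) for k in tree[1])
    if tree[0] == "|":
        return any(matches(k, entry) for k in tree[1])
    _, attr, value = tree
    values = entry.get(attr, [])
    if value == "*":                         # presence test
        return bool(values)
    wanted = re.sub(r"\\([0-9a-fA-F]{2})",  # undo RFC 4515 escapes
                    lambda m: chr(int(m.group(1), 16)), value).lower()
    return any(v.lower() == wanted for v in values)

def normalize_dn(dn):
    return re.sub(r",\s*", ",", dn).lower()

def ldap_search(directory, base_dn, filter_text):
    """Step 2: subtree search under base_dn (the only scope modelled here)."""
    tree, base = parse_filter(filter_text), normalize_dn(base_dn)

    def in_base(dn):
        ndn = normalize_dn(dn)
        return ndn == base or ndn.endswith("," + base)
    return [e for e in directory if in_base(e["dn"]) and matches(tree, e)]

def search_bind(directory, url, username, password):
    """Steps 1 to 3. Returns ('ok', dn) or ('deny', reason)."""
    cfg = parse_auth_ldap_url(url)
    hits = ldap_search(directory, cfg["base_dn"],
                       build_search_filter(url, username))
    if len(hits) != 1:                       # none, or ambiguous: decline
        return ("deny", "search returned %d entries, need exactly 1" % len(hits))
    # Step 3 stand-in for the simple bind: a real server checks the password
    # itself; the constructed entries carry one only so the model can run.
    if password not in hits[0].get("userpassword", []):
        return ("deny", "bind as %s failed" % hits[0]["dn"])
    return ("ok", hits[0]["dn"])
```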
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Using TLS

To use TLS, see the mod_ldap directives LDAPTrustedClientCert, LDAPTrustedGlobalCert and LDAPTrustedMode.

An optional second parameter can be added to the AuthLDAPURL to override the default connection type set by LDAPTrustedMode. This will allow the connection established by an ldap:// URL to be upgraded to a secure connection on the same port.

Using SSL

To use SSL, see the mod_ldap directives LDAPTrustedClientCert, LDAPTrustedGlobalCert and LDAPTrustedMode.

To specify a secure LDAP server, use ldaps:// in the AuthLDAPURL directive, instead of ldap://.
Exporting values

When this module performs authentication, LDAP attributes specified in the AuthLDAPURL directive are placed in environment variables with the prefix "AUTHENTICATE_".

When this module performs authorization, LDAP attributes specified in the AuthLDAPURL directive are placed in environment variables with the prefix "AUTHORIZE_".

If the attribute field contains the username, common name and telephone number of a user, a CGI program will have access to this information without the need to make a second independent LDAP query to gather this additional information.

This has the potential to dramatically simplify the coding and configuration required in some web applications.
Using Active Directory

An Active Directory installation may support multiple domains at the same time. To distinguish users between domains, an identifier called a User Principal Name (UPN) can be added to a user's entry in the directory. This UPN usually takes the form of the user's account name, followed by the domain components of the particular domain, for example somebody@nz.example.com.

You may wish to configure the mod_authnz_ldap module to authenticate users present in any of the domains making up the Active Directory forest. In this way both somebody@nz.example.com and someone@au.example.com can be authenticated using the same query at the same time.

To make this practical, Active Directory supports the concept of a Global Catalog. This Global Catalog is a read-only copy of selected attributes of all the Active Directory servers within the Active Directory forest. Querying the Global Catalog allows all the domains to be queried in a single query, without the query spanning servers over potentially slow links.

If enabled, the Global Catalog is an independent directory server that runs on port 3268 (3269 for SSL). To search for a user, do a subtree search for the attribute userPrincipalName, with an empty search root, like so:

AuthLDAPBindDN apache@example.com
AuthLDAPBindPassword password
AuthLDAPURL ldap://10.0.0.1:3268/?userPrincipalName?sub

Users will need to enter their User Principal Name as a login, in the form somebody@nz.example.com.
FrontPage with mod_authnz_ldap

Normally, FrontPage uses FrontPage-web-specific user/group files (i.e., the mod_authn_file and mod_authz_groupfile modules) to handle all authentication. Unfortunately, it is not possible to just change to LDAP authentication by adding the proper directives, because it will break the Permissions forms in the FrontPage client, which attempt to modify the standard text-based authorization files.

Once a FrontPage web has been created, adding LDAP authentication to it is a matter of adding the following directives to every .htaccess file that gets created in the web:

AuthLDAPURL "the url"
AuthGroupFile "mygroupfile"
Require group "mygroupfile"

How It Works

FrontPage restricts access to a web by adding the Require valid-user directive to the .htaccess files. The Require valid-user directive will succeed for any user who is valid as far as LDAP is concerned. This means that anybody who has an entry in the LDAP directory is considered a valid user, whereas FrontPage considers only those people in the local user file to be valid. By substituting group file authorization for ldap-group, Apache is allowed to consult the local user file (which is managed by FrontPage) - instead of LDAP - when authorizing the user.

Once directives have been added as specified above, FrontPage users will be able to perform all management operations from the FrontPage client.

Caveats

When choosing the LDAP URL, the attribute to use for authentication should be something that will also be valid for putting into a mod_authn_file user file. The user ID is ideal for this.

When adding users via FrontPage, FrontPage administrators should choose usernames that already exist in the LDAP directory (for obvious reasons). Also, the password that the administrator enters into the form is ignored, since Apache will actually be authenticating against the password in the LDAP database, and not against the password in the local user file. This could cause confusion for web administrators.

Apache must be compiled with mod_auth_basic, mod_authn_file and mod_authz_groupfile in order to use FrontPage support. This is because Apache will still use the mod_authz_groupfile group file to determine the extent of a user's access to the FrontPage web.

The directives must be put in the .htaccess files. Attempting to put them inside <Location> or <Directory> directives won't work. This is because mod_authnz_ldap has to be able to grab the AuthGroupFile directive that is found in FrontPage .htaccess files so that it knows where to look for the valid user list. If the mod_authnz_ldap directives aren't in the same .htaccess file as the FrontPage directives, then the hack won't work, because mod_authnz_ldap will never get a chance to process the .htaccess file, and won't be able to find the FrontPage-managed user file.
AuthLDAPAuthorizePrefix Directive

Description: Specifies the prefix for environment variables set during authorization
Syntax: AuthLDAPAuthorizePrefix prefix
Default: AuthLDAPAuthorizePrefix AUTHORIZE_
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Module: mod_authnz_ldap
Compatibility: Available in version 2.3.6 and later

This directive allows you to override the prefix used for environment variables set during LDAP authorization. If AUTHENTICATE_ is specified, consumers of these environment variables see the same information whether LDAP has performed authentication, authorization, or both.

Note
No authorization variables are set when a user is authorized on the basis of Require valid-user.
AuthLDAPBindAuthoritative Directive

Description: Determines if other authentication providers are used when a user can be mapped to a DN but the server cannot successfully bind with the user's credentials.
Syntax: AuthLDAPBindAuthoritative off|on
Default: AuthLDAPBindAuthoritative on
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Module: mod_authnz_ldap

By default, subsequent authentication providers are only queried if a user cannot be mapped to a DN, but not if the user can be mapped to a DN and their password cannot be verified with an LDAP bind. If AuthLDAPBindAuthoritative is set to off, other configured authentication modules will have a chance to validate the user if the LDAP bind (with the current user's credentials) fails for any reason. This allows users present in both LDAP and AuthUserFile to authenticate when the LDAP server is available but the user's account is locked or password is otherwise unusable.

See also
AuthUserFile
AuthBasicProvider
AuthLDAPBindDN Directive

Description: Optional DN to use in binding to the LDAP server
Syntax: AuthLDAPBindDN distinguished-name
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Module: mod_authnz_ldap

An optional DN used to bind to the server when searching for entries. If not provided, mod_authnz_ldap will use an anonymous bind.
AuthLDAPBindPassword Directive

Description: Password used in conjunction with the bind DN
Syntax: AuthLDAPBindPassword password
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Module: mod_authnz_ldap
Compatibility: exec: was added in 2.4.5.

A bind password to use in conjunction with the bind DN. Note that the bind password is probably sensitive data, and should be properly protected. You should only use the AuthLDAPBindDN and AuthLDAPBindPassword if you absolutely need them to search the directory.

If the value begins with exec: the resulting command will be executed and the first line returned to standard output by the program will be used as the password.

#Password used as-is
AuthLDAPBindPassword secret

#Run /path/to/program to get my password
AuthLDAPBindPassword exec:/path/to/program

#Run /path/to/otherProgram and provide arguments
AuthLDAPBindPassword "exec:/path/to/otherProgram argument1"
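The exec: resolution described above, modelled as an added example (not mod_authnz_ldap's code): the remainder of the value is a command line, it is run, and only the first line of its standard output becomes the password. The demonstration command, which re-invokes the running interpreter, is constructed for this example.

```python
import shlex
import subprocess
import sys

def resolve_bind_password(value):
    """A value without the exec: prefix is used as-is. With the prefix, the
    remainder is a command line (quote the whole value in the configuration
    when the program takes arguments); it is run and only the first line it
    writes to standard output is used as the password."""
    if not value.startswith('exec:'):
        return value
    argv = shlex.split(value[len('exec:'):])
    # A failing helper raises here rather than silently yielding an empty password.
    proc = subprocess.run(argv, capture_output=True, text=True, check=True)
    return proc.stdout.split('\n', 1)[0].rstrip('\r')

# Constructed demonstration command: the interpreter running this example
# prints the argument it was given, then a second line that must be ignored.
DEMO_VALUE = ('exec:%s -c "import sys; print(sys.argv[1]); print(\'ignored\')" s3cret-demo'
              % shlex.quote(sys.executable))

if __name__ == '__main__':
    print(resolve_bind_password('secret'))
    print(resolve_bind_password(DEMO_VALUE))
```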
AuthLDAPCharsetConfig Directive

Description: Language to charset conversion configuration file
Syntax: AuthLDAPCharsetConfig file-path
Context: server config
Status: Extension
Module: mod_authnz_ldap

The AuthLDAPCharsetConfig directive sets the location of the language to charset conversion configuration file. File-path is relative to the ServerRoot. This file specifies the list of language extensions to character sets. Most administrators use the provided charset.conv file, which associates common language extensions to character sets.

The file contains lines in the following format:

Language-Extension charset [Language-String] ...

The case of the extension does not matter. Blank lines, and lines beginning with a hash character (#) are ignored.
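A parser for the file format just described, added here as an example (not the module's own parser); the sample file content is constructed and mirrors the documented rules: whitespace-separated fields, a case-insensitive extension, and blank and # lines ignored.

```python
def parse_charset_conv(text):
    """Return {extension (lowercased): (charset, [language strings])}.
    A line needs at least an extension and a charset; anything after the
    charset is the optional list of language strings."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue                      # blank lines and comments are ignored
        fields = line.split()
        if len(fields) < 2:
            raise ValueError('line %d: need extension and charset: %r' % (lineno, raw))
        ext, charset, *names = fields
        table[ext.lower()] = (charset, names)   # extension case does not matter
    return table

def charset_for(table, extension):
    """Look an extension up regardless of the case the caller uses."""
    return table.get(extension.lower())

# Constructed sample in the charset.conv format (not the shipped file).
SAMPLE = """\
# language extension, charset, optional language names
en   ISO-8859-1   English
RU   ISO-8859-5   Russian

ja   ISO-2022-JP  Japanese
"""

if __name__ == '__main__':
    for ext, (charset, names) in sorted(parse_charset_conv(SAMPLE).items()):
        print(ext, charset, names)
```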
AuthLDAPCompareAsUser Directive

Description: Use the authenticated user's credentials to perform authorization comparisons
Syntax: AuthLDAPCompareAsUser on|off
Default: AuthLDAPCompareAsUser off
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Module: mod_authnz_ldap
Compatibility: Available in version 2.3.6 and later

When set, and mod_authnz_ldap has authenticated the user, LDAP comparisons for authorization use the queried distinguished name (DN) and HTTP basic authentication password of the authenticated user instead of the server's configured credentials.

The ldap-attribute, ldap-user, and ldap-group (single-level only) authorization checks use comparisons.

This directive only has effect on the comparisons performed during nested group processing when AuthLDAPSearchAsUser is also enabled.

This directive should only be used when your LDAP server doesn't accept anonymous comparisons and you cannot use a dedicated AuthLDAPBindDN.

See also
AuthLDAPInitialBindAsUser
AuthLDAPSearchAsUser
AuthLDAPCompareDNOnServer Directive

Description: Use the LDAP server to compare the DNs
Syntax: AuthLDAPCompareDNOnServer on|off
Default: AuthLDAPCompareDNOnServer on
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Module: mod_authnz_ldap

When set, mod_authnz_ldap will use the LDAP server to compare the DNs. This is the only foolproof way to compare DNs. mod_authnz_ldap will search the directory for the DN specified with the Require dn directive, then retrieve the DN and compare it with the DN retrieved from the user entry. If this directive is not set, mod_authnz_ldap simply does a string comparison. It is possible to get false negatives with this approach, but it is much faster. Note the mod_ldap cache can speed up DN comparison in most situations.
AuthLDAPDereferenceAliases Directive

Description: When will the module de-reference aliases
Syntax: AuthLDAPDereferenceAliases never|searching|finding|always
Default: AuthLDAPDereferenceAliases always
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Module: mod_authnz_ldap

This directive specifies when mod_authnz_ldap will de-reference aliases during LDAP operations. The default is always.
AuthLDAPGroupAttribute Directive

Description: LDAP attributes used to identify the user members of groups.
Syntax: AuthLDAPGroupAttribute attribute
Default: AuthLDAPGroupAttribute member uniquemember
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Module: mod_authnz_ldap

This directive specifies which LDAP attributes are used to check for user members within groups. Multiple attributes can be used by specifying this directive multiple times. If not specified, then mod_authnz_ldap uses the member and uniquemember attributes.
AuthLDAPGroupAttributeIsDN Directive

Description: Use the DN of the client username when checking for group membership
Syntax: AuthLDAPGroupAttributeIsDN on|off
Default: AuthLDAPGroupAttributeIsDN on
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Module: mod_authnz_ldap

When set on, this directive says to use the distinguished name of the client username when checking for group membership. Otherwise, the username will be used. For example, assume that the client sent the username bjenson, which corresponds to the LDAP DN cn=Babs Jenson, o=Example. If this directive is set, mod_authnz_ldap will check if the group has cn=Babs Jenson, o=Example as a member. If this directive is not set, then mod_authnz_ldap will check if the group has bjenson as a member.
AuthLDAPInitialBindAsUser Directive

Description: Determines if the server does the initial DN lookup using the basic authentication user's own username, instead of anonymously or with hard-coded credentials for the server
Syntax: AuthLDAPInitialBindAsUser off|on
Default: AuthLDAPInitialBindAsUser off
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Module: mod_authnz_ldap
Compatibility: Available in version 2.3.6 and later

By default, the server either anonymously, or with a dedicated user and password, converts the basic authentication username into an LDAP distinguished name (DN). This directive forces the server to use the verbatim username and password provided by the incoming user to perform the initial DN search.

If the verbatim username can't directly bind, but needs some cosmetic transformation, see AuthLDAPInitialBindPattern.

This directive should only be used when your LDAP server doesn't accept anonymous searches and you cannot use a dedicated AuthLDAPBindDN.

Not available with authorization-only
This directive can only be used if this module authenticates the user, and has no effect when this module is used exclusively for authorization.

See also
AuthLDAPInitialBindPattern
AuthLDAPBindDN
AuthLDAPCompareAsUser
AuthLDAPSearchAsUser
AuthLDAPInitialBindPattern Directive

Description: Specifies the transformation of the basic authentication username to be used when binding to the LDAP server to perform a DN lookup
Syntax: AuthLDAPInitialBindPattern regex substitution
Default: AuthLDAPInitialBindPattern (.*) $1 (remote username used verbatim)
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Module: mod_authnz_ldap
Compatibility: Available in version 2.3.6 and later

If AuthLDAPInitialBindAsUser is set to ON, the basic authentication username will be transformed according to the regular expression and substitution arguments.

The regular expression argument is compared against the current basic authentication username. The substitution argument may contain backreferences, but has no other variable interpolation.

This directive should only be used when your LDAP server doesn't accept anonymous searches and you cannot use a dedicated AuthLDAPBindDN.

AuthLDAPInitialBindPattern (.+) $1@example.com

AuthLDAPInitialBindPattern (.+) cn=$1,dc=example,dc=com

Not available with authorization-only
This directive can only be used if this module authenticates the user, and has no effect when this module is used exclusively for authorization.

Debugging
The substituted DN is recorded in the environment variable LDAP_BINDASUSER. If the regular expression does not match the input, the verbatim username is used.

See also
AuthLDAPInitialBindAsUser
AuthLDAPBindDN
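The transformation this directive performs, modelled as an added example (not mod_authnz_ldap's code): the regex is matched against the basic-auth username, $N backreferences in the substitution are filled from the match, and a username the regex does not match is used verbatim, as the debugging note states. The two configured patterns are the page's own; the dotted-name pattern is constructed for the no-match case.

```python
import re

def initial_bind_identity(username, regex='(.*)', substitution='$1'):
    """Return (identity, matched). The defaults are the directive's documented
    default, (.*) $1, which uses the remote username verbatim. Apache-style
    $N backreferences are resolved from the regex match; a backreference to
    a group that did not participate becomes an empty string."""
    m = re.search(regex, username)
    if m is None:
        return username, False          # no match: verbatim username is used

    def backref(ref):
        n = int(ref.group(1))
        if n > m.re.groups or m.group(n) is None:
            return ''
        return m.group(n)

    return re.sub(r'\$(\d)', backref, substitution), True

def bind_environment(username, regex, substitution):
    """What a downstream program would see: LDAP_BINDASUSER holds the identity
    actually used for the initial bind."""
    identity, _ = initial_bind_identity(username, regex, substitution)
    return {'LDAP_BINDASUSER': identity}

if __name__ == '__main__':
    print(initial_bind_identity('fuser', '(.+)', '$1@example.com'))
    print(initial_bind_identity('fuser', '(.+)', 'cn=$1,dc=example,dc=com'))
    # Constructed pattern that only matches dotted names; 'fuser' falls back to verbatim.
    print(initial_bind_identity('fuser', r'^([a-z]+)\.([a-z]+)$', 'cn=$1 $2,o=Example'))
```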
AuthLDAPMaxSubGroupDepth Directive

Description: Specifies the maximum sub-group nesting depth that will be evaluated before the user search is discontinued.
Syntax: AuthLDAPMaxSubGroupDepth Number
Default: AuthLDAPMaxSubGroupDepth 10
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Module: mod_authnz_ldap
Compatibility: Available in version 2.3.0 and later

When this directive is set to a non-zero value X combined with use of the Require ldap-group someGroupDN directive, the provided user credentials will be searched for as a member of the someGroupDN directory object or of any group member of the current group up to the maximum nesting level X specified by this directive. See the Require ldap-group section for a more detailed example.

Nested groups performance
When AuthLDAPSubGroupAttribute overlaps with AuthLDAPGroupAttribute (as it does by default and as required by common LDAP schemas), uncached searching for subgroups in large groups can be very slow. If you use large, non-nested groups, set AuthLDAPMaxSubGroupDepth to zero.
AuthLDAPRemoteUserAttribute Directive

Description: Use the value of the attribute returned during the user query to set the REMOTE_USER environment variable
Syntax: AuthLDAPRemoteUserAttribute uid
Default: none
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Module: mod_authnz_ldap

If this directive is set, the value of the REMOTE_USER environment variable will be set to the value of the attribute specified. Make sure that this attribute is included in the list of attributes in the AuthLDAPUrl definition, otherwise this directive will have no effect. This directive, if present, takes precedence over AuthLDAPRemoteUserIsDN. This directive is useful should you want people to log into a website using an email address, but a backend application expects the username as a userid.
AuthLDAPRemoteUserIsDN Directive

Description: Use the DN of the client username to set the REMOTE_USER environment variable
Syntax: AuthLDAPRemoteUserIsDN on|off
Default: AuthLDAPRemoteUserIsDN off
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Module: mod_authnz_ldap

If this directive is set to on, the value of the REMOTE_USER environment variable will be set to the full distinguished name of the authenticated user, rather than just the username that was passed by the client. It is turned off by default.
AuthLDAPSearchAsUser Directive

Description: Use the authenticated user's credentials to perform authorization searches
Syntax: AuthLDAPSearchAsUser on|off
Default: AuthLDAPSearchAsUser off
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Module: mod_authnz_ldap
Compatibility: Available in version 2.3.6 and later

When set, and mod_authnz_ldap has authenticated the user, LDAP searches for authorization use the queried distinguished name (DN) and HTTP basic authentication password of the authenticated user instead of the server's configured credentials.

The ldap-filter and ldap-dn authorization checks use searches.

This directive only has effect on the comparisons performed during nested group processing when AuthLDAPCompareAsUser is also enabled.

This directive should only be used when your LDAP server doesn't accept anonymous searches and you cannot use a dedicated AuthLDAPBindDN.

See also
AuthLDAPInitialBindAsUser
AuthLDAPCompareAsUser
AuthLDAPSubGroupAttribute Directive

Description: Specifies the attribute labels, one value per directive line, used to distinguish the members of the current group that are groups.
Syntax: AuthLDAPSubGroupAttribute attribute
Default: AuthLDAPSubgroupAttribute member uniquemember
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Module: mod_authnz_ldap
Compatibility: Available in version 2.3.0 and later

An LDAP group object may contain members that are users and members that are groups (called nested or sub groups). The AuthLDAPSubGroupAttribute directive identifies the labels of group members and the AuthLDAPGroupAttribute directive identifies the labels of the user members. Multiple attributes can be used by specifying this directive multiple times. If not specified, then mod_authnz_ldap uses the member and uniqueMember attributes.
Packit |
90a5c9 |
Description:Specifies which LDAP objectClass values identify directory
|
|
Packit |
90a5c9 |
objects that are groups during sub-group processing.
|
|
Packit |
90a5c9 |
Syntax:AuthLDAPSubGroupClass LdapObjectClass
|
|
Packit |
90a5c9 |
Default:AuthLDAPSubGroupClass groupOfNames groupOfUniqueNames
|
|
Packit |
90a5c9 |
Context:directory, .htaccess
|
|
Packit |
90a5c9 |
Override:AuthConfig
|
|
Packit |
90a5c9 |
Status:Extension
|
|
Packit |
90a5c9 |
Module:mod_authnz_ldap
|
|
Packit |
90a5c9 |
Compatibility:Available in version 2.3.0 and later
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
An LDAP group object may contain members that are users and
|
|
Packit |
90a5c9 |
members that are groups (called nested or sub groups). The
|
|
Packit |
90a5c9 |
AuthLDAPSubGroupAttribute
|
|
Packit |
90a5c9 |
directive identifies the
|
|
Packit |
90a5c9 |
labels of members that may be sub-groups of the current group
|
|
Packit |
90a5c9 |
(as opposed to user members). The AuthLDAPSubGroupClass
|
|
Packit |
90a5c9 |
directive specifies the LDAP objectClass values used in verifying that
|
|
Packit |
90a5c9 |
these potential sub-groups are in fact group objects. Verified sub-groups
|
|
Packit |
90a5c9 |
can then be searched for more user or sub-group members. Multiple
|
|
Packit |
90a5c9 |
attributes can be used by specifying this directive multiple times.
|
|
Packit |
90a5c9 |
If not specified, then mod_authnz_ldap uses the
|
|
Packit |
90a5c9 |
groupOfNames and groupOfUniqueNames values.
|
|
Packit |
90a5c9 |
|
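The nested-group walk that the AuthLDAPSubGroupAttribute and AuthLDAPSubGroupClass descriptions above define, as an added example written for this page; it is not code from httpd or mod_authnz_ldap. It runs the three checks in order (direct user members via the group attribute, candidate sub-groups via the sub-group attribute, objectClass verification via the sub-group class) over a small directory constructed in memory. The default for AuthLDAPGroupAttribute is not stated on this page and is assumed here to be the same two attributes; the depth limit and cycle guard are this example's own safeguards, as are all names and DNs below.

```python
from typing import Dict, Iterable, List, Set

Entry = Dict[str, List[str]]   # attribute name -> values ("objectClass" included)
Directory = Dict[str, Entry]   # DN -> entry; constructed in memory, no LDAP server involved

# Defaults named on the page.
DEFAULT_SUBGROUP_ATTRIBUTES = ("member", "uniqueMember")
DEFAULT_SUBGROUP_CLASSES = ("groupOfNames", "groupOfUniqueNames")
# AuthLDAPGroupAttribute is referenced on the page but its default is not; assumed here.
DEFAULT_GROUP_ATTRIBUTES = ("member", "uniqueMember")


def _values(entry: Entry, attr: str) -> List[str]:
    """LDAP attribute names are case-insensitive; match them that way."""
    want = attr.lower()
    return [v for k, vals in entry.items() if k.lower() == want for v in vals]


def is_member(directory: Directory, group_dn: str, user_dn: str, *,
              group_attrs: Iterable[str] = DEFAULT_GROUP_ATTRIBUTES,
              subgroup_attrs: Iterable[str] = DEFAULT_SUBGROUP_ATTRIBUTES,
              subgroup_classes: Iterable[str] = DEFAULT_SUBGROUP_CLASSES,
              max_depth: int = 10) -> bool:
    """Return True if user_dn is a direct or nested member of group_dn."""
    group_attrs = tuple(group_attrs)
    subgroup_attrs = tuple(subgroup_attrs)
    classes = {c.lower() for c in subgroup_classes}
    visited: Set[str] = set()

    def walk(dn: str, depth: int) -> bool:
        if dn in visited:          # cycle guard: groups may reference each other
            return False
        visited.add(dn)
        entry = directory.get(dn)
        if entry is None:
            return False
        # 1. AuthLDAPGroupAttribute: direct user members of this group
        for attr in group_attrs:
            if user_dn in _values(entry, attr):
                return True
        if depth >= max_depth:     # example's own bound on recursion
            return False
        # 2. AuthLDAPSubGroupAttribute: values that may name sub-groups
        for attr in subgroup_attrs:
            for candidate_dn in _values(entry, attr):
                candidate = directory.get(candidate_dn)
                if candidate is None:
                    continue
                # 3. AuthLDAPSubGroupClass: descend only into verified group objects
                if not classes & {c.lower() for c in _values(candidate, "objectClass")}:
                    continue
                if walk(candidate_dn, depth + 1):
                    return True
        return False

    return walk(group_dn, 0)


SAMPLE_DIRECTORY: Directory = {   # constructed sample data, not a real directory
    "cn=admins,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=alice,ou=people,dc=example,dc=com",
                   "cn=ops,ou=groups,dc=example,dc=com"],
    },
    "cn=ops,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": ["uid=bob,ou=people,dc=example,dc=com",
                         "cn=admins,ou=groups,dc=example,dc=com",   # cycle back to admins
                         "cn=printers,ou=misc,dc=example,dc=com"],
    },
    # Carries a 'member' attribute but is not a group class: must not be descended into.
    "cn=printers,ou=misc,dc=example,dc=com": {
        "objectClass": ["device"],
        "member": ["uid=mallory,ou=people,dc=example,dc=com"],
    },
    "uid=alice,ou=people,dc=example,dc=com": {"objectClass": ["inetOrgPerson"]},
    "uid=bob,ou=people,dc=example,dc=com": {"objectClass": ["inetOrgPerson"]},
    "uid=mallory,ou=people,dc=example,dc=com": {"objectClass": ["inetOrgPerson"]},
}

if __name__ == "__main__":
    admins = "cn=admins,ou=groups,dc=example,dc=com"
    for uid in ("alice", "bob", "mallory"):
        dn = f"uid={uid},ou=people,dc=example,dc=com"
        print(uid, is_member(SAMPLE_DIRECTORY, admins, dn))
```

The mallory case is the one worth checking in a real deployment: an entry that is not a group but happens to carry a member-style attribute is ignored only because its objectClass is not in AuthLDAPSubGroupClass, so widening that list (the example shows the effect of adding device) also widens who can be granted membership.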
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Description:URL specifying the LDAP search parameters
|
|
Packit |
90a5c9 |
Syntax:AuthLDAPUrl url [NONE|SSL|TLS|STARTTLS]
|
|
Packit |
90a5c9 |
Context:directory, .htaccess
|
|
Packit |
90a5c9 |
Override:AuthConfig
|
|
Packit |
90a5c9 |
Status:Extension
|
|
Packit |
90a5c9 |
Module:mod_authnz_ldap
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
An RFC 2255 URL which specifies the LDAP search parameters
|
|
Packit |
90a5c9 |
to use. The syntax of the URL is
|
|
Packit |
90a5c9 |
ldap://host:port/basedn?attribute?scope?filter
|
|
Packit |
90a5c9 |
If you want to specify more than one LDAP URL that Apache should try in turn, the syntax is:
|
|
Packit |
90a5c9 |
AuthLDAPUrl "ldap://ldap1.example.com ldap2.example.com/dc=..."
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Caveat: If you specify multiple servers, you need to enclose the entire URL string in quotes;
|
|
Packit |
90a5c9 |
otherwise you will get an error: "AuthLDAPURL takes one argument, URL to define LDAP connection.."
|
|
Packit |
90a5c9 |
You can of course use search parameters on each of these.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
ldap
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
For regular ldap, use the
|
|
Packit |
90a5c9 |
string ldap . For secure LDAP, use ldaps
|
|
Packit |
90a5c9 |
instead. Secure LDAP is only available if Apache was linked
|
|
Packit |
90a5c9 |
to an LDAP library with SSL support.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
host:port
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
The name/port of the ldap server (defaults to
|
|
Packit |
90a5c9 |
localhost:389 for ldap , and
|
|
Packit |
90a5c9 |
localhost:636 for ldaps ). To
|
|
Packit |
90a5c9 |
specify multiple, redundant LDAP servers, just list all
|
|
Packit |
90a5c9 |
servers, separated by spaces. mod_authnz_ldap
|
|
Packit |
90a5c9 |
will try connecting to each server in turn, until it makes a
|
|
Packit |
90a5c9 |
successful connection. If multiple ldap servers are specified,
|
|
Packit |
90a5c9 |
then entire LDAP URL must be encapsulated in double quotes.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Once a connection has been made to a server, that
|
|
Packit |
90a5c9 |
connection remains active for the life of the
|
|
Packit |
90a5c9 |
httpd process, or until the LDAP server goes
|
|
Packit |
90a5c9 |
down.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
If the LDAP server goes down and breaks an existing
|
|
Packit |
90a5c9 |
connection, mod_authnz_ldap will attempt to
|
|
Packit |
90a5c9 |
re-connect, starting with the primary server, and trying
|
|
Packit |
90a5c9 |
each redundant server in turn. Note that this is different
|
|
Packit |
90a5c9 |
than a true round-robin search.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
basedn
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
The DN of the branch of the
|
|
Packit |
90a5c9 |
directory where all searches should start from. At the very
|
|
Packit |
90a5c9 |
least, this must be the top of your directory tree, but
|
|
Packit |
90a5c9 |
could also specify a subtree in the directory.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
attribute
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
The attribute to search for.
|
|
Packit |
90a5c9 |
Although RFC 2255 allows a comma-separated list of
|
|
Packit |
90a5c9 |
attributes, only the first attribute will be used, no
|
|
Packit |
90a5c9 |
matter how many are provided. If no attributes are
|
|
Packit |
90a5c9 |
provided, the default is to use uid . It's a good
|
|
Packit |
90a5c9 |
idea to choose an attribute that will be unique across all
|
|
Packit |
90a5c9 |
entries in the subtree you will be using. All attributes
|
|
Packit |
90a5c9 |
listed will be put into the environment with an AUTHENTICATE_ prefix
|
|
Packit |
90a5c9 |
for use by other modules.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
scope
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
The scope of the search. Can be either one or
|
|
Packit |
90a5c9 |
sub . Note that a scope of base is
|
|
Packit |
90a5c9 |
also supported by RFC 2255, but is not supported by this
|
|
Packit |
90a5c9 |
module. If the scope is not provided, or if base scope
|
|
Packit |
90a5c9 |
is specified, the default is to use a scope of
|
|
Packit |
90a5c9 |
sub .
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
filter
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
A valid LDAP search filter. If
|
|
Packit |
90a5c9 |
not provided, defaults to (objectClass=*) , which
|
|
Packit |
90a5c9 |
will search for all objects in the tree. Filters are
|
|
Packit |
90a5c9 |
limited to approximately 8000 characters (the definition of
|
|
Packit |
90a5c9 |
MAX_STRING_LEN in the Apache source code). This
|
|
Packit |
90a5c9 |
should be more than sufficient for any application. In 2.4.10 and later,
|
|
Packit |
90a5c9 |
the keyword none disables the use of a filter; this is
|
|
Packit |
90a5c9 |
required by some primitive LDAP servers.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
When doing searches, the attribute, filter and username passed
|
|
Packit |
90a5c9 |
by the HTTP client are combined to create a search filter that
|
|
Packit |
90a5c9 |
looks like
|
|
Packit |
90a5c9 |
(&(filter)(attribute=username)) .
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
For example, consider an URL of
|
|
Packit |
90a5c9 |
ldap://ldap.example.com/o=Example?cn?sub?(posixid=*) . When
|
|
Packit |
90a5c9 |
a client attempts to connect using a username of Babs
|
|
Packit |
90a5c9 |
Jenson, the resulting search filter will be
|
|
Packit |
90a5c9 |
(&(posixid=*)(cn=Babs Jenson)) .
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
An optional parameter can be added to allow the LDAP Url to override
|
|
Packit |
90a5c9 |
the connection type. This parameter can be one of the following:
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
NONE
|
|
Packit |
90a5c9 |
Establish an unsecure connection on the default LDAP port. This
|
|
Packit |
90a5c9 |
is the same as ldap:// on port 389.
|
|
Packit |
90a5c9 |
SSL
|
|
Packit |
90a5c9 |
Establish a secure connection on the default secure LDAP port.
|
|
Packit |
90a5c9 |
This is the same as ldaps://
|
|
Packit |
90a5c9 |
TLS | STARTTLS
|
|
Packit |
90a5c9 |
Establish an upgraded secure connection on the default LDAP port.
|
|
Packit |
90a5c9 |
This connection will be initiated on port 389 by default and then
|
|
Packit |
90a5c9 |
upgraded to a secure connection on the same port.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
See above for examples of AuthLDAPUrl URLs.
|
|
Packit |
90a5c9 |
|
|
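The URL grammar and the filter composition described above, carried through as an added example written for this page rather than code from httpd. It parses an AuthLDAPUrl value (including the space-separated multi-server form, the per-component defaults, the none keyword and the connection-type override) and builds the (&(filter)(attribute=username)) search filter for a supplied username. The page does not say how the username is encoded into the filter; the RFC 4515 escaping applied here is this example's choice, not a claim about the exact bytes mod_authnz_ldap emits, and it is what stops a username such as *)(cn=* from altering the filter's structure. The value 8192 for MAX_STRING_LEN, the rejection of unknown scopes, and all host names are assumptions; IPv6 bracket syntax is not handled.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_STRING_LEN = 8192            # page says "approximately 8000"; exact value assumed
DEFAULT_PORT = {"ldap": 389, "ldaps": 636}
CONNECTION_TYPES = ("NONE", "SSL", "TLS", "STARTTLS")


@dataclass
class AuthLdapUrl:
    scheme: str                   # "ldap" or "ldaps"
    hosts: List[Tuple[str, int]]  # tried in order until one connects
    basedn: str
    attribute: str                # the single attribute used to match the username
    exported: List[str]           # every listed attribute, exported as AUTHENTICATE_*
    scope: str                    # "one" or "sub" (base falls back to sub)
    filter: Optional[str]         # None when the 'none' keyword disables the filter
    connection_type: str          # NONE, SSL, TLS or STARTTLS

    def transport_protected(self) -> bool:
        """False when bind credentials and user passwords would travel in cleartext."""
        return self.scheme == "ldaps" or self.connection_type in ("SSL", "TLS", "STARTTLS")


def parse_authldapurl(url: str, connection_type: str = "NONE") -> AuthLdapUrl:
    connection_type = connection_type.upper()
    if connection_type not in CONNECTION_TYPES:
        raise ValueError(f"unknown connection type {connection_type!r}")
    if "://" not in url:
        raise ValueError("AuthLDAPUrl must start with ldap:// or ldaps://")
    scheme, rest = url.split("://", 1)
    scheme = scheme.lower()
    if scheme not in DEFAULT_PORT:
        raise ValueError(f"unsupported scheme {scheme!r}")
    hostpart, _, path = rest.partition("/")

    # SSL implies the ldaps default port; TLS/STARTTLS stay on 389 and upgrade in place.
    default_port = 636 if (scheme == "ldaps" or connection_type == "SSL") else 389
    hosts: List[Tuple[str, int]] = []
    for entry in (hostpart.split() or ["localhost"]):   # several hosts, space separated
        host, sep, port = entry.rpartition(":")
        if not sep:                                    # no explicit port
            host, port = entry, ""
        hosts.append((host, int(port) if port else default_port))

    # basedn?attribute?scope?filter, each part optional
    basedn, attrs, scope, filt = (path.split("?", 3) + [""] * 4)[:4]
    exported = [a.strip() for a in attrs.split(",") if a.strip()] or ["uid"]
    scope = scope.lower() or "sub"
    if scope == "base":           # allowed by RFC 2255, not by the module: falls back to sub
        scope = "sub"
    if scope not in ("one", "sub"):
        raise ValueError(f"unsupported scope {scope!r}")   # assumption: reject the rest
    if filt.lower() == "none":
        filter_value: Optional[str] = None
    else:
        filter_value = filt or "(objectClass=*)"
        if len(filter_value) > MAX_STRING_LEN:
            raise ValueError("filter exceeds MAX_STRING_LEN")
    return AuthLdapUrl(scheme, hosts, basedn, exported[0], exported,
                       scope, filter_value, connection_type)


_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a username cannot change the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(c, c) for c in value)


def build_search_filter(parsed: AuthLdapUrl, username: str) -> str:
    """Compose (&(filter)(attribute=username)), or just the term when no filter is set."""
    term = f"({parsed.attribute}={escape_filter_value(username)})"
    return term if parsed.filter is None else f"(&{parsed.filter}{term})"


if __name__ == "__main__":
    u = parse_authldapurl("ldap://ldap.example.com/o=Example?cn?sub?(posixid=*)")
    print(build_search_filter(u, "Babs Jenson"))   # the page's own example
    print(build_search_filter(u, "*)(cn=*"))       # wildcard and parens neutralised
    print("transport protected:", u.transport_protected())
```

Feeding the first URL and the username Babs Jenson through build_search_filter reproduces the (&(posixid=*)(cn=Babs Jenson)) filter quoted above; transport_protected returns False for that URL because it is ldap:// with no override, which is the configuration to look for when reviewing a deployment.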
Copyright 2018 The Apache Software Foundation. Licensed under the Apache License, Version 2.0.

</body></html>
|