📄 mod_authnz_ldap.html.en
字号:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!--
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
This file is generated from xml source: DO NOT EDIT
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-->
<title>mod_authnz_ldap - Apache HTTP Server</title>
<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" />
<link href="../images/favicon.ico" rel="shortcut icon" /></head>
<body>
<div id="page-header">
<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p>
<p class="apache">Apache HTTP Server Version 2.2</p>
<img alt="" src="../images/feather.gif" /></div>
<div class="up"><a href="./"><img title="<-" alt="<-" src="../images/left.gif" /></a></div>
<div id="path">
<a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs/">Documentation</a> > <a href="../">Version 2.2</a> > <a href="./">Modules</a></div>
<div id="page-content">
<div id="preamble"><h1>Apache Module mod_authnz_ldap</h1>
<div class="toplang">
<p><span>Available Languages: </span><a href="../en/mod/mod_authnz_ldap.html" title="English"> en </a></p>
</div>
<table class="module"><tr><th><a href="module-dict.html#Description">Description:</a></th><td>Allows an LDAP directory to be used to store the database
for HTTP Basic authentication.</td></tr>
<tr><th><a href="module-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="module-dict.html#ModuleIdentifier">Module營dentifier:</a></th><td>authnz_ldap_module</td></tr>
<tr><th><a href="module-dict.html#SourceFile">Source燜ile:</a></th><td>mod_authnz_ldap.c</td></tr>
<tr><th><a href="module-dict.html#Compatibility">Compatibility:</a></th><td>Available in version 2.1 and later</td></tr></table>
<h3>Summary</h3>
<p>This module provides authentication front-ends such as
<code class="module"><a href="../mod/mod_auth_basic.html">mod_auth_basic</a></code> to authenticate users through
an ldap directory.</p>
<p><code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> supports the following features:</p>
<ul>
<li>Known to support the <a href="http://www.openldap.org/">OpenLDAP SDK</a> (both 1.x
and 2.x), <a href="http://developer.novell.com/ndk/cldap.htm">
Novell LDAP SDK</a> and the <a href="http://www.iplanet.com/downloads/developer/">iPlanet
(Netscape)</a> SDK.</li>
<li>Complex authorization policies can be implemented by
representing the policy with LDAP filters.</li>
<li>Uses extensive caching of LDAP operations via <a href="mod_ldap.html">mod_ldap</a>.</li>
<li>Support for LDAP over SSL (requires the Netscape SDK) or
TLS (requires the OpenLDAP 2.x SDK or Novell LDAP SDK).</li>
</ul>
<p>When using <code class="module"><a href="../mod/mod_auth_basic.html">mod_auth_basic</a></code>, this module is invoked
via the <code class="directive"><a href="../mod/mod_auth_basic.html#authbasicprovider">AuthBasicProvider</a></code>
directive with the <code>ldap</code> value.</p>
</div>
<div id="quickview"><h3 class="directives">Directives</h3>
<ul id="toc">
<li><img alt="" src="../images/down.gif" /> <a href="#authldapbinddn">AuthLDAPBindDN</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authldapbindpassword">AuthLDAPBindPassword</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authldapcharsetconfig">AuthLDAPCharsetConfig</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authldapcomparednonserver">AuthLDAPCompareDNOnServer</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authldapdereferencealiases">AuthLDAPDereferenceAliases</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authldapgroupattribute">AuthLDAPGroupAttribute</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authldapgroupattributeisdn">AuthLDAPGroupAttributeIsDN</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authldapremoteuserisdn">AuthLDAPRemoteUserIsDN</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authldapurl">AuthLDAPUrl</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authzldapauthoritative">AuthzLDAPAuthoritative</a></li>
</ul>
<h3>Topics</h3>
<ul id="topics">
<li><img alt="" src="../images/down.gif" /> <a href="#contents">Contents</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#operation">Operation</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#requiredirectives">The require Directives</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#examples">Examples</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#usingtls">Using TLS</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#usingssl">Using SSL</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#frontpage">Using Microsoft
FrontPage with mod_authnz_ldap</a></li>
</ul><h3>See also</h3>
<ul class="seealso">
<li><code class="module"><a href="../mod/mod_ldap.html">mod_ldap</a></code></li>
<li><code class="module"><a href="../mod/mod_auth_basic.html">mod_auth_basic</a></code></li>
<li><code class="module"><a href="../mod/mod_authz_user.html">mod_authz_user</a></code></li>
<li><code class="module"><a href="../mod/mod_authz_groupfile.html">mod_authz_groupfile</a></code></li>
</ul></div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="contents" id="contents">Contents</a></h2>
<ul>
<li>
<a href="#operation">Operation</a>
<ul>
<li><a href="#authenphase">The Authentication
Phase</a></li>
<li><a href="#authorphase">The Authorization
Phase</a></li>
</ul>
</li>
<li>
<a href="#requiredirectives">The require Directives</a>
<ul>
<li><a href="#reqvaliduser">require valid-user</a></li>
<li><a href="#requser">require ldap-user</a></li>
<li><a href="#reqgroup">require ldap-group</a></li>
<li><a href="#reqdn">require ldap-dn</a></li>
<li><a href="#reqattribute">require ldap-attribute</a></li>
<li><a href="#reqfilter">require ldap-filter</a></li>
</ul>
</li>
<li><a href="#examples">Examples</a></li>
<li><a href="#usingtls">Using TLS</a></li>
<li><a href="#usingssl">Using SSL</a></li>
<li>
<a href="#frontpage">Using Microsoft FrontPage with
<code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code></a>
<ul>
<li><a href="#howitworks">How It Works</a></li>
<li><a href="#fpcaveats">Caveats</a></li>
</ul>
</li>
</ul>
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="operation" id="operation">Operation</a></h2>
<p>There are two phases in granting access to a user. The first
phase is authentication, in which the <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code>
authentication provider verifies that the user's credentials are valid.
This is also called the <em>search/bind</em> phase. The second phase is
authorization, in which <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> determines
if the authenticated user is allowed access to the resource in
question. This is also known as the <em>compare</em>
phase.</p>
<p><code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> registers both an authn_ldap authentication
provider and an authz_ldap authorization handler. The authn_ldap
authentication provider can be enabled through the
<code class="directive"><a href="../mod/mod_auth_basic.html#authbasicprovider">AuthBasicProvider</a></code> directive
using the <code>ldap</code> value. The authz_ldap handler extends the
<code class="directive"><a href="../mod/core.html#require">Require</a></code> directive's authorization types
by adding <code>ldap-user</code>, <code>ldap-dn</code> and <code>ldap-group</code>
values.</p>
<h3><a name="authenphase" id="authenphase">The Authentication
Phase</a></h3>
<p>During the authentication phase, <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code>
searches for an entry in the directory that matches the username
that the HTTP client passes. If a single unique match is found,
then <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> attempts to bind to the
directory server using the DN of the entry plus the password
provided by the HTTP client. Because it does a search, then a
bind, it is often referred to as the search/bind phase. Here are
the steps taken during the search/bind phase.</p>
<ol>
<li>Generate a search filter by combining the attribute and
filter provided in the <code class="directive"><a href="#authldapurl">AuthLDAPURL</a></code> directive with
the username passed by the HTTP client.</li>
<li>Search the directory using the generated filter. If the
search does not return exactly one entry, deny or decline
access.</li>
<li>Fetch the distinguished name of the entry retrieved from
the search and attempt to bind to the LDAP server using the
DN and the password passed by the HTTP client. If the bind is
unsuccessful, deny or decline access.</li>
</ol>
<p>The following directives are used during the search/bind
phase</p>
<table>
<tr>
<td><code class="directive"><a href="#authldapurl">AuthLDAPURL</a></code></td>
<td>Specifies the LDAP server, the
base DN, the attribute to use in the search, as well as the
extra search filter to use.</td>
</tr>
<tr>
<td><code class="directive"><a href="#authldapbinddn">AuthLDAPBindDN</a></code></td>
<td>An optional DN to bind with
during the search phase.</td>
</tr>
<tr>
<td><code class="directive"><a href="#authldapbindpassword">AuthLDAPBindPassword</a></code></td>
<td>An optional password to bind
with during the search phase.</td>
</tr>
</table>
<h3><a name="authorphase" id="authorphase">The Authorization Phase</a></h3>
<p>During the authorization phase, <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code>
attempts to determine if the user is authorized to access the
resource. Many of these checks require
<code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> to do a compare operation on the
LDAP server. This is why this phase is often referred to as the
compare phase. <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> accepts the
following <code class="directive"><a href="../mod/core.html#require">Require</a></code>
directives to determine if the credentials are acceptable:</p>
<ul>
<li>Grant access if there is a <a href="#reqgroup"><code>require ldap-user</code></a> directive, and the
username in the directive matches the username passed by the
client.</li>
<li>Grant access if there is a <a href="#reqdn"><code>require
ldap-dn</code></a> directive, and the DN in the directive matches
the DN fetched from the LDAP directory.</li>
<li>Grant access if there is a <a href="#reqgroup"><code>require ldap-group</code></a> directive, and
the DN fetched from the LDAP directory (or the username
passed by the client) occurs in the LDAP group.</li>
<li>Grant access if there is a <a href="#reqattribute">
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -