client certificates are required, an optional key3.db file may
be specified with an optional password. The secmod file can be
specified if required. These files are in the same format as
used by the Netscape Communicator or Mozilla web browsers. The easiest
way to obtain these files is to grab them from your browser
installation.</p>
<p>Client certificates are specified per connection using the
LDAPTrustedClientCert directive by referring
to the certificate "nickname". An optional password may be
specified to unlock the certificate's private key.</p>
<p>The SDK supports SSL only. An attempt to use STARTTLS will cause
an error when an attempt is made to contact the LDAP server at
runtime.</p>
<div class="example"><p><code>
# Specify a Netscape CA certificate file<br />
LDAPTrustedGlobalCert CA_CERT7_DB /certs/cert7.db<br />
# Specify an optional key3.db file for client certificate support<br />
LDAPTrustedGlobalCert CERT_KEY3_DB /certs/key3.db<br />
# Specify the secmod file if required<br />
LDAPTrustedGlobalCert CA_SECMOD /certs/secmod<br />
<Location /ldap-status><br />
<span class="indent">
SetHandler ldap-status<br />
Order deny,allow<br />
Deny from all<br />
Allow from yourdomain.example.com<br />
AuthLDAPEnabled on<br />
LDAPTrustedClientCert CERT_NICKNAME <nickname> [password]<br />
AuthLDAPURL ldaps://127.0.0.1/dc=example,dc=com?uid?one<br />
AuthLDAPAuthoritative on<br />
require valid-user<br />
</span>
</Location>
</code></p></div>
<h3><a name="settingcerts-novell" id="settingcerts-novell">Novell SDK</a></h3>
<p>One or more CA certificates must be specified for the Novell
SDK to work correctly. These certificates can be specified as
binary DER or Base64 (PEM) encoded files.</p>
<p>Note: Client certificates are specified globally rather than per
connection, and so must be specified with the LDAPTrustedGlobalCert
directive as below. Trying to set client certificates via the
LDAPTrustedClientCert directive will cause an error to be logged
when an attempt is made to connect to the LDAP server.</p>
<p>The SDK supports both SSL and STARTTLS, set using the
LDAPTrustedMode parameter. If an ldaps:// URL is specified,
SSL mode is forced, overriding this directive.</p>
<div class="example"><p><code>
# Specify two CA certificate files<br />
LDAPTrustedGlobalCert CA_DER /certs/cacert1.der<br />
LDAPTrustedGlobalCert CA_BASE64 /certs/cacert2.pem<br />
# Specify a client certificate file and key<br />
LDAPTrustedGlobalCert CERT_BASE64 /certs/cert1.pem<br />
LDAPTrustedGlobalCert KEY_BASE64 /certs/key1.pem [password]<br />
# Do not use this directive, as it will throw an error<br />
#LDAPTrustedClientCert CERT_BASE64 /certs/cert1.pem<br />
</code></p></div>
<h3><a name="settingcerts-openldap" id="settingcerts-openldap">OpenLDAP SDK</a></h3>
<p>One or more CA certificates must be specified for the OpenLDAP
SDK to work correctly. These certificates can be specified as
binary DER or Base64 (PEM) encoded files.</p>
<p>Client certificates are specified per connection using the
LDAPTrustedClientCert directive.</p>
<p>The documentation for the SDK claims to support both SSL and
STARTTLS, however STARTTLS does not seem to work on all versions
of the SDK. The SSL/TLS mode can be set using the
LDAPTrustedMode parameter. If an ldaps:// URL is specified,
SSL mode is forced. The OpenLDAP documentation notes that SSL
(ldaps://) support has been deprecated to be replaced with TLS,
although the SSL functionality still works.</p>
<div class="example"><p><code>
# Specify two CA certificate files<br />
LDAPTrustedGlobalCert CA_DER /certs/cacert1.der<br />
LDAPTrustedGlobalCert CA_BASE64 /certs/cacert2.pem<br />
<Location /ldap-status><br />
<span class="indent">
SetHandler ldap-status<br />
Order deny,allow<br />
Deny from all<br />
Allow from yourdomain.example.com<br />
AuthLDAPEnabled on<br />
LDAPTrustedClientCert CERT_BASE64 /certs/cert1.pem<br />
LDAPTrustedClientCert KEY_BASE64 /certs/key1.pem<br />
AuthLDAPURL ldaps://127.0.0.1/dc=example,dc=com?uid?one<br />
AuthLDAPAuthoritative on<br />
require valid-user<br />
</span>
</Location>
</code></p></div>
<h3><a name="settingcerts-solaris" id="settingcerts-solaris">Solaris SDK</a></h3>
<p>SSL/TLS for the native Solaris LDAP libraries is not yet
supported. If required, install and use the OpenLDAP libraries
instead.</p>
<h3><a name="settingcerts-microsoft" id="settingcerts-microsoft">Microsoft SDK</a></h3>
<p>SSL/TLS certificate configuration for the native Microsoft
LDAP libraries is done inside the system registry, and no
configuration directives are required.</p>
<p>Both SSL and TLS are supported by using the ldaps:// URL
format, or by using the LDAPTrustedMode directive accordingly.</p>
<p>Note: The status of support for client certificates is not yet known
for this toolkit.</p>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="LDAPCacheEntries" id="LDAPCacheEntries">LDAPCacheEntries</a> <a name="ldapcacheentries" id="ldapcacheentries">Directive</a></h2>
<table border="1" cellpadding="0" cellspacing="0" bordercolor="#AAAAAA" class="directive">
<tr><th><a href="directive-dict.html#Description">Description</a></th><td>Maximum number of entries in the primary LDAP cache</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax</a></th><td><code>LDAPCacheEntries <var>number</var></code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default</a></th><td><code>LDAPCacheEntries 1024</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Status">Status</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module</a></th><td>mod_ldap</td></tr>
</table>
<p>Specifies the maximum number of entries in the primary LDAP cache. This cache holds successful search/bind pairs. Setting it to 0 disables the search/bind cache. The default is 1024.</p>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="LDAPCacheTTL" id="LDAPCacheTTL">LDAPCacheTTL</a> <a name="ldapcachettl" id="ldapcachettl">Directive</a></h2>
<table border="1" cellpadding="0" cellspacing="0" bordercolor="#AAAAAA" class="directive">
<tr><th><a href="directive-dict.html#Description">Description</a></th><td>Time that search/bind cache entries remain valid</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax</a></th><td><code>LDAPCacheTTL <var>seconds</var></code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default</a></th><td><code>LDAPCacheTTL 600</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Status">Status</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module</a></th><td>mod_ldap</td></tr>
</table>
<p>Specifies the time, in seconds, that search/bind cache entries remain valid. The default is 600 seconds (10 minutes).</p>
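<p>The two cache directives above have a security consequence that is easy to miss: a successful bind stays valid in the cache until LDAPCacheTTL expires, so a password change or account disable in the directory is not seen by Apache until then. The following toy model of the search/bind cache is an added example, not Apache code; the <code>SearchBindCache</code> class, the <code>revocation_lag</code> scenario and the <code>uid=alice</code> account are all constructed for illustration.</p>

```python
import hashlib
import time


class SearchBindCache:
    """Toy model of the mod_ldap search/bind cache (added example, not
    Apache code). max_entries mirrors LDAPCacheEntries (0 = cache off),
    ttl mirrors LDAPCacheTTL (seconds). Only successful binds are
    cached; failed binds always go to the directory."""

    def __init__(self, bind, max_entries=1024, ttl=600, clock=time.monotonic):
        self.bind = bind              # real bind: (dn, password) -> bool
        self.max_entries = max_entries
        self.ttl = ttl
        self.clock = clock            # injectable so the scenario is deterministic
        self.entries = {}             # dn -> (password fingerprint, expiry time)

    @staticmethod
    def _fingerprint(password):
        # Keep a hash rather than the cleartext password in the cache.
        return hashlib.sha256(password.encode()).hexdigest()

    def authenticate(self, dn, password):
        now = self.clock()
        hit = self.entries.get(dn)
        if hit and hit[0] == self._fingerprint(password) and hit[1] > now:
            return True               # cache hit: the directory is never consulted
        ok = self.bind(dn, password)
        if ok and self.max_entries > 0:
            if dn not in self.entries and len(self.entries) >= self.max_entries:
                self.entries.pop(next(iter(self.entries)))  # crude oldest-first eviction
            self.entries[dn] = (self._fingerprint(password), now + self.ttl)
        return ok


def revocation_lag(max_entries, ttl):
    """Return (before revoke, just after revoke, after TTL) for one user."""
    clock = [0.0]
    accounts = {"uid=alice,dc=example,dc=com": "s3cret"}   # constructed directory
    cache = SearchBindCache(lambda dn, pw: accounts.get(dn) == pw,
                            max_entries, ttl, clock=lambda: clock[0])
    dn, pw = "uid=alice,dc=example,dc=com", "s3cret"
    first = cache.authenticate(dn, pw)
    del accounts[dn]                  # account disabled in the directory
    second = cache.authenticate(dn, pw)
    clock[0] += ttl + 1               # wait past LDAPCacheTTL
    third = cache.authenticate(dn, pw)
    return first, second, third
```

<p>With the defaults (1024 entries, 600 seconds) the disabled account still authenticates until the TTL lapses; with LDAPCacheEntries 0 the revocation takes effect immediately, at the cost of a directory bind on every request.</p>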
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="LDAPConnectionTimeout" id="LDAPConnectionTimeout">LDAPConnectionTimeout</a> <a name="ldapconnectiontimeout" id="ldapconnectiontimeout">Directive</a></h2>
<table border="1" cellpadding="0" cellspacing="0" bordercolor="#AAAAAA" class="directive">
<tr><th><a href="directive-dict.html#Description">Description</a></th><td>Specifies the socket connection timeout in seconds</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax</a></th><td><code>LDAPConnectionTimeout <var>seconds</var></code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Status">Status</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module</a></th><td>mod_ldap</td></tr>
</table>
<p>Specifies the timeout value (in seconds) within which the module will
attempt to connect to the LDAP server. If a connection is not
successful within the timeout period, either an error will be
returned or the module will attempt to connect to a secondary LDAP