mod_authnz_ldap.html

这个是我在web培训时老师提供的手册

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<meta name="keywords" content="Apache, 中文, 手册, 中文版, 中文手册, 中文版手册, 参考手册, 中文参考手册, 金步国" />
<meta name="description" content="Apache 2.2 中文版参考手册" />
<meta name="author" content="金步国" />
<link href="../style/css/manual-zip.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
<link href="../style/css/manual-zip-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" />
<title>mod_authnz_ldap － Apache 2.2 中文版参考手册</title>
</head>
<body><div id="page-header">
<p class="menu"><a href="../mod/index.html">模块索引</a> | <a href="../mod/directives.html">指令索引</a> | <a href="../faq/index.html">常见问题</a> | <a href="../glossary.html">词汇表</a> | <a href="../sitemap.html">站点导航</a></p><p class="apache">Apache HTTP Server 版本2.2</p><img alt="" src="../images/feather.gif" /></div>
<div class="up"><a href="./index.html"><img title="&lt;-" alt="&lt;-" src="../images/left.gif" /></a></div>
<div id="path"><a href="http://www.apache.org/">Apache</a> &gt; <a href="http://httpd.apache.org/">HTTP Server</a> &gt; <a href="http://httpd.apache.org/docs/">文档</a> &gt; <a href="../index.html">版本2.2</a> &gt; <a href="./index.html">模块</a></div>

<div id="translation-info">　　 <a href="../translator_announcement.html#thanks">致谢</a> | <a href="../translator_announcement.html#announcement">译者声明</a> | 本篇译者：&lt;<a href="../translator_announcement.html#join">虚位以待</a>&gt; | 本篇译稿完成时间：?年?月?日 | <a href="../translator_announcement.html#last_new">获取最新版本</a></div>
<div id="page-content"><div id="preamble"><h1>Apache模块 mod_authnz_ldap</h1>

<table border="1" cellpadding="0" cellspacing="0" bordercolor="#AAAAAA" class="module">
<tr><th><a href="module-dict.html#Description">说明</a></th><td>允许使用一个LDAP目录存储用户名和密码数据库来执行基本认证和授权</td></tr>
<tr><th><a href="module-dict.html#Status">状态</a></th><td>扩展(E)</td></tr>
<tr><th><a href="module-dict.html#ModuleIdentifier">模块名</a></th><td>authnz_ldap_module</td></tr>
<tr><th><a href="module-dict.html#SourceFile">源文件</a></th><td>mod_authnz_ldap.c</td></tr>
<tr><th><a href="module-dict.html#Compatibility">兼容性</a></th><td>仅在 Apache 2.1 及以后的版本中可用</td></tr>
</table>
<h3>概述</h3>

    <p>This module provides authentication front-ends such as
    <code class="module"><a href="../mod/mod_auth_basic.html">mod_auth_basic</a></code> to authenticate users through 
    an ldap directory.</p>
    
    <p><code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> supports the following features:</p>

    <ul>
      <li>Known to support the <a href="http://www.openldap.org/">OpenLDAP SDK</a> (both 1.x
      and 2.x), <a href="http://developer.novell.com/ndk/cldap.htm">
      Novell LDAP SDK</a> and the <a href="http://www.iplanet.com/downloads/developer/">iPlanet
      (Netscape)</a> SDK.</li>

      <li>Complex authorization policies can be implemented by
      representing the policy with LDAP filters.</li>

      <li>Uses extensive caching of LDAP operations via <a href="mod_ldap.html">mod_ldap</a>.</li>

      <li>Support for LDAP over SSL (requires the Netscape SDK) or
      TLS (requires the OpenLDAP 2.x SDK or Novell LDAP SDK).</li>
    </ul>

    <p>When using <code class="module"><a href="../mod/mod_auth_basic.html">mod_auth_basic</a></code>, this module is invoked
    via the <code class="directive"><a href="../mod/mod_auth_basic.html#authbasicprovider">AuthBasicProvider</a></code>
    directive with the <code>ldap</code> value.</p>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="contents" id="contents">Contents</a></h2>

    <ul>
      <li>
        <a href="#operation">Operation</a> 

        <ul>
          <li><a href="#authenphase">The Authentication
          Phase</a></li>

          <li><a href="#authorphase">The Authorization
          Phase</a></li>
        </ul>
      </li>

      <li>
        <a href="#requiredirectives">The require Directives</a> 

        <ul>
          <li><a href="#reqvaliduser">require valid-user</a></li>
          <li><a href="#requser">require ldap-user</a></li>
          <li><a href="#reqgroup">require ldap-group</a></li>
          <li><a href="#reqdn">require ldap-dn</a></li>
          <li><a href="#reqattribute">require ldap-attribute</a></li>
          <li><a href="#reqfilter">require ldap-filter</a></li>
        </ul>
      </li>

      <li><a href="#examples">Examples</a></li>
      <li><a href="#usingtls">Using TLS</a></li>
      <li><a href="#usingssl">Using SSL</a></li>

      <li>
        <a href="#frontpage">Using Microsoft FrontPage with
        <code class="module"></code></a><code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> 

        <ul>
          <li><a href="#howitworks">How It Works</a></li>
          <li><a href="#fpcaveats">Caveats</a></li>
        </ul>
      </li>
    </ul>
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="operation" id="operation">Operation</a></h2>

    <p>There are two phases in granting access to a user. The first
    phase is authentication, in which the <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code>
    authentication provider verifies that the user's credentials are valid. 
    This is also called the <em>search/bind</em> phase. The second phase is
    authorization, in which <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> determines
    if the authenticated user is allowed access to the resource in
    question. This is also known as the <em>compare</em>
    phase.</p>

    <p><code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> registers both an authn_ldap authentication
    provider and an authz_ldap authorization handler.  The authn_ldap
    authentication provider can be enabled through the 
    <code class="directive"><a href="../mod/mod_auth_basic.html#authbasicprovider">AuthBasicProvider</a></code> directive 
    using the <code>ldap</code> value. The authz_ldap handler extends the 
    <code class="directive"><a href="../mod/core.html#require">Require</a></code> directive's authorization types
    by adding <code>ldap-user</code>, <code>ldap-dn</code>和<code>ldap-group</code> 
    values.</p>

<h3><a name="authenphase" id="authenphase">The Authentication
    Phase</a></h3>

    <p>During the authentication phase, <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code>
    searches for an entry in the directory that matches the username
    that the HTTP client passes. If a single unique match is found,
    then <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> attempts to bind to the
    directory server using the DN of the entry plus the password
    provided by the HTTP client. Because it does a search, then a
    bind, it is often referred to as the search/bind phase. Here are
    the steps taken during the search/bind phase.</p>

    <ol>
      <li>Generate a search filter by combining the attribute and
      filter provided in the <code class="directive"><a href="#authldapurl">AuthLDAPURL</a></code> directive with
      the username passed by the HTTP client.</li>

      <li>Search the directory using the generated filter. If the
      search does not return exactly one entry, deny or decline
      access.</li>

      <li>Fetch the distinguished name of the entry retrieved from
      the search and attempt to bind to the LDAP server using the
      DN and the password passed by the HTTP client. If the bind is
      unsuccessful, deny or decline access.</li>
    </ol>

    <p>The following directives are used during the search/bind
    phase</p>

    <table border="1" cellpadding="0" cellspacing="0" bordercolor="#AAAAAA">
<tr><td><code class="directive"><a href="#authldapurl">AuthLDAPURL</a></code></td><td>Specifies the LDAP server, the
        base DN, the attribute to use in the search, as well as the
        extra search filter to use.</td></tr>
<tr><td><code class="directive"><a href="#authldapbinddn">AuthLDAPBindDN</a></code></td><td>An optional DN to bind with
        during the search phase.</td></tr>
<tr><td><code class="directive"><a href="#authldapbindpassword">AuthLDAPBindPassword</a></code></td><td>An optional password to bind
        with during the search phase.</td></tr>
</table>


<h3><a name="authorphase" id="authorphase">The Authorization Phase</a></h3>

    <p>During the authorization phase, <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code>
    attempts to determine if the user is authorized to access the
    resource.  Many of these checks require
    <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> to do a compare operation on the
    LDAP server. This is why this phase is often referred to as the
    compare phase. <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> accepts the
    following <code class="directive"><a href="../mod/core.html#require">Require</a></code>
    directives to determine if the credentials are acceptable:</p>

    <ul>
      <li>Grant access if there is a <a href="#reqgroup"><code>require ldap-user</code></a> directive, and the
      username in the directive matches the username passed by the
      client.</li>

      <li>Grant access if there is a <a href="#reqdn"><code>require
      ldap-dn</code></a> directive, and the DN in the directive matches
      the DN fetched from the LDAP directory.</li>

      <li>Grant access if there is a <a href="#reqgroup"><code>require ldap-group</code></a> directive, and
      the DN fetched from the LDAP directory (or the username
      passed by the client) occurs in the LDAP group.</li>

      <li>Grant access if there is a <a href="#reqattribute">
      <code>require ldap-attribute</code></a> 
      directive, and the attribute fetched from the LDAP directory
      matches the given value.</li> 

      <li>Grant access if there is a <a href="#reqfilter">
      <code>require ldap-filter</code></a> 
      directive, and the search filter successfully finds a single user
      object that matches the dn of the authenticated user.</li> 

      <li>otherwise, deny or decline access</li>
    </ul>

    <p>Other <code class="directive"><a href="../mod/core.html#require">Require</a></code> values may also be 
    used which may require loading additional authorization modules.</p>

    <ul>
        <li>Grant access if there is a <a href="#requser"><code>require
        valid-user</code></a> directive. (requires 
        <code class="module"><a href="../mod/mod_authz_user.html">mod_authz_user</a></code>)</li>

        <li>Grant access if there is a <a href="#reqgroup"><code>require group</code></a> directive, and
        <code class="module"><a href="../mod/mod_authz_groupfile.html">mod_authz_groupfile</a></code> has been loaded with the 
        <code class="directive"><a href="../mod/mod_authz_groupfile.html#authgroupfile">AuthGroupFile</a></code> 
        directive set.</li>
    
        <li>others...</li>
     </ul>


    <p><code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> uses the following directives during the
    compare phase:</p>