mod_auth_ldap.html.en

apache的软件linux版本

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!--
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
              This file is generated from xml source: DO NOT EDIT
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
      -->
<title>mod_auth_ldap - Apache HTTP Server</title>
<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" />
<link href="../images/favicon.ico" rel="shortcut icon" /></head>
<body>
<div id="page-header">
<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p>
<p class="apache">Apache HTTP Server Version 2.0</p>
<img alt="" src="../images/feather.gif" /></div>
<div class="up"><a href="./"><img title="&lt;-" alt="&lt;-" src="../images/left.gif" /></a></div>
<div id="path">
<a href="http://www.apache.org/">Apache</a> &gt; <a href="http://httpd.apache.org/">HTTP Server</a> &gt; <a href="http://httpd.apache.org/docs/">Documentation</a> &gt; <a href="../">Version 2.0</a> &gt; <a href="./">Modules</a></div>
<div id="page-content">
<div id="preamble"><h1>Apache Module mod_auth_ldap</h1>
<div class="toplang">
<p><span>Available Languages: </span><a href="../en/mod/mod_auth_ldap.html" title="English">&nbsp;en&nbsp;</a></p>
</div>
<table class="module"><tr><th><a href="module-dict.html#Description">Description:</a></th><td>Allows an LDAP directory to be used to store the database
for HTTP Basic authentication.</td></tr>
<tr><th><a href="module-dict.html#Status">Status:</a></th><td>Experimental</td></tr>
<tr><th><a href="module-dict.html#ModuleIdentifier">Module營dentifier:</a></th><td>auth_ldap_module</td></tr>
<tr><th><a href="module-dict.html#SourceFile">Source燜ile:</a></th><td>mod_auth_ldap.c</td></tr>
<tr><th><a href="module-dict.html#Compatibility">Compatibility:</a></th><td>Available in version 2.0.41 and later</td></tr></table>
<h3>Summary</h3>

    <p><code class="module"><a href="../mod/mod_auth_ldap.html">mod_auth_ldap</a></code> supports the following features:</p>

    <ul>
      <li>Known to support the <a href="http://www.openldap.org/">OpenLDAP SDK</a> (both 1.x
      and 2.x), <a href="http://developer.novell.com/ndk/cldap.htm">
      Novell LDAP SDK</a> and the <a href="http://www.iplanet.com/downloads/developer/">iPlanet
      (Netscape)</a> SDK.</li>

      <li>Complex authorization policies can be implemented by
      representing the policy with LDAP filters.</li>

      <li>Support for Microsoft FrontPage allows FrontPage users to
      control access to their webs, while retaining LDAP for user
      authentication.</li>

      <li>Uses extensive caching of LDAP operations via <a href="mod_ldap.html">mod_ldap</a>.</li>

      <li>Support for LDAP over SSL (requires the Netscape SDK) or
      TLS (requires the OpenLDAP 2.x SDK or Novell LDAP SDK).</li>
    </ul>
</div>
<div id="quickview"><h3 class="directives">Directives</h3>
<ul id="toc">
<li><img alt="" src="../images/down.gif" /> <a href="#authldapauthoritative">AuthLDAPAuthoritative</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authldapbinddn">AuthLDAPBindDN</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authldapbindpassword">AuthLDAPBindPassword</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authldapcharsetconfig">AuthLDAPCharsetConfig</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authldapcomparednonserver">AuthLDAPCompareDNOnServer</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authldapdereferencealiases">AuthLDAPDereferenceAliases</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authldapenabled">AuthLDAPEnabled</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authldapfrontpagehack">AuthLDAPFrontPageHack</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authldapgroupattribute">AuthLDAPGroupAttribute</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authldapgroupattributeisdn">AuthLDAPGroupAttributeIsDN</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authldapremoteuserisdn">AuthLDAPRemoteUserIsDN</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authldapurl">AuthLDAPUrl</a></li>
</ul>
<h3>Topics</h3>
<ul id="topics">
<li><img alt="" src="../images/down.gif" /> <a href="#contents">Contents</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#operation">Operation</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#requiredirectives">The Require Directives</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#examples">Examples</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#usingtls">Using TLS</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#usingssl">Using SSL</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#frontpage">Using Microsoft
    FrontPage with mod_auth_ldap</a></li>
</ul><h3>See also</h3>
<ul class="seealso">
<li><code class="module"><a href="../mod/mod_ldap.html">mod_ldap</a></code></li>
</ul></div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="contents" id="contents">Contents</a></h2>

    <ul>
      <li>
        <a href="#operation">Operation</a> 

        <ul>
          <li><a href="#authenphase">The Authentication
          Phase</a></li>

          <li><a href="#authorphase">The Authorization
          Phase</a></li>
        </ul>
      </li>

      <li>
        <a href="#requiredirectives">The Require Directives</a> 

        <ul>
          <li><a href="#reqvaliduser">Require valid-user</a></li>
          <li><a href="#requser">Require user</a></li>
          <li><a href="#reqgroup">Require group</a></li>
          <li><a href="#reqdn">Require dn</a></li>
          <li><a href="#reqattribute">Require ldap-attribute</a></li>
        </ul>
      </li>

      <li><a href="#examples">Examples</a></li>
      <li><a href="#usingtls">Using TLS</a></li>
      <li><a href="#usingssl">Using SSL</a></li>

      <li>
        <a href="#frontpage">Using Microsoft FrontPage with
        <code class="module"><a href="../mod/mod_auth_ldap.html">mod_auth_ldap</a></code></a> 

        <ul>
          <li><a href="#howitworks">How It Works</a></li>
          <li><a href="#fpcaveats">Caveats</a></li>
        </ul>
      </li>
    </ul>
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="operation" id="operation">Operation</a></h2>

    <p>There are two phases in granting access to a user. The first
    phase is authentication, in which <code class="module"><a href="../mod/mod_auth_ldap.html">mod_auth_ldap</a></code>
    verifies that the user's credentials are valid. This also called
    the <em>search/bind</em> phase. The second phase is
    authorization, in which <code class="module"><a href="../mod/mod_auth_ldap.html">mod_auth_ldap</a></code> determines
    if the authenticated user is allowed access to the resource in
    question. This is also known as the <em>compare</em>
    phase.</p>

<h3><a name="authenphase" id="authenphase">The Authentication
    Phase</a></h3>

    <p>During the authentication phase, <code class="module"><a href="../mod/mod_auth_ldap.html">mod_auth_ldap</a></code>
    searches for an entry in the directory that matches the username
    that the HTTP client passes. If a single unique match is found,
    then <code class="module"><a href="../mod/mod_auth_ldap.html">mod_auth_ldap</a></code> attempts to bind to the
    directory server using the DN of the entry plus the password
    provided by the HTTP client. Because it does a search, then a
    bind, it is often referred to as the search/bind phase. Here are
    the steps taken during the search/bind phase.</p>

    <ol>
      <li>Generate a search filter by combining the attribute and
      filter provided in the <code class="directive"><a href="#authldapurl">AuthLDAPURL</a></code> directive with
      the username passed by the HTTP client.</li>

      <li>Search the directory using the generated filter. If the
      search does not return exactly one entry, deny or decline
      access.</li>

      <li>Fetch the distinguished name of the entry retrieved from
      the search and attempt to bind to the LDAP server using the
      DN and the password passed by the HTTP client. If the bind is
      unsuccessful, deny or decline access.</li>
    </ol>

    <p>The following directives are used during the search/bind
    phase</p>

    <table>
      
      <tr>
        <td><code class="directive"><a href="#authldapurl">AuthLDAPURL</a></code></td>

        <td>Specifies the LDAP server, the
        base DN, the attribute to use in the search, as well as the
        extra search filter to use.</td>
      </tr>

      <tr>
        <td><code class="directive"><a href="#authldapbinddn">AuthLDAPBindDN</a></code></td>

        <td>An optional DN to bind with
        during the search phase.</td>
      </tr>

      <tr>
        <td><code class="directive"><a href="#authldapbindpassword">AuthLDAPBindPassword</a></code></td>

        <td>An optional password to bind
        with during the search phase.</td>
      </tr>
    </table>


<h3><a name="authorphase" id="authorphase">The Authorization
    Phase</a></h3>

    <p>During the authorization phase, <code class="module"><a href="../mod/mod_auth_ldap.html">mod_auth_ldap</a></code>
    attempts to determine if the user is authorized to access the
    resource.  Many of these checks require
    <code class="module"><a href="../mod/mod_auth_ldap.html">mod_auth_ldap</a></code> to do a compare operation on the
    LDAP server. This is why this phase is often referred to as the
    compare phase. <code class="module"><a href="../mod/mod_auth_ldap.html">mod_auth_ldap</a></code> accepts the
    following <code class="directive"><a href="../mod/core.html#require">Require</a></code>
    directives to determine if the credentials are acceptable:</p>

    <ul>
      <li>Grant access if there is a <a href="#requser"><code>Require
      valid-user</code></a> directive.</li>

      <li>Grant access if there is a <a href="#reqgroup"><code>Require user</code></a> directive, and the
      username in the directive matches the username passed by the
      client.</li>

      <li>Grant access if there is a <a href="#reqdn"><code>Require
      dn</code></a> directive, and the DN in the directive matches
      the DN fetched from the LDAP directory.</li>

      <li>Grant access if there is a <a href="#reqgroup"><code>Require group</code></a> directive, and
      the DN fetched from the LDAP directory (or the username
      passed by the client) occurs in the LDAP group.</li>