From: Rich Bowen
Date: Thu, 16 Apr 2026 14:50:25 +0000 (+0000)
Subject: Style guide: Fixes authnz_ldap doc markup
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;ds=inline;p=thirdparty%2Fapache%2Fhttpd.git

Style guide: Fixes authnz_ldap doc markup

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1933116 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/docs/manual/mod/mod_authnz_ldap.xml b/docs/manual/mod/mod_authnz_ldap.xml index a25221b564..e74c56ead0 100644 --- a/docs/manual/mod/mod_authnz_ldap.xml +++ b/docs/manual/mod/mod_authnz_ldap.xml @@ -365,8 +365,8 @@ Require ldap-user "Joe Manager"

Because of the way that mod_authnz_ldap handles this - directive, Barbara Jenson could sign on as Barbara - Jenson, Babs Jenson or any other cn that + directive, Barbara Jenson could sign on as Barbara + Jenson, Babs Jenson or any other cn that she has in her LDAP entry. Only the single Require ldap-user line is needed to support all values of the attribute in the user's entry.

@@ -651,13 +651,13 @@ Require valid-user (&(|(qpagePagerID=*)(uid=jmanager))(uid=fuser)) -

The above search will only succeed if fuser has a - pager. When Joe Manager connects as jmanager, the +

The above search will only succeed if fuser has a + pager. When Joe Manager connects as jmanager, the filter looks like

(&(|(qpagePagerID=*)(uid=jmanager))(uid=jmanager)) -

The above search will succeed whether jmanager +

The above search will succeed whether jmanager has a pager or not.

@@ -673,7 +673,7 @@ Require valid-user

An optional second parameter can be added to the AuthLDAPURL to override the default connection type set by LDAPTrustedMode. - This will allow the connection established by an ldap:// Url + This will allow the connection established by an ldap:// Url to be upgraded to a secure connection on the same port.

@@ -684,9 +684,9 @@ Require valid-user module="mod_ldap">LDAPTrustedGlobalCert and LDAPTrustedMode.

-

To specify a secure LDAP server, use ldaps:// in the +

To specify a secure LDAP server, use ldaps:// in the AuthLDAPURL - directive, instead of ldap://.

+ directive, instead of ldap://.

Exposing Login Information @@ -716,12 +716,12 @@ Require valid-user a User Principle Name (UPN) can be added to a user's entry in the directory. This UPN usually takes the form of the user's account name, followed by the domain components of the particular domain, - for example somebody@nz.example.com.

+ for example somebody@nz.example.com.

You may wish to configure the mod_authnz_ldap module to authenticate users present in any of the domains making up the Active Directory forest. In this way both - somebody@nz.example.com and someone@au.example.com + somebody@nz.example.com and someone@au.example.com can be authenticated using the same query at the same time.

To make this practical, Active Directory supports the concept of @@ -733,7 +733,7 @@ Require valid-user

If enabled, the Global Catalog is an independent directory server that runs on port 3268 (3269 for SSL). To search for a user, do a - subtree search for the attribute userPrincipalName, with + subtree search for the attribute userPrincipalName, with an empty search root, like so:

@@ -743,7 +743,7 @@ AuthLDAPURL ldap://10.0.0.1:3268/?userPrincipalName?sub

Users will need to enter their User Principal Name as a login, in - the form somebody@nz.example.com.

+ the form somebody@nz.example.com.

@@ -832,7 +832,7 @@ Require group "mygroupfile" AuthLDAPAuthorizePrefix Specifies the prefix for environment variables set during authorization -AuthLDAPAuthorizePrefix prefix +AuthLDAPAuthorizePrefix prefix AuthLDAPAuthorizePrefix AUTHORIZE_ directory.htaccess @@ -840,7 +840,7 @@ authorization Available in version 2.3.6 and later

This directive allows you to override the prefix used for environment - variables set during LDAP authorization. If AUTHENTICATE_ is + variables set during LDAP authorization. If AUTHENTICATE_ is specified, consumers of these environment variables see the same information whether LDAP has performed authentication, authorization, or both.

@@ -865,7 +865,7 @@ authorization user cannot be mapped to a DN, but not if the user can be mapped to a DN and their password cannot be verified with an LDAP bind. If AuthLDAPBindAuthoritative - is set to off, other configured authentication modules will have + is set to off, other configured authentication modules will have a chance to validate the user if the LDAP bind (with the current user's credentials) fails for any reason.

This allows users present in both LDAP and @@ -918,7 +918,7 @@ own username, instead of anonymously or with hard-coded credentials for the serv AuthLDAPInitialBindPattern Specifies the transformation of the basic authentication username to be used when binding to the LDAP server to perform a DN lookup -AuthLDAPInitialBindPattern regex substitution +AuthLDAPInitialBindPattern regex substitution AuthLDAPInitialBindPattern (.*) $1 (remote username used verbatim) directory.htaccess @@ -926,7 +926,7 @@ to perform a DN lookup Available in version 2.3.6 and later

If AuthLDAPInitialBindAsUser is set to - ON, the basic authentication username will be transformed according to the + ON, the basic authentication username will be transformed according to the regular expression and substitution arguments.

The regular expression argument is compared against the current basic authentication username. @@ -950,7 +950,7 @@ AuthLDAPInitialBindPattern (.+) cn=$1,dc=example,dc=com debugging The substituted DN is recorded in the environment variable - LDAP_BINDASUSER. If the regular expression does not match the input, + LDAP_BINDASUSER. If the regular expression does not match the input, the verbatim username is used. @@ -961,7 +961,7 @@ AuthLDAPInitialBindPattern (.+) cn=$1,dc=example,dc=com AuthLDAPBindDN Optional DN to use in binding to the LDAP server -AuthLDAPBindDN distinguished-name +AuthLDAPBindDN distinguished-name directory.htaccess AuthConfig @@ -976,11 +976,11 @@ AuthLDAPInitialBindPattern (.+) cn=$1,dc=example,dc=com AuthLDAPBindPassword Password used in conjunction with the bind DN -AuthLDAPBindPassword password +AuthLDAPBindPassword password directory.htaccess AuthConfig -exec: was added in 2.4.5. +exec: was added in 2.4.5.

A bind password to use in conjunction with the bind DN. Note @@ -1010,7 +1010,7 @@ AuthLDAPBindPassword "exec:/path/to/otherProgram argument1" AuthLDAPCharsetConfig Language to charset conversion configuration file -AuthLDAPCharsetConfig file-path +AuthLDAPCharsetConfig file-path server config @@ -1049,7 +1049,7 @@ AuthLDAPBindPassword "exec:/path/to/otherProgram argument1" and HTTP basic authentication password of the authenticated user instead of the servers configured credentials.

-

The ldap-attribute, ldap-user, and ldap-group (single-level only) +

The ldap-attribute, ldap-user, and ldap-group (single-level only) authorization checks use comparisons.

This directive only has effect on the comparisons performed during @@ -1109,7 +1109,7 @@ AuthLDAPBindPassword "exec:/path/to/otherProgram argument1" AuthLDAPGroupAttribute LDAP attributes used to identify the user members of groups. -AuthLDAPGroupAttribute attribute +AuthLDAPGroupAttribute attribute AuthLDAPGroupAttribute member uniqueMember directory.htaccess @@ -1244,7 +1244,7 @@ environment variable and HTTP basic authentication password of the authenticated user instead of the servers configured credentials.

-

The ldap-filter and ldap-dn authorization +

The ldap-filter and ldap-dn authorization checks use searches.

This directive only has effect on the comparisons performed during @@ -1265,7 +1265,7 @@ environment variable Specifies the attribute labels, one value per directive line, used to distinguish the members of the current group that are groups. -AuthLDAPSubGroupAttribute attribute +AuthLDAPSubGroupAttribute attribute AuthLDAPSubGroupAttribute member uniqueMember directory.htaccess @@ -1289,7 +1289,7 @@ are groups. AuthLDAPSubGroupClass Specifies which LDAP objectClass values identify directory objects that are groups during sub-group processing. -AuthLDAPSubGroupClass LdapObjectClass +AuthLDAPSubGroupClass LdapObjectClass AuthLDAPSubGroupClass groupOfNames groupOfUniqueNames directory.htaccess @@ -1315,7 +1315,7 @@ objects that are groups during sub-group processing. AuthLDAPURL URL specifying the LDAP search parameters -AuthLDAPURL url [NONE|SSL|TLS|STARTTLS] +AuthLDAPURL url [NONE|SSL|TLS|STARTTLS] directory.htaccess AuthConfig @@ -1328,9 +1328,11 @@ objects that are groups during sub-group processing. AuthLDAPURL "ldap://ldap1.example.com ldap2.example.com/dc=..." -

Caveat: If you specify multiple servers, you need to enclose the entire URL string in quotes; -otherwise you will get an error: "AuthLDAPURL takes one argument, URL to define LDAP connection.." +Caveat +

If you specify multiple servers, you need to enclose the entire URL string in quotes; +otherwise you will get an error: "AuthLDAPURL takes one argument, URL to define LDAP connection.." You can of course use search parameters on each of these.

+
ldap
@@ -1407,7 +1409,7 @@ You can of course use search parameters on each of these.

When doing searches, the attribute, filter and username passed by the HTTP client are combined to create a search filter that looks like - (&(filter)(attribute=username)).

+ (&(filter)(attribute=username)).

For example, consider an URL of ldap://ldap.example.com/o=Example?cn?sub?(posixid=*). When
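Review bot: In the hunk at @@ -673,7 +673,7 @@, the changed line still reads "established by an ldap:// Url", with "Url" in mixed case. Since this is a style-guide pass over that exact line, write "URL" to match the directive name AuthLDAPURL and the description "URL specifying the LDAP search parameters" in the hunk at @@ -1315,7 +1315,7 @@.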
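Review bot: The first context line of the hunk at @@ -716,12 +716,12 @@ spells the term "User Principle Name (UPN)", while the hunk at @@ -743,7 +743,7 @@ has "User Principal Name". The attribute is userPrincipalName, so "Principle" is the typo; it sits in the same paragraph this hunk touches and could be corrected in the same commit.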
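Review bot: The example carried in the header of the hunk at @@ -743,7 +743,7 @@, "AuthLDAPURL ldap://10.0.0.1:3268/?userPrincipalName?sub", points at the Global Catalog over plain ldap://, and the changed line then tells users to log in with their UPN. Unless LDAPTrustedMode or the optional second AuthLDAPURL parameter upgrades the connection, those binds are not protected in transit. The text in the hunk at @@ -733,7 +733,7 @@ already mentions "3269 for SSL", so a follow-up could show the ldaps:// form on port 3269 next to this example. That is outside a markup-only change, but worth tracking.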
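Review bot: The context at the top of the hunk at @@ -1049,7 +1049,7 @@ reads "instead of the servers configured credentials", which is missing the possessive apostrophe ("server's"). The same phrase appears in the context of the hunk at @@ -1244,7 +1244,7 @@. Both paragraphs are touched by this commit, so both can be fixed here.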
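Review bot: In the hunk at @@ -1328,9 +1328,11 @@, the quoted error on the added line ends with two periods: "AuthLDAPURL takes one argument, URL to define LDAP connection..". Check the string against what the module actually emits. If the second period only ends the sentence, move it outside the closing quote so readers searching their logs for the message get an exact match. The hunk also leaves "You can of course use search parameters on each of these." directly after the caveat text. Confirm that sentence is meant to sit inside the new caveat block and not in the surrounding paragraph about multiple servers.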