AuthType Basic<br />
AuthName LDAP_Protected_Place<br />
- AuthzLDAPAuthoritative off<br />
require valid-user<br />
</indent>
</Directory><br />
<p>If this directive exists, <module>mod_authnz_ldap</module> grants
access to any user that has successfully authenticated during the
search/bind phase. Requires that <module>mod_authz_user</module> be
- loaded and that the
- <directive module="mod_authnz_ldap">AuthzLDAPAuthoritative</directive>
- directive be set to off.</p>
+ loaded.</p>
</section>
<section id="requser"><title>require ldap-user</title>
that gets created in the web</p>
<example><pre>
AuthLDAPURL "the url"
-AuthzLDAPAuthoritative off
AuthGroupFile <em>mygroupfile</em>
require group <em>mygroupfile</em>
</pre></example>
- <p><directive module="mod_authnz_ldap">AuthzLDAPAuthoritative</directive>
- must be off to allow <module>mod_authnz_ldap</module> to decline group
- authentication so that Apache will fall back to file
- authentication for checking group membership. This allows the
- FrontPage-managed group file to be used.</p>
-
<section id="howitworks"><title>How It Works</title>
<p>FrontPage restricts access to a web by adding the <code>require
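Review bot: The paragraph deleted right after `</pre></example>` was the only text explaining why `require group mygroupfile` is answered from the FrontPage-managed group file when LDAP is the authentication source. With it gone, the example shows `AuthLDAPURL`, `AuthGroupFile` and `require group` together with no statement of which module checks group membership. Suggest replacing the paragraph with one sentence on that instead of dropping it outright.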
</section>
</section>
-<directivesynopsis>
-<name>AuthzLDAPAuthoritative</name>
-<description>Prevent other authentication modules from
-authenticating the user if this one fails</description>
-<syntax>AuthzLDAPAuthoritative on|off</syntax>
-<default>AuthzLDAPAuthoritative on</default>
-<contextlist><context>directory</context><context>.htaccess</context>
-</contextlist>
-<override>AuthConfig</override>
-
-<usage>
- <p>Set to <code>off</code> if this module should let other
- authentication modules attempt to authenticate the user, should
- authentication with this module fail. Control is only passed on
- to lower modules if there is no DN or rule that matches the
- supplied user name (as passed by the client).</p>
-</usage>
-</directivesynopsis>
-
<directivesynopsis>
<name>AuthLDAPBindDN</name>
<description>Optional DN to use in binding to the LDAP server</description>
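Review bot: Removing the whole `AuthzLDAPAuthoritative` synopsis leaves no record of what happens to a configuration that still carries the directive, and the example lines dropped earlier in this patch (`AuthzLDAPAuthoritative off`) show that documented configs did carry it. Suggest a short compatibility note in this file or the upgrade notes stating that the directive is gone, whether a leftover line is now a startup error, and what to use for fall-through instead.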
</usage>
</directivesynopsis>
-<directivesynopsis>
-<name>AuthzDBDAuthoritative</name>
-<description>Sets whether authorization will be passed on to lower level
-modules</description>
-<syntax>AuthzDBDAuthoritative On|Off</syntax>
-<default>AuthzDBDAuthoritative On</default>
-<contextlist><context>directory</context></contextlist>
-
-<usage>
- <p>Setting the <directive>AuthzDBDAuthoritative</directive>
- directive explicitly to <code>Off</code> allows group authorization
- to be handled by another authz module if the userID is not
- in any authorized dbd-group. If there are any groups
- specified, the usual checks will be applied and a failure will
- give an Authentication Required reply.</p>
-
- <p>So if a userID appears in the database of more than one module;
- or if a valid <directive module="core">Require</directive>
- directive applies to more than one module; then the first module
- will verify the credentials; and no access is passed on;
- regardless of the <directive>AuthAuthoritative</directive> setting.</p>
-
- <p>A common use for this is in conjunction with one of the
- auth providers; such or
- <module>mod_authn_file</module>. Whereas this DBD module supplies
- the bulk of the user credential checking; a few (administrator) related
- accesses fall through to a lower level with a well protected
- <code>.htpasswd</code> file.</p>
-
- <p>By default, control is not passed on and an unknown group
- will result in an Authentication Required reply. Not
- setting it thus keeps the system secure and forces an NCSA
- compliant behaviour.</p>
-</usage>
-</directivesynopsis>
-
</modulesynopsis>
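Review bot: The removed usage text for `AuthzDBDAuthoritative` described a concrete deployment, DBD handling the bulk of users with a few administrator accesses falling through to a well protected `.htpasswd` file, and nothing in this hunk says how that setup is expressed once the directive is removed. Add a pointer to the replacement configuration in the module's remaining text so that the administrator path is not silently lost on upgrade.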
</usage>
</directivesynopsis>
-<directivesynopsis>
-<name>AuthzDBMAuthoritative</name>
-<description>Sets whether authorization will be passed on to lower level
-modules</description>
-<syntax>AuthzDBMAuthoritative On|Off</syntax>
-<default>AuthzDBMAuthoritative On</default>
-<contextlist><context>directory</context><context>.htaccess</context>
-</contextlist>
-<override>AuthConfig</override>
-
-<usage>
- <p>Setting the <directive>AuthzDBMAuthoritative</directive>
- directive explicitly to <code>Off</code> allows group authorization
- to be passed on to lower level modules (as defined in the
- <code>modules.c</code> file) if there is no group found
- for the the supplied userID. If there are any groups
- specified, the usual checks will be applied and a failure will
- give an Authentication Required reply.</p>
-
- <p>So if a userID appears in the database of more than one module;
- or if a valid <directive module="core">Require</directive>
- directive applies to more than one module; then the first module
- will verify the credentials; and no access is passed on;
- regardless of the <directive>AuthAuthoritative</directive> setting.</p>
-
- <p>A common use for this is in conjunction with one of the
- auth providers; such as <module>mod_authn_dbm</module> or
- <module>mod_authn_file</module>. Whereas this DBM module supplies
- the bulk of the user credential checking; a few (administrator) related
- accesses fall through to a lower level with a well protected
- <code>.htpasswd</code> file.</p>
-
- <p>By default, control is not passed on and an unknown group
- will result in an Authentication Required reply. Not
- setting it thus keeps the system secure and forces an NCSA
- compliant behaviour.</p>
-
- <note type="warning"><title>Security</title>
- <p>Do consider the implications of allowing a user to
- allow fall-through in his .htaccess file; and verify that this
- is really what you want; Generally it is easier to just secure
- a single <code>.htpasswd</code> file, than it is to secure a
- database which might have more access interfaces.</p>
- </note>
-</usage>
-</directivesynopsis>
-
</modulesynopsis>
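Review bot: The `<note type="warning">` at the end of the removed usage block goes away with the directive, but what it warns about is a user changing fall-through from his own `.htaccess` file, which the `AuthConfig` override made possible, and that concern is about delegation to `.htaccess` more than about this one directive. Check that the documentation for whatever now controls fall-through carries an equivalent warning. The same applies to the identical note removed from the `AuthzGroupFileAuthoritative` synopsis.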
</usage>
</directivesynopsis>
-<directivesynopsis>
-<name>AuthzGroupFileAuthoritative</name>
-<description>Sets whether authorization will be passed on to lower level
-modules</description>
-<syntax>AuthzGroupFileAuthoritative On|Off</syntax>
-<default>AuthzGroupFileAuthoritative On</default>
-<contextlist><context>directory</context><context>.htaccess</context>
-</contextlist>
-<override>AuthConfig</override>
-
-<usage>
- <p>Setting the <directive>AuthzGroupFileAuthoritative</directive>
- directive explicitly to <code>Off</code> allows for
- group authorization to be passed on to lower level modules (as defined
- in the <code>modules.c</code> files) if there is <strong>no
- group</strong> matching the supplied userID.</p>
-
- <p>By default, control is not passed on and an unknown group
- will result in an Authentication Required reply. Not
- setting it thus keeps the system secure and forces an NCSA
- compliant behaviour.</p>
-
- <note type="warning"><title>Security</title>
- <p>Do consider the implications of allowing a user to
- allow fall-through in his <code>.htaccess</code> file; and verify
- that this is really what you want; Generally it is easier to just
- secure a single <code>.htpasswd</code> file, than it is to secure
- a database which might have more access interfaces.</p>
- </note>
-</usage>
-</directivesynopsis>
-
</modulesynopsis>
</section>
</section>
-<directivesynopsis>
-<name>AuthzOwnerAuthoritative</name>
-<description>Sets whether authorization will be passed on to lower level
-modules</description>
-<syntax>AuthzOwnerAuthoritative On|Off</syntax>
-<default>AuthzOwnerAuthoritative On</default>
-<contextlist><context>directory</context><context>.htaccess</context>
-</contextlist>
-<override>AuthConfig</override>
-
-<usage>
- <p>Setting the <directive>AuthzOwnerAuthoritative</directive>
- directive explicitly to <code>Off</code> allows for
- user authorization to be passed on to lower level modules (as defined
- in the <code>modules.c</code> files) if:</p>
-
- <ul>
- <li>in the case of <code>file-owner</code> the file-system owner does not
- match the supplied web-username or could not be determined, or</li>
-
- <li>in the case of <code>file-group</code> the file-system group does not
- contain the supplied web-username or could not be determined.</li>
- </ul>
-
- <p>Note that setting the value to <code>Off</code> also allows the
- combination of <code>file-owner</code> and <code>file-group</code>, so
- access will be allowed if either one or the other (or both) match.</p>
-
- <p>By default, control is not passed on and an authorization failure
- will result in an "Authentication Required" reply. Not
- setting it to <code>Off</code> thus keeps the system secure and forces
- an NCSA compliant behaviour.</p>
-</usage>
-</directivesynopsis>
-
</modulesynopsis>
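Review bot: The removed paragraph starting "Note that setting the value to `Off`" documented behaviour, not just a switch: with `Off`, `file-owner` and `file-group` could be combined so that access is allowed if either one matches. Sites relying on that either-or check need to know the equivalent after this change. Suggest adding a sentence next to the `file-owner` / `file-group` description showing how to express it.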
<seealso><directive module="core">Require</directive></seealso>
<seealso><directive module="core">Satisfy</directive></seealso>
-<directivesynopsis>
-<name>AuthzUserAuthoritative</name>
-<description>Sets whether authorization will be passed on to lower level
-modules</description>
-<syntax>AuthzUserAuthoritative On|Off</syntax>
-<default>AuthzUserAuthoritative On</default>
-<contextlist><context>directory</context><context>.htaccess</context>
-</contextlist>
-<override>AuthConfig</override>
-
-<usage>
- <p>Setting the <directive>AuthzUserAuthoritative</directive>
- directive explicitly to <code>Off</code> allows for
- user authorization to be passed on to lower level modules (as defined
- in the <code>modules.c</code> files) if there is <strong>no
- user</strong> matching the supplied userID.</p>
-
- <p>By default, control is not passed on and an unknown user
- will result in an Authentication Required reply. Not
- setting it to <code>Off</code> thus keeps the system secure and forces
- an NCSA compliant behaviour.</p>
-</usage>
-</directivesynopsis>
-
</modulesynopsis>
Allow from yourdomain.example.com<br />
AuthLDAPEnabled on<br />
AuthLDAPURL ldap://127.0.0.1/dc=example,dc=com?uid?one<br />
- AuthLDAPAuthoritative on<br />
require valid-user<br />
</indent>
</Location>
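Review bot: The line removed in this and the following four examples is spelled `AuthLDAPAuthoritative`, not the `AuthzLDAPAuthoritative` whose synopsis this patch deletes, so these examples were already out of step with the module's directive names. `AuthLDAPEnabled on` on the line above is kept in every one of them and looks like the same older naming. Check it against the current mod_authnz_ldap directive list and, if it is stale, drop it in the same pass so the examples can be copied as they stand.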
Allow from yourdomain.example.com<br />
AuthLDAPEnabled on<br />
AuthLDAPURL ldaps://127.0.0.1/dc=example,dc=com?uid?one<br />
- AuthLDAPAuthoritative on<br />
require valid-user<br />
</indent>
</Location>
AuthLDAPEnabled on<br />
LDAPTrustedMode TLS
AuthLDAPURL ldap://127.0.0.1/dc=example,dc=com?uid?one<br />
- AuthLDAPAuthoritative on<br />
require valid-user<br />
</indent>
</Location>
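Review bot: In this example the context line `LDAPTrustedMode TLS` has no trailing `<br />`, unlike every other line in the block, so it will run into the `AuthLDAPURL` line when rendered. Since the hunk already touches the example, add the `<br />` here.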
AuthLDAPEnabled on<br />
LDAPTrustedClientCert CERT_NICKNAME <nickname> [password]<br />
AuthLDAPURL ldaps://127.0.0.1/dc=example,dc=com?uid?one<br />
- AuthLDAPAuthoritative on<br />
require valid-user<br />
</indent>
</Location>
LDAPTrustedClientCert CERT_BASE64 /certs/cert1.pem<br />
LDAPTrustedClientCert KEY_BASE64 /certs/key1.pem<br />
AuthLDAPURL ldaps://127.0.0.1/dc=example,dc=com?uid?one<br />
- AuthLDAPAuthoritative on<br />
require valid-user<br />
</indent>
</Location>