From: Christophe Jaillet Date: Sat, 26 Mar 2016 23:10:02 +0000 (+0000) Subject: Backport r1736683 + Synch with trunk X-Git-Tag: 2.4.20~25 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3e8db845b745a9ae74372bc938a89c775649a760;p=thirdparty%2Fapache%2Fhttpd.git Backport r1736683 + Synch with trunk git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1736707 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/docs/manual/mod/mod_authnz_ldap.xml b/docs/manual/mod/mod_authnz_ldap.xml index 26c4ef6e203..a17c14b09d6 100644 --- a/docs/manual/mod/mod_authnz_ldap.xml +++ b/docs/manual/mod/mod_authnz_ldap.xml @@ -369,7 +369,9 @@ Require ldap-user "Joe Manager"

If the uid attribute was used instead of the cn attribute in the URL above, the above three lines could be condensed to

-Require ldap-user bjenson fuser jmanager + +Require ldap-user bjenson fuser jmanager +
Require ldap-group @@ -388,7 +390,9 @@ uniqueMember: cn=Fred User, o=Example

The following directive would grant access to both Fred and Barbara:

-Require ldap-group cn=Administrators, o=Example + +Require ldap-group cn=Administrators, o=Example +

Members can also be found within sub-groups of a specified LDAP group if AuthLDAPMaxSubGroupDepth @@ -453,7 +457,9 @@ AuthLDAPMaxSubGroupDepth 1

The following directive would grant access to a specific DN:

-Require ldap-dn cn=Barbara Jenson, o=Example + +Require ldap-dn cn=Barbara Jenson, o=Example +

Behavior of this directive is modified by the AuthLDAPCompareDNOnServer @@ -470,7 +476,9 @@ AuthLDAPMaxSubGroupDepth 1

The following directive would grant access to anyone with the attribute employeeType = active

- Require ldap-attribute employeeType=active + +Require ldap-attribute "employeeType=active" +

Multiple attribute/value pairs can be specified on the same line separated by spaces or they can be specified in multiple @@ -483,7 +491,9 @@ AuthLDAPMaxSubGroupDepth 1

The following directive would grant access to anyone with the city attribute equal to "San Jose" or status equal to "Active"

- Require ldap-attribute city="San Jose" status=active + +Require ldap-attribute city="San Jose" "status=active" +
@@ -497,7 +507,9 @@ AuthLDAPMaxSubGroupDepth 1

The following directive would grant access to anyone having a cell phone and is in the marketing department

- Require ldap-filter &(cell=*)(department=marketing) + +Require ldap-filter "&(cell=*)(department=marketing)" +

The difference between the Require ldap-filter directive and the Require ldap-attribute directive is that ldap-filter @@ -527,7 +539,8 @@ Require valid-user The next example is the same as above; but with the fields that have useful defaults omitted. Also, note the use of a redundant LDAP server. -AuthLDAPURL "ldap://ldap1.example.com ldap2.example.com/ou=People, o=Example" + +AuthLDAPURL "ldap://ldap1.example.com ldap2.example.com/ou=People, o=Example" Require valid-user @@ -805,7 +818,7 @@ authorization AuthLDAPBindAuthoritative Determines if other authentication providers are used when a user can be mapped to a DN but the server cannot successfully bind with the user's credentials. -AuthLDAPBindAuthoritativeoff|on +AuthLDAPBindAuthoritative off|on AuthLDAPBindAuthoritative on directory.htaccess @@ -814,7 +827,7 @@ authorization

By default, subsequent authentication providers are only queried if a user cannot be mapped to a DN, but not if the user can be mapped to a DN and their password cannot be verified with an LDAP bind. - If AuthLDAPBindAuthoritative + If AuthLDAPBindAuthoritative is set to off, other configured authentication modules will have a chance to validate the user if the LDAP bind (with the current user's credentials) fails for any reason.

@@ -831,7 +844,7 @@ authorization AuthLDAPInitialBindAsUser Determines if the server does the initial DN lookup using the basic authentication users' own username, instead of anonymously or with hard-coded credentials for the server -AuthLDAPInitialBindAsUser off|on +AuthLDAPInitialBindAsUser off|on AuthLDAPInitialBindAsUser off directory.htaccess @@ -868,7 +881,7 @@ own username, instead of anonymously or with hard-coded credentials for the serv AuthLDAPInitialBindPattern Specifies the transformation of the basic authentication username to be used when binding to the LDAP server to perform a DN lookup -AuthLDAPInitialBindPatternregex substitution +AuthLDAPInitialBindPattern regex substitution AuthLDAPInitialBindPattern (.*) $1 (remote username used verbatim) directory.htaccess @@ -887,8 +900,12 @@ to perform a DN lookup AuthLDAPBindDN.

- AuthLDAPInitialBindPattern (.+) $1@example.com - AuthLDAPInitialBindPattern (.+) cn=$1,dc=example,dc=com + +AuthLDAPInitialBindPattern (.+) $1@example.com + + +AuthLDAPInitialBindPattern (.+) cn=$1,dc=example,dc=com + Not available with authorization-only This directive can only be used if this module authenticates the user, and @@ -933,7 +950,7 @@ to perform a DN lookup that the bind password is probably sensitive data, and should be properly protected. You should only use the AuthLDAPBindDN and AuthLDAPBindPassword if you + >AuthLDAPBindPassword if you absolutely need them to search the directory.

If the value begins with exec: the resulting command will be @@ -1142,7 +1159,8 @@ query to set the REMOTE_USER environment variable value of the attribute specified. Make sure that this attribute is included in the list of attributes in the AuthLDAPUrl definition, otherwise this directive will have no effect. This directive, if - present, takes precedence over AuthLDAPRemoteUserIsDN. This + present, takes precedence over AuthLDAPRemoteUserIsDN. This directive is useful should you want people to log into a website using an email address, but a backend application expects the username as a userid.

@@ -1215,8 +1233,9 @@ are groups.

An LDAP group object may contain members that are users and members that are groups (called nested or sub groups). The - AuthLDAPSubGroupAttribute directive identifies the - labels of group members and the AuthLDAPGroupAttribute + AuthLDAPSubGroupAttribute directive identifies the + labels of group members and the AuthLDAPGroupAttribute directive identifies the labels of the user members. Multiple attributes can be used by specifying this directive multiple times. If not specified, then mod_authnz_ldap uses the @@ -1238,9 +1257,10 @@ objects that are groups during sub-group processing.

An LDAP group object may contain members that are users and members that are groups (called nested or sub groups). The - AuthLDAPSubGroupAttribute directive identifies the + AuthLDAPSubGroupAttribute + directive identifies the labels of members that may be sub-groups of the current group - (as opposed to user members). The AuthLDAPSubGroupClass + (as opposed to user members). The AuthLDAPSubGroupClass directive specifies the LDAP objectClass values used in verifying that these potential sub-groups are in fact group objects. Verified sub-groups can then be searched for more user or sub-group members. Multiple @@ -1263,7 +1283,9 @@ objects that are groups during sub-group processing. to use. The syntax of the URL is

ldap://host:port/basedn?attribute?scope?filter

If you want to specify more than one LDAP URL that Apache should try in turn, the syntax is:

-AuthLDAPUrl "ldap://ldap1.example.com ldap2.example.com/dc=..." + +AuthLDAPUrl "ldap://ldap1.example.com ldap2.example.com/dc=..." +

Caveat: If you specify multiple servers, you need to enclose the entire URL string in quotes; otherwise you will get an error: "AuthLDAPURL takes one argument, URL to define LDAP connection.." You can of course use search parameters on each of these.

@@ -1336,7 +1358,7 @@ You can of course use search parameters on each of these.

limited to approximately 8000 characters (the definition of MAX_STRING_LEN in the Apache source code). This should be more than sufficient for any application. In 2.4.10 and later, - The word "none" may be used to not use any filter, which may be + the keyword none disables the use of a filter; this is required by some primitive LDAP servers. @@ -1368,7 +1390,7 @@ You can of course use search parameters on each of these.

See above for examples of AuthLDAPURL URLs.

+ module="mod_authnz_ldap">AuthLDAPUrl URLs.