</highlight>
<p>Because of the way that <module>mod_authnz_ldap</module> handles this
- directive, Barbara Jenson could sign on as <em>Barbara
- Jenson</em>, <em>Babs Jenson</em> or any other <code>cn</code> that
+ directive, Barbara Jenson could sign on as <code>Barbara
+ Jenson</code>, <code>Babs Jenson</code> or any other <code>cn</code> that
she has in her LDAP entry. Only the single <code>Require
ldap-user</code> line is needed to support all values of the attribute
in the user's entry.</p>
<example>(&(|(qpagePagerID=*)(uid=jmanager))(uid=fuser))</example>
- <p>The above search will only succeed if <em>fuser</em> has a
- pager. When Joe Manager connects as <em>jmanager</em>, the
+ <p>The above search will only succeed if <code>fuser</code> has a
+ pager. When Joe Manager connects as <code>jmanager</code>, the
filter looks like</p>
<example>(&(|(qpagePagerID=*)(uid=jmanager))(uid=jmanager))</example>
- <p>The above search will succeed whether <em>jmanager</em>
+ <p>The above search will succeed whether <code>jmanager</code>
has a pager or not.</p>
</li>
</ul>
<p>An optional second parameter can be added to the
<directive module="mod_authnz_ldap">AuthLDAPURL</directive> to override
the default connection type set by <directive module="mod_ldap">LDAPTrustedMode</directive>.
- This will allow the connection established by an <em>ldap://</em> Url
+ This will allow the connection established by an <code>ldap://</code> Url
to be upgraded to a secure connection on the same port.</p>
</section>
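Review bot: The added line `<code>ldap://</code> Url` keeps the mixed-case "Url"; since the line is being rewritten anyway, change it to "URL" to match the directive description ("URL specifying the LDAP search parameters"). The sentence also does not say which value of the optional second parameter performs the upgrade. The syntax line elsewhere in this patch lists `[NONE|SSL|TLS|STARTTLS]`, so consider naming the relevant value here so readers do not have to guess which one secures an `ldap://` connection.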
module="mod_ldap">LDAPTrustedGlobalCert</directive> and <directive
module="mod_ldap">LDAPTrustedMode</directive>.</p>
- <p>To specify a secure LDAP server, use <em>ldaps://</em> in the
+ <p>To specify a secure LDAP server, use <code>ldaps://</code> in the
<directive module="mod_authnz_ldap">AuthLDAPURL</directive>
- directive, instead of <em>ldap://</em>.</p>
+ directive, instead of <code>ldap://</code>.</p>
</section>
<section id="exposed"><title>Exposing Login Information</title>
a User Principle Name (UPN) can be added to a user's entry in the
directory. This UPN usually takes the form of the user's account
name, followed by the domain components of the particular domain,
- for example <em>somebody@nz.example.com</em>.</p>
+ for example <code>somebody@nz.example.com</code>.</p>
<p>You may wish to configure the <module>mod_authnz_ldap</module>
module to authenticate users present in any of the domains making up
the Active Directory forest. In this way both
- <em>somebody@nz.example.com</em> and <em>someone@au.example.com</em>
+ <code>somebody@nz.example.com</code> and <code>someone@au.example.com</code>
can be authenticated using the same query at the same time.</p>
<p>To make this practical, Active Directory supports the concept of
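Review bot: The context line at the top of this hunk still reads "User Principle Name (UPN)", while the later hunk in the same section uses "User Principal Name". Since this paragraph is already being edited for the `<code>somebody@nz.example.com</code>` markup, correct the spelling to "Principal" in the same pass so the section uses the term consistently.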
<p>If enabled, the Global Catalog is an independent directory server
that runs on port 3268 (3269 for SSL). To search for a user, do a
- subtree search for the attribute <em>userPrincipalName</em>, with
+ subtree search for the attribute <code>userPrincipalName</code>, with
an empty search root, like so:</p>
<highlight language="config">
</highlight>
<p>Users will need to enter their User Principal Name as a login, in
- the form <em>somebody@nz.example.com</em>.</p>
+ the form <code>somebody@nz.example.com</code>.</p>
</section>
<name>AuthLDAPAuthorizePrefix</name>
<description>Specifies the prefix for environment variables set during
authorization</description>
-<syntax>AuthLDAPAuthorizePrefix <em>prefix</em></syntax>
+<syntax>AuthLDAPAuthorizePrefix <var>prefix</var></syntax>
<default>AuthLDAPAuthorizePrefix AUTHORIZE_</default>
<contextlist><context>directory</context><context>.htaccess</context>
</contextlist>
<compatibility>Available in version 2.3.6 and later</compatibility>
<usage>
<p>This directive allows you to override the prefix used for environment
- variables set during LDAP authorization. If <em>AUTHENTICATE_</em> is
+ variables set during LDAP authorization. If <code>AUTHENTICATE_</code> is
specified, consumers of these environment variables see the same information
whether LDAP has performed authentication, authorization, or both.</p>
user cannot be mapped to a DN, but not if the user can be mapped to a DN and their
password cannot be verified with an LDAP bind.
If <directive>AuthLDAPBindAuthoritative</directive>
- is set to <em>off</em>, other configured authentication modules will have
+ is set to <code>off</code>, other configured authentication modules will have
a chance to validate the user if the LDAP bind (with the current user's credentials)
fails for any reason.</p>
<p> This allows users present in both LDAP and
<name>AuthLDAPInitialBindPattern</name>
<description>Specifies the transformation of the basic authentication username to be used when binding to the LDAP server
to perform a DN lookup</description>
-<syntax>AuthLDAPInitialBindPattern <em><var>regex</var> <var>substitution</var></em></syntax>
+<syntax>AuthLDAPInitialBindPattern <var>regex</var> <var>substitution</var></syntax>
<default>AuthLDAPInitialBindPattern (.*) $1 (remote username used verbatim)</default>
<contextlist><context>directory</context><context>.htaccess</context>
</contextlist>
<compatibility>Available in version 2.3.6 and later</compatibility>
<usage>
<p>If <directive module="mod_authnz_ldap">AuthLDAPInitialBindAsUser</directive> is set to
- <em>ON</em>, the basic authentication username will be transformed according to the
+ <code>ON</code>, the basic authentication username will be transformed according to the
regular expression and substitution arguments.</p>
<p> The regular expression argument is compared against the current basic authentication username.
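Review bot: The value in `<code>ON</code>` is now marked up as a literal but is upper case, while the AuthLDAPBindAuthoritative hunk in this same patch uses `<code>off</code>` in lower case. Once both are in `<code>`, readers will take them as the exact text to type, so choose one casing for on/off values and apply it in both places.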
</note>
<note><title>debugging</title>
The substituted DN is recorded in the environment variable
- <em>LDAP_BINDASUSER</em>. If the regular expression does not match the input,
+ <code>LDAP_BINDASUSER</code>. If the regular expression does not match the input,
the verbatim username is used.
</note>
</usage>
<directivesynopsis>
<name>AuthLDAPBindDN</name>
<description>Optional DN to use in binding to the LDAP server</description>
-<syntax>AuthLDAPBindDN <em>distinguished-name</em></syntax>
+<syntax>AuthLDAPBindDN <var>distinguished-name</var></syntax>
<contextlist><context>directory</context><context>.htaccess</context>
</contextlist>
<override>AuthConfig</override>
<directivesynopsis>
<name>AuthLDAPBindPassword</name>
<description>Password used in conjunction with the bind DN</description>
-<syntax>AuthLDAPBindPassword <em>password</em></syntax>
+<syntax>AuthLDAPBindPassword <var>password</var></syntax>
<contextlist><context>directory</context><context>.htaccess</context>
</contextlist>
<override>AuthConfig</override>
-<compatibility><em>exec:</em> was added in 2.4.5.</compatibility>
+<compatibility><code>exec:</code> was added in 2.4.5.</compatibility>
<usage>
<p>A bind password to use in conjunction with the bind DN. Note
<directivesynopsis>
<name>AuthLDAPCharsetConfig</name>
<description>Language to charset conversion configuration file</description>
-<syntax>AuthLDAPCharsetConfig <em>file-path</em></syntax>
+<syntax>AuthLDAPCharsetConfig <var>file-path</var></syntax>
<contextlist><context>server config</context>
</contextlist>
and HTTP basic authentication password of the authenticated user instead of
the servers configured credentials.</p>
- <p> The <em>ldap-attribute</em>, <em>ldap-user</em>, and <em>ldap-group</em> (single-level only)
+ <p> The <code>ldap-attribute</code>, <code>ldap-user</code>, and <code>ldap-group</code> (single-level only)
authorization checks use comparisons.</p>
<p>This directive only has effect on the comparisons performed during
<name>AuthLDAPGroupAttribute</name>
<description>LDAP attributes used to identify the user members of
groups.</description>
-<syntax>AuthLDAPGroupAttribute <em>attribute</em></syntax>
+<syntax>AuthLDAPGroupAttribute <var>attribute</var></syntax>
<default>AuthLDAPGroupAttribute member uniqueMember</default>
<contextlist><context>directory</context><context>.htaccess</context>
</contextlist>
and HTTP basic authentication password of the authenticated user instead of
the servers configured credentials.</p>
- <p> The <em>ldap-filter</em> and <em>ldap-dn</em> authorization
+ <p> The <code>ldap-filter</code> and <code>ldap-dn</code> authorization
checks use searches.</p>
<p>This directive only has effect on the comparisons performed during
<description>Specifies the attribute labels, one value per
directive line, used to distinguish the members of the current group that
are groups.</description>
-<syntax>AuthLDAPSubGroupAttribute <em>attribute</em></syntax>
+<syntax>AuthLDAPSubGroupAttribute <var>attribute</var></syntax>
<default>AuthLDAPSubGroupAttribute member uniqueMember</default>
<contextlist><context>directory</context><context>.htaccess</context>
</contextlist>
<name>AuthLDAPSubGroupClass</name>
<description>Specifies which LDAP objectClass values identify directory
objects that are groups during sub-group processing.</description>
-<syntax>AuthLDAPSubGroupClass <em>LdapObjectClass</em></syntax>
+<syntax>AuthLDAPSubGroupClass <var>LdapObjectClass</var></syntax>
<default>AuthLDAPSubGroupClass groupOfNames groupOfUniqueNames</default>
<contextlist><context>directory</context><context>.htaccess</context>
</contextlist>
<directivesynopsis>
<name>AuthLDAPURL</name>
<description>URL specifying the LDAP search parameters</description>
-<syntax>AuthLDAPURL <em>url</em> [NONE|SSL|TLS|STARTTLS]</syntax>
+<syntax>AuthLDAPURL <var>url</var> [NONE|SSL|TLS|STARTTLS]</syntax>
<contextlist><context>directory</context><context>.htaccess</context>
</contextlist>
<override>AuthConfig</override>
<highlight language="config">
AuthLDAPURL "ldap://ldap1.example.com ldap2.example.com/dc=..."
</highlight>
-<p><em><strong>Caveat: </strong>If you specify multiple servers, you need to enclose the entire URL string in quotes;
-otherwise you will get an error: "AuthLDAPURL takes one argument, URL to define LDAP connection.." </em>
+<note type="warning"><title>Caveat</title>
+<p>If you specify multiple servers, you need to enclose the entire URL string in quotes;
+otherwise you will get an error: "AuthLDAPURL takes one argument, URL to define LDAP connection.."
You can of course use search parameters on each of these.</p>
+</note>
<dl>
<dt>ldap</dt>
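Review bot: The new `<note type="warning">` now encloses the unchanged line "You can of course use search parameters on each of these.", because the `</p>` on that context line is followed by the added `</note>`. In the old markup that sentence sat after the closing `</em>`, so it was not part of the caveat. Close the note after the quoted error message (`...URL to define LDAP connection.."</p>` then `</note>`) and start a fresh `<p>` for the search-parameters sentence. In keeping with the rest of this patch, the quoted error string could also be wrapped in `<code>`.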
<p>When doing searches, the attribute, filter and username passed
by the HTTP client are combined to create a search filter that
looks like
- <code>(&(<em>filter</em>)(<em>attribute</em>=<em>username</em>))</code>.</p>
+ <code>(&(<var>filter</var>)(<var>attribute</var>=<var>username</var>))</code>.</p>
<p>For example, consider an URL of
<code>ldap://ldap.example.com/o=Example?cn?sub?(posixid=*)</code>. When