httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bnicho...@apache.org
Subject cvs commit: httpd-2.0/docs/manual/mod mod_ldap.xml mod_auth_ldap.xml
Date Mon, 10 Mar 2003 16:51:21 GMT
bnicholes    2003/03/10 08:51:21

  Modified:    docs/manual/mod Tag: APACHE_2_0_BRANCH mod_ldap.xml
                        mod_auth_ldap.xml
  Log:
  Update the auth_ldap docs to reflect the SSL standardization changes that
  were back ported from the 2.1 tree.
  
  Revision  Changes    Path
  No                   revision
  
  
  No                   revision
  
  
  1.3.2.1   +72 -9     httpd-2.0/docs/manual/mod/mod_ldap.xml
  
  Index: mod_ldap.xml
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/docs/manual/mod/mod_ldap.xml,v
  retrieving revision 1.3
  retrieving revision 1.3.2.1
  diff -u -r1.3 -r1.3.2.1
  --- mod_ldap.xml	16 Nov 2002 20:21:38 -0000	1.3
  +++ mod_ldap.xml	10 Mar 2003 16:51:20 -0000	1.3.2.1
  @@ -22,6 +22,13 @@
       apr-util. This is achieved by adding the <code>--with-ldap</code>
       flag to the <code>./configure</code> script when building
       Apache.</p>
  +
  +    <p>SSL support requires that <module>mod_ldap</module> be linked
  +    with one of the following LDAP SDKs: <a href="http://www.openldap.org/">
  +    OpenLDAP SDK</a> (both 1.x and 2.x), <a href="http://developer.novell.com/ndk/cldap.htm">
  +    Novell LDAP SDK</a> or the <a href="http://www.iplanet.com/downloads/developer/">
  +    iPlanet(Netscape)</a> SDK.</p>
  +
   </summary>
   
   <section id="exampleconfig"><title>Example Configuration</title>
  @@ -156,6 +163,51 @@
       </section>
   </section>
   
  +<section id="usingssltls"><title>Using SSL</title>
  +
  +    <p>The ability to create an SSL connections to an LDAP server 
  +    is defined by the directives <directive module="mod_ldap">
  +    LDAPTrustedCA</directive> and <directive module="mod_ldap">
  +    LDAPTrustedCAType</directive>. These directives specify the certificate
  +    file or database and the certificate type. Whenever the LDAP url
  +    includes <em>ldaps://</em>, <module>mod_ldap</module> will
establish
  +    a secure connection to the LDAP server.</p>
  +
  +    <example>
  +      # Establish an SSL LDAP connection. Requires that <br />
  +      # mod_ldap and mod_auth_ldap be loaded. Change the <br />
  +      # "yourdomain.example.com" to match your domain.<br />
  +      <br />
  +      LDAPTrustedCA /certs/certfile.der<br />
  +      LDAPTrustedCAType DER_FILE<br />
  +      <br />
  +      &lt;Location /ldap-status&gt;<br />
  +      <indent>
  +        SetHandler ldap-status<br />
  +        Order deny,allow<br />
  +        Deny from all<br />
  +        Allow from yourdomain.example.com<br />
  +        AuthLDAPEnabled on<br />
  +        AuthLDAPURL ldaps://127.0.0.1/dc=example,dc=com?uid?one<br />
  +        AuthLDAPAuthoritative on<br />
  +        require valid-user<br />
  +      </indent>
  +      &lt;/Location&gt;
  +    </example>
  +
  +    <p>If <module>mod_ldap</module> is linked against the
  +    Netscape/iPlanet LDAP SDK, it will not talk to any SSL server
  +    unless that server has a certificate signed by a known Certificate
  +    Authority. As part of the configuration
  +    <module>mod_ldap</module> needs to be told where it can find
  +    a database containing the known CAs. This database is in the same
  +    format as Netscape Communicator's <code>cert7.db</code>
  +    database. The easiest way to get this file is to start up a fresh
  +    copy of Netscape, and grab the resulting
  +    <code>$HOME/.netscape/cert7.db</code> file.</p>
  +
  +</section>
  +
   <directivesynopsis>
   <name>LDAPSharedCacheSize</name>
   <description>Size in bytes of the shared-memory cache</description>
  @@ -228,19 +280,30 @@
   </directivesynopsis>
   
   <directivesynopsis>
  -<name>LDAPCertDBPath</name>
  -<description>Directory containing certificates for SSL support</description>
  -<syntax>LDAPCertDBPath <var>directory-path</var></syntax>
  +<name>LDAPTrustedCA</name>
  +<description>Sets the file containing the trusted Certificate Authority certificate
or database</description>
  +<syntax>LDAPTrustedCA <var>directory-path/filename</var></syntax>
   <contextlist><context>server config</context></contextlist>
   
   <usage>
  -    <p>This directive is only valid if Apache has been linked
  -    against the Netscape/iPlanet Directory SDK.</p>
  +    <p>It specifies the directory path and file name of the trusted CA
  +    <module>mod_ldap</module> should use when establishing an SSL
  +    connection to an LDAP server. If using the Netscape/iPlanet Directory
  +    SDK, the file name should be <code>cert7.db</code>.</p>
  +</usage>
  +</directivesynopsis>
   
  -    <p>It specifies in which directory <module>mod_ldap</module>
  -    should look for the certificate authorities database for SSL
  -    support. There should be a file named <code>cert7.db</code> in that
  -    directory.</p>
  +<directivesynopsis>
  +<name>LDAPTrustedCAType</name>
  +<description>Specifies the type of the Certificate Authority file</description>
  +<syntax>LDAPTrustedCAType <var>type</var></syntax>
  +<contextlist><context>server config</context></contextlist>
  +
  +<usage>
  +    <p>The following types are supported:<br />
  +          DER_FILE      - file in binary DER format<br />
  +          BASE64_FILE   - file in Base64 format<br />
  +          CERT7_DB_PATH - Netscape certificate database file ")</p>
   </usage>
   </directivesynopsis>
   
  
  
  
  1.6.2.6   +9 -33     httpd-2.0/docs/manual/mod/mod_auth_ldap.xml
  
  Index: mod_auth_ldap.xml
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/docs/manual/mod/mod_auth_ldap.xml,v
  retrieving revision 1.6.2.5
  retrieving revision 1.6.2.6
  diff -u -r1.6.2.5 -r1.6.2.6
  --- mod_auth_ldap.xml	22 Jan 2003 10:33:53 -0000	1.6.2.5
  +++ mod_auth_ldap.xml	10 Mar 2003 16:51:20 -0000	1.6.2.6
  @@ -17,7 +17,8 @@
       <ul>
         <li>Known to support the <a
         href="http://www.openldap.org/">OpenLDAP SDK</a> (both 1.x
  -      and 2.x), and the <a
  +      and 2.x), <a href="http://developer.novell.com/ndk/cldap.htm">
  +      Novell LDAP SDK</a> and the <a
         href="http://www.iplanet.com/downloads/developer/">iPlanet
         (Netscape)</a> SDK.</li>
   
  @@ -32,7 +33,7 @@
         href="mod_ldap.html">mod_ldap</a>.</li>
   
         <li>Support for LDAP over SSL (requires the Netscape SDK) or
  -      TLS (requires the OpenLDAP 2.x SDK).</li>
  +      TLS (requires the OpenLDAP 2.x SDK or Novell LDAP SDK).</li>
       </ul>
   </summary>
   
  @@ -413,24 +414,16 @@
   
   <section id="usingtls"><title>Using TLS</title>
   
  -    <p>To use TLS, simply set the <directive
  -    module="mod_auth_ldap">AuthLDAPStartTLS</directive> to on.
  -    Nothing else needs to be done (other than ensure that your LDAP
  -    server is configured for TLS).</p>
  +    <p>To use TLS, see the <module>mod_ldap</module> directives <directive
  +    module="mod_ldap">LDAPTrustedCA</directive> and <directive
  +    module="mod_ldap">LDAPTrustedCAType</directive>.</p>
   </section>
   
   <section id="usingssl"><title>Using SSL</title>
   
  -    <p>If <module>mod_auth_ldap</module> is linked against the
  -    Netscape/iPlanet LDAP SDK, it will not talk to any SSL server
  -    unless that server has a certificate signed by a known Certificate
  -    Authority. As part of the configuration
  -    <module>mod_auth_ldap</module> needs to be told where it can find
  -    a database containing the known CAs. This database is in the same
  -    format as Netscape Communicator's <code>cert7.db</code>
  -    database. The easiest way to get this file is to start up a fresh
  -    copy of Netscape, and grab the resulting
  -    <code>$HOME/.netscape/cert7.db</code> file.</p>
  +    <p>To use SSL, see the <module>mod_ldap</module> directives <directive
  +    module="mod_ldap">LDAPTrustedCA</directive> and <directive
  +    module="mod_ldap">LDAPTrustedCAType</directive>.</p>
   
       <p>To specify a secure LDAP server, use <em>ldaps://</em> in the
       <directive module="mod_auth_ldap">AuthLDAPURL</directive>
  @@ -732,23 +725,6 @@
       distinguished name of the authenticated user, rather than just
       the username that was passed by the client. It is turned off by
       default.</p>
  -</usage>
  -</directivesynopsis>
  -
  -<directivesynopsis>
  -<name>AuthLDAPStartTLS</name>
  -<description>Use a secure TLS connection to the LDAP server</description>
  -<syntax>AuthLDAPStartTLS on|off</syntax>
  -<default>AuthLDAPStartTLS off</default>
  -<contextlist><context>directory</context><context>.htaccess</context>
  -</contextlist>
  -<override>AuthConfig</override>
  -
  -<usage>
  -    <p>If this directive is set to <code>on</code>,
  -    <module>mod_auth_ldap</module> will start a secure TLS session
  -    after connecting to the LDAP server. This requires your LDAP
  -    server to support TLS.</p>
   </usage>
   </directivesynopsis>
   
  
  
  

Mime
View raw message