Mailing-List: contact cvs-help@httpd.apache.org; run by ezmlm
Reply-To: dev@httpd.apache.org
List-Id: mailing list cvs@httpd.apache.org
Subject: svn commit: r569402 - in /httpd/httpd/trunk/docs/manual/mod: mod_authnz_ldap.html.en mod_authnz_ldap.xml
Date: Fri, 24 Aug 2007 14:45:33 -0000
To: cvs@httpd.apache.org
From: noodl@apache.org X-Mailer: svnmailer-1.0.8 Message-Id: <20070824144535.0E5F71A9832@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: noodl Date: Fri Aug 24 07:45:31 2007 New Revision: 569402 URL: http://svn.apache.org/viewvc?rev=569402&view=rev Log: s/require/Require/g Modified: httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.html.en httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml Modified: httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.html.en URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.html.en?rev=569402&r1=569401&r2=569402&view=diff ============================================================================== --- httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.html.en (original) +++ httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.html.en Fri Aug 24 07:45:31 2007 @@ -73,7 +73,7 @@
  • Contents
  • Operation
  • -
  • The require Directives
  • +
  • The Require Directives
  • Examples
  • Using TLS
  • Using SSL
  • @@ -105,15 +105,15 @@
  • - The require Directives + The Require Directives
  • @@ -221,25 +221,25 @@ directives to determine if the credentials are acceptable:

      -
    • Grant access if there is a require ldap-user directive, and the +
    • Grant access if there is a Require ldap-user directive, and the username in the directive matches the username passed by the client.
    • -
    • Grant access if there is a require +
    • Grant access if there is a Require ldap-dn directive, and the DN in the directive matches the DN fetched from the LDAP directory.
    • -
    • Grant access if there is a require ldap-group directive, and +
    • Grant access if there is a Require ldap-group directive, and the DN fetched from the LDAP directory (or the username passed by the client) occurs in the LDAP group.
    • Grant access if there is a - require ldap-attribute + Require ldap-attribute directive, and the attribute fetched from the LDAP directory matches the given value.
    • Grant access if there is a - require ldap-filter + Require ldap-filter directive, and the search filter successfully finds a single user object that matches the dn of the authenticated user.
    • @@ -256,11 +256,11 @@ Require value.

        -
      • Grant access if there is a require +
      • Grant access if there is a Require valid-user directive. (requires mod_authz_user)
      • -
      • Grant access if there is a require group directive, and +
      • Grant access if there is a Require group directive, and mod_authz_groupfile has been loaded with the AuthGroupFile directive set.
      • @@ -278,7 +278,7 @@ AuthLDAPURL The attribute specified in the - URL is used in compare operations for the require + URL is used in compare operations for the Require ldap-user operation. @@ -286,14 +286,14 @@ AuthLDAPCompareDNOnServer Determines the behavior of the - require ldap-dn directive. + Require ldap-dn directive. AuthLDAPGroupAttribute Determines the attribute to - use for comparisons in the require ldap-group + use for comparisons in the Require ldap-group directive. @@ -302,13 +302,13 @@ Specifies whether to use the user DN or the username when doing comparisons for the - require ldap-group directive. + Require ldap-group directive.
        top
        -

        The require Directives

        +

        The Require Directives

        Apache's Require directives are used during the authorization phase to ensure that @@ -318,7 +318,7 @@ ldap-filter. Other authorization types may also be used but may require that additional authorization modules be loaded.

        -

        require valid-user

        +

        Require valid-user

        If this directive exists, mod_authnz_ldap grants access to any user that has successfully authenticated during the @@ -326,42 +326,42 @@ loaded.

        -

        require ldap-user

        +

        Require ldap-user

        -

        The require ldap-user directive specifies what +

        The Require ldap-user directive specifies what usernames can access the resource. Once mod_authnz_ldap has retrieved a unique DN from the directory, it does an LDAP compare operation using the username - specified in the require ldap-user to see if that username + specified in the Require ldap-user to see if that username is part of the just-fetched LDAP entry. Multiple users can be granted access by putting multiple usernames on the line, separated with spaces. If a username has a space in it, then it must be surrounded with double quotes. Multiple users can also be - granted access by using multiple require ldap-user + granted access by using multiple Require ldap-user directives, with one user per line. For example, with a AuthLDAPURL of ldap://ldap/o=Airius?cn (i.e., cn is - used for searches), the following require directives could be used + used for searches), the following Require directives could be used to restrict access:

        -require ldap-user "Barbara Jenson"
        -require ldap-user "Fred User"
        -require ldap-user "Joe Manager"
        +Require ldap-user "Barbara Jenson"
        +Require ldap-user "Fred User"
        +Require ldap-user "Joe Manager"

        Because of the way that mod_authnz_ldap handles this directive, Barbara Jenson could sign on as Barbara Jenson, Babs Jenson or any other cn that - she has in her LDAP entry. Only the single require + she has in her LDAP entry. Only the single Require ldap-user line is needed to support all values of the attribute in the user's entry.

        If the uid attribute was used instead of the cn attribute in the URL above, the above three lines could be condensed to

        -

        require ldap-user bjenson fuser jmanager

        +

        Require ldap-user bjenson fuser jmanager

        -

        require ldap-group

        +

        Require ldap-group

        This directive specifies an LDAP group whose members are allowed access. It takes the distinguished name of the LDAP @@ -377,34 +377,34 @@

        The following directive would grant access to both Fred and Barbara:

        -

        require ldap-group cn=Administrators, o=Airius

        +

        Require ldap-group cn=Administrators, o=Airius

        Behavior of this directive is modified by the AuthLDAPGroupAttribute and AuthLDAPGroupAttributeIsDN directives.

        -

        require ldap-dn

        +

        Require ldap-dn

        -

        The require ldap-dn directive allows the administrator +

        The Require ldap-dn directive allows the administrator to grant access based on distinguished names. It specifies a DN that must match for access to be granted. If the distinguished name that was retrieved from the directory server matches the - distinguished name in the require ldap-dn, then + distinguished name in the Require ldap-dn, then authorization is granted. Note: do not surround the distinguished name with quotes.

        The following directive would grant access to a specific DN:

        -

        require ldap-dn cn=Barbara Jenson, o=Airius

        +

        Require ldap-dn cn=Barbara Jenson, o=Airius

        Behavior of this directive is modified by the AuthLDAPCompareDNOnServer directive.

        -

        require ldap-attribute

        +

        Require ldap-attribute

        -

        The require ldap-attribute directive allows the +

        The Require ldap-attribute directive allows the administrator to grant access based on attributes of the authenticated user in the LDAP directory. If the attribute in the directory matches the value given in the configuration, access is granted.

        @@ -412,11 +412,11 @@

        The following directive would grant access to anyone with the attribute employeeType = active

        -

        require ldap-attribute employeeType=active

        +

        Require ldap-attribute employeeType=active

        Multiple attribute/value pairs can be specified on the same line separated by spaces or they can be specified in multiple - require ldap-attribute directives. The effect of listing + Require ldap-attribute directives. The effect of listing multiple attribute/values pairs is an OR operation. Access will be granted if any of the listed attribute values match the value of the corresponding attribute in the user object. If the value of the @@ -425,13 +425,13 @@

        The following directive would grant access to anyone with the city attribute equal to "San Jose" or status equal to "Active"

        -

        require ldap-attribute city="San Jose" status=active

        +

        Require ldap-attribute city="San Jose" status=active

        -

        require ldap-filter

        +

        Require ldap-filter

        -

        The require ldap-filter directive allows the +

        The Require ldap-filter directive allows the administrator to grant access based on a complex LDAP search filter. If the dn returned by the filter search matches the authenticated user dn, access is granted.

        @@ -439,10 +439,10 @@

        The following directive would grant access to anyone having a cell phone and is in the marketing department

        -

        require ldap-filter &(cell=*)(department=marketing)

        +

        Require ldap-filter &(cell=*)(department=marketing)

        -

        The difference between the require ldap-filter directive and the - require ldap-attribute directive is that ldap-filter +

        The difference between the Require ldap-filter directive and the + Require ldap-attribute directive is that ldap-filter performs a search operation on the LDAP directory using the specified search filter rather than a simple attribute comparison. If a simple attribute comparison is all that is required, the comparison operation performed by @@ -461,7 +461,7 @@ using their UID for searches.

        AuthLDAPURL ldap://ldap1.airius.com:389/ou=People, o=Airius?uid?sub?(objectClass=*)
        -require valid-user +Require valid-user

        @@ -470,7 +470,7 @@ that have useful defaults omitted. Also, note the use of a redundant LDAP server.

        AuthLDAPURL ldap://ldap1.airius.com ldap2.airius.com/ou=People, o=Airius
        -require valid-user +Require valid-user

        @@ -485,7 +485,7 @@ directory, such as uid.

        AuthLDAPURL ldap://ldap.airius.com/ou=People, o=Airius?cn
        -require valid-user +Require valid-user

        @@ -494,7 +494,7 @@ users must authenticate using their UID.

        AuthLDAPURL ldap://ldap.airius.com/o=Airius?uid
        -require ldap-group cn=Administrators, o=Airius +Require ldap-group cn=Administrators, o=Airius

        @@ -506,7 +506,7 @@ alphanumeric pagers:

        AuthLDAPURL ldap://ldap.airius.com/o=Airius?uid??(qpagePagerID=*)
        -require valid-user +Require valid-user

        @@ -522,7 +522,7 @@ resource:

        AuthLDAPURL ldap://ldap.airius.com/o=Airius?uid??(|(qpagePagerID=*)(uid=jmanager))
        -require valid-user +Require valid-user

        This last may look confusing at first, so it helps to @@ -622,14 +622,14 @@

         AuthLDAPURL            "the url"
         AuthGroupFile mygroupfile
        -require group mygroupfile
        +Require group mygroupfile
         

        How It Works

        -

        FrontPage restricts access to a web by adding the require +

        FrontPage restricts access to a web by adding the Require valid-user directive to the .htaccess - files. The require valid-user directive will succeed for + files. The Require valid-user directive will succeed for any user who is valid as far as LDAP is concerned. This means that anybody who has an entry in the LDAP directory is considered a valid user, whereas FrontPage @@ -752,7 +752,7 @@

        When set, mod_authnz_ldap will use the LDAP server to compare the DNs. This is the only foolproof way to compare DNs. mod_authnz_ldap will search the - directory for the DN specified with the require dn directive, then, + directory for the DN specified with the Require dn directive, then, retrieve the DN and compare it with the DN retrieved from the user entry. If this directive is not set, mod_authnz_ldap simply does a string comparison. It Modified: httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml?rev=569402&r1=569401&r2=569402&view=diff ============================================================================== --- httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml (original) +++ httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml Fri Aug 24 07:45:31 2007 @@ -81,15 +81,15 @@

      • - The require Directives + The Require Directives
      • @@ -200,26 +200,26 @@
        • Grant access if there is a require ldap-user directive, and the + href="#reqgroup">Require ldap-user directive, and the username in the directive matches the username passed by the client.
        • -
        • Grant access if there is a require +
        • Grant access if there is a Require ldap-dn directive, and the DN in the directive matches the DN fetched from the LDAP directory.
        • Grant access if there is a require ldap-group directive, and + href="#reqgroup">Require ldap-group directive, and the DN fetched from the LDAP directory (or the username passed by the client) occurs in the LDAP group.
        • Grant access if there is a - require ldap-attribute + Require ldap-attribute directive, and the attribute fetched from the LDAP directory matches the given value.
        • Grant access if there is a - require ldap-filter + Require ldap-filter directive, and the search filter successfully finds a single user object that matches the dn of the authenticated user.
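Review bot: in the @@ -200 hunk of mod_authnz_ldap.xml the rewritten `Require ldap-user` list item carries `href="#reqgroup"`, the same anchor the `Require ldap-group` item and, in the next hunk, the `Require group` item use, while the `Require ldap-dn` item correctly points at its own `#reqdn`. Since this line is being rewritten anyway, point the ldap-user item at the anchor of the "Require ldap-user" section so the first link in the list does not land the reader on the group section.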
        • @@ -236,12 +236,12 @@ Require value.

            -
          • Grant access if there is a require +
          • Grant access if there is a Require valid-user directive. (requires mod_authz_user)
          • Grant access if there is a require group directive, and + href="#reqgroup">Require group directive, and mod_authz_groupfile has been loaded with the AuthGroupFile directive set.
          • @@ -259,7 +259,7 @@ AuthLDAPURL The attribute specified in the - URL is used in compare operations for the require + URL is used in compare operations for the Require ldap-user operation. @@ -268,7 +268,7 @@ module="mod_authnz_ldap">AuthLDAPCompareDNOnServer Determines the behavior of the - require ldap-dn directive. + Require ldap-dn directive. @@ -276,7 +276,7 @@ module="mod_authnz_ldap">AuthLDAPGroupAttribute Determines the attribute to - use for comparisons in the require ldap-group + use for comparisons in the Require ldap-group directive. @@ -286,13 +286,13 @@ Specifies whether to use the user DN or the username when doing comparisons for the - require ldap-group directive. + Require ldap-group directive. -
            The require Directives +
            The Require Directives

            Apache's Require directives are used during the authorization phase to ensure that @@ -302,7 +302,7 @@ ldap-filter. Other authorization types may also be used but may require that additional authorization modules be loaded.

            -
            require valid-user +
            Require valid-user

            If this directive exists, mod_authnz_ldap grants access to any user that has successfully authenticated during the @@ -310,43 +310,43 @@ loaded.

            -
            require ldap-user +
            Require ldap-user -

            The require ldap-user directive specifies what +

            The Require ldap-user directive specifies what usernames can access the resource. Once mod_authnz_ldap has retrieved a unique DN from the directory, it does an LDAP compare operation using the username - specified in the require ldap-user to see if that username + specified in the Require ldap-user to see if that username is part of the just-fetched LDAP entry. Multiple users can be granted access by putting multiple usernames on the line, separated with spaces. If a username has a space in it, then it must be surrounded with double quotes. Multiple users can also be - granted access by using multiple require ldap-user + granted access by using multiple Require ldap-user directives, with one user per line. For example, with a AuthLDAPURL of ldap://ldap/o=Airius?cn (i.e., cn is - used for searches), the following require directives could be used + used for searches), the following Require directives could be used to restrict access:

            -require ldap-user "Barbara Jenson"
            -require ldap-user "Fred User"
            -require ldap-user "Joe Manager"
            +Require ldap-user "Barbara Jenson"
            +Require ldap-user "Fred User"
            +Require ldap-user "Joe Manager"

            Because of the way that mod_authnz_ldap handles this directive, Barbara Jenson could sign on as Barbara Jenson, Babs Jenson or any other cn that - she has in her LDAP entry. Only the single require + she has in her LDAP entry. Only the single Require ldap-user line is needed to support all values of the attribute in the user's entry.

            If the uid attribute was used instead of the cn attribute in the URL above, the above three lines could be condensed to

            -require ldap-user bjenson fuser jmanager +Require ldap-user bjenson fuser jmanager
            -
            require ldap-group +
            Require ldap-group

            This directive specifies an LDAP group whose members are allowed access. It takes the distinguished name of the LDAP @@ -362,7 +362,7 @@

            The following directive would grant access to both Fred and Barbara:

            -require ldap-group cn=Administrators, o=Airius +Require ldap-group cn=Administrators, o=Airius

            Behavior of this directive is modified by the AuthLDAPGroupAttribute and @@ -371,28 +371,28 @@ directives.

            -
            require ldap-dn +
            Require ldap-dn -

            The require ldap-dn directive allows the administrator +

            The Require ldap-dn directive allows the administrator to grant access based on distinguished names. It specifies a DN that must match for access to be granted. If the distinguished name that was retrieved from the directory server matches the - distinguished name in the require ldap-dn, then + distinguished name in the Require ldap-dn, then authorization is granted. Note: do not surround the distinguished name with quotes.

            The following directive would grant access to a specific DN:

            -require ldap-dn cn=Barbara Jenson, o=Airius +Require ldap-dn cn=Barbara Jenson, o=Airius

            Behavior of this directive is modified by the AuthLDAPCompareDNOnServer directive.

            -
            require ldap-attribute +
            Require ldap-attribute -

            The require ldap-attribute directive allows the +

            The Require ldap-attribute directive allows the administrator to grant access based on attributes of the authenticated user in the LDAP directory. If the attribute in the directory matches the value given in the configuration, access is granted.

            @@ -400,11 +400,11 @@

            The following directive would grant access to anyone with the attribute employeeType = active

            - require ldap-attribute employeeType=active + Require ldap-attribute employeeType=active

            Multiple attribute/value pairs can be specified on the same line separated by spaces or they can be specified in multiple - require ldap-attribute directives. The effect of listing + Require ldap-attribute directives. The effect of listing multiple attribute/values pairs is an OR operation. Access will be granted if any of the listed attribute values match the value of the corresponding attribute in the user object. If the value of the @@ -413,13 +413,13 @@

            The following directive would grant access to anyone with the city attribute equal to "San Jose" or status equal to "Active"

            - require ldap-attribute city="San Jose" status=active + Require ldap-attribute city="San Jose" status=active
            -
            require ldap-filter +
            Require ldap-filter -

            The require ldap-filter directive allows the +

            The Require ldap-filter directive allows the administrator to grant access based on a complex LDAP search filter. If the dn returned by the filter search matches the authenticated user dn, access is granted.

            @@ -427,10 +427,10 @@

            The following directive would grant access to anyone having a cell phone and is in the marketing department

            - require ldap-filter &(cell=*)(department=marketing) + Require ldap-filter &(cell=*)(department=marketing) -

            The difference between the require ldap-filter directive and the - require ldap-attribute directive is that ldap-filter +

            The difference between the Require ldap-filter directive and the + Require ldap-attribute directive is that ldap-filter performs a search operation on the LDAP directory using the specified search filter rather than a simple attribute comparison. If a simple attribute comparison is all that is required, the comparison operation performed by @@ -449,7 +449,7 @@ using their UID for searches. AuthLDAPURL ldap://ldap1.airius.com:389/ou=People, o=Airius?uid?sub?(objectClass=*)
            -require valid-user +Require valid-user
            @@ -458,7 +458,7 @@ that have useful defaults omitted. Also, note the use of a redundant LDAP server. AuthLDAPURL ldap://ldap1.airius.com ldap2.airius.com/ou=People, o=Airius
            -require valid-user +Require valid-user
            @@ -473,7 +473,7 @@ directory, such as uid. AuthLDAPURL ldap://ldap.airius.com/ou=People, o=Airius?cn
            -require valid-user +Require valid-user
            @@ -482,7 +482,7 @@ users must authenticate using their UID. AuthLDAPURL ldap://ldap.airius.com/o=Airius?uid
            -require ldap-group cn=Administrators, o=Airius +Require ldap-group cn=Administrators, o=Airius
            @@ -494,7 +494,7 @@ alphanumeric pagers: AuthLDAPURL ldap://ldap.airius.com/o=Airius?uid??(qpagePagerID=*)
            -require valid-user +Require valid-user
            @@ -510,7 +510,7 @@ resource:

            AuthLDAPURL ldap://ldap.airius.com/o=Airius?uid??(|(qpagePagerID=*)(uid=jmanager))
            -require valid-user +Require valid-user

            This last may look confusing at first, so it helps to @@ -616,14 +616,14 @@

             AuthLDAPURL            "the url"
             AuthGroupFile mygroupfile
            -require group mygroupfile
            +Require group mygroupfile
             
            How It Works -

            FrontPage restricts access to a web by adding the require +

            FrontPage restricts access to a web by adding the Require valid-user directive to the .htaccess - files. The require valid-user directive will succeed for + files. The Require valid-user directive will succeed for any user who is valid as far as LDAP is concerned. This means that anybody who has an entry in the LDAP directory is considered a valid user, whereas FrontPage @@ -751,7 +751,7 @@ server to compare the DNs. This is the only foolproof way to compare DNs. mod_authnz_ldap will search the directory for the DN specified with the require dn directive, then, + href="#reqdn">Require dn directive, then, retrieve the DN and compare it with the DN retrieved from the user entry. If this directive is not set, mod_authnz_ldap simply does a string comparison. It