Return-Path:
X-Original-To: apmail-httpd-cvs-archive@www.apache.org
Delivered-To: apmail-httpd-cvs-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
by minotaur.apache.org (Postfix) with SMTP id 954AA9319
for ;
Fri, 4 May 2012 15:00:27 +0000 (UTC)
Received: (qmail 42263 invoked by uid 500); 4 May 2012 15:00:27 -0000
Delivered-To: apmail-httpd-cvs-archive@httpd.apache.org
Received: (qmail 42212 invoked by uid 500); 4 May 2012 15:00:27 -0000
Mailing-List: contact cvs-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@httpd.apache.org
list-help:
list-unsubscribe:
List-Post:
List-Id:
Delivered-To: mailing list cvs@httpd.apache.org
Received: (qmail 42203 invoked by uid 99); 4 May 2012 15:00:27 -0000
Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136)
by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 04 May 2012 15:00:27 +0000
X-ASF-Spam-Status: No, hits=-2000.0 required=5.0
tests=ALL_TRUSTED
X-Spam-Check-By: apache.org
Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4)
by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 04 May 2012 15:00:23 +0000
Received: from eris.apache.org (localhost [127.0.0.1])
by eris.apache.org (Postfix) with ESMTP id 4EB572388B3A;
Fri, 4 May 2012 15:00:03 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: svn commit: r1334008 [2/2] -
/httpd/httpd/branches/2.4.x/docs/manual/mod/
Date: Fri, 04 May 2012 15:00:01 -0000
To: cvs@httpd.apache.org
From: humbedooh@apache.org
X-Mailer: svnmailer-1.0.8-patched
Message-Id: <20120504150003.4EB572388B3A@eris.apache.org>
X-Virus-Checked: Checked by ClamAV on apache.org
Modified: httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authn_core.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authn_core.xml?rev=1334008&r1=1334007&r2=1334008&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authn_core.xml (original)
+++ httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authn_core.xml Fri May 4 14:59:59 2012
@@ -54,30 +54,25 @@
files.
Checking multiple text password files
-
- # Check here first
- <AuthnProviderAlias file file1>
-
- AuthUserFile /www/conf/passwords1
-
- </AuthnProviderAlias>
-
- # Then check here
- <AuthnProviderAlias file file2>
-
- AuthUserFile /www/conf/passwords2
-
- </AuthnProviderAlias>
-
- <Directory /var/web/pages/secure>
-
- AuthBasicProvider file1 file2
-
- AuthType Basic
- AuthName "Protected Area"
- Require valid-user
-
- </Directory>
+
+# Check here first
+<AuthnProviderAlias file file1>
+ AuthUserFile /www/conf/passwords1
+</AuthnProviderAlias>
+
+# Then check here
+<AuthnProviderAlias file file2>
+ AuthUserFile /www/conf/passwords2
+</AuthnProviderAlias>
+
+<Directory /var/web/pages/secure>
+ AuthBasicProvider file1 file2
+
+ AuthType Basic
+ AuthName "Protected Area"
+ Require valid-user
+</Directory>
+
The example below creates two different ldap authentication
@@ -86,34 +81,30 @@
hosts:
Checking multiple LDAP servers
- <AuthnProviderAlias ldap ldap-alias1>
-
- AuthLDAPBindDN cn=youruser,o=ctx
- AuthLDAPBindPassword yourpassword
- AuthLDAPURL ldap://ldap.host/o=ctx
-
- </AuthnProviderAlias>
- <AuthnProviderAlias ldap ldap-other-alias>
-
- AuthLDAPBindDN cn=yourotheruser,o=dev
- AuthLDAPBindPassword yourotherpassword
- AuthLDAPURL ldap://other.ldap.host/o=dev?cn
-
- </AuthnProviderAlias>
-
- Alias /secure /webpages/secure
- <Directory /webpages/secure>
-
- Order deny,allow
- Allow from all
-
- AuthBasicProvider ldap-other-alias ldap-alias1
-
- AuthType Basic
- AuthName LDAP_Protected_Place
- Require valid-user
-
- </Directory>
+
+<AuthnProviderAlias ldap ldap-alias1>
+ AuthLDAPBindDN cn=youruser,o=ctx
+ AuthLDAPBindPassword yourpassword
+ AuthLDAPURL ldap://ldap.host/o=ctx
+ </AuthnProviderAlias>
+ <AuthnProviderAlias ldap ldap-other-alias>
+ AuthLDAPBindDN cn=yourotheruser,o=dev
+ AuthLDAPBindPassword yourotherpassword
+ AuthLDAPURL ldap://other.ldap.host/o=dev?cn
+</AuthnProviderAlias>
+
+Alias /secure /webpages/secure
+<Directory /webpages/secure>
+ Order deny,allow
+ Allow from all
+
+ AuthBasicProvider ldap-other-alias ldap-alias1
+
+ AuthType Basic
+ AuthName LDAP_Protected_Place
+ Require valid-user
+</Directory>
+
@@ -144,9 +135,9 @@ authentication
For example:
-
+
AuthName "Top Secret"
-
+
The string provided for the AuthName
is what will
appear in the password dialog provided by most browsers.
@@ -189,24 +180,20 @@ authentication
in the following example, clients may access the
/www/docs/public
directory without authenticating:
-
- <Directory /www/docs>
-
- AuthType Basic
- AuthName Documents
- AuthBasicProvider file
- AuthUserFile /usr/local/apache/passwd/passwords
- Require valid-user
-
- </Directory>
-
- <Directory /www/docs/public>
-
- AuthType None
- Require all granted
-
- </Directory>
-
+
+<Directory /www/docs>
+ AuthType Basic
+ AuthName Documents
+ AuthBasicProvider file
+ AuthUserFile /usr/local/apache/passwd/passwords
+ Require valid-user
+</Directory>
+
+<Directory /www/docs/public>
+ AuthType None
+ Require all granted
+</Directory>
+
When disabling authentication, note that clients which have
already authenticated against another portion of the server's document
Modified: httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authn_dbd.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authn_dbd.xml?rev=1334008&r1=1334007&r2=1334008&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authn_dbd.xml (original)
+++ httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authn_dbd.xml Fri May 4 14:59:59 2012
@@ -72,7 +72,7 @@ to cache credentials and take most of th
Configuration Example
This simple example shows use of this module in the context of
the Authentication and DBD frameworks.
-
+
# mod_dbd configuration
# UPDATED to include authentication cacheing
DBDriver pgsql
@@ -100,10 +100,9 @@ DBDExptime 300
Require valid-user
# mod_authn_dbd SQL query to authenticate a user
- AuthDBDUserPWQuery \
- "SELECT password FROM authn WHERE user = %s"
+ AuthDBDUserPWQuery "SELECT password FROM authn WHERE user = %s"
</Directory>
-
+
@@ -136,10 +135,9 @@ configuration required in some web appli
will be passed as a single string parameter when the SQL query is
executed. It may be referenced within the query statement using
a %s
format specifier.
- Example
-AuthDBDUserPWQuery \
- "SELECT password FROM authn WHERE user = %s"
-
+
+AuthDBDUserPWQuery "SELECT password FROM authn WHERE user = %s"
+
The first column value of the first row returned by the query
statement should be a string containing the encrypted password.
Subsequent rows will be ignored. If no rows are returned, the user
@@ -171,10 +169,9 @@ AuthDBDUserPWQuery \
The user's ID and the realm, in that order, will be passed as string
parameters when the SQL query is executed. They may be referenced
within the query statement using %s
format specifiers.
- Example
-AuthDBDUserRealmQuery \
- "SELECT password FROM authn WHERE user = %s AND realm = %s"
-
+
+AuthDBDUserRealmQuery "SELECT password FROM authn WHERE user = %s AND realm = %s"
+
The first column value of the first row returned by the query
statement should be a string containing the encrypted password.
Subsequent rows will be ignored. If no rows are returned, the user
Modified: httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authn_socache.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authn_socache.xml?rev=1334008&r1=1334007&r2=1334008&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authn_socache.xml (original)
+++ httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authn_socache.xml Fri May 4 14:59:59 2012
@@ -69,18 +69,18 @@ the load on backends
A simple usage example to accelerate mod_authn_dbd
using dbm as a cache engine:
-
- <Directory /usr/www/myhost/private>
- AuthType Basic
- AuthName "Cached Authentication Example"
- AuthBasicProvider socache dbd
- AuthDBDUserPWQuery "SELECT password FROM authn WHERE user = %s"
- AuthnCacheProvideFor dbd
- AuthnCacheContext dbd-authn-example
- AuthnCacheSOCache dbm
- Require valid-user
- </Directory>
-
+
+<Directory /usr/www/myhost/private>
+ AuthType Basic
+ AuthName "Cached Authentication Example"
+ AuthBasicProvider socache dbd
+ AuthDBDUserPWQuery "SELECT password FROM authn WHERE user = %s"
+ AuthnCacheProvideFor dbd
+ AuthnCacheContext dbd-authn-example
+ AuthnCacheSOCache dbm
+ Require valid-user
+</Directory>
+
Cacheing with custom modules
@@ -142,9 +142,9 @@ the load on backends
For example, to cache credentials found by mod_authn_dbd
or by a custom provider myprovider, but leave those looked
up by lightweight providers like file or dbm lookup alone:
-
- AuthnCacheProvideFor dbd myprovider
-
+
+AuthnCacheProvideFor dbd myprovider
+
Modified: httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authnz_ldap.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authnz_ldap.xml?rev=1334008&r1=1334007&r2=1334008&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authnz_ldap.xml (original)
+++ httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authnz_ldap.xml Fri May 4 14:59:59 2012
@@ -340,11 +340,11 @@ for HTTP Basic authentication.ldap://ldap/o=Example?cn (i.e., cn
is
used for searches), the following Require directives could be used
to restrict access:
-
-Require ldap-user "Barbara Jenson"
-Require ldap-user "Fred User"
-Require ldap-user "Joe Manager"
-
+
+Require ldap-user "Barbara Jenson"
+Require ldap-user "Fred User"
+Require ldap-user "Joe Manager"
+
Because of the way that mod_authnz_ldap handles this
directive, Barbara Jenson could sign on as Barbara
@@ -356,7 +356,7 @@ Require ldap-user "Joe Manager"
If the uid
attribute was used instead of the
cn
attribute in the URL above, the above three lines
could be condensed to
-Require ldap-user bjenson fuser jmanager
+Require ldap-user bjenson fuser jmanager
Require ldap-group
@@ -366,58 +366,58 @@ Require ldap-user "Joe Manager"
group. Note: Do not surround the group name with quotes.
For example, assume that the following entry existed in
the LDAP directory:
-
-dn: cn=Administrators, o=Example
-objectClass: groupOfUniqueNames
-uniqueMember: cn=Barbara Jenson, o=Example
-uniqueMember: cn=Fred User, o=Example
-
+
+dn: cn=Administrators, o=Example
+objectClass: groupOfUniqueNames
+uniqueMember: cn=Barbara Jenson, o=Example
+uniqueMember: cn=Fred User, o=Example
+
The following directive would grant access to both Fred and
Barbara:
-Require ldap-group cn=Administrators, o=Example
+Require ldap-group cn=Administrators, o=Example
Members can also be found within sub-groups of a specified LDAP group
if AuthLDAPMaxSubGroupDepth
is set to a value greater than 0. For example, assume the following entries
exist in the LDAP directory:
-
-dn: cn=Employees, o=Example
-objectClass: groupOfUniqueNames
-uniqueMember: cn=Managers, o=Example
-uniqueMember: cn=Administrators, o=Example
-uniqueMember: cn=Users, o=Example
-
-dn: cn=Managers, o=Example
-objectClass: groupOfUniqueNames
-uniqueMember: cn=Bob Ellis, o=Example
-uniqueMember: cn=Tom Jackson, o=Example
-
-dn: cn=Administrators, o=Example
-objectClass: groupOfUniqueNames
-uniqueMember: cn=Barbara Jenson, o=Example
-uniqueMember: cn=Fred User, o=Example
-
-dn: cn=Users, o=Example
-objectClass: groupOfUniqueNames
-uniqueMember: cn=Allan Jefferson, o=Example
-uniqueMember: cn=Paul Tilley, o=Example
-uniqueMember: cn=Temporary Employees, o=Example
-
-dn: cn=Temporary Employees, o=Example
-objectClass: groupOfUniqueNames
-uniqueMember: cn=Jim Swenson, o=Example
-uniqueMember: cn=Elliot Rhodes, o=Example
-
+
+dn: cn=Employees, o=Example
+objectClass: groupOfUniqueNames
+uniqueMember: cn=Managers, o=Example
+uniqueMember: cn=Administrators, o=Example
+uniqueMember: cn=Users, o=Example
+
+dn: cn=Managers, o=Example
+objectClass: groupOfUniqueNames
+uniqueMember: cn=Bob Ellis, o=Example
+uniqueMember: cn=Tom Jackson, o=Example
+
+dn: cn=Administrators, o=Example
+objectClass: groupOfUniqueNames
+uniqueMember: cn=Barbara Jenson, o=Example
+uniqueMember: cn=Fred User, o=Example
+
+dn: cn=Users, o=Example
+objectClass: groupOfUniqueNames
+uniqueMember: cn=Allan Jefferson, o=Example
+uniqueMember: cn=Paul Tilley, o=Example
+uniqueMember: cn=Temporary Employees, o=Example
+
+dn: cn=Temporary Employees, o=Example
+objectClass: groupOfUniqueNames
+uniqueMember: cn=Jim Swenson, o=Example
+uniqueMember: cn=Elliot Rhodes, o=Example
+
The following directives would allow access for Bob Ellis, Tom Jackson,
Barbara Jensen, Fred User, Allan Jefferson, and Paul Tilley but would not
allow access for Jim Swenson, or Elliot Rhodes (since they are at a
sub-group depth of 2):
-
-Require ldap-group cn=Employees, o-Example
-AuthLDAPSubGroupDepth 1
-
+
+Require ldap-group cn=Employees, o-Example
+AuthLDAPSubGroupDepth 1
+
Behavior of this directive is modified by the AuthLDAPGroupAttribute,
The following directive would grant access to a specific
DN:
-Require ldap-dn cn=Barbara Jenson, o=Example
+Require ldap-dn cn=Barbara Jenson, o=Example
Behavior of this directive is modified by the AuthLDAPCompareDNOnServer
@@ -457,7 +457,7 @@ AuthLDAPSubGroupDepth 1
The following directive would grant access to anyone with
the attribute employeeType = active
- Require ldap-attribute employeeType=active
+ Require ldap-attribute employeeType=active
Multiple attribute/value pairs can be specified on the same line
separated by spaces or they can be specified in multiple
@@ -470,7 +470,7 @@ AuthLDAPSubGroupDepth 1
The following directive would grant access to anyone with
the city attribute equal to "San Jose" or status equal to "Active"
- Require ldap-attribute city="San Jose" status=active
+ Require ldap-attribute city="San Jose" status=active
@@ -484,7 +484,7 @@ AuthLDAPSubGroupDepth 1
The following directive would grant access to anyone having a cell phone
and is in the marketing department
- Require ldap-filter &(cell=*)(department=marketing)
+ Require ldap-filter &(cell=*)(department=marketing)
The difference between the Require ldap-filter
directive and the
Require ldap-attribute
directive is that ldap-filter
@@ -504,19 +504,19 @@ AuthLDAPSubGroupDepth 1
Grant access to anyone who exists in the LDAP directory,
using their UID for searches.
-
-AuthLDAPURL "ldap://ldap1.example.com:389/ou=People, o=Example?uid?sub?(objectClass=*)"
+
+AuthLDAPURL "ldap://ldap1.example.com:389/ou=People, o=Example?uid?sub?(objectClass=*)"
Require valid-user
-
+
The next example is the same as above; but with the fields
that have useful defaults omitted. Also, note the use of a
redundant LDAP server.
-AuthLDAPURL "ldap://ldap1.example.com ldap2.example.com/ou=People, o=Example"
+AuthLDAPURL "ldap://ldap1.example.com ldap2.example.com/ou=People, o=Example"
Require valid-user
-
+
@@ -528,19 +528,19 @@ Require valid-user
this approach is not recommended: it's a better idea to
choose an attribute that is guaranteed unique in your
directory, such as uid
.
-
-AuthLDAPURL "ldap://ldap.example.com/ou=People, o=Example?cn"
+
+AuthLDAPURL "ldap://ldap.example.com/ou=People, o=Example?cn"
Require valid-user
-
+
Grant access to anybody in the Administrators group. The
users must authenticate using their UID.
-
-AuthLDAPURL ldap://ldap.example.com/o=Example?uid
+
+AuthLDAPURL ldap://ldap.example.com/o=Example?uid
Require ldap-group cn=Administrators, o=Example
-
+
@@ -549,10 +549,10 @@ Require ldap-group cn=Administrators, o=
of qpagePagerID
. The example will grant access
only to people (authenticated via their UID) who have
alphanumeric pagers:
-
-AuthLDAPURL ldap://ldap.example.com/o=Example?uid??(qpagePagerID=*)
+
+AuthLDAPURL ldap://ldap.example.com/o=Example?uid??(qpagePagerID=*)
Require valid-user
-
+
@@ -565,10 +565,10 @@ Require valid-user
a pager, plus grant access to Joe Manager, who doesn't
have a pager, but does need to access the same
resource:
-
-AuthLDAPURL ldap://ldap.example.com/o=Example?uid??(|(qpagePagerID=*)(uid=jmanager))
+
+AuthLDAPURL ldap://ldap.example.com/o=Example?uid??(|(qpagePagerID=*)(uid=jmanager))
Require valid-user
-
+
This last may look confusing at first, so it helps to
evaluate what the search filter will look like based on who
@@ -663,11 +663,11 @@ Require valid-user
subtree search for the attribute userPrincipalName, with
an empty search root, like so:
-
-AuthLDAPBindDN apache@example.com
-AuthLDAPBindPassword password
+
+AuthLDAPBindDN apache@example.com
+AuthLDAPBindPassword password
AuthLDAPURL ldap://10.0.0.1:3268/?userPrincipalName?sub
-
+
Users will need to enter their User Principal Name as a login, in
the form somebody@nz.example.com.
@@ -690,11 +690,11 @@ AuthLDAPURL ldap://10.0.0.1:3268/?userPr
authentication to it is a matter of adding the following
directives to every .htaccess
file
that gets created in the web
-
+
AuthLDAPURL "the url"
AuthGroupFile mygroupfile
Require group mygroupfile
-
+
How It Works
@@ -864,8 +864,8 @@ to perform a DN lookup
AuthLDAPBindDN.
- AuthLDAPInitialBindPattern (.+) $1@example.com
- AuthLDAPInitialBindPattern (.+) cn=$1,dc=example,dc=com
+ AuthLDAPInitialBindPattern (.+) $1@example.com
+ AuthLDAPInitialBindPattern (.+) cn=$1,dc=example,dc=com
Not available with authorization-only
This directive can only be used if this module authenticates the user, and
@@ -1215,7 +1215,7 @@ objects that are groups during sub-group
to use. The syntax of the URL is
ldap://host:port/basedn?attribute?scope?filter
If you want to specify more than one LDAP URL that Apache should try in turn, the syntax is:
-AuthLDAPUrl "ldap://ldap1.example.com ldap2.example.com/dc=..."
+AuthLDAPUrl "ldap://ldap1.example.com ldap2.example.com/dc=..."
Caveat: If you specify multiple servers, you need to enclose the entire URL string in quotes;
otherwise you will get an error: "AuthLDAPURL takes one argument, URL to define LDAP connection.."
You can of course use search parameters on each of these.
Modified: httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_core.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_core.xml?rev=1334008&r1=1334007&r2=1334008&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_core.xml (original)
+++ httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_core.xml Fri May 4 14:59:59 2012
@@ -58,38 +58,33 @@
multiple ldap hosts:
- Example
- <AuthzProviderAlias ldap-group ldap-group-alias1 cn=my-group,o=ctx>
-
- AuthLDAPBindDN cn=youruser,o=ctx
- AuthLDAPBindPassword yourpassword
- AuthLDAPURL ldap://ldap.host/o=ctx
-
- </AuthzProviderAlias>
- <AuthzProviderAlias ldap-group ldap-group-alias2
- cn=my-other-group,o=dev>
-
- AuthLDAPBindDN cn=yourotheruser,o=dev
- AuthLDAPBindPassword yourotherpassword
- AuthLDAPURL ldap://other.ldap.host/o=dev?cn
-
- </AuthzProviderAlias>
-
- Alias /secure /webpages/secure
- <Directory /webpages/secure>
-
- Require all granted
-
- AuthBasicProvider file
-
- AuthType Basic
- AuthName LDAP_Protected_Place
-
- #implied OR operation
- Require ldap-group-alias1
- Require ldap-group-alias2
- </Directory>
-
+
+<AuthzProviderAlias ldap-group ldap-group-alias1 cn=my-group,o=ctx>
+ AuthLDAPBindDN cn=youruser,o=ctx
+ AuthLDAPBindPassword yourpassword
+ AuthLDAPURL ldap://ldap.host/o=ctx
+</AuthzProviderAlias>
+
+<AuthzProviderAlias ldap-group ldap-group-alias2 cn=my-other-group,o=dev>
+ AuthLDAPBindDN cn=yourotheruser,o=dev
+ AuthLDAPBindPassword yourotherpassword
+ AuthLDAPURL ldap://other.ldap.host/o=dev?cn
+</AuthzProviderAlias>
+
+Alias /secure /webpages/secure
+<Directory /webpages/secure>
+ Require all granted
+
+ AuthBasicProvider file
+
+ AuthType Basic
+ AuthName LDAP_Protected_Place
+
+ #implied OR operation
+ Require ldap-group-alias1
+ Require ldap-group-alias2
+</Directory>
+
@@ -115,39 +110,27 @@
not belong to either the temps
group or the
LDAP group Temporary Employees
.
-
- <Directory /www/mydocs>
-
+
+<Directory /www/mydocs>
+ <RequireAll>
+ <RequireAny>
+ Require user superadmin
<RequireAll>
-
+ Require group admins
+ Require ldap-group cn=Administrators,o=Airius
<RequireAny>
-
- Require user superadmin
- <RequireAll>
-
- Require group admins
- Require ldap-group cn=Administrators,o=Airius
- <RequireAny>
-
- Require group sales
- Require ldap-attribute dept="sales"
-
- </RequireAny>
-
- </RequireAll>
-
- </RequireAny>
- <RequireNone>
-
- Require group temps
- Require ldap-group cn=Temporary Employees,o=Airius
-
- </RequireNone>
-
+ Require group sales
+ Require ldap-attribute dept="sales"
+ </RequireAny>
</RequireAll>
-
- </Directory>
-
+ </RequireAny>
+ <RequireNone>
+ Require group temps
+ Require ldap-group cn=Temporary Employees,o=Airius
+ </RequireNone>
+ </RequireAll>
+</Directory>
+
The Require Directives
@@ -171,14 +154,12 @@
User-Agent
(browser type), Referer
, or
other HTTP request header fields.
- Example:
- SetEnvIf User-Agent ^KnockKnock/2\.0 let_me_in
- <Directory /docroot>
-
- Require env let_me_in
-
- </Directory>
-
+
+SetEnvIf User-Agent ^KnockKnock/2\.0 let_me_in
+<Directory /docroot>
+ Require env let_me_in
+</Directory>
+
In this case, browsers with a user-agent string beginning
with KnockKnock/2.0
will be allowed access, and all
@@ -194,13 +175,13 @@
'granted' or 'denied'. The following examples will grant or deny
access to all requests.
-
- Require all granted
-
-
-
- Require all denied
-
+
+ Require all granted
+
+
+
+ Require all denied
+
@@ -214,20 +195,20 @@
The following example will only allow GET, HEAD, POST, and OPTIONS
requests:
-
- Require method GET POST OPTIONS
-
+
+ Require method GET POST OPTIONS
+
The following example will allow GET, HEAD, POST, and OPTIONS
requests without authentication, and require a valid user for all other
methods:
-
- <RequireAny>
- Require method GET POST OPTIONS
- Require valid-user
- </RequireAny>
-
+
+<RequireAny>
+ Require method GET POST OPTIONS
+ Require valid-user
+</RequireAny>
+
@@ -236,9 +217,9 @@
The expr
provider allows to base authorization
decisions on arbitrary expressions.
-
- Require expr %{TIME_HOUR} >= 9 && %{TIME_HOUR} <= 17
-
+
+ Require expr %{TIME_HOUR} >= 9 && %{TIME_HOUR} <= 17
+
The syntax is described in the ap_expr
documentation.
@@ -321,14 +302,14 @@ an authorization provider.
and AuthGroupFile (to
define users and groups) in order to work correctly. Example:
-
- AuthType Basic
- AuthName "Restricted Resource"
- AuthBasicProvider file
- AuthUserFile /web/users
- AuthGroupFile /web/groups
- Require group admin
-
+
+AuthType Basic
+AuthName "Restricted Resource"
+AuthBasicProvider file
+AuthUserFile /web/users
+AuthGroupFile /web/groups
+Require group admin
+
Access controls which are applied in this way are effective for
all methods. This is what is normally
@@ -350,18 +331,14 @@ an authorization provider.
and beta
groups are authorized, except for those who
are also in the reject
group.
-
- <Directory /www/docs>
-
- <RequireAll>
-
- Require group alpha beta
- Require not group reject
-
- </RequireAll>
-
- </Directory>
-
+
+<Directory /www/docs>
+ <RequireAll>
+ Require group alpha beta
+ Require not group reject
+ </RequireAll>
+</Directory>
+
When multiple Require directives are
used in a single
@@ -540,30 +517,24 @@ sections.
preceding sections. Thus only users belong to the group
gamma
may access /www/docs/ab/gamma
.
-
- <Directory /www/docs>
-
- AuthType Basic
- AuthName Documents
- AuthBasicProvider file
- AuthUserFile /usr/local/apache/passwd/passwords
- Require group alpha
-
- </Directory>
-
- <Directory /www/docs/ab>
-
- AuthMerging Or
- Require group beta
-
- </Directory>
-
- <Directory /www/docs/ab/gamma>
-
- Require group gamma
-
- </Directory>
-
+
+<Directory /www/docs>
+ AuthType Basic
+ AuthName Documents
+ AuthBasicProvider file
+ AuthUserFile /usr/local/apache/passwd/passwords
+ Require group alpha
+</Directory>
+
+<Directory /www/docs/ab>
+ AuthMerging Or
+ Require group beta
+</Directory>
+
+<Directory /www/docs/ab/gamma>
+ Require group gamma
+</Directory>
+
Modified: httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_dbd.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_dbd.xml?rev=1334008&r1=1334007&r2=1334008&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_dbd.xml (original)
+++ httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_dbd.xml Fri May 4 14:59:59 2012
@@ -80,8 +80,8 @@ to implement functions that start and en
-Configuration Example
-
+Configuration example
+
# mod_dbd configuration
DBDriver pgsql
DBDParams "dbname=apacheauth user=apache pass=xxxxxx"
@@ -115,13 +115,11 @@ DBDExptime 300
<Files login.html>
# don't require user to already be logged in!
- AuthDBDUserPWQuery \
- "SELECT password FROM authn WHERE user = %s"
+ AuthDBDUserPWQuery "SELECT password FROM authn WHERE user = %s"
# dbd-login action executes a statement to log user in
Require dbd-login
- AuthzDBDQuery \
- "UPDATE authn SET login = 'true' WHERE user = %s"
+ AuthzDBDQuery "UPDATE authn SET login = 'true' WHERE user = %s"
# return user to referring page (if any) after
# successful login
@@ -131,11 +129,10 @@ DBDExptime 300
<Files logout.html>
# dbd-logout action executes a statement to log user out
Require dbd-logout
- AuthzDBDQuery \
- "UPDATE authn SET login = 'false' WHERE user = %s"
+ AuthzDBDQuery "UPDATE authn SET login = 'false' WHERE user = %s"
</Files>
</Directory>
-
+
@@ -157,22 +154,20 @@ DBDExptime 300
The first column value of each row returned by the query statement
should be a string containing a group name. Zero, one, or more rows
may be returned.
- Example
+
Require dbd-group
-AuthzDBDQuery \
- "SELECT group FROM groups WHERE user = %s"
-
+AuthzDBDQuery "SELECT group FROM groups WHERE user = %s"
+
When used with a Require dbd-login
or
Require dbd-logout
directive, it will never deny access,
but will instead execute a SQL statement designed to log the user
in or out. The user must already be authenticated with
mod_authn_dbd.
- Example
+
Require dbd-login
-AuthzDBDQuery \
- "UPDATE authn SET login = 'true' WHERE user = %s"
-
+AuthzDBDQuery "UPDATE authn SET login = 'true' WHERE user = %s"
+
In all cases, the user's ID will be passed as a single string
@@ -193,10 +188,9 @@ AuthzDBDQuery \
specific to the user. The user's ID will be passed as a single string
parameter when the SQL query is executed. It may be referenced within
the query statement using a %s
format specifier.
- Example
-AuthzDBDRedirectQuery \
- "SELECT userpage FROM userpages WHERE user = %s"
-
+
+AuthzDBDRedirectQuery "SELECT userpage FROM userpages WHERE user = %s"
+
The first column value of the first row returned by the query
statement should be a string containing a URL to which to redirect
the client. Subsequent rows will be ignored. If no rows are returned,
Modified: httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_dbm.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_dbm.xml?rev=1334008&r1=1334007&r2=1334008&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_dbm.xml (original)
+++ httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_dbm.xml Fri May 4 14:59:59 2012
@@ -75,10 +75,10 @@ of user groups for authorization
-
- AuthDBMGroupFile /www/userbase
- AuthDBMUserFile /www/userbase
-
+
+AuthDBMGroupFile /www/userbase
+AuthDBMUserFile /www/userbase
+
The key for the single DBM is the username. The value consists
of
Modified: httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_host.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_host.xml?rev=1334008&r1=1334007&r2=1334008&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_host.xml (original)
+++ httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_host.xml Fri May 4 14:59:59 2012
@@ -75,35 +75,35 @@ address)
A full IP address:
-
- Require ip 10.1.2.3
- Require ip 192.168.1.104 192.168.1.205
-
+
+Require ip 10.1.2.3
+Require ip 192.168.1.104 192.168.1.205
+
An IP address of a host allowed access
A partial IP address:
-
- Require ip 10.1
- Require ip 10 172.20 192.168.2
-
+
+Require ip 10.1
+Require ip 10 172.20 192.168.2
+
The first 1 to 3 bytes of an IP address, for subnet
restriction.
A network/netmask pair:
-
+
Require ip 10.1.0.0/255.255.0.0
-
+
A network a.b.c.d, and a netmask w.x.y.z. For more
fine-grained subnet restriction.
A network/nnn CIDR specification:
-
+
Require ip 10.1.0.0/16
-
+
Similar to the previous case, except the netmask consists of
nnn high-order 1 bits.
@@ -113,10 +113,10 @@ address)
IPv6 addresses and IPv6 subnets can be specified as shown
below:
-
- Require ip 2001:db8::a00:20ff:fea7:ccea
- Require ip 2001:db8::a00:20ff:fea7:ccea/10
-
+
+Require ip 2001:db8::a00:20ff:fea7:ccea
+Require ip 2001:db8::a00:20ff:fea7:ccea/10
+
@@ -130,10 +130,10 @@ address)
A (partial) domain-name
-
- Require host example.org
- Require host .net example.edu
-
+
+Require host example.org
+Require host .net example.edu
+
Hosts whose names match, or end in, this string are allowed
access. Only complete components are matched, so the above
@@ -164,9 +164,9 @@ address)
This allows a convenient way to match connections that originate from
the local host:
-
+
Require local
-
+
Modified: httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_owner.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_owner.xml?rev=1334008&r1=1334007&r2=1334008&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_owner.xml (original)
+++ httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_owner.xml Fri May 4 14:59:59 2012
@@ -85,17 +85,15 @@
files in /home/smith/public_html/private
unless they
were owned by jones
instead of smith
.
-
- <Directory /home/*/public_html/private>
-
- AuthType Basic
- AuthName MyPrivateFiles
- AuthBasicProvider dbm
- AuthDBMUserFile /usr/local/apache2/etc/.htdbm-all
- Require file-owner
-
- </Directory>
-
+
+<Directory /home/*/public_html/private>
+ AuthType Basic
+ AuthName MyPrivateFiles
+ AuthBasicProvider dbm
+ AuthDBMUserFile /usr/local/apache2/etc/.htdbm-all
+ Require file-owner
+</Directory>
+
Require file-group
@@ -111,22 +109,20 @@
authorized to access the project-foo
directories of
each other.
-
- <Directory /home/*/public_html/project-foo>
-
- AuthType Basic
- AuthName "Project Foo Files"
- AuthBasicProvider dbm
-
- # combined user/group database
- AuthDBMUserFile /usr/local/apache2/etc/.htdbm-all
- AuthDBMGroupFile /usr/local/apache2/etc/.htdbm-all
-
- Satisfy All
- Require file-group
-
- </Directory>
-
+
+<Directory /home/*/public_html/project-foo>
+ AuthType Basic
+ AuthName "Project Foo Files"
+ AuthBasicProvider dbm
+
+ # combined user/group database
+ AuthDBMUserFile /usr/local/apache2/etc/.htdbm-all
+ AuthDBMGroupFile /usr/local/apache2/etc/.htdbm-all
+
+ Satisfy All
+ Require file-group
+</Directory>
+
Modified: httpd/httpd/branches/2.4.x/docs/manual/mod/mod_autoindex.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/docs/manual/mod/mod_autoindex.xml?rev=1334008&r1=1334007&r2=1334008&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/docs/manual/mod/mod_autoindex.xml (original)
+++ httpd/httpd/branches/2.4.x/docs/manual/mod/mod_autoindex.xml Fri May 4 14:59:59 2012
@@ -69,7 +69,8 @@
same header repeatedly toggles between ascending and descending
order. These column header links are suppressed with the
IndexOptions directive's
- SuppressColumnSorting
option.
+ SuppressColumnSorting
+ option.
Note that when the display is sorted by "Size", it's the
actual size of the files that's used, not the
@@ -201,10 +202,10 @@ icon selected by filename
is displayed if the client is image-incapable, has image loading
disabled, or fails to retrieve the icon.
- Examples
- AddAlt "PDF file" *.pdf
- AddAlt Compressed *.gz *.zip *.Z
-
+
+AddAlt "PDF file" *.pdf
+AddAlt Compressed *.gz *.zip *.Z
+
@@ -229,9 +230,9 @@ selected by MIME-encoding
This alternate text is displayed if the client is image-incapable,
has image loading disabled, or fails to retrieve the icon.
- Example
+
AddAltByEncoding gzip x-gzip
-
+
@@ -256,9 +257,9 @@ icon selected by MIME content-type
- Example
+
AddAltByType 'plain text' text/plain
-
+
@@ -279,10 +280,10 @@ icon selected by MIME content-typeString is enclosed in double quotes ("
).
- Example
- AddDescription "The planet Mars" mars.gif
- AddDescription "My friend Marshall" friends/mars.gif
-
+
+AddDescription "The planet Mars" mars.gif
+AddDescription "My friend Marshall" friends/mars.gif
+
The typical, default description field is 23 bytes wide. 6
more bytes are added by the IndexOptions
HTMLTable
.
- Examples
- AddIcon (IMG,/icons/image.png) .gif .jpg .png
- AddIcon /icons/dir.png ^^DIRECTORY^^
- AddIcon /icons/backup.png *~
-
+
+#Examples
+AddIcon (IMG,/icons/image.png) .gif .jpg .png
+AddIcon /icons/dir.png ^^DIRECTORY^^
+AddIcon /icons/backup.png *~
+
AddIconByType
should be used in preference to AddIcon,
@@ -388,9 +390,9 @@ content-encoding
MIME-encoding is a valid content-encoding, such as
x-compress
.
- Example
+
AddIconByEncoding /icons/compress.png x-compress
-
+
@@ -418,9 +420,9 @@ content-type
MIME-type is a wildcard expression matching
required the mime types.
- Example
+
AddIconByType (IMG,/icons/image.png) image/*
-
+
@@ -441,9 +443,9 @@ configured
Url-path is a (%-escaped) relative URL to the icon,
or a fully qualified remote URL.
- Example
+
DefaultIcon /icon/unknown.png
-
+
@@ -462,9 +464,9 @@ of the index listing
of the file that will be inserted at the top of the index
listing. Filename is the name of the file to include.
- Example
+
HeaderName HEADER.html
-
+
Both HeaderName and
with a slash, it will be taken to be relative to the DocumentRoot.
- Example
+
HeaderName /include/HEADER.html
-
+
Filename must resolve to a document with a major
content type of text/*
(e.g.,
@@ -485,9 +487,9 @@ of the index listing
actual file type (as opposed to its output) is marked as
text/html
such as with a directive like:
-
+
AddType text/html .cgi
-
+
Content negotiation
will be performed if Options
@@ -530,9 +532,9 @@ a directory
files. By default, the list contains .
(the current
directory).
-
+
IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
-
+
Regular Expressions
This directive does not currently work in configuration sections
@@ -560,15 +562,15 @@ a directory
any files ignored by IndexIgnore otherwise
inherited from other configuration sections.
-
- <Directory /var/www>
- IndexIgnore *.bak .??* *~ *# HEADER* README* RCS CVS *,v *,t
- </Directory>
- <Directory /var/www/backups>
- IndexIgnoreReset ON
- IndexIgnore .??* *# HEADER* README* RCS CVS *,v *,t
- </Directory>
-
+
+<Directory /var/www>
+ IndexIgnore *.bak .??* *~ *# HEADER* README* RCS CVS *,v *,t
+</Directory>
+<Directory /var/www/backups>
+ IndexIgnoreReset ON
+ IndexIgnore .??* *# HEADER* README* RCS CVS *,v *,t
+</Directory>
+
Review the default configuration for a list of
patterns that you might want to explicitly ignore after using this
@@ -620,9 +622,9 @@ indexing
(It depends on whether the underlying file system
uses Unicode filenames or not.)
- Example:
+
IndexOptions Charset=UTF-8
-
+
specify the MIME content-type of the generated page. The default
is text/html.
- Example:
+
IndexOptions Type=text/plain
-
+
Multiple IndexOptions directives for a
single directory are now merged together. The result of:
-
- <Directory /foo>
-
- IndexOptions HTMLTable
- IndexOptions SuppressColumnsorting
-
- </Directory>
-
+
+<Directory /foo>
+ IndexOptions HTMLTable
+ IndexOptions SuppressColumnsorting
+</Directory>
+
will be the equivalent of
-
+
IndexOptions HTMLTable SuppressColumnsorting
-
+
The addition of the incremental syntax (i.e., prefixing
@@ -945,10 +945,10 @@ indexing
clears all inherited options and any incremental settings encountered
so far. Consider the following example:
-
- IndexOptions +ScanHTMLTitles -IconsAreLinks FancyIndexing
- IndexOptions +SuppressSize
-
+
+IndexOptions +ScanHTMLTitles -IconsAreLinks FancyIndexing
+IndexOptions +SuppressSize
+
The net effect is equivalent to IndexOptions FancyIndexing
+SuppressSize
, because the unprefixed FancyIndexing
@@ -1014,10 +1014,9 @@ Name|Date|Size|Description
The IndexStyleSheet directive sets the name of
the file that will be used as the CSS for the index listing.
-
- Example
+
IndexStyleSheet "/css/style.css"
-
+
Using this directive in conjunction with IndexOptions
HTMLTable
adds a number of CSS classes to the resulting HTML.
@@ -1053,10 +1052,9 @@ Name|Date|Size|Description
The IndexHeadInsert directive specifies a
string to insert in the <head> section of the HTML
generated for the index page.
-
- Example
+
IndexHeadInsert "<link rel=\"sitemap\" href=\"/sitemap.html\">"
-
+
@@ -1079,13 +1077,15 @@ of the index listing
relative to the DocumentRoot.
- Example 1
- ReadmeName FOOTER.html
-
-
- Example 2
- ReadmeName /include/FOOTER.html
-
+
+# Example 1
+ReadmeName FOOTER.html
+
+
+
+# Example 2
+ReadmeName /include/FOOTER.html
+
See also HeaderName, where this behavior is described in greater