Subject: svn commit: r1334008 [2/2] - /httpd/httpd/branches/2.4.x/docs/manual/mod/
Date: Fri, 04 May 2012 15:00:01 -0000
To: cvs@httpd.apache.org
From: humbedooh@apache.org X-Mailer: svnmailer-1.0.8-patched Message-Id: <20120504150003.4EB572388B3A@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Modified: httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authn_core.xml URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authn_core.xml?rev=1334008&r1=1334007&r2=1334008&view=diff ============================================================================== --- httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authn_core.xml (original) +++ httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authn_core.xml Fri May 4 14:59:59 2012 @@ -54,30 +54,25 @@ files.

Checking multiple text password files - - # Check here first
- <AuthnProviderAlias file file1>
- - AuthUserFile /www/conf/passwords1
-
- </AuthnProviderAlias>
-
- # Then check here
- <AuthnProviderAlias file file2>
- - AuthUserFile /www/conf/passwords2
-
- </AuthnProviderAlias>
-
- <Directory /var/web/pages/secure>
- - AuthBasicProvider file1 file2
-
- AuthType Basic
- AuthName "Protected Area"
- Require valid-user
-
- </Directory>
+ +# Check here first +<AuthnProviderAlias file file1> + AuthUserFile /www/conf/passwords1 +</AuthnProviderAlias> + +# Then check here +<AuthnProviderAlias file file2> + AuthUserFile /www/conf/passwords2 +</AuthnProviderAlias> + +<Directory /var/web/pages/secure> + AuthBasicProvider file1 file2 + + AuthType Basic + AuthName "Protected Area" + Require valid-user +</Directory> +

The example below creates two different ldap authentication @@ -86,34 +81,30 @@ hosts:

Checking multiple LDAP servers - <AuthnProviderAlias ldap ldap-alias1>
- - AuthLDAPBindDN cn=youruser,o=ctx
- AuthLDAPBindPassword yourpassword
- AuthLDAPURL ldap://ldap.host/o=ctx
-
- </AuthnProviderAlias>

- <AuthnProviderAlias ldap ldap-other-alias>
- - AuthLDAPBindDN cn=yourotheruser,o=dev
- AuthLDAPBindPassword yourotherpassword
- AuthLDAPURL ldap://other.ldap.host/o=dev?cn
-
- </AuthnProviderAlias>

- - Alias /secure /webpages/secure
- <Directory /webpages/secure>
- - Order deny,allow
- Allow from all

- - AuthBasicProvider ldap-other-alias ldap-alias1

- - AuthType Basic
- AuthName LDAP_Protected_Place
- Require valid-user
-
- </Directory>
+ +<AuthnProviderAlias ldap ldap-alias1> + AuthLDAPBindDN cn=youruser,o=ctx + AuthLDAPBindPassword yourpassword + AuthLDAPURL ldap://ldap.host/o=ctx + </AuthnProviderAlias> + <AuthnProviderAlias ldap ldap-other-alias> + AuthLDAPBindDN cn=yourotheruser,o=dev + AuthLDAPBindPassword yourotherpassword + AuthLDAPURL ldap://other.ldap.host/o=dev?cn +</AuthnProviderAlias> + +Alias /secure /webpages/secure +<Directory /webpages/secure> + Order deny,allow + Allow from all + + AuthBasicProvider ldap-other-alias ldap-alias1 + + AuthType Basic + AuthName LDAP_Protected_Place + Require valid-user +</Directory> +
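Review bot: The `<Directory /webpages/secure>` block in the rewritten LDAP example still carries `Order deny,allow` and `Allow from all`, which in 2.4 are provided only by mod_access_compat. This is the 2.4.x manual and the block already ends in `Require valid-user`, so drop those two lines rather than reformatting them. Also, the first `</AuthnProviderAlias>` is followed directly by the second `<AuthnProviderAlias ldap ldap-other-alias>` with no blank separator line, unlike the file1/file2 example in the previous hunk.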
@@ -144,9 +135,9 @@ authentication

For example:

- + AuthName "Top Secret" - +

The string provided for the AuthName is what will appear in the password dialog provided by most browsers.

@@ -189,24 +180,20 @@ authentication in the following example, clients may access the /www/docs/public directory without authenticating:

- - <Directory /www/docs> - - AuthType Basic
- AuthName Documents
- AuthBasicProvider file
- AuthUserFile /usr/local/apache/passwd/passwords
- Require valid-user -
- </Directory>
-
- <Directory /www/docs/public> - - AuthType None
- Require all granted -
- </Directory> -
+ +<Directory /www/docs> + AuthType Basic + AuthName Documents + AuthBasicProvider file + AuthUserFile /usr/local/apache/passwd/passwords + Require valid-user +</Directory> + +<Directory /www/docs/public> + AuthType None + Require all granted +</Directory> + When disabling authentication, note that clients which have already authenticated against another portion of the server's document Modified: httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authn_dbd.xml URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authn_dbd.xml?rev=1334008&r1=1334007&r2=1334008&view=diff ============================================================================== --- httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authn_dbd.xml (original) +++ httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authn_dbd.xml Fri May 4 14:59:59 2012 @@ -72,7 +72,7 @@ to cache credentials and take most of th Configuration Example

This simple example shows use of this module in the context of the Authentication and DBD frameworks.

-
+
 # mod_dbd configuration
 # UPDATED to include authentication cacheing
 DBDriver pgsql
@@ -100,10 +100,9 @@ DBDExptime 300
   Require valid-user
 
   # mod_authn_dbd SQL query to authenticate a user
-  AuthDBDUserPWQuery \
-    "SELECT password FROM authn WHERE user = %s"
+  AuthDBDUserPWQuery "SELECT password FROM authn WHERE user = %s"
 </Directory>
-
+
@@ -136,10 +135,9 @@ configuration required in some web appli will be passed as a single string parameter when the SQL query is executed. It may be referenced within the query statement using a %s format specifier.

- Example
-AuthDBDUserPWQuery \
-  "SELECT password FROM authn WHERE user = %s"
-
+ +AuthDBDUserPWQuery "SELECT password FROM authn WHERE user = %s" +

The first column value of the first row returned by the query statement should be a string containing the encrypted password. Subsequent rows will be ignored. If no rows are returned, the user @@ -171,10 +169,9 @@ AuthDBDUserPWQuery \ The user's ID and the realm, in that order, will be passed as string parameters when the SQL query is executed. They may be referenced within the query statement using %s format specifiers.

- Example
-AuthDBDUserRealmQuery \
-  "SELECT password FROM authn WHERE user = %s AND realm = %s"
-
+ +AuthDBDUserRealmQuery "SELECT password FROM authn WHERE user = %s AND realm = %s" +

The first column value of the first row returned by the query statement should be a string containing the encrypted password. Subsequent rows will be ignored. If no rows are returned, the user Modified: httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authn_socache.xml URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authn_socache.xml?rev=1334008&r1=1334007&r2=1334008&view=diff ============================================================================== --- httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authn_socache.xml (original) +++ httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authn_socache.xml Fri May 4 14:59:59 2012 @@ -69,18 +69,18 @@ the load on backends

A simple usage example to accelerate mod_authn_dbd using dbm as a cache engine:

-
-    <Directory /usr/www/myhost/private>
-        AuthType Basic
-        AuthName "Cached Authentication Example"
-        AuthBasicProvider socache dbd
-        AuthDBDUserPWQuery "SELECT password FROM authn WHERE user = %s"
-        AuthnCacheProvideFor dbd
-        AuthnCacheContext dbd-authn-example
-        AuthnCacheSOCache dbm
-        Require valid-user
-    </Directory>
-    
+ +<Directory /usr/www/myhost/private> + AuthType Basic + AuthName "Cached Authentication Example" + AuthBasicProvider socache dbd + AuthDBDUserPWQuery "SELECT password FROM authn WHERE user = %s" + AuthnCacheProvideFor dbd + AuthnCacheContext dbd-authn-example + AuthnCacheSOCache dbm + Require valid-user +</Directory> +
Cacheing with custom modules @@ -142,9 +142,9 @@ the load on backends

For example, to cache credentials found by mod_authn_dbd or by a custom provider myprovider, but leave those looked up by lightweight providers like file or dbm lookup alone:

- - AuthnCacheProvideFor dbd myprovider - + +AuthnCacheProvideFor dbd myprovider + Modified: httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authnz_ldap.xml URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authnz_ldap.xml?rev=1334008&r1=1334007&r2=1334008&view=diff ============================================================================== --- httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authnz_ldap.xml (original) +++ httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authnz_ldap.xml Fri May 4 14:59:59 2012 @@ -340,11 +340,11 @@ for HTTP Basic authentication.ldap://ldap/o=Example?cn (i.e., cn is used for searches), the following Require directives could be used to restrict access:

- -Require ldap-user "Barbara Jenson"
-Require ldap-user "Fred User"
-Require ldap-user "Joe Manager"
-
+ +Require ldap-user "Barbara Jenson" +Require ldap-user "Fred User" +Require ldap-user "Joe Manager" +

Because of the way that mod_authnz_ldap handles this directive, Barbara Jenson could sign on as Barbara @@ -356,7 +356,7 @@ Require ldap-user "Joe Manager"

If the uid attribute was used instead of the cn attribute in the URL above, the above three lines could be condensed to

-Require ldap-user bjenson fuser jmanager +Require ldap-user bjenson fuser jmanager
Require ldap-group @@ -366,58 +366,58 @@ Require ldap-user "Joe Manager"
group. Note: Do not surround the group name with quotes. For example, assume that the following entry existed in the LDAP directory:

- -dn: cn=Administrators, o=Example
-objectClass: groupOfUniqueNames
-uniqueMember: cn=Barbara Jenson, o=Example
-uniqueMember: cn=Fred User, o=Example
-
+
+dn: cn=Administrators, o=Example
+objectClass: groupOfUniqueNames
+uniqueMember: cn=Barbara Jenson, o=Example
+uniqueMember: cn=Fred User, o=Example
+

The following directive would grant access to both Fred and Barbara:

-Require ldap-group cn=Administrators, o=Example +Require ldap-group cn=Administrators, o=Example

Members can also be found within sub-groups of a specified LDAP group if AuthLDAPMaxSubGroupDepth is set to a value greater than 0. For example, assume the following entries exist in the LDAP directory:

- -dn: cn=Employees, o=Example
-objectClass: groupOfUniqueNames
-uniqueMember: cn=Managers, o=Example
-uniqueMember: cn=Administrators, o=Example
-uniqueMember: cn=Users, o=Example
-
-dn: cn=Managers, o=Example
-objectClass: groupOfUniqueNames
-uniqueMember: cn=Bob Ellis, o=Example
-uniqueMember: cn=Tom Jackson, o=Example
-
-dn: cn=Administrators, o=Example
-objectClass: groupOfUniqueNames
-uniqueMember: cn=Barbara Jenson, o=Example
-uniqueMember: cn=Fred User, o=Example
-
-dn: cn=Users, o=Example
-objectClass: groupOfUniqueNames
-uniqueMember: cn=Allan Jefferson, o=Example
-uniqueMember: cn=Paul Tilley, o=Example
-uniqueMember: cn=Temporary Employees, o=Example
-
-dn: cn=Temporary Employees, o=Example
-objectClass: groupOfUniqueNames
-uniqueMember: cn=Jim Swenson, o=Example
-uniqueMember: cn=Elliot Rhodes, o=Example
-
+
+dn: cn=Employees, o=Example
+objectClass: groupOfUniqueNames
+uniqueMember: cn=Managers, o=Example
+uniqueMember: cn=Administrators, o=Example
+uniqueMember: cn=Users, o=Example
+
+dn: cn=Managers, o=Example
+objectClass: groupOfUniqueNames
+uniqueMember: cn=Bob Ellis, o=Example
+uniqueMember: cn=Tom Jackson, o=Example
+
+dn: cn=Administrators, o=Example
+objectClass: groupOfUniqueNames
+uniqueMember: cn=Barbara Jenson, o=Example
+uniqueMember: cn=Fred User, o=Example
+
+dn: cn=Users, o=Example
+objectClass: groupOfUniqueNames
+uniqueMember: cn=Allan Jefferson, o=Example
+uniqueMember: cn=Paul Tilley, o=Example
+uniqueMember: cn=Temporary Employees, o=Example
+
+dn: cn=Temporary Employees, o=Example
+objectClass: groupOfUniqueNames
+uniqueMember: cn=Jim Swenson, o=Example
+uniqueMember: cn=Elliot Rhodes, o=Example
+

The following directives would allow access for Bob Ellis, Tom Jackson, Barbara Jensen, Fred User, Allan Jefferson, and Paul Tilley but would not allow access for Jim Swenson, or Elliot Rhodes (since they are at a sub-group depth of 2):

- -Require ldap-group cn=Employees, o-Example
-AuthLDAPSubGroupDepth 1
-
+ +Require ldap-group cn=Employees, o-Example +AuthLDAPSubGroupDepth 1 +

Behavior of this directive is modified by the AuthLDAPGroupAttribute,

The following directive would grant access to a specific DN:

-Require ldap-dn cn=Barbara Jenson, o=Example +Require ldap-dn cn=Barbara Jenson, o=Example

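Review bot: The sub-group example near the end of this hunk keeps two errors from the old text in its added lines. `Require ldap-group cn=Employees, o-Example` should read `o=Example` to match the LDIF entries above it, and `AuthLDAPSubGroupDepth 1` does not match the directive the preceding paragraph names, `AuthLDAPMaxSubGroupDepth`. Since both lines are being rewritten anyway, fix them here. The context paragraph also spells the user "Barbara Jensen" where the directory entries have "Barbara Jenson".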
Behavior of this directive is modified by the AuthLDAPCompareDNOnServer @@ -457,7 +457,7 @@ AuthLDAPSubGroupDepth 1

The following directive would grant access to anyone with the attribute employeeType = active

- Require ldap-attribute employeeType=active + Require ldap-attribute employeeType=active

Multiple attribute/value pairs can be specified on the same line separated by spaces or they can be specified in multiple @@ -470,7 +470,7 @@ AuthLDAPSubGroupDepth 1

The following directive would grant access to anyone with the city attribute equal to "San Jose" or status equal to "Active"

- Require ldap-attribute city="San Jose" status=active + Require ldap-attribute city="San Jose" status=active
@@ -484,7 +484,7 @@ AuthLDAPSubGroupDepth 1

The following directive would grant access to anyone having a cell phone and is in the marketing department

- Require ldap-filter &(cell=*)(department=marketing) + Require ldap-filter &(cell=*)(department=marketing)

The difference between the Require ldap-filter directive and the Require ldap-attribute directive is that ldap-filter @@ -504,19 +504,19 @@ AuthLDAPSubGroupDepth 1

  • Grant access to anyone who exists in the LDAP directory, using their UID for searches. - -AuthLDAPURL "ldap://ldap1.example.com:389/ou=People, o=Example?uid?sub?(objectClass=*)"
    + +AuthLDAPURL "ldap://ldap1.example.com:389/ou=People, o=Example?uid?sub?(objectClass=*)" Require valid-user -
    +
  • The next example is the same as above; but with the fields that have useful defaults omitted. Also, note the use of a redundant LDAP server. -AuthLDAPURL "ldap://ldap1.example.com ldap2.example.com/ou=People, o=Example"
    +AuthLDAPURL "ldap://ldap1.example.com ldap2.example.com/ou=People, o=Example" Require valid-user -
    +
  • @@ -528,19 +528,19 @@ Require valid-user this approach is not recommended: it's a better idea to choose an attribute that is guaranteed unique in your directory, such as uid. - -AuthLDAPURL "ldap://ldap.example.com/ou=People, o=Example?cn"
    + +AuthLDAPURL "ldap://ldap.example.com/ou=People, o=Example?cn" Require valid-user -
    +
  • Grant access to anybody in the Administrators group. The users must authenticate using their UID. - -AuthLDAPURL ldap://ldap.example.com/o=Example?uid
    + +AuthLDAPURL ldap://ldap.example.com/o=Example?uid Require ldap-group cn=Administrators, o=Example -
    +
  • @@ -549,10 +549,10 @@ Require ldap-group cn=Administrators, o= of qpagePagerID. The example will grant access only to people (authenticated via their UID) who have alphanumeric pagers: - -AuthLDAPURL ldap://ldap.example.com/o=Example?uid??(qpagePagerID=*)
    + +AuthLDAPURL ldap://ldap.example.com/o=Example?uid??(qpagePagerID=*) Require valid-user -
    +
  • @@ -565,10 +565,10 @@ Require valid-user a pager, plus grant access to Joe Manager, who doesn't have a pager, but does need to access the same resource:

    - -AuthLDAPURL ldap://ldap.example.com/o=Example?uid??(|(qpagePagerID=*)(uid=jmanager))
    + +AuthLDAPURL ldap://ldap.example.com/o=Example?uid??(|(qpagePagerID=*)(uid=jmanager)) Require valid-user -
    +

    This last may look confusing at first, so it helps to evaluate what the search filter will look like based on who @@ -663,11 +663,11 @@ Require valid-user subtree search for the attribute userPrincipalName, with an empty search root, like so:

    - -AuthLDAPBindDN apache@example.com
    -AuthLDAPBindPassword password
    + +AuthLDAPBindDN apache@example.com +AuthLDAPBindPassword password AuthLDAPURL ldap://10.0.0.1:3268/?userPrincipalName?sub -
    +

    Users will need to enter their User Principal Name as a login, in the form somebody@nz.example.com.

    @@ -690,11 +690,11 @@ AuthLDAPURL ldap://10.0.0.1:3268/?userPr authentication to it is a matter of adding the following directives to every .htaccess file that gets created in the web

    -
    +
     AuthLDAPURL            "the url"
     AuthGroupFile mygroupfile
     Require group mygroupfile
    -
    +
    How It Works @@ -864,8 +864,8 @@ to perform a DN lookup AuthLDAPBindDN.

    - AuthLDAPInitialBindPattern (.+) $1@example.com - AuthLDAPInitialBindPattern (.+) cn=$1,dc=example,dc=com + AuthLDAPInitialBindPattern (.+) $1@example.com + AuthLDAPInitialBindPattern (.+) cn=$1,dc=example,dc=com Not available with authorization-only This directive can only be used if this module authenticates the user, and @@ -1215,7 +1215,7 @@ objects that are groups during sub-group to use. The syntax of the URL is

    ldap://host:port/basedn?attribute?scope?filter

    If you want to specify more than one LDAP URL that Apache should try in turn, the syntax is:

    -AuthLDAPUrl "ldap://ldap1.example.com ldap2.example.com/dc=..." +AuthLDAPUrl "ldap://ldap1.example.com ldap2.example.com/dc=..."

    Caveat: If you specify multiple servers, you need to enclose the entire URL string in quotes; otherwise you will get an error: "AuthLDAPURL takes one argument, URL to define LDAP connection.." You can of course use search parameters on each of these.
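Review bot: The rewritten example line spells the directive `AuthLDAPUrl`, while the error message quoted in the caveat below it and the other examples in this file use `AuthLDAPURL`. Directive names are case-insensitive, so the example works, but use `AuthLDAPURL` here so the manual is consistent and the example is found when searching for the directive name.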

    Modified: httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_core.xml URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_core.xml?rev=1334008&r1=1334007&r2=1334008&view=diff ============================================================================== --- httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_core.xml (original) +++ httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_core.xml Fri May 4 14:59:59 2012 @@ -58,38 +58,33 @@ multiple ldap hosts:

    - Example - <AuthzProviderAlias ldap-group ldap-group-alias1 cn=my-group,o=ctx>
    - - AuthLDAPBindDN cn=youruser,o=ctx
    - AuthLDAPBindPassword yourpassword
    - AuthLDAPURL ldap://ldap.host/o=ctx
    -
    - </AuthzProviderAlias>

    - <AuthzProviderAlias ldap-group ldap-group-alias2 - cn=my-other-group,o=dev>
    - - AuthLDAPBindDN cn=yourotheruser,o=dev
    - AuthLDAPBindPassword yourotherpassword
    - AuthLDAPURL ldap://other.ldap.host/o=dev?cn
    -
    - </AuthzProviderAlias>

    - - Alias /secure /webpages/secure
    - <Directory /webpages/secure>
    - - Require all granted

    - - AuthBasicProvider file

    - - AuthType Basic
    - AuthName LDAP_Protected_Place

    - - #implied OR operation
    - Require ldap-group-alias1
    - Require ldap-group-alias2
    -
    </Directory>
    -
    + +<AuthzProviderAlias ldap-group ldap-group-alias1 cn=my-group,o=ctx> + AuthLDAPBindDN cn=youruser,o=ctx + AuthLDAPBindPassword yourpassword + AuthLDAPURL ldap://ldap.host/o=ctx +</AuthzProviderAlias> + +<AuthzProviderAlias ldap-group ldap-group-alias2 cn=my-other-group,o=dev> + AuthLDAPBindDN cn=yourotheruser,o=dev + AuthLDAPBindPassword yourotherpassword + AuthLDAPURL ldap://other.ldap.host/o=dev?cn +</AuthzProviderAlias> + +Alias /secure /webpages/secure +<Directory /webpages/secure> + Require all granted + + AuthBasicProvider file + + AuthType Basic + AuthName LDAP_Protected_Place + + #implied OR operation + Require ldap-group-alias1 + Require ldap-group-alias2 +</Directory> +
    @@ -115,39 +110,27 @@ not belong to either the temps group or the LDAP group Temporary Employees.

    - - <Directory /www/mydocs> - + +<Directory /www/mydocs> + <RequireAll> + <RequireAny> + Require user superadmin <RequireAll> - + Require group admins + Require ldap-group cn=Administrators,o=Airius <RequireAny> - - Require user superadmin
    - <RequireAll> - - Require group admins
    - Require ldap-group cn=Administrators,o=Airius
    - <RequireAny> - - Require group sales
    - Require ldap-attribute dept="sales" -
    - </RequireAny> -
    - </RequireAll> -
    - </RequireAny>
    - <RequireNone> - - Require group temps
    - Require ldap-group cn=Temporary Employees,o=Airius -
    - </RequireNone> -
    + Require group sales + Require ldap-attribute dept="sales" + </RequireAny> </RequireAll> -
    - </Directory> -
    + </RequireAny> + <RequireNone> + Require group temps + Require ldap-group cn=Temporary Employees,o=Airius + </RequireNone> + </RequireAll> +</Directory> +
    The Require Directives @@ -171,14 +154,12 @@ User-Agent (browser type), Referer, or other HTTP request header fields.

    - Example: - SetEnvIf User-Agent ^KnockKnock/2\.0 let_me_in
    - <Directory /docroot>
    - - Require env let_me_in
    -
    - </Directory> -
    + +SetEnvIf User-Agent ^KnockKnock/2\.0 let_me_in +<Directory /docroot> + Require env let_me_in +</Directory> +

    In this case, browsers with a user-agent string beginning with KnockKnock/2.0 will be allowed access, and all @@ -194,13 +175,13 @@ 'granted' or 'denied'. The following examples will grant or deny access to all requests.

    - - Require all granted
    -
    - - - Require all denied
    -
    + + Require all granted + + + + Require all denied +
    @@ -214,20 +195,20 @@

    The following example will only allow GET, HEAD, POST, and OPTIONS requests:

    - - Require method GET POST OPTIONS
    -
    + + Require method GET POST OPTIONS +

    The following example will allow GET, HEAD, POST, and OPTIONS requests without authentication, and require a valid user for all other methods:

    - - <RequireAny>
    -  Require method GET POST OPTIONS
    -  Require valid-user
    - </RequireAny>
    -
    + +<RequireAny> +  Require method GET POST OPTIONS +  Require valid-user +</RequireAny> + @@ -236,9 +217,9 @@

    The expr provider allows to base authorization decisions on arbitrary expressions.

    - - Require expr %{TIME_HOUR} >= 9 && %{TIME_HOUR} <= 17
    -
    + + Require expr %{TIME_HOUR} >= 9 && %{TIME_HOUR} <= 17 +

    The syntax is described in the ap_expr documentation.
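Review bot: In the `Require expr` line, `>=` and `<=` are string comparison operators in ap_expr, so `%{TIME_HOUR} >= 9` compares the two-digit hour as text and does not express the numeric 9-to-17 window the example suggests. Use the integer operators instead, `Require expr %{TIME_HOUR} -ge 9 && %{TIME_HOUR} -le 17`, since this line is being touched anyway.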

    @@ -321,14 +302,14 @@ an authorization provider. and AuthGroupFile (to define users and groups) in order to work correctly. Example:

    - - AuthType Basic
    - AuthName "Restricted Resource"
    - AuthBasicProvider file
    - AuthUserFile /web/users
    - AuthGroupFile /web/groups
    - Require group admin -
    + +AuthType Basic +AuthName "Restricted Resource" +AuthBasicProvider file +AuthUserFile /web/users +AuthGroupFile /web/groups +Require group admin +

    Access controls which are applied in this way are effective for all methods. This is what is normally @@ -350,18 +331,14 @@ an authorization provider. and beta groups are authorized, except for those who are also in the reject group.

    - - <Directory /www/docs> - - <RequireAll> - - Require group alpha beta
    - Require not group reject -
    - </RequireAll> -
    - </Directory> -
    + +<Directory /www/docs> + <RequireAll> + Require group alpha beta + Require not group reject + </RequireAll> +</Directory> +

    When multiple Require directives are used in a single @@ -540,30 +517,24 @@ sections. preceding sections. Thus only users belong to the group gamma may access /www/docs/ab/gamma. - - <Directory /www/docs> - - AuthType Basic
    - AuthName Documents
    - AuthBasicProvider file
    - AuthUserFile /usr/local/apache/passwd/passwords
    - Require group alpha -
    - </Directory>
    -
    - <Directory /www/docs/ab> - - AuthMerging Or
    - Require group beta -
    - </Directory>
    -
    - <Directory /www/docs/ab/gamma> - - Require group gamma - - </Directory> -
    + +<Directory /www/docs> + AuthType Basic + AuthName Documents + AuthBasicProvider file + AuthUserFile /usr/local/apache/passwd/passwords + Require group alpha +</Directory> + +<Directory /www/docs/ab> + AuthMerging Or + Require group beta +</Directory> + +<Directory /www/docs/ab/gamma> + Require group gamma +</Directory> + Modified: httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_dbd.xml URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_dbd.xml?rev=1334008&r1=1334007&r2=1334008&view=diff ============================================================================== --- httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_dbd.xml (original) +++ httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_dbd.xml Fri May 4 14:59:59 2012 @@ -80,8 +80,8 @@ to implement functions that start and en

    -Configuration Example -
    +Configuration example
    +
     # mod_dbd configuration
     DBDriver pgsql
     DBDParams "dbname=apacheauth user=apache pass=xxxxxx"
    @@ -115,13 +115,11 @@ DBDExptime 300
     
       <Files login.html>
         # don't require user to already be logged in!
    -    AuthDBDUserPWQuery \
    -      "SELECT password FROM authn WHERE user = %s"
    +    AuthDBDUserPWQuery "SELECT password FROM authn WHERE user = %s"
     
         # dbd-login action executes a statement to log user in
         Require dbd-login
    -    AuthzDBDQuery \
    -      "UPDATE authn SET login = 'true' WHERE user = %s"
    +    AuthzDBDQuery "UPDATE authn SET login = 'true' WHERE user = %s"
     
         # return user to referring page (if any) after
         # successful login
    @@ -131,11 +129,10 @@ DBDExptime 300
       <Files logout.html>
         # dbd-logout action executes a statement to log user out
         Require dbd-logout
    -    AuthzDBDQuery \
    -      "UPDATE authn SET login = 'false' WHERE user = %s"
    +    AuthzDBDQuery "UPDATE authn SET login = 'false' WHERE user = %s"
       </Files>
     </Directory>
    -
    +
    @@ -157,22 +154,20 @@ DBDExptime 300 The first column value of each row returned by the query statement should be a string containing a group name. Zero, one, or more rows may be returned. - Example
    +    
     Require dbd-group
    -AuthzDBDQuery \
    -  "SELECT group FROM groups WHERE user = %s"
    -
    +AuthzDBDQuery "SELECT group FROM groups WHERE user = %s" +
  • When used with a Require dbd-login or Require dbd-logout directive, it will never deny access, but will instead execute a SQL statement designed to log the user in or out. The user must already be authenticated with mod_authn_dbd. - Example
    +    
     Require dbd-login
    -AuthzDBDQuery \
    -  "UPDATE authn SET login = 'true' WHERE user = %s"
    -
    +AuthzDBDQuery "UPDATE authn SET login = 'true' WHERE user = %s" +
  • In all cases, the user's ID will be passed as a single string @@ -193,10 +188,9 @@ AuthzDBDQuery \ specific to the user. The user's ID will be passed as a single string parameter when the SQL query is executed. It may be referenced within the query statement using a %s format specifier.

    - Example
    -AuthzDBDRedirectQuery \
    -  "SELECT userpage FROM userpages WHERE user = %s"
    -
    + +AuthzDBDRedirectQuery "SELECT userpage FROM userpages WHERE user = %s" +

    The first column value of the first row returned by the query statement should be a string containing a URL to which to redirect the client. Subsequent rows will be ignored. If no rows are returned, Modified: httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_dbm.xml URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_dbm.xml?rev=1334008&r1=1334007&r2=1334008&view=diff ============================================================================== --- httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_dbm.xml (original) +++ httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_dbm.xml Fri May 4 14:59:59 2012 @@ -75,10 +75,10 @@ of user groups for authorization - - AuthDBMGroupFile /www/userbase
    - AuthDBMUserFile /www/userbase -
    + +AuthDBMGroupFile /www/userbase +AuthDBMUserFile /www/userbase +

    The key for the single DBM is the username. The value consists of

    Modified: httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_host.xml URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_host.xml?rev=1334008&r1=1334007&r2=1334008&view=diff ============================================================================== --- httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_host.xml (original) +++ httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_host.xml Fri May 4 14:59:59 2012 @@ -75,35 +75,35 @@ address)

    A full IP address:

    - - Require ip 10.1.2.3
    - Require ip 192.168.1.104 192.168.1.205 -
    + +Require ip 10.1.2.3 +Require ip 192.168.1.104 192.168.1.205 +

    An IP address of a host allowed access

    A partial IP address:

    - - Require ip 10.1
    - Require ip 10 172.20 192.168.2 -
    + +Require ip 10.1 +Require ip 10 172.20 192.168.2 +

    The first 1 to 3 bytes of an IP address, for subnet restriction.

    A network/netmask pair:

    - + Require ip 10.1.0.0/255.255.0.0 - +

    A network a.b.c.d, and a netmask w.x.y.z. For more fine-grained subnet restriction.

    A network/nnn CIDR specification:

    - + Require ip 10.1.0.0/16 - +

    Similar to the previous case, except the netmask consists of nnn high-order 1 bits.

    @@ -113,10 +113,10 @@ address)

    IPv6 addresses and IPv6 subnets can be specified as shown below:

    - - Require ip 2001:db8::a00:20ff:fea7:ccea
    - Require ip 2001:db8::a00:20ff:fea7:ccea/10 -
    + +Require ip 2001:db8::a00:20ff:fea7:ccea +Require ip 2001:db8::a00:20ff:fea7:ccea/10 + @@ -130,10 +130,10 @@ address)

    A (partial) domain-name

    - - Require host example.org
    - Require host .net example.edu -
    + +Require host example.org +Require host .net example.edu +

    Hosts whose names match, or end in, this string are allowed access. Only complete components are matched, so the above @@ -164,9 +164,9 @@ address)

    This allows a convenient way to match connections that originate from the local host:

    - + Require local - + Modified: httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_owner.xml URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_owner.xml?rev=1334008&r1=1334007&r2=1334008&view=diff ============================================================================== --- httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_owner.xml (original) +++ httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_owner.xml Fri May 4 14:59:59 2012 @@ -85,17 +85,15 @@ files in /home/smith/public_html/private unless they were owned by jones instead of smith.

    - - <Directory /home/*/public_html/private>
    - - AuthType Basic
    - AuthName MyPrivateFiles
    - AuthBasicProvider dbm
    - AuthDBMUserFile /usr/local/apache2/etc/.htdbm-all
    - Require file-owner
    -
    - </Directory> -
    + +<Directory /home/*/public_html/private> + AuthType Basic + AuthName MyPrivateFiles + AuthBasicProvider dbm + AuthDBMUserFile /usr/local/apache2/etc/.htdbm-all + Require file-owner +</Directory> +
    Require file-group @@ -111,22 +109,20 @@ authorized to access the project-foo directories of each other.

    - - <Directory /home/*/public_html/project-foo>
    - - AuthType Basic
    - AuthName "Project Foo Files"
    - AuthBasicProvider dbm
    -
    - # combined user/group database
    - AuthDBMUserFile /usr/local/apache2/etc/.htdbm-all
    - AuthDBMGroupFile /usr/local/apache2/etc/.htdbm-all
    -
    - Satisfy All
    - Require file-group
    -
    - </Directory> -
    + +<Directory /home/*/public_html/project-foo> + AuthType Basic + AuthName "Project Foo Files" + AuthBasicProvider dbm + + # combined user/group database + AuthDBMUserFile /usr/local/apache2/etc/.htdbm-all + AuthDBMGroupFile /usr/local/apache2/etc/.htdbm-all + + Satisfy All + Require file-group +</Directory> +
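Review bot: "Satisfy All" is carried over unchanged into the new project-foo block, but on the 2.4.x branch Satisfy is provided by mod_access_compat, so the example as written fails to parse on a server that does not load that module. The block has a single "Require file-group" line and no host-based restriction, so the directive contributes nothing to the access decision here. Consider removing it from the 2.4 manual, or stating the mod_access_compat dependency next to the example, in a follow-up so that this commit stays formatting-only.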
    Modified: httpd/httpd/branches/2.4.x/docs/manual/mod/mod_autoindex.xml URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/docs/manual/mod/mod_autoindex.xml?rev=1334008&r1=1334007&r2=1334008&view=diff ============================================================================== --- httpd/httpd/branches/2.4.x/docs/manual/mod/mod_autoindex.xml (original) +++ httpd/httpd/branches/2.4.x/docs/manual/mod/mod_autoindex.xml Fri May 4 14:59:59 2012 @@ -69,7 +69,8 @@ same header repeatedly toggles between ascending and descending order. These column header links are suppressed with the IndexOptions directive's - SuppressColumnSorting option.

    + SuppressColumnSorting + option.

    Note that when the display is sorted by "Size", it's the actual size of the files that's used, not the @@ -201,10 +202,10 @@ icon selected by filename is displayed if the client is image-incapable, has image loading disabled, or fails to retrieve the icon.

    - Examples - AddAlt "PDF file" *.pdf
    - AddAlt Compressed *.gz *.zip *.Z -
    + +AddAlt "PDF file" *.pdf +AddAlt Compressed *.gz *.zip *.Z + @@ -229,9 +230,9 @@ selected by MIME-encoding This alternate text is displayed if the client is image-incapable, has image loading disabled, or fails to retrieve the icon.

    - Example + AddAltByEncoding gzip x-gzip - + @@ -256,9 +257,9 @@ icon selected by MIME content-type - Example + AddAltByType 'plain text' text/plain - + @@ -279,10 +280,10 @@ icon selected by MIME content-typeString is enclosed in double quotes (").

    - Example - AddDescription "The planet Mars" mars.gif
    - AddDescription "My friend Marshall" friends/mars.gif -
    + +AddDescription "The planet Mars" mars.gif +AddDescription "My friend Marshall" friends/mars.gif +

    The typical, default description field is 23 bytes wide. 6 more bytes are added by the IndexOptions HTMLTable.
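Review bot: the "Example" title on the removed AddDescription block is dropped with no replacement, while the AddIcon change further down keeps its title as a "#Examples" comment and the ReadmeName change writes "# Example 1" with a space after the hash. Pick one treatment for the former example titles across mod_autoindex.xml, either dropping them all or keeping them as "# Example" comments with the same spacing, so the converted config blocks read uniformly.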

    - Examples - AddIcon (IMG,/icons/image.png) .gif .jpg .png
    - AddIcon /icons/dir.png ^^DIRECTORY^^
    - AddIcon /icons/backup.png *~ -
    + +#Examples +AddIcon (IMG,/icons/image.png) .gif .jpg .png +AddIcon /icons/dir.png ^^DIRECTORY^^ +AddIcon /icons/backup.png *~ +

    AddIconByType should be used in preference to AddIcon, @@ -388,9 +390,9 @@ content-encoding

    MIME-encoding is a valid content-encoding, such as x-compress.

    - Example + AddIconByEncoding /icons/compress.png x-compress - + @@ -418,9 +420,9 @@ content-type

    MIME-type is a wildcard expression matching required the mime types.

    - Example + AddIconByType (IMG,/icons/image.png) image/* - + @@ -441,9 +443,9 @@ configured Url-path is a (%-escaped) relative URL to the icon, or a fully qualified remote URL.

    - Example + DefaultIcon /icon/unknown.png - + @@ -462,9 +464,9 @@ of the index listing of the file that will be inserted at the top of the index listing. Filename is the name of the file to include.

    - Example + HeaderName HEADER.html - +

    Both HeaderName and with a slash, it will be taken to be relative to the DocumentRoot.

    - Example + HeaderName /include/HEADER.html - +

    Filename must resolve to a document with a major content type of text/* (e.g., @@ -485,9 +487,9 @@ of the index listing actual file type (as opposed to its output) is marked as text/html such as with a directive like:

    - + AddType text/html .cgi - +

    Content negotiation will be performed if Options @@ -530,9 +532,9 @@ a directory files. By default, the list contains . (the current directory).

    - + IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t - + Regular Expressions

    This directive does not currently work in configuration sections @@ -560,15 +562,15 @@ a directory any files ignored by IndexIgnore otherwise inherited from other configuration sections.

    - - <Directory /var/www> - IndexIgnore *.bak .??* *~ *# HEADER* README* RCS CVS *,v *,t - </Directory> - <Directory /var/www/backups> - IndexIgnoreReset ON - IndexIgnore .??* *# HEADER* README* RCS CVS *,v *,t - </Directory> - + +<Directory /var/www> + IndexIgnore *.bak .??* *~ *# HEADER* README* RCS CVS *,v *,t +</Directory> +<Directory /var/www/backups> + IndexIgnoreReset ON + IndexIgnore .??* *# HEADER* README* RCS CVS *,v *,t +</Directory> +

    Review the default configuration for a list of patterns that you might want to explicitly ignore after using this @@ -620,9 +622,9 @@ indexing (It depends on whether the underlying file system uses Unicode filenames or not.) - Example: + IndexOptions Charset=UTF-8 - +

    specify the MIME content-type of the generated page. The default is text/html. - Example: + IndexOptions Type=text/plain - +
  • Multiple IndexOptions directives for a single directory are now merged together. The result of: - - <Directory /foo> - - IndexOptions HTMLTable
    - IndexOptions SuppressColumnsorting -
    - </Directory> -
    + +<Directory /foo> + IndexOptions HTMLTable + IndexOptions SuppressColumnsorting +</Directory> +

    will be the equivalent of

    - + IndexOptions HTMLTable SuppressColumnsorting - +
  • The addition of the incremental syntax (i.e., prefixing @@ -945,10 +945,10 @@ indexing clears all inherited options and any incremental settings encountered so far. Consider the following example:

    - - IndexOptions +ScanHTMLTitles -IconsAreLinks FancyIndexing
    - IndexOptions +SuppressSize -
    + +IndexOptions +ScanHTMLTitles -IconsAreLinks FancyIndexing
    +IndexOptions +SuppressSize +

    The net effect is equivalent to IndexOptions FancyIndexing +SuppressSize, because the unprefixed FancyIndexing @@ -1014,10 +1014,9 @@ Name|Date|Size|Description

    The IndexStyleSheet directive sets the name of the file that will be used as the CSS for the index listing.

    - - Example + IndexStyleSheet "/css/style.css" - +

    Using this directive in conjunction with IndexOptions HTMLTable adds a number of CSS classes to the resulting HTML. @@ -1053,10 +1052,9 @@ Name|Date|Size|Description

    The IndexHeadInsert directive specifies a string to insert in the <head> section of the HTML generated for the index page.

    - - Example + IndexHeadInsert "<link rel=\"sitemap\" href=\"/sitemap.html\">" - + @@ -1079,13 +1077,15 @@ of the index listing relative to the DocumentRoot.

    - Example 1 - ReadmeName FOOTER.html - - - Example 2 - ReadmeName /include/FOOTER.html - + +# Example 1 +ReadmeName FOOTER.html + + + +# Example 2 +ReadmeName /include/FOOTER.html +

    See also HeaderName, where this behavior is described in greater