Return-Path: Delivered-To: apmail-httpd-docs-archive@httpd.apache.org Received: (qmail 24083 invoked by uid 500); 18 Feb 2003 22:24:17 -0000 Mailing-List: contact docs-help@httpd.apache.org; run by ezmlm Precedence: bulk list-help: list-unsubscribe: list-post: Reply-To: docs@httpd.apache.org Delivered-To: mailing list docs@httpd.apache.org Received: (qmail 24066 invoked from network); 18 Feb 2003 22:24:16 -0000 Message-Id: X-Mailer: Novell GroupWise Internet Agent 6.5.0 Date: Tue, 18 Feb 2003 15:24:13 -0700 From: "Brad Nicholes" To: , Subject: Re: cvs commit: httpd-2.0/docs/manual/mod mod_ldap.xml mod_auth_ldap.xml Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Disposition: inline X-Spam-Rating: daedalus.apache.org 1.6.2 500/1000/N Could one of the doc gurus please review the changes to the XML in the LDAP pages to make sure that it is correct. Also regenerate the HTML pages. Brad Brad Nicholes Senior Software Engineer Novell, Inc., the leading provider of Net business solutions http://www.novell.com >>> bnicholes@apache.org Tuesday, February 18, 2003 3:21:24 PM >>> bnicholes 2003/02/18 14:21:24 Modified: docs/manual/mod mod_ldap.xml mod_auth_ldap.xml Log: Update the mod_auth_ldap and mod_ldap documentation to show the new directives for establishing an SSL connection and the addition of the Novell LDAP SDK. Revision Changes Path 1.4 +72 -9 httpd-2.0/docs/manual/mod/mod_ldap.xml Index: mod_ldap.xml =================================================================== RCS file: /home/cvs/httpd-2.0/docs/manual/mod/mod_ldap.xml,v retrieving revision 1.3 retrieving revision 1.4 diff -u -r1.3 -r1.4 --- mod_ldap.xml 16 Nov 2002 20:21:38 -0000 1.3 +++ mod_ldap.xml 18 Feb 2003 22:21:24 -0000 1.4 @@ -22,6 +22,13 @@ apr-util. This is achieved by adding the --with-ldap flag to the ./configure script when building Apache.

+ +

SSL support requires that mod_ldap be linked + with one of the following LDAP SDKs: + OpenLDAP SDK (both 1.x and 2.x), + Novell LDAP SDK or the + iPlanet(Netscape) SDK.

+
Example Configuration @@ -156,6 +163,51 @@
+
Using SSL + +

The ability to create an SSL connections to an LDAP server + is defined by the directives + LDAPTrustedCA and + LDAPTrustedCAType. These directives specify the certificate + file or database and the certificate type. Whenever the LDAP url + includes ldaps://, mod_ldap will establish + a secure connection to the LDAP server. + + + # Establish an SSL LDAP connection. Requires that
+ # mod_ldap and mod_auth_ldap be loaded. Change the
+ # "yourdomain.example.com" to match your domain.
+
+ LDAPTrustedCA /certs/certfile.der
+ LDAPTrustedCAType DER_FILE
+
+ <Location /ldap-status>
+ + SetHandler ldap-status
+ Order deny,allow
+ Deny from all
+ Allow from yourdomain.example.com
+ AuthLDAPEnabled on
+ AuthLDAPURL ldaps://127.0.0.1/dc=example,dc=com?uid?one
+ AuthLDAPAuthoritative on
+ require valid-user
+
+ </Location> +
+ +

If mod_ldap is linked against the + Netscape/iPlanet LDAP SDK, it will not talk to any SSL server + unless that server has a certificate signed by a known Certificate + Authority. As part of the configuration + mod_ldap needs to be told where it can find + a database containing the known CAs. This database is in the same + format as Netscape Communicator's cert7.db + database. The easiest way to get this file is to start up a fresh + copy of Netscape, and grab the resulting + $HOME/.netscape/cert7.db file.

+ +
+ LDAPSharedCacheSize Size in bytes of the shared-memory cache @@ -228,19 +280,30 @@ -LDAPCertDBPath -Directory containing certificates for SSL support -LDAPCertDBPath directory-path +LDAPTrustedCA +Sets the file containing the trusted Certificate Authority certificate or database +LDAPTrustedCA directory-path/filename server config -

This directive is only valid if Apache has been linked - against the Netscape/iPlanet Directory SDK.

+

It specifies the directory path and file name of the trusted CA + mod_ldap should use when establishing an SSL + connection to an LDAP server. If using the Netscape/iPlanet Directory + SDK, the file name should be cert7.db.

+
+
-

It specifies in which directory mod_ldap - should look for the certificate authorities database for SSL - support. There should be a file named cert7.db in that - directory.

+ +LDAPTrustedCAType +Specifies the type of the Certificate Authority file +LDAPTrustedCAType type +server config + + +

The following types are supported:
+ DER_FILE - file in binary DER format
+ BASE64_FILE - file in Base64 format
+ CERT7_DB_PATH - Netscape certificate database file ")

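Review bot: the new LDAPTrustedCAType entry lists DER_FILE, BASE64_FILE and CERT7_DB_PATH but never says which type goes with which SDK; since the LDAPTrustedCA text says the Netscape/iPlanet SDK expects a cert7.db file, state that CERT7_DB_PATH is the Netscape/iPlanet case and say which of DER_FILE and BASE64_FILE the OpenLDAP and Novell SDKs accept, otherwise administrators will guess. The same hunk drops LDAPCertDBPath without any upgrade note; add a sentence that LDAPCertDBPath has been replaced by LDAPTrustedCA plus LDAPTrustedCAType, and give LDAPTrustedCA a one-line example such as `LDAPTrustedCA /certs/certfile.der` as the other directives on the page have. Also, the line `CERT7_DB_PATH - Netscape certificate database file ")` ends in stray characters that should be removed before the HTML is regenerated.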
1.12 +9 -33 httpd-2.0/docs/manual/mod/mod_auth_ldap.xml Index: mod_auth_ldap.xml =================================================================== RCS file: /home/cvs/httpd-2.0/docs/manual/mod/mod_auth_ldap.xml,v retrieving revision 1.11 retrieving revision 1.12 diff -u -r1.11 -r1.12 --- mod_auth_ldap.xml 22 Jan 2003 07:09:12 -0000 1.11 +++ mod_auth_ldap.xml 18 Feb 2003 22:21:24 -0000 1.12 @@ -17,7 +17,8 @@
  • Known to support the OpenLDAP SDK (both 1.x - and 2.x), and the + Novell LDAP SDK and the iPlanet (Netscape) SDK.
  • @@ -32,7 +33,7 @@ href="mod_ldap.html">mod_ldap.
  • Support for LDAP over SSL (requires the Netscape SDK) or - TLS (requires the OpenLDAP 2.x SDK).
  • + TLS (requires the OpenLDAP 2.x SDK or Novell LDAP SDK).
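Review bot: this line still says LDAP over SSL "requires the Netscape SDK", while the mod_ldap.xml hunk at @@ -22,6 +22,13 @@ in the same commit says SSL support works when mod_ldap is linked with the OpenLDAP, Novell or iPlanet (Netscape) SDK; the two pages should agree. Suggested wording: `Support for LDAP over SSL (requires the OpenLDAP, Novell or Netscape SDK) or TLS (requires the OpenLDAP 2.x SDK or Novell LDAP SDK).`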
@@ -413,24 +414,16 @@
Using TLS -

To use TLS, simply set the AuthLDAPStartTLS to on. - Nothing else needs to be done (other than ensure that your LDAP - server is configured for TLS).

+

To use TLS, see the mod_ldap directives LDAPTrustedCA and LDAPTrustedCAType.

Using SSL -

If mod_auth_ldap is linked against the - Netscape/iPlanet LDAP SDK, it will not talk to any SSL server - unless that server has a certificate signed by a known Certificate - Authority. As part of the configuration - mod_auth_ldap needs to be told where it can find - a database containing the known CAs. This database is in the same - format as Netscape Communicator's cert7.db - database. The easiest way to get this file is to start up a fresh - copy of Netscape, and grab the resulting - $HOME/.netscape/cert7.db file.

+

To use SSL, see the mod_ldap directives LDAPTrustedCA and LDAPTrustedCAType.

To specify a secure LDAP server, use ldaps:// in the AuthLDAPURL @@ -735,23 +728,6 @@ distinguished name of the authenticated user, rather than just the username that was passed by the client. It is turned off by default.

- - - - -AuthLDAPStartTLS -Use a secure TLS connection to the LDAP server -AuthLDAPStartTLS on|off -AuthLDAPStartTLS off -directory.htaccess - -AuthConfig - - -

If this directive is set to on, - mod_auth_ldap will start a secure TLS session - after connecting to the LDAP server. This requires your LDAP - server to support TLS.

--------------------------------------------------------------------- To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org For additional commands, e-mail: docs-help@httpd.apache.org