Return-Path:
Delivered-To: apmail-httpd-docs-archive@httpd.apache.org
Received: (qmail 24083 invoked by uid 500); 18 Feb 2003 22:24:17 -0000
Mailing-List: contact docs-help@httpd.apache.org; run by ezmlm
Precedence: bulk
list-help:
list-unsubscribe:
list-post:
Reply-To: docs@httpd.apache.org
Delivered-To: mailing list docs@httpd.apache.org
Received: (qmail 24066 invoked from network); 18 Feb 2003 22:24:16 -0000
Message-Id:
X-Mailer: Novell GroupWise Internet Agent 6.5.0
Date: Tue, 18 Feb 2003 15:24:13 -0700
From: "Brad Nicholes"
To: ,
Subject: Re: cvs commit: httpd-2.0/docs/manual/mod mod_ldap.xml
mod_auth_ldap.xml
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-Spam-Rating: daedalus.apache.org 1.6.2 500/1000/N
Could one of the doc gurus please review the changes to the XML in the
LDAP pages to make sure that it is correct. Also regenerate the HTML
pages.
Brad
Brad Nicholes
Senior Software Engineer
Novell, Inc., the leading provider of Net business solutions
http://www.novell.com
>>> bnicholes@apache.org Tuesday, February 18, 2003 3:21:24 PM >>>
bnicholes 2003/02/18 14:21:24
Modified: docs/manual/mod mod_ldap.xml mod_auth_ldap.xml
Log:
Update the mod_auth_ldap and mod_ldap documentation to show the new
directives for establishing an SSL connection and the addition of the
Novell LDAP SDK.
Revision Changes Path
1.4 +72 -9 httpd-2.0/docs/manual/mod/mod_ldap.xml
Index: mod_ldap.xml
===================================================================
RCS file: /home/cvs/httpd-2.0/docs/manual/mod/mod_ldap.xml,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- mod_ldap.xml 16 Nov 2002 20:21:38 -0000 1.3
+++ mod_ldap.xml 18 Feb 2003 22:21:24 -0000 1.4
@@ -22,6 +22,13 @@
apr-util. This is achieved by adding the
--with-ldap
flag to the ./configure
script when building
Apache.
+
+ SSL support requires that mod_ldap be
linked
+ with one of the following LDAP SDKs:
+ OpenLDAP SDK (both 1.x and 2.x),
+ Novell LDAP SDK or the
+ iPlanet(Netscape) SDK.
+
Example Configuration
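Review bot: the added "SSL support requires that mod_ldap be linked with one of the following LDAP SDKs" sentence should say what SSL support means for each SDK, because the mod_auth_ldap half of this same commit removes AuthLDAPStartTLS and narrows TLS support to "the OpenLDAP 2.x SDK or Novell LDAP SDK". As written a reader cannot tell whether linking against OpenLDAP 1.x gives ldaps:// connections, StartTLS, or both. Suggest one entry per SDK stating which of the two it provides, e.g. "OpenLDAP SDK (1.x and 2.x): ldaps:// ..." filled in from what apr-util actually implements.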
@@ -156,6 +163,51 @@
+Using SSL
+
+ The ability to create an SSL connections to an LDAP server
+ is defined by the directives
+ LDAPTrustedCA and
+ LDAPTrustedCAType. These directives specify the
certificate
+ file or database and the certificate type. Whenever the LDAP
url
+ includes ldaps://, mod_ldap will
establish
+ a secure connection to the LDAP server.
+
+
+ # Establish an SSL LDAP connection. Requires that
+ # mod_ldap and mod_auth_ldap be loaded. Change the
+ # "yourdomain.example.com" to match your domain.
+
+ LDAPTrustedCA /certs/certfile.der
+ LDAPTrustedCAType DER_FILE
+
+ <Location /ldap-status>
+
+ SetHandler ldap-status
+ Order deny,allow
+ Deny from all
+ Allow from yourdomain.example.com
+ AuthLDAPEnabled on
+ AuthLDAPURL ldaps://127.0.0.1/dc=example,dc=com?uid?one
+ AuthLDAPAuthoritative on
+ require valid-user
+
+ </Location>
+
+
+
If mod_ldap is linked against the
+ Netscape/iPlanet LDAP SDK, it will not talk to any SSL server
+ unless that server has a certificate signed by a known
Certificate
+ Authority. As part of the configuration
+ mod_ldap needs to be told where it can find
+ a database containing the known CAs. This database is in the
same
+ format as Netscape Communicator's cert7.db
+ database. The easiest way to get this file is to start up a
fresh
+ copy of Netscape, and grab the resulting
+ $HOME/.netscape/cert7.db
file.
+
+
+
LDAPSharedCacheSize
Size in bytes of the shared-memory cache
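Review bot: the new "Using SSL" section only states the failure behaviour for the Netscape/iPlanet SDK ("it will not talk to any SSL server unless that server has a certificate signed by a known Certificate Authority"); for the OpenLDAP and Novell SDKs the page never says what happens when LDAPTrustedCA is unset or the server certificate does not chain to the configured CA. That is the security-relevant detail, so state per SDK whether the ldaps:// connection is refused or proceeds unverified. Two smaller points in the same hunk: "create an SSL connections" should read "create an SSL connection", and the advice to grab a fresh $HOME/.netscape/cert7.db imports every CA the browser ships with rather than only the CA that signed the LDAP server's certificate; recommend a database containing just the needed CA, or at least say that the browser bundle is broader than required.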
@@ -228,19 +280,30 @@
-LDAPCertDBPath
-Directory containing certificates for SSL
support
-LDAPCertDBPath directory-path
+LDAPTrustedCA
+Sets the file containing the trusted Certificate
Authority certificate or database
+LDAPTrustedCA directory-path/filename
server config
- This directive is only valid if Apache has been linked
- against the Netscape/iPlanet Directory SDK.
+ It specifies the directory path and file name of the trusted
CA
+ mod_ldap should use when establishing an SSL
+ connection to an LDAP server. If using the Netscape/iPlanet
Directory
+ SDK, the file name should be cert7.db
.
+
+
- It specifies in which directory mod_ldap
- should look for the certificate authorities database for SSL
- support. There should be a file named cert7.db
in
that
- directory.
+
+LDAPTrustedCAType
+Specifies the type of the Certificate Authority
file
+LDAPTrustedCAType type
+server config
+
+
+ The following types are supported:
+ DER_FILE - file in binary DER format
+ BASE64_FILE - file in Base64 format
+ CERT7_DB_PATH - Netscape certificate database file ")
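Review bot: LDAPTrustedCA's argument is described as "the directory path and file name" and the syntax line reads "directory-path/filename", yet the matching type is named CERT7_DB_PATH and the directive it replaces (LDAPCertDBPath) took a directory containing cert7.db; say explicitly whether, for the Netscape/iPlanet SDK, the value is the path to cert7.db itself or the directory that holds it. Neither new directive lists a Default, and LDAPTrustedCAType does not say which types are valid with which SDK (cert7.db is only meaningful with Netscape/iPlanet), so add a Default line and note the SDK next to each type. LDAPCertDBPath is removed outright, so a one-line compatibility note for existing configurations would help. The trailing `")` after the CERT7_DB_PATH line looks like a leftover from editing and should be checked in the XML before the HTML is regenerated.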
1.12 +9 -33 httpd-2.0/docs/manual/mod/mod_auth_ldap.xml
Index: mod_auth_ldap.xml
===================================================================
RCS file: /home/cvs/httpd-2.0/docs/manual/mod/mod_auth_ldap.xml,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- mod_auth_ldap.xml 22 Jan 2003 07:09:12 -0000 1.11
+++ mod_auth_ldap.xml 18 Feb 2003 22:21:24 -0000 1.12
@@ -17,7 +17,8 @@
- Known to support the OpenLDAP SDK (both 1.x
- and 2.x), and the
+ Novell LDAP SDK and the iPlanet
(Netscape) SDK.
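Review bot: as shown, both removed lines carried "Known to support the OpenLDAP SDK (both 1.x and 2.x), and the" while the single added line only says "Novell LDAP SDK and the iPlanet (Netscape) SDK"; check that the regenerated sentence still names OpenLDAP 1.x and 2.x, otherwise this page contradicts the SDK list added to mod_ldap in the same commit.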
@@ -32,7 +33,7 @@
href="mod_ldap.html">mod_ldap.
- Support for LDAP over SSL (requires the Netscape SDK) or
- TLS (requires the OpenLDAP 2.x SDK).
+ TLS (requires the OpenLDAP 2.x SDK or Novell LDAP SDK).
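Review bot: the unchanged line above still says LDAP over SSL "requires the Netscape SDK", but the mod_ldap half of this commit says SSL works with the OpenLDAP, Novell and iPlanet SDKs; one of the two is wrong, so reconcile them. If StartTLS is really gone (AuthLDAPStartTLS is deleted further down in this diff), the TLS clause should be reworded or dropped rather than extended to the Novell SDK.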
@@ -413,24 +414,16 @@
Using TLS
- To use TLS, simply set the AuthLDAPStartTLS to on.
- Nothing else needs to be done (other than ensure that your LDAP
- server is configured for TLS).
+ To use TLS, see the mod_ldap directives
LDAPTrustedCA and LDAPTrustedCAType.
Using SSL
- If mod_auth_ldap is linked against the
- Netscape/iPlanet LDAP SDK, it will not talk to any SSL server
- unless that server has a certificate signed by a known
Certificate
- Authority. As part of the configuration
- mod_auth_ldap needs to be told where it can
find
- a database containing the known CAs. This database is in the
same
- format as Netscape Communicator's cert7.db
- database. The easiest way to get this file is to start up a
fresh
- copy of Netscape, and grab the resulting
- $HOME/.netscape/cert7.db
file.
+ To use SSL, see the mod_ldap directives
LDAPTrustedCA and LDAPTrustedCAType.
To specify a secure LDAP server, use ldaps:// in
the
AuthLDAPURL
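Review bot: "To use TLS, see the mod_ldap directives LDAPTrustedCA and LDAPTrustedCAType" does not tell the reader how to start TLS: those directives only name the trusted CA, and the only trigger the new mod_ldap text describes is an ldaps:// URL, which is SSL rather than StartTLS. With AuthLDAPStartTLS removed in this same diff, either state that StartTLS is no longer available and ldaps:// in AuthLDAPURL is the only secure option, or document the replacement mechanism. The "Using SSL" pointer is fine, but it would be worth keeping one sentence here saying the server certificate must chain to the configured CA.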
@@ -735,23 +728,6 @@
distinguished name of the authenticated user, rather than just
the username that was passed by the client. It is turned off by
default.
-
-
-
-
-AuthLDAPStartTLS
-Use a secure TLS connection to the LDAP
server
-AuthLDAPStartTLS on|off
-AuthLDAPStartTLS off
-directory.htaccess
-
-AuthConfig
-
-
- If this directive is set to on
,
- mod_auth_ldap will start a secure TLS session
- after connecting to the LDAP server. This requires your LDAP
- server to support TLS.
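Review bot: AuthLDAPStartTLS is removed without any mention in the prose, so an administrator who has it in a config gets no guidance on what replaces it. The removed context lines also show it was allowed in directory and .htaccess scope under AuthConfig, whereas the replacement LDAPTrustedCA is server config only, so per-directory administrators lose the ability to enable a secure LDAP connection themselves; say so in the "Using TLS" section and, if that is the intent, point them at ldaps:// in AuthLDAPURL as the per-directory equivalent.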
---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org