author | Eric Covener <covener@apache.org> | 2010-05-29 20:19:10 +0000 |
---|---|---|
committer | Eric Covener <covener@apache.org> | 2010-05-29 20:19:10 +0000 |
commit | d15983f1d14b675226bbd8bca61c5db24314ebf0 (patch) | |
tree | 4e2a0520f94a17366fa1054fca957c8701955e9e /docs/manual/mod/mod_authnz_ldap.html.en | |
parent | 27c654fc67365e1b6ef9f8a66029d67968edc1ce (diff) | |
mod_authnz_ldap: Allow the initial DN lookup to bind with a
transformation of the basic auth username.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@949436 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'docs/manual/mod/mod_authnz_ldap.html.en')
-rw-r--r-- | docs/manual/mod/mod_authnz_ldap.html.en | 75 |
1 files changed, 75 insertions, 0 deletions
diff --git a/docs/manual/mod/mod_authnz_ldap.html.en b/docs/manual/mod/mod_authnz_ldap.html.en index 0a0f4df0a4..e4d8fe88bc 100644 --- a/docs/manual/mod/mod_authnz_ldap.html.en +++ b/docs/manual/mod/mod_authnz_ldap.html.en @@ -68,6 +68,8 @@ for HTTP Basic authentication.</td></tr> <li><img alt="" src="../images/down.gif" /> <a href="#authldapdereferencealiases">AuthLDAPDereferenceAliases</a></li> <li><img alt="" src="../images/down.gif" /> <a href="#authldapgroupattribute">AuthLDAPGroupAttribute</a></li> <li><img alt="" src="../images/down.gif" /> <a href="#authldapgroupattributeisdn">AuthLDAPGroupAttributeIsDN</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#authldapinitialbindasuser">AuthLDAPInitialBindAsUser</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#authldapinitialbindpattern">AuthLDAPInitialBindPattern</a></li> <li><img alt="" src="../images/down.gif" /> <a href="#authldapmaxsubgroupdepth">AuthLDAPMaxSubGroupDepth</a></li> <li><img alt="" src="../images/down.gif" /> <a href="#authldapremoteuserattribute">AuthLDAPRemoteUserAttribute</a></li> <li><img alt="" src="../images/down.gif" /> <a href="#authldapremoteuserisdn">AuthLDAPRemoteUserIsDN</a></li> 
@@ -952,6 +954,79 @@ group membership</td></tr> </div> <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="directive-section"><h2><a name="AuthLDAPInitialBindAsUser" id="AuthLDAPInitialBindAsUser">AuthLDAPInitialBindAsUser</a> <a name="authldapinitialbindasuser" id="authldapinitialbindasuser">Directive</a></h2> +<table class="directive"> +<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Determines if the server does the initial DN lookup using the basic authentication users' +own username, instead of anonymously or with hard-coded credentials for the server</td></tr> +<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthLDAPInitialBindAsUser <em>off|on</em></code></td></tr> +<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>AuthLDAPInitialBindAsUser off</code></td></tr> +<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr> +<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr> +<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> +<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authnz_ldap</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in version 2.3.7 and later</td></tr> +</table> + <p>By default, the server either anonymously, or with a dedicated user and + password, converts the basic authentication username into an LDAP + distinguished name (DN). 
This directive forces the server to use the verbatim username + and password provided by the incoming user to perform the initial DN + search.</p> + + <p> If the verbatim username can't directly bind, but needs some + cosmetic transformation, see <code class="directive"><a href="# authldapinitialbindpattern"> + AuthLDAPInitialBindPattern</a></code>.</p> + + <div class="note"><h3>Not available with authorization-only</h3> + This directive can only be used if this module authenticates the user, and + has no effect when this module is used exclusively for authorization. + </div> + +<h3>See also</h3> +<ul> +<li><code class="directive"><a href="../mod/mod_authnnz_ldap.html#authldapinitialbindpattern">AuthLDAPInitialBindPattern</a></code></li> +<li><code class="directive"><a href="../mod/mod_authnnz_ldap.html#authldapbinddn">AuthLDAPBindDN</a></code></li> +</ul> +</div> +<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="directive-section"><h2><a name="AuthLDAPInitialBindPattern" id="AuthLDAPInitialBindPattern">AuthLDAPInitialBindPattern</a> <a name="authldapinitialbindpattern" id="authldapinitialbindpattern">Directive</a></h2> +<table class="directive"> +<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Specifies the transformation of the basic authentication username to be used when binding to the LDAP server +to perform a DN lookup</td></tr> +<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthLDAPInitialBindPattern<em><var>regex</var> <var>substitution</var></em></code></td></tr> +<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>AuthLDAPInitialBindPattern (.*) $1 (remote username used verbatim)</code></td></tr> +<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr> +<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr> +<tr><th><a 
href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> +<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authnz_ldap</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in version 2.3.7 and later</td></tr> +</table> + <p>If <code class="directive"><a href="#authldapinitialbindasuser">AuthLDAPInitialBindAsUser</a></code> is set to + <em>ON</em>, the basic authentication username will be transformed according to the + regular expression and substituion arguments.</p> + + <p> The regular expression argument is compared against the current basic authentication username. + The substitution argument may contain backreferences, but has no other variable interpolation.</p> + + <div class="example"><p><code> AuthLDAPInitialBindPattern (.+) $1@example.com </code></p></div> + <div class="example"><p><code> AuthLDAPInitialBindPattern (.+) cn=$1,dc=example,dc=com</code></p></div> + + <div class="note"><h3>Not available with authorization-only</h3> + This directive can only be used if this module authenticates the user, and + has no effect when this module is used exclusively for authorization. + </div> + <div class="note"><h3>debugging</h3> + The substituted DN is recorded in the environment variable + <em>LDAP_BINDASUSER</em>. If the regular expression does not match the input, + the verbatim username is used. 
+ </div> + +<h3>See also</h3> +<ul> +<li><code class="directive"><a href="../mod/mod_authnnz_ldap.html#authldapinitialbindasuser">AuthLDAPInitialBindAsUser</a></code></li> +<li><code class="directive"><a href="../mod/mod_authnnz_ldap.html#authldapbinddn">AuthLDAPBindDN</a></code></li> +</ul> +</div> +<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> <div class="directive-section"><h2><a name="AuthLDAPMaxSubGroupDepth" id="AuthLDAPMaxSubGroupDepth">AuthLDAPMaxSubGroupDepth</a> <a name="authldapmaxsubgroupdepth" id="authldapmaxsubgroupdepth">Directive</a></h2> <table class="directive"> <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Specifies the maximum sub-group nesting depth that will be |
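Review bot: In the second hunk (@@ -952,6 +954,79 @@), the AuthLDAPInitialBindPattern section states "If the regular expression does not match the input, the verbatim username is used" only inside the "debugging" note. That fallback decides which identity is presented in the initial bind, so it should move into the main description next to the regex/substitution paragraph. The same paragraph says the substitution "has no other variable interpolation" but does not say whether the captured username is escaped before it is placed into a DN such as cn=$1,dc=example,dc=com; please document that either way. Markup and wording fixes in the same hunk: "substituion" should be "substitution"; the four "See also" links point at ../mod/mod_authnnz_ldap.html (double "n") and will not resolve; href="# authldapinitialbindpattern" contains a space after the "#"; the Syntax cell has no space between AuthLDAPInitialBindPattern and the following <em>; "basic authentication users' own username" should read "user's"; and the "debugging" note heading is lower-case while the sibling note headings are capitalised. Since this file is the generated .html.en, the corrections need to be made in the XML source it is built from as well.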