libapache2-mod-webauthldap 4.7.0-4 / usr / share / doc / libapache2-mod-webauthldap / mod_webauthldap.html.en

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!--
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
              This file is generated from xml source: DO NOT EDIT
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
      -->
<title>mod_webauthldap - Apache HTTP Server Version 2.5</title>
<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="../style/css/prettify.css" />
<script src="../style/scripts/prettify.min.js" type="text/javascript">
</script>

<link href="../images/favicon.ico" rel="shortcut icon" /></head>
<body>
<div id="page-header">
<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/quickreference.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p>
<p class="apache">Apache HTTP Server Version 2.5</p>
<img alt="" src="../images/feather.gif" /></div>
<div class="up"><a href="./"><img title="&lt;-" alt="&lt;-" src="../images/left.gif" /></a></div>
<div id="path">
<a href="http://www.apache.org/">Apache</a> &gt; <a href="http://httpd.apache.org/">HTTP Server</a> &gt; <a href="http://httpd.apache.org/docs/">Documentation</a> &gt; <a href="../">Version 2.5</a> &gt; <a href="./">Modules</a></div>
<div id="page-content">
<div id="preamble"><h1>Apache Module mod_webauthldap</h1>
<div class="toplang">
<p><span>Available Languages: </span><a href="../en/mod/mod_webauthldap.html" title="English">&nbsp;en&nbsp;</a></p>
</div>
<table class="module"><tr><th><a href="module-dict.html#Description">Description:</a></th><td>LDAP authorization and lookup for WebAuth</td></tr>
<tr><th><a href="module-dict.html#Status">Status:</a></th><td>External</td></tr>
<tr><th><a href="module-dict.html#ModuleIdentifier">Module Identifier:</a></th><td>webauthldap_module</td></tr>
<tr><th><a href="module-dict.html#SourceFile">Source File:</a></th><td>mod_webauthldap.c</td></tr>
<tr><th><a href="module-dict.html#Compatibility">Compatibility:</a></th><td>Apache 2.0 and higher</td></tr></table>
<h3>Summary</h3>


<p>This module provides authorization based on configurable LDAP privilege
groups.  It also allows retrieving adhoc LDAP attributes and places them
in environment variables.  The module was designed for use with an LDAP
server that supports LDAP version 3 and allows binds authenticated using
GSS-API Kerberos via SASL.</p>

<p>For other WebAuth documentation see the
<a href="http://webauth.stanford.edu/">WebAuth documentation</a>.</p>
</div>
<div id="quickview"><h3 class="directives">Directives</h3>
<ul id="toc">
<li><img alt="" src="../images/down.gif" /> <a href="#webauthldapattribute">WebAuthLdapAttribute</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#webauthldapauthorizationattribute">WebAuthLdapAuthorizationAttribute</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#webauthldapauthrule">WebAuthLdapAuthrule</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#webauthldapbase">WebAuthLdapBase</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#webauthldapbinddn">WebAuthLdapBindDN</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#webauthldapdebug">WebAuthLdapDebug</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#webauthldapfilter">WebAuthLdapFilter</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#webauthldaphost">WebAuthLdapHost</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#webauthldapkeytab">WebAuthLdapKeytab</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#webauthldapoperationalattribute">WebAuthLdapOperationalAttribute</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#webauthldapport">WebAuthLdapPort</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#webauthldapprivgroup">WebAuthLdapPrivgroup</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#webauthldapseparator">WebAuthLdapSeparator</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#webauthldapssl">WebAuthLdapSSL</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#webauthldaptktcache">WebAuthLdapTktCache</a></li>
</ul>
<h3>Topics</h3>
<ul id="topics">
<li><img alt="" src="../images/down.gif" /> <a href="#config">Generic Minimal Config File</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#basics">Using WebAuthLdap Authorization</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#attributes">Ad hoc attributes lookup</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#compat">WebAuth 2.x backward compatibility</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#license">Manual License</a></li>
</ul></div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="config" id="config">Generic Minimal Config File</a></h2>

<p>The following example shows the minimum config file required to
configure this module.</p>

<div class="example"><h3>Example</h3><pre>LoadModule webauthldap_module modules/mod_webauthldap.so

WebAuthLdapHost ldap.acme.com
WebAuthLdapBase dc=acme,dc=com
WebAuthLdapAuthorizationAttribute privilegeAttribute
WebAuthLdapKeytab conf/webauth/ldapkeytab webauth/myservername
WebAuthLdapTktCache /tmp/webauthldap.tkt</pre></div>
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="basics" id="basics">Using WebAuthLdap Authorization</a></h2>

<p>To restrict access to particular privilege group(s) place the
<code>require privgroup &lt;group name&gt;</code> directives in a
.htaccess file, a Location block or a Directory block where <code>AuthType
WebAuth</code> has already been applied.  Multiple directives mean "user
must belong to at least one of these groups."  There is currently no way
to require that a user be in multiple groups.</p>

<p>When combining with other require directives, the order of checking is
top to bottom, so e.g. by placing <code>require valid-user</code> at the
top, all authenticated users will be authorized no matter what group
restrictions are below it.  By default, if a user is authorized, the
WEBAUTH_LDAPAUTHRULE variable will be set to indicate what rule succeded
in authorizing a user.</p>

<p>It is possible to combine <code>Require privgroup</code> with Apache's
regular <code>Require group</code>.  In this case if no LDAP group
matches, the regular auth groups can be checked by apache in the usual
manner, and access granted if the user is in them.  However when using
WebAuthLdap the AuthAuthoritative directive must be set to off, otherwise
mod_access will logs messages complaining that it doesn't recognize the
<code>Require privgroup</code> directives.</p>

<div class="example"><h3>Example</h3><pre>&lt;Location /private/&gt;
  AuthType WebAuth
  Require privgroup stanford:staff
  Require privgroup stanford:faculty
&lt;/Location&gt;</pre></div>

</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="attributes" id="attributes">Ad hoc attributes lookup</a></h2>

<p>By using the WebAuthLdapAttribute directive in a .htaccess file, a
Location block or a Directory block, any attributes available to the
WebAuth server can be set into environment variables for use in cgi
scripts.  In case the requested attribute is not available from the LDAP
server, there is no error and the environment variable is simply not set
for that attribute.</p>

<p>The name of the environment variable is formed by prepending
WEBAUTH_LDAP_ to the uppercased attribute name.  In the case of mulivalued
attributes, the WEBAUTH_LDAP_ATTRIBUTENAME variable will contain one value
randomly picked from the set, and all the values of this attribute will
also be set into WEBAUTH_LDAP_ATTRIBUTENAME1, WEBAUTH_LDAP_ATTRIBUTENAME2,
and so on, in no particular order.  The multivalued attribute behavior can
be changed by setting the
<a href="#webauthldapseparator">WebAuthLdapSeparator</a> directive, in which
case WEBAUTH_LDAP_ATTRIBUTENAME will be set to the concatenation of all
returned values, separated by that separator.</p>

<p>The <a href="#webauthldapprivgroup">WebAuthLdapPrivgroup</a> directive
is also available to test a user's membership in an authorization group,
while still allowing users who are not members of that group to access a
resource.  If the user is a member of the group, the group's name is set in
the environment variable WEBAUTH_LDAPPRIVGROUP.  As with attributes, if the
user is found to be a member of multiple groups, those group names are
stored in variables named WEBAUTH_LDAPPRIVGROUP1, WEBAUTH_LDAPPRIVGROUP2
and so on, with one of the groups, picked at random, in the usual
WEBAUTH_LDAPPRIVGROUP variable -- unless <a href="#webauthldapseparator">
WebAuthLdapSeparator</a> is set, in which case WEBAUTH_LDAPPRIVGROUP
contains the concatenation of all those groups, separated by that
separator.</p>

<div class="example"><h3>Example</h3><pre>&lt;Location /private/&gt;
  AuthType WebAuth
  Require valid-user
  WebAuthLdapAttribute displayName
  WebAuthLdapAttribute description
  WebAuthLdapAttribute telephoneNumber
  WebAuthLdapPrivgroup stanford:faculty
  WebAuthLdapPrivgroup stanford:student
&lt;/Location&gt;</pre></div>

</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="compat" id="compat">WebAuth 2.x backward compatibility</a></h2>

<p>StanfordAuth as an AuthType is supported as a form of backward
compatibility, to ease the transition from WebAuth v2.  When it is used,
require group directives are interpreted as checks on LDAP privgroups if
they contain a colon.</p>

<div class="example"><h3>StanfordAuth Example</h3><pre>&lt;Location /private/&gt;
  AuthType StanfordAuth
  require group stanford:stanford
&lt;/Location&gt;</pre></div>

<p>If you wish to have the legacy SU_AUTH_DIRNAME, SU_AUTH_DIRMAIL, or
SU_AUTH_UNIVID variables set, you need to use the new WebAuthLdapAttribute
directives explicitly.  If you don't want to go through and change
numerous .htaccess files, you can set the WebAuthLdapAttribute directive
on some top location above all the .htaccess files, and they wil be
inherited.</p>

<div class="example"><h3>With name, mail, and univid variables:</h3><pre>&lt;Location /top/&gt;
  WebAuthLdapAttribute mail
  WebAuthLdapAttribute displayName
  WebAuthLdapAttribute suUnivid
&lt;/Location&gt;

# .htaccess file in /top/mydir can remain like this:
AuthType StanfordAuth
require group stanford:stanford</pre></div>

<p>This backward compatibility support is probably of interest only to
Stanford users, since WebAuth v2 was never publically released.</p>
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="license" id="license">Manual License</a></h2>

<p>Copyright 2003, 2004, 2005, 2006, 2009, 2010, 2011, 2012, 2014 The
Board of Trustees of the Leland Stanford Junior University</p>

<p>Copying and distribution of this file, with or without modification,
are permitted in any medium without royalty provided the copyright notice
and this notice are preserved.  This file is offered as-is, without any
warranty.</p>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="WebAuthLdapAttribute" id="WebAuthLdapAttribute">WebAuthLdapAttribute</a> <a name="webauthldapattribute" id="webauthldapattribute">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>LDAP attribute to place in the environment</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>WebAuthLdapAttribute <em>attribute</em> [<em>attribute</em>] ...</code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>"displayName", "mail"</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>External</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_webauthldap</td></tr>
</table>
<p>All attributes indicated by this directive will be looked up in LDAP
and their values, if found, will be placed into the environment.  This
directive can be used multiple times.</p>

<p>The name of the environment variable is formed by prepending
WEBAUTH_LDAP_ to the uppercased attribute name.  By default, in the case
of mulivalued attributes, the WEBAUTH_LDAP_ATTRIBUTENAME variable will
contain one value randomly picked from the set, and all the values of this
attribute will also be set into WEBAUTH_LDAP_ATTRIBUTENAME1,
WEBAUTH_LDAP_ATTRIBUTENAME2, and so on, in no particular order.  To
override this behavior, see
<a href="#webauthldapseparator">WebAuthLdapSeparator</a>.</p>

<p>The attributes can be any attribute found in your LDAP server that
the server using this module has access to read, except for operational
attributes, like entryUUID.</p>

<div class="example"><h3>Example</h3><p><code>
&lt;Location /private/&gt;<br />
AuthType WebAuth<br />
Require privgroup stanford:staff<br />
WebAuthLdapAttribute suAffiliation<br />
WebAuthLdapAttribute displayName<br />
WebAuthLdapAttribute suUnivid<br />
&lt;/Location&gt;<br />
</code></p></div>

</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="WebAuthLdapAuthorizationAttribute" id="WebAuthLdapAuthorizationAttribute">WebAuthLdapAuthorizationAttribute</a> <a name="webauthldapauthorizationattribute" id="webauthldapauthorizationattribute">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>LDAP attribute for authorization group membership</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>WebAuthLdapAuthorizationAttribute <em>ldap_attribute_name</em></code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>none</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>External</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_webauthldap</td></tr>
</table>
<p>Specifies the attribute in the LDAP directory in a user's entry that
contains the authorization groups that user is a member of.  This should
be a multi-valued attribute against with LDAP compare operations are
performed.  Each privgroup granted access to the URL being accessed will
be compared in turn against the values of this attribute and the user will
be granted access only if one of those privgroups match.</p>

<p>Note that this module does not use LDAP groups for authorization and
instead uses this multivalued attribute method.  Proper use of LDAP groups
may be added later.</p>

<div class="note"><h3>Note</h3> 
  <p>This directive must be set.</p>
</div>

<div class="example"><h3>Example</h3><p><code>
WebAuthLdapAuthorizationAttribute privilegeAttribute
</code></p></div>

</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="WebAuthLdapAuthrule" id="WebAuthLdapAuthrule">WebAuthLdapAuthrule</a> <a name="webauthldapauthrule" id="webauthldapauthrule">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Whether to show authorization information</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>WebAuthLdapAuthrule <em>on|off</em></code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>on</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>External</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_webauthldap</td></tr>
</table>
<p>By default, this module will put the authorization rule under which the
user was authorized into the WEBAUTH_LDAPAUTHRULE environment variable.
The value will be one of "valid-user", "user <em>user</em>", or "privgroup
<em>privgroup</em>".  You can disable this behavior by setting this
directive to off.</p>

<div class="example"><h3>Example</h3><p><code>
WebAuthLdapAuthrule off
</code></p></div>

</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="WebAuthLdapBase" id="WebAuthLdapBase">WebAuthLdapBase</a> <a name="webauthldapbase" id="webauthldapbase">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Base for the LDAP lookup</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>WebAuthLdapBase <em>valid_search_base</em></code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>none</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>External</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_webauthldap</td></tr>
</table>
<p>The lookup of the user's entry will begin at the specified search
base.</p>

<div class="note"><h3>Note</h3> 
  <p>This directive must be set.</p>
</div>

<div class="example"><h3>Example</h3><p><code>
WebAuthLdapBase cn=people,dc=acme,dc=com
</code></p></div>

</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="WebAuthLdapBindDN" id="WebAuthLdapBindDN">WebAuthLdapBindDN</a> <a name="webauthldapbinddn" id="webauthldapbinddn">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Bind DN for the LDAP lookup</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>WebAuthLdapBindDN <em>valid_bind_dn</em></code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>none</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>External</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_webauthldap</td></tr>
</table>
<p>The bind DN specifies the LDAP identity that this module will use when
binding to the LDAP server.  Most OpenLDAP servers do not need an explicit
bind DN and determine the binding identity from the authentication
credentials, so this normally will not have to be set.</p>

<div class="example"><h3>Example</h3><p><code>
WebAuthLdapBindDN cn=myDN,dc=acme,dc=com
</code></p></div>

</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="WebAuthLdapDebug" id="WebAuthLdapDebug">WebAuthLdapDebug</a> <a name="webauthldapdebug" id="webauthldapdebug">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Set the debugging level for logging</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>WebAuthLdapDebug <em>on|off</em></code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>off</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>External</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_webauthldap</td></tr>
</table>
<p>If set to on, additional tracing and debugging output will be sent to
the server log.  This output will include the stages of processing, the
LDAP parameters used, and the returned results.  It's rather verbose, so
should probably only be enabled during debugging.</p>

<div class="example"><h3>Example</h3><p><code>
WebAuthLdapDebug on
</code></p></div>

</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="WebAuthLdapFilter" id="WebAuthLdapFilter">WebAuthLdapFilter</a> <a name="webauthldapfilter" id="webauthldapfilter">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>LDAP filter to use when searching for an entry</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>WebAuthLdapFilter <em>valid_ldap_filter</em></code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>uid=USER</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>External</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_webauthldap</td></tr>
</table>
<p>This can be any properly formed LDAP filter.  The current user's
identity (from WebAuth) will be substituted for the upper-cased string
"USER".  The "USER" string may appear in the filter multiple times.  You
will want to set this attribute if your LDAP server puts the username in
an attribute other than uid, or if you want to add additional restrictions
to the search.</p>

<div class="example"><h3>Example</h3><p><code>
WebAuthLdapFilter (&amp;(objectClass=superson)(uid=USER))
</code></p></div>

</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="WebAuthLdapHost" id="WebAuthLdapHost">WebAuthLdapHost</a> <a name="webauthldaphost" id="webauthldaphost">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Hostname of the LDAP server</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>WebAuthLdapHost <em>hostname</em></code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>none</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>External</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_webauthldap</td></tr>
</table>
<p>The LDAP server must support GSS-API Kerberos SASL binds.  No other
bind type is supported by mod_webauthldap at this time.</p>

<div class="note"><h3>Note</h3> 
  <p>This directive must be set.</p>
</div>

<div class="example"><h3>Example</h3><p><code>
  WebAuthLdapHost ldap.acme.com
</code></p></div>

</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="WebAuthLdapKeytab" id="WebAuthLdapKeytab">WebAuthLdapKeytab</a> <a name="webauthldapkeytab" id="webauthldapkeytab">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Keytab for LDAP server authentication</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>WebAuthLdapKeytab <em>path</em>  [<em>principal</em>]</code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>none</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>External</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_webauthldap</td></tr>
</table>
<p>Specifies the keytab used for GSSAPI authentication to the LDAP
server.  This keytab should contain an entry for the principal that has
access to the desired LDAP attributes.  If the keytab contains several
principals, use the optional second argument to this directive to indicate
the principal to use.</p>

<p>If the path is not absolute, it will be treated as being relative to
<code>ServerRoot</code>.</p>

<div class="note"><h3>Note</h3> 
  <p>This directive must be set.  While it is permitted in either the main
  server configuration or in a virtual host configuration, it should be
  set once and only once for the whole server.  The module currently does
  not support having separate authentication configurations in different
  virtual hosts.</p>
</div>

<div class="example"><h3>Example</h3><p><code>
WebAuthLdapKeytab conf/webauth/ldapkeytab webauth/myservername
</code></p></div>

</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="WebAuthLdapOperationalAttribute" id="WebAuthLdapOperationalAttribute">WebAuthLdapOperationalAttribute</a> <a name="webauthldapoperationalattribute" id="webauthldapoperationalattribute">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>LDAP operational attribute to place in the environment</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>WebAuthLdapOperationalAttribute<em>oper_attribute</em>  [<em>oper_attribute</em>] ...</code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>none</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>External</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_webauthldap</td></tr>
</table>
<p>All attributes defined by this directive will be looked up additionally
and their values will be inserted into the environment. This directive can
also be used multiple times.</p>

<p>Like<a href="#webauthldapattribute">WebAuthLdapAttribute</a>, the name
of the enviornment variable is formed by prepending WEBAUTH_LDAP_ to the
uppercased name. Multivalued attributes work exactly the same as well.</p>

<div class="example"><h3>Example</h3><p><code>
&lt;Location /private/&gt;<br />
AuthType WebAuth<br />
Require privgroup stanford:staff<br />
WebAuthLdapOperationalAttribute entryUUID<br />
&lt;/Location&gt;<br />
</code></p></div>

</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="WebAuthLdapPort" id="WebAuthLdapPort">WebAuthLdapPort</a> <a name="webauthldapport" id="webauthldapport">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>LDAP server port</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>WebAuthLdapPort <em>port_num</em></code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>389</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>External</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_webauthldap</td></tr>
</table>
<p>Normally, you will never need to change this, even if using SSL.  Some
LDAP servers may require SSL connections on port 636 (but this is a
deprecated configuration).</p>

<div class="example"><h3>Example</h3><p><code>
WebAuthLdapPort 389
</code></p></div>

</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="WebAuthLdapPrivgroup" id="WebAuthLdapPrivgroup">WebAuthLdapPrivgroup</a> <a name="webauthldapprivgroup" id="webauthldapprivgroup">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Authorization group in which to test user's membership</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>WebAuthLdapPrivgroup <em>privgroup</em> [<em>privgroup</em>] ...</code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>none</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>External</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_webauthldap</td></tr>
</table>
<p>The user's membership will be tested in the authorization group
specified with this directive.  If the user is a member of the group, the
name of the group is placed in the environment variable
WEBAUTH_LDAPPRIVGROUP.</p>

<p>This directive can be used multiple times.  If the user is found to be a
member of multiple groups, the WEBAUTH_LDAPPRIVGROUP variable will contain the
name of one group, selected at random, and the names of all the groups will be
stored in the variables WEBAUTH_LDAPPRIVGROUP1, WEBAUTH_LDAPPRIVGROUP2, and so
on, in no particular order.  To override this behavior, see <a href="#webauthldapseparator">WebAuthLdapSeparator</a>.</p>

<p>(Also see the <a href="#webauthldapauthorizationattribute">
WebAuthLdapAuthorizationAttribute</a> directive for a caveat about how
authorization groups must be defined in LDAP.)</p>

<div class="example"><h3>Example</h3><p><code>
&lt;Location /webapp/&gt;<br />
AuthType WebAuth<br />
Require valid-user<br />
WebAuthLdapPrivgroup stanford:staff<br />
WebAuthLdapPrivgroup stanford:faculty stanford:student<br />
&lt;/Location&gt;<br />
</code></p></div>

</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="WebAuthLdapSeparator" id="WebAuthLdapSeparator">WebAuthLdapSeparator</a> <a name="webauthldapseparator" id="webauthldapseparator">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Separator for multi-valued attributes and privgroups</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>WebAuthLdapSeparator <em>separator</em></code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>none</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>External</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_webauthldap</td></tr>
</table>
<p>If set, overrides the default handling of multi-valued attributes and
privgroups. Normally, one value chosen at random will go into the base
WEBAUTH_LDAP_ATTRIBUTE environment variable and then all of the attributes
will go into separate environment variables formed by appending a number
to that basic name.  When this attribute is set, the individual numbered
variables will still be set, but the unnumbered WEBAUTH_LDAP_ATTRIBUTE
variable will be set to the concatenation of all of the values found,
separated by the given separator string.</p>

<p>Similarly, if multiple authorization groups are tested with
<a href="#webauthldapprivgroup">WebAuthLdapPrivgroup</a>, one of the
user's groups is normally chosen at random to go into the variable
WEBAUTH_LDAPPRIVGROUP.  When a separator is specified, the numbered
variables WEBAUTH_LDAPPRIVGROUP1, WEBAUTH_LDAPPRIVGROUP2, and so on are
still set, but the base variable WEBAUTH_LDAPPRIVGROUP will be set to the
concatention of all the user's verified groups, separated by the specified
string.</p>

<p>In all cases, nothing special will be done to any occurrences of the
separator string in the values, so pick a separator that doesn't occur in
the values you're working with.</p>

<div class="example"><h3>Example</h3><p><code>
WebAuthLdapSeparator |
</code></p></div>

</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="WebAuthLdapSSL" id="WebAuthLdapSSL">WebAuthLdapSSL</a> <a name="webauthldapssl" id="webauthldapssl">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Whether to use SSL with LDAP connections</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>WebAuthLdapSSL <em>on|off</em></code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>off</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>External</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_webauthldap</td></tr>
</table>
<p>If set, this module will use SSL when talking to the LDAP server.  The
LDAP server must support SSL or LDAP connections will fail.  This will
slow LDAP lookups and incur more load on the server and client, and GSSAPI
normally already encrypts the session, so setting this option is rarely
needed.</p>

<div class="example"><h3>Example</h3><p><code>
WebAuthLdapSSL on
</code></p></div>

</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="WebAuthLdapTktCache" id="WebAuthLdapTktCache">WebAuthLdapTktCache</a> <a name="webauthldaptktcache" id="webauthldaptktcache">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Path to the Kerberos credentials cache file</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>WebAuthLdapTktCache <em>path</em></code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>none</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>External</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_webauthldap</td></tr>
</table>
<p>If this cache exists and is valid and readable, it will be used until
it expires.  After expiration, or if it doesn't exist, the specified
keytab will be used to obtain a new ticket which is stored in this
cache.</p>

<p>If the path is not absolute, it will be treated as being relative to
<code>ServerRoot</code>.</p>

<div class="note"><h3>Note</h3> 
  <p>This directive must be set.</p>
</div>

<div class="example"><h3>Example</h3><p><code>
WebAuthLdapTktCache /tmp/webauthldap.tkt
</code></p></div>

</div>
</div>
<div class="bottomlang">
<p><span>Available Languages: </span><a href="../en/mod/mod_webauthldap.html" title="English">&nbsp;en&nbsp;</a></p>
</div><div class="top"><a href="#page-header"><img src="../images/up.gif" alt="top" /></a></div>
<div id="footer">
<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/quickreference.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!--
if (typeof(prettyPrint) !== 'undefined') {
    prettyPrint();
}
//--><!]]></script>
</body></html>