author | Graham Leggett <minfrin@apache.org> | 2014-04-25 13:14:36 +0200 |
---|---|---|
committer | Graham Leggett <minfrin@apache.org> | 2014-04-25 13:14:36 +0200 |
commit | 84358db95c9532c01774e1c18262aa7628114d80 (patch) | |
tree | 802779c3cad5ff3d73460c50c7df45d6140a9918 /docs/manual/mod/mod_authnz_ldap.xml | |
parent | Add the ldap function to the expression API, allowing LDAP filters and (diff) | |
Add the ldap-search option to mod_authnz_ldap, allowing authorization
to be based on arbitrary expressions that do not include the username.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1589993 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'docs/manual/mod/mod_authnz_ldap.xml')
-rw-r--r-- | docs/manual/mod/mod_authnz_ldap.xml | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/docs/manual/mod/mod_authnz_ldap.xml b/docs/manual/mod/mod_authnz_ldap.xml index 2e29e5d14e..970e35537f 100644 --- a/docs/manual/mod/mod_authnz_ldap.xml +++ b/docs/manual/mod/mod_authnz_ldap.xml @@ -88,6 +88,7 @@ for HTTP Basic authentication.</description> <li><a href="#reqdn">Require ldap-dn</a></li> <li><a href="#reqattribute">Require ldap-attribute</a></li> <li><a href="#reqfilter">Require ldap-filter</a></li> + <li><a href="#reqsearch">Require ldap-search</a></li> </ul> </li> @@ -223,6 +224,11 @@ for HTTP Basic authentication.</description> directive, and the search filter successfully finds a single user object that matches the dn of the authenticated user.</li> + <li>Grant access if there is a <a href="#reqsearch"> + <code>Require ldap-search</code></a> + directive, and the search filter successfully returns a single + matching object with any distinguished name.</li> + <li>otherwise, deny or decline access</li> </ul> @@ -508,6 +514,28 @@ AuthLDAPMaxSubGroupDepth 1 </section> +<section id="reqsearch"><title>Require ldap-search</title> + + <p>The <code>Require ldap-search</code> directive allows the + administrator to grant access based on a generic LDAP search filter using an + <a href="../expr.html">expression</a>. If there is exactly one match to the search filter, + regardless of the distinguished name, access is granted.</p> + + <p>The following directive would grant access to URLs that match the given objects in the + LDAP server:</p> + +<highlight language="config"> +<LocationMatch ^/dav/(?<SITENAME>[^/]+)/> +Require ldap-search (cn=%{ldap:%{unescape:%{env:MATCH_SITENAME}} Website) +</LocationMatch> +</highlight> + + <p>Note: care must be taken to ensure that any expressions are properly escaped to guard + against LDAP injection. The <strong>ldap</strong> function can be used as per the example + above.</p> + +</section> + </section> <section id="examples"><title>Examples</title> |
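Review bot: In the @@ -223,6 +224,11 @@ hunk, the new list item says the filter "successfully returns a single matching object with any distinguished name", while the new reqsearch section says "exactly one match". Use the same wording in both places, and say explicitly here that the matched object does not have to be the authenticated user. That is the one thing separating this bullet from the ldap-filter bullet directly above it. It would also help to state what happens on zero or several matches, rather than leaving the reader to infer it from "otherwise, deny or decline access".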
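Review bot: In the @@ -508,6 +514,28 @@ hunk, the example expression has unbalanced braces: `%{ldap:%{unescape:%{env:MATCH_SITENAME}} Website` opens three `%{` groups and closes only two, so the outer `ldap:` call is never terminated before " Website)". It should presumably read `(cn=%{ldap:%{unescape:%{env:MATCH_SITENAME}}} Website)`. Since this is the only example of the directive and the injection note that follows points readers back to it ("as per the example above"), a copy-paste of the broken form is likely. The note itself would also be stronger if it said what the ldap function does to its argument and that every request-derived value placed in the filter must pass through it, instead of only "can be used".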