| author | Bradley Nicholes <bnicholes@apache.org> | 2003-02-18 23:21:24 +0100 |
|---|---|---|
| committer | Bradley Nicholes <bnicholes@apache.org> | 2003-02-18 23:21:24 +0100 |
| commit | f576c4a9cbc611767090fe1216beaf7e3daedea1 (patch) | |
| tree | 2bae706ca044cb0a83ffa52067b0b42cebd7df0a /docs | |
| parent | foo.dbgmark turned out to be the same 8.3 name as foo.dbg itself, which (diff) | |
| download | apache2-f576c4a9cbc611767090fe1216beaf7e3daedea1.tar.xz, apache2-f576c4a9cbc611767090fe1216beaf7e3daedea1.zip | |
Update the mod_auth_ldap and mod_ldap documentation to show the new
directives for establishing an SSL connection and the addition of the Novell
LDAP SDK.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@98714 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'docs')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | docs/manual/mod/mod_auth_ldap.xml | 42 |
| -rw-r--r-- | docs/manual/mod/mod_ldap.xml | 81 |

2 files changed, 81 insertions, 42 deletions
diff --git a/docs/manual/mod/mod_auth_ldap.xml b/docs/manual/mod/mod_auth_ldap.xml index 9cf3a64bc2..263001c734 100644 --- a/docs/manual/mod/mod_auth_ldap.xml +++ b/docs/manual/mod/mod_auth_ldap.xml @@ -17,7 +17,8 @@ for HTTP Basic authentication.</description> <ul> <li>Known to support the <a href="http://www.openldap.org/">OpenLDAP SDK</a> (both 1.x - and 2.x), and the <a + and 2.x), <a href="http://developer.novell.com/ndk/cldap.htm"> + Novell LDAP SDK</a> and the <a href="http://www.iplanet.com/downloads/developer/">iPlanet (Netscape)</a> SDK.</li> @@ -32,7 +33,7 @@ for HTTP Basic authentication.</description> href="mod_ldap.html">mod_ldap</a>.</li> <li>Support for LDAP over SSL (requires the Netscape SDK) or - TLS (requires the OpenLDAP 2.x SDK).</li> + TLS (requires the OpenLDAP 2.x SDK or Novell LDAP SDK).</li> </ul> </summary> 
@@ -413,24 +414,16 @@ require valid-user <section id="usingtls"><title>Using TLS</title> - <p>To use TLS, simply set the <directive - module="mod_auth_ldap">AuthLDAPStartTLS</directive> to on. - Nothing else needs to be done (other than ensure that your LDAP - server is configured for TLS).</p> + <p>To use TLS, see the <module>mod_ldap</module> directives <directive + module="mod_ldap">LDAPTrustedCA</directive> and <directive + module="mod_ldap">LDAPTrustedCAType</directive>.</p> </section> <section id="usingssl"><title>Using SSL</title> - <p>If <module>mod_auth_ldap</module> is linked against the - Netscape/iPlanet LDAP SDK, it will not talk to any SSL server - unless that server has a certificate signed by a known Certificate - Authority. As part of the configuration - <module>mod_auth_ldap</module> needs to be told where it can find - a database containing the known CAs. This database is in the same - format as Netscape Communicator's <code>cert7.db</code> - database. The easiest way to get this file is to start up a fresh - copy of Netscape, and grab the resulting - <code>$HOME/.netscape/cert7.db</code> file.</p> + <p>To use SSL, see the <module>mod_ldap</module> directives <directive + module="mod_ldap">LDAPTrustedCA</directive> and <directive + module="mod_ldap">LDAPTrustedCAType</directive>.</p> <p>To specify a secure LDAP server, use <em>ldaps://</em> in the <directive module="mod_auth_ldap">AuthLDAPURL</directive> 
@@ -739,23 +732,6 @@ environment variable</description> </directivesynopsis> <directivesynopsis> -<name>AuthLDAPStartTLS</name> -<description>Use a secure TLS connection to the LDAP server</description> -<syntax>AuthLDAPStartTLS on|off</syntax> -<default>AuthLDAPStartTLS off</default> -<contextlist><context>directory</context><context>.htaccess</context> -</contextlist> -<override>AuthConfig</override> - -<usage> - <p>If this directive is set to <code>on</code>, - <module>mod_auth_ldap</module> will start a secure TLS session - after connecting to the LDAP server. This requires your LDAP - server to support TLS.</p> -</usage> -</directivesynopsis> - -<directivesynopsis> <name>AuthLDAPUrl</name> <description>URL specifying the LDAP search parameters</description> <syntax>AuthLDAPUrl <em>url</em></syntax> diff --git a/docs/manual/mod/mod_ldap.xml b/docs/manual/mod/mod_ldap.xml index 3418617f5f..acb1853b2f 100644 --- a/docs/manual/mod/mod_ldap.xml +++ b/docs/manual/mod/mod_ldap.xml @@ -22,6 +22,13 @@ by other LDAP modules</description> apr-util. This is achieved by adding the <code>--with-ldap</code> flag to the <code>./configure</code> script when building Apache.</p> + + <p>SSL support requires that <module>mod_ldap</module> be linked + with one of the following LDAP SDKs: <a href="http://www.openldap.org/"> + OpenLDAP SDK</a> (both 1.x and 2.x), <a href="http://developer.novell.com/ndk/cldap.htm"> + Novell LDAP SDK</a> or the <a href="http://www.iplanet.com/downloads/developer/"> + iPlanet(Netscape)</a> SDK.</p> + </summary> <section id="exampleconfig"><title>Example Configuration</title> 
@@ -156,6 +163,51 @@ by other LDAP modules</description> </section> </section> +<section id="usingssltls"><title>Using SSL</title> + + <p>The ability to create an SSL connections to an LDAP server + is defined by the directives <directive module="mod_ldap"> + LDAPTrustedCA</directive> and <directive module="mod_ldap"> + LDAPTrustedCAType</directive>. These directives specify the certificate + file or database and the certificate type. Whenever the LDAP url + includes <em>ldaps://</em>, <module>mod_ldap</module> will establish + a secure connection to the LDAP server. + + <example> + # Establish an SSL LDAP connection. Requires that <br /> + # mod_ldap and mod_auth_ldap be loaded. Change the <br /> + # "yourdomain.example.com" to match your domain.<br /> + <br /> + LDAPTrustedCA /certs/certfile.der<br /> + LDAPTrustedCAType DER_FILE<br /> + <br /> + <Location /ldap-status><br /> + <indent> + SetHandler ldap-status<br /> + Order deny,allow<br /> + Deny from all<br /> + Allow from yourdomain.example.com<br /> + AuthLDAPEnabled on<br /> + AuthLDAPURL ldaps://127.0.0.1/dc=example,dc=com?uid?one<br /> + AuthLDAPAuthoritative on<br /> + require valid-user<br /> + </indent> + </Location> + </example> + + <p>If <module>mod_ldap</module> is linked against the + Netscape/iPlanet LDAP SDK, it will not talk to any SSL server + unless that server has a certificate signed by a known Certificate + Authority. As part of the configuration + <module>mod_ldap</module> needs to be told where it can find + a database containing the known CAs. This database is in the same + format as Netscape Communicator's <code>cert7.db</code> + database. The easiest way to get this file is to start up a fresh + copy of Netscape, and grab the resulting + <code>$HOME/.netscape/cert7.db</code> file.</p> + +</section> + <directivesynopsis> <name>LDAPSharedCacheSize</name> <description>Size in bytes of the shared-memory cache</description> 
@@ -228,19 +280,30 @@ valid</description> </directivesynopsis> <directivesynopsis> -<name>LDAPCertDBPath</name> -<description>Directory containing certificates for SSL support</description> -<syntax>LDAPCertDBPath <var>directory-path</var></syntax> +<name>LDAPTrustedCA</name> +<description>Sets the file containing the trusted Certificate Authority certificate or database</description> +<syntax>LDAPTrustedCA <var>directory-path/filename</var></syntax> <contextlist><context>server config</context></contextlist> <usage> - <p>This directive is only valid if Apache has been linked - against the Netscape/iPlanet Directory SDK.</p> + <p>It specifies the directory path and file name of the trusted CA + <module>mod_ldap</module> should use when establishing an SSL + connection to an LDAP server. If using the Netscape/iPlanet Directory + SDK, the file name should be <code>cert7.db</code>.</p> +</usage> +</directivesynopsis> - <p>It specifies in which directory <module>mod_ldap</module> - should look for the certificate authorities database for SSL - support. There should be a file named <code>cert7.db</code> in that - directory.</p> +<directivesynopsis> +<name>LDAPTrustedCAType</name> +<description>Specifies the type of the Certificate Authority file</description> +<syntax>LDAPTrustedCAType <var>type</var></syntax> +<contextlist><context>server config</context></contextlist> + +<usage> + <p>The following types are supported:<br /> + DER_FILE - file in binary DER format<br /> + BASE64_FILE - file in Base64 format<br /> + CERT7_DB_PATH - Netscape certificate database file ")</p> </usage> </directivesynopsis> |
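Review bot: in the `@@ -32,7 +33,7 @@` hunk of mod_auth_ldap.xml the summary bullet still says LDAP over SSL "requires the Netscape SDK", while the new summary paragraph this same patch adds to mod_ldap.xml says SSL support works with the OpenLDAP, Novell or iPlanet SDK; the two statements should agree. Suggest rewording the bullet to "Support for LDAP over SSL or TLS (requires the OpenLDAP 2.x, Novell or Netscape/iPlanet SDK)", or simply pointing at mod_ldap for the SDK list, so an admin reading only this page does not conclude that ldaps:// is unavailable when linked against OpenLDAP.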
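Review bot: in the `@@ -413,24 +414,16 @@` hunk the rewritten "Using TLS" and "Using SSL" sections are now word-for-word identical, and neither says how a TLS session is requested now that AuthLDAPStartTLS is gone. The only trigger documented anywhere in this patch is the ldaps:// scheme in AuthLDAPURL, so either merge the two into one "Using SSL/TLS" section that says exactly that, or state in "Using TLS" that STARTTLS over a plain ldap:// URL is no longer configured from mod_auth_ldap. As written, a reader who previously set AuthLDAPStartTLS on can reasonably assume an ldap:// URL is still upgraded to TLS, and nothing in the patch says that it is.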
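Review bot: the `@@ -739,23 +732,6 @@` hunk deletes the AuthLDAPStartTLS directivesynopsis without leaving any pointer from the old name to its replacement. Because httpd refuses to start when it meets a directive it does not know, an existing configuration containing `AuthLDAPStartTLS on` breaks at upgrade with no hint in the manual about what happened; suggest keeping a short note (here or in the upgrading guide) that AuthLDAPStartTLS has been removed and that secure connections are now configured with an ldaps:// URL together with the mod_ldap directives LDAPTrustedCA and LDAPTrustedCAType.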
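Review bot: in the `@@ -22,6 +22,13 @@` hunk of mod_ldap.xml, "iPlanet(Netscape)" is missing the space before the parenthesis and should match the "iPlanet (Netscape)" wording used in mod_auth_ldap.xml. More substantively, "SSL support requires that mod_ldap be linked with one of the following LDAP SDKs" goes on to list every SDK the module supports at all (the same three named in the mod_auth_ldap summary), so the sentence does not restrict anything; if some SDKs provide only ldaps:// and others only STARTTLS, say which, otherwise drop the qualifier and just state that SSL is available with all supported SDKs.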
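Review bot: in the `@@ -156,6 +163,51 @@` hunk the example under "Using SSL" sets AuthLDAPEnabled, AuthLDAPURL and `require valid-user` but contains no `AuthType Basic` and no `AuthName`, so httpd has no authentication scheme to challenge the client with and the request fails with an error rather than a login prompt; add `AuthType Basic` and an `AuthName "..."` line inside the `<Location>` block. Smaller points in the same hunk: the section's opening `<p>` is never closed before `<example>` (add `</p>` after "secure connection to the LDAP server."); "create an SSL connections" should be "create an SSL connection"; the section id is `usingssltls` while the title is "Using SSL", so pick one. Finally, the paragraph moved over from mod_auth_ldap.xml tells the admin to take the `cert7.db` from a fresh copy of Netscape; a fresh browser database trusts every root CA the browser ships with, which is far broader than an LDAP client needs. Worth adding a sentence that the database should contain only the CA that issued the directory server's certificate.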
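Review bot: in the `@@ -228,19 +280,30 @@` hunk the LDAPTrustedCAType usage ends with a stray `")` after "Netscape certificate database file", which will render in the manual; drop it. The LDAPTrustedCA usage now opens with "It specifies ...", but the sentence "It" referred to ("This directive is only valid if ...") was deleted, so start with "This directive specifies". The rename from LDAPCertDBPath to LDAPTrustedCA also deserves a one-line note that the old directive no longer exists. Lastly, LDAPTrustedCAType lists three values but neither synopsis says which type goes with which SDK, nor what happens when LDAPTrustedCAType is left unset while an ldaps:// URL is in use; since the LDAPTrustedCA usage already says the Netscape SDK needs `cert7.db`, say that `CERT7_DB_PATH` is the type for that SDK, and document the default (or that the directive is mandatory) so an admin knows whether an ldaps:// URL without a trusted CA is refused or connected without server-certificate validation.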