+++ /dev/null
-##########################################################################################
-##########################################################################################
-############# SKIP COMMENTED LINES TO SEE PURE LDIF FILE #################################
-##########################################################################################
-############# If particular access combination of pattern #######################
-############# [([location+servername]|[directoryname])+username]) #######################
-############# does not work, first consult actually used filters #######################
-############# presented in example vhost_ldap.conf, and then turn #######################
-############# debugging logging with apache. there's very much log #######################
-############# output, including configuration and uri parsing #######################
-############# and each search filter and retrieved variables #######################
-############# processing. #######################
-##########################################################################################
-##########################################################################################
-
-##### webserver definition
-dn: apacheServerName=internal,ou=virtualHosts,dc=foo,dc=bar
-objectClass: top
-objectClass: apacheConfig
-objectClass: organization
-##### object classess - for aliases and per-location auth
-##### you must include these
-objectClass: apacheExtendedConfigLocation
-objectClass: apacheAliasesConfigLocation
-o: apache
-apacheServerName: internal
-##### single-value
-apacheDocumentRoot: /var/www/internal
-##### multi-value (optional)
-apacheServerAlias: www.somedomain.com
-apacheServerAlias: www.internal
-##### whether aliases objects search should be performed
-##### for requests to this host (aliases are assigned
-##### to webserver and its uri name (virtual location)
-##### with this you can keep pointers to config objects assigned,
-##### but turn them off for vhost - if you set next two attrs
-##### to FALSE, location and aliases won't be searched for it,
-##### althoug *OptionsDn exists
-apacheAliasesConfigEnabled: TRUE
-apacheExtConfigHasRequireLine: TRUE
-##### next two are multi values, which mean you can define
-##### many aliases and many protected location for vhost
-apacheAliasConfigOptionsDn: apacheAliasConfigObjectName=internal vhost alias one,ou=webAliases,dc=foo,dc=bar
-apacheLocationOptionsDn: apacheExtConfigObjectName=internal vhost access control,ou=webAccess,dc=foo,dc=bar
-
-##### heads up - access control configuration object
-dn: apacheExtConfigObjectName=internal vhost access control,ou=webAccess,dc=foo,dc=bar
-objectClass: organization
-objectClass: top
-##### required to work
-objectClass: apacheExtendedConfigObject
-o: apache
-##### next attribute determines whether this
-##### configuration objects is of type "require valid-user" (TRUE)
-##### or "Require user1 user2 user3". This is actually related
-##### for user object search. if you set to true, lookup will
-##### search for userobjects which are under WucBaseDn
-##### and have userobjectservername set to alias or servername
-##### of current vhost, if you set to false, apacheExtConfigUserDn
-##### will be processed to get userlist ("Require user1,user2,user3...")
-##### Require group usergroup not implemented yet
-apacheExtConfigRequireValidUser: TRUE
-##### this is usually naming attribute in the tree, anyway
-##### this is the value which appears in http auth prompt dialog
-apacheExtConfigObjectName: internal vhost access control
-##### now - in this example, this access object keep access config
-##### of two kinds, per-location and per-directory. Next two
-##### attributes specified per-location assignment - perlocation
-##### access control will search for object which has current req servername
-##### and current req Uri. It is planned to be able to specify regexp
-##### as configUri and configPath, however it's not implemented yet.
-apacheExtConfigServerName: internal
-apacheExtConfigUri: /locationprotected
-apacheExtConfigPath: /var/www/internal/protected
-##### and one above is searched for every request, compared to request r->filename,
-##### no matter what's current vhost servername is.
-##### You can have any combination of these three lines including none of them.
-##### this object in general actually determines authorized users for resource,
-##### so you can have some userlist specification for many servernames and aliases,
-##### many uris (locations), and for many directories in the same object.
-##### you should only remember, that for perlocation access config
-##### servername/serveralias AND extConfigUri is matched, and for perdirectory
-##### only extConfigPath is searched.
-##### and the last piece of the puzzle - if requirevaliduser is set to TRUE
-##### (meaning access control entry of type "Require valid-user" and any
-##### userobject which have servername and uri assigned is accepted
-##### if requirevaliduser is set to FALSE, (the meaning is:
-##### "<this acl objectis NOT "Require valid-user">, which actually equals to:
-##### <this acl object is "Require user1 user2 user3">)
-##### list of attribute values for the following directive is processed.
-apacheExtConfigUserDn: apacheExtConfigUserName=pwadas,ou=People,dc=foo,dc=bar
-apacheExtConfigUserDn: apacheExtConfigUserName=otherUser,ou=People,dc=foo,dc=bar
-##### and, of course, you can have multiple values for this attribute
-##### (final list contains multiple usernames). Remember - username "nobody" is
-##### a special username, which is always appended to the result list, to avoid
-##### case, when you specify extConfigRequireValidUser to FALSE and do not specify
-##### any usernames (valid list <"require user" '[username] ...'> passed to apache
-##### must include at list one username. so creating user object entry
-##### with extConfigUserName "nobody" is not recommended as it's always appended
-##### to the list.
-
-##### username object
-dn: apacheExtConfigUserName=pwadas,ou=People,dc=foo,dc=bar
-##### these object must contain one or more values for UserName attribute.
-##### keeping one value which should be naming attribute is recommended,
-##### however you can specify many loginnames for one user.
-##### If you create two userobject entries, and both of them will have
-##### attribute apacheExtConfigUserName with the value "johnny"
-##### (this may be hidden if UserName is not naming attribute)
-##### password will be matched ONLY against first entry found.
-##### which one will be found first when lookup is done with
-##### "(username=XXX)(servername=YYY)(uri=ZZZ)" is hard to predict,
-##### consult with openldap documentation, and watch the filter used.
-##### on the other hand - you can still have to userobjects with
-##### the same names for per-location access control, and if
-##### these object have different servernames - appropriate one
-##### will be found.
-apacheExtConfigUserName: pwadas
-apacheExtConfigUserName: someotherusername
-o: apache
-objectClass: organization
-objectClass: top
-##### this is required of course
-objectClass: apacheExtendedConfigUserObject
-##### now - you can have multiple passwords for one userobject
-##### no matter how many usernames it contains.
-##### recognized password format is cleartext,
-##### standard htpasswd-encrypted string (stored as cleartext)
-##### and linux-shadowlike value stored as {CRYPT}. This means,
-##### that you can combine posixAccount with webuser object,
-##### if you create object with appropriate classes, and
-##### userPassword attribute is the same for both classes.
-##### however in such situation extendedconfigUserName is
-##### still required and multi-value :-), so you'll probably want
-##### keep posixAccount's "uid" and this have at least one the same value.
-##### of course this applies to any attribute which you map
-##### as "uid" in libnss-ldap configuration. with mod-vhost-ldap
-##### ONLY extConfigUserName is searched.
-userPassword: www
-userPassword: p00nQ0ftSC5cU
-userPassword: {CRYPT}$1$RG.pRvZh$Q0WZ8clsqtMUBRLFckoQg1
-##### one username object may contain multiple values
-##### for URI's and directories. which mean you can apply
-##### the same userobject to many resources. however
-##### with LocationUri, appropriate configUserServername must be
-##### defined to have this userobject matched with search lookup.
-apacheExtConfigUserDirectoryName: /var/www/internal/protected
-apacheExtConfigUserServerName: www.internal
-apacheExtConfigUserLocationUri: /protecteduri/
-
-##### and the most simple thing - aliasing object
-##### ObjectName has only naming usage, if any, as aliases
-##### doesn't have "prompts". however object must have some logical
-##### name, and uri or target is not a good choice - first because
-##### it always contain at least one "/", and second - it can
-##### have many values for sourceUri, so specifying it as naming
-##### attribute will always mask other values.
-dn: apacheAliasConfigObjectName=internal vhost alias one,ou=webAliases,dc=foo,dc=bar
-objectClass: organization
-objectClass: top
-objectClass: apacheAliasConfigObject
-o: apache
-apacheAliasConfigObjectName: internal vhost alias one
-##### you can alias multiple uri's to one physical directory
-apacheAliasConfigSourceUri: /abcd/x
-apacheAliasConfigSourceUri: /some/url/anywhere
-##### remember - for aliases to work, you must specify at least
-##### one servername, as aliases (virtual uri's) are always
-##### related to virtualhost. anyway, if you specify multiple
-##### servername, the result will be the same uri for many
-##### virtualhosts, assigned to the same physical directory.
-##### with multiple servername, the same issues applied
-##### as with multiple loginnames - if it's not naming attribute
-##### you may get messed with many objects describing the same
-##### uri for the same vhost (multiple pairs for uri+servername).
-##### in this case first one found will be returned applied.
-##### (lookup is done in the way which returns ONE entry only).
-##### original mod_alias supports regular expression to specify
-##### this, in modvhostldap regexp is not supported yet.
-##### it's planned to be able to define regexp for servername and uri,
-##### and this will be even more flexible than original, as
-##### with original you can have regexp for uri only, and vhost
-##### is determined by context to which directive AliasMatch apply.
-apacheAliasConfigServerName: internal
-apacheAliasConfigServerName: www.someotherhost.com
-##### target dir is single-value. It could be multiple-value,
-##### to be able to store different pairs with one object, however
-##### on the other hand specifiying two or more physical directories
-##### for one URI doesn't make much sense, so to avoid mess
-##### it's single value.
-apacheAliasConfigTargetDir: /var/www/internal/protected
-##### and that's all folks :)
andersk / mod-vhost-ldap.git / blobdiff