From: Piotr Wadas Date: Wed, 19 Jul 2006 14:12:14 +0000 (+0000) Subject: git-svn-id: svn://svn.debian.org/svn/modvhostldap/branches/ext-config/mod-vhost-ldap... X-Git-Url: http://andersk.mit.edu/gitweb/mod-vhost-ldap.git/commitdiff_plain/ccf5403d7065ea419ce3e718599ca1ed90126f24 git-svn-id: svn://svn.debian.org/svn/modvhostldap/branches/ext-config/mod-vhost-ldap@53 4dd36cbf-e3fd-0310-983d-db0e06859cf4 --- diff --git a/examples/README.apacheExtConfigRequireValidUser-details b/examples/README.apacheExtConfigRequireValidUser-details deleted file mode 100644 index d57037b..0000000 --- a/examples/README.apacheExtConfigRequireValidUser-details +++ /dev/null @@ -1,258 +0,0 @@ -##################################################################### -##################################################################### -##################################################################### -######## mod_vhost_ldap version 2.0.3 or later ###################### -##################################################################### - - This file contains further considerations and usage examples -of single-value access control entry attribute named -"apacheExtConfigRequireValidUser". Handling of user "validity" is -quite complicated and a little bit different than you could expect, -so even I make sometimes misunderstanding if its current implemen- -tation if this feature. - -I'm going to explain here, how user validity is related to -TWO types of resources, to which access control may be defined: - -I. Location access control (sometimes referred as uri access control, -or virtual host access control) -II. Directory access control (sometimes referred as physical location -access control, or virtualhost-independent access control). - -Resource, depending on case, may mean "location" or "directory", -or "both/no matter which kind of goods" :-). - -"Access control" usually means authentication + authorization (for -polish readers - "uwierzytelnianie" and "autoryzacja"). - -Authentication concerns about various ways of checking validity -of username/password pair. It includes checking whether user -exists in user-information source, and whether supplied password -is valid for supplied user. There are hundreds of methods to -perform such tasks and apache supports many of them. However, -mod_vhost_ldap currently support ONLY "basic" authentication, -which conforms to checking whether user exists and whether applied -password is correct for applied username. Some authentication -methods may be used for authentication and authorization, some -of them cannot (in some situation some information e.g. "realm" -provided by clients with authentication are used to authorize -them, sometimes not), however with modvhostldap authentication -and authorization are two different things. - -Authorization concerns about checking whether particular user is -authorized to connect/use particular resource or particular -kind of resource.Depending on authorization configuration, -a resource may be available only to authenticated users, or -for authenticated and not-authenticated users. Here we -take care only about resources which are available only for -authenticated users, so every not-authenticated user is not -authorized to access particular resources. We don't discuss -resources that don't need users to be authenticated to determine -whether they're authorized or not, and vice versa - we assume, -that every resource which has authentication defined, has -user authorization status determined in some way, which will -be explained below. - -Authentication is most simple of all of this - authenticated -user is a user which provided username and password, and -the pair was verified in some way. Http authentication status -information is then kept in http headers (usually until -browser or browser-window is not reopened, depending on browser. - -First we define what's actually defined by access control entry, -and what is NOT defined by access control entry. - -In both cases, (location and directory) access control entry -defines whether particular resource is protected, however -with directory, existing access entry means that directory -has access control, and for location, existing access entry -means,that location is protected if and only if virtual host -has access control enabled. you can enable/disable location access -control for virtualhost, no matter whether access control -entry for this location exists - on virtual host configuration -level, by setting apacheExtConfigHasRequireLine attribute to -TRUE or FALSE. if this attribute for vhost is FALSE, location -access control won't be checked at all. -Directory access control is always checked, no matter, whether -virtualhost has access control enabled, or not. LAC is configured -against particular address on (with) particular virtual server, DAC -is configured against physical location of the resource, no matter -whether it is accessed by some alias address, or some uri -directly available under virtual server directory tree. (www.internal.com/ and below). -Sometimes you may want particular file or directory -on the disk to be protected, no matter which way user tries -to access it, and sometimes you may want that some particular -URL to be protected, if its accessed via www.domain.com, but -opened e.g. from internal network (when it's accessed via www.inernal.com -virtualhost, which is available for internally-conected clients. - -Directory access control has higher level of importance than -location access control. Secured directory is secured no matter -under which location it's accessed. If you secure directory -as directory, and you secure location, location authentication -and authorization will be checked first, and if allowed, directory -authentication and authorization will be checked, and if -denied - user will be denied access. Authentication information -are stored somewhere in http headers, so once authenticated -user data will be passed to directory authentication. -if the same user is authorized to access directory, access -will be granted, if perlocation-authenticated user is not -authorized to access directory, a prompt for another -authentication data will be displayed. This may cause -to annoying results, as authentication information in http -headers would be probably replaced (?), and new values won't -match location requirements. However i'm not sure how this -works, I didn't tested it, it's possible that headers may contain -information for location and directory, anyway it's recommended to -avoiding such situation, to always have clearance which set of access -control settings are applied to the resource client wants access. -In doubt I suggest you to configure per-directory access control, -in almost all cases this is what you want. - - - -Now, for apache there are three ways in which user can be -authorized for resource: user may be valid-user, user may -be one of exactly defined authorized users, or user may -be member of authorized group. for details refer to apache documentation -of "Require" directives, anyway, modvhostldap currently -supports valid-user and userlist, and this is difference, -which is determined by apacheExtConfigRequireValidUser attribute. - -Location "Require" directive is created for -each request for each vhost which have has LAC enabled -(hasRequireLines = TRUE), and for which there's found -access control object, which has the same or higher -uri as its apacheExtConfigUri value. - -Directory Require directive is created -if there's found access control object, which has -the same or higher directory as its apacheExtConfigPath value. - -Let's assume that if we're processing per-location config -then servername of the http request is "internal", and uri of the -request is "/abcd/xyz/protected/" (so we have -http://internal/abcd/protected/xyz/" -First is checked whether "internal" HasRequireLines is TRUE. -If yes, then there's made a lookup for access control -entry, which has apacheExtConfigServerName value = internal -and apacheExtConfigUri value set to a value, -which is contained in '/abcd/protected/xyz' starting -from left. so access control objects which have -apacheExtConfigUri like: "/", "/abc", -"/abcd/xyz/protected" and "/abcd/xyz/protected/" -will match. Finally, if the full string is reached, -and access control object is not found, error is -reported - (access control configured but no -access control objects found), and access control -is not applied. - -And - other case - if we're processing per-directory config, -then match is made exactly the same way, except that -servername is not checked. If higher (shorter) or equal -directory value has acl object with this value - object -is matched. If full string is reached and object is not found, -access control is not applied, and no error is reported. - -Now ACL object, if found, is examined. -If apacheExtConfigRequireValidUser attribute for it -has value set to "TRUE", then -configuration is processed as "Require valid-user" -(access shoud be granted to any valid user). -analog directive, -If it's "FALSE", then configuration -is processed as "Require user ..." directive, userlist -is created, and access is granted to any valid user, -which username is on the list. -List, if needed, is created depending on values -of attribute apacheExtConfigUserDn which must in this -case contain full distinguished names of the users, -which should have access granted. Username "nobody" -is always appended first, before appending attribute -values (loginnames), to avoid situation, when -apacheExtConfigRequireValidUser = FALSE, and no apacheExtConfigUserDn -values exist in entry ("Require user" if defined, must contain at least one username). - -So access gets configured, and then it comes to authentication. -Further processing depends whether it's case I or II. -In case I - valid user, is user which matches the following filter: -(& - (_D_) - (objectClass=apacheExtendedConfigUserObject) - (apacheExtConfigUserServerName=_A_) - (apacheExtConfigUserLocationUri=_G_) -) - -and in case II -(& - (_D_) - (objectClass=apacheExtendedConfigUserObject) - (apacheExtConfigUserDirectoryName=_E_) -) - -where _D_ is global user-defined filter, and other attributes -have values the same as access control object. -More details about used filters and global -user-defined filter you'll find in vhost_ldap.conf - -Finally, in both cases, if access control object -has apacheExtConfigRequireValidUser = FALSE, user is authenticated, -loginname is found on the list, access is granted, or -of the apacheExtConfigRequireValidUser = TRUE,and user is authenticated, -access is granted, otherwise access is denied. -This final stage, in comparison to analog configuration files, -is the same as checking context in which particular user has been -defined - or . -Simply - with .htaccess context is determined based on -the location of the .htaccess file, in common configuration -context is determined by the context :-), and with ldap -context is determined by attributes of the particular webuser. - -For each user object, supplied password is checked against -as clear text, htpasswd format, or unix crypt format, and with -debug all of them are logged, and additionaly. information -which one matched (or none) is logged too. - -So, to be short at last - access control has particular precendence, -there are some differences between location and directory access -processing. You always need to specify inside userobject -for which resource it is valid, and, additionaly, if you set -apacheExtConfigRequireValidUser=FALSE, then you need to -put webuser object DN into apacheExtConfigUserDn attribute -of the access entry related to this resource. Applied -password is checked against mostly used formats. -And, you can have multiple locations, directories and servernames -for access config entries, and user entries, and (ugh), -you can have multiple access control entries for virtualhost(s). - -If you get into mess, and things doesn't work, you can disable -some part(s) of authentication process. any trouble with -authentication won't impact rest of virtualhost filesystem. -Aliased directiories are substituted first, so directory -access control entries will apply only to final real-directory -or file name. - -Aliasing match works similar way as Directory and Location -match - there's a try to find object which define targed physical -location for current URI, and this target (existing or not), -has precedence over (existing or not) URL part(s). -And you can have multiple aliases for virtualhost, and -multiple virtual URI's for one target. - -If you create entries, which coincidents, like two -alias object which specify the same url and vhost, but -different targets, or two uses with the same -logins and the same permissions but e.g. different passwords, -only first found will be used (each matching is done only once), -and it's hard to predict which one this would actually be. -Creating users without passwords at all, is avoided by -schema. - -Note, that all this stuff is of course checked before actual -resource is returned to browser, so any of alias targets, or -users defined as valid, doesn't need to be existing - if -they don't exist, finally some HTTP error will be returned, but -existence of objects doesn't affect processing itself. - -Have fun, feedback welcomed :) -PW. \ No newline at end of file diff --git a/examples/howto-faq-example-config.ldif b/examples/howto-faq-example-config.ldif deleted file mode 100644 index de51894..0000000 --- a/examples/howto-faq-example-config.ldif +++ /dev/null @@ -1,192 +0,0 @@ -########################################################################################## -########################################################################################## -############# SKIP COMMENTED LINES TO SEE PURE LDIF FILE ################################# -########################################################################################## -############# If particular access combination of pattern ####################### -############# [([location+servername]|[directoryname])+username]) ####################### -############# does not work, first consult actually used filters ####################### -############# presented in example vhost_ldap.conf, and then turn ####################### -############# debugging logging with apache. there's very much log ####################### -############# output, including configuration and uri parsing ####################### -############# and each search filter and retrieved variables ####################### -############# processing. ####################### -########################################################################################## -########################################################################################## - -##### webserver definition -dn: apacheServerName=internal,ou=virtualHosts,dc=foo,dc=bar -objectClass: top -objectClass: apacheConfig -objectClass: organization -##### object classess - for aliases and per-location auth -##### you must include these -objectClass: apacheExtendedConfigLocation -objectClass: apacheAliasesConfigLocation -o: apache -apacheServerName: internal -##### single-value -apacheDocumentRoot: /var/www/internal -##### multi-value (optional) -apacheServerAlias: www.somedomain.com -apacheServerAlias: www.internal -##### whether aliases objects search should be performed -##### for requests to this host (aliases are assigned -##### to webserver and its uri name (virtual location) -##### with this you can keep pointers to config objects assigned, -##### but turn them off for vhost - if you set next two attrs -##### to FALSE, location and aliases won't be searched for it, -##### althoug *OptionsDn exists -apacheAliasesConfigEnabled: TRUE -apacheExtConfigHasRequireLine: TRUE -##### next two are multi values, which mean you can define -##### many aliases and many protected location for vhost -apacheAliasConfigOptionsDn: apacheAliasConfigObjectName=internal vhost alias one,ou=webAliases,dc=foo,dc=bar -apacheLocationOptionsDn: apacheExtConfigObjectName=internal vhost access control,ou=webAccess,dc=foo,dc=bar - -##### heads up - access control configuration object -dn: apacheExtConfigObjectName=internal vhost access control,ou=webAccess,dc=foo,dc=bar -objectClass: organization -objectClass: top -##### required to work -objectClass: apacheExtendedConfigObject -o: apache -##### next attribute determines whether this -##### configuration objects is of type "require valid-user" (TRUE) -##### or "Require user1 user2 user3". This is actually related -##### for user object search. if you set to true, lookup will -##### search for userobjects which are under WucBaseDn -##### and have userobjectservername set to alias or servername -##### of current vhost, if you set to false, apacheExtConfigUserDn -##### will be processed to get userlist ("Require user1,user2,user3...") -##### Require group usergroup not implemented yet -apacheExtConfigRequireValidUser: TRUE -##### this is usually naming attribute in the tree, anyway -##### this is the value which appears in http auth prompt dialog -apacheExtConfigObjectName: internal vhost access control -##### now - in this example, this access object keep access config -##### of two kinds, per-location and per-directory. Next two -##### attributes specified per-location assignment - perlocation -##### access control will search for object which has current req servername -##### and current req Uri. It is planned to be able to specify regexp -##### as configUri and configPath, however it's not implemented yet. -apacheExtConfigServerName: internal -apacheExtConfigUri: /locationprotected -apacheExtConfigPath: /var/www/internal/protected -##### and one above is searched for every request, compared to request r->filename, -##### no matter what's current vhost servername is. -##### You can have any combination of these three lines including none of them. -##### this object in general actually determines authorized users for resource, -##### so you can have some userlist specification for many servernames and aliases, -##### many uris (locations), and for many directories in the same object. -##### you should only remember, that for perlocation access config -##### servername/serveralias AND extConfigUri is matched, and for perdirectory -##### only extConfigPath is searched. -##### and the last piece of the puzzle - if requirevaliduser is set to TRUE -##### (meaning access control entry of type "Require valid-user" and any -##### userobject which have servername and uri assigned is accepted -##### if requirevaliduser is set to FALSE, (the meaning is: -##### ", which actually equals to: -##### ) -##### list of attribute values for the following directive is processed. -apacheExtConfigUserDn: apacheExtConfigUserName=pwadas,ou=People,dc=foo,dc=bar -apacheExtConfigUserDn: apacheExtConfigUserName=otherUser,ou=People,dc=foo,dc=bar -##### and, of course, you can have multiple values for this attribute -##### (final list contains multiple usernames). Remember - username "nobody" is -##### a special username, which is always appended to the result list, to avoid -##### case, when you specify extConfigRequireValidUser to FALSE and do not specify -##### any usernames (valid list <"require user" '[username] ...'> passed to apache -##### must include at list one username. so creating user object entry -##### with extConfigUserName "nobody" is not recommended as it's always appended -##### to the list. - -##### username object -dn: apacheExtConfigUserName=pwadas,ou=People,dc=foo,dc=bar -##### these object must contain one or more values for UserName attribute. -##### keeping one value which should be naming attribute is recommended, -##### however you can specify many loginnames for one user. -##### If you create two userobject entries, and both of them will have -##### attribute apacheExtConfigUserName with the value "johnny" -##### (this may be hidden if UserName is not naming attribute) -##### password will be matched ONLY against first entry found. -##### which one will be found first when lookup is done with -##### "(username=XXX)(servername=YYY)(uri=ZZZ)" is hard to predict, -##### consult with openldap documentation, and watch the filter used. -##### on the other hand - you can still have to userobjects with -##### the same names for per-location access control, and if -##### these object have different servernames - appropriate one -##### will be found. -apacheExtConfigUserName: pwadas -apacheExtConfigUserName: someotherusername -o: apache -objectClass: organization -objectClass: top -##### this is required of course -objectClass: apacheExtendedConfigUserObject -##### now - you can have multiple passwords for one userobject -##### no matter how many usernames it contains. -##### recognized password format is cleartext, -##### standard htpasswd-encrypted string (stored as cleartext) -##### and linux-shadowlike value stored as {CRYPT}. This means, -##### that you can combine posixAccount with webuser object, -##### if you create object with appropriate classes, and -##### userPassword attribute is the same for both classes. -##### however in such situation extendedconfigUserName is -##### still required and multi-value :-), so you'll probably want -##### keep posixAccount's "uid" and this have at least one the same value. -##### of course this applies to any attribute which you map -##### as "uid" in libnss-ldap configuration. with mod-vhost-ldap -##### ONLY extConfigUserName is searched. -userPassword: www -userPassword: p00nQ0ftSC5cU -userPassword: {CRYPT}$1$RG.pRvZh$Q0WZ8clsqtMUBRLFckoQg1 -##### one username object may contain multiple values -##### for URI's and directories. which mean you can apply -##### the same userobject to many resources. however -##### with LocationUri, appropriate configUserServername must be -##### defined to have this userobject matched with search lookup. -apacheExtConfigUserDirectoryName: /var/www/internal/protected -apacheExtConfigUserServerName: www.internal -apacheExtConfigUserLocationUri: /protecteduri/ - -##### and the most simple thing - aliasing object -##### ObjectName has only naming usage, if any, as aliases -##### doesn't have "prompts". however object must have some logical -##### name, and uri or target is not a good choice - first because -##### it always contain at least one "/", and second - it can -##### have many values for sourceUri, so specifying it as naming -##### attribute will always mask other values. -dn: apacheAliasConfigObjectName=internal vhost alias one,ou=webAliases,dc=foo,dc=bar -objectClass: organization -objectClass: top -objectClass: apacheAliasConfigObject -o: apache -apacheAliasConfigObjectName: internal vhost alias one -##### you can alias multiple uri's to one physical directory -apacheAliasConfigSourceUri: /abcd/x -apacheAliasConfigSourceUri: /some/url/anywhere -##### remember - for aliases to work, you must specify at least -##### one servername, as aliases (virtual uri's) are always -##### related to virtualhost. anyway, if you specify multiple -##### servername, the result will be the same uri for many -##### virtualhosts, assigned to the same physical directory. -##### with multiple servername, the same issues applied -##### as with multiple loginnames - if it's not naming attribute -##### you may get messed with many objects describing the same -##### uri for the same vhost (multiple pairs for uri+servername). -##### in this case first one found will be returned applied. -##### (lookup is done in the way which returns ONE entry only). -##### original mod_alias supports regular expression to specify -##### this, in modvhostldap regexp is not supported yet. -##### it's planned to be able to define regexp for servername and uri, -##### and this will be even more flexible than original, as -##### with original you can have regexp for uri only, and vhost -##### is determined by context to which directive AliasMatch apply. -apacheAliasConfigServerName: internal -apacheAliasConfigServerName: www.someotherhost.com -##### target dir is single-value. It could be multiple-value, -##### to be able to store different pairs with one object, however -##### on the other hand specifiying two or more physical directories -##### for one URI doesn't make much sense, so to avoid mess -##### it's single value. -apacheAliasConfigTargetDir: /var/www/internal/protected -##### and that's all folks :) diff --git a/examples/indexes b/examples/indexes deleted file mode 100644 index 420c07f..0000000 --- a/examples/indexes +++ /dev/null @@ -1,17 +0,0 @@ -index apacheExtConfigServerName pres,eq,sub -index apacheExtConfigUri pres,eq,sub -index apacheExtConfigPath pres,eq,sub -index apacheAliasConfigSourceUri pres,eq,sub -index apacheAliasConfigTargetDir pres,eq,sub -index apacheAliasConfigServerName pres,eq,sub -index apacheDocumentRoot pres,eq -index apacheExtConfigObjectName pres,eq -index apacheExtConfigRequireValidUser pres,eq -index apacheExtConfigUserDn pres,eq -index apacheExtConfigUserServerName pres,eq -index apacheLocationOptionsDn pres,eq -index apacheAliasConfigOptionsDn pres,eq -index apacheAliasConfigObjectName pres,eq -index apacheServerAdmin pres,eq -index apacheServerAlias pres,eq -index apacheServerName pres,eq \ No newline at end of file diff --git a/examples/slapd.conf b/examples/slapd.conf deleted file mode 100644 index 0ada828..0000000 --- a/examples/slapd.conf +++ /dev/null @@ -1,62 +0,0 @@ -#TLSCipherSuite HIGH:MEDIUM:+SSLv3 -#TLSCertificateFile /etc/ldap/TLS/ldapserver.crt -#TLSCertificateKeyFile /etc/ldap/TLS/ldapserver.key -#TLSCACertificateFile /etc/ldap/TLS/ca.crt - -#allow bind_v2 -disallow bind_anon tls_2_anon - -include /etc/ldap/schema/core.schema -include /etc/ldap/schema/cosine.schema -include /etc/ldap/schema/nis.schema -include /etc/ldap/schema/inetorgperson.schema -include /etc/ldap/schema/misc.schema -include /etc/ldap/schema/local.schema -include /etc/ldap/schema/mod_vhost_ldap.schema -include /etc/ldap/schema/apache_ext.schema -include /etc/ldap/schema/apache_alias.schema - -pidfile /var/run/slapd/slapd.pid -argsfile /var/run/slapd.args -modulepath /usr/lib/ldap -moduleload back_bdb -backend bdb -schemacheck on - -checkpoint 1 5 - -#sum values as ldap level -# 1 trace function calls -# 2 debug packet handling -# 4 heavy trace debugging -# 8 connection management -# 16 print out packets sent and received -# 32 search filter processing -# 64 configuration file processing -# 128 access control list processing -# 256 stats log connections/operations/results -# 512 stats log entries sent -# 1024 print communication with shell backends -# 2048 entry parsing - -#loglevel 768 -loglevel 0 - -database bdb -lastmod on -suffix "dc=ROOT" -directory "/var/lib/ldap" -sizelimit unlimited -timelimit unlimited - -include /etc/ldap/indexes - -rootdn "cn=admin,dc=foo,dc=bar" - -access to dn.base="" - by * read - -access to * - by dn="cn=admin,dc=foo,dc=bar" - by dn="cn=nobody,dc=foo,dc=bar" read - by * none diff --git a/examples/vhost_ldap.conf b/examples/vhost_ldap.conf deleted file mode 100644 index 495364d..0000000 --- a/examples/vhost_ldap.conf +++ /dev/null @@ -1,55 +0,0 @@ -### mod_vhost_ldap depends on mod_ldap ### -### you have to enable mod_ldap as well ### -### and probably set various cache options for it ### - -###scope values: base, one, sub -###deref values: never, finding, searching, always -###remember, user specified filter is checked as RFC-defined ldap filter before substitution -###user filter specified here results with following internal filters and variables: -### _A_ is the server name from the request (vhost server name to find) -### _B_ is the uri for which access control is to be determined -### _C_ is the name of the require valid-user directive (auth prompt message) -### _D_ is the the user-defined filter -### _E_ is the protected physical directory (doesn't need to be existing file or dir) -### _F_ is the alias location uri -### _G_ is the protected uri for which access control is to be determined (see _E_) -### _H_ is the alias uri which is to be aliased to specified directory -### Each use of search filter is logged with debug level - -##################################################################### -### Vhost search -### (&(_D_)(|(apacheServerName=_A_)(apacheServerAlias=_A_))) -##################################################################### -### Protected Location Search -### (&(_D_)(apacheExtConfigServerName=_A_)(apacheExtConfigUri=_B_)) -##################################################################### -### Protected Directory Search -### (&(_D_)(apacheExtConfigPath=_E_)) -##################################################################### -### Alias Object Search -### (&(_D_)(apacheAliasConfigServerName=_A_)(apacheAliasConfigSourceUri=_H_)) -##################################################################### -### Web user Location Search -### (&(_D_)(objectClass=apacheExtendedConfigUserObject)(apacheExtConfigUserServerName=_A_)(apacheExtConfigUserLocationUri=_G_)) -##################################################################### -### Web user Directory Search -### (&(_D_)(objectClass=apacheExtendedConfigUserObject)(apacheExtConfigUserDirectoryName=_E_)) -################################## - -### ldap[si]://host[:port]/basedn[?attrib[?scope[?filter]]] - - VhostLdapEnabled On - VhostLdapUrl ldap[si]://host[:port]/basedn[?attrib[?scope[?filter]]] - #VhostLdapUrl ldap://hostname:389/dc=foo,dc=bar?*?sub?objectClass=activeObject - VhostLdapBindDn "cn=read only apache admin,dc=foo,dc=bar" - VhostLdapBindPw "secretpassword" - VhostLdapWlcBaseDn "ou=webAccess,dc=foo,dc=bar" - VhostLdapWucBaseDn "ou=webAccounts,dc=foo,dc=bar" - VhostLdapAliasesBaseDn "ou=webAliases,dc=foo,dc=bar" - VhostLdapDeref "never" - VhostLdapFallback default - VhostAliasesEnabled On - VhostLocAuthEnabled On - VhostDirAuthEnabled On - -