1<?xml version="1.0" encoding="ISO-8859-1"?> 2<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> 3<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!-- 4 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 5 This file is generated from xml source: DO NOT EDIT 6 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 7 --> 8<title>mod_ldap - Apache HTTP Server</title> 9<link href="/style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" /> 10<link href="/style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" /> 11<link href="/style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="/style/css/prettify.css" /> 12<script src="/style/scripts/prettify.min.js" type="text/javascript"> 13</script> 14 15<link href="/images/favicon.ico" rel="shortcut icon" /></head> 16<body> 17<div id="page-header"> 18<p class="menu"><a href="/mod/">Modules</a> | <a href="/mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="/glossary.html">Glossary</a> | <a href="/sitemap.html">Sitemap</a></p> 19<p class="apache">Apache HTTP Server Version 2.4</p> 20<img alt="" src="/images/feather.gif" /></div> 21<div class="up"><a href="./"><img title="<-" alt="<-" src="/images/left.gif" /></a></div> 22<div id="path"> 23<a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs/">Documentation</a> > <a href="../">Version 2.4</a> > <a href="./">Modules</a></div> 24<div id="page-content"> 25<div id="preamble"><h1>Apache Module mod_ldap</h1> 26<div class="toplang"> 27<p><span>Available Languages: </span><a href="/en/mod/mod_ldap.html" title="English"> en </a> | 28<a href="/fr/mod/mod_ldap.html" hreflang="fr" rel="alternate" title="Fran�ais"> fr </a></p> 29</div> 30<table class="module"><tr><th><a href="module-dict.html#Description">Description:</a></th><td>LDAP connection pooling and result caching services for use 31by other LDAP modules</td></tr> 32<tr><th><a href="module-dict.html#Status">Status:</a></th><td>Extension</td></tr> 33<tr><th><a href="module-dict.html#ModuleIdentifier">Module�Identifier:</a></th><td>ldap_module</td></tr> 34<tr><th><a href="module-dict.html#SourceFile">Source�File:</a></th><td>util_ldap.c</td></tr></table> 35<h3>Summary</h3> 36 37 <p>This module was created to improve the performance of 38 websites relying on backend connections to LDAP servers. In 39 addition to the functions provided by the standard LDAP 40 libraries, this module adds an LDAP connection pool and an LDAP 41 shared memory cache.</p> 42 43 <p>To enable this module, LDAP support must be compiled into 44 apr-util. This is achieved by adding the <code>--with-ldap</code> 45 flag to the <code class="program"><a href="/programs/configure.html">configure</a></code> script when building 46 Apache.</p> 47 48 <p>SSL/TLS support is dependent on which LDAP toolkit has been 49 linked to <a class="glossarylink" href="/glossary.html#apr" title="see glossary">APR</a>. As of this writing, APR-util supports: 50 <a href="http://www.openldap.org/">OpenLDAP SDK</a> (2.x or later), 51 <a href="http://developer.novell.com/ndk/cldap.htm">Novell LDAP 52 SDK</a>, <a href="https://wiki.mozilla.org/LDAP_C_SDK"> 53 Mozilla LDAP SDK</a>, native Solaris LDAP SDK (Mozilla based) or the 54 native Microsoft LDAP SDK. See the <a href="http://apr.apache.org">APR</a> 55 website for details.</p> 56 57</div> 58<div id="quickview"><h3 class="directives">Directives</h3> 59<ul id="toc"> 60<li><img alt="" src="/images/down.gif" /> <a href="#ldapcacheentries">LDAPCacheEntries</a></li> 61<li><img alt="" src="/images/down.gif" /> <a href="#ldapcachettl">LDAPCacheTTL</a></li> 62<li><img alt="" src="/images/down.gif" /> <a href="#ldapconnectionpoolttl">LDAPConnectionPoolTTL</a></li> 63<li><img alt="" src="/images/down.gif" /> <a href="#ldapconnectiontimeout">LDAPConnectionTimeout</a></li> 64<li><img alt="" src="/images/down.gif" /> <a href="#ldaplibrarydebug">LDAPLibraryDebug</a></li> 65<li><img alt="" src="/images/down.gif" /> <a href="#ldapopcacheentries">LDAPOpCacheEntries</a></li> 66<li><img alt="" src="/images/down.gif" /> <a href="#ldapopcachettl">LDAPOpCacheTTL</a></li> 67<li><img alt="" src="/images/down.gif" /> <a href="#ldapreferralhoplimit">LDAPReferralHopLimit</a></li> 68<li><img alt="" src="/images/down.gif" /> <a href="#ldapreferrals">LDAPReferrals</a></li> 69<li><img alt="" src="/images/down.gif" /> <a href="#ldapretries">LDAPRetries</a></li> 70<li><img alt="" src="/images/down.gif" /> <a href="#ldapretrydelay">LDAPRetryDelay</a></li> 71<li><img alt="" src="/images/down.gif" /> <a href="#ldapsharedcachefile">LDAPSharedCacheFile</a></li> 72<li><img alt="" src="/images/down.gif" /> <a href="#ldapsharedcachesize">LDAPSharedCacheSize</a></li> 73<li><img alt="" src="/images/down.gif" /> <a href="#ldaptimeout">LDAPTimeout</a></li> 74<li><img alt="" src="/images/down.gif" /> <a href="#ldaptrustedclientcert">LDAPTrustedClientCert</a></li> 75<li><img alt="" src="/images/down.gif" /> <a href="#ldaptrustedglobalcert">LDAPTrustedGlobalCert</a></li> 76<li><img alt="" src="/images/down.gif" /> <a href="#ldaptrustedmode">LDAPTrustedMode</a></li> 77<li><img alt="" src="/images/down.gif" /> <a href="#ldapverifyservercert">LDAPVerifyServerCert</a></li> 78</ul> 79<h3>Topics</h3> 80<ul id="topics"> 81<li><img alt="" src="/images/down.gif" /> <a href="#exampleconfig">Example Configuration</a></li> 82<li><img alt="" src="/images/down.gif" /> <a href="#pool">LDAP Connection Pool</a></li> 83<li><img alt="" src="/images/down.gif" /> <a href="#cache">LDAP Cache</a></li> 84<li><img alt="" src="/images/down.gif" /> <a href="#usingssltls">Using SSL/TLS</a></li> 85<li><img alt="" src="/images/down.gif" /> <a href="#settingcerts">SSL/TLS Certificates</a></li> 86</ul><ul class="seealso"><li><a href="#comments_section">Comments</a></li></ul></div> 87<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 88<div class="section"> 89<h2><a name="exampleconfig" id="exampleconfig">Example Configuration</a></h2> 90 <p>The following is an example configuration that uses 91 <code class="module"><a href="/mod/mod_ldap.html">mod_ldap</a></code> to increase the performance of HTTP Basic 92 authentication provided by <code class="module"><a href="/mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code>.</p> 93 94 <pre class="prettyprint lang-config"># Enable the LDAP connection pool and shared 95# memory cache. Enable the LDAP cache status 96# handler. Requires that mod_ldap and mod_authnz_ldap 97# be loaded. Change the "yourdomain.example.com" to 98# match your domain. 99 100LDAPSharedCacheSize 500000 101LDAPCacheEntries 1024 102LDAPCacheTTL 600 103LDAPOpCacheEntries 1024 104LDAPOpCacheTTL 600 105 106<Location /ldap-status> 107 SetHandler ldap-status 108 109 Require host yourdomain.example.com 110 111 Satisfy any 112 AuthType Basic 113 AuthName "LDAP Protected" 114 AuthBasicProvider ldap 115 AuthLDAPURL ldap://127.0.0.1/dc=example,dc=com?uid?one 116 Require valid-user 117</Location></pre> 118 119</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 120<div class="section"> 121<h2><a name="pool" id="pool">LDAP Connection Pool</a></h2> 122 123 <p>LDAP connections are pooled from request to request. This 124 allows the LDAP server to remain connected and bound ready for 125 the next request, without the need to unbind/connect/rebind. 126 The performance advantages are similar to the effect of HTTP 127 keepalives.</p> 128 129 <p>On a busy server it is possible that many requests will try 130 and access the same LDAP server connection simultaneously. 131 Where an LDAP connection is in use, Apache will create a new 132 connection alongside the original one. This ensures that the 133 connection pool does not become a bottleneck.</p> 134 135 <p>There is no need to manually enable connection pooling in 136 the Apache configuration. Any module using this module for 137 access to LDAP services will share the connection pool.</p> 138 139 <p>LDAP connections can keep track of the ldap client 140 credentials used when binding to an LDAP server. These 141 credentials can be provided to LDAP servers that do not 142 allow anonymous binds during referral chasing. To control 143 this feature, see the 144 <code class="directive"><a href="#ldapreferrals">LDAPReferrals</a></code> and 145 <code class="directive"><a href="#ldapreferralhoplimit">LDAPReferralHopLimit</a></code> 146 directives. By default, this feature is enabled.</p> 147</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 148<div class="section"> 149<h2><a name="cache" id="cache">LDAP Cache</a></h2> 150 151 <p>For improved performance, <code class="module"><a href="/mod/mod_ldap.html">mod_ldap</a></code> uses an aggressive 152 caching strategy to minimize the number of times that the LDAP 153 server must be contacted. Caching can easily double or triple 154 the throughput of Apache when it is serving pages protected 155 with mod_authnz_ldap. In addition, the load on the LDAP server 156 will be significantly decreased.</p> 157 158 <p><code class="module"><a href="/mod/mod_ldap.html">mod_ldap</a></code> supports two types of LDAP caching during 159 the search/bind phase with a <em>search/bind cache</em> and 160 during the compare phase with two <em>operation 161 caches</em>. Each LDAP URL that is used by the server has 162 its own set of these three caches.</p> 163 164 <h3><a name="search-bind" id="search-bind">The Search/Bind Cache</a></h3> 165 <p>The process of doing a search and then a bind is the 166 most time-consuming aspect of LDAP operation, especially if 167 the directory is large. The search/bind cache is used to 168 cache all searches that resulted in successful binds. 169 Negative results (<em>i.e.</em>, unsuccessful searches, or searches 170 that did not result in a successful bind) are not cached. 171 The rationale behind this decision is that connections with 172 invalid credentials are only a tiny percentage of the total 173 number of connections, so by not caching invalid 174 credentials, the size of the cache is reduced.</p> 175 176 <p><code class="module"><a href="/mod/mod_ldap.html">mod_ldap</a></code> stores the username, the DN 177 retrieved, the password used to bind, and the time of the bind 178 in the cache. Whenever a new connection is initiated with the 179 same username, <code class="module"><a href="/mod/mod_ldap.html">mod_ldap</a></code> compares the password 180 of the new connection with the password in the cache. If the 181 passwords match, and if the cached entry is not too old, 182 <code class="module"><a href="/mod/mod_ldap.html">mod_ldap</a></code> bypasses the search/bind phase.</p> 183 184 <p>The search and bind cache is controlled with the <code class="directive"><a href="#ldapcacheentries">LDAPCacheEntries</a></code> and <code class="directive"><a href="#ldapcachettl">LDAPCacheTTL</a></code> directives.</p> 185 186 187 <h3><a name="opcaches" id="opcaches">Operation Caches</a></h3> 188 <p>During attribute and distinguished name comparison 189 functions, <code class="module"><a href="/mod/mod_ldap.html">mod_ldap</a></code> uses two operation caches 190 to cache the compare operations. The first compare cache is 191 used to cache the results of compares done to test for LDAP 192 group membership. The second compare cache is used to cache 193 the results of comparisons done between distinguished 194 names.</p> 195 196 <p>Note that, when group membership is being checked, any sub-group 197 comparison results are cached to speed future sub-group comparisons.</p> 198 199 <p>The behavior of both of these caches is controlled with 200 the <code class="directive"><a href="#ldapopcacheentries">LDAPOpCacheEntries</a></code> 201 and <code class="directive"><a href="#ldapopcachettl">LDAPOpCacheTTL</a></code> 202 directives.</p> 203 204 205 <h3><a name="monitoring" id="monitoring">Monitoring the Cache</a></h3> 206 <p><code class="module"><a href="/mod/mod_ldap.html">mod_ldap</a></code> has a content handler that allows 207 administrators to monitor the cache performance. The name of 208 the content handler is <code>ldap-status</code>, so the 209 following directives could be used to access the 210 <code class="module"><a href="/mod/mod_ldap.html">mod_ldap</a></code> cache information:</p> 211 212 <pre class="prettyprint lang-config"><Location /server/cache-info> 213 SetHandler ldap-status 214</Location></pre> 215 216 217 <p>By fetching the URL <code>http://servername/cache-info</code>, 218 the administrator can get a status report of every cache that is used 219 by <code class="module"><a href="/mod/mod_ldap.html">mod_ldap</a></code> cache. Note that if Apache does not 220 support shared memory, then each <code class="program"><a href="/programs/httpd.html">httpd</a></code> instance has its 221 own cache, so reloading the URL will result in different 222 information each time, depending on which <code class="program"><a href="/programs/httpd.html">httpd</a></code> 223 instance processes the request.</p> 224 225</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 226<div class="section"> 227<h2><a name="usingssltls" id="usingssltls">Using SSL/TLS</a></h2> 228 229 <p>The ability to create an SSL and TLS connections to an LDAP server 230 is defined by the directives 231 <code class="directive"><a href="#ldaptrustedglobalcert">LDAPTrustedGlobalCert</a></code>, 232 <code class="directive"><a href="#ldaptrustedclientcert">LDAPTrustedClientCert</a></code> 233 and <code class="directive"><a href="#ldaptrustedmode">LDAPTrustedMode</a></code>. 234 These directives specify the CA and optional client certificates to be used, 235 as well as the type of encryption to be used on the connection (none, SSL or 236 TLS/STARTTLS).</p> 237 238 <pre class="prettyprint lang-config"># Establish an SSL LDAP connection on port 636. Requires that 239# mod_ldap and mod_authnz_ldap be loaded. Change the 240# "yourdomain.example.com" to match your domain. 241 242LDAPTrustedGlobalCert CA_DER /certs/certfile.der 243 244<Location /ldap-status> 245 SetHandler ldap-status 246 247 Require host yourdomain.example.com 248 249 Satisfy any 250 AuthType Basic 251 AuthName "LDAP Protected" 252 AuthBasicProvider ldap 253 AuthLDAPURL ldaps://127.0.0.1/dc=example,dc=com?uid?one 254 Require valid-user 255</Location></pre> 256 257 258 <pre class="prettyprint lang-config"># Establish a TLS LDAP connection on port 389. Requires that 259# mod_ldap and mod_authnz_ldap be loaded. Change the 260# "yourdomain.example.com" to match your domain. 261 262LDAPTrustedGlobalCert CA_DER /certs/certfile.der 263 264<Location /ldap-status> 265 SetHandler ldap-status 266 267 Require host yourdomain.example.com 268 269 Satisfy any 270 AuthType Basic 271 AuthName "LDAP Protected" 272 AuthBasicProvider ldap 273 AuthLDAPURL ldap://127.0.0.1/dc=example,dc=com?uid?one TLS 274 Require valid-user 275</Location></pre> 276 277 278</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 279<div class="section"> 280<h2><a name="settingcerts" id="settingcerts">SSL/TLS Certificates</a></h2> 281 282 <p>The different LDAP SDKs have widely different methods of setting 283 and handling both CA and client side certificates.</p> 284 285 <p>If you intend to use SSL or TLS, read this section CAREFULLY so as to 286 understand the differences between configurations on the different LDAP 287 toolkits supported.</p> 288 289 <h3><a name="settingcerts-netscape" id="settingcerts-netscape">Netscape/Mozilla/iPlanet SDK</a></h3> 290 <p>CA certificates are specified within a file called cert7.db. 291 The SDK will not talk to any LDAP server whose certificate was 292 not signed by a CA specified in this file. If 293 client certificates are required, an optional key3.db file may 294 be specified with an optional password. The secmod file can be 295 specified if required. These files are in the same format as 296 used by the Netscape Communicator or Mozilla web browsers. The easiest 297 way to obtain these files is to grab them from your browser 298 installation.</p> 299 300 <p>Client certificates are specified per connection using the 301 LDAPTrustedClientCert directive by referring 302 to the certificate "nickname". An optional password may be 303 specified to unlock the certificate's private key.</p> 304 305 <p>The SDK supports SSL only. An attempt to use STARTTLS will cause 306 an error when an attempt is made to contact the LDAP server at 307 runtime.</p> 308 309 <pre class="prettyprint lang-config"># Specify a Netscape CA certificate file 310LDAPTrustedGlobalCert CA_CERT7_DB /certs/cert7.db 311# Specify an optional key3.db file for client certificate support 312LDAPTrustedGlobalCert CERT_KEY3_DB /certs/key3.db 313# Specify the secmod file if required 314LDAPTrustedGlobalCert CA_SECMOD /certs/secmod 315<Location /ldap-status> 316 SetHandler ldap-status 317 318 Require host yourdomain.example.com 319 320 Satisfy any 321 AuthType Basic 322 AuthName "LDAP Protected" 323 AuthBasicProvider ldap 324 LDAPTrustedClientCert CERT_NICKNAME <nickname> [password] 325 AuthLDAPURL ldaps://127.0.0.1/dc=example,dc=com?uid?one 326 Require valid-user 327</Location></pre> 328 329 330 331 332 <h3><a name="settingcerts-novell" id="settingcerts-novell">Novell SDK</a></h3> 333 334 <p>One or more CA certificates must be specified for the Novell 335 SDK to work correctly. These certificates can be specified as 336 binary DER or Base64 (PEM) encoded files.</p> 337 338 <p>Note: Client certificates are specified globally rather than per 339 connection, and so must be specified with the LDAPTrustedGlobalCert 340 directive as below. Trying to set client certificates via the 341 LDAPTrustedClientCert directive will cause an error to be logged 342 when an attempt is made to connect to the LDAP server..</p> 343 344 <p>The SDK supports both SSL and STARTTLS, set using the 345 LDAPTrustedMode parameter. If an ldaps:// URL is specified, 346 SSL mode is forced, override this directive.</p> 347 348 <pre class="prettyprint lang-config"># Specify two CA certificate files 349LDAPTrustedGlobalCert CA_DER /certs/cacert1.der 350LDAPTrustedGlobalCert CA_BASE64 /certs/cacert2.pem 351# Specify a client certificate file and key 352LDAPTrustedGlobalCert CERT_BASE64 /certs/cert1.pem 353LDAPTrustedGlobalCert KEY_BASE64 /certs/key1.pem [password] 354# Do not use this directive, as it will throw an error 355#LDAPTrustedClientCert CERT_BASE64 /certs/cert1.pem</pre> 356 357 358 359 360 <h3><a name="settingcerts-openldap" id="settingcerts-openldap">OpenLDAP SDK</a></h3> 361 362 <p>One or more CA certificates must be specified for the OpenLDAP 363 SDK to work correctly. These certificates can be specified as 364 binary DER or Base64 (PEM) encoded files.</p> 365 366 <p>Both CA and client certificates may be specified globally 367 (LDAPTrustedGlobalCert) or per-connection (LDAPTrustedClientCert). 368 When any settings are specified per-connection, the global 369 settings are superceded.</p> 370 371 <p>The documentation for the SDK claims to support both SSL and 372 STARTTLS, however STARTTLS does not seem to work on all versions 373 of the SDK. The SSL/TLS mode can be set using the 374 LDAPTrustedMode parameter. If an ldaps:// URL is specified, 375 SSL mode is forced. The OpenLDAP documentation notes that SSL 376 (ldaps://) support has been deprecated to be replaced with TLS, 377 although the SSL functionality still works.</p> 378 379 <pre class="prettyprint lang-config"># Specify two CA certificate files 380LDAPTrustedGlobalCert CA_DER /certs/cacert1.der 381LDAPTrustedGlobalCert CA_BASE64 /certs/cacert2.pem 382<Location /ldap-status> 383 SetHandler ldap-status 384 385 Require host yourdomain.example.com 386 387 LDAPTrustedClientCert CERT_BASE64 /certs/cert1.pem 388 LDAPTrustedClientCert KEY_BASE64 /certs/key1.pem 389 # CA certs respecified due to per-directory client certs 390 LDAPTrustedClientCert CA_DER /certs/cacert1.der 391 LDAPTrustedClientCert CA_BASE64 /certs/cacert2.pem 392 Satisfy any 393 AuthType Basic 394 AuthName "LDAP Protected" 395 AuthBasicProvider ldap 396 AuthLDAPURL ldaps://127.0.0.1/dc=example,dc=com?uid?one 397 Require valid-user 398</Location></pre> 399 400 401 402 403 <h3><a name="settingcerts-solaris" id="settingcerts-solaris">Solaris SDK</a></h3> 404 405 <p>SSL/TLS for the native Solaris LDAP libraries is not yet 406 supported. If required, install and use the OpenLDAP libraries 407 instead.</p> 408 409 410 411 <h3><a name="settingcerts-microsoft" id="settingcerts-microsoft">Microsoft SDK</a></h3> 412 413 <p>SSL/TLS certificate configuration for the native Microsoft 414 LDAP libraries is done inside the system registry, and no 415 configuration directives are required.</p> 416 417 <p>Both SSL and TLS are supported by using the ldaps:// URL 418 format, or by using the LDAPTrustedMode directive accordingly.</p> 419 420 <p>Note: The status of support for client certificates is not yet known 421 for this toolkit.</p> 422 423 424 425</div> 426<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 427<div class="directive-section"><h2><a name="LDAPCacheEntries" id="LDAPCacheEntries">LDAPCacheEntries</a> <a name="ldapcacheentries" id="ldapcacheentries">Directive</a></h2> 428<table class="directive"> 429<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Maximum number of entries in the primary LDAP cache</td></tr> 430<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>LDAPCacheEntries <var>number</var></code></td></tr> 431<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>LDAPCacheEntries 1024</code></td></tr> 432<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr> 433<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> 434<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ldap</td></tr> 435</table> 436 <p>Specifies the maximum size of the primary LDAP cache. This 437 cache contains successful search/binds. Set it to 0 to turn off 438 search/bind caching. The default size is 1024 cached 439 searches.</p> 440 441</div> 442<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 443<div class="directive-section"><h2><a name="LDAPCacheTTL" id="LDAPCacheTTL">LDAPCacheTTL</a> <a name="ldapcachettl" id="ldapcachettl">Directive</a></h2> 444<table class="directive"> 445<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Time that cached items remain valid</td></tr> 446<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>LDAPCacheTTL <var>seconds</var></code></td></tr> 447<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>LDAPCacheTTL 600</code></td></tr> 448<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr> 449<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> 450<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ldap</td></tr> 451</table> 452 <p>Specifies the time (in seconds) that an item in the 453 search/bind cache remains valid. The default is 600 seconds (10 454 minutes).</p> 455 456</div> 457<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 458<div class="directive-section"><h2><a name="LDAPConnectionPoolTTL" id="LDAPConnectionPoolTTL">LDAPConnectionPoolTTL</a> <a name="ldapconnectionpoolttl" id="ldapconnectionpoolttl">Directive</a></h2> 459<table class="directive"> 460<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Discard backend connections that have been sitting in the connection pool too long</td></tr> 461<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>LDAPConnectionPoolTTL <var>n</var></code></td></tr> 462<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>LDAPConnectionPoolTTL -1</code></td></tr> 463<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr> 464<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> 465<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ldap</td></tr> 466<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Apache HTTP Server 2.3.12 and later</td></tr> 467</table> 468 <p>Specifies the maximum age, in seconds, that a pooled LDAP connection can remain idle 469 and still be available for use. Connections are cleaned up when they are next needed, 470 not asynchronously.</p> 471 472 <p>A setting of 0 causes connections to never be saved in the backend 473 connection pool. The default value of -1, and any other negative value, 474 allows connections of any age to be reused.</p> 475 476 <p>The timemout is based on when the LDAP connection is returned to the 477 pool, not based on the last time I/O has been performed over the backend 478 connection. If the information is cached, the apparent idle time can exceed 479 the <code class="directive">LDAPConnectionPoolTTL</code>. </p> 480 481 <div class="note"><p>This timeout defaults to units of seconds, but accepts 482 suffixes for milliseconds (ms), minutes (min), and hours (h). 483 </p></div> 484 485</div> 486<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 487<div class="directive-section"><h2><a name="LDAPConnectionTimeout" id="LDAPConnectionTimeout">LDAPConnectionTimeout</a> <a name="ldapconnectiontimeout" id="ldapconnectiontimeout">Directive</a></h2> 488<table class="directive"> 489<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Specifies the socket connection timeout in seconds</td></tr> 490<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>LDAPConnectionTimeout <var>seconds</var></code></td></tr> 491<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr> 492<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> 493<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ldap</td></tr> 494</table> 495 <p>This directive configures the LDAP_OPT_NETWORK_TIMEOUT (or LDAP_OPT_CONNECT_TIMEOUT) 496 option in the underlying LDAP client library, when available. This value 497 typically controls how long the LDAP client library will wait for the TCP 498 connection to the LDAP server to complete.</p> 499 500 <p> If a connection is not successful with the timeout period, either an error will be 501 returned or the LDAP client library will attempt to connect to a secondary LDAP 502 server if one is specified (via a space-separated list of hostnames in the 503 <code class="directive"><a href="/mod/mod_authnz_ldap.html#authldapurl">AuthLDAPURL</a></code>).</p> 504 505 <p>The default is 10 seconds, if the LDAP client library linked with the 506 server supports the LDAP_OPT_NETWORK_TIMEOUT option.</p> 507 508 <div class="note">LDAPConnectionTimeout is only available when the LDAP client library linked 509 with the server supports the LDAP_OPT_NETWORK_TIMEOUT 510 (or LDAP_OPT_CONNECT_TIMEOUT) option, and the ultimate behavior is 511 dictated entirely by the LDAP client library. 512 </div> 513 514</div> 515<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 516<div class="directive-section"><h2><a name="LDAPLibraryDebug" id="LDAPLibraryDebug">LDAPLibraryDebug</a> <a name="ldaplibrarydebug" id="ldaplibrarydebug">Directive</a></h2> 517<table class="directive"> 518<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Enable debugging in the LDAP SDK</td></tr> 519<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>LDAPLibraryDebug <var>7</var></code></td></tr> 520<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>disabled</code></td></tr> 521<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr> 522<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> 523<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ldap</td></tr> 524</table> 525 <p>Turns on SDK-specific LDAP debug options that generally cause the LDAP 526 SDK to log verbose trace information to the main Apache error log. 527 The trace messages from the LDAP SDK provide gory details that 528 can be useful during debugging of connectivity problems with backend LDAP servers</p> 529 530 <p>This option is only configurable when Apache HTTP Server is linked with 531 an LDAP SDK that implements <code>LDAP_OPT_DEBUG</code> or 532 <code>LDAP_OPT_DEBUG_LEVEL</code>, such as OpenLDAP (a value of 7 is verbose) 533 or Tivoli Directory Server (a value of 65535 is verbose).</p> 534 535 <div class="warning"> 536 <p>The logged information will likely contain plaintext credentials being used or 537 validated by LDAP authentication, so care should be taken in protecting and purging 538 the error log when this directive is used.</p> 539 </div> 540 541 542</div> 543<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 544<div class="directive-section"><h2><a name="LDAPOpCacheEntries" id="LDAPOpCacheEntries">LDAPOpCacheEntries</a> <a name="ldapopcacheentries" id="ldapopcacheentries">Directive</a></h2> 545<table class="directive"> 546<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Number of entries used to cache LDAP compare 547operations</td></tr> 548<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>LDAPOpCacheEntries <var>number</var></code></td></tr> 549<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>LDAPOpCacheEntries 1024</code></td></tr> 550<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr> 551<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> 552<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ldap</td></tr> 553</table> 554 <p>This specifies the number of entries <code class="module"><a href="/mod/mod_ldap.html">mod_ldap</a></code> 555 will use to cache LDAP compare operations. The default is 1024 556 entries. Setting it to 0 disables operation caching.</p> 557 558</div> 559<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 560<div class="directive-section"><h2><a name="LDAPOpCacheTTL" id="LDAPOpCacheTTL">LDAPOpCacheTTL</a> <a name="ldapopcachettl" id="ldapopcachettl">Directive</a></h2> 561<table class="directive"> 562<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Time that entries in the operation cache remain 563valid</td></tr> 564<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>LDAPOpCacheTTL <var>seconds</var></code></td></tr> 565<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>LDAPOpCacheTTL 600</code></td></tr> 566<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr> 567<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> 568<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ldap</td></tr> 569</table> 570 <p>Specifies the time (in seconds) that entries in the 571 operation cache remain valid. The default is 600 seconds.</p> 572 573</div> 574<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 575<div class="directive-section"><h2><a name="LDAPReferralHopLimit" id="LDAPReferralHopLimit">LDAPReferralHopLimit</a> <a name="ldapreferralhoplimit" id="ldapreferralhoplimit">Directive</a></h2> 576<table class="directive"> 577<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>The maximum number of referral hops to chase before terminating an LDAP query.</td></tr> 578<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>LDAPReferralHopLimit <var>number</var></code></td></tr> 579<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SDK dependent, typically between 5 and 10</code></td></tr> 580<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr> 581<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr> 582<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> 583<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ldap</td></tr> 584</table> 585 <p>This directive, if enabled by the <code>LDAPReferrals</code> directive, 586 limits the number of referral hops that are followed before terminating an 587 LDAP query.</p> 588 589<div class="warning"> 590<p> Support for this tunable is uncommon in LDAP SDKs.</p> 591</div> 592 593</div> 594<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 595<div class="directive-section"><h2><a name="LDAPReferrals" id="LDAPReferrals">LDAPReferrals</a> <a name="ldapreferrals" id="ldapreferrals">Directive</a></h2> 596<table class="directive"> 597<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Enable referral chasing during queries to the LDAP server.</td></tr> 598<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>LDAPReferrals <var>On|Off|default</var></code></td></tr> 599<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>LDAPReferrals On</code></td></tr> 600<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr> 601<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr> 602<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> 603<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ldap</td></tr> 604</table> 605 <p>Some LDAP servers divide their directory among multiple domains and use referrals 606 to direct a client when a domain boundary is crossed. This is similar to a HTTP redirect. 607 LDAP client libraries may or may not chase referrals by default. This directive 608 explicitly configures the referral chasing in the underlying SDK.</p> 609 610 611 <p><code class="directive">LDAPReferrals</code> takes the takes the following values: 612 </p> 613 <dl> 614 <dt>"on"</dt> 615 <dd> <p> When set to "on", the underlying SDK's referral chasing state 616 is enabled, <code class="directive">LDAPReferralHopLimit</code> is used to 617 override the SDK's hop limit, and an LDAP rebind callback is 618 registered.</p></dd> 619 <dt>"off"</dt> 620 <dd> <p> When set to "off", the underlying SDK's referral chasing state 621 is disabled completely.</p></dd> 622 <dt>"default"</dt> 623 <dd> <p> When set to "default", the underlying SDK's referral chasing state 624 is not changed, <code class="directive">LDAPReferralHopLimit</code> is not 625 used to overide the SDK's hop limit, and no LDAP rebind callback is 626 registered.</p></dd> 627 </dl> 628 629 <p> The directive <code>LDAPReferralHopLimit</code> works in conjunction with 630 this directive to limit the number of referral hops to follow before terminating the LDAP query. 631 When referral processing is enabled by a value of "On", client credentials will be provided, 632 via a rebind callback, for any LDAP server requiring them. </p> 633 634</div> 635<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 636<div class="directive-section"><h2><a name="LDAPRetries" id="LDAPRetries">LDAPRetries</a> <a name="ldapretries" id="ldapretries">Directive</a></h2> 637<table class="directive"> 638<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Configures the number of LDAP server retries.</td></tr> 639<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>LDAPRetries <var>number-of-retries</var></code></td></tr> 640<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>LDAPRetries 3</code></td></tr> 641<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr> 642<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> 643<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ldap</td></tr> 644</table> 645 <p>The server will retry failed LDAP requests up to 646 <code class="directive">LDAPRetries</code> times. Setting this 647 directive to 0 disables retries.</p> 648 <p>LDAP errors such as timeouts and refused connections are retryable.</p> 649 650</div> 651<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 652<div class="directive-section"><h2><a name="LDAPRetryDelay" id="LDAPRetryDelay">LDAPRetryDelay</a> <a name="ldapretrydelay" id="ldapretrydelay">Directive</a></h2> 653<table class="directive"> 654<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Configures the delay between LDAP server retries.</td></tr> 655<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>LDAPRetryDelay <var>seconds</var></code></td></tr> 656<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>LDAPRetryDelay 0</code></td></tr> 657<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr> 658<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> 659<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ldap</td></tr> 660</table> 661 <p>If <code class="directive">LDAPRetryDelay</code> is set to a non-zero 662 value, the server will delay retrying an LDAP request for the 663 specified amount of time. Setting this directive to 0 will 664 result in any retry to occur without delay.</p> 665 666 <p>LDAP errors such as timeouts and refused connections are retryable.</p> 667 668</div> 669<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 670<div class="directive-section"><h2><a name="LDAPSharedCacheFile" id="LDAPSharedCacheFile">LDAPSharedCacheFile</a> <a name="ldapsharedcachefile" id="ldapsharedcachefile">Directive</a></h2> 671<table class="directive"> 672<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Sets the shared memory cache file</td></tr> 673<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>LDAPSharedCacheFile <var>directory-path/filename</var></code></td></tr> 674<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr> 675<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> 676<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ldap</td></tr> 677</table> 678 <p>Specifies the directory path and file name of the shared memory 679 cache file. If not set, anonymous shared memory will be used if the 680 platform supports it.</p> 681 682</div> 683<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 684<div class="directive-section"><h2><a name="LDAPSharedCacheSize" id="LDAPSharedCacheSize">LDAPSharedCacheSize</a> <a name="ldapsharedcachesize" id="ldapsharedcachesize">Directive</a></h2> 685<table class="directive"> 686<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Size in bytes of the shared-memory cache</td></tr> 687<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>LDAPSharedCacheSize <var>bytes</var></code></td></tr> 688<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>LDAPSharedCacheSize 500000</code></td></tr> 689<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr> 690<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> 691<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ldap</td></tr> 692</table> 693 <p>Specifies the number of bytes to allocate for the shared 694 memory cache. The default is 500kb. If set to 0, shared memory 695 caching will not be used and every HTTPD process will create its 696 own cache.</p> 697 698</div> 699<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 700<div class="directive-section"><h2><a name="LDAPTimeout" id="LDAPTimeout">LDAPTimeout</a> <a name="ldaptimeout" id="ldaptimeout">Directive</a></h2> 701<table class="directive"> 702<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Specifies the timeout for LDAP search and bind operations, in seconds</td></tr> 703<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>LDAPTimeout <var>seconds</var></code></td></tr> 704<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>LDAPTimeout 60</code></td></tr> 705<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr> 706<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> 707<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ldap</td></tr> 708<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Apache HTTP Server 2.3.5 and later</td></tr> 709</table> 710 <p>This directive configures the timeout for bind and search operations, as well as 711 the LDAP_OPT_TIMEOUT option in the underlying LDAP client library, when available.</p> 712 713 <p> If the timeout expires, httpd will retry in case an existing connection has 714 been silently dropped by a firewall. However, performance will be much better if 715 the firewall is configured to send TCP RST packets instead of silently dropping 716 packets.</p> 717 718 <div class="note"> 719 <p>Timeouts for ldap compare operations requires an SDK with LDAP_OPT_TIMEOUT, such as OpenLDAP >= 2.4.4.</p> 720 </div> 721 722 723</div> 724<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 725<div class="directive-section"><h2><a name="LDAPTrustedClientCert" id="LDAPTrustedClientCert">LDAPTrustedClientCert</a> <a name="ldaptrustedclientcert" id="ldaptrustedclientcert">Directive</a></h2> 726<table class="directive"> 727<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Sets the file containing or nickname referring to a per 728connection client certificate. Not all LDAP toolkits support per 729connection client certificates.</td></tr> 730<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>LDAPTrustedClientCert <var>type</var> <var>directory-path/filename/nickname</var> <var>[password]</var></code></td></tr> 731<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr> 732<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> 733<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ldap</td></tr> 734</table> 735 <p>It specifies the directory path, file name or nickname of a 736 per connection client certificate used when establishing an SSL 737 or TLS connection to an LDAP server. Different locations or 738 directories may have their own independent client certificate 739 settings. Some LDAP toolkits (notably Novell) 740 do not support per connection client certificates, and will throw an 741 error on LDAP server connection if you try to use this directive 742 (Use the LDAPTrustedGlobalCert directive instead for Novell client 743 certificates - See the SSL/TLS certificate guide above for details). 744 The type specifies the kind of certificate parameter being 745 set, depending on the LDAP toolkit being used. Supported types are:</p> 746 <ul> 747 <li>CA_DER - binary DER encoded CA certificate</li> 748 <li>CA_BASE64 - PEM encoded CA certificate</li> 749 <li>CERT_DER - binary DER encoded client certificate</li> 750 <li>CERT_BASE64 - PEM encoded client certificate</li> 751 <li>CERT_NICKNAME - Client certificate "nickname" (Netscape SDK)</li> 752 <li>KEY_DER - binary DER encoded private key</li> 753 <li>KEY_BASE64 - PEM encoded private key</li> 754 </ul> 755 756</div> 757<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 758<div class="directive-section"><h2><a name="LDAPTrustedGlobalCert" id="LDAPTrustedGlobalCert">LDAPTrustedGlobalCert</a> <a name="ldaptrustedglobalcert" id="ldaptrustedglobalcert">Directive</a></h2> 759<table class="directive"> 760<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Sets the file or database containing global trusted 761Certificate Authority or global client certificates</td></tr> 762<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>LDAPTrustedGlobalCert <var>type</var> <var>directory-path/filename</var> <var>[password]</var></code></td></tr> 763<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr> 764<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> 765<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ldap</td></tr> 766</table> 767 <p>It specifies the directory path and file name of the trusted CA 768 certificates and/or system wide client certificates <code class="module"><a href="/mod/mod_ldap.html">mod_ldap</a></code> 769 should use when establishing an SSL or TLS connection to an LDAP 770 server. Note that all certificate information specified using this directive 771 is applied globally to the entire server installation. Some LDAP toolkits 772 (notably Novell) require all client certificates to be set globally using 773 this directive. Most other toolkits require clients certificates to be set 774 per Directory or per Location using LDAPTrustedClientCert. If you get this 775 wrong, an error may be logged when an attempt is made to contact the LDAP 776 server, or the connection may silently fail (See the SSL/TLS certificate 777 guide above for details). 778 The type specifies the kind of certificate parameter being 779 set, depending on the LDAP toolkit being used. Supported types are:</p> 780 <ul> 781 <li>CA_DER - binary DER encoded CA certificate</li> 782 <li>CA_BASE64 - PEM encoded CA certificate</li> 783 <li>CA_CERT7_DB - Netscape cert7.db CA certificate database file</li> 784 <li>CA_SECMOD - Netscape secmod database file</li> 785 <li>CERT_DER - binary DER encoded client certificate</li> 786 <li>CERT_BASE64 - PEM encoded client certificate</li> 787 <li>CERT_KEY3_DB - Netscape key3.db client certificate database file</li> 788 <li>CERT_NICKNAME - Client certificate "nickname" (Netscape SDK)</li> 789 <li>CERT_PFX - PKCS#12 encoded client certificate (Novell SDK)</li> 790 <li>KEY_DER - binary DER encoded private key</li> 791 <li>KEY_BASE64 - PEM encoded private key</li> 792 <li>KEY_PFX - PKCS#12 encoded private key (Novell SDK)</li> 793 </ul> 794 795</div> 796<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 797<div class="directive-section"><h2><a name="LDAPTrustedMode" id="LDAPTrustedMode">LDAPTrustedMode</a> <a name="ldaptrustedmode" id="ldaptrustedmode">Directive</a></h2> 798<table class="directive"> 799<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Specifies the SSL/TLS mode to be used when connecting to an LDAP server.</td></tr> 800<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>LDAPTrustedMode <var>type</var></code></td></tr> 801<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr> 802<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> 803<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ldap</td></tr> 804</table> 805 <p>The following modes are supported:</p> 806 <ul> 807 <li>NONE - no encryption</li> 808 <li>SSL - ldaps:// encryption on default port 636</li> 809 <li>TLS - STARTTLS encryption on default port 389</li> 810 </ul> 811 812 <p>Not all LDAP toolkits support all the above modes. An error message 813 will be logged at runtime if a mode is not supported, and the 814 connection to the LDAP server will fail. 815 </p> 816 817 <p>If an ldaps:// URL is specified, the mode becomes SSL and the setting 818 of LDAPTrustedMode is ignored.</p> 819 820</div> 821<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 822<div class="directive-section"><h2><a name="LDAPVerifyServerCert" id="LDAPVerifyServerCert">LDAPVerifyServerCert</a> <a name="ldapverifyservercert" id="ldapverifyservercert">Directive</a></h2> 823<table class="directive"> 824<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Force server certificate verification</td></tr> 825<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>LDAPVerifyServerCert <var>On|Off</var></code></td></tr> 826<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>LDAPVerifyServerCert On</code></td></tr> 827<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr> 828<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> 829<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ldap</td></tr> 830</table> 831 <p>Specifies whether to force the verification of a 832 server certificate when establishing an SSL connection to the 833 LDAP server.</p> 834 835</div> 836</div> 837<div class="bottomlang"> 838<p><span>Available Languages: </span><a href="/en/mod/mod_ldap.html" title="English"> en </a> | 839<a href="/fr/mod/mod_ldap.html" hreflang="fr" rel="alternate" title="Fran�ais"> fr </a></p> 840</div><div class="top"><a href="#page-header"><img src="/images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section" name="comments_section">Comments</a></h2><div class="warning"><strong>Notice:</strong><br />This is not a Q&A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed again by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Freenode, or sent to our <a href="http://httpd.apache.org/lists.html">mailing lists</a>.</div> 841<script type="text/javascript"><!--//--><![CDATA[//><!-- 842var comments_shortname = 'httpd'; 843var comments_identifier = 'http://httpd.apache.org/docs/2.4/mod/mod_ldap.html'; 844(function(w, d) { 845 if (w.location.hostname.toLowerCase() == "httpd.apache.org") { 846 d.write('<div id="comments_thread"><\/div>'); 847 var s = d.createElement('script'); 848 s.type = 'text/javascript'; 849 s.async = true; 850 s.src = 'https://comments.apache.org/show_comments.lua?site=' + comments_shortname + '&page=' + comments_identifier; 851 (d.getElementsByTagName('head')[0] || d.getElementsByTagName('body')[0]).appendChild(s); 852 } 853 else { 854 d.write('<div id="comments_thread">Comments are disabled for this page at the moment.<\/div>'); 855 } 856})(window, document); 857//--><!]]></script></div><div id="footer"> 858<p class="apache">Copyright 2014 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p> 859<p class="menu"><a href="/mod/">Modules</a> | <a href="/mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="/glossary.html">Glossary</a> | <a href="/sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!-- 860if (typeof(prettyPrint) !== 'undefined') { 861 prettyPrint(); 862} 863//--><!]]></script> 864</body></html>
