<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!--
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
              This file is generated from xml source: DO NOT EDIT
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
      -->
<title>mod_ldap - Apache HTTP Server</title>
<link href="/style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
<link href="/style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
<link href="/style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="/style/css/prettify.css" />
<script src="/style/scripts/prettify.js" type="text/javascript">
</script>

<link href="/images/favicon.ico" rel="shortcut icon" /></head>
<body>
<div id="page-header">
<p class="apache">Apache HTTP Server Version 2.2</p>
<img alt="" src="/images/feather.gif" /></div>
<div id="page-content">
<div id="preamble"><h1>Apache Module mod_ldap</h1>
<div class="toplang">
<p><span>Available Languages: </span><a href="/en/mod/mod_ldap.html" title="English"> en </a></p>
</div>
<table class="module"><tr><th><a
href="module-dict.html#Description">Description:</a></th><td>LDAP connection pooling and result caching services for use
by other LDAP modules</td></tr>
<tr><th><a href="module-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="module-dict.html#ModuleIdentifier">Module&nbsp;Identifier:</a></th><td>ldap_module</td></tr>
<tr><th><a href="module-dict.html#SourceFile">Source&nbsp;File:</a></th><td>util_ldap.c</td></tr>
<tr><th><a href="module-dict.html#Compatibility">Compatibility:</a></th><td>Available in version 2.0.41 and later</td></tr></table>
<h3>Summary</h3>

    <p>This module was created to improve the performance of
    websites relying on backend connections to LDAP servers. In
    addition to the functions provided by the standard LDAP
    libraries, this module adds an LDAP connection pool and an LDAP
    shared memory cache.</p>

    <p>To enable this module, LDAP support must be compiled into
    apr-util. This is achieved by adding the <code>--with-ldap</code>
    flag to the <code class="program"><a href="/programs/configure.html">configure</a></code> script when building
    Apache.</p>

    <p>SSL/TLS support is dependent on which LDAP toolkit has been
    linked to <a class="glossarylink" href="/glossary.html#apr" title="see glossary">APR</a>. As of this writing, APR-util supports:
    <a href="http://www.openldap.org/">OpenLDAP SDK</a> (2.x or later),
    <a href="http://developer.novell.com/ndk/cldap.htm">Novell LDAP
    SDK</a>, <a href="http://www.mozilla.org/directory/csdk.html">
    Mozilla LDAP SDK</a>, native Solaris LDAP SDK (Mozilla based),
    native Microsoft LDAP SDK, or the
    <a href="http://www.iplanet.com/downloads/developer/">iPlanet
    (Netscape)</a> SDK.
    See the <a href="http://apr.apache.org">APR</a>
    website for details.</p>

</div>
<div id="quickview"><h3 class="directives">Directives</h3>
<ul id="toc">
<li><img alt="" src="/images/down.gif" /> <a href="#ldapcacheentries">LDAPCacheEntries</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#ldapcachettl">LDAPCacheTTL</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#ldapconnectiontimeout">LDAPConnectionTimeout</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#ldapopcacheentries">LDAPOpCacheEntries</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#ldapopcachettl">LDAPOpCacheTTL</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#ldapsharedcachefile">LDAPSharedCacheFile</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#ldapsharedcachesize">LDAPSharedCacheSize</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#ldaptrustedclientcert">LDAPTrustedClientCert</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#ldaptrustedglobalcert">LDAPTrustedGlobalCert</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#ldaptrustedmode">LDAPTrustedMode</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#ldapverifyservercert">LDAPVerifyServerCert</a></li>
</ul>
<h3>Topics</h3>
<ul id="topics">
<li><img alt="" src="/images/down.gif" /> <a href="#exampleconfig">Example Configuration</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#pool">LDAP Connection Pool</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#cache">LDAP Cache</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#usingssltls">Using SSL/TLS</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#settingcerts">SSL/TLS Certificates</a></li>
</ul></div>
<div class="section">
<h2><a
name="exampleconfig" id="exampleconfig">Example Configuration</a></h2>
    <p>The following is an example configuration that uses
    <code class="module"><a href="/mod/mod_ldap.html">mod_ldap</a></code> to increase the performance of HTTP Basic
    authentication provided by <code class="module"><a href="/mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code>.</p>

    <div class="example"><p><code>
      # Enable the LDAP connection pool and shared<br />
      # memory cache. Enable the LDAP cache status<br />
      # handler. Requires that mod_ldap and mod_authnz_ldap<br />
      # be loaded. Change the "yourdomain.example.com" to<br />
      # match your domain.<br />
      <br />
      LDAPSharedCacheSize 500000<br />
      LDAPCacheEntries 1024<br />
      LDAPCacheTTL 600<br />
      LDAPOpCacheEntries 1024<br />
      LDAPOpCacheTTL 600<br />
      <br />
      &lt;Location /ldap-status&gt;<br />
      <span class="indent">
        SetHandler ldap-status<br />
        Order deny,allow<br />
        Deny from all<br />
        Allow from yourdomain.example.com<br />
        AuthLDAPURL ldap://127.0.0.1/dc=example,dc=com?uid?one<br />
        AuthzLDAPAuthoritative off<br />
        Require valid-user<br />
      </span>
      &lt;/Location&gt;
    </code></p></div>
</div>
<div class="section">
<h2><a name="pool" id="pool">LDAP Connection Pool</a></h2>

    <p>LDAP connections are pooled from request to request. This
    allows the LDAP server to remain connected and bound, ready for
    the next request, without the need to unbind/connect/rebind.
    The performance advantages are similar to the effect of HTTP
    keepalives.</p>

    <p>On a busy server it is possible that many requests will try
    to access the same LDAP server connection simultaneously.
    Where an LDAP connection is in use, Apache will create a new
    connection alongside the original one.
    This ensures that the
    connection pool does not become a bottleneck.</p>

    <p>There is no need to manually enable connection pooling in
    the Apache configuration. Any module using this module for
    access to LDAP services will share the connection pool.</p>
</div>
<div class="section">
<h2><a name="cache" id="cache">LDAP Cache</a></h2>

    <p>For improved performance, <code class="module"><a href="/mod/mod_ldap.html">mod_ldap</a></code> uses an aggressive
    caching strategy to minimize the number of times that the LDAP
    server must be contacted. Caching can easily double or triple
    the throughput of Apache when it is serving pages protected
    with mod_authnz_ldap. In addition, the load on the LDAP server
    will be significantly decreased.</p>

    <p><code class="module"><a href="/mod/mod_ldap.html">mod_ldap</a></code> supports two types of LDAP caching: during
    the search/bind phase with a <em>search/bind cache</em>, and
    during the compare phase with two <em>operation
    caches</em>. Each LDAP URL that is used by the server has
    its own set of these three caches.</p>

    <h3><a name="search-bind" id="search-bind">The Search/Bind Cache</a></h3>
    <p>The process of doing a search and then a bind is the
    most time-consuming aspect of LDAP operation, especially if
    the directory is large. The search/bind cache is used to
    cache all searches that resulted in successful binds.
    Negative results (<em>i.e.</em>, unsuccessful searches, or searches
    that did not result in a successful bind) are not cached.
    The rationale behind this decision is that connections with
    invalid credentials are only a tiny percentage of the total
    number of connections, so by not caching invalid
    credentials, the size of the cache is reduced.</p>

    <p><code class="module"><a href="/mod/mod_ldap.html">mod_ldap</a></code> stores the username, the DN
    retrieved, the password used to bind, and the time of the bind
    in the cache. Whenever a new connection is initiated with the
    same username, <code class="module"><a href="/mod/mod_ldap.html">mod_ldap</a></code> compares the password
    of the new connection with the password in the cache. If the
    passwords match, and if the cached entry is not too old,
    <code class="module"><a href="/mod/mod_ldap.html">mod_ldap</a></code> bypasses the search/bind phase.</p>

    <p>The search and bind cache is controlled with the <code class="directive"><a href="#ldapcacheentries">LDAPCacheEntries</a></code> and <code class="directive"><a href="#ldapcachettl">LDAPCacheTTL</a></code> directives.</p>


    <h3><a name="opcaches" id="opcaches">Operation Caches</a></h3>
    <p>During attribute and distinguished name comparison
    functions, <code class="module"><a href="/mod/mod_ldap.html">mod_ldap</a></code> uses two operation caches
    to cache the compare operations. The first compare cache is
    used to cache the results of compares done to test for LDAP
    group membership.
    The second compare cache is used to cache
    the results of comparisons done between distinguished
    names.</p>

    <p>The behavior of both of these caches is controlled with
    the <code class="directive"><a href="#ldapopcacheentries">LDAPOpCacheEntries</a></code>
    and <code class="directive"><a href="#ldapopcachettl">LDAPOpCacheTTL</a></code>
    directives.</p>


    <h3><a name="monitoring" id="monitoring">Monitoring the Cache</a></h3>
    <p><code class="module"><a href="/mod/mod_ldap.html">mod_ldap</a></code> has a content handler that allows
    administrators to monitor the cache performance. The name of
    the content handler is <code>ldap-status</code>, so the
    following directives could be used to access the
    <code class="module"><a href="/mod/mod_ldap.html">mod_ldap</a></code> cache information:</p>

    <div class="example"><p><code>
      &lt;Location /server/cache-info&gt;<br />
      <span class="indent">
        SetHandler ldap-status<br />
      </span>
      &lt;/Location&gt;
    </code></p></div>

    <p>By fetching the URL <code>http://servername/cache-info</code>,
    the administrator can get a status report of every cache that is used
    by <code class="module"><a href="/mod/mod_ldap.html">mod_ldap</a></code>.
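</p>
    <p>The search/bind cache described above (what is stored per entry, when an
    entry is reused, and why negatives are never cached) is small enough to model
    directly. The following Python model is an added example and is not code from
    mod_ldap or the Apache project: the <code>DIRECTORY</code> dict, the users in
    it and the <code>SearchBindCache</code> class are constructed for illustration,
    and only the search/bind cache is modelled, not the two operation caches.
    It shows the consequence of the cache rules that matters to an administrator:
    once a successful bind is cached, the same username/password pair is accepted
    without contacting the directory until <code>LDAPCacheTTL</code> elapses, even
    if the password has been changed in the directory in the meantime, while a
    different password for the same user always goes back to the directory and a
    failed bind is never stored.</p>

```python
"""Toy model of mod_ldap's search/bind cache (LDAPCacheEntries, LDAPCacheTTL).

Constructed example, not code from mod_ldap. A dict stands in for the LDAP
server; the cache semantics follow the documentation: only successful
search+bind results are cached, an entry is reused when the username and the
password match and the entry is younger than the TTL, and negative results
are never cached.
"""
import time
from collections import OrderedDict

# Constructed stand-in for the directory: uid -> (DN, password).
DIRECTORY = {
    "alice": ("uid=alice,dc=example,dc=com", "correct horse"),
    "bob": ("uid=bob,dc=example,dc=com", "hunter2"),
}


def search_and_bind(directory, username, password):
    """Slow path: search for the user's DN, then bind with the supplied
    password. Returns the DN on success and None on any failure."""
    entry = directory.get(username)
    if entry is None:
        return None  # search found nothing
    dn, real_password = entry
    return dn if password == real_password else None  # bind failed


class SearchBindCache:
    def __init__(self, max_entries=1024, ttl=600, clock=time.time):
        self.max_entries = max_entries  # LDAPCacheEntries; 0 disables caching
        self.ttl = ttl                  # LDAPCacheTTL, in seconds
        self.clock = clock              # injectable so expiry can be demonstrated
        self.entries = OrderedDict()    # username -> (dn, password, bind_time)
        self.directory_calls = 0        # how often the slow path was taken

    def authenticate(self, directory, username, password):
        now = self.clock()
        hit = self.entries.get(username)
        if hit is not None:
            dn, cached_pw, bound_at = hit
            if cached_pw == password and now - bound_at < self.ttl:
                return dn  # cache hit: the search/bind phase is skipped
            # password differs or the entry is too old: ask the directory
        self.directory_calls += 1
        dn = search_and_bind(directory, username, password)
        if dn is None:
            return None  # negative result: never cached
        if self.max_entries > 0:
            if username in self.entries:
                del self.entries[username]
            elif len(self.entries) >= self.max_entries:
                self.entries.popitem(last=False)  # evict the oldest entry
            self.entries[username] = (dn, password, now)
        return dn


def demo():
    """Walk through hit, miss, negative result and TTL expiry; returns the
    observations as a dict so they can be checked programmatically."""
    t = [1000.0]  # fake clock, advanced by hand
    cache = SearchBindCache(max_entries=2, ttl=600, clock=lambda: t[0])
    directory = dict(DIRECTORY)
    out = {}
    out["first"] = cache.authenticate(directory, "alice", "correct horse")   # miss
    out["second"] = cache.authenticate(directory, "alice", "correct horse")  # hit
    out["calls_after_two"] = cache.directory_calls                          # 1
    out["bad_pw"] = cache.authenticate(directory, "alice", "wrong")          # miss, not cached
    out["calls_after_bad"] = cache.directory_calls                          # 2
    # The password is changed in the directory; the cached entry is unaffected.
    directory["alice"] = (DIRECTORY["alice"][0], "new password")
    out["old_pw_still_ok"] = cache.authenticate(directory, "alice", "correct horse")  # stale hit
    t[0] += 601  # TTL elapses
    out["old_pw_after_ttl"] = cache.authenticate(directory, "alice", "correct horse")  # miss, bind fails
    out["calls_end"] = cache.directory_calls                                # 3
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    <p>The <code>old_pw_still_ok</code> step is the one to keep in mind when
    choosing <code>LDAPCacheTTL</code>: the cache answers from its stored
    password for up to the TTL, so a password change or a disabled account in the
    directory is not seen by Apache until the entry expires. Setting
    <code>max_entries</code> to 0 (the page's <code>LDAPCacheEntries 0</code>)
    makes every authentication take the slow path.</p>
    <p>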
    Note that if Apache does not
    support shared memory, then each <code class="program"><a href="/programs/httpd.html">httpd</a></code> instance has its
    own cache, so reloading the URL will result in different
    information each time, depending on which <code class="program"><a href="/programs/httpd.html">httpd</a></code>
    instance processes the request.</p>

</div>
<div class="section">
<h2><a name="usingssltls" id="usingssltls">Using SSL/TLS</a></h2>

    <p>The ability to create SSL and TLS connections to an LDAP server
    is defined by the directives
    <code class="directive"><a href="#ldaptrustedglobalcert">LDAPTrustedGlobalCert</a></code>,
    <code class="directive"><a href="#ldaptrustedclientcert">LDAPTrustedClientCert</a></code> and
    <code class="directive"><a href="#ldaptrustedmode">LDAPTrustedMode</a></code>.
    These directives specify the CA and
    optional client certificates to be used, as well as the type of
    encryption to be used on the connection (none, SSL or TLS/STARTTLS).</p>

    <div class="example"><p><code>
      # Establish an SSL LDAP connection on port 636. Requires that <br />
      # mod_ldap and mod_authnz_ldap be loaded. Change the <br />
      # "yourdomain.example.com" to match your domain.<br />
      <br />
      LDAPTrustedGlobalCert CA_DER /certs/certfile.der<br />
      <br />
      &lt;Location /ldap-status&gt;<br />
      <span class="indent">
        SetHandler ldap-status<br />
        Order deny,allow<br />
        Deny from all<br />
        Allow from yourdomain.example.com<br />
        AuthLDAPURL ldaps://127.0.0.1/dc=example,dc=com?uid?one<br />
        AuthzLDAPAuthoritative off<br />
        Require valid-user<br />
      </span>
      &lt;/Location&gt;
    </code></p></div>

    <div class="example"><p><code>
      # Establish a TLS LDAP connection on port 389. Requires that <br />
      # mod_ldap and mod_authnz_ldap be loaded.
      Change the <br />
      # "yourdomain.example.com" to match your domain.<br />
      <br />
      LDAPTrustedGlobalCert CA_DER /certs/certfile.der<br />
      <br />
      &lt;Location /ldap-status&gt;<br />
      <span class="indent">
        SetHandler ldap-status<br />
        Order deny,allow<br />
        Deny from all<br />
        Allow from yourdomain.example.com<br />
        AuthLDAPURL ldap://127.0.0.1/dc=example,dc=com?uid?one TLS<br />
        AuthzLDAPAuthoritative off<br />
        Require valid-user<br />
      </span>
      &lt;/Location&gt;
    </code></p></div>

</div>
<div class="section">
<h2><a name="settingcerts" id="settingcerts">SSL/TLS Certificates</a></h2>

    <p>The different LDAP SDKs have widely different methods of setting
    and handling both CA and client side certificates.</p>

    <p>If you intend to use SSL or TLS, read this section CAREFULLY so as to
    understand the differences between configurations on the different LDAP
    toolkits supported.</p>

    <h3><a name="settingcerts-netscape" id="settingcerts-netscape">Netscape/Mozilla/iPlanet SDK</a></h3>
    <p>CA certificates are specified within a file called cert7.db.
    The SDK will not talk to any LDAP server whose certificate was
    not signed by a CA specified in this file. If
    client certificates are required, an optional key3.db file may
    be specified with an optional password. The secmod file can be
    specified if required. These files are in the same format as
    used by the Netscape Communicator or Mozilla web browsers. The easiest
    way to obtain these files is to grab them from your browser
    installation.</p>

    <p>Client certificates are specified per connection using the
    LDAPTrustedClientCert directive by referring
    to the certificate "nickname". An optional password may be
    specified to unlock the certificate's private key.</p>

    <p>The SDK supports SSL only.
    An attempt to use STARTTLS will cause
    an error when the LDAP server is contacted at
    runtime.</p>

    <div class="example"><p><code>
      # Specify a Netscape CA certificate file<br />
      LDAPTrustedGlobalCert CA_CERT7_DB /certs/cert7.db<br />
      # Specify an optional key3.db file for client certificate support<br />
      LDAPTrustedGlobalCert CERT_KEY3_DB /certs/key3.db<br />
      # Specify the secmod file if required<br />
      LDAPTrustedGlobalCert CA_SECMOD /certs/secmod<br />
      &lt;Location /ldap-status&gt;<br />
      <span class="indent">
        SetHandler ldap-status<br />
        Order deny,allow<br />
        Deny from all<br />
        Allow from yourdomain.example.com<br />
        LDAPTrustedClientCert CERT_NICKNAME &lt;nickname&gt; [password]<br />
        AuthLDAPURL ldaps://127.0.0.1/dc=example,dc=com?uid?one<br />
        AuthzLDAPAuthoritative off<br />
        Require valid-user<br />
      </span>
      &lt;/Location&gt;
    </code></p></div>



    <h3><a name="settingcerts-novell" id="settingcerts-novell">Novell SDK</a></h3>

    <p>One or more CA certificates must be specified for the Novell
    SDK to work correctly. These certificates can be specified as
    binary DER or Base64 (PEM) encoded files.</p>

    <p>Note: Client certificates are specified globally rather than per
    connection, and so must be specified with the LDAPTrustedGlobalCert
    directive as below. Trying to set client certificates via the
    LDAPTrustedClientCert directive will cause an error to be logged
    when an attempt is made to connect to the LDAP server.</p>

    <p>The SDK supports both SSL and STARTTLS, set using the
    LDAPTrustedMode parameter.
    If an ldaps:// URL is specified,
    SSL mode is forced, overriding this directive.</p>

    <div class="example"><p><code>
      # Specify two CA certificate files<br />
      LDAPTrustedGlobalCert CA_DER /certs/cacert1.der<br />
      LDAPTrustedGlobalCert CA_BASE64 /certs/cacert2.pem<br />
      # Specify a client certificate file and key<br />
      LDAPTrustedGlobalCert CERT_BASE64 /certs/cert1.pem<br />
      LDAPTrustedGlobalCert KEY_BASE64 /certs/key1.pem [password]<br />
      # Do not use this directive, as it will throw an error<br />
      #LDAPTrustedClientCert CERT_BASE64 /certs/cert1.pem<br />
    </code></p></div>



    <h3><a name="settingcerts-openldap" id="settingcerts-openldap">OpenLDAP SDK</a></h3>

    <p>One or more CA certificates must be specified for the OpenLDAP
    SDK to work correctly. These certificates can be specified as
    binary DER or Base64 (PEM) encoded files.</p>

    <p>Client certificates are specified per connection using the
    LDAPTrustedClientCert directive.</p>

    <p>The documentation for the SDK claims to support both SSL and
    STARTTLS; however, STARTTLS does not seem to work on all versions
    of the SDK. The SSL/TLS mode can be set using the
    LDAPTrustedMode parameter. If an ldaps:// URL is specified,
    SSL mode is forced.
    The OpenLDAP documentation notes that SSL
    (ldaps://) support has been deprecated to be replaced with TLS,
    although the SSL functionality still works.</p>

    <div class="example"><p><code>
      # Specify two CA certificate files<br />
      LDAPTrustedGlobalCert CA_DER /certs/cacert1.der<br />
      LDAPTrustedGlobalCert CA_BASE64 /certs/cacert2.pem<br />
      &lt;Location /ldap-status&gt;<br />
      <span class="indent">
        SetHandler ldap-status<br />
        Order deny,allow<br />
        Deny from all<br />
        Allow from yourdomain.example.com<br />
        LDAPTrustedClientCert CERT_BASE64 /certs/cert1.pem<br />
        LDAPTrustedClientCert KEY_BASE64 /certs/key1.pem<br />
        AuthLDAPURL ldaps://127.0.0.1/dc=example,dc=com?uid?one<br />
        AuthzLDAPAuthoritative off<br />
        Require valid-user<br />
      </span>
      &lt;/Location&gt;
    </code></p></div>



    <h3><a name="settingcerts-solaris" id="settingcerts-solaris">Solaris SDK</a></h3>

    <p>SSL/TLS for the native Solaris LDAP libraries is not yet
    supported.
    If required, install and use the OpenLDAP libraries
    instead.</p>



    <h3><a name="settingcerts-microsoft" id="settingcerts-microsoft">Microsoft SDK</a></h3>

    <p>SSL/TLS certificate configuration for the native Microsoft
    LDAP libraries is done inside the system registry, and no
    configuration directives are required.</p>

    <p>Both SSL and TLS are supported by using the ldaps:// URL
    format, or by using the LDAPTrustedMode directive accordingly.</p>

    <p>Note: The status of support for client certificates is not yet known
    for this toolkit.</p>



</div>
<div class="directive-section"><h2><a name="LDAPCacheEntries" id="LDAPCacheEntries">LDAPCacheEntries</a> <a name="ldapcacheentries" id="ldapcacheentries">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Maximum number of entries in the primary LDAP cache</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>LDAPCacheEntries <var>number</var></code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>LDAPCacheEntries 1024</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ldap</td></tr>
</table>
    <p>Specifies the maximum size of the primary LDAP cache. This
    cache contains successful search/binds. Set it to 0 to turn off
    search/bind caching.
    The default size is 1024 cached
    searches.</p>

</div>
<div class="directive-section"><h2><a name="LDAPCacheTTL" id="LDAPCacheTTL">LDAPCacheTTL</a> <a name="ldapcachettl" id="ldapcachettl">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Time that cached items remain valid</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>LDAPCacheTTL <var>seconds</var></code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>LDAPCacheTTL 600</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ldap</td></tr>
</table>
    <p>Specifies the time (in seconds) that an item in the
    search/bind cache remains valid.
    The default is 600 seconds (10
    minutes).</p>

</div>
<div class="directive-section"><h2><a name="LDAPConnectionTimeout" id="LDAPConnectionTimeout">LDAPConnectionTimeout</a> <a name="ldapconnectiontimeout" id="ldapconnectiontimeout">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Specifies the socket connection timeout in seconds</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>LDAPConnectionTimeout <var>seconds</var></code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ldap</td></tr>
</table>
    <p>This directive configures the LDAP_OPT_NETWORK_TIMEOUT option in the
    underlying LDAP client library, when available. This value typically
    controls how long the LDAP client library will wait for the TCP connection
    to the LDAP server to complete.</p>

    <p>If a connection is not successful within the timeout period, either an error will be
    returned or the LDAP client library will attempt to connect to a secondary LDAP
    server if one is specified (via a space-separated list of hostnames in the
    <code class="directive"><a href="/mod/mod_authnz_ldap.html#authldapurl">AuthLDAPURL</a></code>).</p>

    <p>The default is 10 seconds, if the LDAP client library linked with the
    server supports the LDAP_OPT_NETWORK_TIMEOUT option.</p>

    <div class="note">LDAPConnectionTimeout is only available when the LDAP client library linked
    with the server supports the LDAP_OPT_NETWORK_TIMEOUT option, and the
    ultimate behavior is dictated entirely by the LDAP client library.
    </div>

</div>
<div class="directive-section"><h2><a name="LDAPOpCacheEntries" id="LDAPOpCacheEntries">LDAPOpCacheEntries</a> <a name="ldapopcacheentries" id="ldapopcacheentries">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Number of entries used to cache LDAP compare
operations</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>LDAPOpCacheEntries <var>number</var></code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>LDAPOpCacheEntries 1024</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ldap</td></tr>
</table>
    <p>This specifies the number of entries <code class="module"><a href="/mod/mod_ldap.html">mod_ldap</a></code>
    will use to cache LDAP compare operations. The default is 1024
    entries.
    Setting it to 0 disables operation caching.</p>

</div>
<div class="directive-section"><h2><a name="LDAPOpCacheTTL" id="LDAPOpCacheTTL">LDAPOpCacheTTL</a> <a name="ldapopcachettl" id="ldapopcachettl">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Time that entries in the operation cache remain
valid</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>LDAPOpCacheTTL <var>seconds</var></code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>LDAPOpCacheTTL 600</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ldap</td></tr>
</table>
    <p>Specifies the time (in seconds) that entries in the
    operation cache remain valid.
    The default is 600 seconds.</p>

</div>
<div class="directive-section"><h2><a name="LDAPSharedCacheFile" id="LDAPSharedCacheFile">LDAPSharedCacheFile</a> <a name="ldapsharedcachefile" id="ldapsharedcachefile">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Sets the shared memory cache file</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>LDAPSharedCacheFile <var>directory-path/filename</var></code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ldap</td></tr>
</table>
    <p>Specifies the directory path and file name of the shared memory
    cache file. If not set, anonymous shared memory will be used if the
    platform supports it.</p>

</div>
<div class="directive-section"><h2><a name="LDAPSharedCacheSize" id="LDAPSharedCacheSize">LDAPSharedCacheSize</a> <a name="ldapsharedcachesize" id="ldapsharedcachesize">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Size in bytes of the shared-memory cache</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>LDAPSharedCacheSize <var>bytes</var></code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>LDAPSharedCacheSize 500000</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a
href="directive-dict.html#Module">Module:</a></th><td>mod_ldap</td></tr>
</table>
    <p>Specifies the number of bytes to allocate for the shared
    memory cache. The default is 500 kB. If set to 0, shared memory
    caching will not be used.</p>

</div>
<div class="directive-section"><h2><a name="LDAPTrustedClientCert" id="LDAPTrustedClientCert">LDAPTrustedClientCert</a> <a name="ldaptrustedclientcert" id="ldaptrustedclientcert">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Sets the file containing or nickname referring to a per
connection client certificate. Not all LDAP toolkits support per
connection client certificates.</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>LDAPTrustedClientCert <var>type</var> <var>directory-path/filename/nickname</var> <var>[password]</var></code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ldap</td></tr>
</table>
    <p>It specifies the directory path, file name or nickname of a
    per connection client certificate used when establishing an SSL
    or TLS connection to an LDAP server. Different locations or
    directories may have their own independent client certificate
    settings. Some LDAP toolkits (notably Novell)
    do not support per connection client certificates, and will throw an
    error on LDAP server connection if you try to use this directive
    (use the LDAPTrustedGlobalCert directive instead for Novell client
    certificates; see the SSL/TLS certificate guide above for details).
    The type specifies the kind of certificate parameter being
    set, depending on the LDAP toolkit being used. Supported types are:</p>
    <ul>
      <li>CERT_DER - binary DER encoded client certificate</li>
      <li>CERT_BASE64 - PEM encoded client certificate</li>
      <li>CERT_NICKNAME - Client certificate "nickname" (Netscape SDK)</li>
      <li>KEY_DER - binary DER encoded private key</li>
      <li>KEY_BASE64 - PEM encoded private key</li>
    </ul>

</div>
<div class="directive-section"><h2><a name="LDAPTrustedGlobalCert" id="LDAPTrustedGlobalCert">LDAPTrustedGlobalCert</a> <a name="ldaptrustedglobalcert" id="ldaptrustedglobalcert">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Sets the file or database containing global trusted
Certificate Authority or global client certificates</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>LDAPTrustedGlobalCert <var>type</var> <var>directory-path/filename</var> <var>[password]</var></code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ldap</td></tr>
</table>
    <p>It specifies the directory path and file name of the trusted CA
    certificates and/or system wide client certificates <code class="module"><a href="/mod/mod_ldap.html">mod_ldap</a></code>
    should use when establishing an SSL or TLS connection to an LDAP
    server. Note that all certificate information specified using this directive
    is applied globally to the entire server installation. Some LDAP toolkits
    (notably Novell) require all client certificates to be set globally using
    this directive.
    Most other toolkits require client certificates to be set
    per Directory or per Location using LDAPTrustedClientCert. If you get this
    wrong, an error may be logged when an attempt is made to contact the LDAP
    server, or the connection may silently fail (See the SSL/TLS certificate
    guide above for details).
    The type specifies the kind of certificate parameter being
    set, depending on the LDAP toolkit being used. Supported types are:</p>
    <ul>
      <li>CA_DER - binary DER encoded CA certificate</li>
      <li>CA_BASE64 - PEM encoded CA certificate</li>
      <li>CA_CERT7_DB - Netscape cert7.db CA certificate database file</li>
      <li>CA_SECMOD - Netscape secmod database file</li>
      <li>CERT_DER - binary DER encoded client certificate</li>
      <li>CERT_BASE64 - PEM encoded client certificate</li>
      <li>CERT_KEY3_DB - Netscape key3.db client certificate database file</li>
      <li>CERT_NICKNAME - Client certificate "nickname" (Netscape SDK)</li>
      <li>CERT_PFX - PKCS#12 encoded client certificate (Novell SDK)</li>
      <li>KEY_DER - binary DER encoded private key</li>
      <li>KEY_BASE64 - PEM encoded private key</li>
      <li>KEY_PFX - PKCS#12 encoded private key (Novell SDK)</li>
    </ul>

</div>
<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="LDAPTrustedMode" id="LDAPTrustedMode">LDAPTrustedMode</a> <a name="ldaptrustedmode" id="ldaptrustedmode">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Specifies the SSL/TLS mode to be used when connecting to an LDAP server.</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>LDAPTrustedMode <var>type</var></code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a
href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ldap</td></tr>
</table>
    <p>The following modes are supported:</p>
    <ul>
      <li>NONE - no encryption</li>
      <li>SSL - ldaps:// encryption on default port 636</li>
      <li>TLS - STARTTLS encryption on default port 389</li>
    </ul>

    <p>Not all LDAP toolkits support all the above modes. An error message
    will be logged at runtime if a mode is not supported, and the
    connection to the LDAP server will fail.
    </p>

    <p>If an ldaps:// URL is specified, the mode becomes SSL and the setting
    of LDAPTrustedMode is ignored.</p>

</div>
<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="LDAPVerifyServerCert" id="LDAPVerifyServerCert">LDAPVerifyServerCert</a> <a name="ldapverifyservercert" id="ldapverifyservercert">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Force server certificate verification</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>LDAPVerifyServerCert <var>On|Off</var></code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>LDAPVerifyServerCert On</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ldap</td></tr>
</table>
    <p>Specifies whether to force the verification of a
    server certificate when establishing an SSL connection to the
    LDAP server.</p>

</div>
</div>
<div class="bottomlang">
<p><span>Available Languages: </span><a href="/en/mod/mod_ldap.html" title="English"> en </a></p>
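<p>An added configuration example (not from the Apache documentation or the mod_ldap source) that combines the LDAPTrustedGlobalCert, LDAPTrustedMode, LDAPVerifyServerCert and LDAPTrustedClientCert directives described above into one server-verified TLS setup. The file paths, hostname and base DN are placeholders, and the AuthType/AuthName/AuthBasicProvider/AuthLDAPURL/Require lines inside the Location block come from mod_authnz_ldap and mod_auth_basic, which this page does not cover.</p>

```apache
# Added example; not part of the mod_ldap documentation.
# All file paths, the hostname and the base DN are placeholders.

# Server config only: CA chain used to verify the LDAP server's certificate.
# CA_BASE64 is the PEM form; CA_DER would be the binary DER form.
LDAPTrustedGlobalCert CA_BASE64 /etc/httpd/ldap/ca-chain.pem

# STARTTLS on the default port 389 for ldap:// URLs. An ldaps:// URL
# switches the mode to SSL (port 636) and this setting is then ignored.
LDAPTrustedMode TLS

# On is the default. With Off the channel is still encrypted but any
# server certificate is accepted, so the LDAP server is not authenticated.
LDAPVerifyServerCert On

<Location /secure>
    AuthType Basic
    AuthName "LDAP protected area"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.internal/ou=People,dc=example,dc=internal?uid?sub"

    # Per-connection client certificate and key (PEM forms). The Novell
    # toolkit does not support this directive; there, set CERT_*/KEY_*
    # globally with LDAPTrustedGlobalCert instead.
    LDAPTrustedClientCert CERT_BASE64 /etc/httpd/ldap/httpd-client.pem
    LDAPTrustedClientCert KEY_BASE64  /etc/httpd/ldap/httpd-client-key.pem

    Require valid-user
</Location>
```

If the toolkit in use rejects a mode or certificate type, the page notes that an error is logged at connection time or the connection fails silently, so check the error log after the first request against the protected location.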
</div><div class="top"><a href="#page-header"><img src="/images/up.gif" alt="top" /></a></div><div id="footer">
<p class="apache">Copyright 2013 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p></div>
</body></html>