Break <highlight language="commit">foo</highlight> into separate lines.

Following up on BZ 53530.. putting quotation marks around arbitrary-text, complex, and/or filesystem directive arguments. More to do..

Fix typo + correctly spell this poor Barbara name, otherwise she will never be able to get access

Properly escape the < and >.

Add the ldap-search option to mod_authnz_ldap, allowing authorization to be based on arbitrary expressions that do not include the username.

Add the ldap function to the expression API, allowing LDAP filters and distinguished names based on expressions to be escaped correctly to guard against LDAP injection. Note: this requires at least APR v1.6.0 or above for the apr_escape API.

Add <compatibility> notes for changes made in version 2.4.5 (and one forgotten in 2.4.8)

Add <compatibility> notes for changes made in version 2.4.8 + synch formating with 2.4.x

mod_authnz_ldap: Support the expression parser within the require directives.

emphasize that these directives only apply to authn

fix XML validation error on r1546534

compat note for AuthLDAPBindPassword exec:

Change the default value of AuthLDAPMaxSubGroupDepth, so sub-group searching is opt-in. Not intended for 2.4 backport.

add a note about sub-group searching and large groups.

fix odd wording

possibly improve the description of <code>none</code> added in r1497371

authnzldap: support "none" as a filter to suppress using a search filter, which is required by some mainframe security products serving native registry over LDAP.

Add helper function to execute command w args and get one line of output. Allow AuthLDAPBindPassword to have exec: argument like SSLPassPhraseDialog

Drop pre-2.3 compatibility notes from trunk docs.

Fix up a badly styled example and a wrongly named directive.

fix XML validation. Revert some of the hilighting to use <example><pre>, for instance: ldiffs Make some of the lines that were artifically broken > 40char.

Syntax for mod_a*.xml and MPMs

Typos and broken links in docs. Daniel Gruno (rumble at cord dk)

More patches from Daniel Gruno (rumble at cord dot dk) for references to directives that have moved around since 2.2

add new ldap features, make ap_expr entry more verbose

Cleanup effort in prep for GA push: Trim trailing whitespace... no func change

bad links due to typo

use example.com instead of other non-standard examples

Spelling errors PR: 49983, 49967 Submitted by: Chris Matthews <chris bbd co za>, Angelo Babudro <tech support donsdirectory com>

update compatability from 2.3.7 to 2.3.6

fix xml validation and doc build issues

add defaults for two nested groups directives

mod_authnz_ldap: Search or Comparison during authorization phase can use the credentials from the authentication phase (AuthLDAPSearchAsUSer,AuthLDAPCompareAsUser). PR 48340 Submitted by: Domenico Rotiroti, Eric Covener Reviewed by: Eric Covener

emphasize that trying to use the basic auth credentials directly is a last resort.

mod_authnz_ldap: Allow the initial DN lookup to bind with a transformation of the basic auth username.

Allow mod_authnz_ldap to set environment variables when it only performs authorization. AuthLDAPAuthorizePrefix can be used to force this to overlap with the prefix used for authentication. PR 45584

add defaults for AuthLDAPGroupAttribute to the synopsis

Typo

doc for AuthLDAPBindAuthoritative

Remove text implying "Require valid-user" is handled by mod_authnz_ldap, which makes the behavior of AuthzLDAPAuthoritative more intuitive.

The DN was fetched from the entry, and the password is passed by the client. --Cette ligne, et les suivantes ci-dessous, seront ignorées-- M manual/mod/mod_authnz_ldap.xml

provide a little more context in the multiple hostnames example

no AuthzLDAPAuthoritative in trunk, because authz uses a provider API

use example.com for example domain name

Typo fix as per PR44905, submitted by Jamie Taylor <jamie.taylor@pobox.com>.

Fix quoting for AuthLDAPUrl examples. Submitted by: Per Lundberg (Per.Lundberg bredband.com)

Clarify when AUTHENTICATE_* variables are populated by mod_authnz_ldap (authn only).

Add a note about double quoting a multihost LDAP URL.

Added documentation related to the nested group support that I added a while ago.

PR #43358 - Fix links to moved auth directives (Takashi Sato)

Add docs for the AUTHENTICATE_ prefixed exposure of login attributes during AAA.

s/require/Require/g

Added examples of multiple LDAP servers, and a warning caveat.

Case sensitivity continuity, taken from PR 38035

PR 31978, submitted by Ryan Morgan, resubmitted by Tony Stevenson.

Point out that if another authorization method is used with mod_authnz_ldap, AuthzLDAPAuthoritative must be set to off. submitted by: Darren Spruell <phatbuckett gmail.com>

Document the hoops you need to jump through to get mod_authnz_ldap to support an Active Directory installation spanning multiple domains.

mod_authnz_ldap: Add an AuthLDAPRemoteUserAttribute directive. If set, REMOTE_USER will be set to this attribute, rather than the username supplied by the user. Useful for example when you want users to log in using an email address, but need to supply a userid instead to the backend.

update license header text

Update the copyright year in all .c, .h and .xml files

Authz refactoring Merge from branches/authz-dev Basically here is a list of what has been done: - Convert all of the authz modules from hook based to provider based - Remove the ap_requires field from the core_dir_config structure - Remove the function ap_requires() since its functionality is no longer supported or necessary in the refactoring - Remove the calls to ap_some_auth_required() in the core request handling to allow the hooks to be called in all cases. - Add the new module mod_authz_core which will act as the authorization provider vector and contain common authz directives such as 'Require', 'Reject' and '<RequireAlias>' - Add the new module mod_authn_core which will contain common authentication directives such as 'AuthType', 'AuthName' and '<AuthnProviderAlias>' - Move the check for METHOD_MASK out of the authz providers and into the authz_core provider vector - Define the status codes that can be returned by the authz providers as AUTHZ_DENIED, AUTHZ_GRANTED and AUTHZ_GENERAL_ERROR - Remove the 'Satisfy' directive - Implement the '<RequireAll>', '<RequireOne>' block directives to handle the 'and' and 'or' logic for authorization. - Remove the 'AuthzXXXAuthoritative' directives from all of the authz providers - Implement the 'Reject' directive that will deny authorization if the argument is true - Fold the 'Reject' directive into the '<RequireAll>', '<RequireOne>' logic - Reimplement the host based authorization functionality provided by 'allow', 'deny' and 'order' as authz providers - Remove the 'allow', 'deny' and 'order' directives - Merge mod_authn_alias into mod_authn_core - Add '<RequireAlias>' functionality which is similar to '<AuthnProviderAlias>' but specific to authorization aliasing - Remove all of the references to the 'authzxxxAuthoritative' directives from the documentation - Remove the 'Satisfy' directive from the documentation - Remove 'Allow', 'Deny', 'Order' directives from the documentation - Document '<RequireAll>', '<RequireOne>', 'Reject' directives - Reimplement the APIs ap_auth_type(), ap_auth_name() as optional functions and move the actual implementation into mod_authn_core - Reimplement the API ap_some_auth_required() as an optional function and move the actual implementation into mod_authz_core Major Changes: - Added the directives <RequireAll>, <RequireOne>, <RequireAlias>, Reject - Expanded the functionality of the directive 'Require' to handle all authorization and access control - Added the new authz providers 'env', 'ip', 'host', 'all' to handle host-based access control - Removed the directives 'Allow', 'Deny', 'Order', 'Satisfy', 'AuthzXXXAuthoritative' - Removed the ap_require() API - Moved the directives 'AuthType', 'AuthName' out of mod_core and into mod_authn_core - Moved the directive 'Require' out of mod_core and into mod_authz_core - Merged mod_authn_alias into mod_authn_core - Renamed mod_authz_dbm authz providers from 'group' and 'file-group' to 'dbm-group' and 'dbm-file-group' Benefits: - All authorization and access control is now handle through two directives, 'Require' and 'Reject' - Authorization has been expanded to allow for complex 'AND/OR' control logic through the directives '<RequireAll>' and '<RequireOne>' - Configuration is now much simpler and consistent across the board - Other modules like mod_ssl and mod_proxy should be able to plug into and take advantage of the same provider based authorization mechanism by implementing their own providers Issues: - Backwards compatibility between 2.2 and 2.3 configurations will be broken in the area of authorization and access control due to the fact that the directives 'allow', 'deny', 'order' and 'satisfy' have been removed. When moving from 2.2 to 2.3 these directives will have to be changed to 'Require all granted', 'Require all denied' or some variation of the authz host-based providers. - Existing third party authorization modules will have to adapt to the new structure.

Backing out the AuthLDAPAllowDNAuth patch from r168016. Because of LDAP filter issues this patch still can't guarantee unique results.

Add the directive AuthLDAPAllowDNAuth to allow a user to authenticate against an LDAP directory using a full user DN. This directive allows a user to authenticate against a subcontext that may contain non-unique user IDs.

Document the new optional parameter for AuthLDAPUrl

Update copyright year to 2005 and standardize on current copyright owner line.

fix copyright notice

One more typo. Also, remove false promise because example is not colored in any way.

Typo.

use <program> for programs

Typo.

$Revision$ is slightly misdocumented (only available since svn 1.1) use LastChangedRevision instead

adjust properties and revision expansion of the English docs

Added the directive "Requires ldap-filter" that allows the module to only authorize a user based on a complex LDAP search filter.

Added the directive "Requires ldap-attribute" that allows the module to only authorize a user if the attribute value specified matches the value of the user object. PR 31913 Submitted by: Ryan Morgan <rmorgan pobox.com> Reviewd by: Brad Nicholes

Fix some typos that were missed when the documentation was updated for the new version of authnz_ldap

Add the documentation for mod_authnz_ldap