目录搜索
首页版本说明从1.3升级到2.0编译时配置的改变运行时配置的改变杂项变化第三方模块从 2.0 升级到 2.2编译时配置的改变运行时配置的改变杂项变化第三方模块Apache 2.1/2.2 版本的新特性核心增强模块增强程序增强针对模块开发者的变化Apache 2.0 版本的新特性核心的增强模块的增强Apache许可证参考手册编译与安装针对心急者的概述要求下载解压配置源代码树编译安装配置测试升级启动Apache是怎样启动的启动时发生错误随系统启动时启动额外信息停止与重新启动简介立即停止优雅重启立即重启优雅停止附录:信号和竞争条件运行时配置指令主配置文件配置文件的语法模块指令的作用域.htaccess文件配置段配置段(容器)的类型文件系统和网络空间虚拟主机代理允许使用哪些指令?配置段的合并内容缓冲简介缓冲概述安全方面的考虑文件句柄缓冲内存缓冲磁盘缓冲服务器全局配置服务器标识文件定位限制资源的使用日志文件安全警告错误日志访问日志日志滚动管道日志虚拟主机其他日志文件从URL到文件系统的映射相关模块和指令DocumentRootDocumentRoot以外的文件用户目录URL重定向反向代理重写引擎File Not Found安全方面的提示保持不断更新和升级ServerRoot目录的权限服务器端包含关于CGI未指定为脚本的CGI指定为脚本的CGI其他动态内容的来源系统设置的保护默认配置下服务器文件的保护观察日志文件动态共享对象(DSO)实现用法概要背景知识优点和缺点内容协商关于内容协商Apache中的内容协商协商的方法打乱品质值透明内容协商的扩展超链和名称转换说明缓冲说明更多信息自定义错误响应行为配置自定义错误响应与重定向地址和端口绑定概述针对IPv6的特殊考虑怎样与虚拟主机协同工作多路处理模块(MPM)简介选择一个MPM默认的MPM环境变量设置环境变量使用环境变量用于特殊目的的环境变量示例处理器的使用什么是处理器?例子程序员注意事项过滤器Apache2中的过滤器智能过虑使用过滤器CGI脚本的Suexec执行开始之前suEXEC的安全模型配置和安装suEXEC启用和禁用suEXEC使用suEXEC调试suEXEC谨防Jabberwock:警告和举例性能调整硬件和操作系统运行时的配置编译时的配置附录:踪迹的详细分析URL重写指南mod_rewrite简介实践方案URL的规划内容的处理对访问的限制其他虚拟主机文档总述虚拟主机支持配置指令基于主机名的虚拟主机基于域名的虚拟主机和基于IP的虚拟主机比较使用基于域名的虚拟主机与旧版浏览器的兼容性基于IP地址的虚拟主机系统需求如何配置Apache设置多个守护进程配置拥有多个虚拟主机的单一守护进程动态配置大量虚拟主机动机概述简单的动态虚拟主机一个实际的个人主页系统在同一个服务器上架设多个主机的虚拟系统更为有效的基于IP地址的虚拟主机使用老版本的Apache使用mod_rewrite实现简单的动态虚拟主机使用mod_rewrite的个人主页系统使用独立的虚拟主机配置文件虚拟主机的普通配置示例在一个IP地址上运行多个基于域名的web站点在多于一个IP的情况下使用基于域名的虚拟主机在不同的IP的地址(比如一个内部和一个外部地址)上提供相同的内容在不同的端口上运行不同的站点建立基于IP的虚拟主机混用基于端口和基于IP的虚拟主机混用基于域名和基于IP的虚拟主机将虚拟主机和代理模块一起使用使用默认虚拟主机将一个基于域名的虚拟主机移植为一个基于IP的虚拟主机使用ServerPath指令深入讨论虚拟主机的匹配解析配置文件虚拟主机匹配小技巧文件描述符限制关于DNS和Apache一个简单示例拒绝服务"主服务器"地址避免这些问题的小技巧附录:进一步的提示常见问题概述SSL/TLS 加密概述文档mod_ssl绪论密码技术证书安全套接字层(SSL)参考兼容性配置指令环境变量自定义日志功能如何...加密方案和强制性高等级安全客户认证和访问控制常见问题解答About The ModuleInstallationConfigurationCertificatesThe SSL Protocolmod_ssl Support如何.../指南概述认证相关模块和指令简介先决条件启用认证允许多人访问可能存在的问题其他认证方法更多信息CGI动态页面简介配置Apache以允许CGI编写CGI程序程序还是不能运行!幕后是怎样操作的?CGI模块/库更多信息服务器端包含简介什么是SSI?配置服务器以允许SSI基本SSI指令附加的例子我还能设置其它什么?执行命令高级SSI技术总结.htaccess文件.htaccess文件工作原理和使用方法(不)使用.htaccess文件的场合指令的生效认证举例服务器端包含(SSI)举例CGI举例疑难解答用户网站目录用户网站目录用UserDir设置文件路径限定哪些用户可以使用此功能启用对每个用户都有效的cgi目录允许用户改变配置对特定平台的说明概述Microsoft Windows其他平台在Microsoft Windows中使用Apache对操作系统的要求下载 Apache for Windows安装 Apache for Windows配置 Apache for Windows以服务方式运行 Apache for Windows作为控制台程序运行Apache测试安装编译Windows下的Apache系统要求命令行编译Developer Studio集成开发环境的工作区编译项目组件在Novell NetWare平台上使用ApacheRequirementsDownloading Apache for NetWareInstalling Apache for NetWareRunning Apache for NetWareConfiguring Apache for NetWareCompiling Apache for NetWare在HP-UX中运行ApacheThe Apache EBCDIC PortOverview of the Apache EBCDIC PortDesign GoalsTechnical SolutionPorting NotesDocument Storage NotesApache Modules' StatusThird Party Modules' Status服务器与支持程序概述httpd语法选项ab语法选项Bugsapachectl语法选项apxs语法选项举例configure语法选项环境变量dbmmanage语法选项Bugshtcacheclean语法选项返回值htdbm语法选项Bugs返回值举例安全方面的考虑限制htdigest语法选项htpasswd语法选项返回值举例安全方面的考虑限制logresolve语法选项rotatelogs语法选项Portabilitysuexec语法选项其他程序log_server_statussplit-logfile杂项文档概述相关标准HTTP推荐标准HTML推荐标准认证语言/国家代码Apache 模块描述模块的术语说明状态源代码文件模块标识符兼容性描述指令的术语说明语法默认值(Default)作用域(Context)覆盖项(Override)状态模块(Module)兼容性(Compatibility)Apache核心(Core)特性AcceptFilterAcceptPathInfoAccessFileNameAddDefaultCharsetAddOutputFilterByTypeAllowEncodedSlashesAllowOverrideAuthNameAuthTypeCGIMapExtensionContentDigestDefaultType<Directory><DirectoryMatch>DocumentRootEnableMMAPEnableSendfileErrorDocumentErrorLogFileETag<Files><FilesMatch>ForceTypeHostnameLookups<IfDefine><IfModule>IncludeKeepAliveKeepAliveTimeout<Limit><LimitExcept>LimitInternalRecursionLimitRequestBodyLimitRequestFieldsLimitRequestFieldSizeLimitRequestLineLimitXMLRequestBody<Location><LocationMatch>LogLevelMaxKeepAliveRequestsNameVirtualHostOptionsRequireRLimitCPURLimitMEMRLimitNPROCSatisfyScriptInterpreterSourceServerAdminServerAliasServerNameServerPathServerRootServerSignatureServerTokensSetHandlerSetInputFilterSetOutputFilterTimeOutTraceEnableUseCanonicalNameUseCanonicalPhysicalPort<VirtualHost>Apache MPM 公共指令AcceptMutexCoreDumpDirectoryEnableExceptionHookGracefulShutdownTimeoutGroupListenListenBackLogLockFileMaxClientsMaxMemFreeMaxRequestsPerChildMaxSpareThreadsMinSpareThreadsPidFileReceiveBufferSizeScoreBoardFileSendBufferSizeServerLimitStartServersStartThreadsThreadLimitThreadsPerChildThreadStackSizeUserApache MPM beosMaxRequestsPerThreadCoreDumpDirectoryGroupListenListenBacklogMaxClientsMaxMemFreeMaxSpareThreadsMinSpareThreadsPidFileReceiveBufferSizeScoreBoardFileSendBufferSizeStartThreadsUserApache MPM eventAcceptMutexCoreDumpDirectoryEnableExceptionHookGroupListenListenBacklogLockFileMaxClientsMaxMemFreeMaxRequestsPerChildMaxSpareThreadsMinSpareThreadsPidFileScoreBoardFileSendBufferSizeServerLimitStartServersThreadLimitThreadsPerChildThreadStackSizeUserApache MPM netwareMaxThreadsListenListenBacklogMaxMemFreeMaxRequestsPerChildMaxSpareThreadsMinSpareThreadsReceiveBufferSizeSendBufferSizeStartThreadsThreadStackSizeApache MPM os2GroupListenListenBacklogMaxRequestsPerChildMaxSpareThreadsMinSpareThreadsPidFileReceiveBufferSizeSendBufferSizeStartServersUserApache MPM prefork工作方式MaxSpareServersMinSpareServersAcceptMutexCoreDumpDirectoryEnableExceptionHookGroupListenListenBacklogLockFileMaxClientsMaxMemFreeMaxRequestsPerChildPidFileReceiveBufferSizeScoreBoardFileSendBufferSizeServerLimitStartServersUserApache MPM winntWin32DisableAcceptExCoreDumpDirectoryListenListenBacklogMaxMemFreeMaxRequestsPerChildPidFileReceiveBufferSizeScoreBoardFileSendBufferSizeThreadLimitThreadsPerChildThreadStackSizeApache MPM worker工作方式AcceptMutexCoreDumpDirectoryEnableExceptionHookGroupListenListenBacklogLockFileMaxClientsMaxMemFreeMaxRequestsPerChildMaxSpareThreadsMinSpareThreadsPidFileReceiveBufferSizeScoreBoardFileSendBufferSizeServerLimitStartServersThreadLimitThreadsPerChildThreadStackSizeUserApache Module mod_actionsAction指令Script指令Apache Module mod_alias处理顺序AliasAliasMatchRedirectRedirectMatchRedirectPermanentRedirectTempScriptAliasScriptAliasMatchApache Module mod_asis用法Apache Module mod_auth_basicAuthBasicAuthoritativeAuthBasicProviderApache Module mod_auth_digest使用摘要认证配合 MS Internet Explorer 6 工作AuthDigestAlgorithmAuthDigestDomainAuthDigestNcCheckAuthDigestNonceFormatAuthDigestNonceLifetimeAuthDigestProviderAuthDigestQopAuthDigestShmemSizeApache Module mod_authn_alias示例<AuthnProviderAlias>Apache Module mod_authn_anon示例AnonymousAnonymous_LogEmailAnonymous_MustGiveEmailAnonymous_NoUserIDAnonymous_VerifyEmailApache Module mod_authn_dbd配置示例AuthDBDUserPWQueryAuthDBDUserRealmQueryApache Module mod_authn_dbmAuthDBMTypeAuthDBMUserFileApache Module mod_authn_defaultAuthDefaultAuthoritativeApache Module mod_authn_fileAuthUserFileApache Module mod_authnz_ldapContentsOperationThe require Directives举例Using TLSUsing SSLUsing Microsoft FrontPage with mod_authnz_ldapAuthLDAPBindDNAuthLDAPBindPasswordAuthLDAPCharsetConfigAuthLDAPCompareDNOnServerAuthLDAPDereferenceAliasesAuthLDAPGroupAttributeAuthLDAPGroupAttributeIsDNAuthLDAPRemoteUserIsDNAuthLDAPUrlAuthzLDAPAuthoritativeApache Module mod_authz_dbmAuthDBMGroupFileAuthzDBMAuthoritativeAuthzDBMTypeApache Module mod_authz_defaultAuthzDefaultAuthoritativeApache Module mod_authz_groupfileAuthGroupFileAuthzGroupFileAuthoritativeApache Module mod_authz_hostAllowDenyOrderApache Module mod_authz_owner配置示例AuthzOwnerAuthoritativeApache Module mod_authz_userAuthzUserAuthoritativeApache Module mod_autoindexAutoindex Request Query ArgumentsAddAltAddAltByEncodingAddAltByTypeAddDescriptionAddIconAddIconByEncodingAddIconByTypeDefaultIconHeaderNameIndexIgnoreIndexOptionsIndexOrderDefaultIndexStyleSheetReadmeNameApache Module mod_cacheRelated Modules and Directives配置示例CacheDefaultExpireCacheDisableCacheEnableCacheIgnoreCacheControlCacheIgnoreHeadersCacheIgnoreNoLastModCacheLastModifiedFactorCacheMaxExpireCacheStoreNoStoreCacheStorePrivateApache Module mod_cern_metaMetaDirMetaFilesMetaSuffixApache Module mod_cgiCGI 环境变量CGI 脚本的调试ScriptLogScriptLogBufferScriptLogLengthApache Module mod_cgidScriptSockScriptLogScriptLogBufferScriptLogLengthApache Module mod_charset_liteCommon ProblemsCharsetDefaultCharsetOptionsCharsetSourceEncApache Module mod_davEnabling WebDAVSecurity IssuesComplex ConfigurationsDavDavDepthInfinityDavMinTimeoutApache Module mod_dav_fsDavLockDBApache Module mod_dav_lockDavGenericLockDBApache Module mod_dbdConnection PoolingApache DBD APISQL Prepared StatementsDBDExptimeDBDKeepDBDMaxDBDMinDBDParamsDBDPersistDBDPrepareSQLDBDriverApache Module mod_deflate配置举例启用压缩代理服务器DeflateBufferSizeDeflateCompressionLevelDeflateFilterNoteDeflateMemLevelDeflateWindowSizeApache Module mod_dirDirectoryIndexDirectorySlashApache Module mod_disk_cacheCacheDirLengthCacheDirLevelsCacheMaxFileSizeCacheMinFileSizeCacheRootApache Module mod_dumpio启用dumpio支持DumpIOInputDumpIOOutputApache Module mod_echoProtocolEchoApache Module mod_envPassEnvSetEnvUnsetEnvApache Module mod_exampleCompiling the example moduleUsing the mod_example ModuleExampleApache Module mod_expires交替间隔语法ExpiresActiveExpiresByTypeExpiresDefaultApache Module mod_ext_filter举例ExtFilterDefineExtFilterOptionsApache Module mod_file_cacheUsing mod_file_cacheCacheFileMMapFileApache Module mod_filterSmart FilteringFilter DeclarationsConfiguring the ChainExamplesProtocol HandlingFilterChainFilterDeclareFilterProtocolFilterProviderFilterTraceApache Module mod_headers处理顺序前处理和后处理举例HeaderRequestHeaderApache Module mod_identIdentityCheckIdentityCheckTimeoutApache Module mod_imagemapNew FeaturesImagemap FileExample MapfileReferencing your mapfileImapBaseImapDefaultImapMenuApache Module mod_includeEnabling Server-Side IncludesPATH_INFO with Server Side IncludesBasic ElementsInclude VariablesVariable SubstitutionFlow Control ElementsSSIEndTagSSIErrorMsgSSIStartTagSSITimeFormatSSIUndefinedEchoXBitHackApache Module mod_info安全问题选择哪些信息可以被显示已知的局限AddModuleInfoApache Module mod_isapi用法附加注释程序员注记ISAPIAppendLogToErrorsISAPIAppendLogToQueryISAPICacheFileISAPIFakeAsyncISAPILogNotSupportedISAPIReadAheadBufferApache Module mod_ldap示例配置LDAP 连接池LDAP 缓冲使用SSL/TLSSSL/TLS 证书LDAPCacheEntriesLDAPCacheTTLLDAPConnectionTimeoutLDAPOpCacheEntriesLDAPOpCacheTTLLDAPSharedCacheFileLDAPSharedCacheSizeLDAPTrustedClientCertLDAPTrustedGlobalCertLDAPTrustedModeLDAPVerifyServerCertApache Module mod_log_config定制日志文件格式安全考虑BufferedLogsCookieLogCustomLogLogFormatTransferLogApache Module mod_log_forensic定制日志文件格式安全考虑ForensicLogApache Module mod_logio定制日志文件格式Apache Module mod_mem_cacheMCacheMaxObjectCountMCacheMaxObjectSizeMCacheMaxStreamingBufferMCacheMinObjectSizeMCacheRemovalAlgorithmMCacheSizeApache Module mod_mime带多扩展名的文件内容编码字符集和语言AddCharsetAddEncodingAddHandlerAddInputFilterAddLanguageAddOutputFilterAddTypeDefaultLanguageModMimeUsePathInfoMultiviewsMatchRemoveCharsetRemoveEncodingRemoveHandlerRemoveInputFilterRemoveLanguageRemoveOutputFilterRemoveTypeTypesConfigApache Module mod_mime_magic"Magic文件"的格式性能问题注意MimeMagicFileApache Module mod_negotiation类型表MultiViewsCacheNegotiatedDocsForceLanguagePriorityLanguagePriorityApache Module mod_nw_sslNWSSLTrustedCertsNWSSLUpgradeableSecureListenApache Module mod_proxy正向和反向代理简单示例控制对代理服务器的访问缓慢启动局域网代理协议调整请求体AllowCONNECTNoProxy<Proxy>ProxyBadHeaderProxyBlockProxyDomainProxyErrorOverrideProxyIOBufferSize<ProxyMatch>ProxyMaxForwardsProxyPassProxyPassReverseProxyPassReverseCookieDomainProxyPassReverseCookiePathProxyPreserveHostProxyReceiveBufferSizeProxyRemoteProxyRemoteMatchProxyRequestsProxyTimeoutProxyViaApache Module mod_proxy_ajpOverview of the protocolBasic Packet StructureRequest Packet StructureResponse Packet StructureApache Module mod_proxy_balancerLoad balancer scheduler algorithmRequest Counting AlgorithmWeighted Traffic Counting AlgorithmEnabling Balancer Manager SupportApache Module mod_proxy_connectApache Module mod_proxy_ftp为什么xxx类型的文件不能从FTP下载?如何强制文件xxx使用FTP的ASCII形式下载?我如何使用FTP上传?我如何能访问我自己home目录以外的FTP文件?我如何才能在浏览器的URL框中隐藏FTP的明文密码?Apache Module mod_proxy_httpApache Module mod_rewrite特殊字符的引用环境变量实用方案RewriteBaseRewriteCondRewriteEngineRewriteLockRewriteLogRewriteLogLevelRewriteMapRewriteOptionsRewriteRuleApache Module mod_setenvifBrowserMatchBrowserMatchNoCaseSetEnvIfSetEnvIfNoCaseApache Module mod_so为Windows创建可加载模块LoadFileLoadModuleApache Module mod_spelingCheckSpellingApache Module mod_ssl环境变量Custom Log FormatsSSLCACertificateFileSSLCACertificatePathSSLCADNRequestFileSSLCADNRequestPathSSLCARevocationFileSSLCARevocationPathSSLCertificateChainFileSSLCertificateFileSSLCertificateKeyFileSSLCipherSuiteSSLCryptoDeviceSSLEngineSSLHonorCipherOrderSSLMutexSSLOptionsSSLPassPhraseDialogSSLProtocolSSLProxyCACertificateFileSSLProxyCACertificatePathSSLProxyCARevocationFileSSLProxyCARevocationPathSSLProxyCipherSuiteSSLProxyEngineSSLProxyMachineCertificateFileSSLProxyMachineCertificatePathSSLProxyProtocolSSLProxyVerifySSLProxyVerifyDepthSSLRandomSeedSSLRequireSSLRequireSSLSSLSessionCacheSSLSessionCacheTimeoutSSLUserNameSSLVerifyClientSSLVerifyDepthApache Module mod_statusEnabling Status Support自动更新Machine Readable Status FileExtendedStatusApache Module mod_suexecSuexecUserGroupApache Module mod_unique_idTheoryApache Module mod_userdirUserDirApache Module mod_usertrackLogging2-digit or 4-digit dates for cookies?CookieDomainCookieExpiresCookieNameCookieStyleCookieTrackingApache Module mod_version<IfVersion>Apache Module mod_vhost_alias目录名称的转换示例VirtualDocumentRootVirtualDocumentRootIPVirtualScriptAliasVirtualScriptAliasIP开发者文档OverviewTopicsExternal ResourcesApache API notesBasic conceptsHow handlers workResource allocation and resource poolsConfigurationDebugging Memory Allocation in APRAvailable debugging optionsAllowable CombinationsActivating Debugging OptionsDocumenting Apache 2.0Apache 2.0 Hook FunctionsCreating a hook functionHooking the hookConverting Modules from Apache 1.3 to Apache 2.0The easier changes ...The messier changes...Request Processing in Apache 2.0The Request Processing CycleThe Request Parsing PhaseThe Security PhaseThe Preparation PhaseThe Handler PhaseHow Filters Work in Apache 2.0Filter TypesHow are filters inserted?AsisExplanations词汇和索引词汇表模块索引指令索引指令速查译者声明
文字

Apache模块 mod_ldap

说明 为其它LDAP模块提供LDAP连接池和结果缓冲服务
状态 扩展(E)
模块名 ldap_module
源文件 util_ldap.c
兼容性 仅在 Apache 2.0.41 及以后的版本中可用

概述

本模块通过后端连接LDAP服务来改善网站性能。除了标准LDAP库提供的功能外,本模块增加了一个LDAP连接池和一个LDAP共享内存缓冲区。

为了使用本模块的功能,LDAP支持必须编译进APU。这是通过在编译Apache时,在configure脚本命令行上增加 --with-ldap 开关来实现的。

为了支持SSL/TLS ,需要APR连接以下一个LDAP SDK :OpenLDAP SDK(2.x或更新), Novell LDAP SDK, Mozilla LDAP SDK, 本地 Solaris LDAP SDK (基于Mozilla), 本地 Microsoft LDAP SDK, iPlanet (Netscape) SDK 。参见APR网站以获取更多信息。

示例配置

下面的配置是一个使用mod_ldap模块来提升mod_authnz_ldap提供的HTTP基本认证性能的例子。

# 开启LDAP连接池及共享内存缓冲。
# 开启LDAP缓冲状态处理器。需要载入mod_ldap和mod_authnz_ldap模块。
# 把"yourdomain.example.com"改为你真实的域名。

LDAPSharedCacheSize 200000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600

<Location /ldap-status>
SetHandler ldap-status
Order deny,allow
Deny from all
Allow from yourdomain.example.com
AuthLDAPEnabled on
AuthLDAPURL ldap://127.0.0.1/dc=example,dc=com?uid?one
AuthLDAPAuthoritative on
require valid-user
</Location>

LDAP连接池

LDAP连接是在请求之间共享的。这就允许LDAP服务器在跳过unbind->connect->rebind这样一个工作周期的情况下,保留连接以减少为下一次请求准备连接的时间。这种性能优化有点象HTTP服务的Keep-Alives功能。

在一个比较繁忙的服务器上,很有可能许多请求同时尝试与同一个LDAP服务进行连接并得到它的服务。如果一个LDAP连接正在使用,Apache会在原来连接的基础上,生成一个新的连接。这将确保连接池不会成为瓶颈。

不需要在Apache配置中手动开启连接池功能。任何使用本模块来访问LDAP服务的模块会自动共享连接池。

LDAP缓冲

为了改善性能,mod_ldap模块使用一种积极的缓冲策略以尽量减少与LDAP服务器的联系。通过缓冲,可以方便地使Apache在提供受mod_authnz_ldap保护的页面时,得到二倍或三倍的吞吐量。同时,LDAP服务器的负载也会明显地减小。

mod_ldap支持两种类型的LDAP缓冲。在search/bind阶段,使用一个search/bind缓冲,在compare阶段,使用两个operation缓冲。服务器引用的每个LDAP URL都有一组它自己的上述三个缓冲。

Search/Bind缓冲

处理一个查询和绑定操作对LDAP实施来讲,是非常耗时,尤其当目录很大时,这一点更加明显。Search/bind缓冲用来缓冲所有的最终能成功绑定的查询。失败的结果(比如:不成功的查询或查询结果无法成功绑定)不会被缓冲。这样做是因为信任关系失败的连接在所有连接中只占了很小的一个百分比,因此,通过不缓冲这些连接,可以减少缓冲区的大小。

mod_ldap在缓冲区里储存了用户名、得到的DN 、用来绑定的口令、绑定的时间。当一个新的连接用同一个用户名来初始化的时候,mod_ldap将新的连接的口令与保存在缓冲区里的口令进行比较。如果口令匹配,并且那个缓冲项目尚未失效的话,mod_ldap就跳过search/bind阶段。

查询与绑定缓冲由LDAPCacheEntriesLDAPCacheTTL指令来控制。

Operation缓冲

在区分与辨别过程中,mod_ldap使用两个操作缓冲区来缓冲比较的操作。第一个缓冲区用来缓冲是否LDAP组成员的测试结果,第二个用来缓冲不同名字间鉴别的比较结果。

这两个缓冲区都是由LDAPOpCacheEntriesLDAPOpCacheTTL指令来控制的。

缓冲区的监控

mod_ldap包含了一个完整的处理器,通过它可以使管理员监控缓冲区的性能。这个处理器的名字是ldap-status ,因此可以用下列指令来得到mod_ldap缓冲区的相关信息:

<Location /server/cache-info>
SetHandler ldap-status
</Location>

通过URL http://servername/cache-info ,管理员可以得到mod_ldap使用的每个缓冲的状态报告。注意,如果Apache不支持共享内存,那么每个httpd实例都有它自己的缓冲区,因此,每次使用上述URL都可能会得到不同的结果,这取决于具体哪个httpd实例处理了这个请求。

使用SSL/TSL

通过LDAPTrustedGlobalCert, LDAPTrustedClientCert, LDAPTrustedMode指令可以定义与LDAP服务器建立SSL/TSL联接。这些指令指定了使用的CA和可选的客户端证书,以及连接使用的加密类型(none, SSL, TLS/STARTTLS)。

# 在636端口建立一个SSL LDAP联接。需要模块mod_ldap和mod_authnz_ldap的支持。
# 将"yourdomain.example.com"修改为您自己的域名。

LDAPTrustedGlobalCert CA_DER /certs/certfile.der

<Location /ldap-status>
SetHandler ldap-status
Order deny,allow
Deny from all
Allow from yourdomain.example.com
AuthLDAPEnabled on
AuthLDAPURL ldaps://127.0.0.1/dc=example,dc=com?uid?one
AuthLDAPAuthoritative on
require valid-user
</Location>

# 在389端口建立一个TLS LDAP联接。需要模块mod_ldap和mod_authnz_ldap的支持。
# 将"yourdomain.example.com"修改为您自己的域名。

LDAPTrustedGlobalCert CA_DER /certs/certfile.der

<Location /ldap-status>
SetHandler ldap-status
Order deny,allow
Deny from all
Allow from yourdomain.example.com
AuthLDAPEnabled on
LDAPTrustedMode TLS AuthLDAPURL ldap://127.0.0.1/dc=example,dc=com?uid?one
AuthLDAPAuthoritative on
require valid-user
</Location>

SSL/TLS Certificates

The different LDAP SDKs have widely different methods of setting and handling both CA and client side certificates.

If you intend to use SSL or TLS, read this section CAREFULLY so as to understand the differences between configurations on the different LDAP toolkits supported.

Netscape/Mozilla/iPlanet SDK

CA certificates are specified within a file called cert7.db. The SDK will not talk to any LDAP server whose certificate was not signed by a CA specified in this file. If client certificates are required, an optional key3.db file may be specified with an optional password. The secmod file can be specified if required. These files are in the same format as used by the Netscape Communicator or Mozilla web browsers. The easiest way to obtain these files is to grab them from your browser installation.

Client certificates are specified per connection using the LDAPTrustedClientCert directive by referring to the certificate "nickname". An optional password may be specified to unlock the certificate's private key.

The SDK supports SSL only. An attempt to use STARTTLS will cause an error when an attempt is made to contact the LDAP server at runtime.

# Specify a Netscape CA certificate file
LDAPTrustedGlobalCert CA_CERT7_DB /certs/cert7.db
# Specify an optional key3.db file for client certificate support
LDAPTrustedGlobalCert CERT_KEY3_DB /certs/key3.db
# Specify the secmod file if required
LDAPTrustedGlobalCert CA_SECMOD /certs/secmod
<Location /ldap-status>
SetHandler ldap-status
Order deny,allow
Deny from all
Allow from yourdomain.example.com
AuthLDAPEnabled on
LDAPTrustedClientCert CERT_NICKNAME <nickname> [password]
AuthLDAPURL ldaps://127.0.0.1/dc=example,dc=com?uid?one
AuthLDAPAuthoritative on
require valid-user
</Location>

Novell SDK

One or more CA certificates must be specified for the Novell SDK to work correctly. These certificates can be specified as binary DER or Base64 (PEM) encoded files.

Note: Client certificates are specified globally rather than per connection, and so must be specified with the LDAPTrustedGlobalCert directive as below. Trying to set client certificates via the LDAPTrustedClientCert directive will cause an error to be logged when an attempt is made to connect to the LDAP server..

The SDK supports both SSL and STARTTLS, set using the LDAPTrustedMode parameter. If an ldaps:// URL is specified, SSL mode is forced, override this directive.

# Specify two CA certificate files
LDAPTrustedGlobalCert CA_DER /certs/cacert1.der
LDAPTrustedGlobalCert CA_BASE64 /certs/cacert2.pem
# Specify a client certificate file and key
LDAPTrustedGlobalCert CERT_BASE64 /certs/cert1.pem
LDAPTrustedGlobalCert KEY_BASE64 /certs/key1.pem [password]
# Do not use this directive, as it will throw an error
#LDAPTrustedClientCert CERT_BASE64 /certs/cert1.pem

OpenLDAP SDK

One or more CA certificates must be specified for the OpenLDAP SDK to work correctly. These certificates can be specified as binary DER or Base64 (PEM) encoded files.

Client certificates are specified per connection using the LDAPTrustedClientCert directive.

The documentation for the SDK claims to support both SSL and STARTTLS, however STARTTLS does not seem to work on all versions of the SDK. The SSL/TLS mode can be set using the LDAPTrustedMode parameter. If an ldaps:// URL is specified, SSL mode is forced. The OpenLDAP documentation notes that SSL (ldaps://) support has been deprecated to be replaced with TLS, although the SSL functionality still works.

# Specify two CA certificate files
LDAPTrustedGlobalCert CA_DER /certs/cacert1.der
LDAPTrustedGlobalCert CA_BASE64 /certs/cacert2.pem
<Location /ldap-status>
SetHandler ldap-status
Order deny,allow
Deny from all
Allow from yourdomain.example.com
AuthLDAPEnabled on
LDAPTrustedClientCert CERT_BASE64 /certs/cert1.pem
LDAPTrustedClientCert KEY_BASE64 /certs/key1.pem
AuthLDAPURL ldaps://127.0.0.1/dc=example,dc=com?uid?one
AuthLDAPAuthoritative on
require valid-user
</Location>

Solaris SDK

SSL/TLS for the native Solaris LDAP libraries is not yet supported. If required, install and use the OpenLDAP libraries instead.

Microsoft SDK

SSL/TLS certificate configuration for the native Microsoft LDAP libraries is done inside the system registry, and no configuration directives are required.

Both SSL and TLS are supported by using the ldaps:// URL format, or by using the LDAPTrustedMode directive accordingly.

Note: The status of support for client certificates is not yet known for this toolkit.

LDAPCacheEntries 指令

说明 主LDAP缓冲的最大条目数
语法 LDAPCacheEntries number
默认值 LDAPCacheEntries 1024
作用域 server config
状态 扩展(E)
模块 mod_ldap

指定主LDAP缓冲的最大条目数。这个缓冲区包含了成功的search/bind对。把它设为0可以关闭search/bind缓冲。默认值是1024 。

LDAPCacheTTL 指令

说明 search/bind缓冲项目有效时限
语法 LDAPCacheTTL seconds
默认值 LDAPCacheTTL 600
作用域 server config
状态 扩展(E)
模块 mod_ldap

指定search/bind缓冲项目有效的时间,以秒为单位。默认为600秒(10分钟)。

LDAPConnectionTimeout 指令

说明 指定套接字连接超时秒数
语法 LDAPConnectionTimeout seconds
作用域 server config
状态 扩展(E)
模块 mod_ldap

Specifies the timeout value (in seconds) in which the module will attempt to connect to the LDAP server. If a connection is not successful with the timeout period, either an error will be returned or the module will attempt to connect to a secondary LDAP server if one is specified. The default is 10 seconds.

LDAPOpCacheEntries 指令

说明 LDAP compare缓冲区的大小
语法 LDAPOpCacheEntries number
默认值 LDAPOpCacheEntries 1024
作用域 server config
状态 扩展(E)
模块 mod_ldap

指定mod_ldap使用的LDAP compare缓冲区大小。默认值是1024条。把它设为0可以关闭操作缓冲。

LDAPOpCacheTTL 指令

说明 操作缓冲有效时限
语法 LDAPOpCacheTTL seconds
默认值 LDAPOpCacheTTL 600
作用域 server config
状态 扩展(E)
模块 mod_ldap

指定操作缓冲项目的有效时长,以秒为单位。默认为600秒。

LDAPSharedCacheFile 指令

说明 设置共享内存缓冲区文件
语法 LDAPSharedCacheFile directory-path/filename
作用域 server config
状态 扩展(E)
模块 mod_ldap

设置共享内存缓冲区文件。若未设置,将使用匿名共享内存(若平台支持)。

LDAPSharedCacheSize 指令

说明 共享内存缓冲区的字节大小
语法 LDAPSharedCacheSize bytes
默认值 LDAPSharedCacheSize 102400
作用域 server config
状态 扩展(E)
模块 mod_ldap

指定共享内存缓冲区的大小,以Byte为单位。默认为100KB。

LDAPTrustedClientCert 指令

说明 Sets the file containing or nickname referring to a per connection client certificate. Not all LDAP toolkits support per connection client certificates.
语法 LDAPTrustedClientCert type directory-path/filename/nickname [password]
作用域 server config, virtual host, directory, .htaccess
状态 扩展(E)
模块 mod_ldap

It specifies the directory path, file name or nickname of a per connection client certificate used when establishing an SSL or TLS connection to an LDAP server. Different locations or directories may have their own independant client certificate settings. Some LDAP toolkits (notably Novell) do not support per connection client certificates, and will throw an error on LDAP server connection if you try to use this directive (Use the LDAPTrustedGlobalCert directive instead for Novell client certificates - See the SSL/TLS certificate guide above for details). The type specifies the kind of certificate parameter being set, depending on the LDAP toolkit being used. Supported types are:

  • CERT_DER - binary DER encoded client certificate
  • CERT_BASE64 - PEM encoded client certificate
  • CERT_NICKNAME - Client certificate "nickname" (Netscape SDK)
  • KEY_DER - binary DER encoded private key
  • KEY_BASE64 - PEM encoded private key

LDAPTrustedGlobalCert 指令

说明 Sets the file or database containing global trusted Certificate Authority or global client certificates
语法 LDAPTrustedGlobalCert type directory-path/filename [password]
作用域 server config
状态 扩展(E)
模块 mod_ldap

It specifies the directory path and file name of the trusted CA certificates and/or system wide client certificates mod_ldap should use when establishing an SSL or TLS connection to an LDAP server. Note that all certificate information specified using this directive is applied globally to the entire server installation. Some LDAP toolkits (notably Novell) require all client certificates to be set globally using this directive. Most other toolkits require clients certificates to be set per Directory or per Location using LDAPTrustedClientCert. If you get this wrong, an error may be logged when an attempt is made to contact the LDAP server, or the connection may silently fail (See the SSL/TLS certificate guide above for details). The type specifies the kind of certificate parameter being set, depending on the LDAP toolkit being used. Supported types are:

  • CA_DER - binary DER encoded CA certificate
  • CA_BASE64 - PEM encoded CA certificate
  • CA_CERT7_DB - Netscape cert7.db CA certificate database file
  • CA_SECMOD - Netscape secmod database file
  • CERT_DER - binary DER encoded client certificate
  • CERT_BASE64 - PEM encoded client certificate
  • CERT_KEY3_DB - Netscape key3.db client certificate database file
  • CERT_NICKNAME - Client certificate "nickname" (Netscape SDK)
  • CERT_PFX - PKCS#12 encoded client certificate (Novell SDK)
  • KEY_DER - binary DER encoded private key
  • KEY_BASE64 - PEM encoded private key
  • KEY_PFX - PKCS#12 encoded private key (Novell SDK)

LDAPTrustedMode 指令

说明 Specifies the SSL/TLS mode to be used when connecting to an LDAP server.
语法 LDAPTrustedMode type
作用域 server config, virtual host, directory, .htaccess
状态 扩展(E)
模块 mod_ldap

The following modes are supported:

  • NONE - no encryption
  • SSL - ldaps:// encryption on default port 636
  • TLS - STARTTLS encryption on default port 389

Not all LDAP toolkits support all the above modes. An error message will be logged at runtime if a mode is not supported, and the connection to the LDAP server will fail.

If an ldaps:// URL is specified, the mode becomes SSL and the setting of LDAPTrustedMode is ignored.

LDAPVerifyServerCert 指令

说明 Force server certificate verification
语法 LDAPVerifyServerCert On|Off
默认值 LDAPVerifyServerCert On
作用域 server config
状态 扩展(E)
模块 mod_ldap

Specifies whether to force the verification of a server certificate when establishing an SSL connection to the LDAP server.

上一篇:下一篇: