Apache模塊 mod_ldap · Apache 2.2 中文官方文檔

# Apache模塊 mod_ldap | [說明](#calibre_link-11) | 為其它LDAP模塊提供LDAP連接池和結果緩沖服務 | | --- | --- | | [狀態](#calibre_link-12) | 擴展(E) | | [模塊名](#calibre_link-13) | ldap_module | | [源文件](#calibre_link-14) | util_ldap.c | | [兼容性](#calibre_link-58) | 僅在 Apache 2.0.41 及以后的版本中可用 | ### 概述本模塊通過后端連接LDAP服務來改善網站性能。除了標準LDAP庫提供的功能外，本模塊增加了一個LDAP連接池和一個LDAP共享內存緩沖區。為了使用本模塊的功能，LDAP支持必須編譯進APU。這是通過在編譯Apache時，在`configure`腳本命令行上增加 `--with-ldap` 開關來實現的。為了支持SSL/TLS ，需要[APR](#calibre_link-318 "see glossary")連接以下一個LDAP SDK ：[OpenLDAP SDK](http://www.openldap.org/)(2.x或更新), [Novell LDAP SDK](http://developer.novell.com/ndk/cldap.htm), [Mozilla LDAP SDK](http://www.mozilla.org/directory/csdk.html), 本地 Solaris LDAP SDK (基于Mozilla), 本地 Microsoft LDAP SDK, [iPlanet (Netscape)](http://www.iplanet.com/downloads/developer/) SDK 。參見[APR](http://apr.apache.org)網站以獲取更多信息。 ## 示例配置下面的配置是一個使用`mod_ldap`模塊來提升`mod_authnz_ldap`提供的HTTP基本認證性能的例子。 ``` # 開啟LDAP連接池及共享內存緩沖。 # 開啟LDAP緩沖狀態處理器。需要載入mod_ldap和mod_authnz_ldap模塊。 # 把"yourdomain.example.com"改為你真實的域名。 LDAPSharedCacheSize 200000 LDAPCacheEntries 1024 LDAPCacheTTL 600 LDAPOpCacheEntries 1024 LDAPOpCacheTTL 600 <Location /ldap-status> SetHandler ldap-status Order deny,allow Deny from all Allow from yourdomain.example.com AuthLDAPEnabled on AuthLDAPURL ldap://127.0.0.1/dc=example,dc=com?uid?one AuthLDAPAuthoritative on require valid-user </Location> ``` ## LDAP連接池 LDAP連接是在請求之間共享的。這就允許LDAP服務器在跳過unbind->connect->rebind這樣一個工作周期的情況下，保留連接以減少為下一次請求準備連接的時間。這種性能優化有點象HTTP服務的Keep-Alives功能。在一個比較繁忙的服務器上，很有可能許多請求同時嘗試與同一個LDAP服務進行連接并得到它的服務。如果一個LDAP連接正在使用，Apache會在原來連接的基礎上，生成一個新的連接。這將確保連接池不會成為瓶頸。不需要在Apache配置中手動開啟連接池功能。任何使用本模塊來訪問LDAP服務的模塊會自動共享連接池。 ## LDAP緩沖為了改善性能，`mod_ldap`模塊使用一種積極的緩沖策略以盡量減少與LDAP服務器的聯系。通過緩沖，可以方便地使Apache在提供受mod_authnz_ldap保護的頁面時，得到二倍或三倍的吞吐量。同時，LDAP服務器的負載也會明顯地減小。 `mod_ldap`支持兩種類型的LDAP緩沖。在search/bind階段，使用一個_search/bind緩沖_，在compare階段，使用兩個_operation緩沖_。服務器引用的每個LDAP URL都有一組它自己的上述三個緩沖。 ### Search/Bind緩沖處理一個查詢和綁定操作對LDAP實施來講，是非常耗時，尤其當目錄很大時，這一點更加明顯。Search/bind緩沖用來緩沖所有的最終能成功綁定的查詢。失敗的結果(比如：不成功的查詢或查詢結果無法成功綁定)不會被緩沖。這樣做是因為信任關系失敗的連接在所有連接中只占了很小的一個百分比，因此，通過不緩沖這些連接，可以減少緩沖區的大小。 `mod_ldap`在緩沖區里儲存了用戶名、得到的DN 、用來綁定的口令、綁定的時間。當一個新的連接用同一個用戶名來初始化的時候，`mod_ldap`將新的連接的口令與保存在緩沖區里的口令進行比較。如果口令匹配，并且那個緩沖項目尚未失效的話，`mod_ldap`就跳過search/bind階段。查詢與綁定緩沖由`LDAPCacheEntries`和`LDAPCacheTTL`指令來控制。 ### Operation緩沖在區分與辨別過程中，`mod_ldap`使用兩個操作緩沖區來緩沖比較的操作。第一個緩沖區用來緩沖是否LDAP組成員的測試結果，第二個用來緩沖不同名字間鑒別的比較結果。這兩個緩沖區都是由`LDAPOpCacheEntries`和`LDAPOpCacheTTL`指令來控制的。 ### 緩沖區的監控 `mod_ldap`包含了一個完整的處理器，通過它可以使管理員監控緩沖區的性能。這個處理器的名字是`ldap-status` ，因此可以用下列指令來得到`mod_ldap`緩沖區的相關信息： ``` <Location /server/cache-info> SetHandler ldap-status </Location> ``` 通過URL `http://servername/cache-info` ，管理員可以得到`mod_ldap`使用的每個緩沖的狀態報告。注意，如果Apache不支持共享內存，那么每個`httpd`實例都有它自己的緩沖區，因此，每次使用上述URL都可能會得到不同的結果，這取決于具體哪個`httpd`實例處理了這個請求。 ## 使用SSL/TSL 通過`LDAPTrustedGlobalCert`, `LDAPTrustedClientCert`, `LDAPTrustedMode`指令可以定義與LDAP服務器建立SSL/TSL聯接。這些指令指定了使用的CA和可選的客戶端證書，以及連接使用的加密類型(none, SSL, TLS/STARTTLS)。 ``` # 在636端口建立一個SSL LDAP聯接。需要模塊mod_ldap和mod_authnz_ldap的支持。 # 將"yourdomain.example.com"修改為您自己的域名。 LDAPTrustedGlobalCert CA_DER /certs/certfile.der <Location /ldap-status> SetHandler ldap-status Order deny,allow Deny from all Allow from yourdomain.example.com AuthLDAPEnabled on AuthLDAPURL ldaps://127.0.0.1/dc=example,dc=com?uid?one AuthLDAPAuthoritative on require valid-user </Location> ``` ``` # 在389端口建立一個TLS LDAP聯接。需要模塊mod_ldap和mod_authnz_ldap的支持。 # 將"yourdomain.example.com"修改為您自己的域名。 LDAPTrustedGlobalCert CA_DER /certs/certfile.der <Location /ldap-status> SetHandler ldap-status Order deny,allow Deny from all Allow from yourdomain.example.com AuthLDAPEnabled on LDAPTrustedMode TLS AuthLDAPURL ldap://127.0.0.1/dc=example,dc=com?uid?one AuthLDAPAuthoritative on require valid-user </Location> ``` ## SSL/TLS Certificates The different LDAP SDKs have widely different methods of setting and handling both CA and client side certificates. If you intend to use SSL or TLS, read this section CAREFULLY so as to understand the differences between configurations on the different LDAP toolkits supported. ### Netscape/Mozilla/iPlanet SDK CA certificates are specified within a file called cert7.db. The SDK will not talk to any LDAP server whose certificate was not signed by a CA specified in this file. If client certificates are required, an optional key3.db file may be specified with an optional password. The secmod file can be specified if required. These files are in the same format as used by the Netscape Communicator or Mozilla web browsers. The easiest way to obtain these files is to grab them from your browser installation. Client certificates are specified per connection using the LDAPTrustedClientCert directive by referring to the certificate "nickname". An optional password may be specified to unlock the certificate's private key. The SDK supports SSL only. An attempt to use STARTTLS will cause an error when an attempt is made to contact the LDAP server at runtime. ``` # Specify a Netscape CA certificate file LDAPTrustedGlobalCert CA_CERT7_DB /certs/cert7.db # Specify an optional key3.db file for client certificate support LDAPTrustedGlobalCert CERT_KEY3_DB /certs/key3.db # Specify the secmod file if required LDAPTrustedGlobalCert CA_SECMOD /certs/secmod <Location /ldap-status> SetHandler ldap-status Order deny,allow Deny from all Allow from yourdomain.example.com AuthLDAPEnabled on LDAPTrustedClientCert CERT_NICKNAME <nickname> [password] AuthLDAPURL ldaps://127.0.0.1/dc=example,dc=com?uid?one AuthLDAPAuthoritative on require valid-user </Location> ``` ### Novell SDK One or more CA certificates must be specified for the Novell SDK to work correctly. These certificates can be specified as binary DER or Base64 (PEM) encoded files. Note: Client certificates are specified globally rather than per connection, and so must be specified with the LDAPTrustedGlobalCert directive as below. Trying to set client certificates via the LDAPTrustedClientCert directive will cause an error to be logged when an attempt is made to connect to the LDAP server.. The SDK supports both SSL and STARTTLS, set using the LDAPTrustedMode parameter. If an ldaps:// URL is specified, SSL mode is forced, override this directive. ``` # Specify two CA certificate files LDAPTrustedGlobalCert CA_DER /certs/cacert1.der LDAPTrustedGlobalCert CA_BASE64 /certs/cacert2.pem # Specify a client certificate file and key LDAPTrustedGlobalCert CERT_BASE64 /certs/cert1.pem LDAPTrustedGlobalCert KEY_BASE64 /certs/key1.pem [password] # Do not use this directive, as it will throw an error #LDAPTrustedClientCert CERT_BASE64 /certs/cert1.pem ``` ### OpenLDAP SDK One or more CA certificates must be specified for the OpenLDAP SDK to work correctly. These certificates can be specified as binary DER or Base64 (PEM) encoded files. Client certificates are specified per connection using the LDAPTrustedClientCert directive. The documentation for the SDK claims to support both SSL and STARTTLS, however STARTTLS does not seem to work on all versions of the SDK. The SSL/TLS mode can be set using the LDAPTrustedMode parameter. If an ldaps:// URL is specified, SSL mode is forced. The OpenLDAP documentation notes that SSL (ldaps://) support has been deprecated to be replaced with TLS, although the SSL functionality still works. ``` # Specify two CA certificate files LDAPTrustedGlobalCert CA_DER /certs/cacert1.der LDAPTrustedGlobalCert CA_BASE64 /certs/cacert2.pem <Location /ldap-status> SetHandler ldap-status Order deny,allow Deny from all Allow from yourdomain.example.com AuthLDAPEnabled on LDAPTrustedClientCert CERT_BASE64 /certs/cert1.pem LDAPTrustedClientCert KEY_BASE64 /certs/key1.pem AuthLDAPURL ldaps://127.0.0.1/dc=example,dc=com?uid?one AuthLDAPAuthoritative on require valid-user </Location> ``` ### Solaris SDK SSL/TLS for the native Solaris LDAP libraries is not yet supported. If required, install and use the OpenLDAP libraries instead. ### Microsoft SDK SSL/TLS certificate configuration for the native Microsoft LDAP libraries is done inside the system registry, and no configuration directives are required. Both SSL and TLS are supported by using the ldaps:// URL format, or by using the LDAPTrustedMode directive accordingly. Note: The status of support for client certificates is not yet known for this toolkit. ## LDAPCacheEntries 指令 | [說明](#calibre_link-18) | 主LDAP緩沖的最大條目數 | | --- | --- | | [語法](#calibre_link-19) | `LDAPCacheEntries number` | | [默認值](#calibre_link-24) | `LDAPCacheEntries 1024` | | [作用域](#calibre_link-20) | server config | | [狀態](#calibre_link-21) | 擴展(E) | | [模塊](#calibre_link-22) | mod_ldap | 指定主LDAP緩沖的最大條目數。這個緩沖區包含了成功的search/bind對。把它設為0可以關閉search/bind緩沖。默認值是1024 。 ## LDAPCacheTTL 指令 | [說明](#calibre_link-18) | search/bind緩沖項目有效時限 | | --- | --- | | [語法](#calibre_link-19) | `LDAPCacheTTL seconds` | | [默認值](#calibre_link-24) | `LDAPCacheTTL 600` | | [作用域](#calibre_link-20) | server config | | [狀態](#calibre_link-21) | 擴展(E) | | [模塊](#calibre_link-22) | mod_ldap | 指定search/bind緩沖項目有效的時間，以秒為單位。默認為600秒(10分鐘)。 ## LDAPConnectionTimeout 指令 | [說明](#calibre_link-18) | 指定套接字連接超時秒數 | | --- | --- | | [語法](#calibre_link-19) | `LDAPConnectionTimeout seconds` | | [作用域](#calibre_link-20) | server config | | [狀態](#calibre_link-21) | 擴展(E) | | [模塊](#calibre_link-22) | mod_ldap | Specifies the timeout value (in seconds) in which the module will attempt to connect to the LDAP server. If a connection is not successful with the timeout period, either an error will be returned or the module will attempt to connect to a secondary LDAP server if one is specified. The default is 10 seconds. ## LDAPOpCacheEntries 指令 | [說明](#calibre_link-18) | LDAP compare緩沖區的大小 | | --- | --- | | [語法](#calibre_link-19) | `LDAPOpCacheEntries number` | | [默認值](#calibre_link-24) | `LDAPOpCacheEntries 1024` | | [作用域](#calibre_link-20) | server config | | [狀態](#calibre_link-21) | 擴展(E) | | [模塊](#calibre_link-22) | mod_ldap | 指定`mod_ldap`使用的LDAP compare緩沖區大小。默認值是1024條。把它設為0可以關閉操作緩沖。 ## LDAPOpCacheTTL 指令 | [說明](#calibre_link-18) | 操作緩沖有效時限 | | --- | --- | | [語法](#calibre_link-19) | `LDAPOpCacheTTL seconds` | | [默認值](#calibre_link-24) | `LDAPOpCacheTTL 600` | | [作用域](#calibre_link-20) | server config | | [狀態](#calibre_link-21) | 擴展(E) | | [模塊](#calibre_link-22) | mod_ldap | 指定操作緩沖項目的有效時長，以秒為單位。默認為600秒。 ## LDAPSharedCacheFile 指令 | [說明](#calibre_link-18) | 設置共享內存緩沖區文件 | | --- | --- | | [語法](#calibre_link-19) | `LDAPSharedCacheFile directory-path/filename` | | [作用域](#calibre_link-20) | server config | | [狀態](#calibre_link-21) | 擴展(E) | | [模塊](#calibre_link-22) | mod_ldap | 設置共享內存緩沖區文件。若未設置，將使用匿名共享內存(若平臺支持)。 ## LDAPSharedCacheSize 指令 | [說明](#calibre_link-18) | 共享內存緩沖區的字節大小 | | --- | --- | | [語法](#calibre_link-19) | `LDAPSharedCacheSize bytes` | | [默認值](#calibre_link-24) | `LDAPSharedCacheSize 102400` | | [作用域](#calibre_link-20) | server config | | [狀態](#calibre_link-21) | 擴展(E) | | [模塊](#calibre_link-22) | mod_ldap | 指定共享內存緩沖區的大小，以Byte為單位。默認為100KB。 ## LDAPTrustedClientCert 指令 | [說明](#calibre_link-18) | Sets the file containing or nickname referring to a per connection client certificate. Not all LDAP toolkits support per connection client certificates. | | --- | --- | | [語法](#calibre_link-19) | `LDAPTrustedClientCert type directory-path/filename/nickname [password]` | | [作用域](#calibre_link-20) | server config, virtual host, directory, .htaccess | | [狀態](#calibre_link-21) | 擴展(E) | | [模塊](#calibre_link-22) | mod_ldap | It specifies the directory path, file name or nickname of a per connection client certificate used when establishing an SSL or TLS connection to an LDAP server. Different locations or directories may have their own independant client certificate settings. Some LDAP toolkits (notably Novell) do not support per connection client certificates, and will throw an error on LDAP server connection if you try to use this directive (Use the LDAPTrustedGlobalCert directive instead for Novell client certificates - See the SSL/TLS certificate guide above for details). The type specifies the kind of certificate parameter being set, depending on the LDAP toolkit being used. Supported types are: * CERT_DER - binary DER encoded client certificate * CERT_BASE64 - PEM encoded client certificate * CERT_NICKNAME - Client certificate "nickname" (Netscape SDK) * KEY_DER - binary DER encoded private key * KEY_BASE64 - PEM encoded private key ## LDAPTrustedGlobalCert 指令 | [說明](#calibre_link-18) | Sets the file or database containing global trusted Certificate Authority or global client certificates | | --- | --- | | [語法](#calibre_link-19) | `LDAPTrustedGlobalCert type directory-path/filename [password]` | | [作用域](#calibre_link-20) | server config | | [狀態](#calibre_link-21) | 擴展(E) | | [模塊](#calibre_link-22) | mod_ldap | It specifies the directory path and file name of the trusted CA certificates and/or system wide client certificates `mod_ldap` should use when establishing an SSL or TLS connection to an LDAP server. Note that all certificate information specified using this directive is applied globally to the entire server installation. Some LDAP toolkits (notably Novell) require all client certificates to be set globally using this directive. Most other toolkits require clients certificates to be set per Directory or per Location using LDAPTrustedClientCert. If you get this wrong, an error may be logged when an attempt is made to contact the LDAP server, or the connection may silently fail (See the SSL/TLS certificate guide above for details). The type specifies the kind of certificate parameter being set, depending on the LDAP toolkit being used. Supported types are: * CA_DER - binary DER encoded CA certificate * CA_BASE64 - PEM encoded CA certificate * CA_CERT7_DB - Netscape cert7.db CA certificate database file * CA_SECMOD - Netscape secmod database file * CERT_DER - binary DER encoded client certificate * CERT_BASE64 - PEM encoded client certificate * CERT_KEY3_DB - Netscape key3.db client certificate database file * CERT_NICKNAME - Client certificate "nickname" (Netscape SDK) * CERT_PFX - PKCS#12 encoded client certificate (Novell SDK) * KEY_DER - binary DER encoded private key * KEY_BASE64 - PEM encoded private key * KEY_PFX - PKCS#12 encoded private key (Novell SDK) ## LDAPTrustedMode 指令 | [說明](#calibre_link-18) | Specifies the SSL/TLS mode to be used when connecting to an LDAP server. | | --- | --- | | [語法](#calibre_link-19) | `LDAPTrustedMode type` | | [作用域](#calibre_link-20) | server config, virtual host, directory, .htaccess | | [狀態](#calibre_link-21) | 擴展(E) | | [模塊](#calibre_link-22) | mod_ldap | The following modes are supported: * NONE - no encryption * SSL - ldaps:// encryption on default port 636 * TLS - STARTTLS encryption on default port 389 Not all LDAP toolkits support all the above modes. An error message will be logged at runtime if a mode is not supported, and the connection to the LDAP server will fail. If an ldaps:// URL is specified, the mode becomes SSL and the setting of LDAPTrustedMode is ignored. ## LDAPVerifyServerCert 指令 | [說明](#calibre_link-18) | Force server certificate verification | | --- | --- | | [語法](#calibre_link-19) | `LDAPVerifyServerCert On|Off` | | [默認值](#calibre_link-24) | `LDAPVerifyServerCert On` | | [作用域](#calibre_link-20) | server config | | [狀態](#calibre_link-21) | 擴展(E) | | [模塊](#calibre_link-22) | mod_ldap | Specifies whether to force the verification of a server certificate when establishing an SSL connection to the LDAP server.