簡體中文(ZH-CN) English(EN) 繁體中文(ZH-TW) 日本語(JA) ???(KO) Melayu(MS) Fran?ais(FR) Deutsch(DE)

?? ??? ??

首頁版本說明從1.3升級到2.0 編譯時配置的改變運(yùn)行時配置的改變雜項(xiàng)變化第三方模塊從 2.0 升級到 2.2 編譯時配置的改變運(yùn)行時配置的改變雜項(xiàng)變化第三方模塊 Apache 2.1/2.2 版本的新特性核心增強(qiáng) 模塊增強(qiáng) 程序增強(qiáng) 針對模塊開發(fā)者的變化 Apache 2.0 版本的新特性核心的增強(qiáng) 模塊的增強(qiáng) Apache許可證參考手冊編譯與安裝針對心急者的概述要求下載解壓配置源代碼樹編譯安裝配置測試升級啟動 Apache是怎樣啟動的啟動時發(fā)生錯誤隨系統(tǒng)啟動時啟動額外信息停止與重新啟動簡介立即停止優(yōu)雅重啟立即重啟優(yōu)雅停止附錄：信號和競爭條件運(yùn)行時配置指令主配置文件配置文件的語法模塊指令的作用域 .htaccess文件配置段配置段(容器)的類型文件系統(tǒng)和網(wǎng)絡(luò)空間虛擬主機(jī) 代理允許使用哪些指令？配置段的合并內(nèi)容緩沖簡介緩沖概述安全方面的考慮文件句柄緩沖內(nèi)存緩沖磁盤緩沖服務(wù)器全局配置服務(wù)器標(biāo)識文件定位限制資源的使用日志文件安全警告錯誤日志訪問日志日志滾動管道日志虛擬主機(jī) 其他日志文件從URL到文件系統(tǒng)的映射相關(guān)模塊和指令 DocumentRoot DocumentRoot以外的文件用戶目錄 URL重定向反向代理重寫引擎 File Not Found 安全方面的提示保持不斷更新和升級 ServerRoot目錄的權(quán)限服務(wù)器端包含關(guān)于CGI 未指定為腳本的CGI 指定為腳本的CGI 其他動態(tài)內(nèi)容的來源系統(tǒng)設(shè)置的保護(hù) 默認(rèn)配置下服務(wù)器文件的保護(hù) 觀察日志文件動態(tài)共享對象(DSO) 實(shí)現(xiàn) 用法概要背景知識優(yōu)點(diǎn)和缺點(diǎn) 內(nèi)容協(xié)商關(guān)于內(nèi)容協(xié)商 Apache中的內(nèi)容協(xié)商協(xié)商的方法打亂品質(zhì)值透明內(nèi)容協(xié)商的擴(kuò)展超鏈和名稱轉(zhuǎn)換說明緩沖說明更多信息自定義錯誤響應(yīng) 行為配置自定義錯誤響應(yīng)與重定向地址和端口綁定概述針對IPv6的特殊考慮怎樣與虛擬主機(jī)協(xié)同工作多路處理模塊(MPM) 簡介選擇一個MPM 默認(rèn)的MPM 環(huán)境變量設(shè)置環(huán)境變量使用環(huán)境變量用于特殊目的的環(huán)境變量示例處理器的使用什么是處理器？例子程序員注意事項(xiàng) 過濾器 Apache2中的過濾器智能過慮使用過濾器 CGI腳本的Suexec執(zhí)行開始之前 suEXEC的安全模型配置和安裝suEXEC 啟用和禁用suEXEC 使用suEXEC 調(diào)試suEXEC 謹(jǐn)防Jabberwock：警告和舉例性能調(diào)整硬件和操作系統(tǒng) 運(yùn)行時的配置編譯時的配置附錄：蹤跡的詳細(xì)分析 URL重寫指南 mod_rewrite簡介實(shí)踐方案 URL的規(guī)劃內(nèi)容的處理對訪問的限制其他虛擬主機(jī)文檔總述虛擬主機(jī)支持配置指令基于主機(jī)名的虛擬主機(jī) 基于域名的虛擬主機(jī)和基于IP的虛擬主機(jī)比較使用基于域名的虛擬主機(jī) 與舊版瀏覽器的兼容性基于IP地址的虛擬主機(jī) 系統(tǒng)需求如何配置Apache 設(shè)置多個守護(hù)進(jìn)程配置擁有多個虛擬主機(jī)的單一守護(hù)進(jìn)程動態(tài)配置大量虛擬主機(jī) 動機(jī) 概述簡單的動態(tài)虛擬主機(jī) 一個實(shí)際的個人主頁系統(tǒng) 在同一個服務(wù)器上架設(shè)多個主機(jī)的虛擬系統(tǒng) 更為有效的基于IP地址的虛擬主機(jī) 使用老版本的Apache 使用mod_rewrite實(shí)現(xiàn)簡單的動態(tài)虛擬主機(jī) 使用mod_rewrite的個人主頁系統(tǒng) 使用獨(dú)立的虛擬主機(jī)配置文件虛擬主機(jī)的普通配置示例在一個IP地址上運(yùn)行多個基于域名的web站點(diǎn) 在多于一個IP的情況下使用基于域名的虛擬主機(jī) 在不同的IP的地址(比如一個內(nèi)部和一個外部地址)上提供相同的內(nèi)容在不同的端口上運(yùn)行不同的站點(diǎn) 建立基于IP的虛擬主機(jī) 混用基于端口和基于IP的虛擬主機(jī) 混用基于域名和基于IP的虛擬主機(jī) 將虛擬主機(jī)和代理模塊一起使用使用默認(rèn)虛擬主機(jī) 將一個基于域名的虛擬主機(jī)移植為一個基于IP的虛擬主機(jī) 使用ServerPath指令深入討論虛擬主機(jī)的匹配解析配置文件虛擬主機(jī)匹配小技巧文件描述符限制關(guān)于DNS和Apache 一個簡單示例拒絕服務(wù) "主服務(wù)器"地址避免這些問題的小技巧附錄：進(jìn)一步的提示常見問題概述 SSL/TLS 加密概述文檔 mod_ssl 緒論密碼技術(shù) 證書安全套接字層(SSL) 參考兼容性配置指令環(huán)境變量自定義日志功能如何... 加密方案和強(qiáng)制性高等級安全客戶認(rèn)證和訪問控制常見問題解答 About The Module Installation Configuration Certificates The SSL Protocol mod_ssl Support 如何.../指南概述認(rèn)證相關(guān)模塊和指令簡介先決條件啟用認(rèn)證允許多人訪問可能存在的問題其他認(rèn)證方法更多信息 CGI動態(tài)頁面簡介配置Apache以允許CGI 編寫CGI程序程序還是不能運(yùn)行！幕后是怎樣操作的? CGI模塊/庫更多信息服務(wù)器端包含簡介什么是SSI? 配置服務(wù)器以允許SSI 基本SSI指令附加的例子我還能設(shè)置其它什么？執(zhí)行命令高級SSI技術(shù) 總結(jié) .htaccess文件 .htaccess文件工作原理和使用方法 (不)使用.htaccess文件的場合指令的生效認(rèn)證舉例服務(wù)器端包含(SSI)舉例 CGI舉例疑難解答用戶網(wǎng)站目錄用戶網(wǎng)站目錄用UserDir設(shè)置文件路徑限定哪些用戶可以使用此功能啟用對每個用戶都有效的cgi目錄允許用戶改變配置對特定平臺的說明概述 Microsoft Windows 其他平臺在Microsoft Windows中使用Apache 對操作系統(tǒng)的要求下載 Apache for Windows 安裝 Apache for Windows 配置 Apache for Windows 以服務(wù)方式運(yùn)行 Apache for Windows 作為控制臺程序運(yùn)行Apache 測試安裝編譯Windows下的Apache 系統(tǒng)要求命令行編譯 Developer Studio集成開發(fā)環(huán)境的工作區(qū)編譯項(xiàng)目組件在Novell NetWare平臺上使用Apache Requirements Downloading Apache for NetWare Installing Apache for NetWare Running Apache for NetWare Configuring Apache for NetWare Compiling Apache for NetWare 在HP-UX中運(yùn)行Apache The Apache EBCDIC Port Overview of the Apache EBCDIC Port Design Goals Technical Solution Porting Notes Document Storage Notes Apache Modules' Status Third Party Modules' Status 服務(wù)器與支持程序概述 httpd 語法選項(xiàng) ab 語法選項(xiàng) Bugs apachectl 語法選項(xiàng) apxs 語法選項(xiàng) 舉例 configure 語法選項(xiàng) 環(huán)境變量 dbmmanage 語法選項(xiàng) Bugs htcacheclean 語法選項(xiàng) 返回值 htdbm 語法選項(xiàng) Bugs 返回值舉例安全方面的考慮限制 htdigest 語法選項(xiàng) htpasswd 語法選項(xiàng) 返回值舉例安全方面的考慮限制 logresolve 語法選項(xiàng) rotatelogs 語法選項(xiàng) Portability suexec 語法選項(xiàng) 其他程序 log_server_status split-logfile 雜項(xiàng)文檔概述相關(guān)標(biāo)準(zhǔn) HTTP推薦標(biāo)準(zhǔn) HTML推薦標(biāo)準(zhǔn) 認(rèn)證語言/國家代碼 Apache 模塊描述模塊的術(shù)語說明狀態(tài) 源代碼文件模塊標(biāo)識符兼容性描述指令的術(shù)語說明語法默認(rèn)值(Default) 作用域(Context) 覆蓋項(xiàng)(Override) 狀態(tài) 模塊(Module) 兼容性(Compatibility) Apache核心(Core)特性 AcceptFilter AcceptPathInfo AccessFileName AddDefaultCharset AddOutputFilterByType AllowEncodedSlashes AllowOverride AuthName AuthType CGIMapExtension ContentDigest DefaultType <Directory> <DirectoryMatch> DocumentRoot EnableMMAP EnableSendfile ErrorDocument ErrorLog FileETag <Files> <FilesMatch> ForceType HostnameLookups <IfDefine> <IfModule> Include KeepAlive KeepAliveTimeout <Limit> <LimitExcept> LimitInternalRecursion LimitRequestBody LimitRequestFields LimitRequestFieldSize LimitRequestLine LimitXMLRequestBody <Location> <LocationMatch> LogLevel MaxKeepAliveRequests NameVirtualHost Options Require RLimitCPU RLimitMEM RLimitNPROC Satisfy ScriptInterpreterSource ServerAdmin ServerAlias ServerName ServerPath ServerRoot ServerSignature ServerTokens SetHandler SetInputFilter SetOutputFilter TimeOut TraceEnable UseCanonicalName UseCanonicalPhysicalPort <VirtualHost> Apache MPM 公共指令 AcceptMutex CoreDumpDirectory EnableExceptionHook GracefulShutdownTimeout Group Listen ListenBackLog LockFile MaxClients MaxMemFree MaxRequestsPerChild MaxSpareThreads MinSpareThreads PidFile ReceiveBufferSize ScoreBoardFile SendBufferSize ServerLimit StartServers StartThreads ThreadLimit ThreadsPerChild ThreadStackSize User Apache MPM beos MaxRequestsPerThread CoreDumpDirectory Group Listen ListenBacklog MaxClients MaxMemFree MaxSpareThreads MinSpareThreads PidFile ReceiveBufferSize ScoreBoardFile SendBufferSize StartThreads User Apache MPM event AcceptMutex CoreDumpDirectory EnableExceptionHook Group Listen ListenBacklog LockFile MaxClients MaxMemFree MaxRequestsPerChild MaxSpareThreads MinSpareThreads PidFile ScoreBoardFile SendBufferSize ServerLimit StartServers ThreadLimit ThreadsPerChild ThreadStackSize User Apache MPM netware MaxThreads Listen ListenBacklog MaxMemFree MaxRequestsPerChild MaxSpareThreads MinSpareThreads ReceiveBufferSize SendBufferSize StartThreads ThreadStackSize Apache MPM os2 Group Listen ListenBacklog MaxRequestsPerChild MaxSpareThreads MinSpareThreads PidFile ReceiveBufferSize SendBufferSize StartServers User Apache MPM prefork 工作方式 MaxSpareServers MinSpareServers AcceptMutex CoreDumpDirectory EnableExceptionHook Group Listen ListenBacklog LockFile MaxClients MaxMemFree MaxRequestsPerChild PidFile ReceiveBufferSize ScoreBoardFile SendBufferSize ServerLimit StartServers User Apache MPM winnt Win32DisableAcceptEx CoreDumpDirectory Listen ListenBacklog MaxMemFree MaxRequestsPerChild PidFile ReceiveBufferSize ScoreBoardFile SendBufferSize ThreadLimit ThreadsPerChild ThreadStackSize Apache MPM worker 工作方式 AcceptMutex CoreDumpDirectory EnableExceptionHook Group Listen ListenBacklog LockFile MaxClients MaxMemFree MaxRequestsPerChild MaxSpareThreads MinSpareThreads PidFile ReceiveBufferSize ScoreBoardFile SendBufferSize ServerLimit StartServers ThreadLimit ThreadsPerChild ThreadStackSize User Apache Module mod_actions Action指令 Script指令 Apache Module mod_alias 處理順序 Alias AliasMatch Redirect RedirectMatch RedirectPermanent RedirectTemp ScriptAlias ScriptAliasMatch Apache Module mod_asis 用法 Apache Module mod_auth_basic AuthBasicAuthoritative AuthBasicProvider Apache Module mod_auth_digest 使用摘要認(rèn)證配合 MS Internet Explorer 6 工作 AuthDigestAlgorithm AuthDigestDomain AuthDigestNcCheck AuthDigestNonceFormat AuthDigestNonceLifetime AuthDigestProvider AuthDigestQop AuthDigestShmemSize Apache Module mod_authn_alias 示例 <AuthnProviderAlias> Apache Module mod_authn_anon 示例 Anonymous Anonymous_LogEmail Anonymous_MustGiveEmail Anonymous_NoUserID Anonymous_VerifyEmail Apache Module mod_authn_dbd 配置示例 AuthDBDUserPWQuery AuthDBDUserRealmQuery Apache Module mod_authn_dbm AuthDBMType AuthDBMUserFile Apache Module mod_authn_default AuthDefaultAuthoritative Apache Module mod_authn_file AuthUserFile Apache Module mod_authnz_ldap Contents Operation The require Directives 舉例 Using TLS Using SSL Using Microsoft FrontPage with mod_authnz_ldap AuthLDAPBindDN AuthLDAPBindPassword AuthLDAPCharsetConfig AuthLDAPCompareDNOnServer AuthLDAPDereferenceAliases AuthLDAPGroupAttribute AuthLDAPGroupAttributeIsDN AuthLDAPRemoteUserIsDN AuthLDAPUrl AuthzLDAPAuthoritative Apache Module mod_authz_dbm AuthDBMGroupFile AuthzDBMAuthoritative AuthzDBMType Apache Module mod_authz_default AuthzDefaultAuthoritative Apache Module mod_authz_groupfile AuthGroupFile AuthzGroupFileAuthoritative Apache Module mod_authz_host Allow Deny Order Apache Module mod_authz_owner 配置示例 AuthzOwnerAuthoritative Apache Module mod_authz_user AuthzUserAuthoritative Apache Module mod_autoindex Autoindex Request Query Arguments AddAlt AddAltByEncoding AddAltByType AddDescription AddIcon AddIconByEncoding AddIconByType DefaultIcon HeaderName IndexIgnore IndexOptions IndexOrderDefault IndexStyleSheet ReadmeName Apache Module mod_cache Related Modules and Directives 配置示例 CacheDefaultExpire CacheDisable CacheEnable CacheIgnoreCacheControl CacheIgnoreHeaders CacheIgnoreNoLastMod CacheLastModifiedFactor CacheMaxExpire CacheStoreNoStore CacheStorePrivate Apache Module mod_cern_meta MetaDir MetaFiles MetaSuffix Apache Module mod_cgi CGI 環(huán)境變量 CGI 腳本的調(diào)試 ScriptLog ScriptLogBuffer ScriptLogLength Apache Module mod_cgid ScriptSock ScriptLog ScriptLogBuffer ScriptLogLength Apache Module mod_charset_lite Common Problems CharsetDefault CharsetOptions CharsetSourceEnc Apache Module mod_dav Enabling WebDAV Security Issues Complex Configurations Dav DavDepthInfinity DavMinTimeout Apache Module mod_dav_fs DavLockDB Apache Module mod_dav_lock DavGenericLockDB Apache Module mod_dbd Connection Pooling Apache DBD API SQL Prepared Statements DBDExptime DBDKeep DBDMax DBDMin DBDParams DBDPersist DBDPrepareSQL DBDriver Apache Module mod_deflate 配置舉例啟用壓縮代理服務(wù)器 DeflateBufferSize DeflateCompressionLevel DeflateFilterNote DeflateMemLevel DeflateWindowSize Apache Module mod_dir DirectoryIndex DirectorySlash Apache Module mod_disk_cache CacheDirLength CacheDirLevels CacheMaxFileSize CacheMinFileSize CacheRoot Apache Module mod_dumpio 啟用dumpio支持 DumpIOInput DumpIOOutput Apache Module mod_echo ProtocolEcho Apache Module mod_env PassEnv SetEnv UnsetEnv Apache Module mod_example Compiling the example module Using the mod_example Module Example Apache Module mod_expires 交替間隔語法 ExpiresActive ExpiresByType ExpiresDefault Apache Module mod_ext_filter 舉例 ExtFilterDefine ExtFilterOptions Apache Module mod_file_cache Using mod_file_cache CacheFile MMapFile Apache Module mod_filter Smart Filtering Filter Declarations Configuring the Chain Examples Protocol Handling FilterChain FilterDeclare FilterProtocol FilterProvider FilterTrace Apache Module mod_headers 處理順序前處理和后處理舉例 Header RequestHeader Apache Module mod_ident IdentityCheck IdentityCheckTimeout Apache Module mod_imagemap New Features Imagemap File Example Mapfile Referencing your mapfile ImapBase ImapDefault ImapMenu Apache Module mod_include Enabling Server-Side Includes PATH_INFO with Server Side Includes Basic Elements Include Variables Variable Substitution Flow Control Elements SSIEndTag SSIErrorMsg SSIStartTag SSITimeFormat SSIUndefinedEcho XBitHack Apache Module mod_info 安全問題選擇哪些信息可以被顯示已知的局限 AddModuleInfo Apache Module mod_isapi 用法附加注釋程序員注記 ISAPIAppendLogToErrors ISAPIAppendLogToQuery ISAPICacheFile ISAPIFakeAsync ISAPILogNotSupported ISAPIReadAheadBuffer Apache Module mod_ldap 示例配置 LDAP 連接池 LDAP 緩沖使用SSL/TLS SSL/TLS 證書 LDAPCacheEntries LDAPCacheTTL LDAPConnectionTimeout LDAPOpCacheEntries LDAPOpCacheTTL LDAPSharedCacheFile LDAPSharedCacheSize LDAPTrustedClientCert LDAPTrustedGlobalCert LDAPTrustedMode LDAPVerifyServerCert Apache Module mod_log_config 定制日志文件格式安全考慮 BufferedLogs CookieLog CustomLog LogFormat TransferLog Apache Module mod_log_forensic 定制日志文件格式安全考慮 ForensicLog Apache Module mod_logio 定制日志文件格式 Apache Module mod_mem_cache MCacheMaxObjectCount MCacheMaxObjectSize MCacheMaxStreamingBuffer MCacheMinObjectSize MCacheRemovalAlgorithm MCacheSize Apache Module mod_mime 帶多擴(kuò)展名的文件內(nèi)容編碼字符集和語言 AddCharset AddEncoding AddHandler AddInputFilter AddLanguage AddOutputFilter AddType DefaultLanguage ModMimeUsePathInfo MultiviewsMatch RemoveCharset RemoveEncoding RemoveHandler RemoveInputFilter RemoveLanguage RemoveOutputFilter RemoveType TypesConfig Apache Module mod_mime_magic "Magic文件"的格式性能問題注意 MimeMagicFile Apache Module mod_negotiation 類型表 MultiViews CacheNegotiatedDocs ForceLanguagePriority LanguagePriority Apache Module mod_nw_ssl NWSSLTrustedCerts NWSSLUpgradeable SecureListen Apache Module mod_proxy 正向和反向代理簡單示例控制對代理服務(wù)器的訪問緩慢啟動局域網(wǎng)代理協(xié)議調(diào)整請求體 AllowCONNECT NoProxy <Proxy> ProxyBadHeader ProxyBlock ProxyDomain ProxyErrorOverride ProxyIOBufferSize <ProxyMatch> ProxyMaxForwards ProxyPass ProxyPassReverse ProxyPassReverseCookieDomain ProxyPassReverseCookiePath ProxyPreserveHost ProxyReceiveBufferSize ProxyRemote ProxyRemoteMatch ProxyRequests ProxyTimeout ProxyVia Apache Module mod_proxy_ajp Overview of the protocol Basic Packet Structure Request Packet Structure Response Packet Structure Apache Module mod_proxy_balancer Load balancer scheduler algorithm Request Counting Algorithm Weighted Traffic Counting Algorithm Enabling Balancer Manager Support Apache Module mod_proxy_connect Apache Module mod_proxy_ftp 為什么xxx類型的文件不能從FTP下載？如何強(qiáng)制文件xxx使用FTP的ASCII形式下載？我如何使用FTP上傳？我如何能訪問我自己home目錄以外的FTP文件？我如何才能在瀏覽器的URL框中隱藏FTP的明文密碼？ Apache Module mod_proxy_http Apache Module mod_rewrite 特殊字符的引用環(huán)境變量實(shí)用方案 RewriteBase RewriteCond RewriteEngine RewriteLock RewriteLog RewriteLogLevel RewriteMap RewriteOptions RewriteRule Apache Module mod_setenvif BrowserMatch BrowserMatchNoCase SetEnvIf SetEnvIfNoCase Apache Module mod_so 為Windows創(chuàng)建可加載模塊 LoadFile LoadModule Apache Module mod_speling CheckSpelling Apache Module mod_ssl 環(huán)境變量 Custom Log Formats SSLCACertificateFile SSLCACertificatePath SSLCADNRequestFile SSLCADNRequestPath SSLCARevocationFile SSLCARevocationPath SSLCertificateChainFile SSLCertificateFile SSLCertificateKeyFile SSLCipherSuite SSLCryptoDevice SSLEngine SSLHonorCipherOrder SSLMutex SSLOptions SSLPassPhraseDialog SSLProtocol SSLProxyCACertificateFile SSLProxyCACertificatePath SSLProxyCARevocationFile SSLProxyCARevocationPath SSLProxyCipherSuite SSLProxyEngine SSLProxyMachineCertificateFile SSLProxyMachineCertificatePath SSLProxyProtocol SSLProxyVerify SSLProxyVerifyDepth SSLRandomSeed SSLRequire SSLRequireSSL SSLSessionCache SSLSessionCacheTimeout SSLUserName SSLVerifyClient SSLVerifyDepth Apache Module mod_status Enabling Status Support 自動更新 Machine Readable Status File ExtendedStatus Apache Module mod_suexec SuexecUserGroup Apache Module mod_unique_id Theory Apache Module mod_userdir UserDir Apache Module mod_usertrack Logging 2-digit or 4-digit dates for cookies? CookieDomain CookieExpires CookieName CookieStyle CookieTracking Apache Module mod_version <IfVersion> Apache Module mod_vhost_alias 目錄名稱的轉(zhuǎn)換示例 VirtualDocumentRoot VirtualDocumentRootIP VirtualScriptAlias VirtualScriptAliasIP 開發(fā)者文檔 Overview Topics External Resources Apache API notes Basic concepts How handlers work Resource allocation and resource pools Configuration Debugging Memory Allocation in APR Available debugging options Allowable Combinations Activating Debugging Options Documenting Apache 2.0 Apache 2.0 Hook Functions Creating a hook function Hooking the hook Converting Modules from Apache 1.3 to Apache 2.0 The easier changes ... The messier changes... Request Processing in Apache 2.0 The Request Processing Cycle The Request Parsing Phase The Security Phase The Preparation Phase The Handler Phase How Filters Work in Apache 2.0 Filter Types How are filters inserted? Asis Explanations 詞匯和索引詞匯表模塊索引指令索引指令速查譯者聲明

?
? ????? PHP ??? ???? ??? ?? ??

Apache模塊 mod_ldap

說明	為其它LDAP模塊提供LDAP連接池和結(jié)果緩沖服務(wù)
狀態(tài)	擴(kuò)展(E)
模塊名	ldap_module
源文件	util_ldap.c
兼容性	僅在 Apache 2.0.41 及以后的版本中可用

概述

本模塊通過后端連接LDAP服務(wù)來改善網(wǎng)站性能。除了標(biāo)準(zhǔn)LDAP庫提供的功能外，本模塊增加了一個LDAP連接池和一個LDAP共享內(nèi)存緩沖區(qū)。

為了使用本模塊的功能，LDAP支持必須編譯進(jìn)APU。這是通過在編譯Apache時，在configure腳本命令行上增加 --with-ldap 開關(guān)來實(shí)現(xiàn)的。

為了支持SSL/TLS ，需要APR連接以下一個LDAP SDK ：OpenLDAP SDK(2.x或更新), Novell LDAP SDK, Mozilla LDAP SDK, 本地 Solaris LDAP SDK (基于Mozilla), 本地 Microsoft LDAP SDK, iPlanet (Netscape) SDK 。參見APR網(wǎng)站以獲取更多信息。

示例配置

下面的配置是一個使用mod_ldap模塊來提升mod_authnz_ldap提供的HTTP基本認(rèn)證性能的例子。

# 開啟LDAP連接池及共享內(nèi)存緩沖。 # 開啟LDAP緩沖狀態(tài)處理器。需要載入mod_ldap和mod_authnz_ldap模塊。 # 把"yourdomain.example.com"改為你真實(shí)的域名。 LDAPSharedCacheSize 200000 LDAPCacheEntries 1024 LDAPCacheTTL 600 LDAPOpCacheEntries 1024 LDAPOpCacheTTL 600 <Location /ldap-status> SetHandler ldap-status Order deny,allow Deny from all Allow from yourdomain.example.com AuthLDAPEnabled on AuthLDAPURL ldap://127.0.0.1/dc=example,dc=com?uid?one AuthLDAPAuthoritative on require valid-user </Location>

LDAP連接池

LDAP連接是在請求之間共享的。這就允許LDAP服務(wù)器在跳過unbind->connect->rebind這樣一個工作周期的情況下，保留連接以減少為下一次請求準(zhǔn)備連接的時間。這種性能優(yōu)化有點(diǎn)象HTTP服務(wù)的Keep-Alives功能。

在一個比較繁忙的服務(wù)器上，很有可能許多請求同時嘗試與同一個LDAP服務(wù)進(jìn)行連接并得到它的服務(wù)。如果一個LDAP連接正在使用，Apache會在原來連接的基礎(chǔ)上，生成一個新的連接。這將確保連接池不會成為瓶頸。

不需要在Apache配置中手動開啟連接池功能。任何使用本模塊來訪問LDAP服務(wù)的模塊會自動共享連接池。

LDAP緩沖

為了改善性能，mod_ldap模塊使用一種積極的緩沖策略以盡量減少與LDAP服務(wù)器的聯(lián)系。通過緩沖，可以方便地使Apache在提供受mod_authnz_ldap保護(hù)的頁面時，得到二倍或三倍的吞吐量。同時，LDAP服務(wù)器的負(fù)載也會明顯地減小。

mod_ldap支持兩種類型的LDAP緩沖。在search/bind階段，使用一個search/bind緩沖，在compare階段，使用兩個operation緩沖。服務(wù)器引用的每個LDAP URL都有一組它自己的上述三個緩沖。

Search/Bind緩沖

處理一個查詢和綁定操作對LDAP實(shí)施來講，是非常耗時，尤其當(dāng)目錄很大時，這一點(diǎn)更加明顯。Search/bind緩沖用來緩沖所有的最終能成功綁定的查詢。失敗的結(jié)果(比如：不成功的查詢或查詢結(jié)果無法成功綁定)不會被緩沖。這樣做是因?yàn)樾湃侮P(guān)系失敗的連接在所有連接中只占了很小的一個百分比，因此，通過不緩沖這些連接，可以減少緩沖區(qū)的大小。

mod_ldap在緩沖區(qū)里儲存了用戶名、得到的DN 、用來綁定的口令、綁定的時間。當(dāng)一個新的連接用同一個用戶名來初始化的時候，mod_ldap將新的連接的口令與保存在緩沖區(qū)里的口令進(jìn)行比較。如果口令匹配，并且那個緩沖項(xiàng)目尚未失效的話，mod_ldap就跳過search/bind階段。

查詢與綁定緩沖由LDAPCacheEntries和LDAPCacheTTL指令來控制。

Operation緩沖

在區(qū)分與辨別過程中，mod_ldap使用兩個操作緩沖區(qū)來緩沖比較的操作。第一個緩沖區(qū)用來緩沖是否LDAP組成員的測試結(jié)果，第二個用來緩沖不同名字間鑒別的比較結(jié)果。

這兩個緩沖區(qū)都是由LDAPOpCacheEntries和LDAPOpCacheTTL指令來控制的。

緩沖區(qū)的監(jiān)控

mod_ldap包含了一個完整的處理器，通過它可以使管理員監(jiān)控緩沖區(qū)的性能。這個處理器的名字是ldap-status ，因此可以用下列指令來得到mod_ldap緩沖區(qū)的相關(guān)信息：

<Location /server/cache-info> SetHandler ldap-status </Location>

通過URL http://servername/cache-info ，管理員可以得到mod_ldap使用的每個緩沖的狀態(tài)報告。注意，如果Apache不支持共享內(nèi)存，那么每個httpd實(shí)例都有它自己的緩沖區(qū)，因此，每次使用上述URL都可能會得到不同的結(jié)果，這取決于具體哪個httpd實(shí)例處理了這個請求。

使用SSL/TSL

通過LDAPTrustedGlobalCert, LDAPTrustedClientCert, LDAPTrustedMode指令可以定義與LDAP服務(wù)器建立SSL/TSL聯(lián)接。這些指令指定了使用的CA和可選的客戶端證書，以及連接使用的加密類型(none, SSL, TLS/STARTTLS)。

# 在636端口建立一個SSL LDAP聯(lián)接。需要模塊mod_ldap和mod_authnz_ldap的支持。 # 將"yourdomain.example.com"修改為您自己的域名。 LDAPTrustedGlobalCert CA_DER /certs/certfile.der <Location /ldap-status> SetHandler ldap-status Order deny,allow Deny from all Allow from yourdomain.example.com AuthLDAPEnabled on AuthLDAPURL ldaps://127.0.0.1/dc=example,dc=com?uid?one AuthLDAPAuthoritative on require valid-user </Location>

# 在389端口建立一個TLS LDAP聯(lián)接。需要模塊mod_ldap和mod_authnz_ldap的支持。 # 將"yourdomain.example.com"修改為您自己的域名。 LDAPTrustedGlobalCert CA_DER /certs/certfile.der <Location /ldap-status> SetHandler ldap-status Order deny,allow Deny from all Allow from yourdomain.example.com AuthLDAPEnabled on LDAPTrustedMode TLS AuthLDAPURL ldap://127.0.0.1/dc=example,dc=com?uid?one AuthLDAPAuthoritative on require valid-user </Location>

SSL/TLS Certificates

The different LDAP SDKs have widely different methods of setting and handling both CA and client side certificates.

If you intend to use SSL or TLS, read this section CAREFULLY so as to understand the differences between configurations on the different LDAP toolkits supported.

Netscape/Mozilla/iPlanet SDK

CA certificates are specified within a file called cert7.db. The SDK will not talk to any LDAP server whose certificate was not signed by a CA specified in this file. If client certificates are required, an optional key3.db file may be specified with an optional password. The secmod file can be specified if required. These files are in the same format as used by the Netscape Communicator or Mozilla web browsers. The easiest way to obtain these files is to grab them from your browser installation.

Client certificates are specified per connection using the LDAPTrustedClientCert directive by referring to the certificate "nickname". An optional password may be specified to unlock the certificate's private key.

The SDK supports SSL only. An attempt to use STARTTLS will cause an error when an attempt is made to contact the LDAP server at runtime.

# Specify a Netscape CA certificate file LDAPTrustedGlobalCert CA_CERT7_DB /certs/cert7.db # Specify an optional key3.db file for client certificate support LDAPTrustedGlobalCert CERT_KEY3_DB /certs/key3.db # Specify the secmod file if required LDAPTrustedGlobalCert CA_SECMOD /certs/secmod <Location /ldap-status> SetHandler ldap-status Order deny,allow Deny from all Allow from yourdomain.example.com AuthLDAPEnabled on LDAPTrustedClientCert CERT_NICKNAME <nickname> [password] AuthLDAPURL ldaps://127.0.0.1/dc=example,dc=com?uid?one AuthLDAPAuthoritative on require valid-user </Location>

Novell SDK

One or more CA certificates must be specified for the Novell SDK to work correctly. These certificates can be specified as binary DER or Base64 (PEM) encoded files.

Note: Client certificates are specified globally rather than per connection, and so must be specified with the LDAPTrustedGlobalCert directive as below. Trying to set client certificates via the LDAPTrustedClientCert directive will cause an error to be logged when an attempt is made to connect to the LDAP server..

The SDK supports both SSL and STARTTLS, set using the LDAPTrustedMode parameter. If an ldaps:// URL is specified, SSL mode is forced, override this directive.

# Specify two CA certificate files LDAPTrustedGlobalCert CA_DER /certs/cacert1.der LDAPTrustedGlobalCert CA_BASE64 /certs/cacert2.pem # Specify a client certificate file and key LDAPTrustedGlobalCert CERT_BASE64 /certs/cert1.pem LDAPTrustedGlobalCert KEY_BASE64 /certs/key1.pem [password] # Do not use this directive, as it will throw an error #LDAPTrustedClientCert CERT_BASE64 /certs/cert1.pem

OpenLDAP SDK

One or more CA certificates must be specified for the OpenLDAP SDK to work correctly. These certificates can be specified as binary DER or Base64 (PEM) encoded files.

Client certificates are specified per connection using the LDAPTrustedClientCert directive.

The documentation for the SDK claims to support both SSL and STARTTLS, however STARTTLS does not seem to work on all versions of the SDK. The SSL/TLS mode can be set using the LDAPTrustedMode parameter. If an ldaps:// URL is specified, SSL mode is forced. The OpenLDAP documentation notes that SSL (ldaps://) support has been deprecated to be replaced with TLS, although the SSL functionality still works.

# Specify two CA certificate files LDAPTrustedGlobalCert CA_DER /certs/cacert1.der LDAPTrustedGlobalCert CA_BASE64 /certs/cacert2.pem <Location /ldap-status> SetHandler ldap-status Order deny,allow Deny from all Allow from yourdomain.example.com AuthLDAPEnabled on LDAPTrustedClientCert CERT_BASE64 /certs/cert1.pem LDAPTrustedClientCert KEY_BASE64 /certs/key1.pem AuthLDAPURL ldaps://127.0.0.1/dc=example,dc=com?uid?one AuthLDAPAuthoritative on require valid-user </Location>

Solaris SDK

SSL/TLS for the native Solaris LDAP libraries is not yet supported. If required, install and use the OpenLDAP libraries instead.

Microsoft SDK

SSL/TLS certificate configuration for the native Microsoft LDAP libraries is done inside the system registry, and no configuration directives are required.

Both SSL and TLS are supported by using the ldaps:// URL format, or by using the LDAPTrustedMode directive accordingly.

Note: The status of support for client certificates is not yet known for this toolkit.

LDAPCacheEntries 指令

說明	主LDAP緩沖的最大條目數(shù)
語法	`LDAPCacheEntries number`
默認(rèn)值	`LDAPCacheEntries 1024`
作用域	server config
狀態(tài)	擴(kuò)展(E)
模塊	mod_ldap

指定主LDAP緩沖的最大條目數(shù)。這個緩沖區(qū)包含了成功的search/bind對。把它設(shè)為0可以關(guān)閉search/bind緩沖。默認(rèn)值是1024 。

LDAPCacheTTL 指令

說明	search/bind緩沖項(xiàng)目有效時限
語法	`LDAPCacheTTL seconds`
默認(rèn)值	`LDAPCacheTTL 600`
作用域	server config
狀態(tài)	擴(kuò)展(E)
模塊	mod_ldap

指定search/bind緩沖項(xiàng)目有效的時間，以秒為單位。默認(rèn)為600秒(10分鐘)。

LDAPConnectionTimeout 指令

說明	指定套接字連接超時秒數(shù)
語法	`LDAPConnectionTimeout seconds`
作用域	server config
狀態(tài)	擴(kuò)展(E)
模塊	mod_ldap

Specifies the timeout value (in seconds) in which the module will attempt to connect to the LDAP server. If a connection is not successful with the timeout period, either an error will be returned or the module will attempt to connect to a secondary LDAP server if one is specified. The default is 10 seconds.

LDAPOpCacheEntries 指令

說明	LDAP compare緩沖區(qū)的大小
語法	`LDAPOpCacheEntries number`
默認(rèn)值	`LDAPOpCacheEntries 1024`
作用域	server config
狀態(tài)	擴(kuò)展(E)
模塊	mod_ldap

指定mod_ldap使用的LDAP compare緩沖區(qū)大小。默認(rèn)值是1024條。把它設(shè)為0可以關(guān)閉操作緩沖。

LDAPOpCacheTTL 指令

說明	操作緩沖有效時限
語法	`LDAPOpCacheTTL seconds`
默認(rèn)值	`LDAPOpCacheTTL 600`
作用域	server config
狀態(tài)	擴(kuò)展(E)
模塊	mod_ldap

指定操作緩沖項(xiàng)目的有效時長，以秒為單位。默認(rèn)為600秒。

LDAPSharedCacheFile 指令

說明	設(shè)置共享內(nèi)存緩沖區(qū)文件
語法	`LDAPSharedCacheFile directory-path/filename`
作用域	server config
狀態(tài)	擴(kuò)展(E)
模塊	mod_ldap

設(shè)置共享內(nèi)存緩沖區(qū)文件。若未設(shè)置，將使用匿名共享內(nèi)存(若平臺支持)。

LDAPSharedCacheSize 指令

說明	共享內(nèi)存緩沖區(qū)的字節(jié)大小
語法	`LDAPSharedCacheSize bytes`
默認(rèn)值	`LDAPSharedCacheSize 102400`
作用域	server config
狀態(tài)	擴(kuò)展(E)
模塊	mod_ldap

指定共享內(nèi)存緩沖區(qū)的大小，以Byte為單位。默認(rèn)為100KB。

LDAPTrustedClientCert 指令

說明	Sets the file containing or nickname referring to a per connection client certificate. Not all LDAP toolkits support per connection client certificates.
語法	`LDAPTrustedClientCert type directory-path/filename/nickname [password]`
作用域	server config, virtual host, directory, .htaccess
狀態(tài)	擴(kuò)展(E)
模塊	mod_ldap

It specifies the directory path, file name or nickname of a per connection client certificate used when establishing an SSL or TLS connection to an LDAP server. Different locations or directories may have their own independant client certificate settings. Some LDAP toolkits (notably Novell) do not support per connection client certificates, and will throw an error on LDAP server connection if you try to use this directive (Use the LDAPTrustedGlobalCert directive instead for Novell client certificates - See the SSL/TLS certificate guide above for details). The type specifies the kind of certificate parameter being set, depending on the LDAP toolkit being used. Supported types are:

CERT_DER - binary DER encoded client certificate
CERT_BASE64 - PEM encoded client certificate
CERT_NICKNAME - Client certificate "nickname" (Netscape SDK)
KEY_DER - binary DER encoded private key
KEY_BASE64 - PEM encoded private key

LDAPTrustedGlobalCert 指令

說明	Sets the file or database containing global trusted Certificate Authority or global client certificates
語法	`LDAPTrustedGlobalCert type directory-path/filename [password]`
作用域	server config
狀態(tài)	擴(kuò)展(E)
模塊	mod_ldap

It specifies the directory path and file name of the trusted CA certificates and/or system wide client certificates mod_ldap should use when establishing an SSL or TLS connection to an LDAP server. Note that all certificate information specified using this directive is applied globally to the entire server installation. Some LDAP toolkits (notably Novell) require all client certificates to be set globally using this directive. Most other toolkits require clients certificates to be set per Directory or per Location using LDAPTrustedClientCert. If you get this wrong, an error may be logged when an attempt is made to contact the LDAP server, or the connection may silently fail (See the SSL/TLS certificate guide above for details). The type specifies the kind of certificate parameter being set, depending on the LDAP toolkit being used. Supported types are:

CA_DER - binary DER encoded CA certificate
CA_BASE64 - PEM encoded CA certificate
CA_CERT7_DB - Netscape cert7.db CA certificate database file
CA_SECMOD - Netscape secmod database file
CERT_DER - binary DER encoded client certificate
CERT_BASE64 - PEM encoded client certificate
CERT_KEY3_DB - Netscape key3.db client certificate database file
CERT_NICKNAME - Client certificate "nickname" (Netscape SDK)
CERT_PFX - PKCS#12 encoded client certificate (Novell SDK)
KEY_DER - binary DER encoded private key
KEY_BASE64 - PEM encoded private key
KEY_PFX - PKCS#12 encoded private key (Novell SDK)

LDAPTrustedMode 指令

說明	Specifies the SSL/TLS mode to be used when connecting to an LDAP server.
語法	`LDAPTrustedMode type`
作用域	server config, virtual host, directory, .htaccess
狀態(tài)	擴(kuò)展(E)
模塊	mod_ldap

The following modes are supported:

NONE - no encryption
SSL - ldaps:// encryption on default port 636
TLS - STARTTLS encryption on default port 389

Not all LDAP toolkits support all the above modes. An error message will be logged at runtime if a mode is not supported, and the connection to the LDAP server will fail.

If an ldaps:// URL is specified, the mode becomes SSL and the setting of LDAPTrustedMode is ignored.

LDAPVerifyServerCert 指令

說明	Force server certificate verification
語法	`LDAPVerifyServerCert On\|Off`
默認(rèn)值	`LDAPVerifyServerCert On`
作用域	server config
狀態(tài)	擴(kuò)展(E)
模塊	mod_ldap

Specifies whether to force the verification of a server certificate when establishing an SSL connection to the LDAP server.

?? ??： ?? ??：