From acb13cffafc7f70036188337e450b8655c66b23d Mon Sep 17 00:00:00 2001 From: Victor Hahn Date: Tue, 29 Sep 2015 12:52:42 +0200 Subject: [PATCH] Amend documentation --- LICENSE | 1 + README.md | 51 ++++++++++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 51 insertions(+), 1 deletion(-) diff --git a/LICENSE b/LICENSE index 46319ca..6cbc170 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,7 @@ /** * Copyright (C) 2011-2013 Valery Komarov * Copyright (C) 2013 Jiri Hruska + * Copyright (C) 2015 Victor Hahn Castell * All rights reserved. * * Redistribution and use in source and binary forms, with or without diff --git a/README.md b/README.md index cfc1996..2bd7638 100644 --- a/README.md +++ b/README.md @@ -13,7 +13,7 @@ Check HTTP_AUTH_LDAP options ``` -[*] HTTP_AUTH_LDAP 3rd party http_auth_ldap module +[*] HTTP_AUTH_LDAP 3rd party http_auth_ldap module ``` ## Linux 
@@ -71,3 +71,52 @@ And add required servers in correct order into your location/server directive: } ``` + +# Available config parameters + +## url +expected value: string + +Available URL schemes: ldap://, ldaps:// + +## binddn +expected value: string + +## binddn_passwd +expected value: string + +## group_attribute +expected value: string + +## group_attribute_is_dn +expected value: on or off, default off + +## require +expected value: valid_user, user, group + +## satisfy +expected value: all, any + +## connections +expected value: a number greater than 0 + +## ssl_check_cert +expected value: on or off, default off + +Verify the remote certificate for LDAPs connections. If disabled, any remote ceritificate will be +accepted which exposes you to possible man-in-the-middle attacks. Note that the server's +certificate will need to be signed by a proper CA trusted by your system if this is enabled. +See below how to trust CAs without installing them system-wide. + +## ssl_ca_file +expected value: file path + +Trust the CA certificate in this file (see ssl_check_cert above). + +## ssl_ca_dir +expected value: directory path + +Trust all CA certificates in this directory (see ssl_check_cert above). + +Note that you need to provide hash-based symlinks in the directory for this to work; +you'll basically need to run OpenSSL's c_rehash command in this directory.
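Review bot: The LICENSE hunk adds a copyright holder line under a subject that only says "Amend documentation", and the commit has no body. Either mention the LICENSE change in the message or split it into its own commit, so the attribution change is easy to find in history. The added name, "Victor Hahn Castell", also differs from the "Victor Hahn" in the From header; pick one form so the two can be matched.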
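Review bot: In the README.md hunk at @@ -13,7 +13,7 @@, the `[*] HTTP_AUTH_LDAP 3rd party http_auth_ldap module` line is removed and re-added with the same visible text, so this appears to be a whitespace-only change. If it is intentional (for example tabs to spaces inside the fenced block), say so in the commit message; otherwise drop it from this patch.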
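Review bot: In the `ssl_check_cert` section of the README.md hunk at @@ -71,3 +71,52 @@, "ceritificate" should be "certificate", and because the documented default is `off`, the text should state directly that an `ldaps://` connection does not authenticate the server unless this is set to `on`. It should also recommend enabling it together with `ssl_ca_file` or `ssl_ca_dir`. The bind made with `binddn_passwd` travels over that same connection, which is worth saying next to the man-in-the-middle warning. The sections from `url` through `connections` list only an expected value: `require` (valid_user, user, group), `satisfy` (all, any) and `group_attribute_is_dn` need a sentence each on what the values do, and `require`, `satisfy` and `connections` give no default. "LDAPs" should match the `ldaps://` spelling used under `url`, and the `ssl_ca_file` and `ssl_ca_dir` sections should say what happens when both are set.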