[rs-commit] r103 - in /rs-manual/trunk/src/site: resources/images/mod_ca_ldap-ca_ldap_certstore.png resources/images/mod_ca_ldap-ca_ldap_reqauthz.png xhtml5/mod/mod_ca_ldap.xhtml5
rs-commit at redwax.eu
Mon Oct 21 00:12:33 CEST 2019
Author: minfrin at redwax.eu
Date: Mon Oct 21 00:12:33 2019
New Revision: 103
Log:
Add hook implementation docs for mod_ca_ldap.
Added:
rs-manual/trunk/src/site/resources/images/mod_ca_ldap-ca_ldap_certstore.png (with props)
rs-manual/trunk/src/site/resources/images/mod_ca_ldap-ca_ldap_reqauthz.png (with props)
Modified:
rs-manual/trunk/src/site/xhtml5/mod/mod_ca_ldap.xhtml5
Added: rs-manual/trunk/src/site/resources/images/mod_ca_ldap-ca_ldap_certstore.png
==============================================================================
Binary file - no diff available.
Propchange: rs-manual/trunk/src/site/resources/images/mod_ca_ldap-ca_ldap_certstore.png
------------------------------------------------------------------------------
svn:mime-type = application/octet-stream
Added: rs-manual/trunk/src/site/resources/images/mod_ca_ldap-ca_ldap_reqauthz.png
==============================================================================
Binary file - no diff available.
Propchange: rs-manual/trunk/src/site/resources/images/mod_ca_ldap-ca_ldap_reqauthz.png
------------------------------------------------------------------------------
svn:mime-type = application/octet-stream
Modified: rs-manual/trunk/src/site/xhtml5/mod/mod_ca_ldap.xhtml5
==============================================================================
--- rs-manual/trunk/src/site/xhtml5/mod/mod_ca_ldap.xhtml5 (original)
+++ rs-manual/trunk/src/site/xhtml5/mod/mod_ca_ldap.xhtml5 Mon Oct 21 00:12:33 2019
@@ -87,7 +87,7 @@
included with the certificate sign request, such as the
challenge password. If left unconfigured, all certificate
requests will be accepted.</p>
- <p>The <a href="#CALdapUrl">CALdapUrl</a>
+ <p>The <a href="#directive-CALdapUrl">CALdapUrl</a>
directive enables the <a href="mod_ca.html#ca_reqauthz">Request Authorization Hook</a>
in <a href="mod_ca_ldap.html">mod_ca_ldap</a>.</p>
<table>
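Review bot: the link target changes from `#CALdapUrl` to `#directive-CALdapUrl`, but no element carrying `id="directive-CALdapUrl"` appears in this diff, only the enclosing `id="directive-reference"` section further down; please confirm the per-directive entries in the Directive Reference section of this file use the `directive-` prefix, otherwise the new anchor dangles just as the old one presumably did.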
@@ -133,8 +133,8 @@
<p>This optional hook allows the newly generated certificate to
be stored locally or in a database or directory. If left
unconfigured, no local copy of the certificate will be stored.</p>
- <p>Both the <a href="#CALdapUrl">CALdapUrl</a>
- directive and the <a href="#CALdapCertAttribute">CALdapCertAttribute</a>
+ <p>Both the <a href="#directive-CALdapUrl">CALdapUrl</a>
+ directive and the <a href="#directive-CALdapCertAttribute">CALdapCertAttribute</a>
directive enables the <a href="mod_ca.html#ca_certstore">Certificate Storage Hook</a>
in <a href="mod_ca_ldap.html">mod_ca_ldap</a>.</p>
<table>
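Review bot: since the sentence on these lines is being touched anyway, the unchanged context line "directive enables the Certificate Storage Hook" should read "directives enable" (two subjects: CALdapUrl and CALdapCertAttribute). The same caveat as in the previous hunk applies: both new anchors, `#directive-CALdapUrl` and `#directive-CALdapCertAttribute`, need matching `id` attributes in the Directive Reference section for the links to resolve.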
@@ -277,6 +277,103 @@
<section class="wrapper style1 align-center"
+ id="hook-reference">
+ <div class="inner">
+ <h2>Hook Implementation Reference</h2>
+ <p>
+ The following backend hook implementations are provided by this module.
+ </p>
+ <div class="index align-left">
+
+ <section id="hook-ca_ldap_reqauthz">
+ <header>
+ <h3><a href="mod_ca.html#ca_reqauthz">LDAP Request Authorization</a></h3>
+ </header>
+ <div class="content">
+ <p>
+ <img class="image right" src="../images/mod_ca_ldap-ca_ldap_reqauthz.png" />
+ Verifies authorization against an LDAP directory.
+ </p>
+
+ <p>
+ This optional hook implementaation allows you to verify the parameters
+ included with the certificate sign request, such as the
+ <code>challengePassword</code>. If left unconfigured, all certificate
+ requests will be accepted.
+ </p>
+
+ <p>The <a href="#directive-CALdapUrl">CALdapUrl</a> and
+ <a href="#directive-CALdapSubject">CALdapSubject</a> or
+ <a href="#directive-CALdapSubjectAltName">CALdapSubjectAltName</a>
+ directives enable verification.
+ </p>
+
+ <p>Once the subject or subject alternate request has been used to map
+ the certificate to an entry in the directory, and if a
+ <code>challengePassword</code> has been included with the certificate,
+ this hook implementation will try to bind to the directory as that
+ mapped object, and if this succeeds the request is authorized.
+ </p>
+
+ </div>
+ </section>
+
+ <section id="hook-ca_ldap_certstore">
+ <header>
+ <h3><a href="mod_ca.html#ca_certstore">LDAP Certificate Storage</a></h3>
+ </header>
+ <div class="content">
+
+ <p>
+ <img class="image right" src="../images/mod_ca_ldap-ca_ldap_certstore.png" />
+ Stores a generated certificate in an LDAP directory.
+ </p>
+
+ <p>
+ This optional hook implementation extends and depends on the
+ <a href="#hook-ca_ldap_reqauthz">LDAP Request Authorization</a> hook
+ implementation above.
+ </p>
+
+ <p>
+ If an LDAP object was found and verified above, the certificate will
+ be stored in the directory in that object in an attribute specified by the
+ <a href="#directive-CALdapCertAttribute">CALdapCertAttribute</a> directive. If
+ an objectclass needs to be added, this is done with the
+ <a href="#directive-CALdapCertObjectClass">CALdapCertObjectClass</a> directive.
+ </p>
+
+ <p>
+ If it is required that the <code>challengePassword</code> be used just
+ once, the <code>challengePassword</code> can be removed by specifying the
+ <a href="#directive-CALdapPasswordAttribute">CALdapPasswordAttribute</a> directive.
+ Similarly, if an objectclass needs to be removed, the objectclass can be
+ specified using the
+ <a href="#directive-CALdapPasswordObjectClass">CALdapPasswordObjectClass</a> directive.
+ </p>
+
+ <p>
+ It is also possible to store the CertificateExactAssertion as described by
+ RFC 4523 in the same object in an attribute specified by the
+ <a href="#directive-CALdapPathAttribute">CALdapPathAttribute</a> directive. If
+ an objectclass needs to be added, this is done with the
+ <a href="#directive-CALdapPathObjectClass">CALdapPathObjectClass</a> directive.
+ </p>
+
+ <p>
+ All of the above modifications to the directory are performed within the
+ same LDAP modification, and are performed as a single transaction.
+ </p>
+
+ </div>
+ </section>
+
+ </div>
+ </div>
+ </section>
+
+
+ <section class="wrapper style1 align-center"
id="directive-reference">
<div class="inner">
<h2>Directive Reference</h2>
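Review bot: the LDAP Request Authorization paragraph starting "Once the subject or subject alternate request has been used" should state plainly that the `challengePassword` from the CSR is used as the bind password for the mapped LDAP entry; that is the security-relevant fact an operator needs, and it is what makes the single-use removal via `CALdapPasswordAttribute` in the next section a replay mitigation rather than mere housekeeping, so the two sections should cross-reference it. Smaller points in the same hunk: "implementaation" should be "implementation"; "subject alternate request" reads oddly next to the `CALdapSubjectAltName` directive and is presumably "subject alternative name"; both `<img class="image right" ... />` elements lack an `alt` attribute, which the other xhtml5 pages in this manual should already require. Finally, "performed within the same LDAP modification, and are performed as a single transaction" overstates LDAP: what is true is that the attribute additions and removals are sent as one Modify operation on one entry, which the server applies atomically (all changes or none, RFC 4511 section 4.6); "transaction" suggests cross-entry guarantees the protocol does not give, so I would reword to "as a single LDAP modify operation, which the server applies atomically to that entry".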