diff --git a/lam/docs/manual-sources/howto.xml b/lam/docs/manual-sources/howto.xml
index e7bbcd9c..5313f88e 100644
--- a/lam/docs/manual-sources/howto.xml
+++ b/lam/docs/manual-sources/howto.xml
@@ -1064,9 +1064,12 @@ Have fun!
Additionally, you can enable HTTP authentication when using
"LDAP search". This way the web server is responsible to
authenticate your users. LAM will use the given user name + password
- for the LDAP login. To setup HTTP authentication in Apache please
- see this link.
+ for the LDAP login. You can also configure this to setup advanced
+ login restrictions (e.g. require group memberships for login). To
+ setup HTTP authentication in Apache please see this link
+ and an example for LDAP authentication here.
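Review bot: "setup" is used as a verb twice in the new text ("to setup advanced login restrictions", "To setup HTTP authentication"); the verb form is "set up" (the noun is "setup"). The two link anchors "this link" and "here" are also non-descriptive; naming the targets in the sentence (the Apache HTTP authentication documentation and the LDAP authentication example in this manual) reads better in print and for screen readers. Minor, in the unchanged context: "responsible to authenticate your users" should be "responsible for authenticating your users".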
@@ -4617,75 +4620,126 @@ Run slapindex to rebuild the index.
Apache configuration
- LAM includes several .htaccess files to protect your configuration
- files and temporary data. Apache is often configured to not use
- .htaccess files by default. Therefore, please check your Apache
- configuration and change the override setting to:
+
+ Sensitive directories
- AllowOverride All
+ LAM includes several .htaccess files to protect your
+ configuration files and temporary data. Apache is often configured to
+ not use .htaccess files by default. Therefore, please check your
+ Apache configuration and change the override setting to:
- If you are experienced in configuring Apache then you can also
- copy the security settings from the .htaccess files to your main Apache
- configuration.
+ AllowOverride All
- If possible, you should not rely on .htaccess files but also move
- the config and sess directory to a place outside of your WWW root. You
- can put a symbolic link in the LAM directory so that LAM finds the
- configuration/session files.
+ If you are experienced in configuring Apache then you can also
+ copy the security settings from the .htaccess files to your main
+ Apache configuration.
- Security sensitive directories:
+ If possible, you should not rely on .htaccess files but also
+ move the config and sess directory to a place outside of your WWW
+ root. You can put a symbolic link in the LAM directory so that LAM
+ finds the configuration/session files.
- config: Contains your LAM
- configuration and account profiles
+ Security sensitive directories:
-
-
- LAM configuration passwords (SSHA hashed)
-
+ config: Contains your LAM
+ configuration and account profiles
-
- default values for new accounts
-
+
+
+ LAM configuration passwords (SSHA hashed)
+
-
- directory must be accessibly by Apache but needs not to be
- accessible by the browser
-
-
+
+ default values for new accounts
+
- sess: PHP session files
+
+ directory must be accessibly by Apache but needs not to be
+ accessible by the browser
+
+
-
-
- LAM admin password in clear text or MCrypt encrypted
-
+ sess: PHP session files
-
- cached LDAP entries in clear text or MCrypt encrypted
-
+
+
+ LAM admin password in clear text or MCrypt encrypted
+
-
- directory must be accessibly by Apache but needs not to be
- accessible by the browser
-
-
+
+ cached LDAP entries in clear text or MCrypt encrypted
+
- tmp: temporary files
+
+ directory must be accessibly by Apache but needs not to be
+ accessible by the browser
+
+
-
-
- PDF documents which may also include passwords
-
+ tmp: temporary files
-
- images of your users
-
+
+
+ PDF documents which may also include passwords
+
-
- directory contents must be accessible by browser but directory
- itself needs not to be browseable
-
-
+
+ images of your users
+
+
+
+ directory contents must be accessible by browser but
+ directory itself needs not to be browseable
+
+
+
+
+
+ Use LDAP HTTP authentication for LAM
+
+ With HTTP authentication Apache will be responsible to ask for
+ the user name and password. Both will then be forwarded to LAM which
+ will use it to access LDAP. This approach gives you more flexibility
+ to restrict the number of users that may access LAM (e.g. by requiring
+ group memberships).
+
+ First of all you need to load additional Apache modules. These
+ are "mod_ldap"
+ and "mod_authnz_ldap".
+
+ Next you can add a file called "lam_auth_ldap" to
+ /etc/apache/conf.d. This simple example restricts access to all URLs
+ beginning with "lam" to LDAP authentication.
+
+ <location /lam>
+ AuthType Basic
+ AuthBasicProvider ldap
+ AuthName "LAM"
+ AuthLDAPURL "ldap://localhost:389/ou=People,dc=company,dc=com?uid"
+ Require valid-user
+</location>
+
+ You can also require that your users belong to a certain Unix
+ group in LDAP:
+
+ <location /lam>
+ AuthType Basic
+ AuthBasicProvider ldap
+ AuthName "LAM"
+ AuthLDAPURL "ldap://localhost:389/ou=People,dc=company,dc=com?uid"
+ Require valid-user
+ # force membership of lam-admins
+ AuthLDAPGroupAttribute memberUid
+ AuthLDAPGroupAttributeIsDN off
+ Require ldap-group cn=lam-admins,ou=group,dc=company,dc=com
+</location>
+
+ Please see the Apache
+ documentation for more details.
+
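Review bot: The group-restriction example does not enforce the group it claims to. It keeps `Require valid-user` next to `Require ldap-group cn=lam-admins,ou=group,dc=company,dc=com`, and Apache treats several Require directives in one section as alternatives (2.2 ORs them; 2.4 wraps them in an implicit RequireAny), so any user who can bind to the directory is admitted and the comment `# force membership of lam-admins` is misleading. Drop the `Require valid-user` line from the second example (or, on 2.4, wrap both lines in a RequireAll block). Two smaller points in the same block: both examples use `AuthType Basic` with a plain `ldap://localhost:389` URL, so the user's password is sent with every request from the browser and again in clear to the directory unless the LAM vhost is HTTPS-only and the AuthLDAPURL uses ldaps or TLS; the text should say that these examples assume that. And the directive is conventionally written `<Location /lam>` (Apache accepts the lower-case spelling, but the documentation uses the capitalised form). In the moved prose, the typo "accessibly by Apache" survived the restructuring in both the sess and tmp items and should read "accessible by Apache"; "Security sensitive directories" wants a hyphen ("Security-sensitive").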
diff --git a/lam/docs/manual-sources/style.css b/lam/docs/manual-sources/style.css
index 40de6b3f..f8ff4b51 100755
--- a/lam/docs/manual-sources/style.css
+++ b/lam/docs/manual-sources/style.css
@@ -99,6 +99,7 @@ div.noborder table {
}
pre.programlisting {
+ padding: 10px;
border-style:solid;
border-color:#696a65;
border-width:1px;
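Review bot: Style nit: the new `padding: 10px;` puts a space after the colon while the neighbouring declarations in this rule (`border-style:solid;`, `border-color:#696a65;`, `border-width:1px;`) do not; match the file's existing spacing.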