This module is contained in the mod_access_identd.c file, and
is not compiled in by default. It provides mandatory access control based on
client username and host.
The username is obtained using the protocol defined in RFC1413, so the following conditions must be met in order for this module to function correctly:
  1. The IdentityCheck directive must be active within the appropriate scope.
  2. The client system must be running identd or another RFC1413 server daemon.
If the Apache core IdentityCheck directive isn't set to On, RFC1413 credentials will
not be available and this module will return a 'Forbidden'
status. The document may still be served if discretionary
controls are in place; see the Satisfy directive.
If the second condition isn't met, the Apache server may block for a significant time trying to obtain the credentials from a nonresponsive client.
The IdentityCheck directive is currently part of the core
Apache server, but it may well move into this module in a future
version.
IdentCheck directive
Syntax: IdentCheck On|Off
Default: IdentCheck Off
Context: server config, virtual host, directory, .htaccess
Override: Auth
Status: Third-party
Module: mod_access_identd
The IdentCheck directive controls whether or not
RFC1413 credentials will be checked for access control within the
directive's scope. If set to Off, this module will
not perform any access checking.
IdentOrder directive
Syntax: IdentOrder order-clause
Default: IdentOrder deny,allow
Context: server config, virtual host, directory, .htaccess
Override: Auth
Status: Third-party
Module: mod_access_identd
The IdentOrder directive defines how the module should
interpret its list of allow and deny access
control lists. The possible values of order-clause
and their meanings are:
allow,deny
    Access is determined by first granting it to the identities listed in
    Ident allow directives, and then revoking it from any listed in
    Ident deny directives.
deny,allow
    Identities listed in Ident deny
    directives are denied access, but the list of denied identities
    is modified by any Ident allow directives.
No spaces are permitted in the order-clause.
Examples:
    IdentCheck On
    IdentOrder allow,deny
    Ident allow *@localhost *@197.243.*
    Ident deny johndoe@localhost guest@*

In this example, the first Ident
line allows anyone on the local host to get in, or anyone whose
host name or IP address matches the second pattern, but the second
line revokes that permission from johndoe on the
local host and guest on any host.

    IdentCheck On
    IdentOrder deny,allow
    Ident allow *@localhost *@197.243.*
    Ident deny johndoe@localhost guest@*

In this example, the second Ident line, the 'deny' rule, is processed
first, and disallows access to user johndoe on the
local host and user guest on any host whatsoever.
Next the 'allow' directive is processed, and it grants access
to any user on the local host and anyone with a host name or address
matching the second pattern. This cancels the effect of the
johndoe@localhost pattern, so johndoe
is given his access back again, and it also allows user
guest on the local host to have access as well.
User guest on any other host (except those matching
the '197.243.*' pattern) is still forbidden
to access documents in this scope.
Ident directive
Syntax: Ident permission user@host ...
Context: server config, virtual host, directory, .htaccess
Override: Auth
Status: Third-party
Module: mod_access_identd
The Ident directive is used to add user/host identities
to the list of those granted or denied access to documents in the current
scope. The value of permission may be one of the following:
  allow
  deny
See the IdentOrder directive
description for details of how the allow and deny lists are processed.
The user@host patterns identify which clients are affected.
Shell-style wildcards ('*', '?', and '['/']' enclosures) are permitted
in the user portion,
the host portion, or both. Two special shorthand
formats are equivalent to '*@*', matching all users
on all hosts: you may use either a single '*' or
the keyword 'all' to represent a pattern applying to
all clients everywhere.
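
The following Python sketch is an added example, not code from mod_access_identd: it models the two IdentOrder evaluations and the user@host wildcard matching as described above, and runs the two configurations from the Examples against constructed clients. The function names, the client list, and the treatment of an identity that matches neither list are assumptions.

```python
from fnmatch import fnmatchcase

def parse_pattern(pattern):
    """Split a user@host pattern; '*' and 'all' are shorthand for '*@*'."""
    if pattern in ("*", "all"):
        return "*", "*"
    user, sep, host = pattern.partition("@")
    if not sep:
        raise ValueError(f"not a user@host pattern: {pattern!r}")
    return user, host

def matches(patterns, user, hosts):
    """True if the user and any of the client's host forms (name, IP) fit a pattern."""
    for upat, hpat in map(parse_pattern, patterns):
        if fnmatchcase(user, upat) and any(fnmatchcase(h, hpat) for h in hosts):
            return True
    return False

def ident_allowed(order, allow, deny, user, hosts):
    """Model of IdentOrder as the text describes it (not the module's own code)."""
    in_allow = matches(allow, user, hosts)
    in_deny = matches(deny, user, hosts)
    if order == "allow,deny":
        # Granted by an allow pattern, then revoked by any deny pattern.
        return in_allow and not in_deny
    if order == "deny,allow":
        # Denied by a deny pattern unless an allow pattern takes it off the list.
        # Assumption: an identity that matches neither list is not denied.
        return not in_deny or in_allow
    raise ValueError("order-clause must be 'allow,deny' or 'deny,allow'")

# Patterns taken from the Examples above.
ALLOW = ["*@localhost", "*@197.243.*"]
DENY = ["johndoe@localhost", "guest@*"]

# Constructed clients: (user reported via RFC1413, (host name, IP address)).
CLIENTS = [
    ("johndoe", ("localhost", "127.0.0.1")),
    ("guest", ("localhost", "127.0.0.1")),
    ("guest", ("gw.example.net", "197.243.10.5")),
    ("guest", ("www.example.org", "192.0.2.7")),
    ("alice", ("localhost", "127.0.0.1")),
]

def decisions(order):
    return [ident_allowed(order, ALLOW, DENY, u, h) for u, h in CLIENTS]

if __name__ == "__main__":
    for order in ("allow,deny", "deny,allow"):
        print(order, decisions(order))
```

The user value is whatever the client host's RFC1413 daemon reports, so each decision is only as reliable as that host.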