PSARC 2011/088 Replace WU-ftpd with modern FTP server proftpd
authorMilan Jurik <Milan.Jurik@oracle.com>
Wed, 15 Jun 2011 01:09:08 -0700
changeset 305 e95b65443448
parent 304 cfebb7b36966
child 306 9da68c8821e3
PSARC 2011/088 Replace WU-ftpd with modern FTP server proftpd 6938409 Solaris needs new ftpd replacing dead WU-ftpd 5084971 FTP needs TLS security 6319934 ftp server should support file transfer auditing 6630488 FTP manifest for SMF is incomplete and not arc compliant
components/proftpd/Makefile
components/proftpd/ManageFTP.html
components/proftpd/auth_service-network-ftpd
components/proftpd/ftp.xml
components/proftpd/ftprestart.sh
components/proftpd/mod_solaris_audit.c
components/proftpd/mod_solaris_priv.c
components/proftpd/patches/proftpd-configuration-html.patch
components/proftpd/patches/proftpd-error_code.patch
components/proftpd/patches/proftpd-pam.patch
components/proftpd/prof_service-network-ftpd
components/proftpd/proftpd.conf
components/proftpd/proftpd.license
components/proftpd/proftpd.p5m
components/proftpd/proftpd_migration.txt
components/proftpd/svc-ftp
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/proftpd/Makefile	Wed Jun 15 01:09:08 2011 -0700
@@ -0,0 +1,96 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+
+#
+# Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+#
+
+include ../../make-rules/shared-macros.mk
+
+COMPONENT_NAME=		proftpd
+COMPONENT_VERSION=	1.3.3
+COMPONENT_SUBVERSION=	e
+COMPONENT_SRC=		$(COMPONENT_NAME)-$(COMPONENT_VERSION)$(COMPONENT_SUBVERSION)
+COMPONENT_ARCHIVE=	$(COMPONENT_SRC).tar.gz
+COMPONENT_ARCHIVE_HASH=	sha1:823e94c24447936ade6ae3948fe638077e0ba933
+COMPONENT_ARCHIVE_URL=	ftp://ftp.proftpd.org/distrib/source/$(COMPONENT_ARCHIVE)
+
+# mod_gss subcomponent
+COMPONENT_NAME_1=	mod_gss
+COMPONENT_VERSION_1=	$(COMPONENT_VERSION)
+COMPONENT_SRC_1=	$(COMPONENT_NAME_1)-$(COMPONENT_VERSION_1)
+COMPONENT_ARCHIVE_1=	$(COMPONENT_SRC_1).tar.gz
+COMPONENT_ARCHIVE_HASH_1= sha1:b17015a49e41ee643f1891940f9f3f8a7d77e522
+COMPONENT_ARCHIVE_URL_1= http://downloads.sourceforge.net/gssmod/$(COMPONENT_ARCHIVE_1)
+
+include ../../make-rules/prep.mk
+include ../../make-rules/configure.mk
+include ../../make-rules/ips.mk
+
+# IPS_COMPONENT_VERSION is by default set to $(COMPONENT_VERSION) but it is not
+# enough for us. We need to include the $(COMPONENT_SUBVERSION) somehow.
+# Because the IPS_COMPONENT_VERSION cannot contain letters we used '.0.5'
+# instead of 'e'.
+IPS_COMPONENT_VERSION=  $(COMPONENT_VERSION).0.5
+
+CONFIGURE_OPTIONS +=	CFLAGS="$(CFLAGS) -I/usr/include/kerberosv5 -DHAVE_KRB5_H=1 -DKRB5_DLLIMP="
+CONFIGURE_OPTIONS +=	LDFLAGS="-lbsm"
+CONFIGURE_OPTIONS +=	install_user=$(LOGNAME)
+CONFIGURE_OPTIONS +=	install_group=`groups | cut -f 1 -d ' '`
+CONFIGURE_OPTIONS +=	--sysconfdir=$(ETCDIR)
+CONFIGURE_OPTIONS +=	--localstatedir=/var/run
+CONFIGURE_OPTIONS +=	--libexecdir=$(USRLIBDIR)/proftpd
+CONFIGURE_OPTIONS +=	--enable-ipv6
+CONFIGURE_OPTIONS +=	--enable-ctrls
+CONFIGURE_OPTIONS +=	--enable-facl
+CONFIGURE_OPTIONS +=	--enable-nls
+CONFIGURE_OPTIONS +=	--enable-dso
+CONFIGURE_OPTIONS +=	--enable-openssl
+CONFIGURE_OPTIONS +=	--disable-static
+CONFIGURE_OPTIONS +=	--with-modules=mod_solaris_audit:mod_solaris_priv
+CONFIGURE_OPTIONS +=	--with-shared=mod_facl:mod_wrap:mod_tls:mod_auth_gss:mod_gss
+
+# Copy Solaris modules and GSSAPI modules to proftpd source tree
+COMPONENT_PRE_CONFIGURE_ACTION = \
+	($(CP) mod_solaris_audit.c $(SOURCE_DIR)/contrib ; \
+	$(CP) mod_solaris_priv.c $(SOURCE_DIR)/contrib ; \
+	cd $(BUILD_DIR) ; \
+	$(UNPACK) $(UNPACK_ARGS) ../$(COMPONENT_ARCHIVE_1) ; \
+	cd $(COMPONENT_SRC_1) ; \
+	./configure CC="$(CC)" CFLAGS="-I/usr/include/kerberosv5" ; \
+	$(CP) mod_gss.c mod_auth_gss.c $(SOURCE_DIR)/contrib ; \
+	$(CP) mod_gss.h $(SOURCE_DIR)/include ; \
+	$(CP) mod_gss.html $(SOURCE_DIR)/doc/contrib ; \
+	$(CLONEY) $(SOURCE_DIR) $(@D))
+
+# proftpd configure and build is not ready for run out of the source tree
+CONFIGURE_SCRIPT =	$(@D)/configure
+
+build:		$(BUILD_32)
+
+install:	$(INSTALL_32)
+
+test:		$(NO_TESTS)
+# libcheck and specific Perl Test::Unit version is required for full test
+
+BUILD_PKG_DEPENDENCIES =	$(BUILD_TOOLS)
+
+include ../../make-rules/depend.mk
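Review bot: The shell sequence in `COMPONENT_PRE_CONFIGURE_ACTION` joins every step with `;`, so a failed `cd $(BUILD_DIR)`, a failed unpack of the mod_gss archive or a failed `./configure` does not stop the action. The later `$(CP)` and `$(CLONEY)` steps still run, possibly from the wrong directory, and the subshell's exit status is only that of the last command. Joining the steps with `&&` instead (for example `cd $(BUILD_DIR) && \` and `$(UNPACK) $(UNPACK_ARGS) ../$(COMPONENT_ARCHIVE_1) && \`) makes the build stop at the first broken step. Separately, both archives are fetched over unauthenticated transports (`ftp://` and `http://`), so the `sha1:` values in `COMPONENT_ARCHIVE_HASH` and `COMPONENT_ARCHIVE_HASH_1` are the only integrity check on the sources. If the fetch rules in `prep.mk` accept a stronger digest, which is not visible here, it would be worth pinning one.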
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/proftpd/ManageFTP.html	Wed Jun 15 01:09:08 2011 -0700
@@ -0,0 +1,20 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
+"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<!--
+Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+-->
+<meta http-equiv="content-type" content="text/html;charset=iso-8859-1" />
+<title> </title>
+</head>
+<body>
+<p>
+When the Manage FTP Authorization is in the Authorizations Included column, it 
+grants permission to enable, disable or restart the FTP server.
+</p>
+<p>
+If the Manage FTP Authorization is grayed, then you are not entitled to Add or Remove this authorization.
+</p>
+</body>
+</html>
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/proftpd/auth_service-network-ftpd	Wed Jun 15 01:09:08 2011 -0700
@@ -0,0 +1,1 @@
+solaris.smf.manage.ftp:::Manage FTP service states::help=ManageFTP.html
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/proftpd/ftp.xml	Wed Jun 15 01:09:08 2011 -0700
@@ -0,0 +1,117 @@
+<?xml version="1.0"?>
+<!--
+ Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+
+ CDDL HEADER START
+
+ The contents of this file are subject to the terms of the
+ Common Development and Distribution License (the "License").
+ You may not use this file except in compliance with the License.
+
+ You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ or http://www.opensolaris.org/os/licensing.
+ See the License for the specific language governing permissions
+ and limitations under the License.
+
+ When distributing Covered Code, include this CDDL HEADER in each
+ file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ If applicable, add the following below this CDDL HEADER, with the
+ fields enclosed by brackets "[]" replaced with your own identifying
+ information: Portions Copyright [yyyy] [name of copyright owner]
+
+ CDDL HEADER END
+
+ NOTE:  This service manifest is not editable; its contents will
+ be overwritten by package or patch operations, including
+ operating system upgrade.  Make customizations in a different
+ file.
+-->
+
+<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
+
+<service_bundle type='manifest' name='network/ftp'>
+<service name='network/ftp' type='service' version='1'>
+	<create_default_instance enabled='false' />
+
+	<single_instance/>
+
+	<dependency name='net-loopback' grouping='require_any'
+			restart_on='none' type='service'>
+		<service_fmri value='svc:/network/loopback' />
+	</dependency>
+
+	<dependency name='net-service' grouping='require_all'
+			restart_on='none' type='service'>
+		<service_fmri value='svc:/network/service'/>
+	</dependency>
+
+	<dependency name='net-physical' grouping='require_all'
+			restart_on='none' type='service'>
+		<service_fmri value='svc:/network/physical' />
+	</dependency>
+
+	<dependency name='filesystem-local' grouping='require_all'
+			restart_on='none' type='service'>
+		<service_fmri value='svc:/system/filesystem/local' />
+	</dependency>
+
+	<exec_method
+		type='method'
+		name='start'
+		exec='/usr/lib/inet/proftpd'
+		timeout_seconds='60'>
+		<method_context>
+			<method_credential user='root' group='root' />
+		</method_context>
+	</exec_method>
+
+	<exec_method type='method'
+		name='stop'
+		exec=':kill'
+		timeout_seconds='60'>
+	</exec_method>
+
+	<property_group name='general' type='framework'>
+		<!-- manage FTP server state -->
+		<propval name='action_authorization' type='astring'
+		    value='solaris.smf.manage.ftp' />
+		<propval name='value_authorization' type='astring'
+		    value='solaris.smf.manage.ftp' />
+	</property_group>
+
+	<property_group name='startd' type='framework'>
+        	<propval name='duration' type='astring' value='contract'/>
+		<!-- sub-process core dumps shouldn't restart session -->
+		<propval name='ignore_error'
+		    type='astring' value='core,signal' />
+	</property_group>
+
+	<property_group name='firewall_context' type='com.sun,fw_definition'>
+		<propval name='ipf_method' type='astring'
+		    value='/lib/svc/method/svc-ftp ipfilter' />
+	</property_group>
+
+	<property_group name='firewall_config' type='com.sun,fw_configuration'>
+		<propval name='policy' type='astring' value='use_global' />
+		<propval name='apply_to' type='astring' value='' />
+		<propval name='exceptions' type='astring' value='' />
+		<propval name='value_authorization' type='astring'
+		    value='solaris.smf.value.firewall.config' />
+	</property_group>
+
+	<template>
+		<common_name>
+			<loctext xml:lang='C'>
+			FTP server
+			</loctext>      
+		</common_name>
+		<documentation>
+			<manpage title='proftpd' section='1M'
+			    manpath='/usr/share/man' />
+			<doc_link name='proftpd'
+			    uri='file://usr/share/doc/proftpd/' />
+		</documentation>
+	</template>
+</service>
+
+</service_bundle>
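Review bot: The `doc_link` URI `file://usr/share/doc/proftpd/` has only two slashes, so `usr` is parsed as the host part rather than the first path component; it should read `uri='file:///usr/share/doc/proftpd/'`. The start method's `<method_credential user='root' group='root' />` also sets neither `privileges` nor `limit_privileges`, so any reduction of the daemon's privilege set is left to the server itself (presumably mod_solaris_priv.c from this changeset, which is not visible in this hunk). If the set proftpd needs at startup is known, stating it in the manifest would bound the process even if that in-process privilege drop does not take effect.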
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/proftpd/ftprestart.sh	Wed Jun 15 01:09:08 2011 -0700
@@ -0,0 +1,25 @@
+#!/sbin/sh
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+# Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+#
+
+/usr/sbin/ftpshut -R
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/proftpd/mod_solaris_audit.c	Wed Jun 15 01:09:08 2011 -0700
@@ -0,0 +1,1173 @@
+/*
+ * ProFTPD - FTP server daemon
+ * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307, USA.
+ *
+ * As a special exemption, copyright holders give permission to link
+ * this program with OpenSSL, and distribute the resulting executable,
+ * without including the source code for OpenSSL in the source distribution.
+ *
+ */
+
+#include "conf.h"
+#include <bsm/adt.h>
+#include <bsm/adt_event.h>
+#include <security/pam_appl.h>
+#include <sys/types.h>
+#include <pwd.h>
+#include <unistd.h>
+#include <ucred.h>
+
+#ifndef ADT_ftpd
+#define ADT_ftpd	152
+#endif
+
+#ifndef ADT_ftpd_logout
+#define ADT_ftpd_logout	153
+#endif
+
+module solaris_audit_module;
+
+static adt_session_data_t *asession = NULL;
+
+static int auth_retval = PAM_AUTH_ERR;
+
+static void audit_autherr_ev(const void *event_data, void *user_data) {
+
+  switch (*(int *)event_data) {
+  case PR_AUTH_NOPWD:
+    auth_retval = PAM_USER_UNKNOWN;
+    break;
+  case PR_AUTH_AGEPWD:
+    auth_retval = PAM_CRED_EXPIRED;
+    break;
+  case PR_AUTH_DISABLEDPWD:
+    auth_retval = PAM_ACCT_EXPIRED;
+    break;
+  case PR_AUTH_CRED_INSUFF:
+    auth_retval = PAM_CRED_INSUFFICIENT;
+    break;
+  case PR_AUTH_CRED_UNAVAIL:
+    auth_retval = PAM_CRED_UNAVAIL;
+    break;
+  case PR_AUTH_CRED_ERR:
+    auth_retval = PAM_CRED_ERR;
+    break;
+  case PR_AUTH_UNAVAIL:
+    auth_retval = PAM_AUTHINFO_UNAVAIL;
+    break;
+  case PR_AUTH_MAXTRIES:
+    auth_retval = PAM_MAXTRIES;
+    break;
+  case PR_AUTH_INIT_FAIL:
+    auth_retval = PAM_SESSION_ERR;
+    break;
+  case PR_AUTH_NEWTOK:
+    auth_retval = PAM_NEW_AUTHTOK_REQD;
+    break;
+  case PR_AUTH_OPEN_ERR:
+    auth_retval = PAM_OPEN_ERR;
+    break;
+  case PR_AUTH_SYMBOL_ERR:
+    auth_retval = PAM_SYMBOL_ERR;
+    break;
+  case PR_AUTH_SERVICE_ERR:
+    auth_retval = PAM_SERVICE_ERR;
+    break;
+  case PR_AUTH_SYSTEM_ERR:
+    auth_retval = PAM_SYSTEM_ERR;
+    break;
+  case PR_AUTH_BUF_ERR:
+    auth_retval = PAM_BUF_ERR;
+    break;
+  case PR_AUTH_CONV_ERR:
+    auth_retval = PAM_CONV_ERR;
+    break;
+  case PR_AUTH_PERM_DENIED:
+    auth_retval = PAM_PERM_DENIED;
+    break;
+  default: /* PR_AUTH_BADPWD */
+    auth_retval = PAM_AUTH_ERR;
+    break;
+  }
+
+}
+
+static void audit_failure(pool *p, char *authuser) {
+  adt_event_data_t *event = NULL;
+  const char *how;
+  int saved_errno = 0;
+  struct passwd pwd;
+  char *pwdbuf = NULL;
+  size_t pwdbuf_len;
+  long pwdbuf_len_max;
+  uid_t uid = ADT_NO_ATTRIB;
+  gid_t gid = ADT_NO_ATTRIB;
+
+  if ((pwdbuf_len_max = sysconf(_SC_GETPW_R_SIZE_MAX)) == -1) {
+    saved_errno = errno;
+    how = "couldn't determine maximum size of password buffer";
+    goto fail;
+  }
+
+  pwdbuf_len = (size_t)pwdbuf_len_max;
+  pwdbuf = pcalloc(p, pwdbuf_len);
+
+  if (adt_start_session(&asession, NULL, ADT_USE_PROC_DATA) != 0) {
+    saved_errno = errno;
+    how = "couldn't start adt session";
+    goto fail;
+  }
+
+  if ((authuser != NULL) && (authuser[0] != NULL) &&
+    (getpwnam_r(authuser, &pwd, pwdbuf, pwdbuf_len) != NULL)) {
+    uid = pwd.pw_uid;
+    gid = pwd.pw_gid;
+  } 
+
+  if (adt_set_user(asession, uid, gid, uid, gid, NULL, ADT_NEW) != 0) {
+    saved_errno = errno;
+    how = "couldn't set adt user";
+    goto fail;
+  }
+
+  if ((event = adt_alloc_event(asession, ADT_ftpd)) == NULL) {
+    saved_errno = errno;
+    how = "couldn't allocate adt event";
+    goto fail;
+  }
+
+  if (adt_put_event(event, ADT_FAILURE, ADT_FAIL_PAM + auth_retval) != 0) {
+    saved_errno = errno;
+    how = "couldn't put adt event";
+    goto fail;
+  }
+
+  adt_free_event(event);
+  (void) adt_end_session(asession);
+  asession = NULL;
+  return;
+
+fail:
+  pr_log_pri(PR_LOG_ERR, "Auditing of login failed: %s (%s)", how,
+    strerror(saved_errno));
+
+  adt_free_event(event);
+  (void) adt_end_session(asession);
+  asession = NULL;
+}
+
+static void audit_success(void) {
+  adt_event_data_t *event = NULL;
+  const char *how;
+  int saved_errno = 0;
+
+  if (adt_start_session(&asession, NULL, ADT_USE_PROC_DATA) != 0) {
+    saved_errno = errno;
+    how = "couldn't start adt session";
+    goto fail;
+  }
+
+  if ((event = adt_alloc_event(asession, ADT_ftpd)) == NULL) {
+    saved_errno = errno;
+    how = "couldn't allocate adt event";
+    goto fail;
+  }
+
+  if (adt_put_event(event, ADT_SUCCESS, ADT_SUCCESS) != 0) {
+    saved_errno = errno;
+    how = "couldn't put adt event";
+    goto fail;
+  }
+
+  adt_free_event(event);
+
+  /* Don't end adt session - leave for when logging out. */
+  return;
+
+fail:
+  pr_log_pri(PR_LOG_ERR, "Auditing of login failed: %s (%s)", how,
+    strerror(saved_errno));
+
+  adt_free_event(event);
+
+  /* Don't end adt session - leave for when logging out. */
+
+}
+
+static void audit_logout(void) {
+  adt_event_data_t *event = NULL;
+  const char *how;
+  int saved_errno = 0;
+
+  /* If audit session was not created during login then leave */
+  if (asession == NULL)
+    return;
+
+  if ((event = adt_alloc_event(asession, ADT_ftpd_logout)) == NULL) {
+    saved_errno = errno;
+    how = "couldn't allocate adt event";
+    goto fail;
+  }
+
+  if (adt_put_event(event, ADT_SUCCESS, ADT_SUCCESS) != 0) {
+    saved_errno = errno;
+    how = "couldn't put adt event";
+    goto fail;
+  }
+
+  adt_free_event(event);
+  (void) adt_end_session(asession);
+  asession = NULL;
+  return;
+
+fail:
+  pr_log_pri(PR_LOG_ERR, "Auditing of logout failed: %s (%s)", how,
+    strerror(saved_errno));
+
+  adt_free_event(event);
+  (void) adt_end_session(asession);
+  asession = NULL;
+}
+
+/* Logout */
+static void audit_exit_ev(const void *event_data, void *user_data) {
+  audit_logout();
+}
+
+/* Login passed */
+MODRET solaris_audit_post_pass(cmd_rec *cmd) {
+
+  audit_success();
+
+  /* Set handler for logout/timeout */
+  pr_event_register(&solaris_audit_module, "core.exit", audit_exit_ev, NULL);
+
+  return PR_DECLINED(cmd);
+}
+
+/* Login failed */
+MODRET solaris_audit_post_fail(cmd_rec *cmd) {
+  char *login_user;
+
+  login_user = pr_table_get(session.notes, "mod_auth.orig-user", NULL);
+
+  audit_failure(cmd->tmp_pool, login_user);
+  return PR_DECLINED(cmd);
+}
+
+static int audit_sess_init(void) {
+  adt_session_data_t *aht;
+  adt_termid_t *termid;
+  priv_set_t *privset;
+  int rval = -1;					
+
+  /* add privs for audit init */
+  if ((privset = priv_allocset()) == NULL) {
+    pr_log_pri(PR_LOG_ERR, "Auditing privilege initialization failed");
+    return rval;
+  }
+  (void) getppriv(PRIV_EFFECTIVE, privset);
+  priv_addset(privset, PRIV_SYS_AUDIT);
+  (void) setppriv(PRIV_SET, PRIV_EFFECTIVE, privset);
+
+  /* basic terminal id setup */
+  if (adt_start_session(&aht, NULL, 0) != 0) {
+    pr_log_pri(PR_LOG_ERR, "pam adt_start_session: %s", strerror(errno));
+    goto out;
+  }
+  if (adt_load_termid(session.c->rfd, &termid) != 0) {
+    pr_log_pri(PR_LOG_ERR, "adt_load_termid: %s", strerror(errno));
+    (void) adt_end_session(aht);
+    goto out;
+  }
+
+  if (adt_set_user(aht, ADT_NO_AUDIT, ADT_NO_AUDIT, 0, ADT_NO_AUDIT, termid,
+    ADT_SETTID) != 0) {
+    pr_log_pri(PR_LOG_ERR, "adt_set_user: %", strerror(errno));
+    free(termid);
+    (void) adt_end_session(aht);
+    goto out;
+  }
+  free(termid);
+  if (adt_set_proc(aht) != 0) {
+    pr_log_pri(PR_LOG_ERR, "adt_set_proc: %", strerror(errno));
+    (void) adt_end_session(aht);
+    goto out;
+  }
+  (void) adt_end_session(aht);
+
+  /* Set handler for authentication error */
+  pr_event_register(&solaris_audit_module, "mod_auth.authentication-code",
+    audit_autherr_ev, NULL);
+
+  rval = 0;
+
+out:
+
+  /* remove unneeded privileges */
+  priv_delset(privset, PRIV_SYS_AUDIT);
+  (void) setppriv(PRIV_SET, PRIV_EFFECTIVE, privset);
+  (void) setpflags(PRIV_AWARE_RESET, 1);
+  priv_freeset(privset);
+
+  return rval;
+}
+
+#define EVENT_KEY       "event"
+
+/* Helper functions and global variables
+ * for the file transfer command handlers.
+ * {
+ */
+
+static char src_realpath[PATH_MAX];
+static char dst_realpath[PATH_MAX];
+
+
+/*
+ * If an error occurs in any of the file transfer handlers,
+ * and the handler wants to return PR_ERROR(cmd), then it is necessary
+ * to send some FTP error message to user. This is in order to prevent
+ * a hang-up of the user's ftp client.
+ *
+ * This function sends the 451 error message to the user.
+ * It is only called in the "pre-" handlers. When a "pre-" handler
+ * returns PR_ERROR(cmd), then the corresponding "post_err-"
+ * handler is also called. Therefore it can happen that an error condition
+ * (such as no memory) can be logged (with the pr_log_pri() routine) twice.
+ * Once in the "pre-" handler, and once in the "post_err-" handler.
+ */
+static void error_451(void)
+{
+  pr_response_add_err(R_451,
+    "Requested action aborted: local error in processing.\n");
+}
+
+/*
+ * Allocate resources to process a command outcome.
+ *
+ * All file transfer command handlers need to allocate adt_event_data_t
+ * structure and also make a copy of the command argument.
+ * This function does both. If it can't, it logs an error and returns NULL.
+ * On success, it returns the pointer (event) to the allocated adt_event_data_t
+ * structure.
+ *
+ * If arg2 is not NULL, it makes a copy of the first (and only) command
+ * argument (using the memory pool "pool" from "cmd") and stores it to *arg2.
+ * There must be always exactly one command argument, otherwise it is an error.
+ *
+ * On success, the pointer to the created event structure is stored
+ * into cmd under "notes" variable, so that it is accessible
+ * by the subsequent corresponding "post-" or "post_err-" command handler.
+ */
+adt_event_data_t* __solaris_audit_pre_arg2(
+    cmd_rec *cmd, const char* description, int event_type, char **arg2) {
+
+  adt_event_data_t *event = NULL;
+  const char *how = "";
+  char *tmp = NULL;
+
+  /* The ftp server code will save errno into this variable
+   * in case an error happens, and there is a valid errno for it.
+   */
+  cmd->error_code = ADT_FAILURE;
+
+  if (cmd->argc != 2) {
+    pr_log_pri(PR_LOG_ERR, "Auditing of %s failed: %s",
+      description, "bad arguments");
+    goto err;
+  }
+
+  if (arg2 != NULL) {
+    *arg2 = NULL;
+
+    if ((tmp = pstrdup(cmd->pool, cmd->argv[1])) == NULL) {
+      how = "no memory";
+      pr_log_pri(PR_LOG_ERR, "Auditing of %s(%s) failed: %s",
+        description, cmd->argv[1], how);
+      goto err;
+    }
+    *arg2 = tmp;
+  }
+
+  if (cmd->notes == NULL ) {
+    pr_log_pri(PR_LOG_ERR, "Auditing of %s(%s) failed: %s",
+      description, cmd->argv[1], "API error, notes is NULL");
+    goto err;
+  }
+
+  if ((event = adt_alloc_event(asession, event_type)) == NULL) {
+    how = "couldn't allocate adt event";
+    pr_log_pri(PR_LOG_ERR, "Auditing of %s(%s) failed: %s(%s)",
+      description, cmd->argv[1], how, strerror(errno));
+    goto err;
+  }
+
+  if (pr_table_add(cmd->notes, EVENT_KEY, event, sizeof(*event))==-1) {
+    how = "pr_table_add() failed";
+    pr_log_pri(PR_LOG_ERR, "Auditing of %s(%s) failed: %s",
+      description, cmd->argv[1], how);
+    adt_free_event(event);
+    goto err;
+  }
+  
+  return event;
+
+err:
+  return NULL;
+}
+
+/*
+ * This function implements logic that is common to most "post-"
+ * and "post_err-" file transfer command handlers.
+ *
+ * It retrieves the pointer (event) to the adt_event_data_t structure
+ * from "cmd->notes" and logs it. This structure has been created by the
+ * __solaris_audit_pre_arg2() function.
+ * 
+ * Some audit event structures contain an optional *_stat member.
+ * If "fill_attr" is not NULL, it is called to fill in this member,
+ * before the audit event is logged.
+ *
+ * This function always returns PR_DECLINED, even if it failed
+ * to log the audit event. The reason is that it is called in the
+ * "post-" file transfer command handlers, which means that the command
+ * has been already successfully executed by the ftp server.
+ */
+MODRET __solaris_audit_post(cmd_rec *cmd,
+  const char* description, int exit_status, int __unused,
+  const char* (*fill_event)(cmd_rec *cmd, adt_event_data_t *event))
+{
+  adt_event_data_t *event = NULL;
+  const char* how = "";
+  const char* msg = NULL;
+  size_t size = 0;
+  int exit_error = cmd->error_code;
+
+  event = (adt_event_data_t*)pr_table_remove(cmd->notes, EVENT_KEY, &size);
+  if (event == NULL) {
+    how = "event is NULL";
+    pr_log_pri(PR_LOG_ERR, "Auditing of %s failed: %s", description, how);
+    goto out;
+  }
+
+  if (size != sizeof(*event)) {
+    how = "bad event size";
+    pr_log_pri(PR_LOG_ERR, "Auditing of %s failed: %s", description, how);
+    goto out;
+  }
+
+  if (fill_event != NULL) {
+    msg = fill_event(cmd, event);
+    if (msg != NULL) {
+      pr_log_pri(PR_LOG_ERR, "Auditing of %s failed: %s", description, msg);
+      goto out;
+    }
+  }
+
+  /* It can happen, that the ftp command succeeds but only to some degree.
+   * In such case, the exit_error might contain the errno number
+   * of the failure.
+   */
+  if (exit_status == ADT_SUCCESS) {
+    if (exit_error == ADT_FAILURE)
+      exit_error = ADT_SUCCESS;
+  }
+
+  if (adt_put_event(event, exit_status, exit_error) != 0) {
+    how = "couldn't put adt event";
+    pr_log_pri(PR_LOG_ERR, "Auditing of %s failed: %s (%s)",
+      description, how, strerror(errno));
+  }
+
+  adt_free_event(event);
+
+out:
+  return PR_DECLINED(cmd);
+}
+
+/*
+ * This is a generic function to fill in the given "stat" member
+ * of some audit event structure. The path and the member are specified
+ * by the caller. The pointer to cmd is supplied, because the stat64
+ * structure has to be allocated (the "stat" member is a pointer).
+ *
+ * The function returns NULL on success.
+ * In case of an error, it returns a descriptive message.
+ * This message is used by the caller to log an error.
+ *
+ * For some file transfer commands, the "stat" member is filled in
+ * the "pre-" handler (because the file is expected to exist prior
+ * to the execution of the command). For other file transfer commands,
+ * the "stat" member is filled in the "post-" handler (because
+ * the file is expected _not_ to exist prior to the execution of the command,
+ * but to exist after the command execution).
+ */
+static const char* __fill_attr
+(
+  cmd_rec *cmd, const char* path, adt_stat_t **ret)
+{
+  struct stat64 *ptr;
+  int err;
+
+  if (ret == NULL)
+    return "NULL pointer";
+
+  *ret = NULL;
+
+  ptr = palloc(cmd->pool, sizeof(*ptr));
+  if (ptr == NULL)
+    return "no memory";
+
+  err = stat64(path, ptr);
+  if (err == -1)
+    return "stat64() failed";
+
+  *ret = ptr;
+  return NULL;
+}
+/* } */
+
+
+/* Delete file. { */
+static const char* dele_fill_attr(cmd_rec *cmd, adt_event_data_t *event) {
+  return __fill_attr(
+    cmd, event->adt_ft_remove.f_path, &(event->adt_ft_remove.f_attr)
+  );
+}
+
+MODRET solaris_audit_pre_dele(cmd_rec *cmd) {
+  adt_event_data_t *event = NULL;
+  char* ptr = NULL;
+  char* rp = NULL;
+
+  event = __solaris_audit_pre_arg2(cmd, "remove", ADT_ft_remove, &ptr);
+  if (event == NULL) {
+    error_451();
+    return PR_ERROR(cmd);
+  }
+
+  rp = realpath(ptr, src_realpath);
+  if (rp == NULL) {
+    if (errno != ENOENT) {
+      pr_log_pri(PR_LOG_ERR, "Auditing of %s(%s) failed: %s",
+        "remove", ptr, "realpath() failed");
+      cmd->error_code = errno;
+      error_451();
+      return PR_ERROR(cmd);
+    }
+    /* If rp is NULL and errno is ENOENT, it means that 
+     * the file to be deleted does not exist. In this case,
+     * the post_dele_err callback will be called to log this.
+     */
+  }
+
+  if (rp != NULL)
+    ptr = rp;    
+
+  event->adt_ft_remove.f_path = ptr;
+  (void) dele_fill_attr(cmd, event);
+
+  return PR_DECLINED(cmd);
+}
+
+MODRET solaris_audit_post_dele(cmd_rec *cmd) {
+  return __solaris_audit_post(
+    cmd, "remove", ADT_SUCCESS, ADT_SUCCESS, NULL);
+}
+
+MODRET solaris_audit_post_dele_err(cmd_rec *cmd) {
+  return __solaris_audit_post(cmd, "remove", ADT_FAILURE, ADT_FAILURE, NULL);
+}
+/* } */
+
+
+/* Make directory. { */
+MODRET solaris_audit_pre_mkd(cmd_rec *cmd) {
+  adt_event_data_t *event = NULL;
+  char* ptr = NULL;
+
+  event = __solaris_audit_pre_arg2(cmd, "mkdir", ADT_ft_mkdir, &ptr);
+  if (event == NULL) {
+    error_451();
+    return PR_ERROR(cmd);
+  }
+
+  event->adt_ft_mkdir.d_path = ptr;
+  event->adt_ft_mkdir.d_attr = NULL;
+
+  /* Value 0777 is hardcoded in the ftp server. */
+  event->adt_ft_mkdir.arg = 0777;
+  event->adt_ft_mkdir.arg_id = 2;
+  event->adt_ft_mkdir.arg_desc = "mode";
+
+  return PR_DECLINED(cmd);
+}
+
+static const char* mkd_fill_event(cmd_rec *cmd, adt_event_data_t *event) {
+  char *rp = NULL;
+
+  rp = realpath(event->adt_ft_mkdir.d_path, src_realpath);
+  if (rp == NULL) {
+    cmd->error_code = errno;
+    return "realpath() failed";
+  }
+
+  event->adt_ft_mkdir.d_path = rp;
+  return __fill_attr(
+    cmd, event->adt_ft_mkdir.d_path, &(event->adt_ft_mkdir.d_attr)
+  );
+}
+
+static const char* mkd_fill_event_err(cmd_rec *cmd, adt_event_data_t *event) {
+  char *rp = NULL;
+
+  rp = realpath(event->adt_ft_mkdir.d_path, src_realpath);
+  if (rp != NULL) {
+    event->adt_ft_mkdir.d_path = rp;
+    (void) __fill_attr(
+      cmd, event->adt_ft_mkdir.d_path, &(event->adt_ft_mkdir.d_attr)); 
+  }
+
+  return NULL;
+}
+
+MODRET solaris_audit_post_mkd(cmd_rec *cmd) {
+  return __solaris_audit_post(
+    cmd, "mkdir", ADT_SUCCESS, ADT_SUCCESS, mkd_fill_event);
+}
+
+MODRET solaris_audit_post_mkd_err(cmd_rec *cmd) {
+  return __solaris_audit_post(
+    cmd, "mkdir", ADT_FAILURE, ADT_FAILURE, mkd_fill_event_err);
+}
+/* } */
+
+/* Remove directory. { */
+static const char* rmd_fill_attr(cmd_rec *cmd, adt_event_data_t *event) {
+  return __fill_attr(
+    cmd, event->adt_ft_rmdir.f_path, &(event->adt_ft_rmdir.f_attr)
+  );
+}
+
+MODRET solaris_audit_pre_rmd(cmd_rec *cmd) {
+  adt_event_data_t *event = NULL;
+  char* ptr = NULL;
+  char* rp = NULL;
+ 
+  event = __solaris_audit_pre_arg2(cmd, "rmdir", ADT_ft_rmdir, &ptr);
+  if (event == NULL) {
+    error_451();
+    return PR_ERROR(cmd);
+  }
+
+  rp = realpath(ptr, src_realpath);
+  if (rp == NULL) {
+    if (errno != ENOENT) {
+      cmd->error_code = errno;
+      pr_log_pri(PR_LOG_ERR, "Auditing of %s(%s) failed: %s",
+        "rmdir", ptr, "realpath() failed");
+      error_451();
+      return PR_ERROR(cmd);
+    }
+  }
+
+  if (rp != NULL)
+    ptr = rp;
+
+  event->adt_ft_rmdir.f_path = ptr;
+  (void) rmd_fill_attr(cmd, event);
+
+  return PR_DECLINED(cmd);
+}
+
+MODRET solaris_audit_post_rmd(cmd_rec *cmd) {
+  return __solaris_audit_post(cmd, "rmdir", ADT_SUCCESS, ADT_SUCCESS, NULL);
+}
+
+MODRET solaris_audit_post_rmd_err(cmd_rec *cmd) {
+  return __solaris_audit_post(cmd, "rmdir", ADT_FAILURE, ADT_FAILURE, NULL);
+}
+/* } */
+
+/* Get modification time and date. { */
+MODRET solaris_audit_pre_mdtm(cmd_rec *cmd) {
+  adt_event_data_t *event = NULL;
+  char* ptr = NULL;
+  char* rp = NULL;
+  
+  event = __solaris_audit_pre_arg2(cmd, "utimes", ADT_ft_utimes, &ptr);
+  if (event == NULL) {
+    error_451();
+    return PR_ERROR(cmd);
+  }
+
+  rp = realpath(ptr, src_realpath);
+  if (rp == NULL) {
+    if (errno != ENOENT) {
+      cmd->error_code = errno;
+      pr_log_pri(PR_LOG_ERR, "Auditing of %s(%s) failed: %s",
+        "utimes", ptr, "realpath() failed");
+      error_451();
+      return PR_ERROR(cmd);
+    }
+  }
+
+  if (rp != NULL)
+    ptr = rp;
+
+  event->adt_ft_utimes.f_path = ptr;
+  event->adt_ft_utimes.f_attr = NULL;
+
+  return PR_DECLINED(cmd);
+}
+
+static const char* mdtm_fill_attr(cmd_rec *cmd, adt_event_data_t *event) {
+  return __fill_attr(
+    cmd, event->adt_ft_utimes.f_path, &(event->adt_ft_utimes.f_attr)
+  );
+}
+
+MODRET solaris_audit_post_mdtm(cmd_rec *cmd) {
+  return __solaris_audit_post(
+    cmd, "utimes", ADT_SUCCESS, ADT_SUCCESS, mdtm_fill_attr);
+}
+
+MODRET solaris_audit_post_mdtm_err(cmd_rec *cmd) {
+  return __solaris_audit_post(cmd, "utimes", ADT_FAILURE, ADT_FAILURE, NULL);
+}
+/* } */
+
+/* Upload file. { */
+MODRET solaris_audit_pre_put(cmd_rec *cmd) {
+  adt_event_data_t *event = NULL;
+  char* ptr = NULL;
+  
+  event = __solaris_audit_pre_arg2(cmd, "put", ADT_ft_put, &ptr);
+  if (event == NULL) {
+    error_451();
+    return PR_ERROR(cmd);
+  }
+
+  event->adt_ft_put.f_path = ptr;
+  event->adt_ft_put.f_attr = NULL;
+
+  return PR_DECLINED(cmd);
+}
+
+static const char* put_fill_event(cmd_rec *cmd, adt_event_data_t *event) {
+  char *rp = NULL;
+
+  rp = realpath(event->adt_ft_put.f_path, src_realpath);
+  if (rp == NULL) {
+    cmd->error_code = errno;
+    return "realpath() failed";
+  }
+
+  event->adt_ft_put.f_path = rp;
+  return __fill_attr(
+    cmd, event->adt_ft_put.f_path, &(event->adt_ft_put.f_attr)
+  );
+}
+
+MODRET solaris_audit_post_put(cmd_rec *cmd) {
+  return __solaris_audit_post(
+    cmd, "put", ADT_SUCCESS, ADT_SUCCESS, put_fill_event);
+}
+
+MODRET solaris_audit_post_put_err(cmd_rec *cmd) {
+  return __solaris_audit_post(cmd, "put", ADT_FAILURE, ADT_FAILURE, NULL);
+}
+/* } */
+
+/* Download file. { */
+MODRET solaris_audit_pre_get(cmd_rec *cmd) {
+  adt_event_data_t *event = NULL;
+  char* ptr = NULL;
+  char* rp = NULL;
+  
+  event = __solaris_audit_pre_arg2(cmd, "get", ADT_ft_get, &ptr);
+  if (event == NULL) {
+    error_451();
+    return PR_ERROR(cmd);
+  }
+
+  rp = realpath(ptr, src_realpath);
+  if (rp == NULL) {
+    if (errno != ENOENT) {
+      cmd->error_code = errno;
+      pr_log_pri(PR_LOG_ERR, "Auditing of %s(%s) failed: %s",
+        "get", ptr, "realpath() failed");
+      error_451();
+      return PR_ERROR(cmd);
+    }
+  }
+
+  if (rp != NULL)
+    ptr = rp;
+
+  event->adt_ft_get.f_path = ptr;
+  event->adt_ft_get.f_attr = NULL;
+
+  return PR_DECLINED(cmd);
+}
+
+static const char* get_fill_attr(cmd_rec *cmd, adt_event_data_t *event) {
+  return __fill_attr(
+    cmd, event->adt_ft_get.f_path, &(event->adt_ft_get.f_attr)
+  );
+}
+
+MODRET solaris_audit_post_get(cmd_rec *cmd) {
+  return __solaris_audit_post(
+    cmd, "get", ADT_SUCCESS, ADT_SUCCESS, get_fill_attr);
+}
+
+MODRET solaris_audit_post_get_err(cmd_rec *cmd) {
+  return __solaris_audit_post(cmd, "get", ADT_FAILURE, ADT_FAILURE, NULL);
+}
+/* } */
+
+/* Rename file. { */
+/*
+ * The rename file implementation uses malloc()/free(),
+ * which the ProFTP module interface prohibits. I do not see another way.
+ * 
+ * Any memory allocation method provided by the ProFTP API uses a memory pool.
+ * To avoid malloc()/free() a persistent memory pool is needed.
+ */
+
+/*
+ * To successfully log the rename audit event, a cooperation
+ * of RNFR and RNTO command handlers is necessary.
+ * The RNFR command specifies the source file name,
+ * and the RNTO command specifies the destination file name.
+ * 
+ * The RNFR command handlers save the source file in the "src_path"
+ * variable, so that it is available to the RNTO command handler,
+ * which logs the audit event.
+ */
+static char* src_path = NULL;
+
+/* RNFR. { */
+static void __solaris_audit_rnfr_err(cmd_rec *cmd)
+{
+  adt_event_data_t *event = NULL;
+
+  if (src_path == NULL)
+    return;
+
+  event = __solaris_audit_pre_arg2(cmd, "RNFR", ADT_ft_rename, NULL);
+  if (event == NULL) {
+    error_451();
+    goto out;
+  }
+
+  event->adt_ft_rename.src_path = src_path;
+  event->adt_ft_rename.src_attr = NULL;
+  event->adt_ft_rename.dst_path = NULL;
+
+  (void) __solaris_audit_post(cmd, "RNFR", ADT_FAILURE, ADT_FAILURE, NULL);
+
+out:
+  free(src_path);
+  src_path = NULL;
+}
+
+MODRET solaris_audit_pre_rnfr(cmd_rec *cmd) {
+  adt_event_data_t *event = NULL;
+  char* ptr = NULL;
+
+  /*
+   * If src_path is not NULL, it means that this RNFR command immediatelly
+   * follows a successfull RNFR command not terminated with a RNTO command.
+   * In such case, log an audit error for this unterminated RNFR command,
+   * and then continue normally.
+   *
+   * A correctly working ftp client can not cause this situation to happen.
+   * But this situation can be created, for instance, by manually sending
+   * commands to the ftp server with a telnet client.
+   */
+  if (src_path != NULL)
+    __solaris_audit_rnfr_err(cmd);
+
+  /*
+   * Prepare the audit event structure and remember the new src_path.
+   * This audit event structure will be used, if the RNFR command fails.
+   * It will be unused, if it succeeds.
+   */
+  event = __solaris_audit_pre_arg2(cmd, "get", ADT_ft_rename, &ptr);
+  if (event == NULL)
+    goto err;
+
+  event->adt_ft_rename.src_path = ptr;
+  event->adt_ft_rename.src_attr = NULL;
+  event->adt_ft_rename.dst_path = "";
+
+  src_path = strdup(cmd->argv[1]);
+  if (src_path == NULL) {
+    pr_log_pri(PR_LOG_ERR, "Auditing of %s(%s) failed: %s",
+      "RNFR", ptr, "no memory");
+    goto err;
+  }
+
+  return PR_DECLINED(cmd);
+err:
+  return PR_ERROR(cmd);
+}
+
+/*
+ * On success, the RNFR command handlers do not log any audit event.
+ * A success means that a rename command is in progress and that
+ * the immediatelly following command is to be RNTO. 
+ */
+MODRET solaris_audit_post_rnfr(cmd_rec *cmd) {
+
+  char *ptr;
+
+  ptr = realpath(src_path, src_realpath);
+  if (ptr == NULL) {
+    pr_log_pri(PR_LOG_ERR, "Auditing of %s(%s) failed: %s",
+      "RNFR", src_path, "realpath() failed");
+    error_451();
+    return PR_ERROR(cmd);
+  }
+
+  /*
+   * The argument to RNFR command is saved in src_path.
+   * It will be used in the subsequent RNTO command, or RNFR command.
+   */
+  return PR_DECLINED(cmd);
+}
+
+/* It can happen, that RNFR command fails, but the source path exists.
+ * Therefore make an attempt to resolve its realpath before doing
+ * the audit log.
+ *
+ * Even if the realpath() call fails, the src_path contents are still
+ * copied to src_realpath buffer. This makes them available to the RNTO
+ * command handlers.
+ */
+static const char* rnfr_err_fill_event(cmd_rec *cmd, adt_event_data_t *event) {
+  char *ptr = NULL;
+
+  if (src_path != NULL) {
+    ptr = realpath(src_path, src_realpath);
+    if (ptr != NULL)
+      event->adt_ft_rename.src_path = ptr;
+  }
+
+  return NULL;
+}
+
+/*
+ * On error, an audit event is logged, specifying that a rename
+ * command failed. The destination path in the audit event structure
+ * is empty, simply because the corresponding RNTO command did not yet
+ * happen, and it is not suppossed to happen.
+ */
+MODRET solaris_audit_post_rnfr_err(cmd_rec *cmd) {
+  MODRET ret;
+
+  ret = __solaris_audit_post(cmd, "RNFR", ADT_FAILURE, ADT_FAILURE,
+    rnfr_err_fill_event);
+
+  free(src_path);
+  src_path = NULL;
+
+  return ret;
+}
+/* } RNFR. */
+
+/* RNTO. { */
+static const char* rnto_fill_attr(cmd_rec *cmd, adt_event_data_t *event) {
+  return __fill_attr(
+    cmd, event->adt_ft_rename.src_path, &(event->adt_ft_rename.src_attr)
+  );
+}
+
+MODRET solaris_audit_pre_rnto(cmd_rec *cmd) {
+  adt_event_data_t *event = NULL;
+  const char* msg = NULL;
+  char* ptr = NULL;
+
+  event = __solaris_audit_pre_arg2(cmd, "get", ADT_ft_rename, &ptr);
+  if (event == NULL)
+    goto err;
+
+  /*
+   * If src_path is NULL, this means that there is no previous
+   * successfull RNFR command. The ftp server should know about this
+   * and terminate this RNTO command with an error (call the error callback).
+   */
+  event->adt_ft_rename.src_path = (src_path)?src_path:"";
+  event->adt_ft_rename.dst_path = ptr;
+
+  /*
+   * If the code executes here, it means that there is a successfully finished
+   * RNFR command immediatelly before us, which means that the src_path exists,
+   * and it should be therefore possible to get its status.
+   */
+  msg = rnto_fill_attr(cmd, event);  
+  if (msg != NULL) {
+    pr_log_pri(PR_LOG_ERR, "Auditing of %s(%s,%s) failed: %s",
+      "RNTO", event->adt_ft_rename.src_path, ptr, msg);
+    goto err;
+  }
+
+  return PR_DECLINED(cmd);
+
+err:
+  error_451();
+  return PR_ERROR(cmd);
+}
+
+static const char* rnto_fill_event(cmd_rec *cmd, adt_event_data_t *event) {
+  char *ptr;
+
+  ptr = realpath(event->adt_ft_rename.dst_path, dst_realpath);
+  if (ptr == NULL) {
+    return "realpath() failed";
+  }
+
+  event->adt_ft_rename.src_path = src_realpath;
+  event->adt_ft_rename.dst_path = dst_realpath;
+
+  return NULL;
+}
+
+MODRET solaris_audit_post_rnto(cmd_rec *cmd) {
+   MODRET retval;
+
+  /* NULL means that there is no preceeding successfull RNFR command. */
+  if (src_path == NULL)
+    return PR_ERROR(cmd);
+
+  retval = __solaris_audit_post(cmd, "RNTO", ADT_SUCCESS, ADT_SUCCESS,
+    rnto_fill_event);
+  
+  free(src_path);
+  src_path = NULL;
+
+  return retval;
+}
+
+/* It can happen, that RNTO command fails, but the destination path exists.
+ * Therefore make an attempt to resolve its realpath before doing
+ * the audit log.
+ */
+static const char* rnto_err_fill_event(cmd_rec *cmd, adt_event_data_t *event) {
+
+  (void) realpath(event->adt_ft_rename.dst_path, dst_realpath);
+  event->adt_ft_rename.src_path = src_realpath;
+  event->adt_ft_rename.dst_path = dst_realpath;
+
+  return NULL;
+}
+
+MODRET solaris_audit_post_rnto_err(cmd_rec *cmd) {
+  MODRET retval;
+  retval = __solaris_audit_post(cmd, "RNTO", ADT_FAILURE, ADT_FAILURE,
+    rnto_err_fill_event);
+  if (src_path != NULL) {
+    free(src_path);
+    src_path = NULL;
+  }
+  return retval;
+}
+/* } RNTO. */
+
+static cmdtable solaris_audit_commands[] = {
+    /* Login, logout. */
+    { POST_CMD, C_PASS, G_NONE, solaris_audit_post_pass, FALSE, FALSE },
+    { POST_CMD_ERR, C_PASS, G_NONE, solaris_audit_post_fail, FALSE, FALSE },
+
+    /* Delete file. */
+    { PRE_CMD, C_DELE, G_NONE, solaris_audit_pre_dele, FALSE, FALSE },
+    { POST_CMD, C_DELE, G_NONE, solaris_audit_post_dele, FALSE, FALSE },
+    { POST_CMD_ERR, C_DELE, G_NONE, solaris_audit_post_dele_err,
+        FALSE, FALSE },
+
+    /* Make directory. */
+    { PRE_CMD, C_MKD, G_NONE, solaris_audit_pre_mkd, FALSE, FALSE },
+    { POST_CMD, C_MKD, G_NONE, solaris_audit_post_mkd, FALSE, FALSE },
+    { POST_CMD_ERR, C_MKD, G_NONE, solaris_audit_post_mkd_err,
+        FALSE, FALSE },
+
+    /* Remove directory. */
+    { PRE_CMD, C_RMD, G_NONE, solaris_audit_pre_rmd, FALSE, FALSE },
+    { POST_CMD, C_RMD, G_NONE, solaris_audit_post_rmd, FALSE, FALSE },
+    { POST_CMD_ERR, C_RMD, G_NONE, solaris_audit_post_rmd_err,
+        FALSE, FALSE },
+
+    { PRE_CMD, C_XRMD, G_NONE, solaris_audit_pre_rmd, FALSE, FALSE },
+    { POST_CMD, C_XRMD, G_NONE, solaris_audit_post_rmd, FALSE, FALSE },
+    { POST_CMD_ERR, C_XRMD, G_NONE, solaris_audit_post_rmd_err,
+        FALSE, FALSE },
+
+    /* Get modification time. */
+    { PRE_CMD, C_MDTM, G_NONE, solaris_audit_pre_mdtm, FALSE, FALSE },
+    { POST_CMD, C_MDTM, G_NONE, solaris_audit_post_mdtm, FALSE, FALSE },
+    { POST_CMD_ERR, C_MDTM, G_NONE, solaris_audit_post_mdtm_err,
+        FALSE, FALSE },
+
+    /* Upload file. */
+    { PRE_CMD, C_STOR, G_WRITE, solaris_audit_pre_put, FALSE, FALSE },
+    { POST_CMD, C_STOR, G_WRITE, solaris_audit_post_put, FALSE, FALSE },
+    { POST_CMD_ERR, C_STOR, G_WRITE, solaris_audit_post_put_err,
+        FALSE, FALSE },
+
+    { PRE_CMD, C_STOU, G_WRITE, solaris_audit_pre_put, FALSE, FALSE },
+    { POST_CMD, C_STOU, G_WRITE, solaris_audit_post_put, FALSE, FALSE },
+    { POST_CMD_ERR, C_STOU, G_WRITE, solaris_audit_post_put_err,
+        FALSE, FALSE },
+
+    { PRE_CMD, C_APPE, G_WRITE, solaris_audit_pre_put, FALSE, FALSE },
+    { POST_CMD, C_APPE, G_WRITE, solaris_audit_post_put, FALSE, FALSE },
+    { POST_CMD_ERR, C_APPE, G_WRITE, solaris_audit_post_put_err,
+        FALSE, FALSE },
+
+    /* Download file. */
+    { PRE_CMD, C_RETR, G_READ, solaris_audit_pre_get, FALSE, FALSE },
+    { POST_CMD, C_RETR, G_READ, solaris_audit_post_get, FALSE, FALSE },
+    { POST_CMD_ERR, C_RETR, G_READ, solaris_audit_post_get_err,
+        FALSE, FALSE },
+
+    /* Rename file. */
+    { PRE_CMD, C_RNFR, G_NONE, solaris_audit_pre_rnfr, FALSE, FALSE },
+    { POST_CMD, C_RNFR, G_NONE, solaris_audit_post_rnfr, FALSE, FALSE },
+    { POST_CMD_ERR, C_RNFR, G_NONE, solaris_audit_post_rnfr_err,
+        FALSE, FALSE },
+
+    { PRE_CMD, C_RNTO, G_NONE, solaris_audit_pre_rnto, FALSE, FALSE },
+    { POST_CMD, C_RNTO, G_NONE, solaris_audit_post_rnto, FALSE, FALSE },
+    { POST_CMD_ERR, C_RNTO, G_NONE, solaris_audit_post_rnto_err,
+        FALSE, FALSE },
+
+	{ 0, NULL }
+};
+
+module solaris_audit_module = {
+	NULL, NULL,		/* Always NULL */
+	0x20,			/* API Version 2.0 */
+	"solaris_audit",
+	NULL,			/* configuration table */
+	solaris_audit_commands,	/* command table is for local use only */
+	NULL,			/* No authentication handlers */
+	NULL,			/* No initialization function */
+	audit_sess_init		/* Post-fork "child mode" init */
+};
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/proftpd/mod_solaris_priv.c	Wed Jun 15 01:09:08 2011 -0700
@@ -0,0 +1,446 @@
+/*
+ * ProFTPD - FTP server daemon
+ * Copyright (c) 1997, 1998 Public Flood Software
+ * Copyright (c) 2003-2010 The ProFTPD Project team
+ * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307, USA.
+ *
+ * As a special exemption, the copyright holders give permission to link
+ * this program with OpenSSL and distribute the resulting executable without
+ * including the source code for OpenSSL in the source distribution.
+ */
+
+/* Use Solaris privileges to severely limit root's access. After user
+ * authentication, this module _completely_ gives up most privileges,
+ * except for the * bare minimum functionality that is required. 
+ * VERY highly recommended for security-consious admins.
+ *
+ * The concept of this was copied from the Linux mod_cap.  Solaris
+ * also has the concept of basic privileges that we can take away to further
+ * restrict a process lower than what a normal user process can do, this
+ * module removes some of those as well.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <priv.h>
+
+#include "conf.h"
+#include "privs.h"
+
+#define MOD_SOLARIS_PRIV_VERSION	"mod_solaris_priv/1.0"
+
+/* Configuration handlers
+ */
+
+#define	PRIV_USE_FILE_CHOWN		0x0001
+#define	PRIV_USE_FILE_CHOWN_SELF	0x0002
+#define	PRIV_USE_DAC_READ		0x0004
+#define	PRIV_USE_DAC_WRITE		0x0008
+#define	PRIV_USE_DAC_SEARCH		0x0010
+#define	PRIV_USE_SETID			0x0020
+#define	PRIV_USE_FILE_OWNER		0x0040
+#define	PRIV_DROP_FILE_WRITE		0x0080
+
+static unsigned int solaris_priv_flags = 0;
+static unsigned char use_privs = TRUE;
+
+MODRET set_solaris_priv(cmd_rec *cmd) {
+  unsigned int flags = 0;
+  config_rec *c = NULL;
+  register unsigned int i = 0;
+
+  if (cmd->argc - 1 < 1)
+    CONF_ERROR(cmd, "need at least one parameter");
+
+  CHECK_CONF(cmd, CONF_ROOT|CONF_VIRTUAL|CONF_GLOBAL);
+
+  /* PRIV_CHOWN is enabled by default. */
+  flags |= PRIV_USE_FILE_CHOWN;
+
+  for (i = 1; i < cmd->argc; i++) {
+    char *cp = cmd->argv[i];
+    cp++;
+
+    if (*cmd->argv[i] != '+' && *cmd->argv[i] != '-')
+      CONF_ERROR(cmd, pstrcat(cmd->tmp_pool, ": bad option: '",
+        cmd->argv[i], "'", NULL));
+
+    if (strcasecmp(cp, "PRIV_USE_FILE_CHOWN") == 0) {
+      if (*cmd->argv[i] == '-')
+        flags &= ~PRIV_USE_FILE_CHOWN;
+
+    } else if (strcasecmp(cp, "PRIV_FILE_CHOWN_SELF") == 0) {
+      if (*cmd->argv[i] == '-')
+        flags &= ~PRIV_USE_FILE_CHOWN_SELF;
+
+    } else if (strcasecmp(cp, "PRIV_DAC_READ") == 0) {
+      if (*cmd->argv[i] == '+')
+        flags |= PRIV_USE_DAC_READ;
+
+    } else if (strcasecmp(cp, "PRIV_DAC_WRITE") == 0) {
+      if (*cmd->argv[i] == '+')
+        flags |= PRIV_USE_DAC_WRITE;
+
+    } else if (strcasecmp(cp, "PRIV_DAC_SEARCH") == 0) {
+      if (*cmd->argv[i] == '+')
+        flags |= PRIV_USE_DAC_SEARCH;
+
+    } else if (strcasecmp(cp, "PRIV_FILE_OWNER") == 0) {
+      if (*cmd->argv[i] == '+')
+        flags |= PRIV_USE_FILE_OWNER;
+
+    } else {
+      CONF_ERROR(cmd, pstrcat(cmd->tmp_pool, "unknown privilege: '",
+        cp, "'", NULL));
+    }
+  }
+
+  c = add_config_param(cmd->argv[0], 1, NULL);
+  c->argv[0] = pcalloc(c->pool, sizeof(unsigned int));
+  *((unsigned int *) c->argv[0]) = flags;
+
+  return PR_HANDLED(cmd);
+}
+
+
+MODRET set_solaris_priv_engine(cmd_rec *cmd) {
+  int bool = -1;
+  config_rec *c = NULL;
+
+  CHECK_ARGS(cmd, 1);
+  CHECK_CONF(cmd, CONF_ROOT|CONF_VIRTUAL|CONF_GLOBAL);
+
+  bool = get_boolean(cmd, 1);
+  if (bool == -1)
+    CONF_ERROR(cmd, "expecting Boolean parameter");
+
+  c = add_config_param(cmd->argv[0], 1, NULL);
+  c->argv[0] = pcalloc(c->pool, sizeof(unsigned char));
+  *((unsigned char *) c->argv[0]) = bool;
+
+  return PR_HANDLED(cmd);
+}
+
+/* Command handlers
+ */
+
+/* The POST_CMD handler for "PASS" is only called after PASS has
+ * successfully completed, which means authentication is successful,
+ * so we can "tweak" our root access down to almost nothing.
+ */
+MODRET solaris_priv_post_pass(cmd_rec *cmd) {
+  int res = 0;
+  priv_set_t *p, *i;
+
+  if (!use_privs)
+    return PR_DECLINED(cmd);
+
+  pr_signals_block();
+
+  /* The only privilege we need is PRIV_NET_PRIVADDR (bind
+   * ports < 1024).  Everything else can be discarded.  We set this
+   * in the permitted set only, as when we switch away from root
+   * we lose effective anyhow, and must reset it.
+   *
+   * We also remove the basic Solaris privileges we know we will
+   * never need.
+   */
+
+  i = priv_allocset();
+  priv_basicset(i);
+  priv_delset(i, PRIV_PROC_EXEC);
+  priv_delset(i, PRIV_PROC_FORK);
+  priv_delset(i, PRIV_PROC_INFO);
+  priv_delset(i, PRIV_PROC_SESSION);
+  setppriv(PRIV_SET, PRIV_INHERITABLE, i);
+
+  p = priv_allocset();
+  priv_basicset(p);
+
+  priv_addset(p, PRIV_NET_PRIVADDR);
+  priv_addset(p, PRIV_PROC_AUDIT);
+
+  priv_delset(p, PRIV_PROC_EXEC);
+  priv_delset(p, PRIV_PROC_FORK);
+  priv_delset(p, PRIV_PROC_INFO);
+  priv_delset(p, PRIV_PROC_SESSION);
+
+  if (solaris_priv_flags & PRIV_USE_SETID)
+    priv_addset(p, PRIV_PROC_SETID);
+
+  /* Add any of the configurable privileges. */
+  if (solaris_priv_flags & PRIV_USE_FILE_CHOWN)
+    priv_addset(p, PRIV_FILE_CHOWN);
+
+  if (solaris_priv_flags & PRIV_USE_FILE_CHOWN_SELF)
+    priv_addset(p, PRIV_FILE_CHOWN_SELF);
+
+  if (solaris_priv_flags & PRIV_USE_DAC_READ)
+    priv_addset(p, PRIV_FILE_DAC_READ);
+
+  if (solaris_priv_flags & PRIV_USE_DAC_WRITE)
+    priv_addset(p, PRIV_FILE_DAC_WRITE);
+
+  if (solaris_priv_flags & PRIV_USE_DAC_SEARCH)
+    priv_addset(p, PRIV_FILE_DAC_SEARCH);
+
+  if (solaris_priv_flags & PRIV_USE_FILE_OWNER)
+    priv_addset(p, PRIV_FILE_OWNER);
+
+  if (solaris_priv_flags & PRIV_DROP_FILE_WRITE)
+    priv_delset(p, PRIV_FILE_WRITE);
+
+  res = setppriv(PRIV_SET, PRIV_PERMITTED, p);
+  res = setppriv(PRIV_SET, PRIV_EFFECTIVE, p);
+
+  if (setreuid(session.uid, session.uid) == -1) {
+    pr_log_pri(PR_LOG_ERR, MOD_SOLARIS_PRIV_VERSION ": setreuid: %s",
+	strerror(errno));
+    pr_signals_unblock();
+    end_login(1);
+  }
+  pr_signals_unblock();
+
+  if (res != -1) {
+    /* That's it!  Disable all further id switching */
+    session.disable_id_switching = TRUE;
+
+  } else {
+    pr_log_pri(PR_LOG_NOTICE, MOD_SOLARIS_PRIV_VERSION ": attempt to configure "
+      "capabilities failed, reverting to normal operation");
+  }
+
+  return PR_DECLINED(cmd);
+}
+
+/* The POST_CMD_ERR handler for "PASS" is only called after PASS has
+ * failed so we need only limited set of privs to complete cleanup and logging.
+ */
+MODRET solaris_priv_post_fail(cmd_rec *cmd) {
+  int res = 0;
+  priv_set_t *p, *i;
+
+  if (!use_privs)
+    return PR_DECLINED(cmd);
+
+  pr_signals_block();
+
+  /* The only privilege we need is PRIV_NET_PRIVADDR (bind
+   * ports < 1024).  Everything else can be discarded.  We set this
+   * in the permitted set only, as when we switch away from root
+   * we lose effective anyhow, and must reset it.
+   *
+   * We also remove the basic Solaris privileges we know we will
+   * never need.
+   */
+
+  i = priv_allocset();
+  priv_basicset(i);
+  priv_delset(i, PRIV_PROC_EXEC);
+  priv_delset(i, PRIV_PROC_FORK);
+  priv_delset(i, PRIV_PROC_INFO);
+  priv_delset(i, PRIV_PROC_SESSION);
+  setppriv(PRIV_SET, PRIV_INHERITABLE, i);
+
+  p = priv_allocset();
+  priv_basicset(p);
+
+  priv_addset(p, PRIV_NET_PRIVADDR);
+  priv_addset(p, PRIV_PROC_AUDIT);
+
+  priv_delset(p, PRIV_PROC_EXEC);
+  priv_delset(p, PRIV_PROC_FORK);
+  priv_delset(p, PRIV_PROC_INFO);
+  priv_delset(p, PRIV_PROC_SESSION);
+
+  res = setppriv(PRIV_SET, PRIV_PERMITTED, p);
+  res = setppriv(PRIV_SET, PRIV_EFFECTIVE, p);
+
+  if (setreuid(session.uid, session.uid) == -1) {
+    pr_log_pri(PR_LOG_ERR, MOD_SOLARIS_PRIV_VERSION ": setreuid: %s",
+	strerror(errno));
+    pr_signals_unblock();
+    end_login(1);
+  }
+  pr_signals_unblock();
+
+  if (res != -1) {
+    /* That's it!  Disable all further id switching */
+    session.disable_id_switching = TRUE;
+
+  } else {
+    pr_log_pri(PR_LOG_NOTICE, MOD_SOLARIS_PRIV_VERSION ": attempt to configure "
+      "capabilities failed, reverting to normal operation");
+  }
+
+  return PR_DECLINED(cmd);
+}
+
+/* Initialization routines
+ */
+
+static int solaris_priv_sess_init(void) {
+  /* Check to see if the lowering of capabilities has been disabled in the
+   * configuration file.
+   */
+  if (use_privs) {
+    unsigned char *solaris_priv_engine;
+
+    solaris_priv_engine = get_param_ptr(main_server->conf, "PrivilegeEngine", FALSE);
+    if (solaris_priv_engine &&
+        *solaris_priv_engine == FALSE) {
+      pr_log_debug(DEBUG3, MOD_SOLARIS_PRIV_VERSION
+        ": lowering of capabilities disabled");
+      use_privs = FALSE;
+    }
+  }
+
+  /* Check for which specific capabilities to include/exclude. */
+  if (use_privs) {
+    int use_setuid = FALSE;
+    config_rec *c;
+
+    c = find_config(main_server->conf, CONF_PARAM, "PrivilegeSet", FALSE);
+    if (c != NULL) {
+      solaris_priv_flags = *((unsigned int *) c->argv[0]);
+
+      if (!(solaris_priv_flags & PRIV_USE_FILE_CHOWN)) {
+        pr_log_debug(DEBUG3, MOD_SOLARIS_PRIV_VERSION
+          ": removing PRIV_CHOWN privilege");
+      }
+
+      if (solaris_priv_flags & PRIV_USE_DAC_READ) {
+        pr_log_debug(DEBUG3, MOD_SOLARIS_PRIV_VERSION
+          ": adding PRIV_FILE_DAC_READ privilege"); 
+      }
+
+      if (solaris_priv_flags & PRIV_USE_DAC_WRITE) {
+        pr_log_debug(DEBUG3, MOD_SOLARIS_PRIV_VERSION
+          ": adding PRIV_FILE_DAC_WRITE privilege"); 
+      }
+
+      if (solaris_priv_flags & PRIV_USE_DAC_SEARCH) {
+        pr_log_debug(DEBUG3, MOD_SOLARIS_PRIV_VERSION
+          ": adding PRIV_DAC_SEARCH privilege");
+      }
+
+      if (solaris_priv_flags & PRIV_USE_FILE_OWNER) {
+        pr_log_debug(DEBUG3, MOD_SOLARIS_PRIV_VERSION
+          ": adding PRIV_FILE_OWNER privilege");
+      }
+    }
+
+    c = find_config(main_server->conf, CONF_PARAM, "AllowOverwrite", FALSE);
+    if (c && *((int *) c->argv[0]) == FALSE) {
+        pr_log_debug(DEBUG3, MOD_SOLARIS_PRIV_VERSION
+          ": removing PRIV_FILE_WRITE basic privilege");
+        solaris_priv_flags |= PRIV_DROP_FILE_WRITE;
+    }
+	    
+
+    /* We also need to check for things which want to revoke root privs
+     * altogether: mod_exec, mod_sftp, and the RootRevoke directive.
+     * Revoking root privs completely requires the SETUID/SETGID
+     * capabilities.
+     */
+
+    if (use_setuid == FALSE &&
+        pr_module_exists("mod_sftp.c")) {
+      c = find_config(main_server->conf, CONF_PARAM, "SFTPEngine", FALSE);
+      if (c &&
+          *((int *) c->argv[0]) == TRUE) {
+        use_setuid = TRUE;
+      }
+    }
+
+    if (use_setuid == FALSE &&
+        pr_module_exists("mod_exec.c")) {
+      c = find_config(main_server->conf, CONF_PARAM, "ExecEngine", FALSE);
+      if (c &&
+          *((unsigned char *) c->argv[0]) == TRUE) {
+        use_setuid = TRUE;
+      }
+    }
+
+    if (use_setuid == FALSE) {
+      c = find_config(main_server->conf, CONF_PARAM, "RootRevoke", FALSE);
+      if (c &&
+          *((unsigned char *) c->argv[0]) == TRUE) {
+        use_setuid = TRUE;
+      }
+    }
+
+    if (use_setuid) {
+      solaris_priv_flags |= PRIV_USE_SETID;
+      pr_log_debug(DEBUG3, MOD_SOLARIS_PRIV_VERSION
+        ": adding PRIV_SETID ");
+    }
+
+  }
+
+  return 0;
+}
+
+static int solaris_priv_module_init(void) {
+
+  return 0;
+}
+
+
+/* Module API tables
+ */
+
+static conftable solaris_priv_conftab[] = {
+  { "PrivilegeEngine", set_solaris_priv_engine, NULL },
+  { "PrivilegeSet",    set_solaris_priv,        NULL },
+  { NULL, NULL, NULL }
+};
+
+static cmdtable solaris_priv_cmdtab[] = {
+  { POST_CMD, C_PASS, G_NONE, solaris_priv_post_pass, FALSE, FALSE },
+  { POST_CMD_ERR, C_PASS, G_NONE, solaris_priv_post_fail, FALSE, FALSE },
+  { 0, NULL }
+};
+
+module solaris_priv_module = {
+  NULL, NULL,
+
+  /* Module API version */
+  0x20,
+
+  /* Module name */
+  "cap",
+
+  /* Module configuration handler table */
+  solaris_priv_conftab,
+
+  /* Module command handler table */
+  solaris_priv_cmdtab,
+
+  /* Module authentication handler table */
+  NULL,
+
+  /* Module initialization */
+  solaris_priv_module_init,
+
+  /* Session initialization */
+  solaris_priv_sess_init,
+
+  /* Module version */
+  MOD_SOLARIS_PRIV_VERSION
+};
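Review bot: In solaris_priv_post_pass, the result of `res = setppriv(PRIV_SET, PRIV_PERMITTED, p);` is overwritten by the PRIV_EFFECTIVE call on the next line, and the return value of the earlier PRIV_INHERITABLE call is discarded. A failure to shrink the permitted or inheritable set therefore goes unnoticed, and `session.disable_id_switching = TRUE` is still set as if the drop had fully succeeded. solaris_priv_post_fail repeats the same sequence and needs the same change. Each call should be checked separately, and both sets should be released with priv_freeset(), since neither handler frees what priv_allocset() returned or checks it for NULL. The failure branch only logs at PR_LOG_NOTICE and lets the session continue with whatever privileges remain; for a hardening module, whether to end the session instead deserves an explicit decision.

```c
  /* … unchanged: building the inheritable set i … */
  if (setppriv(PRIV_SET, PRIV_INHERITABLE, i) == -1)
    res = -1;

  /* … unchanged: building the permitted set p … */

  /* Keep the first failure rather than overwriting it with the next result. */
  if (setppriv(PRIV_SET, PRIV_PERMITTED, p) == -1)
    res = -1;
  if (setppriv(PRIV_SET, PRIV_EFFECTIVE, p) == -1)
    res = -1;

  priv_freeset(i);
  priv_freeset(p);

  /* … unchanged: setreuid(), pr_signals_unblock(), res check … */
```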
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/proftpd/patches/proftpd-configuration-html.patch	Wed Jun 15 01:09:08 2011 -0700
@@ -0,0 +1,12280 @@
+--- proftpd-1.3.3e/doc/Configuration.html	Fri Oct  5 17:38:32 2007
++++ proftpd-1.3.3e/doc/Configuration.html	Wed Apr  6 10:47:44 2011
+@@ -3,9 +3,7 @@
+ ><HEAD
+ ><TITLE
+ >Configuration Directive List</TITLE
+-><META
+-NAME="GENERATOR"
+-CONTENT="Modular DocBook HTML Stylesheet Version 1.79"></HEAD
++><meta name="generator" content="Bluefish 2.0.2" ></HEAD
+ ><BODY
+ CLASS="BOOK"
+ BGCOLOR="#FFFFFF"
+@@ -113,11 +111,6 @@
+ >&nbsp;--&nbsp;User based allow rules</DT
+ ><DT
+ ><A
+-HREF="#ANONRATIO"
+->&#13;AnonRatio</A
+->&nbsp;--&nbsp;Ratio directive</DT
+-><DT
+-><A
+ HREF="#ANONREJECTPASSWORDS"
+ >&#13;AnonRejectPasswords</A
+ >&nbsp;--&nbsp;Block certain anonymous user passwords</DT
+@@ -178,21 +171,6 @@
+ >&nbsp;--&nbsp;Bind the server or Virtualhost to a specific IP address [deprecated]</DT
+ ><DT
+ ><A
+-HREF="#BYTERATIOERRMSG"
+->&#13;ByteRatioErrMsg</A
+->&nbsp;--&nbsp;Ratio directive</DT
+-><DT
+-><A
+-HREF="#CAPABILITIESENGINE"
+->&#13;CapabilitiesEngine</A
+->&nbsp;--&nbsp;Enable/disable mod_cap</DT
+-><DT
+-><A
+-HREF="#CAPABILITIESSET"
+->&#13;CapabilitiesSet</A
+->&nbsp;--&nbsp;Configure the set of Linux capabilities processed</DT
+-><DT
+-><A
+ HREF="#CDPATH"
+ >&#13;CDPath</A
+ >&nbsp;--&nbsp;Sets "search paths" for the cd command</DT
+@@ -218,11 +196,6 @@
+ >&nbsp;--&nbsp;Create and populate users' home directories as needed</DT
+ ><DT
+ ><A
+-HREF="#CWDRATIOMSG"
+->&#13;CwdRatioMsg</A
+->&nbsp;--&nbsp;Ratio directive</DT
+-><DT
+-><A
+ HREF="#DEBUGLEVEL"
+ >&#13;DebugLevel</A
+ >&nbsp;--&nbsp;Set the debugging output level</DT
+@@ -364,21 +337,11 @@
+ >&nbsp;--&nbsp;Set the file to display on quit</DT
+ ><DT
+ ><A
+-HREF="#DISPLAYREADME"
+->&#13;DisplayReadme</A
+->&nbsp;--&nbsp;Enable display of file modification times on a file pattern</DT
+-><DT
+-><A
+ HREF="#EXTENDEDLOG"
+ >&#13;ExtendedLog</A
+ >&nbsp;--&nbsp;Specify custom logfiles</DT
+ ><DT
+ ><A
+-HREF="#FILERATIOERRMSG"
+->&#13;FileRatioErrMsg</A
+->&nbsp;--&nbsp;(docs incomplete)</DT
+-><DT
+-><A
+ HREF="#GLOBAL"
+ >&#13;Global</A
+ >&nbsp;--&nbsp;Set some directives to apply across the entire daemon</DT
+@@ -399,11 +362,6 @@
+ >&nbsp;--&nbsp;Set a group-wide password</DT
+ ><DT
+ ><A
+-HREF="#GROUPRATIO"
+->&#13;GroupRatio</A
+->&nbsp;--&nbsp;Ratio directive</DT
+-><DT
+-><A
+ HREF="#HIDDENSTOR"
+ >&#13;HiddenStor</A
+ >&nbsp;--&nbsp;Enables more safe file uploads [deprecated]</DT
+@@ -435,11 +393,6 @@
+ >&nbsp;--&nbsp;Enable hiding of files based on user owner</DT
+ ><DT
+ ><A
+-HREF="#HOSTRATIO"
+->&#13;HostRatio</A
+->&nbsp;--&nbsp;Ratio directive</DT
+-><DT
+-><A
+ HREF="#IDENTLOOKUPS"
+ >&#13;IdentLookups</A
+ >&nbsp;--&nbsp;Toggle ident lookups</DT
+@@ -465,170 +418,6 @@
+ >&nbsp;--&nbsp;Load additional configuration directives from a file</DT
+ ><DT
+ ><A
+-HREF="#LDAPALIASDEREFERENCE"
+->&#13;    LDAPAliasDereference</A
+->&nbsp;--&nbsp;Specify how LDAP alias dereferencing is done</DT
+-><DT
+-><A
+-HREF="#LDAPATTR"
+->&#13;LDAPAttr</A
+->&nbsp;--&nbsp;Map LDAP Attributes to something non standard</DT
+-><DT
+-><A
+-HREF="#LDAPAUTHBINDS"
+->&#13;			LDAPAuthBinds</A
+->&nbsp;--&nbsp;(docs incomplete)</DT
+-><DT
+-><A
+-HREF="#LDAPDEFAULTAUTHSCHEME"
+->&#13;			LDAPDefaultAuthScheme</A
+->&nbsp;--&nbsp;			Set the authentication scheme/hash that is used when no leading
+-			{hashname} is present.
+-		</DT
+-><DT
+-><A
+-HREF="#LDAPDEFAULTGID"
+->&#13;			LDAPDefaultGID</A
+->&nbsp;--&nbsp;			Set the default GID to be assigned to users when no uidNumber
+-			attribute is found.
+-		</DT
+-><DT
+-><A
+-HREF="#LDAPDEFAULTUID"
+->&#13;			LDAPDefaultUID</A
+->&nbsp;--&nbsp;			Set the default UID to be assigned to users when no uidNumber
+-			attribute is found.
+-		</DT
+-><DT
+-><A
+-HREF="#LDAPDNINFO"
+->&#13;			LDAPDNInfo</A
+->&nbsp;--&nbsp;Set DN information to be used for initial bind</DT
+-><DT
+-><A
+-HREF="#LDAPDOAUTH"
+->&#13;			LDAPDoAuth</A
+->&nbsp;--&nbsp;Enable LDAP authentication</DT
+-><DT
+-><A
+-HREF="#LDAPDOGIDLOOKUPS"
+->&#13;			LDAPDoGIDLookups</A
+->&nbsp;--&nbsp;			Enable LDAP lookups for user group membership and GIDs in
+-			directory listings
+-		</DT
+-><DT
+-><A
+-HREF="#LDAPDOQUOTALOOKUPS"
+->&#13;			LDAPDoQuotaLookups</A
+->&nbsp;--&nbsp;Enable LDAP quota limit support</DT
+-><DT
+-><A
+-HREF="#LDAPDOUIDLOOKUPS"
+->&#13;      LDAPDoUIDLookups</A
+->&nbsp;--&nbsp;      Enable LDAP lookups for UIDs in directory listings
+-    </DT
+-><DT
+-><A
+-HREF="#LDAPFORCEDEFAULTGID"
+->&#13;			LDAPForceDefaultGID</A
+->&nbsp;--&nbsp;Force all LDAP-authenticated users to use the same GID.</DT
+-><DT
+-><A
+-HREF="#LDAPFORCEDEFAULTUID"
+->&#13;			LDAPForceDefaultUID</A
+->&nbsp;--&nbsp;Force all LDAP-authenticated users to use the same UID.</DT
+-><DT
+-><A
+-HREF="#LDAPFORCEGENERATEDHOMEDIR"
+->&#13;      LDAPForceGeneratedHomedir</A
+->&nbsp;--&nbsp;      Force all LDAP-authenticated users to use the default HomeDironDemand
+-      prefix/suffix.
+-    </DT
+-><DT
+-><A
+-HREF="#LDAPFORCEHOMEDIRONDEMAND"
+->&#13;      LDAPForceHomedirOnDemand</A
+->&nbsp;--&nbsp;      Force all LDAP-authenticated users to use the default HomeDironDemand
+-      prefix/suffix. [deprecated]
+-    </DT
+-><DT
+-><A
+-HREF="#LDAPGENERATEHOMEDIR"
+->&#13;			LDAPGenerateHomedir</A
+->&nbsp;--&nbsp;			Enable the creation of user home directories on demand
+-		</DT
+-><DT
+-><A
+-HREF="#LDAPGENERATEHOMEDIRPREFIX"
+->&#13;			LDAPGenerateHomedirPrefix</A
+->&nbsp;--&nbsp;			Enable the creation of user home directories on demand
+-		</DT
+-><DT
+-><A
+-HREF="#LDAPGENERATEHOMEDIRPREFIXNOUSERNAME"
+->&#13;LDAPGenerateHomedirPrefixNoUsername</A
+->&nbsp;--&nbsp;(docs incomplete)</DT
+-><DT
+-><A
+-HREF="#LDAPHOMEDIRONDEMAND"
+->&#13;			LDAPHomedirOnDemand</A
+->&nbsp;--&nbsp;			Enable the creation of user home directories on demand [deprecated]
+-		</DT
+-><DT
+-><A
+-HREF="#LDAPHOMEDIRONDEMANDPREFIX"
+->&#13;			LDAPHomedirOnDemandPrefix</A
+->&nbsp;--&nbsp;			Enable the creation of user home directories on demand [deprecated]
+-		</DT
+-><DT
+-><A
+-HREF="#LDAPHOMEDIRONDEMANDPREFIXNOUSERNAME"
+->&#13;LDAPHomedirOnDemandPrefixNoUsername</A
+->&nbsp;--&nbsp;(docs incomplete)</DT
+-><DT
+-><A
+-HREF="#LDAPHOMEDIRONDEMANDSUFFIX"
+->&#13;			LDAPHomedirOnDemandSuffix</A
+->&nbsp;--&nbsp;			Specify an additional directory to be created inside a user's
+-			home directory on demand. [deprecated]
+-		</DT
+-><DT
+-><A
+-HREF="#LDAPNEGATIVECACHE"
+->&#13;			LDAPNegativeCache</A
+->&nbsp;--&nbsp;Enable negative caching for LDAP lookups</DT
+-><DT
+-><A
+-HREF="#LDAPPROTOCOLVERSION"
+->&#13;LDAPProtocolVersion</A
+->&nbsp;--&nbsp;Set the LDAP protocol version</DT
+-><DT
+-><A
+-HREF="#LDAPQUERYTIMEOUT"
+->&#13;			LDAPQueryTimeout</A
+->&nbsp;--&nbsp;Set a timeout for LDAP queries</DT
+-><DT
+-><A
+-HREF="#LDAPSEARCHSCOPE"
+->&#13;			LDAPSearchScope</A
+->&nbsp;--&nbsp;Specify the search scope used in LDAP queries</DT
+-><DT
+-><A
+-HREF="#LDAPSERVER"
+->&#13;			LDAPServer</A
+->&nbsp;--&nbsp;Specify the LDAP server to use for lookups</DT
+-><DT
+-><A
+-HREF="#LDAPUSETLS"
+->&#13;			LDAPUseTLS</A
+->&nbsp;--&nbsp;Enable TLS/SSL connections to the LDAP server.</DT
+-><DT
+-><A
+-HREF="#LEECHRATIOMSG"
+->&#13;LeechRatioMsg</A
+->&nbsp;--&nbsp;Sets the 'over ratio' error message</DT
+-><DT
+-><A
+ HREF="#LIMIT"
+ >&#13;Limit</A
+ >&nbsp;--&nbsp;Set the commands/actions to be controlled</DT
+@@ -749,86 +538,11 @@
+ >&nbsp;--&nbsp;Set the port for the control socket</DT
+ ><DT
+ ><A
+-HREF="#RADIUSACCTSERVER"
+->&#13;RadiusAcctServer</A
+->&nbsp;--&nbsp;Setup RADIUS accounting details</DT
+-><DT
+-><A
+-HREF="#RADIUSAUTHSERVER"
+->&#13;RadiusAuthServer</A
+->&nbsp;--&nbsp;Setup RADIUS authenticator details</DT
+-><DT
+-><A
+-HREF="#RADIUSENGINE"
+->&#13;RadiusEngine</A
+->&nbsp;--&nbsp;Enable RADIUS support</DT
+-><DT
+-><A
+-HREF="#RADIUSLOG"
+->&#13;RadiusLog</A
+->&nbsp;--&nbsp;Specify the logfile for reporting / debugging</DT
+-><DT
+-><A
+-HREF="#RADIUSREALM"
+->&#13;RadiusRealm</A
+->&nbsp;--&nbsp;Setup the authentication realm</DT
+-><DT
+-><A
+-HREF="#RADIUSUSERINFO"
+->&#13;RadiusUserInfo</A
+->&nbsp;--&nbsp;Configure login information via RADIUS</DT
+-><DT
+-><A
+-HREF="#RATIOFILE"
+->&#13;RatioFile</A
+->&nbsp;--&nbsp;Ratio directive</DT
+-><DT
+-><A
+-HREF="#RATIOS"
+->&#13;Ratios</A
+->&nbsp;--&nbsp;(docs incomplete)</DT
+-><DT
+-><A
+-HREF="#RATIOTEMPFILE"
+->&#13;RatioTempFile</A
+->&nbsp;--&nbsp;Ratio directive</DT
+-><DT
+-><A
+ HREF="#REQUIREVALIDSHELL"
+ >&#13;RequireValidShell</A
+ >&nbsp;--&nbsp;Allow connections based on /etc/shells</DT
+ ><DT
+ ><A
+-HREF="#REWRITECONDITION"
+->&#13;RewriteCondition</A
+->&nbsp;--&nbsp;Define a rule condition</DT
+-><DT
+-><A
+-HREF="#REWRITEENGINE"
+->&#13;RewriteEngine</A
+->&nbsp;--&nbsp;Enable/disable mod_rewrite</DT
+-><DT
+-><A
+-HREF="#REWRITELOCK"
+->&#13;RewriteLock</A
+->&nbsp;--&nbsp;Set the filename for synchronization lockfile</DT
+-><DT
+-><A
+-HREF="#REWRITELOG"
+->&#13;RewriteLog</A
+->&nbsp;--&nbsp;Specify a log file for mod_rewrite reporting</DT
+-><DT
+-><A
+-HREF="#REWRITEMAP"
+->&#13;RewriteMap</A
+->&nbsp;--&nbsp;Define a rewrite map</DT
+-><DT
+-><A
+-HREF="#REWRITERULE"
+->&#13;RewriteRule</A
+->&nbsp;--&nbsp;Define a rewrite rule</DT
+-><DT
+-><A
+ HREF="#RLIMITCPU"
+ >&#13;RLimitCPU</A
+ >&nbsp;--&nbsp;Configure the maximum CPU time in seconds used by a process</DT
+@@ -854,11 +568,6 @@
+ >&nbsp;--&nbsp;Drop root privileges completely</DT
+ ><DT
+ ><A
+-HREF="#SAVERATIOS"
+->&#13;SaveRatios</A
+->&nbsp;--&nbsp;FIXME FIXME</DT
+-><DT
+-><A
+ HREF="#SCOREBOARDFILE"
+ >&#13;ScoreboardFile</A
+ >&nbsp;--&nbsp;Sets the name and path of the scoreboard file</DT
+@@ -891,7 +600,7 @@
+ ><A
+ HREF="#SETENV"
+ >&#13;SetEnv</A
+->&nbsp;--&nbsp;(docs incomplete)</DT
++>&nbsp;--&nbsp;Set environment variable</DT
+ ><DT
+ ><A
+ HREF="#SHOWSYMLINKS"
+@@ -909,131 +618,6 @@
+ >&nbsp;--&nbsp;Tune socket-level options</DT
+ ><DT
+ ><A
+-HREF="#SQLAUTHENTICATE"
+->&#13;    SQLAuthenticate</A
+->&nbsp;--&nbsp;    Specify authentication methods and what to authenticate 
+-  </DT
+-><DD
+-><DL
+-><DT
+-><A
+-HREF="#AEN8505"
+->Group Table Structure</A
+-></DT
+-></DL
+-></DD
+-><DT
+-><A
+-HREF="#SQLAUTHTYPES"
+->&#13;SQLAuthTypes</A
+->&nbsp;--&nbsp;Specify the allowed authentication types and their check order</DT
+-><DT
+-><A
+-HREF="#SQLBACKEND"
+->&#13;SQLBackend</A
+->&nbsp;--&nbsp;Set the SQL backend module</DT
+-><DT
+-><A
+-HREF="#SQLCONNECTINFO"
+->&#13;SQLConnectInfo</A
+->&nbsp;--&nbsp;Specify connection information for the backend</DT
+-><DT
+-><A
+-HREF="#SQLDEFAULTGID"
+->&#13;SQLDefaultGID</A
+->&nbsp;--&nbsp;Configure the default GID for users</DT
+-><DT
+-><A
+-HREF="#SQLDEFAULTHOMEDIR"
+->&#13;SQLDefaultHomedir</A
+->&nbsp;--&nbsp;Configure the default homedir</DT
+-><DT
+-><A
+-HREF="#SQLDEFAULTUID"
+->&#13;SQLDefaultUID</A
+->&nbsp;--&nbsp;Configure the default UID for users</DT
+-><DT
+-><A
+-HREF="#SQLENGINE"
+->&#13;SQLEngine</A
+->&nbsp;--&nbsp;Configure how mod_sql will operate</DT
+-><DT
+-><A
+-HREF="#SQLGROUPINFO"
+->&#13;SQLGroupInfo</A
+->&nbsp;--&nbsp;Configure the group table and fields that hold group information</DT
+-><DT
+-><A
+-HREF="#SQLGROUPWHERECLAUSE"
+->&#13;SQLGroupWhereClause</A
+->&nbsp;--&nbsp;Configure a WHERE clause for every group query</DT
+-><DT
+-><A
+-HREF="#SQLHOMEDIRONDEMAND"
+->&#13;SQLHomedirOnDemand</A
+->&nbsp;--&nbsp;Have mod_sql create home directories as needed [deprecated]</DT
+-><DT
+-><A
+-HREF="#SQLLOG"
+->&#13;SQLLog</A
+->&nbsp;--&nbsp;Log information to a database table</DT
+-><DT
+-><A
+-HREF="#SQLLOGFILE"
+->&#13;SQLLogFile</A
+->&nbsp;--&nbsp;Specify a log file for mod_sql reporting and debugging</DT
+-><DT
+-><A
+-HREF="#SQLMINID"
+->&#13;SQLMinID</A
+->&nbsp;--&nbsp;Set SQLMinUserGID and SQLMinUserID in one place</DT
+-><DT
+-><A
+-HREF="#SQLMINUSERGID"
+->&#13;SQLMinUserGID</A
+->&nbsp;--&nbsp;Set a minimum GID</DT
+-><DT
+-><A
+-HREF="#SQLMINUSERUID"
+->&#13;SQLMinUserUID</A
+->&nbsp;--&nbsp;Set a minimum UID</DT
+-><DT
+-><A
+-HREF="#SQLNAMEDQUERY"
+->&#13;SQLNamedQuery</A
+->&nbsp;--&nbsp;Specify a query and an identifier for SQLShowInfo and SQLLog</DT
+-><DT
+-><A
+-HREF="#SQLNEGATIVECACHE"
+->&#13;			SQLNegativeCache</A
+->&nbsp;--&nbsp;Enable negative caching for SQL lookups</DT
+-><DT
+-><A
+-HREF="#SQLRATIOS"
+->&#13;SQLRatios</A
+->&nbsp;--&nbsp;(docs incomplete)</DT
+-><DT
+-><A
+-HREF="#SQLRATIOSTATS"
+->&#13;SQLRatioStats</A
+->&nbsp;--&nbsp;(docs incomplete)</DT
+-><DT
+-><A
+-HREF="#SQLSHOWINFO"
+->&#13;SQLShowInfo</A
+->&nbsp;--&nbsp;Create a message to be sent to the user after any successful command</DT
+-><DT
+-><A
+-HREF="#SQLUSERINFO"
+->&#13;SQLUserInfo</A
+->&nbsp;--&nbsp;Configure the user table and fields that hold user information</DT
+-><DT
+-><A
+-HREF="#SQLUSERWHERECLAUSE"
+->&#13;SQLUserWhereClause</A
+->&nbsp;--&nbsp;Configure a WHERE clause for every user query&#60;</DT
+-><DT
+-><A
+ HREF="#STOREUNIQUEPREFIX"
+ >&#13;StoreUniquePrefix</A
+ >&nbsp;--&nbsp;Set the prefix to be added to uniquely generated filenames</DT
+@@ -1186,7 +770,7 @@
+ ><A
+ HREF="#TLSPASSPHRASEPROVIDER"
+ >&#13;TLSPassPhraseProvider</A
+->&nbsp;--&nbsp;FIXFIXFIX</DT
++>&nbsp;--&nbsp;Configure external provider for key</DT
+ ><DT
+ ><A
+ HREF="#TLSPROTOCOL"
+@@ -1246,7 +830,7 @@
+ ><A
+ HREF="#UNSETENV"
+ >&#13;UnsetEnv</A
+->&nbsp;--&nbsp;(docs incomplete)</DT
++>&nbsp;--&nbsp;Unset environment variable</DT
+ ><DT
+ ><A
+ HREF="#USEFTPUSERS"
+@@ -1294,11 +878,6 @@
+ >&nbsp;--&nbsp;Creates a hardcoded username/password pair</DT
+ ><DT
+ ><A
+-HREF="#USERRATIO"
+->&#13;UserRatio</A
+->&nbsp;--&nbsp;Ratio directive</DT
+-><DT
+-><A
+ HREF="#USESENDFILE"
+ >&#13;UseSendfile</A
+ >&nbsp;--&nbsp;Toggles use of sendfile() functionality</DT
+@@ -1348,11 +927,6 @@
+ >&nbsp;--&nbsp;Prevent information leak through timing attacks</DT
+ ><DT
+ ><A
+-HREF="#MOD-LDAP"
+->&#13;			mod_ldap</A
+->&nbsp;--&nbsp;LDAP authentication support</DT
+-><DT
+-><A
+ HREF="#MOD-LOG"
+ >&#13;mod_log</A
+ >&nbsp;--&nbsp;Logging support</DT
+@@ -1363,31 +937,6 @@
+ >&nbsp;--&nbsp;file listing functionality</DT
+ ><DT
+ ><A
+-HREF="#MOD-RADIUS"
+->&#13;mod_radius</A
+->&nbsp;--&nbsp;RADIUS based authentication support</DT
+-><DT
+-><A
+-HREF="#MOD-RATIO"
+->&#13;mod_ratio</A
+->&nbsp;--&nbsp;FIX ME FIX ME</DT
+-><DT
+-><A
+-HREF="#MOD-README"
+->&#13;mod_readme</A
+->&nbsp;--&nbsp;"README" file support</DT
+-><DT
+-><A
+-HREF="#AEN12975"
+-></A
+->&nbsp;--&nbsp;</DT
+-><DT
+-><A
+-HREF="#MOD-SQL"
+->&#13;mod_sql</A
+->&nbsp;--&nbsp;SQL support module</DT
+-><DT
+-><A
+ HREF="#MOD-TLS"
+ >&#13;mod_tls</A
+ >&nbsp;--&nbsp;TLS/SSL support module</DT
+@@ -1400,7 +949,7 @@
+ ><A
+ HREF="#MOD-XFER"
+ >&#13;mod_xfer</A
+->&nbsp;--&nbsp;FIX ME FIX ME</DT
++>&nbsp;--&nbsp;control transfer</DT
+ ></DL
+ ></DD
+ ><DT
+@@ -1465,26 +1014,6 @@
+ ></DL
+ ></DIV
+ ><DIV
+-CLASS="LOT"
+-><DL
+-CLASS="LOT"
+-><DT
+-><B
+->List of Examples</B
+-></DT
+-><DT
+->1-1. <A
+-HREF="#EXAMPLE-USERMAP"
+->Example Usermap</A
+-></DT
+-><DT
+->1-2. <A
+-HREF="#EXAMPLE-FIFONAMEDPIPE"
+->Example FIFO/Named Pipe 1:1 mapping</A
+-></DT
+-></DL
+-></DIV
+-><DIV
+ CLASS="CHAPTER"
+ ><HR><H1
+ ><A
+@@ -3216,113 +2745,6 @@
+ ></DIV
+ ><H1
+ ><A
+-NAME="ANONRATIO"
+-></A
+->
+-AnonRatio</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN701"
+-></A
+-><H2
+->Name</H2
+->AnonRatio&nbsp;--&nbsp;Ratio directive</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN704"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->AnonRatio</B
+->  [  <CODE
+-CLASS="OPTION"
+->foo1 foo2 foo3</CODE
+->]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->None known</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->&lt;Directory&gt;, &lt;Anonymous&gt;, &lt;Limit&gt;,.ftpaccess</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_ratio</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->at least 1.2.0 and later</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN731"
+-></A
+-><H2
+->Description</H2
+-><P
+->The AnonRatio directive ....</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN734"
+-></A
+-><H2
+->See also</H2
+-><P
+->AnonRatio</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN737"
+-></A
+-><H2
+->Examples</H2
+-><P
+-></P
+-></DIV
+-><H1
+-><A
+ NAME="ANONREJECTPASSWORDS"
+ ></A
+ >
+@@ -4845,320 +4267,6 @@
+ ></DIV
+ ><H1
+ ><A
+-NAME="BYTERATIOERRMSG"
+-></A
+->
+-ByteRatioErrMsg</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN1336"
+-></A
+-><H2
+->Name</H2
+->ByteRatioErrMsg&nbsp;--&nbsp;Ratio directive</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN1339"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->ByteRatioErrMsg</B
+->  [  <CODE
+-CLASS="OPTION"
+->foo1 foo2 foo3</CODE
+->]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->None known</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->&lt;Directory&gt;, &lt;Anonymous&gt;, &lt;Limit&gt;,.ftpaccess</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_ratio</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->at least 1.2.0 and later</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN1366"
+-></A
+-><H2
+->Description</H2
+-><P
+->The ByteRatioErrMsg directive ....
+-Example:
+-ByteRatioErrMsg</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN1369"
+-></A
+-><H2
+->See also</H2
+-><P
+-></P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN1372"
+-></A
+-><H2
+->Examples</H2
+-><P
+-></P
+-></DIV
+-><H1
+-><A
+-NAME="CAPABILITIESENGINE"
+-></A
+->
+-CapabilitiesEngine</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN1383"
+-></A
+-><H2
+->Name</H2
+->CapabilitiesEngine&nbsp;--&nbsp;Enable/disable mod_cap</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN1386"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->CapabilitiesEngine</B
+->  [  <CODE
+-CLASS="OPTION"
+->on</CODE
+->
+-  <CODE
+-CLASS="OPTION"
+->off</CODE
+->]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->CapabilitiesEngine On, if running on a Linux hosts that supports capabilities</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->server config, &lt;VirtualHost&gt;, &lt;Global&gt;</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_cap</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->1.2.8rc1 and later</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN1414"
+-></A
+-><H2
+->Description</H2
+-><P
+->The CapabilitiesEngine directive enables or disables the module's
+-  runtime capabilities engine. If set to off, this module does no runtime
+-  capabilities processing at all. Use this directive to disable the
+-  module.</P
+-></DIV
+-><H1
+-><A
+-NAME="CAPABILITIESSET"
+-></A
+->
+-CapabilitiesSet</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN1425"
+-></A
+-><H2
+->Name</H2
+->CapabilitiesSet&nbsp;--&nbsp;Configure the set of Linux capabilities processed</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN1428"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->CapabilitiesSet</B
+->  [  <CODE
+-CLASS="OPTION"
+->[+/-]capability</CODE
+->...]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->CapabilitiesSet +CAP_CHOWN</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->server config, &lt;VirtualHost&gt;, &lt;Global&gt;</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_cap</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->1.2.8rc1 and later</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN1455"
+-></A
+-><H2
+->Description</H2
+-><P
+->By default, mod_cap removes all but two capabilities from the
+-  session-handling process: CAP_NET_BIND_SERVICE, for binding to ports lower
+-  than 1024 (required for active data transfers), and CAP_CHOWN, for
+-  allowing a process to change a file's ownership to a different user. The
+-  latter capability is only strictly necessary if the UserOwner
+-  configuration directive is in use; if not being used, the CAP_CHOWN
+-  capability is best removed. The CapabilitiesSet directive is used to
+-  manipulate the set of capabilities that mod_cap grants.</P
+-><P
+->To remove a capability, prefix the name with a '-'; to enable a
+-  capability, use '+'. At present, this directive only supports one
+-  capability: CAP_CHOWN.</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN1459"
+-></A
+-><H2
+->Example</H2
+-><P
+->  &lt;IfModule mod_cap.c&gt;
+-    CapabilitiesEngine on
+-    CapabilitiesSet -CAP_CHOWN
+-  &lt;/IfModule&gt;</P
+-></DIV
+-><H1
+-><A
+ NAME="CDPATH"
+ ></A
+ >
+@@ -5781,115 +4889,6 @@
+ ></DIV
+ ><H1
+ ><A
+-NAME="CWDRATIOMSG"
+-></A
+->
+-CwdRatioMsg</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN1720"
+-></A
+-><H2
+->Name</H2
+->CwdRatioMsg&nbsp;--&nbsp;Ratio directive</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN1723"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->CwdRatioMsg</B
+->  [  <CODE
+-CLASS="OPTION"
+->foo1 foo2 foo3</CODE
+->]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->None known</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->&lt;Directory&gt;, &lt;Anonymous&gt;, &lt;Limit&gt;,.ftpaccess</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_ratio</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->at least 1.2.0 and later</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN1750"
+-></A
+-><H2
+->Description</H2
+-><P
+->The CwdRatioMsg directive ....
+-Example:
+-CwdRatioMsg</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN1753"
+-></A
+-><H2
+->See also</H2
+-><P
+-></P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN1756"
+-></A
+-><H2
+->Examples</H2
+-><P
+-></P
+-></DIV
+-><H1
+-><A
+ NAME="DEBUGLEVEL"
+ ></A
+ >
+@@ -9452,128 +8451,6 @@
+ ></DIV
+ ><H1
+ ><A
+-NAME="DISPLAYREADME"
+-></A
+->
+-DisplayReadme</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN3148"
+-></A
+-><H2
+->Name</H2
+->DisplayReadme&nbsp;--&nbsp;Enable display of file modification times on a file pattern</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN3151"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->DisplayReadme</B
+->  [  <CODE
+-CLASS="OPTION"
+->DisplayReadme filename or pattern</CODE
+->]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->None</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->server config, &lt;VirtualHost&gt;, &lt;Anonymous&gt;, &lt;Global&gt;</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_readme</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->1.2.0pre8 and later</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN3178"
+-></A
+-><H2
+->Description</H2
+-><P
+->Module: mod_readme
+-The DisplayReadme directive notifies the user of the last change date of the 
+-specified file or pattern. Only a single DisplayReadme directive is allowed per configuration 
+-scope. 
+-DisplayReadme README
+-Will result in:
+-Please read the file README it was last modified on Sun Oct 17 10:36:14 
+-1999 - 0 days ago 
+-Being displayed to the user on a cwd. 
+-DisplayReadmePattern README*
+-Will result in:
+-Please read the file README
+-it was last modified on Tue Jan 25 04:47:48 2000 - 0 days ago
+-Please read the file README.first
+-it was last modified on Tue Jan 25 04:48:04 2000 - 0 days ago
+-Being displayed to the user on a cwd. </P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN3181"
+-></A
+-><H2
+->See also</H2
+-><P
+-></P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN3184"
+-></A
+-><H2
+->Examples</H2
+-><P
+-></P
+-></DIV
+-><H1
+-><A
+ NAME="EXTENDEDLOG"
+ ></A
+ >
+@@ -9733,115 +8610,6 @@
+ ></DIV
+ ><H1
+ ><A
+-NAME="FILERATIOERRMSG"
+-></A
+->
+-FileRatioErrMsg</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN3249"
+-></A
+-><H2
+->Name</H2
+->FileRatioErrMsg&nbsp;--&nbsp;(docs incomplete)</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN3252"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->FileRatioErrMsg</B
+->  [  <CODE
+-CLASS="OPTION"
+->FileRatioErrMsg foo1 foo2 foo3</CODE
+->]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->None known</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->&lt;Directory&gt;, &lt;Anonymous&gt;, &lt;Limit&gt;,.ftpaccess</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_ratio</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->at least 1.2.0 and later</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN3279"
+-></A
+-><H2
+->Description</H2
+-><P
+->The FileRatioErrMsg directive ....
+-Example:
+-FileRatioErrMsg</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN3282"
+-></A
+-><H2
+->See also</H2
+-><P
+-></P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN3285"
+-></A
+-><H2
+->Examples</H2
+-><P
+-></P
+-></DIV
+-><H1
+-><A
+ NAME="GLOBAL"
+ ></A
+ >
+@@ -10297,115 +9065,6 @@
+ ></DIV
+ ><H1
+ ><A
+-NAME="GROUPRATIO"
+-></A
+->
+-GroupRatio</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN3486"
+-></A
+-><H2
+->Name</H2
+->GroupRatio&nbsp;--&nbsp;Ratio directive</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN3489"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->GroupRatio</B
+->  [  <CODE
+-CLASS="OPTION"
+->GroupRatio foo1 foo2 foo3</CODE
+->]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->None known</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->&lt;Directory&gt;, &lt;Anonymous&gt;, &lt;Limit&gt;,.ftpaccess</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_ratio</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->at least 1.2.0 and later</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN3516"
+-></A
+-><H2
+->Description</H2
+-><P
+->The GroupRatio directive ....
+-Example:
+-GroupRatio</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN3519"
+-></A
+-><H2
+->See also</H2
+-><P
+-></P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN3522"
+-></A
+-><H2
+->Examples</H2
+-><P
+-></P
+-></DIV
+-><H1
+-><A
+ NAME="HIDDENSTOR"
+ ></A
+ >
+@@ -11103,115 +9762,6 @@
+ ></DIV
+ ><H1
+ ><A
+-NAME="HOSTRATIO"
+-></A
+->
+-HostRatio</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN3817"
+-></A
+-><H2
+->Name</H2
+->HostRatio&nbsp;--&nbsp;Ratio directive</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN3820"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->HostRatio</B
+->  [  <CODE
+-CLASS="OPTION"
+->HostRatio foo1 foo2 foo3</CODE
+->]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->None known</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->&lt;Directory&gt;, &lt;Anonymous&gt;, &lt;Limit&gt;,.ftpaccess</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_ratio</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->at least 1.2.0 and later</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN3847"
+-></A
+-><H2
+->Description</H2
+-><P
+->The HostRatio directive ....
+-Example:
+-HostRatio</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN3850"
+-></A
+-><H2
+->See also</H2
+-><P
+-></P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN3853"
+-></A
+-><H2
+->Examples</H2
+-><P
+-></P
+-></DIV
+-><H1
+-><A
+ NAME="IDENTLOOKUPS"
+ ></A
+ >
+@@ -11818,3747 +10368,6 @@
+ ></DIV
+ ><H1
+ ><A
+-NAME="LDAPALIASDEREFERENCE"
+-></A
+->
+-    LDAPAliasDereference</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN4111"
+-></A
+-><H2
+->Name</H2
+->LDAPAliasDereference&nbsp;--&nbsp;Specify how LDAP alias dereferencing is done</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN4114"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->LDAPAliasDereference</B
+->  [      <CODE
+-CLASS="OPTION"
+->never</CODE
+->
+-      <CODE
+-CLASS="OPTION"
+->find</CODE
+->
+-      <CODE
+-CLASS="OPTION"
+->search</CODE
+->
+-      <CODE
+-CLASS="OPTION"
+->always</CODE
+->
+-    ]</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN4122"
+-></A
+-><H2
+-></H2
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->LDAPAliasDereference never</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->server config, &lt;Global&gt;, &lt;VirtualHost&gt;</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_ldap</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->2.8.16 and later</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN4145"
+-></A
+-><H2
+->Description</H2
+-><P
+->Should be one of never, always, search, or find to specify that
+-  aliases are never dereferenced, always dereferenced, dereferenced when
+-  searching, or dereferenced only when locating the base object for the
+-  search.</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN4148"
+-></A
+-><H2
+->Examples</H2
+-><P
+->LDAPAliasDereference always</P
+-></DIV
+-><H1
+-><A
+-NAME="LDAPATTR"
+-></A
+->
+-LDAPAttr</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN4159"
+-></A
+-><H2
+->Name</H2
+->LDAPAttr&nbsp;--&nbsp;Map LDAP Attributes to something non standard</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN4162"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->LDAPAttr</B
+->  [  <CODE
+-CLASS="OPTION"
+->uid</CODE
+->
+-  <CODE
+-CLASS="OPTION"
+->uidNumber</CODE
+->
+-  <CODE
+-CLASS="OPTION"
+->gidNumber</CODE
+->
+-  <CODE
+-CLASS="OPTION"
+->homeDirectory</CODE
+->
+-  <CODE
+-CLASS="OPTION"
+->userPassword</CODE
+->
+-  <CODE
+-CLASS="OPTION"
+->loginShell</CODE
+->
+-  <CODE
+-CLASS="OPTION"
+->cn</CODE
+->
+-  <CODE
+-CLASS="OPTION"
+->memberUid</CODE
+->
+-  <CODE
+-CLASS="OPTION"
+->ftpQuota</CODE
+->] [  <CODE
+-CLASS="OPTION"
+->"NewAttribute"</CODE
+->]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+-></P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->server config, &lt;Global&gt;, &lt;VirtualHost&gt;</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_ldap</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->2.8.13 and later</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN4199"
+-></A
+-><H2
+->Description</H2
+-><P
+->FIXMEFIXMEFIXME</P
+-><P
+->This dicrective has to be set before any of the LDAPDo* directives.</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN4203"
+-></A
+-><H2
+->See also</H2
+-><P
+-></P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN4206"
+-></A
+-><H2
+->Examples</H2
+-><P
+-CLASS="LITERALLAYOUT"
+->FIXFIXFIX</P
+-><P
+->FIXFIX</P
+-></DIV
+-><H1
+-><A
+-NAME="LDAPAUTHBINDS"
+-></A
+->
+-			LDAPAuthBinds</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN4218"
+-></A
+-><H2
+->Name</H2
+->LDAPAuthBinds&nbsp;--&nbsp;(docs incomplete)</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN4221"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->Syntax: LDAPAuthBinds</B
+->  [				<CODE
+-CLASS="OPTION"
+->on</CODE
+->
+-				<CODE
+-CLASS="OPTION"
+->off</CODE
+->
+-			]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+->(docs incomplete)</B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->				LDAPAuthBinds off in mod_ldap &#60;= 2.7.6,
+-				LDAPAuthBinds on in mod_ldap &#62;= 2.8
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->				server config, &lt;VirtualHost&gt;, &lt;Global&gt;
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_ldap
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->				mod_ldap v2.5 and later
+-			</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN4249"
+-></A
+-><H2
+->Description</H2
+-><P
+->By default, the DN specified by LDAPDNInfo will be used to
+-		bind to the LDAP server to obtain user information, including the
+-		userPassword attribute. If LDAPAuthBinds is set to on, the DN
+-		specified by LDAPDNInfo will be used to fetch all user information
+-		except the userPassword attribute. Then, mod_ldap will bind to the
+-		LDAP server as the user who is logging in via FTP with the
+-		user-supplied password. If this bind succeeds, the user is
+-		considered authenticated and is allowed to log in. This method of
+-		LDAP authentication has the added benefit of supporting any password
+-		encryption scheme that your LDAP server supports.</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN4252"
+-></A
+-><H2
+->See also</H2
+-><P
+-></P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN4255"
+-></A
+-><H2
+->Examples</H2
+-><P
+-></P
+-></DIV
+-><H1
+-><A
+-NAME="LDAPDEFAULTAUTHSCHEME"
+-></A
+->
+-			LDAPDefaultAuthScheme</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN4266"
+-></A
+-><H2
+->Name</H2
+->LDAPDefaultAuthScheme&nbsp;--&nbsp;			Set the authentication scheme/hash that is used when no leading
+-			{hashname} is present.
+-		</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN4269"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->LDAPDefaultAuthScheme</B
+->  [				<CODE
+-CLASS="OPTION"
+->crypt</CODE
+->
+-				<CODE
+-CLASS="OPTION"
+->clear</CODE
+->
+-			]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->				LDAPDefaultAuthScheme "crypt"
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->				server config, &lt;VirtualHost&gt;, &lt;Global&gt;
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_ldap
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->				mod_ldap v2.0 and later
+-			</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN4297"
+-></A
+-><H2
+->Description</H2
+-><P
+->Specifies the authentication scheme used for passwords with no
+-		{prefix} in the LDAP database. For example, if you are using
+-		something like userPassword: mypass in your LDAP database, you would
+-		want to set LDAPDefaultAuthScheme to clear.</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN4300"
+-></A
+-><H2
+->See also</H2
+-><P
+-></P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN4303"
+-></A
+-><H2
+->Examples</H2
+-><P
+-></P
+-></DIV
+-><H1
+-><A
+-NAME="LDAPDEFAULTGID"
+-></A
+->
+-			LDAPDefaultGID</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN4314"
+-></A
+-><H2
+->Name</H2
+->LDAPDefaultGID&nbsp;--&nbsp;			Set the default GID to be assigned to users when no uidNumber
+-			attribute is found.
+-		</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN4317"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->LDAPDefaultGID</B
+->  [				<CODE
+-CLASS="OPTION"
+->default-gid</CODE
+->
+-			]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->				None
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->				server config, &lt;VirtualHost&gt;, &lt;Global&gt;
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_ldap
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->				mod_ldap v2.0 and later
+-			</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN4344"
+-></A
+-><H2
+->Description</H2
+-><P
+->This directive is useful primarily in virtual-user
+-		environments common in large-scale ISPs and hosting organizations.
+-		If a user does not have a LDAP gidNumber attribute, the
+-		LDAPDefaultGID is used. This allows one to have a large number of
+-		users in an LDAP database without gidNumber attributes; setting this
+-		configuration directive will automatically assign those users a
+-		single GID.</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN4347"
+-></A
+-><H2
+->See also</H2
+-><P
+-></P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN4350"
+-></A
+-><H2
+->Examples</H2
+-><P
+-></P
+-></DIV
+-><H1
+-><A
+-NAME="LDAPDEFAULTUID"
+-></A
+->
+-			LDAPDefaultUID</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN4361"
+-></A
+-><H2
+->Name</H2
+->LDAPDefaultUID&nbsp;--&nbsp;			Set the default UID to be assigned to users when no uidNumber
+-			attribute is found.
+-		</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN4364"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->LDAPDefaultUID</B
+->  [				<CODE
+-CLASS="OPTION"
+->default-uid</CODE
+->
+-			]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->				None
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->				server config, &lt;VirtualHost&gt;, &lt;Global&gt;
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_ldap
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->				mod_ldap v2.0 and later
+-			</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN4391"
+-></A
+-><H2
+->Description</H2
+-><P
+->This directive is useful primarily in virtual-user
+-		environments common in large-scale ISPs and hosting organizations.
+-		If a user does not have a LDAP uidNumber attribute, the
+-		LDAPDefaultUID is used. This allows one to have a large number of
+-		users in an LDAP database without uidNumber attributes; setting this
+-		configuration directive will automatically assign those users a
+-		single UID.</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN4394"
+-></A
+-><H2
+->See also</H2
+-><P
+-></P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN4397"
+-></A
+-><H2
+->Examples</H2
+-><P
+-></P
+-></DIV
+-><H1
+-><A
+-NAME="LDAPDNINFO"
+-></A
+->
+-			LDAPDNInfo</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN4408"
+-></A
+-><H2
+->Name</H2
+->LDAPDNInfo&nbsp;--&nbsp;Set DN information to be used for initial bind</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN4411"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->LDAPDNInfo</B
+->  [				<CODE
+-CLASS="OPTION"
+->LDAPDNInfo "ldap-dn" "dn-password"</CODE
+->
+-			]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->				LDAPDNInfo "" "" (anonymous bind)
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->				server config, &lt;VirtualHost&gt;, &lt;Global&gt;
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_ldap
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->			mod_ldap v2.0 and later
+-			</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN4438"
+-></A
+-><H2
+->Description</H2
+-><P
+->This directive specifies the LDAP DN and password to use when
+-		binding to the LDAP server. If this configuration directive is not
+-		specified, anonymous binds are used.</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN4441"
+-></A
+-><H2
+->See also</H2
+-><P
+-></P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN4444"
+-></A
+-><H2
+->Examples</H2
+-><P
+-></P
+-></DIV
+-><H1
+-><A
+-NAME="LDAPDOAUTH"
+-></A
+->
+-			LDAPDoAuth</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN4455"
+-></A
+-><H2
+->Name</H2
+->LDAPDoAuth&nbsp;--&nbsp;Enable LDAP authentication</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN4458"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->LDAPDoAuth</B
+->  [				<CODE
+-CLASS="OPTION"
+->on</CODE
+->
+-				<CODE
+-CLASS="OPTION"
+->off</CODE
+->
+-			] [				<CODE
+-CLASS="OPTION"
+->"auth-base-dn"</CODE
+->
+-			] [				<CODE
+-CLASS="OPTION"
+->"search-filter-template"</CODE
+->
+-			]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->				LDAPDoAuth off
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->				server config, &lt;VirtualHost&gt;, &lt;Global&gt;
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_ldap
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->				mod_ldap v2.0 and later
+-			</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN4490"
+-></A
+-><H2
+->Description</H2
+-><P
+->This configuration directive activates LDAP authentication.
+-		The second argument to this directive is the LDAP base DN to use for
+-		authentication.  The third argument is a template to be used for the
+-		search filter; %v will be replaced with the username that is being
+-		authenticated.
+-		 By default, the search filter template
+-		"(&amp;(uid=%v)(objectclass=posixAccount))" is used.
+-		The uid for the the search filter is taken from the
+-		<A
+-HREF="#LDAPATTR"
+->LDAPAttr</A
+-> directive.
+-		Search filter
+-		templates are only supported in mod_ldap v2.7 and later.</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN4494"
+-></A
+-><H2
+->See also</H2
+-><P
+->			<A
+-HREF="#LDAPATTR"
+->LDAPAttr</A
+->
+-		</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN4498"
+-></A
+-><H2
+->Examples</H2
+-><P
+-></P
+-></DIV
+-><H1
+-><A
+-NAME="LDAPDOGIDLOOKUPS"
+-></A
+->
+-			LDAPDoGIDLookups</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN4509"
+-></A
+-><H2
+->Name</H2
+->LDAPDoGIDLookups&nbsp;--&nbsp;			Enable LDAP lookups for user group membership and GIDs in
+-			directory listings
+-		</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN4512"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->LDAPDoGIDLookups</B
+->  [				<CODE
+-CLASS="OPTION"
+->on</CODE
+->
+-				<CODE
+-CLASS="OPTION"
+->off</CODE
+->
+-			] [				<CODE
+-CLASS="OPTION"
+->"gid-base-dn"</CODE
+->
+-			] [				<CODE
+-CLASS="OPTION"
+->"cn-filter-template"</CODE
+->
+-			] [				<CODE
+-CLASS="OPTION"
+->"gid-number-filter-template"</CODE
+->
+-			] [				<CODE
+-CLASS="OPTION"
+->"member-uid-filter-template"</CODE
+->
+-			]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->				LDAPDoGIDLookups off
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->				server config, &lt;VirtualHost&gt;, &lt;Global&gt;
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_ldap
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->				mod_ldap v2.0 and later
+-			</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN4548"
+-></A
+-><H2
+->Description</H2
+-><P
+->This configuration directive activates LDAP GID-to-name
+-		lookups in directory listings. The second argument to this directive
+-		is the LDAP base DN to use for GID-to-name lookups. The third
+-		through fifth arguments are templates to be used for the search
+-		filter; %v will be replaced with the GID that is being looked
+-		up.</P
+-><P
+->By default, the search filter templates look like this:</P
+-><P
+->		cn_filter:        "(cn=%v)(objectclass=posixGroup))",
+-		gidnumber_filter: "(gidNumber=%v)(objectclass=posixGroup))",
+-		memberuid_filter: "(memberUid=%v)(objectclass=posixGroup))".
+-		</P
+-><P
+->The attribute names used in the default search filters are
+-		taken from the <A
+-HREF="#LDAPATTR"
+->LDAPAttr</A
+->
+-		directive.</P
+-><P
+->Filter templates are only supported in mod_ldap v2.8.3 and
+-		later.</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN4556"
+-></A
+-><H2
+->See also</H2
+-><P
+->			<A
+-HREF="#LDAPATTR"
+->LDAPAttr</A
+->
+-		</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN4560"
+-></A
+-><H2
+->Examples</H2
+-><P
+-></P
+-></DIV
+-><H1
+-><A
+-NAME="LDAPDOQUOTALOOKUPS"
+-></A
+->
+-			LDAPDoQuotaLookups</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN4571"
+-></A
+-><H2
+->Name</H2
+->LDAPDoQuotaLookups&nbsp;--&nbsp;Enable LDAP quota limit support</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN4574"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->LDAPDoQuotaLookups</B
+->  [				<CODE
+-CLASS="OPTION"
+->on</CODE
+->
+-				<CODE
+-CLASS="OPTION"
+->off</CODE
+->
+-			] [				<CODE
+-CLASS="OPTION"
+->"base-dn"</CODE
+->
+-			] [				<CODE
+-CLASS="OPTION"
+->"quota-filter-template"</CODE
+->
+-			] [				<CODE
+-CLASS="OPTION"
+->"default-quota"</CODE
+->
+-			]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->				LDAPDoQuotaLookups off
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->				server config, &lt;VirtualHost&gt;, &lt;Global&gt;
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_ldap</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->				mod_ldap v2.8.12 and later
+-			</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN4608"
+-></A
+-><H2
+->Description</H2
+-><P
+->This configuration directive activates LDAP quota lookups. 
+-		The second argument to this directive is the LDAP base DN to use for
+-		quota limit search.  The third argument is a template to be used for
+-		the search filter; %v will be replaced with the username that is
+-		being authenticated. By default, the search filter template
+-		"(&amp;(LDAPAttr_uid=%v)(objectclass=posixAccount))" is used.
+-		
+-		The uid for the the search filter is taken from the
+-		<A
+-HREF="#LDAPATTR"
+->LDAPAttr</A
+-> directive	
+-		Search filter
+-		templates are only supported in mod_ldap v2.7 and later.</P
+-><P
+->If specified, the <CODE
+-CLASS="OPTION"
+->default-quota<CODE
+-CLASS="OPTION"
+-> argument
+-		specifies the quota limits to use if a user does not have a ftpQuota
+-		attribute. This argument is formatted the same way as the ftpQuota
+-		LDAP attribute.</CODE
+-></CODE
+-></P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN4615"
+-></A
+-><H2
+->See also</H2
+-><P
+->			<A
+-HREF="#LDAPATTR"
+->LDAPAttr</A
+->
+-		</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN4619"
+-></A
+-><H2
+->Examples</H2
+-><P
+-></P
+-></DIV
+-><H1
+-><A
+-NAME="LDAPDOUIDLOOKUPS"
+-></A
+->
+-      LDAPDoUIDLookups</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN4630"
+-></A
+-><H2
+->Name</H2
+->LDAPDoUIDLookups&nbsp;--&nbsp;      Enable LDAP lookups for UIDs in directory listings
+-    </DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN4633"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->LDAPDoUIDLookups</B
+->  [        <CODE
+-CLASS="OPTION"
+->on</CODE
+->
+-        <CODE
+-CLASS="OPTION"
+->off</CODE
+->
+-      ] [        <CODE
+-CLASS="OPTION"
+->"uid-base-dn"</CODE
+->
+-      ] [        <CODE
+-CLASS="OPTION"
+->"uid-filter-template"</CODE
+->
+-      ]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->        LDAPDoUIDLookups off
+-      </P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->        server config, &lt;VirtualHost&gt;, &lt;Global&gt;
+-      </P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_ldap
+-      </P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->        mod_ldap v2.0 and later
+-      </P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN4665"
+-></A
+-><H2
+->Description</H2
+-><P
+->	This configuration directive activates LDAP UID-to-name
+-	lookups in directory listings. The second argument to this directive
+-	is the LDAP base DN to use for UID-to-name lookups. The third
+-	argument is a template to be used for the search filter; %v will be
+-	replaced with the UID that is being looked up. By default, the
+-	search filter template
+-	"(&amp;(LDAPAttr_uidNumber=%v)(objectclass=posixAccount))" is used.
+-	The uid for the the search filter is taken from the
+-	<A
+-HREF="#LDAPATTR"
+->LDAPAttr</A
+-> directive
+-	Search
+-	filter templates are only supported in mod_ldap v2.7 and
+-	later.
+-	</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN4669"
+-></A
+-><H2
+->See also</H2
+-><P
+->		<A
+-HREF="#LDAPATTR"
+->LDAPAttr</A
+->
+-	</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN4673"
+-></A
+-><H2
+->Examples</H2
+-><P
+-></P
+-></DIV
+-><H1
+-><A
+-NAME="LDAPFORCEDEFAULTGID"
+-></A
+->
+-			LDAPForceDefaultGID</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN4684"
+-></A
+-><H2
+->Name</H2
+->LDAPForceDefaultGID&nbsp;--&nbsp;Force all LDAP-authenticated users to use the same GID.</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN4687"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->Syntax: LDAPForceDefaultGID</B
+->  [				<CODE
+-CLASS="OPTION"
+->on</CODE
+->
+-				<CODE
+-CLASS="OPTION"
+->off</CODE
+->
+-			]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->				LDAPForceDefaultGID off
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->				server config, &lt;VirtualHost&gt;, &lt;Global&gt;
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_ldap
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->				mod_ldap v2.8 and later
+-			</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN4715"
+-></A
+-><H2
+->Description</H2
+-><P
+->Even when a <A
+-HREF="#LDAPDEFAULTGID"
+->LDAPDefaultGID</A
+->
+-		is configured, mod_ldap will allow individual users to have
+-		gidNumber attributes that will override this default GID. With
+-		LDAPForceDefaultGID enabled, all LDAP-authenticated users are given
+-		the default GID; GIDs may not be overridden by gidNumber
+-		attributes.</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN4719"
+-></A
+-><H2
+->See also</H2
+-><P
+-></P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN4722"
+-></A
+-><H2
+->Examples</H2
+-><P
+-></P
+-></DIV
+-><H1
+-><A
+-NAME="LDAPFORCEDEFAULTUID"
+-></A
+->
+-			LDAPForceDefaultUID</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN4733"
+-></A
+-><H2
+->Name</H2
+->LDAPForceDefaultUID&nbsp;--&nbsp;Force all LDAP-authenticated users to use the same UID.</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN4736"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->Syntax: LDAPForceDefaultUID</B
+->  [				<CODE
+-CLASS="OPTION"
+->on</CODE
+->
+-				<CODE
+-CLASS="OPTION"
+->off</CODE
+->
+-			]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->				LDAPForceDefaultUID off
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->				server config, &lt;VirtualHost&gt;, &lt;Global&gt;
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_ldap
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->				mod_ldap v2.8 and later
+-			</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN4764"
+-></A
+-><H2
+->Description</H2
+-><P
+->Even when a <A
+-HREF="#LDAPDEFAULTUID"
+->LDAPDefaultUID</A
+->
+-		is configured, mod_ldap will allow individual users to have
+-		uidNumber attributes that will override this default UID. With
+-		LDAPForceDefaultUID enabled, all LDAP-authenticated users are given
+-		the default UID; UIDs may not be overridden by uidNumber
+-		attributes.</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN4768"
+-></A
+-><H2
+->See also</H2
+-><P
+-></P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN4771"
+-></A
+-><H2
+->Examples</H2
+-><P
+-></P
+-></DIV
+-><H1
+-><A
+-NAME="LDAPFORCEGENERATEDHOMEDIR"
+-></A
+->
+-      LDAPForceGeneratedHomedir</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN4782"
+-></A
+-><H2
+->Name</H2
+->LDAPForceGeneratedHomedir&nbsp;--&nbsp;      Force all LDAP-authenticated users to use the default HomeDironDemand
+-      prefix/suffix.
+-    </DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN4785"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->LDAPForceGeneratedHomedir</B
+->  [        <CODE
+-CLASS="OPTION"
+->on</CODE
+->
+-        <CODE
+-CLASS="OPTION"
+->off</CODE
+->
+-      ] [        <CODE
+-CLASS="OPTION"
+->directory-mode</CODE
+->
+-      ]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->        LDAPForceGeneratedHomedir off
+-      </P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->        server config, &lt;VirtualHost&gt;, &lt;Global&gt;
+-      </P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_ldap</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->        mod_ldap v2.8.13 and later
+-      </P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN4815"
+-></A
+-><H2
+->Description</H2
+-><P
+->Even when a
+-    <A
+-HREF="#LDAPGENERATEHOMEDIRPREFIX"
+->LDAPGenerateHomedirPrefix</A
+->
+-    is configured, mod_ldap will allow individual users to have
+-    homeDirectory attributes that will override the default. With
+-    LDAPForceHomeDironDemand enabled, all LDAP-authenticated users are given
+-    the default prefix and/or suffix; homedirs may not be overridden by LDAP
+-    homeDirectory attributes.</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN4819"
+-></A
+-><H2
+->See also</H2
+-><P
+->	<A
+-HREF="#LDAPGENERATEHOMEDIR"
+->LDAPGenerateHomedir</A
+->
+-	<A
+-HREF="#LDAPGENERATEHOMEDIRPREFIX"
+->LDAPGenerateHomedirPrefix</A
+->
+-	<A
+-HREF="#LDAPGENERATEHOMEDIRPREFIXNOUSERNAME"
+->LDAPGenerateHomedirPrefixNoUsername</A
+->
+-   </P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN4825"
+-></A
+-><H2
+->Examples</H2
+-><P
+-></P
+-></DIV
+-><H1
+-><A
+-NAME="LDAPFORCEHOMEDIRONDEMAND"
+-></A
+->
+-      LDAPForceHomedirOnDemand</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN4836"
+-></A
+-><H2
+->Name</H2
+->LDAPForceHomedirOnDemand&nbsp;--&nbsp;      Force all LDAP-authenticated users to use the default HomeDironDemand
+-      prefix/suffix. [deprecated]
+-    </DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN4839"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->LDAPForceHomedirOnDemand</B
+->  [        <CODE
+-CLASS="OPTION"
+->on</CODE
+->
+-        <CODE
+-CLASS="OPTION"
+->off</CODE
+->
+-      ] [        <CODE
+-CLASS="OPTION"
+->directory-mode</CODE
+->
+-      ]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->        LDAPForceHomedirOnDemand off
+-      </P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->        server config, &lt;VirtualHost&gt;, &lt;Global&gt;
+-      </P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_ldap</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->        mod_ldap v2.8.11 and later
+-      </P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN4869"
+-></A
+-><H2
+->Description</H2
+-><P
+->This directive has been deprecated with mod_ldap v2.8.13.
+-	  Please take a look at LDAPForceGenerateHomedir
+-    </P
+-><P
+->Even when a
+-    <A
+-HREF="#LDAPHOMEDIRONDEMANDPREFIX"
+->LDAPHomeDironDemandPrefix</A
+->
+-    is configured, mod_ldap will allow individual users to have
+-    homeDirectory attributes that will override the default. With
+-    LDAPForceHomeDironDemand enabled, all LDAP-authenticated users are given
+-    the default prefix and/or suffix; homedirs may not be overridden by LDAP
+-    homeDirectory attributes.</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN4875"
+-></A
+-><H2
+->See also</H2
+-><P
+->LDAPForceGenerateHomedir</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN4879"
+-></A
+-><H2
+->Examples</H2
+-><P
+-></P
+-></DIV
+-><H1
+-><A
+-NAME="LDAPGENERATEHOMEDIR"
+-></A
+->
+-			LDAPGenerateHomedir</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN4890"
+-></A
+-><H2
+->Name</H2
+->LDAPGenerateHomedir&nbsp;--&nbsp;			Enable the creation of user home directories on demand
+-		</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN4893"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->LDAPGenerateHomedir</B
+->  [				<CODE
+-CLASS="OPTION"
+->on</CODE
+->
+-				<CODE
+-CLASS="OPTION"
+->off</CODE
+->
+-			] [				<CODE
+-CLASS="OPTION"
+->directory-mode</CODE
+->
+-			]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->				LDAPGenerateHomedir off
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->				server config, &lt;VirtualHost&gt;, &lt;Global&gt;
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_ldap
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->				mod_ldap v2.8.13 and later
+-			</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN4923"
+-></A
+-><H2
+->Description</H2
+-><P
+->LDAPGenerateHomedir activates on-demand home directory creation.
+-		If a user logs in and does not yet have a home directory, a home
+-		directory is created automatically.</P
+-><P
+->In mod_ldap &#60;= 2.7.6, the home directory will be owned by the
+-		same user and group that ProFTPD runs as (see the User and Group
+-		configuration directives). mod_ldap &#62;= 2.8 can create home
+-		directories for users with any UID/GID, not just those with the same
+-		UID/GID as the main ProFTPD server.</P
+-><P
+->The second argument allows you to specify the mode (default
+-		permissions) to use when creating home directories on demand,
+-		subject to ProFTPD's umask (see the Umask directive). If no
+-		directory mode is specified, the default of 0755 is used. Directory
+-		mode setting is only supported in mod_ldap v2.7 or later.</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN4928"
+-></A
+-><H2
+->See also</H2
+-><P
+->		<A
+-HREF="#LDAPFORCEGENERATEDHOMEDIR"
+->LDAPForceGeneratedHomedir</A
+->
+-		<A
+-HREF="#LDAPGENERATEHOMEDIRPREFIX"
+->LDAPGenerateHomedirPrefix</A
+->
+-		<A
+-HREF="#LDAPGENERATEHOMEDIRPREFIXNOUSERNAME"
+->LDAPGenerateHomedirPrefixNoUsername</A
+->
+-		</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN4934"
+-></A
+-><H2
+->Examples</H2
+-><P
+-></P
+-></DIV
+->%<H1
+-><A
+-NAME="LDAPGENERATEHOMEDIRPREFIX"
+-></A
+->
+-			LDAPGenerateHomedirPrefix</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN4945"
+-></A
+-><H2
+->Name</H2
+->LDAPGenerateHomedirPrefix&nbsp;--&nbsp;			Enable the creation of user home directories on demand
+-		</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN4948"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->LDAPGenerateHomedirPrefix</B
+->  [				<CODE
+-CLASS="OPTION"
+->leading-path</CODE
+->
+-			]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->				LDAPGenerateHomedirPrefix off
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->				server config, &lt;VirtualHost&gt;, &lt;Global&gt;
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_ldap
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->				mod_ldap v2.8.13 and later
+-			</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN4975"
+-></A
+-><H2
+->Description</H2
+-><P
+->LDAPGenerateHomedirPrefix enables a prefix to be specified for
+-		on-demand home directory creation. This is most useful if mod_ldap
+-		is being used to authenticate against an LDAP directory that does
+-		not return a homeDirectory attribute, either because it cannot
+-		(Microsoft Active Directory, for example) or because you do not wish
+-		to extend your existing directory schema.</P
+-><P
+->For example, setting this directive to "/home" and logging in
+-		as the user "joe" would result in his home directory being created
+-		as "/home/joe". The directory will be created with the mode
+-		specified in <A
+-HREF="#LDAPGENERATEHOMEDIR"
+->LDAPGenerateHomedir</A
+->.  To use
+-		this directive, <A
+-HREF="#LDAPGENERATEHOMEDIR"
+->LDAPGenerateHomedir</A
+-> must be
+-		enabled.</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN4981"
+-></A
+-><H2
+->See also</H2
+-><P
+->		<A
+-HREF="#LDAPFORCEGENERATEDHOMEDIR"
+->LDAPForceGeneratedHomedir</A
+->
+-		<A
+-HREF="#LDAPGENERATEHOMEDIR"
+->LDAPGenerateHomedir</A
+->
+-		<A
+-HREF="#LDAPGENERATEHOMEDIRPREFIXNOUSERNAME"
+->LDAPGenerateHomedirPrefixNoUsername</A
+->
+-		</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN4987"
+-></A
+-><H2
+->Examples</H2
+-><P
+-></P
+-></DIV
+-><H1
+-><A
+-NAME="LDAPGENERATEHOMEDIRPREFIXNOUSERNAME"
+-></A
+->
+-LDAPGenerateHomedirPrefixNoUsername</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN4998"
+-></A
+-><H2
+->Name</H2
+->LDAPGenerateHomedirPrefixNoUsername&nbsp;--&nbsp;(docs incomplete)</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN5001"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->LDAPGenerateHomedirPrefixNoUsername</B
+->  [  <CODE
+-CLASS="OPTION"
+->on</CODE
+->
+-  <CODE
+-CLASS="OPTION"
+->off</CODE
+->]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->(docs incomplete)</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->server config, &lt;Global&gt;, &lt;VirtualHost&gt;, &lt;Anonymous&gt;, &lt;Limit&gt;, .ftpaccess</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_ldap</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->mod_ldap 2.8.13 and later</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN5029"
+-></A
+-><H2
+->Description</H2
+-><P
+->(docs incomplete)</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN5032"
+-></A
+-><H2
+->See also</H2
+-><P
+->		<A
+-HREF="#LDAPFORCEGENERATEDHOMEDIR"
+->LDAPForceGeneratedHomedir</A
+->
+-		<A
+-HREF="#LDAPGENERATEHOMEDIR"
+->LDAPGenerateHomedir</A
+->
+-		<A
+-HREF="#LDAPGENERATEHOMEDIRPREFIX"
+->LDAPGenerateHomedirPrefix</A
+-></P
+-></DIV
+-><H1
+-><A
+-NAME="LDAPHOMEDIRONDEMAND"
+-></A
+->
+-			LDAPHomedirOnDemand</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN5046"
+-></A
+-><H2
+->Name</H2
+->LDAPHomedirOnDemand&nbsp;--&nbsp;			Enable the creation of user home directories on demand [deprecated]
+-		</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN5049"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->LDAPHomedirOnDemand</B
+->  [				<CODE
+-CLASS="OPTION"
+->on</CODE
+->
+-				<CODE
+-CLASS="OPTION"
+->off</CODE
+->
+-			] [				<CODE
+-CLASS="OPTION"
+->directory-mode</CODE
+->
+-			]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->				LDAPHomedirOnDemand off
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->				server config, &lt;VirtualHost&gt;, &lt;Global&gt;
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_ldap
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->				mod_ldap v2.0 and later
+-			</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN5079"
+-></A
+-><H2
+->Description</H2
+-><P
+->This directive has been deprecated with mod_ldap v2.8.13.
+-	  	Please take a look at <A
+-HREF="#LDAPGENERATEHOMEDIR"
+->LDAPGenerateHomedir</A
+->
+-		</P
+-><P
+->LDAPHomedirOnDemand activates on-demand home directory creation.
+-		If a user logs in and does not yet have a home directory, a home
+-		directory is created automatically.</P
+-><P
+->In mod_ldap &#60;= 2.7.6, the home directory will be owned by the
+-		same user and group that ProFTPD runs as (see the User and Group
+-		configuration directives). mod_ldap &#62;= 2.8 can create home
+-		directories for users with any UID/GID, not just those with the same
+-		UID/GID as the main ProFTPD server.</P
+-><P
+->The second argument allows you to specify the mode (default
+-		permissions) to use when creating home directories on demand,
+-		subject to ProFTPD's umask (see the Umask directive). If no
+-		directory mode is specified, the default of 0755 is used. Directory
+-		mode setting is only supported in mod_ldap v2.7 or later.</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN5086"
+-></A
+-><H2
+->See also</H2
+-><P
+-><A
+-HREF="#LDAPGENERATEHOMEDIR"
+->LDAPGenerateHomedir</A
+-></P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN5090"
+-></A
+-><H2
+->Examples</H2
+-><P
+-></P
+-></DIV
+-><H1
+-><A
+-NAME="LDAPHOMEDIRONDEMANDPREFIX"
+-></A
+->
+-			LDAPHomedirOnDemandPrefix</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN5101"
+-></A
+-><H2
+->Name</H2
+->LDAPHomedirOnDemandPrefix&nbsp;--&nbsp;			Enable the creation of user home directories on demand [deprecated]
+-		</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN5104"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->LDAPHomedirOnDemandPrefix</B
+->  [				<CODE
+-CLASS="OPTION"
+->leading-path</CODE
+->
+-			]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->				LDAPHomedirOnDemandPrefix off
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->				server config, &lt;VirtualHost&gt;, &lt;Global&gt;
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_ldap
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->				mod_ldap v2.8 and later
+-			</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN5131"
+-></A
+-><H2
+->Description</H2
+-><P
+->This directive has been deprecated with mod_ldap v2.8.13.
+-	  	Please take a look at <A
+-HREF="#LDAPGENERATEHOMEDIRPREFIX"
+->LDAPGenerateHomedirPrefix</A
+->
+-		</P
+-><P
+->LDAPHomedirOnDemandPrefix enables a prefix to be specified for
+-		on-demand home directory creation. This is most useful if mod_ldap
+-		is being used to authenticate against an LDAP directory that does
+-		not return a homeDirectory attribute, either because it cannot
+-		(Microsoft Active Directory, for example) or because you do not wish
+-		to extend your existing directory schema.</P
+-><P
+->For example, setting this directive to "/home" and logging in
+-		as the user "joe" would result in his home directory being created
+-		as "/home/joe". The directory will be created with the mode
+-		specified in <A
+-HREF="#LDAPHOMEDIRONDEMAND"
+->LDAPHomedirOnDemand</A
+->.  To use
+-		this directive, <A
+-HREF="#LDAPHOMEDIRONDEMAND"
+->LDAPHomedirOnDemand</A
+-> must be
+-		enabled.</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN5139"
+-></A
+-><H2
+->See also</H2
+-><P
+->		<A
+-HREF="#LDAPGENERATEHOMEDIRPREFIX"
+->LDAPGenerateHomedirPrefix</A
+->
+-		</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN5143"
+-></A
+-><H2
+->Examples</H2
+-><P
+-></P
+-></DIV
+-><H1
+-><A
+-NAME="LDAPHOMEDIRONDEMANDPREFIXNOUSERNAME"
+-></A
+->
+-LDAPHomedirOnDemandPrefixNoUsername</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN5154"
+-></A
+-><H2
+->Name</H2
+->LDAPHomedirOnDemandPrefixNoUsername&nbsp;--&nbsp;(docs incomplete)</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN5157"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->LDAPHomedirOnDemandPrefixNoUsername</B
+->  [  <CODE
+-CLASS="OPTION"
+->"name" limit|regex|ip value</CODE
+->]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->(docs incomplete)</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->server config, &lt;Global&gt;, &lt;VirtualHost&gt;, &lt;Anonymous&gt;, &lt;Limit&gt;, .ftpaccess</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_ldap</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->1.2.5rc1 and later</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN5184"
+-></A
+-><H2
+->Description</H2
+-><P
+->This directive has been deprecated with mod_ldap v2.8.13.
+-	Please take a look at <A
+-HREF="#LDAPGENERATEHOMEDIRPREFIXNOUSERNAME"
+->LDAPGenerateHomedirPrefixNoUsername</A
+->
+-	</P
+-><P
+->(docs incomplete)</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN5189"
+-></A
+-><H2
+->See also</H2
+-><P
+-><A
+-HREF="#LDAPGENERATEHOMEDIRPREFIXNOUSERNAME"
+->LDAPGenerateHomedirPrefixNoUsername</A
+-></P
+-></DIV
+-><H1
+-><A
+-NAME="LDAPHOMEDIRONDEMANDSUFFIX"
+-></A
+->
+-			LDAPHomedirOnDemandSuffix</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN5201"
+-></A
+-><H2
+->Name</H2
+->LDAPHomedirOnDemandSuffix&nbsp;--&nbsp;			Specify an additional directory to be created inside a user's
+-			home directory on demand. [deprecated]
+-		</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN5204"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->LDAPHomedirOnDemandSuffix</B
+->  [				<CODE
+-CLASS="OPTION"
+->additional-directory1</CODE
+->
+-				<CODE
+-CLASS="OPTION"
+->additional-directory2</CODE
+->
+-				<CODE
+-CLASS="OPTION"
+->additional-directory3</CODE
+->
+-			]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->				LDAPHomedirOnDemandSuffix ""
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->				server config, &lt;VirtualHost&gt;, &lt;Global&gt;
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_ldap
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->				mod_ldap v2.6 and later.
+-			</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN5233"
+-></A
+-><H2
+->Description</H2
+-><P
+->		This directive is deprecated and was removed from mod_ldap v2.8.13.
+-		It has no replacement option.
+-		</P
+-><P
+->to be created within a user's home directory when it is
+-		created on demand. For example, if a user's home directory is
+-		"/home/user", setting this configuration directive to "public_html"
+-		will also create "/home/user/public_html" on demand. In mod_ldap
+-		v2.7.6 and earlier, you must also activate LDAPHomedirOnDemand in
+-		your configuration.</P
+-><P
+->mod_ldap &#62;= 2.8 supports multiple suffix arguments and does
+-		not require LDAPHomedirOnDemand to be enabled.</P
+-><P
+->mod_ldap &#62;= 2.8.11 supports additional mode information;
+-		you can add ":octal-mode" to a directory argument to have it created
+-		with that mode. For example,
+-		LDAPHomedirOnDemandSuffix foo:700 will create the
+-		suffix directory foo with the mode 700.</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN5239"
+-></A
+-><H2
+->See also</H2
+-><P
+-></P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN5242"
+-></A
+-><H2
+->Examples</H2
+-><P
+-></P
+-></DIV
+-><H1
+-><A
+-NAME="LDAPNEGATIVECACHE"
+-></A
+->
+-			LDAPNegativeCache</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN5253"
+-></A
+-><H2
+->Name</H2
+->LDAPNegativeCache&nbsp;--&nbsp;Enable negative caching for LDAP lookups</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN5256"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->LDAPNegativeCache</B
+->  [				<CODE
+-CLASS="OPTION"
+->on</CODE
+->
+-				<CODE
+-CLASS="OPTION"
+->off</CODE
+->
+-			]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->				LDAPNegativeCache off
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->				server config, &lt;VirtualHost&gt;, &lt;Global&gt;
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_ldap
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->				mod_ldap v1.1 and later
+-			</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN5284"
+-></A
+-><H2
+->Description</H2
+-><P
+->LDAPNegativeCache specifies whether or not to cache negative
+-		responses from the LDAP server when using LDAP for UID/GID lookups.
+-		This option is useful if you also use/are in transition from another
+-		authentication system; if there are many users in your old
+-		authentication system that aren't in the LDAP database, there can be
+-		a significant delay when a directory listing is performed as the
+-		UIDs not in the LDAP database are repeatedly looked up in an attempt
+-		to present usernames instead of UIDs in directory listings. With
+-		LDAPNegativeCache set to on, negative ("not found") responses from
+-		the LDAP server will be cached and speed will improve on directory
+-		listings that contain many users not present in the LDAP
+-		database.</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN5287"
+-></A
+-><H2
+->See also</H2
+-><P
+-></P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN5290"
+-></A
+-><H2
+->Examples</H2
+-><P
+-></P
+-></DIV
+-><H1
+-><A
+-NAME="LDAPPROTOCOLVERSION"
+-></A
+->
+-LDAPProtocolVersion</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN5301"
+-></A
+-><H2
+->Name</H2
+->LDAPProtocolVersion&nbsp;--&nbsp;Set the LDAP protocol version</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN5304"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->LDAPProtocolVersion</B
+->  [  <CODE
+-CLASS="OPTION"
+->2 | 3</CODE
+->]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->3</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->server config, &lt;Global&gt;, &lt;VirtualHost&gt;</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_ldap</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->2.8.13 and later</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN5331"
+-></A
+-><H2
+->Description</H2
+-><P
+->FIX FIX FIX</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN5334"
+-></A
+-><H2
+->See also</H2
+-><P
+-></P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN5337"
+-></A
+-><H2
+->Examples</H2
+-><P
+-CLASS="LITERALLAYOUT"
+->FIXFIXFIX</P
+-><P
+->FIXFIX</P
+-></DIV
+-><H1
+-><A
+-NAME="LDAPQUERYTIMEOUT"
+-></A
+->
+-			LDAPQueryTimeout</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN5349"
+-></A
+-><H2
+->Name</H2
+->LDAPQueryTimeout&nbsp;--&nbsp;Set a timeout for LDAP queries</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN5352"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->LDAPQueryTimeout</B
+->  [				<CODE
+-CLASS="OPTION"
+->timeout-seconds</CODE
+->
+-			]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->				LDAPQueryTimeout default-api-timeout
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->				server config, &lt;VirtualHost&gt;, &lt;Global&gt;
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_ldap
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->				mod_ldap v2.0 and later
+-			</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN5379"
+-></A
+-><H2
+->Description</H2
+-><P
+->Sets the timeout used for LDAP directory queries. The default
+-		is the default timeout used by your LDAP API.</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN5382"
+-></A
+-><H2
+->See also</H2
+-><P
+-></P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN5385"
+-></A
+-><H2
+->Examples</H2
+-><P
+-></P
+-></DIV
+-><H1
+-><A
+-NAME="LDAPSEARCHSCOPE"
+-></A
+->
+-			LDAPSearchScope</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN5396"
+-></A
+-><H2
+->Name</H2
+->LDAPSearchScope&nbsp;--&nbsp;Specify the search scope used in LDAP queries</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN5399"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->LDAPSearchScope</B
+->  [				<CODE
+-CLASS="OPTION"
+->onelevel</CODE
+->
+-				<CODE
+-CLASS="OPTION"
+->subtree</CODE
+->
+-			]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->				LDAPSearchScope subtree
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->				server config, &lt;VirtualHost&gt;, &lt;Global&gt;
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_ldap
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->				mod_ldap v2.6 and later
+-			</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN5427"
+-></A
+-><H2
+->Description</H2
+-><P
+->Set the scope used for LDAP searches. The default setting,
+-		subtree, searches for all entries in the tree from the current level
+-		down. Setting this directive to onelevel searches only one level
+-		deep in the LDAP tree.</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN5430"
+-></A
+-><H2
+->See also</H2
+-><P
+-></P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN5433"
+-></A
+-><H2
+->Examples</H2
+-><P
+-></P
+-></DIV
+-><H1
+-><A
+-NAME="LDAPSERVER"
+-></A
+->
+-			LDAPServer</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN5444"
+-></A
+-><H2
+->Name</H2
+->LDAPServer&nbsp;--&nbsp;Specify the LDAP server to use for lookups</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN5447"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->LDAPServer</B
+->  [				<CODE
+-CLASS="OPTION"
+->"hostname1:port1 hostname2:port2"</CODE
+->
+-			]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->				LDAPServer "localhost"
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->				server config, &lt;VirtualHost&gt;, &lt;Global&gt;
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_ldap
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->				mod_ldap v1.0 and later
+-			</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN5474"
+-></A
+-><H2
+->Description</H2
+-><P
+->LDAPServer allows you to to specify the hostname(s) and
+-		port(s) of the LDAP server(s) to use for LDAP authentication. If no
+-		LDAPServer configuration directive is present, the default LDAP
+-		servers specified by your LDAP API will be used.</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN5477"
+-></A
+-><H2
+->See also</H2
+-><P
+-></P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN5480"
+-></A
+-><H2
+->Examples</H2
+-><P
+-></P
+-></DIV
+-><H1
+-><A
+-NAME="LDAPUSETLS"
+-></A
+->
+-			LDAPUseTLS</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN5491"
+-></A
+-><H2
+->Name</H2
+->LDAPUseTLS&nbsp;--&nbsp;Enable TLS/SSL connections to the LDAP server.</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN5494"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->Syntax: LDAPUseTLS</B
+->  [				<CODE
+-CLASS="OPTION"
+->on</CODE
+->
+-				<CODE
+-CLASS="OPTION"
+->off</CODE
+->
+-			]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->				LDAPUseTLS off
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->				server config, &lt;VirtualHost&gt;, &lt;Global&gt;
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_ldap
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->				mod_ldap v2.8 and later
+-			</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN5522"
+-></A
+-><H2
+->Description</H2
+-><P
+->By default, mod_ldap connects to the LDAP server via a
+-		non-encrypted connection. Enabling this option causes mod_ldap to
+-		use an encrypted (TLS/SSL) connection to the LDAP server. If a
+-		secure connection to the LDAP server fails, mod_ldap will not
+-		authenticate users (mod_ldap will *not* fall back to an unsecure
+-		connection).</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN5525"
+-></A
+-><H2
+->See also</H2
+-><P
+-></P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN5528"
+-></A
+-><H2
+->Examples</H2
+-><P
+-></P
+-></DIV
+-><H1
+-><A
+-NAME="LEECHRATIOMSG"
+-></A
+->
+-LeechRatioMsg</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN5539"
+-></A
+-><H2
+->Name</H2
+->LeechRatioMsg&nbsp;--&nbsp;Sets the 'over ratio' error message</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN5542"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->LeechRatioMsg</B
+->  [  <CODE
+-CLASS="OPTION"
+->LeechRatioMsg foo1 foo2 foo3</CODE
+->]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->None known</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->&lt;Directory&gt;, &lt;Anonymous&gt;, &lt;Limit&gt;,.ftpaccess</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_ratio</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->at least 1.2.0 and later</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN5569"
+-></A
+-><H2
+->Description</H2
+-><P
+->The LeechRatioMsg directive defines the response message sent
+-back to the client upon breaking their quota limits.</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN5572"
+-></A
+-><H2
+->See also</H2
+-><P
+-></P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN5575"
+-></A
+-><H2
+->Examples</H2
+-><PRE
+-CLASS="PROGRAMLISTING"
+->LeechRatioMsg "please upload as well as download"</PRE
+-><P
+-></P
+-></DIV
+-><H1
+-><A
+ NAME="LIMIT"
+ ></A
+ >
+@@ -18584,967 +13393,6 @@
+ ></DIV
+ ><H1
+ ><A
+-NAME="RADIUSACCTSERVER"
+-></A
+->
+-RadiusAcctServer</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN6758"
+-></A
+-><H2
+->Name</H2
+->RadiusAcctServer&nbsp;--&nbsp;Setup RADIUS accounting details</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN6761"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->RadiusAcctServer</B
+->  [  <CODE
+-CLASS="OPTION"
+->server[:port] shared-secret [timeout]</CODE
+->]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->none</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->server config, &lt;Global&gt;, &lt;VirtualHost&gt;</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_radius</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->1.2.7rc1 and later</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN6788"
+-></A
+-><H2
+->Description</H2
+-><P
+->The RadiusAcctServer is used to specify a RADIUS server to be used for accounting. The server parameter may be either an IP address or a DNS hostname. If not specified, the port used will be the IANA-registered 1813. The optional timeout parameter is used to tell mod_radius how long to wait for a response from the server; it defaults to 30 seconds.</P
+-><P
+->Multiple RadiusAcctServers may be configured; each will be tried, in order of appearance in the configuration file, until that server times out or mod_radius receives a response.</P
+-><P
+->If no RadiusAcctServers are configured, mod_radius will not use RADIUS for accounting.</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN6793"
+-></A
+-><H2
+->See also</H2
+-><P
+-><A
+-HREF="#RADIUSAUTHSERVER"
+->RadiusAuthServer</A
+-></P
+-></DIV
+-><H1
+-><A
+-NAME="RADIUSAUTHSERVER"
+-></A
+->
+-RadiusAuthServer</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN6805"
+-></A
+-><H2
+->Name</H2
+->RadiusAuthServer&nbsp;--&nbsp;Setup RADIUS authenticator details</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN6808"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->RadiusAuthServer</B
+->  [  <CODE
+-CLASS="OPTION"
+->server[:port] shared-secret [timeout]</CODE
+->]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->none</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->server config, &lt;Global&gt;, &lt;VirtualHost&gt;</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_radius</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->1.2.7rc1 and later</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN6835"
+-></A
+-><H2
+->Description</H2
+-><P
+->The RadiusAcctServer is used to specify a RADIUS server to be used for accounting. The server parameter may be either an IP address or a DNS hostname. If not specified, the port used will be the IANA-registered 1813. The optional timeout parameter is used to tell mod_radius how long to wait for a response from the server; it defaults to 30 seconds.</P
+-><P
+->Multiple RadiusAcctServers may be configured; each will be tried, in order of appearance in the configuration file, until that server times out or mod_radius receives a response.</P
+-><P
+->If no RadiusAcctServers are configured, mod_radius will not use RADIUS for accounting.</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN6840"
+-></A
+-><H2
+->See also</H2
+-><P
+-><A
+-HREF="#RADIUSAUTHSERVER"
+->RadiusAuthServer</A
+-></P
+-></DIV
+-><H1
+-><A
+-NAME="RADIUSENGINE"
+-></A
+->
+-RadiusEngine</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN6852"
+-></A
+-><H2
+->Name</H2
+->RadiusEngine&nbsp;--&nbsp;Enable RADIUS support</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN6855"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->RadiusEngine</B
+->  [  <CODE
+-CLASS="OPTION"
+->on|off</CODE
+->]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->off</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->server config, &lt;Global&gt;, &lt;VirtualHost&gt;</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_radius</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->1.2.7rc1 and later</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN6882"
+-></A
+-><H2
+->Description</H2
+-><P
+->The RadiusEngine directive enables or disables the module's runtime RADIUS engine. If it is set to off this module does no RADIUS authentication or accounting at all. Use this directive to disable the module instead of commenting out all mod_radius directives. </P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN6885"
+-></A
+-><H2
+->See also</H2
+-><P
+-></P
+-></DIV
+-><H1
+-><A
+-NAME="RADIUSLOG"
+-></A
+->
+-RadiusLog</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN6896"
+-></A
+-><H2
+->Name</H2
+->RadiusLog&nbsp;--&nbsp;Specify the logfile for reporting / debugging</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN6899"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->RadiusLog</B
+->  [  <CODE
+-CLASS="OPTION"
+->"file"|none</CODE
+->]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->none</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->server config, &lt;Global&gt;, &lt;VirtualHost&gt;</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_radius</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->1.2.7rc1 and later</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN6926"
+-></A
+-><H2
+->Description</H2
+-><P
+->The RadiusLog directive is used to a specify a log file for mod_radius
+-reporting and debugging, and can be done a per-server basis. The file
+-parameter must be the full path to the file to use for logging. Note
+-that this path must not be to a world-writeable directory and, unless
+-AllowLogSymlinks is explicitly set to on (generally a bad idea), the
+-path must not be a symbolic link.</P
+-><P
+->If file is "none", no logging will be done at all; this setting can be
+-used to override a RadiusLog setting inherited from a &lt;Global&gt; context.</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN6930"
+-></A
+-><H2
+->See also</H2
+-><P
+-></P
+-></DIV
+-><H1
+-><A
+-NAME="RADIUSREALM"
+-></A
+->
+-RadiusRealm</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN6941"
+-></A
+-><H2
+->Name</H2
+->RadiusRealm&nbsp;--&nbsp;Setup the authentication realm</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN6944"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->RadiusRealm</B
+->  [  <CODE
+-CLASS="OPTION"
+->realm</CODE
+->]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->none</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->server config, &lt;Global&gt;, &lt;VirtualHost&gt;</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_radius</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->1.2.7rc1 and later</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN6971"
+-></A
+-><H2
+->Description</H2
+-><P
+->The RadiusRealm directive configures a realm string that will be added to the username in the constructed RADIUS packets.</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN6974"
+-></A
+-><H2
+->See also</H2
+-><P
+-></P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN6977"
+-></A
+-><H2
+->Examples</H2
+-><P
+-CLASS="LITERALLAYOUT"
+->&nbsp;&nbsp;RadiusRealm&nbsp;.castaglia.org</P
+-></DIV
+-><H1
+-><A
+-NAME="RADIUSUSERINFO"
+-></A
+->
+-RadiusUserInfo</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN6988"
+-></A
+-><H2
+->Name</H2
+->RadiusUserInfo&nbsp;--&nbsp;Configure login information via RADIUS</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN6991"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->RadiusUserInfo</B
+->  [  <CODE
+-CLASS="OPTION"
+->uid gid home shell [suppl-group-names suppl-group-ids]</CODE
+->]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->none</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->server config, &lt;Global&gt;, &lt;VirtualHost&gt;</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_radius</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->1.2.7rc1 and later</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN7018"
+-></A
+-><H2
+->Description</H2
+-><P
+->The RadiusUserInfo directive is used to configure login information used for every user authenticated via RADIUS. The optional suppl-group-names and suppl-group-ids parameters are used to specify supplemental group membership for each user; the number of names and IDs must match if these parameters are used.</P
+-><P
+->In order to support RADIUS servers that may use custom attributes in their Access-Accept response packets to supply user information back to the RADIUS client (mod_radius in this case), this directive allows the following syntax for some of its parameters:</P
+-><P
+->&#13;<P
+-CLASS="LITERALLAYOUT"
+->&nbsp;&nbsp;$(attribute-id:default-value)</P
+->&#13;</P
+-><P
+->where the enclosing $() signals that the parameter is to be supplied by
+-the RADIUS server, attribute-id is the custom attribute ID for which to
+-search in the response packet, and default-value is the value to use in
+-case the requested attribute is not present in the response packet. This
+-syntax is not supported for the suppl-group-names or suppl-group-ids
+-parameters.</P
+-><P
+->If RadiusUserInfo is not used, mod_radius will perform pure "yes/no"
+-authentication only, in the style of PAM. The information that would
+-have been configured via this directive will be pulled from other sources
+-(e.g. /etc/passwd, AuthUserFiles, MySQL tables, etc).</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN7026"
+-></A
+-><H2
+->See also</H2
+-><P
+-></P
+-></DIV
+-><H1
+-><A
+-NAME="RATIOFILE"
+-></A
+->
+-RatioFile</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN7037"
+-></A
+-><H2
+->Name</H2
+->RatioFile&nbsp;--&nbsp;Ratio directive</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN7040"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->RatioFile</B
+->  [  <CODE
+-CLASS="OPTION"
+->RatioFile foo1 foo2 foo3</CODE
+->]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->None known</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->&lt;Directory&gt;, &lt;Anonymous&gt;, &lt;Limit&gt;,.ftpaccess</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_ratio</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->at least 1.2.0 and later</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN7067"
+-></A
+-><H2
+->Description</H2
+-><P
+->The RatioFile directive ....
+-Example:
+-RatioFile</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN7070"
+-></A
+-><H2
+->See also</H2
+-><P
+-></P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN7073"
+-></A
+-><H2
+->Examples</H2
+-><P
+-></P
+-></DIV
+-><H1
+-><A
+-NAME="RATIOS"
+-></A
+->
+-Ratios</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN7084"
+-></A
+-><H2
+->Name</H2
+->Ratios&nbsp;--&nbsp;(docs incomplete)</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN7087"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->Ratios</B
+->  [  <CODE
+-CLASS="OPTION"
+->Ratios foo1 foo2 foo3</CODE
+->]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->None known</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->&lt;Directory&gt;, &lt;Anonymous&gt;, &lt;Limit&gt;,.ftpaccess</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_ratio</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->at least 1.2.0 and later</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN7114"
+-></A
+-><H2
+->Description</H2
+-><P
+->The Ratios directive ....
+-Example:
+-Ratios</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN7117"
+-></A
+-><H2
+->See also</H2
+-><P
+-></P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN7120"
+-></A
+-><H2
+->Examples</H2
+-><P
+-></P
+-></DIV
+-><H1
+-><A
+-NAME="RATIOTEMPFILE"
+-></A
+->
+-RatioTempFile</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN7131"
+-></A
+-><H2
+->Name</H2
+->RatioTempFile&nbsp;--&nbsp;Ratio directive</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN7134"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->RatioTempFile</B
+->  [  <CODE
+-CLASS="OPTION"
+->RatioTempFile foo1 foo2 foo3</CODE
+->]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->None known</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->&lt;Directory&gt;, &lt;Anonymous&gt;, &lt;Limit&gt;,.ftpaccess</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_ratio</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->at least 1.2.0 and later</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN7161"
+-></A
+-><H2
+->Description</H2
+-><P
+->The RatioTempFile directive ....
+-Example:
+-RatioTempFile</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN7164"
+-></A
+-><H2
+->See also</H2
+-><P
+-></P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN7167"
+-></A
+-><H2
+->Examples</H2
+-><P
+-></P
+-></DIV
+-><H1
+-><A
+ NAME="REQUIREVALIDSHELL"
+ ></A
+ >
+@@ -19656,1592 +13504,6 @@
+ ></DIV
+ ><H1
+ ><A
+-NAME="REWRITECONDITION"
+-></A
+->
+-RewriteCondition</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN7225"
+-></A
+-><H2
+->Name</H2
+->RewriteCondition&nbsp;--&nbsp;Define a rule condition</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN7228"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->RewriteCondition</B
+->  [  <CODE
+-CLASS="OPTION"
+->condition pattern</CODE
+->]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->None</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->server config, &lt;Global&gt;, &lt;VirtualHost&gt;, &lt;Anonymous&gt;, &lt;Directory&gt;</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_rewrite</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->1.2.6rc1 and later</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN7255"
+-></A
+-><H2
+->Description</H2
+-><P
+->The RewriteCondition directive defines a rule condition. Precede a
+-<A
+-HREF="#REWRITERULE"
+->RewriteRule</A
+-> directive with one or more
+-RewriteCondition directives. The following rewriting rule is only used if
+-its pattern matches the current state of the FTP command and if these
+-additional conditions apply too.</P
+-><P
+->Condition is a string which can contain the following expanded constructs
+-in addition to plain text:</P
+-><P
+-></P
+-><UL
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+->		<SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->RewriteRule backreferences</B
+-></SPAN
+->
+-	      </P
+-><P
+->		These are backreferences of the form:
+-	      </P
+-><P
+-><SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->$N</B
+-></SPAN
+-></P
+-><P
+->		(0 &#60;= N &#60;= 9) which provide access to the grouped
+-	       	parts (parentheses!) of the pattern from the corresponding
+-		RewriteRule directive (the one following the current bunch
+-		of RewriteCondition directives). Note that $0 will refer
+-		back to the entire original string being matched.
+-              </P
+-></LI
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+->		<SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->RewriteCondition backreferences</B
+-></SPAN
+->
+-	      </P
+-><P
+->		These are backreferences of the form:
+-	      </P
+-><P
+-><SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->%N</B
+-></SPAN
+-></P
+-><P
+->		(0 &#60;= N &#60;= 9) which provide access to the grouped parts
+-		(parentheses!) of the pattern from the previous
+-		RewriteCondition attached to this RewriteRule.
+-              </P
+-></LI
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+->		<SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->RewriteMap expansions:</B
+-></SPAN
+->
+-	      </P
+-><P
+->		These are expansions of the form:
+-	      </P
+-><P
+->	      <SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->${map-name:lookup-key|default-value}</B
+-></SPAN
+->
+-	      </P
+-><P
+->		See the documentation for <A
+-HREF="#REWRITEMAP"
+->RewriteMap
+-		</A
+-> for more details.
+-              </P
+-></LI
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+->		<SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->Variable substitutions:</B
+-></SPAN
+->
+-	      </P
+-><P
+->		These are substitutions of the form:
+-              </P
+-><P
+-></P
+-><UL
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+->			<SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->%a</B
+-></SPAN
+->
+-			client IP address
+-			</P
+-></LI
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+->			<SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->%c</B
+-></SPAN
+->
+-			name of Class for current session
+-			</P
+-></LI
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+->			<SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->%f</B
+-></SPAN
+->
+-			filename
+-			</P
+-></LI
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+->			<SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->%F</B
+-></SPAN
+->
+-			transfer path, as seen by the client (only useful
+-			for upload/download commands)
+-			</P
+-></LI
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+->			<SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->%g</B
+-></SPAN
+->
+-			primary group of authenticated user
+-			</P
+-></LI
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+->			<SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->%G</B
+-></SPAN
+->
+-			supplemental groups of authenticated user
+-			</P
+-></LI
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+->			<SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->%h</B
+-></SPAN
+->
+-			client DNS name
+-			</P
+-></LI
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+->			<SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->%m</B
+-></SPAN
+->
+-			FTP command
+-			</P
+-></LI
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+->			<SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->%p</B
+-></SPAN
+->
+-			port of server handling the session
+-			</P
+-></LI
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+->			<SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->%u</B
+-></SPAN
+->
+-			name of authenticated user
+-			</P
+-></LI
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+->			<SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->%U</B
+-></SPAN
+->
+-			name of user sent by client via USER
+-			</P
+-></LI
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+->			<SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->%v</B
+-></SPAN
+->
+-			ServerName of server handling the session
+-			</P
+-></LI
+-></UL
+-></LI
+-></UL
+-><P
+->Pattern is the condition pattern, i.e., a regular expression which is
+-applied to the current instance of the condition, i.e., condition is
+-evaluated and then matched against pattern. You can prefix the pattern
+-string with a '!' character (exclamation mark) to specify a non-matching
+-pattern.</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN7325"
+-></A
+-><H2
+->See also</H2
+-><P
+-><A
+-HREF="#REWRITERULE"
+->RewriteRule</A
+->
+-<A
+-HREF="#REWRITEMAP"
+->RewriteMap</A
+-></P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN7330"
+-></A
+-><H2
+->Examples</H2
+-><P
+-CLASS="LITERALLAYOUT"
+-></P
+-></DIV
+-><H1
+-><A
+-NAME="REWRITEENGINE"
+-></A
+->
+-RewriteEngine</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN7341"
+-></A
+-><H2
+->Name</H2
+->RewriteEngine&nbsp;--&nbsp;Enable/disable mod_rewrite</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN7344"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->RewriteEngine</B
+->  [  <CODE
+-CLASS="OPTION"
+->on|off</CODE
+->]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->off</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->server config, &lt;Global&gt;, &lt;VirtualHost&gt;</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_rewrite</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->1.2.6rc1 and later</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN7371"
+-></A
+-><H2
+->Description</H2
+-><P
+->The RewriteEngine directive enables or disables the module's runtime
+-rewriting engine. If it is set to off this module does no parsing or
+-rewriting at all. Use this directive to disable the module instead of
+-commenting out all mod_rewrite directives.</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN7374"
+-></A
+-><H2
+->See also</H2
+-><P
+-></P
+-></DIV
+-><H1
+-><A
+-NAME="REWRITELOCK"
+-></A
+->
+-RewriteLock</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN7385"
+-></A
+-><H2
+->Name</H2
+->RewriteLock&nbsp;--&nbsp;Set the filename for synchronization lockfile</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN7388"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->RewriteLock</B
+->  [  <CODE
+-CLASS="OPTION"
+->filename</CODE
+->]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->None</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->server config, &lt;Global&gt;, &lt;VirtualHost&gt;</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_rewrite</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->1.2.6rc1 and later</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN7415"
+-></A
+-><H2
+->Description</H2
+-><P
+->The RewriteLock directive sets the filename for a synchronization lockfile
+-which mod_rewrite needs to communicate with RewriteMaps of type fifo. Set
+-file to a local absolute path (not on a NFS-mounted device) when you want
+-to use a rewriting FIFO. It is not required for other types of rewriting maps.</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN7418"
+-></A
+-><H2
+->See also</H2
+-><P
+-></P
+-></DIV
+-><H1
+-><A
+-NAME="REWRITELOG"
+-></A
+->
+-RewriteLog</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN7429"
+-></A
+-><H2
+->Name</H2
+->RewriteLog&nbsp;--&nbsp;Specify a log file for mod_rewrite reporting</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN7432"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->RewriteLog</B
+->  [  <CODE
+-CLASS="OPTION"
+->file|"none"</CODE
+->]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->None</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->server config, &lt;Global&gt;, &lt;VirtualHost&gt;</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_rewrite</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->1.2.6rc1 and later</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN7459"
+-></A
+-><H2
+->Description</H2
+-><P
+->The RewriteLog directive is used to a specify a log file for mod_rewrite
+-reporting and debugging, and can be done a per-server basis. The file
+-parameter must be the full path to the file to use for logging. Note
+-that this path must <SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->not</B
+-></SPAN
+-> be to a
+-world-writeable directory and, unless AllowLogSymlinks is explicitly
+-set to on (generally a bad idea), the path must
+-<SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->not</B
+-></SPAN
+-> be a symbolic link. In general,
+-this directive should only be used for debugging your mod_rewrite
+-configuration, and should be removed once debugging is completed;
+-<SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->do not use this directive in a production
+-configuration.</B
+-></SPAN
+-></P
+-><P
+->If file is "none", no logging will be done at all; this setting can be
+-used to override a RewriteLog setting inherited from a &lt;Global&gt; context. </P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN7466"
+-></A
+-><H2
+->See also</H2
+-><P
+-></P
+-></DIV
+-><H1
+-><A
+-NAME="REWRITEMAP"
+-></A
+->
+-RewriteMap</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN7477"
+-></A
+-><H2
+->Name</H2
+->RewriteMap&nbsp;--&nbsp;Define a rewrite map</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN7480"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->RewriteMap</B
+->  [  <CODE
+-CLASS="OPTION"
+->map-name map-type:map-soure</CODE
+->]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->None</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->server config, &lt;Global&gt;, &lt;VirtualHost&gt;</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_rewrite</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->1.2.6rc1 and later</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN7507"
+-></A
+-><H2
+->Description</H2
+-><P
+->The RewriteMap directive defines a rewriting map which can be used inside
+-rule substitution strings by the mapping-functions to insert/substitute
+-fields through a key lookup. The source of this lookup can be of various types.</P
+-><P
+->The map-name is the name of the map and will be used to specify a
+-mapping-function for the substitution strings of a rewriting rule via
+-one of the following constructs:</P
+-><P
+-><SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->${ map-name :  lookup-key }</B
+-></SPAN
+-></P
+-><P
+-><SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->${ map-name :  lookup-key</B
+-></SPAN
+->
+- | 
+-<SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->default-value</B
+-></SPAN
+-></P
+-><P
+->When such a construct occurs the map map-name is consulted and the key
+-lookup-key is resolved. If the key is found, the map-function construct
+-is substituted by subst-value. If the key is not found then it is
+-substituted by default-value or by the empty string if no default-value
+-was specified.</P
+-><P
+->The following combinations for map-type and map-src can be used:</P
+-><P
+-></P
+-><UL
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+->			<SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->Standard Plain Text</B
+-></SPAN
+->
+-		</P
+-><P
+->			map-type: txt, map-src: Unix filesystem path to
+-			valid regular file.
+-		</P
+-><P
+->		This is the standard rewriting map feature where
+-		the map-src is a plain ASCII file containing either blank
+-		lines, comment lines (starting with a '#' character) or
+-		pairs like the following - one per line.
+-		</P
+-><P
+->			<SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->matching-key subst-value</B
+-></SPAN
+->
+-		</P
+-><DIV
+-CLASS="EXAMPLE"
+-><A
+-NAME="EXAMPLE-USERMAP"
+-></A
+-><P
+-><B
+->Example 1-1. Example Usermap</B
+-></P
+-><PRE
+-CLASS="PROGRAMLISTING"
+->		    # --------------------------------------------
+-    		    # usermap.txt -- map for rewriting user names
+-    		    # --------------------------------------------
+-
+-    		    Dave.Admin      dave       # The Uber-admin
+-    		    root            anonymous  # no one should be logging in as root anyway
+-		</PRE
+-></DIV
+-><P
+->			And, to configure this map to be used:
+-		</P
+-><PRE
+-CLASS="PROGRAMLISTING"
+->			RewriteMap real-to-user txt:/path/to/file/usermap.txt
+-		</PRE
+-></LI
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+-><SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->FIFO/Named Pipe</B
+-></SPAN
+-></P
+-><P
+->			map-type: fifo, map-src: Unix filesystem path
+-			to valid FIFO.
+-		</P
+-><P
+->		For this rewriting map, map-src is a FIFO (a.k.a. named pipe).
+-		To create it, you can use the mkfifo(1) command. An
+-		external program that opens the FIFO for reading and
+-		writing <SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->must</B
+-></SPAN
+->  be started
+-		before proftpd is started. This program can communicate
+-		with the rewriting engine via the FIFO. For each mapping
+-		lookup, it can read the key to lookup as a newline-terminated
+-		string from the FIFO. It then has to write back to the FIFO
+-		the looked-up value as a newline-terminated string, or just
+-		simply newline character (denoting an empty string) if there
+-		is no corresponding value for the given key).
+-		</P
+-><P
+->		An example program which will implement a 1:1 mapping
+-		(i.e., key == value) could be:
+-		</P
+-><DIV
+-CLASS="EXAMPLE"
+-><A
+-NAME="EXAMPLE-FIFONAMEDPIPE"
+-></A
+-><P
+-><B
+->Example 1-2. Example FIFO/Named Pipe 1:1 mapping</B
+-></P
+-><PRE
+-CLASS="PROGRAMLISTING"
+->#!/usr/bin/perl
+-    use strict;
+-
+-    use File::Basename qw(basename);
+-    use Getopt::Long;
+-    use IO::Handle;
+-    use IO::Select;
+-
+-    my $default_delay = 0.5;
+-    my $program = basename($0);
+-    my %opts = ();
+-
+-    GetOptions(\%opts, 'delay=f', 'fifo=s', 'help', 'verbose');
+-
+-    usage() if $opts{'help'};
+-
+-    my $delay = $opts{'delay'} ? $opts{'delay'} : $default_delay;
+-
+-    die "$program: missing required --fifo parameter\n" unless $opts{'fifo'};
+-    my $fifo = $opts{'fifo'};
+-
+-    my $verbose = $opts{'verbose'} ? 1 : 0;
+-
+-    open(my $fifo_fh, "+&#62; $fifo") or die "$program: unable to open $fifo: $!\n";
+-
+-    # Instantiate a Select object for knowing when to read from and write to
+-    # the FIFO.
+-    my $sel = IO::Select-&#62;new();
+-
+-    while (1) {
+-
+-      # Blocking select() for reading.
+-      $sel-&#62;add($fifo_fh);
+-
+-      print STDERR "$program: selecting for reading\n" if $verbose;
+-      my ($rfh) = $sel-&#62;can_read();
+-
+-      my $key = &lt;$rfh&gt;;
+-      print STDERR "$program: read '$key'\n" if $verbose;
+-
+-      # Lookup a value for the given key.
+-      my $value = lookup_value($key);
+-
+-      # Clear the Select object's filehandles.
+-      $sel-&#62;remove();
+-
+-      print $fifo_fh "$value\n" if $verbose;
+-      $fifo_fh-&#62;flush();
+-
+-      print STDERR "$program: wrote '$value'\n" if $verbose;
+-
+-      # Wait for the buffer's byte to be cleared before reading again.
+-      wait_fifo($fifo_fh);
+-    }
+-
+-    close($fifo_fh);
+-    print STDOUT "$program: done\n" if $verbose;
+-
+-    exit 0;
+-
+-    # --------------------------------------------------------------------------
+-    sub lookup_value {
+-      my ($key) = @_;
+-
+-      # NOTE: do something to obtain a value for the given key here.
+-      chomp(my $value = $key);
+-
+-      return $value;
+-    }
+-
+-    # --------------------------------------------------------------------------
+-    sub usage {
+-      print STDOUT &lt;&lt;END_OF_USAGE;
+-
+-    usage: $program [options]
+-
+-      --delay         Configure the buffer check delay.
+-                      The default is $default_delay seconds.
+-
+-      --fifo          Configure the path to the FIFO.  Required.
+-
+-      --help          Displays this message.
+-
+-      --verbose       Enables verbose output while $program runs.
+-
+-    END_OF_USAGE
+-
+-      exit 0;
+-    }
+-
+-    # --------------------------------------------------------------------------
+-    sub wait_fifo {
+-      my ($fh) = @_;
+-
+-      # Now we get tricky.  Use ioctl(2) to poll the number of bytes to
+-      # be read from the FIFO filehandle.  When the number drops to zero,
+-      # it means that the data we just wrote has been read from the buffer
+-      # by some other process, so we can go back to the top of this loop.
+-      # Otherwise, if this program loops faster than the reader/writer on
+-      # the other end of the FIFO, we'd end up reading the data we just
+-      # wrote.  Quite annoying, actually.
+-      #
+-      # Note: this value must be manually extracted from the system header files
+-      # using the following program:
+-      #
+-      # -------- fionread.c -------------------
+-      #  #include &lt;sys/ioctl.h&gt;
+-      #
+-      #  int main(int argc, char *argv[]) {
+-      #   printf("%#08x\n", FIONREAD);
+-      #   return 0;
+-      # }
+-      # ---------------------------------------
+-      #
+-      # &#62; cc -o fionread fionread.c
+-      # &#62; ./fionread
+-
+-      my $FIONREAD = 0x00541b;
+-
+-      my $size = pack('L', 0);
+-      ioctl($fh, $FIONREAD, $size) or die "$program: unable to use ioctl: $!\n";
+-      $size = unpack('L', $size);
+-
+-      while ($size != 0) {
+-        print STDERR "$program: waiting for buffer to be read\n" if $verbose;
+-        select(undef, undef, undef, $delay);
+-
+-        $size = pack('L', 0);
+-        ioctl($fh, $FIONREAD, $size) or die "$program: unable to use ioctl: $!\n";
+-        $size = unpack('L', $size);
+-      }
+-    }
+-
+-		</PRE
+-></DIV
+-><P
+->		To make use of this example script, simply implement your
+-		lookup code in the lookup_value() subroutine. Be very
+-		careful with such scripts, though:
+-		</P
+-><P
+-></P
+-><OL
+-TYPE="1"
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+->			     "Keep it simple, stupid" (KISS), because if
+-			      this program hangs it will hang proftpd when
+-			      the rule occurs. Well, keep it as simple as
+-			      possible...
+-			     </P
+-></LI
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+->			     Avoid one common mistake: avoid buffered I/O
+-			     if possible. This can cause a deadloop. If
+-			     necessary, be sure to flush the filehandle
+-			     before reading, and after writing.
+-			     </P
+-></LI
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+->			     Use the RewriteLock directive to define a
+-			     lockfile mod_rewrite can use to synchronize
+-			     the communication to the FIFO program. By
+-			     default no such synchronization takes place.
+-			     </P
+-></LI
+-></OL
+-></LI
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+-><SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->Internal Function</B
+-></SPAN
+-></P
+-><P
+->			map-type: int, map-src: Internal mod_rewrite function.
+-		</P
+-><P
+->		Here the map-src is a mod_rewrite built-in function.
+-		Currently you cannot create your own, but the following
+-		functions already exist:
+-		</P
+-><P
+-></P
+-><UL
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+-><SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->toupper</B
+-></SPAN
+-></P
+-><P
+->			Converts the looked up key to all upper case.
+-			</P
+-></LI
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+-><SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->tolower</B
+-></SPAN
+-></P
+-><P
+->			Converts the looked up key to all lower case.
+-			</P
+-></LI
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+-><SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->unescape</B
+-></SPAN
+-></P
+-><P
+->			Translates hex-encodings in the looked up key back
+-			to special characters.
+-			</P
+-></LI
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+-><SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->utf8trans</B
+-></SPAN
+-></P
+-><P
+->			Translates UTF-8 encodings in the lookup up key into
+-			Latin-1 characters.
+-			</P
+-></LI
+-></UL
+-></LI
+-></UL
+-><P
+->The RewriteMap directive can occur more than once. For each mapping-function
+-use one RewriteMap directive to declare its rewriting map name.</P
+-><P
+-><SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->Note:</B
+-></SPAN
+-> For plain text files the looked-up
+-keys are cached in-core until the mtime of the text map file changes or
+-the server does a restart. This way you can have map-functions in rules
+-which are used for <SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->every</B
+-></SPAN
+-> request. This
+-is no problem, because the parsing of the text files only happens once!</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN7575"
+-></A
+-><H2
+->See also</H2
+-><P
+-><A
+-HREF="#REWRITECONDITION"
+->RewriteCondition</A
+-></P
+-></DIV
+-><H1
+-><A
+-NAME="REWRITERULE"
+-></A
+->
+-RewriteRule</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN7587"
+-></A
+-><H2
+->Name</H2
+->RewriteRule&nbsp;--&nbsp;Define a rewrite rule</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN7590"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->RewriteRule</B
+->  [  <CODE
+-CLASS="OPTION"
+->pattern substitution</CODE
+->]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->None</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->server config, &lt;Global&gt;, &lt;VirtualHost&gt;, &lt;Anonymous&gt;, &lt;Directory&gt;</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_rewrite</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->1.2.6rc1 and later</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN7617"
+-></A
+-><H2
+->Description</H2
+-><P
+->The RewriteRule directive is the real rewriting workhorse. The configuration
+-directive can occur more than once. Each directive defines a single
+-rewriting rule. The order of definition of these rules is important,
+-because this order is used when applying the rules at run-time.</P
+-><P
+->Pattern can be POSIX regular expression which gets applied to the current
+-FTP command argument(s).</P
+-><P
+->Some hints about the syntax of regular expressions:</P
+-><P
+-></P
+-><UL
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+-><SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->Text:</B
+-></SPAN
+-></P
+-><PRE
+-CLASS="PROGRAMLISTING"
+->	        .           Any single character
+-  		[chars]     Character class: one of chars
+-		[^chars]    Character class: none of chars
+-  		text1|text2 Alternative: text1 or text2
+-	      </PRE
+-></LI
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+-><SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->Quantifiers:</B
+-></SPAN
+-></P
+-><PRE
+-CLASS="PROGRAMLISTING"
+->	        ?           0 or 1 of the preceding text
+-  		*           0 or N of the preceding text (N &#62; 0)
+-  		+           1 or N of the preceding text (N &#62; 1)
+-	      </PRE
+-></LI
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+-><SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->Grouping:</B
+-></SPAN
+-></P
+-><PRE
+-CLASS="PROGRAMLISTING"
+-> 	      (text)       Grouping of text
+-              		   (either to set the borders of an alternative or
+-              		   for making backreferences where the Nth group can 
+-              		   be used on the RHS of a RewriteRule with $N)
+-	      </PRE
+-></LI
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+-><SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->Anchors:</B
+-></SPAN
+-></P
+-><PRE
+-CLASS="PROGRAMLISTING"
+->	        ^           Start of line anchor
+-  		$           End of line anchor
+-	      </PRE
+-></LI
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+-><SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->Escaping:</B
+-></SPAN
+-></P
+-><PRE
+-CLASS="PROGRAMLISTING"
+->		\char       Escape that particular char
+-              		    (for instance to specify the chars ".[]()" etc.)
+-	      </PRE
+-></LI
+-></UL
+-><P
+->For more information about regular expressions have a look at your local
+-regex(3) manpage. If you are interested in more detailed information about
+-regular expressions and their variants (POSIX regex, Perl regex, etc.) have
+-a look at the following dedicated book on this topic:</P
+-><P
+->Mastering Regular Expressions
+-Jeffrey E.F. Friedl
+-Nutshell Handbook Series
+-O'Reilly &#38; Associates, Inc. 1997
+-ISBN 1-56592-257-3</P
+-><P
+->Additionally in mod_rewrite the NOT character ('!') is a possible pattern
+-prefix. This gives you the ability to negate a pattern; to say, for instance:
+-"if the current argument(s) does NOT match this pattern". This can be used
+-for exceptional cases, where it is easier to match the negative pattern,
+-or as a last default rule.</P
+-><P
+-><SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->Notice:</B
+-></SPAN
+-> When using the NOT character to
+-negate a pattern you cannot have grouped wildcard parts in the pattern.
+-This is impossible because when the pattern does NOT match, there are no
+-contents for the groups. In consequence, if negated patterns are used,
+-you cannot use $N in the substitution string.</P
+-><P
+->Substitution of a rewriting rule is the string which is substituted for
+-(or replaces) the original argument(s) for which pattern matched. Beside
+-plain text you can use:</P
+-><P
+-></P
+-><OL
+-TYPE="1"
+-><LI
+-><P
+->     $N backreferences to the RewriteRule pattern
+-     </P
+-></LI
+-><LI
+-><P
+->     %N backreferences to the last matched RewriteCondition pattern
+-     </P
+-></LI
+-><LI
+-><P
+->     variables as in RewriteCondition test strings
+-     </P
+-></LI
+-><LI
+-><P
+->     map function calls (${map-name:lookup-key|default-value}) 
+-     </P
+-></LI
+-></OL
+-><P
+->Backreferences are $<SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->N</B
+-></SPAN
+->
+-(<SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->N</B
+-></SPAN
+->=0..9) identifiers which will be replaced
+-by the contents of the <SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->N</B
+-></SPAN
+->th group of the
+-matched pattern. The variables are the same as for the condition of a
+-<A
+-HREF="#REWRITECONDITION"
+->RewriteCondition</A
+-> directive, with two
+-additions:</P
+-><P
+-></P
+-><UL
+-><LI
+-><P
+->	%<SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->P</B
+-></SPAN
+->
+-	process ID
+-	</P
+-></LI
+-><LI
+-><P
+->	%<SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->t</B
+-></SPAN
+->
+-	Unix time since the epoch, in seconds
+-	</P
+-></LI
+-></UL
+-><P
+->The map functions come from the <A
+-HREF="#REWRITEMAP"
+->RewriteMap</A
+->
+-directive and are explained there. These four types of variables are
+-expanded in the order of the above list.</P
+-><P
+->All of the rewriting rules are applied to substitution. The command
+-argument(s) is completely replaced by the substitution.</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN7673"
+-></A
+-><H2
+->See also</H2
+-><P
+-><A
+-HREF="#REWRITECONDITION"
+->RewriteCondition</A
+->
+-<A
+-HREF="#REWRITEMAP"
+->RewriteMap</A
+-></P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN7678"
+-></A
+-><H2
+->Examples</H2
+-><P
+-CLASS="LITERALLAYOUT"
+-></P
+-></DIV
+-><H1
+-><A
+ NAME="RLIMITCPU"
+ ></A
+ >
+@@ -21815,115 +14077,6 @@
+ ></DIV
+ ><H1
+ ><A
+-NAME="SAVERATIOS"
+-></A
+->
+-SaveRatios</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN7924"
+-></A
+-><H2
+->Name</H2
+->SaveRatios&nbsp;--&nbsp;FIXME FIXME</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN7927"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->SaveRatios</B
+->  [  <CODE
+-CLASS="OPTION"
+->SaveRatios foo1 foo2 foo3</CODE
+->]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->None known</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->&lt;Directory&gt;, &lt;Anonymous&gt;, &lt;Limit&gt;,.ftpaccess</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_ratio</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->at least 1.2.0 and later</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN7954"
+-></A
+-><H2
+->Description</H2
+-><P
+->The SaveRatios directive ....
+-Example:
+-SaveRatios</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN7957"
+-></A
+-><H2
+->See also</H2
+-><P
+-></P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN7960"
+-></A
+-><H2
+->Examples</H2
+-><P
+-></P
+-></DIV
+-><H1
+-><A
+ NAME="SCOREBOARDFILE"
+ ></A
+ >
+@@ -22585,7 +14738,7 @@
+ ></A
+ ><H2
+ >Name</H2
+->SetEnv&nbsp;--&nbsp;(docs incomplete)</DIV
++>SetEnv&nbsp;--&nbsp;Set environment variable</DIV
+ ><DIV
+ CLASS="REFSYNOPSISDIV"
+ ><A
+@@ -23038,3443 +15191,6 @@
+ ></DIV
+ ><H1
+ ><A
+-NAME="SQLAUTHENTICATE"
+-></A
+->
+-    SQLAuthenticate</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN8431"
+-></A
+-><H2
+->Name</H2
+->SQLAuthenticate&nbsp;--&nbsp;    Specify authentication methods and what to authenticate 
+-  </DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN8434"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->SQLAuthenticate</B
+->  {on | off}</P
+-><P
+->&nbsp;&nbsp;or</P
+-><P
+-><B
+-CLASS="COMMAND"
+->SQLAuthenticate</B
+->  [      users
+-    ] [      groups
+-    ] [      userset [fast]
+-    ] [      groupset [fast]
+-    ]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->          SQLAuthenticate <SAMP
+-CLASS="COMPUTEROUTPUT"
+->on</SAMP
+-> 
+-        </P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->          server config, &lt;Global&gt;, &lt;VirtualHost&gt;
+-        </P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->          mod_sql
+-        </P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->          1.2.5rc1 and later
+-        </P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN8472"
+-></A
+-><H2
+->Description</H2
+-><P
+->The SQLAuthenticate directive configures mod_sql's authentication behavior,
+-controlling whether to provide user and/or group information during
+-authentication, and how that provisioning is performed. The parameters may
+-appear in any order.</P
+-><P
+->The available parameter values are:</P
+-><P
+-></P
+-><UL
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+-><SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->on</B
+-></SPAN
+-></P
+-><P
+->		Shorthand for SQLAuthenticate users groups userset groupset.
+-	      </P
+-></LI
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+-><SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->off</B
+-></SPAN
+-></P
+-><P
+->		Disables all mod_sql authentication functions.
+-	      </P
+-></LI
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+-><SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->users</B
+-></SPAN
+-></P
+-><P
+->		If present, mod_sql will do user lookups. If not present,
+-		mod_sql will do no user lookups at all, including the
+-		{set|get|end}pwent() calls (see below).
+-	      </P
+-></LI
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+-><SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->groups</B
+-></SPAN
+-></P
+-><P
+->		If present, mod_sql will do group lookups. If not present,
+-		mod_sql will do no group lookups at all, including the
+-		{set|get|end}grent() calls (see below).
+-	      </P
+-></LI
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+-><SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->userset[fast]</B
+-></SPAN
+-></P
+-><P
+->		If present, mod_sql will process the potentially expensive
+-		{set|get|end}pwent() calls. If not present, mod_sql will
+-		not process these calls. Adding the suffix "fast" tells
+-		mod_sql to process the users as a single large query, rather
+-		than making a query per user. This may significantly reduce
+-		the number of queries against the database at the expense
+-		of increased memory use. This parameter will have no effect
+-		if "users" is not specified.
+-	      </P
+-></LI
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+-><SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->groupset[fast]</B
+-></SPAN
+-></P
+-><P
+->		If present, mod_sql will process the potentially expensive
+-		{set|get|end}grent() calls. If not present, mod_sql will
+-		not process these calls. Adding the suffix "fast" tells
+-		mod_sql to process the groups as a single large query, 
+-		rather than making a query per group. This may significantly
+-		reduce the number of queries against the database at the
+-		expense of increased memory use. This parameter will have no
+-		effect if "groups" is not specified.
+-	      </P
+-></LI
+-></UL
+-><P
+->The SQLLog and SQLShowInfo directives will always be processed by mod_sql.
+-The SQLAuthenticate directive only affects the user and group
+-lookup/authentication portions of the module.</P
+-><P
+->Turning off (i.e. by not including) the userset or groupset parameters
+-affects the functionality of mod_sql. Not allowing these lookups may remove
+-the ability to control access or control functionality by group membership,
+-depending on your other authentication handlers and the data available to
+-them. At the same time, choosing not to do these lookups may dramatically
+-speed login for many large sites.</P
+-><P
+->The "fast" suffix is not appropriate for every site. Normally, mod_sql will
+-retrieve a list of users and groups, and get information from the database
+-on a per-user or per-group basis. This is query intensive: it requires
+-(nn + 1) queries, where n is the number of users or groups to lookup. By 
+-choosing "fast" lookups, mod_sql will make a single SELECT query to get
+-information from the database.</P
+-><P
+->In exchange for the radical reduction in the number of queries, the single
+-query will increase the memory consumption of the process; all group or user
+-information will be read at once rather than in discrete chunks.</P
+-></DIV
+-><DIV
+-CLASS="REFSECT2"
+-><A
+-NAME="AEN8505"
+-></A
+-><H3
+->Group Table Structure</H3
+-><P
+->Normally <SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->mod_sql</B
+-></SPAN
+-> allows multiple group
+-members per row, and multiple rows per group. If you use the "fast"
+-option for groupset, you <SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->must</B
+-></SPAN
+-> use only one
+-row per group. For example, normally mod_sql treats the following three
+-tables in exactly the same way:</P
+-><P
+-CLASS="LITERALLAYOUT"
+->|--------------------------------------------------|<br>
+-|&nbsp;&nbsp;GROUPNAME&nbsp;&nbsp;|&nbsp;&nbsp;GID&nbsp;&nbsp;|&nbsp;&nbsp;MEMBERS&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;|<br>
+-|--------------------------------------------------|<br>
+-|&nbsp;group1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;1000&nbsp;&nbsp;|&nbsp;naomi&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;|<br>
+-|&nbsp;group1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;1000&nbsp;&nbsp;|&nbsp;priscilla&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;|<br>
+-|&nbsp;group1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;1000&nbsp;&nbsp;|&nbsp;gertrude&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;|<br>
+-|--------------------------------------------------|<br>
+-<br>
+-|--------------------------------------------------|<br>
+-|&nbsp;&nbsp;GROUPNAME&nbsp;&nbsp;|&nbsp;&nbsp;GID&nbsp;&nbsp;|&nbsp;&nbsp;MEMBERS&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;|<br>
+-|--------------------------------------------------|<br>
+-|&nbsp;group1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;1000&nbsp;&nbsp;|&nbsp;naomi,&nbsp;priscilla&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;|<br>
+-|&nbsp;group1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;1000&nbsp;&nbsp;|&nbsp;gertrude&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;|<br>
+-|--------------------------------------------------|<br>
+-<br>
+-|--------------------------------------------------|<br>
+-|&nbsp;&nbsp;GROUPNAME&nbsp;&nbsp;|&nbsp;&nbsp;GID&nbsp;&nbsp;|&nbsp;&nbsp;MEMBERS&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;|<br>
+-|--------------------------------------------------|<br>
+-|&nbsp;group1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;1000&nbsp;&nbsp;|&nbsp;naomi,&nbsp;priscilla,&nbsp;gertrude&nbsp;|<br>
+-|--------------------------------------------------|</P
+-><P
+->If you use the "fast" option, mod_sql assumes that all entries are 
+-structured like the last example.</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN8512"
+-></A
+-><H2
+->See also</H2
+-><P
+->      <A
+-HREF="#SQLUSERINFO"
+->SQLUserInfo</A
+-> 
+-      <A
+-HREF="#SQLGROUPINFO"
+->SQLGroupInfo</A
+->
+-    </P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN8517"
+-></A
+-><H2
+->Examples</H2
+-></DIV
+-><H1
+-><A
+-NAME="SQLAUTHTYPES"
+-></A
+->
+-SQLAuthTypes</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN8527"
+-></A
+-><H2
+->Name</H2
+->SQLAuthTypes&nbsp;--&nbsp;Specify the allowed authentication types and their check order</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN8530"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->SQLAuthTypes</B
+->  [  <CODE
+-CLASS="OPTION"
+->[OpenSSL]</CODE
+->] [  <CODE
+-CLASS="OPTION"
+->[Crypt]</CODE
+->] [  <CODE
+-CLASS="OPTION"
+->[Backend]</CODE
+->] [  <CODE
+-CLASS="OPTION"
+->[Plaintext]</CODE
+->] [  <CODE
+-CLASS="OPTION"
+->[Empty]</CODE
+->]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->none</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->server config, &lt;Global&gt;, &lt;VirtualHost&gt;</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_sql</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->1.2.0 and later</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN8565"
+-></A
+-><H2
+->Description</H2
+-><P
+->This directive deprecates 'SQLEmptyPasswords',
+-'SQLScrambledPasswords', 'SQLSSLHashedPasswords',
+-'SQLPlaintextPasswords', and 'SQLEncryptedPasswords'.</P
+-><P
+->The SQLAuthTypes directive specifies which authentication method
+-are to be allowed, and their order of use.
+-<SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->You must specify at least one authentication
+-method.</B
+-></SPAN
+-></P
+-><P
+->The current supported authentication methods are:</P
+-><P
+-></P
+-><UL
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+-><SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->Backend</B
+-></SPAN
+-></P
+-><P
+->		Allows database-specific backend passwords. Not all
+-		backend databases support this option. For example,
+-		MySQL datatabases use this option to authenticate MySQL
+-		'PASSWORD()' encrypted passwords. The Postgres backend,
+-		however, does nothing.<SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->Caveat
+-		</B
+-></SPAN
+->: if your MySQL activity log is world-readable,
+-		the user password <SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->will be visible
+-		</B
+-></SPAN
+->. You have been warned.
+-              </P
+-></LI
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+-><SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->Crypt</B
+-></SPAN
+-></P
+-><P
+->		Allows passwords in the database to be of Unix crypt(3) form.
+-              </P
+-></LI
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+-><SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->Empty</B
+-></SPAN
+-></P
+-><P
+->		Allows empty passwords in the database, which match
+-		against <SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->any</B
+-></SPAN
+-> password
+-		the user may give. The database field must be a truly
+-		empty string; NULL values are not acceptable as empty
+-		passwords. <SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->Be very careful if using
+-		this authentication method.</B
+-></SPAN
+->
+-              </P
+-></LI
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+-><SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->OpenSSL</B
+-></SPAN
+-></P
+-><P
+->		Allows passwords in the database to be of the form
+-		'{digest-name}hashed-value', where hashed-value
+-		is the base64-encoded digest of the passsword.
+-		Only available if you define HAVE_OPENSSL when you
+-		compile proftpd  and you link with OpenSSL's libcrypto
+-		library.
+-              </P
+-></LI
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+-><SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->Plaintext</B
+-></SPAN
+-></P
+-><P
+->		Allows passwords in the database to be in plaintext.
+-              </P
+-></LI
+-></UL
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN8596"
+-></A
+-><H2
+->See also</H2
+-><P
+-></P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN8599"
+-></A
+-><H2
+->Examples</H2
+-><P
+-CLASS="LITERALLAYOUT"
+->	SQLAuthTypes&nbsp;Crypt&nbsp;Empty</P
+-><P
+->configures mod_sql to first attempt to verify the password using the
+-Unix crypt(3) function, then, if that fails, determine if the password
+-in the database is empty (thus matching any given password). If all of
+-the configured authentication methods fail, mod_sql will fail to
+-authenticate the user.</P
+-></DIV
+-><H1
+-><A
+-NAME="SQLBACKEND"
+-></A
+->
+-SQLBackend</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN8611"
+-></A
+-><H2
+->Name</H2
+->SQLBackend&nbsp;--&nbsp;Set the SQL backend module</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN8614"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->SQLBackend</B
+->  [  <CODE
+-CLASS="OPTION"
+->backend</CODE
+->]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->Depends</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->server config, &lt;Global&gt;, &lt;VirtualHost&gt;</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_sql</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->1.3.0rc1 and later</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN8641"
+-></A
+-><H2
+->Description</H2
+-><P
+->In 1.3.0rc1, the mod_sql module gained the ability to be compiled with multiple
+-backend modules supported, e.g. to have both mod_sql_mysql and mod_sql_postgres
+-usable in the same proftpd daemon. The SQLBackend directive configures which of
+-these different database backends should be used.</P
+-><P
+->If there is only one backend module compiled in, the SQLBackend directive is not
+-needed. If there are multiple backend modules compiled and no SQLBackend directive
+-is specified, then mod_sql will default to using the first backend module listed.
+-For instance, if you configured proftpd using a configure command such as:
+-
+-  ./configure --with-modules=mod_sql:mod_sql_postgres:mod_sql_mysql ...
+-
+-then mod_sql would default to using mod_sql_postgres as the backend module to use.</P
+-><P
+->You might have multiple &lt;VirtualHost&gt; sections which use different SQL backends.
+-Use "mysql" for the mod_sql_mysql module, and "postgres" for the mod_sql_postgres
+-module.</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN8646"
+-></A
+-><H2
+->See also</H2
+-><P
+-></P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN8649"
+-></A
+-><H2
+->Examples</H2
+-><P
+-CLASS="LITERALLAYOUT"
+->&nbsp;&nbsp;&lt;VirtualHost&nbsp;1.2.3.4&gt;<br>
+-&nbsp;&nbsp;&nbsp;&nbsp;SQLBackend&nbsp;mysql<br>
+-&nbsp;&nbsp;&nbsp;&nbsp;...<br>
+-&nbsp;&nbsp;&lt;/VirtualHost&gt;<br>
+-<br>
+-&nbsp;&nbsp;&lt;VirtualHost&nbsp;5.6.7.8&gt;<br>
+-&nbsp;&nbsp;&nbsp;&nbsp;SQLBackend&nbsp;postgres<br>
+-&nbsp;&nbsp;&nbsp;&nbsp;...<br>
+-&nbsp;&nbsp;&lt;/VirtualHost&gt;</P
+-></DIV
+-><H1
+-><A
+-NAME="SQLCONNECTINFO"
+-></A
+->
+-SQLConnectInfo</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN8660"
+-></A
+-><H2
+->Name</H2
+->SQLConnectInfo&nbsp;--&nbsp;Specify connection information for the backend</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN8663"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->SQLConnectInfo</B
+->  [  <CODE
+-CLASS="OPTION"
+->connection-info</CODE
+->] [  <CODE
+-CLASS="OPTION"
+->[username]</CODE
+->] [  <CODE
+-CLASS="OPTION"
+->[password]</CODE
+->] [  <CODE
+-CLASS="OPTION"
+->[policy]</CODE
+->]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->None</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->server config, &lt;Global&gt;, &lt;VirtualHost&gt;</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_sql</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->1.2.0 and later</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN8696"
+-></A
+-><H2
+->Description</H2
+-><P
+->This directive deprecates 'MySQLInfo', 'PostgresInfo', and
+-'PostgresPort'.</P
+-><P
+->The SQLConnectInfo directive configures the information necessary to
+-connect to the backend database. The connection-info parameter specifies
+-the database, host, port, and other backend-specific information. The
+-optional username and password parameters specify a username and password
+-to use when connecting to the database. Both default to NULL, which the
+-backend will treat in some backend-specific manner. If you specify a
+-password, you <SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->must</B
+-></SPAN
+-> specify a username.
+-If no SQLConnectInfo directive is specified, mod_sql will disable itself.</P
+-><P
+->Any given database backend has the opportunity, though not necessarily
+-the responsibility, to check for syntax errors in the connection-info
+-field at server startup, but you should not expect semantic errors
+-(i.e., cannot connect to the database) to be caught until mod_sql 
+-attempts to connect for a given host.</P
+-><P
+->A given database connection is governed by a connection policy that
+-specifies when a connection should be opened and when it should be
+-closed. There are three options:</P
+-><P
+-></P
+-><UL
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+-><SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->PERSESSION</B
+-></SPAN
+-></P
+-><P
+->		Open a database connection at the start of the session
+-		and close the database connection at the end of the session.
+-              </P
+-></LI
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+->number (<SPAN
+-CLASS="bold"
+-><B
+-CLASS="EMPHASIS"
+->TIMED</B
+-></SPAN
+->)</P
+-><P
+->		Timed database connections that close themselves
+-		after number seconds of inactivity.
+-              </P
+-></LI
+-></UL
+-><P
+->If a connection policy is not specified, if the policy is not a number or
+-is a number less than 1, or if the policy is the string "PERSESSION",
+-the PERSESSION policy will be used.</P
+-><P
+->If the connection policy is any number greater than 0, it specifies the
+-number of seconds that a connection will be held open without activity.
+-After that many seconds of database inactivity, the connection to the
+-database will be closed. As soon as database activity starts again,
+-the connection will be opened and the timer will restart.</P
+-><P
+->The MySQL and Postgres backends' connection-info is expected to be of the form:</P
+-><P
+->database[@hostname][:port]</P
+-><P
+->hostname will default to a backend-specific hostname (which happens to be
+-'localhost' for both the MySQL and Postgres backends), and port will default
+-to a backend-specific default port (3306 for the MySQL backend, 5432 for
+-the Postgres backend).</P
+-><P
+->From the MySQL documentation:</P
+-><P
+->the value of host may be either a hostname or an IP address. If host is
+-NULL or the string "localhost", a connection to the local host is assumed.
+-If the OS supports sockets (Unix) or named pipes (Windows), they are used
+-instead of TCP/IP to connect to the server.</P
+-><P
+->From the PostgreSQL documentation:</P
+-><P
+->If [the hostname] begins with a slash, it specifies Unix-domain
+-communication rather than TCP/IP communication; the value is the
+-name of the directory in which the socket file is stored. The default
+-is to connect to a Unix-domain socket in /tmp.</P
+-><P
+->If you plan to use the TIMED connection policy, consider the effect of
+-directives such as DefaultRoot on local socket communication: once a user
+-has been chroot()ed, the local socket file will probably not be available
+-within the chroot directory tree, and attempts to reopen communication will
+-fail. One way around this may be to use hardlinks within the user's
+-directory tree. PERSESSION connections are not affected by this because
+-the database will be opened prior to the chroot() call, and held open
+-for the life of the session. Network communications are not affected by
+-this problem. For example, while localhost would not work for MySQL since
+-the MySQL client library will try to use socket communications for that
+-host, 127.0.0.1 will work (as long as your database is setup to accept
+-these connections).</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN8722"
+-></A
+-><H2
+->See also</H2
+-><P
+-></P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN8725"
+-></A
+-><H2
+->Examples</H2
+-><P
+-CLASS="LITERALLAYOUT"
+->&nbsp;&nbsp;#&nbsp;Connect&nbsp;to&nbsp;the&nbsp;database&nbsp;'ftpusers'&nbsp;via&nbsp;the&nbsp;default&nbsp;port&nbsp;at&nbsp;host<br>
+-&nbsp;&nbsp;#&nbsp;'foo.com'.&nbsp;&nbsp;Use&nbsp;a&nbsp;NULL&nbsp;username&nbsp;and&nbsp;NULL&nbsp;password&nbsp;when&nbsp;connecting.<br>
+-&nbsp;&nbsp;#&nbsp;A&nbsp;connection&nbsp;policy&nbsp;of&nbsp;PERSESSION&nbsp;is&nbsp;used.<br>
+-&nbsp;&nbsp;SQLConnectInfo&nbsp;[email protected]<br>
+-<br>
+-&nbsp;&nbsp;#&nbsp;Connect&nbsp;to&nbsp;the&nbsp;database&nbsp;'ftpusers'&nbsp;via&nbsp;port&nbsp;3000&nbsp;at&nbsp;host&nbsp;'localhost'.<br>
+-&nbsp;&nbsp;#&nbsp;Use&nbsp;the&nbsp;username&nbsp;'admin'&nbsp;and&nbsp;a&nbsp;NULL&nbsp;password&nbsp;when&nbsp;connecting.<br>
+-&nbsp;&nbsp;#&nbsp;A&nbsp;connection&nbsp;policy&nbsp;of&nbsp;PERSESSION&nbsp;is&nbsp;used.<br>
+-&nbsp;&nbsp;SQLConnectInfo&nbsp;ftpusers:3000&nbsp;admin<br>
+-<br>
+-&nbsp;&nbsp;#&nbsp;Connect&nbsp;to&nbsp;the&nbsp;database&nbsp;'ftpusers'&nbsp;via&nbsp;port&nbsp;3000&nbsp;at&nbsp;host&nbsp;'foo.com'.<br>
+-&nbsp;&nbsp;#&nbsp;Use&nbsp;the&nbsp;username&nbsp;'admin'&nbsp;and&nbsp;password&nbsp;'mypassword'&nbsp;when&nbsp;connecting.<br>
+-&nbsp;&nbsp;#&nbsp;A&nbsp;connection&nbsp;policy&nbsp;of&nbsp;PERSESSION&nbsp;is&nbsp;used.<br>
+-&nbsp;&nbsp;SQLConnectInfo&nbsp;[email protected]:3000&nbsp;admin&nbsp;mypassword<br>
+-<br>
+-&nbsp;&nbsp;#&nbsp;Connect&nbsp;to&nbsp;the&nbsp;database&nbsp;'ftpusers'&nbsp;via&nbsp;port&nbsp;3000&nbsp;at&nbsp;host&nbsp;'foo.com'.<br>
+-&nbsp;&nbsp;#&nbsp;Use&nbsp;a&nbsp;username&nbsp;of&nbsp;'admin'&nbsp;and&nbsp;a&nbsp;password&nbsp;of&nbsp;'mypassword'&nbsp;when<br>
+-&nbsp;&nbsp;#&nbsp;connecting.&nbsp;&nbsp;A&nbsp;30&nbsp;second&nbsp;timer&nbsp;of&nbsp;connection&nbsp;inactivity&nbsp;is&nbsp;activated.<br>
+-&nbsp;&nbsp;SQLConnectInfo&nbsp;[email protected]:3000&nbsp;admin&nbsp;mypassword&nbsp;30</P
+-><P
+->Backends may require different information in the connection-info field;
+-check your backend module for more detailed information.</P
+-></DIV
+-><H1
+-><A
+-NAME="SQLDEFAULTGID"
+-></A
+->
+-SQLDefaultGID</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN8737"
+-></A
+-><H2
+->Name</H2
+->SQLDefaultGID&nbsp;--&nbsp;Configure the default GID for users</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN8740"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->SQLDefaultGID</B
+->  [  <CODE
+-CLASS="OPTION"
+->defaultgid</CODE
+->]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->65533</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->server config, &lt;Global&gt;, &lt;VirtualHost&gt;</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_sql</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->1.2.0 and later</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN8767"
+-></A
+-><H2
+->Description</H2
+-><P
+->Sets the default GID for users.  Must be greater than SQLMinID.</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN8770"
+-></A
+-><H2
+->See also</H2
+-><P
+-><A
+-HREF="#SQLMINID"
+->SQLMinID</A
+->
+-<A
+-HREF="#SQLMINUSERGID"
+->SQLMinUserGID</A
+-></P
+-></DIV
+-><H1
+-><A
+-NAME="SQLDEFAULTHOMEDIR"
+-></A
+->
+-SQLDefaultHomedir</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN8783"
+-></A
+-><H2
+->Name</H2
+->SQLDefaultHomedir&nbsp;--&nbsp;Configure the default homedir</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN8786"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->SQLDefaultHomedir</B
+->  [  <CODE
+-CLASS="OPTION"
+->path</CODE
+->]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->None</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->server config, &lt;Global&gt;, &lt;VirtualHost&gt;</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_sql</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->1.2.5rc1 and later</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN8813"
+-></A
+-><H2
+->Description</H2
+-><P
+->The SQLDefaultHomedir directive configures a default home directory for all
+-users authenticated with this module, overriding any (deprecated)
+-SQLHomedirField directive. If no home directory is set with either directive,
+-authentication fails. This directive does not change the data retrieved from
+-the database: if you specify a home directory field to SQLUserInfo, that
+-field's data will be returned as the user's home directory, whether that
+-data is a legal directory, or an empty string, or NULL.</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN8816"
+-></A
+-><H2
+->See also</H2
+-><P
+-><A
+-HREF="#SQLUSERINFO"
+->SQLUserInfo</A
+-></P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN8820"
+-></A
+-><H2
+->Examples</H2
+-><P
+-CLASS="LITERALLAYOUT"
+-></P
+-></DIV
+-><H1
+-><A
+-NAME="SQLDEFAULTUID"
+-></A
+->
+-SQLDefaultUID</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN8831"
+-></A
+-><H2
+->Name</H2
+->SQLDefaultUID&nbsp;--&nbsp;Configure the default UID for users</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN8834"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->SQLDefaultUID</B
+->  [  <CODE
+-CLASS="OPTION"
+->defaultuid</CODE
+->]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->65533</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->server config, &lt;Global&gt;, &lt;VirtualHost&gt;</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_sql</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->1.2.0 and later</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN8861"
+-></A
+-><H2
+->Description</H2
+-><P
+->Sets the default UID for users.  Must be greater than SQLMinID.</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN8864"
+-></A
+-><H2
+->See also</H2
+-><P
+-><A
+-HREF="#SQLMINID"
+->SQLMinID</A
+->
+-<A
+-HREF="#SQLMINUSERUID"
+->SQLMinUserUID</A
+-></P
+-></DIV
+-><H1
+-><A
+-NAME="SQLENGINE"
+-></A
+->
+-SQLEngine</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN8877"
+-></A
+-><H2
+->Name</H2
+->SQLEngine&nbsp;--&nbsp;Configure how mod_sql will operate</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN8880"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->SQLEngine</B
+->  [  <CODE
+-CLASS="OPTION"
+->on|off|auth|log</CODE
+->]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->SQLEngine on</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->server config, &lt;Global&gt;, &lt;VirtualHost&gt;, &lt;Anonymous&gt;</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_sql</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->1.3.0rc1 and later</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN8907"
+-></A
+-><H2
+->Description</H2
+-><P
+->The SQLEngine directive is used to specify how mod_sql will operate. By
+-default, SQLEngine is on, and mod_sql will operate as normal. Setting
+-SQLEngine to off will effectively disable the module.</P
+-><P
+->In addition to on and off, SQLEngine accepts two other values: auth and
+-log. If you wish to use mod_sql for authentication and not for logging
+-(via SQLLog), use auth. Conversely, to do only SQLLog-type logging, and
+-no authentication, use log.</P
+-><P
+->This directive can be used to have &lt;Anonymous&gt; sections that do not use
+-mod_sql (see the example below).</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN8912"
+-></A
+-><H2
+->See also</H2
+-><P
+-></P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN8915"
+-></A
+-><H2
+->Examples</H2
+-><P
+-CLASS="LITERALLAYOUT"
+->&nbsp;&nbsp;&lt;Anonymous&nbsp;~ftp&gt;<br>
+-&nbsp;&nbsp;&nbsp;&nbsp;...<br>
+-&nbsp;&nbsp;&nbsp;&nbsp;SQLEngine&nbsp;off<br>
+-&nbsp;&nbsp;&nbsp;&nbsp;...<br>
+-&nbsp;&nbsp;&lt;/Anonymous&gt;</P
+-></DIV
+-><H1
+-><A
+-NAME="SQLGROUPINFO"
+-></A
+->
+-SQLGroupInfo</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN8926"
+-></A
+-><H2
+->Name</H2
+->SQLGroupInfo&nbsp;--&nbsp;Configure the group table and fields that hold group information</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN8929"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->SQLGroupInfo</B
+->  [  <CODE
+-CLASS="OPTION"
+->group-table group-name gid members</CODE
+->]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->&quot;groups groupname gid members&quot;</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->server config, &lt;Global&gt;, &lt;VirtualHost&gt;</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_sql</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->1.2.5rc1 and later</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN8956"
+-></A
+-><H2
+->Description</H2
+-><P
+->The SQLGroupInfo directive configures the group table and fields that hold group information. The parameters for this directive are described below:</P
+-><P
+-></P
+-><UL
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+->grouptable</P
+-><P
+->      Specifies the name of the table that holds group information.</P
+-></LI
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+->groupname</P
+-><P
+->      Specifies the field in the group table that holds the group name.</P
+-></LI
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+->gid</P
+-><P
+->      Specifies the field in the group table that holds the group's GID.</P
+-></LI
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+->members</P
+-><P
+->      Specifies the field in the group table that holds the group members.</P
+-></LI
+-></UL
+-><P
+->If you need to change any of these field names from the default, you need
+-to specify all of them.</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN8973"
+-></A
+-><H2
+->See also</H2
+-><P
+-></P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN8976"
+-></A
+-><H2
+->Examples</H2
+-><P
+-CLASS="LITERALLAYOUT"
+-></P
+-></DIV
+-><H1
+-><A
+-NAME="SQLGROUPWHERECLAUSE"
+-></A
+->
+-SQLGroupWhereClause</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN8987"
+-></A
+-><H2
+->Name</H2
+->SQLGroupWhereClause&nbsp;--&nbsp;Configure a WHERE clause for every group query</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN8990"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->SQLGroupWhereClause</B
+->  [  <CODE
+-CLASS="OPTION"
+->where-clause</CODE
+->]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->off</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->server config, &lt;Global&gt;, &lt;VirtualHost&gt;</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_sql</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->1.2.5rc1 and later</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN9017"
+-></A
+-><H2
+->Description</H2
+-><P
+->The directive is used to configure a WHERE clause that is added to every
+-group query. The WHERE clause must contain all relevant punctuation, and
+-must not contain a leading "and".</P
+-><P
+->Starting with ProFTPD 1.3.1rc1 the SQLGroupWhereClause also supports the
+-variables supported by <A
+-HREF="#SQLNAMEDQUERY"
+->SQLNamedQuery</A
+->
+-except for the &quot;%{n}&quot; variable</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN9022"
+-></A
+-><H2
+->See also</H2
+-><P
+-><A
+-HREF="#SQLNAMEDQUERY"
+->SQLNamedQuery</A
+-></P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN9026"
+-></A
+-><H2
+->Examples</H2
+-><P
+->As an example of a possible use for this directive, imagine if your group
+-table included a "LoginAllowed" field:</P
+-><P
+-CLASS="LITERALLAYOUT"
+->&nbsp;&nbsp;SQLGroupWhereClause&nbsp;"LoginAllowed&nbsp;=&nbsp;'true'"</P
+-><P
+->would be appended to every group-related query as the string:</P
+-><P
+-CLASS="LITERALLAYOUT"
+->&nbsp;&nbsp;"&nbsp;WHERE&nbsp;(LoginAllowed&nbsp;=&nbsp;'true')"</P
+-></DIV
+-><H1
+-><A
+-NAME="SQLHOMEDIRONDEMAND"
+-></A
+->
+-SQLHomedirOnDemand</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN9040"
+-></A
+-><H2
+->Name</H2
+->SQLHomedirOnDemand&nbsp;--&nbsp;Have mod_sql create home directories as needed [deprecated]</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN9043"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->SQLHomedirOnDemand</B
+->  [  <CODE
+-CLASS="OPTION"
+->on|off</CODE
+->]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->off</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->server config, &lt;Global&gt;, &lt;VirtualHost&gt;</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_sql</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->1.2.0 up to 1.3.1rc1</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN9070"
+-></A
+-><H2
+->Description</H2
+-><P
+->This directive has been deprecated with ProFTPD 1.3.1rc1.
+-Please use <A
+-HREF="#CREATEHOME"
+->CreateHome</A
+-> instead.</P
+-><P
+->The SQLHomedirOnDemand directive configures mod_sql to automatically
+-create a user's home directory if that directory does not exist during
+-the login process.</P
+-></DIV
+-><H1
+-><A
+-NAME="SQLLOG"
+-></A
+->
+-SQLLog</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN9083"
+-></A
+-><H2
+->Name</H2
+->SQLLog&nbsp;--&nbsp;Log information to a database table</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN9086"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->SQLLog</B
+->  [  <CODE
+-CLASS="OPTION"
+->cmd-set query-name [&quot;IGNORE_ERRORS&quot;</CODE
+->]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->None</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->server config, &lt;Global&gt;, &lt;VirtualHost&gt;</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_sql</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->1.2.5rc1 and later</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN9113"
+-></A
+-><H2
+->Description</H2
+-><P
+->This directive is used to log information to a database table. Multiple
+-SQLLog directives can be in effect for any command; for example, a user
+-changing directories can trigger multiple logging statements.</P
+-><P
+->The first parameter to SQLLog, the cmd-set, is a comma-separated (no spaces)
+-list of FTP commands for which this log command will trigger. The list of
+-commands is too long to list in entirety; commands include CWD, DELE, HELP,
+-LIST, MKD, MODE, NLST, PASS, PASV, PORT and many more. For the complete list
+-check the FTP RFCs. Normally mod_sql will log events after they have
+-completed successfully; in the case of the QUIT command, mod_sql logs prior
+-to the server's processing of the command. (Note, however, that the client
+-may not issue a QUIT before logging out; in this case, use a command of EXIT
+-rather than QUIT. EXIT is not a real FTP command, but it is used here to
+-provide a means for having SQLLog work whenever a session ends.)</P
+-><P
+->FTP commands in the command set will only be logged if they complete
+-successfully. Prefixing any command with "ERR_" will cause logging to occur
+-only if there was an error in the command's processing. To log both errors
+-and successful completion of a given command X, therefore, you'll need both
+-"X" and "ERR_X" in your cmd-set.</P
+-><P
+->The special command "*" matches all FTP commands, while "ERR_*" matches all
+-errors.</P
+-><P
+->The second parameter is the name of a query defined by a SQLNamedQuery
+-directive. The query must be an UPDATE, INSERT, or FREEFORM type query;
+-explicit SELECT queries will not be processed.</P
+-><P
+->The third parameter is optional. If you add "IGNORE_ERRORS" as the third
+-parameter, SQLLog will not check for errors in the processing of the named
+-query. Any value for this parameter other than the string "IGNORE_ERRORS"
+-(case-insensitive) will not cause errors to be ignored.</P
+-><P
+->Normally, SQLLog directives are considered important enough that errors in
+-their processing will cause mod_sql to abort the client session. References
+-to non-existent named queries will not abort the client session, but may
+-result in database corruption (in the sense that the expected database
+-UPDATE or INSERT will not occur). Check your directives carefully.</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN9122"
+-></A
+-><H2
+->See also</H2
+-><P
+-></P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN9125"
+-></A
+-><H2
+->Examples</H2
+-><P
+-CLASS="LITERALLAYOUT"
+->&nbsp;&nbsp;SQLLog&nbsp;PASS&nbsp;updatecount<br>
+-&nbsp;&nbsp;SQLNamedQuery&nbsp;updatecount&nbsp;UPDATE&nbsp;"count=count+1&nbsp;WHERE&nbsp;userid='%u'"&nbsp;users</P
+-><P
+->together, these replicate the deprecated "SQLLoginCountField count" directive;
+-if the current user was "joe", this would translate into the query "UPDATE
+-users SET count=count+1 WHERE userid='joe'". This query would run whenever a
+-user was first authenticated.</P
+-><P
+-CLASS="LITERALLAYOUT"
+->&nbsp;&nbsp;SQLLog&nbsp;CWD&nbsp;updatedir<br>
+-&nbsp;&nbsp;SQLNamedQuery&nbsp;updatedir&nbsp;UPDATE&nbsp;"cwd='%d'&nbsp;where&nbsp;userid='%u'"&nbsp;users</P
+-><P
+->together these replicate the logging side of the deprecated "SQLLogDirs cwd"
+-directive; if the current user was "joe" and the current working directory
+-were /tmp, this would translate into the query "UPDATE users SET cwd='/tmp'
+-WHERE userid='joe'". This query would run whenever a user changed directories.</P
+-><P
+-CLASS="LITERALLAYOUT"
+->&nbsp;&nbsp;SQLLog&nbsp;RETR,STOR&nbsp;insertfileinfo<br>
+-&nbsp;&nbsp;SQLNamedQuery&nbsp;insertfileinfo&nbsp;INSERT&nbsp;"'%f',&nbsp;%b,&nbsp;'%u@%v',&nbsp;now()"&nbsp;filehistory</P
+-><P
+->would log the name of any file stored or retrieved, the number of bytes
+-transferred, the user and host doing the transfer, and the time of transfer
+-(at least in MySQL). This would translate into a query like: "INSERT INTO
+-filehistory VALUES ('somefile', 12345, '[email protected]', '21-05-2001 20:01:00')"</P
+-></DIV
+-><H1
+-><A
+-NAME="SQLLOGFILE"
+-></A
+->
+-SQLLogFile</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN9141"
+-></A
+-><H2
+->Name</H2
+->SQLLogFile&nbsp;--&nbsp;Specify a log file for mod_sql reporting and debugging</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN9144"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->SQLLogFile</B
+->  [  <CODE
+-CLASS="OPTION"
+->file</CODE
+->]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->None</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->server config, &lt;Global&gt;, &lt;VirtualHost&gt;</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_sql</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->1.2.8rc2 and later</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN9171"
+-></A
+-><H2
+->Description</H2
+-><P
+->The SQLLogFile directive is used to a specify a log file for mod_sql
+-reporting and debugging, and can be done a per-server basis. The file
+-parameter must be the full path to the file to use for logging. Note
+-that this path must not be to a world-writeable directory and, unless
+-AllowLogSymlinks is explicitly set to on (generally a bad idea), the
+-path must not be a symbolic link.</P
+-><P
+->If file is "none", no logging will be done at all; this setting can be
+-used to override a SQLLogFile setting inherited from a ;ltgt&#38; context. </P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN9175"
+-></A
+-><H2
+->See also</H2
+-><P
+-></P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN9178"
+-></A
+-><H2
+->Examples</H2
+-><P
+-CLASS="LITERALLAYOUT"
+-></P
+-></DIV
+-><H1
+-><A
+-NAME="SQLMINID"
+-></A
+->
+-SQLMinID</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN9189"
+-></A
+-><H2
+->Name</H2
+->SQLMinID&nbsp;--&nbsp;Set SQLMinUserGID and SQLMinUserID in one place</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN9192"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->SQLMinID</B
+->  [  <CODE
+-CLASS="OPTION"
+->minimum-id</CODE
+->]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->999</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->server config, &lt;Global&gt;, &lt;VirtualHost&gt;</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_sql</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->1.2.0 and later</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN9219"
+-></A
+-><H2
+->Description</H2
+-><P
+->SQLMinID is a quick way of setting both SQLMinUserGID and SQLMinUserUID.
+-These values are checked whenever retrieving a user's GID or UID.</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN9222"
+-></A
+-><H2
+->See also</H2
+-><P
+-><A
+-HREF="#SQLMINUSERGID"
+->SQLMinUserGID</A
+->
+-<A
+-HREF="#SQLMINUSERUID"
+->SQLMinUserUID</A
+-></P
+-></DIV
+-><H1
+-><A
+-NAME="SQLMINUSERGID"
+-></A
+->
+-SQLMinUserGID</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN9235"
+-></A
+-><H2
+->Name</H2
+->SQLMinUserGID&nbsp;--&nbsp;Set a minimum GID</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN9238"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->SQLMinUserGID</B
+->  [  <CODE
+-CLASS="OPTION"
+->minimum-gid</CODE
+->]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->999</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->server config, &lt;Global&gt;, &lt;VirtualHost&gt;</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_sql</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->1.2.5rc1 and later</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN9265"
+-></A
+-><H2
+->Description</H2
+-><P
+->SQLMinUserGID is checked whenever retrieving a user's GID. If the retrieved
+-value for GID is less than the value of SQLMinUserGID, it is reported as the
+-value of SQLDefaultGID.</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN9268"
+-></A
+-><H2
+->See also</H2
+-><P
+-></P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN9271"
+-></A
+-><H2
+->Examples</H2
+-><P
+-CLASS="LITERALLAYOUT"
+-></P
+-></DIV
+-><H1
+-><A
+-NAME="SQLMINUSERUID"
+-></A
+->
+-SQLMinUserUID</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN9282"
+-></A
+-><H2
+->Name</H2
+->SQLMinUserUID&nbsp;--&nbsp;Set a minimum UID</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN9285"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->SQLMinUserUID</B
+->  [  <CODE
+-CLASS="OPTION"
+->minimum-uid</CODE
+->]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->999</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->server config, &lt;Global&gt;, &lt;VirtualHost&gt;</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_sql</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->1.2.5rc1 and later</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN9312"
+-></A
+-><H2
+->Description</H2
+-><P
+->SQLMinUserUID is checked whenever retrieving a user's UID. If the retrieved
+-value for UID is less than the value of SQLMinUserUID, it is reported as the
+-value of SQLDefaultUID.</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN9315"
+-></A
+-><H2
+->See also</H2
+-><P
+-></P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN9318"
+-></A
+-><H2
+->Examples</H2
+-><P
+-CLASS="LITERALLAYOUT"
+-></P
+-></DIV
+-><H1
+-><A
+-NAME="SQLNAMEDQUERY"
+-></A
+->
+-SQLNamedQuery</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN9329"
+-></A
+-><H2
+->Name</H2
+->SQLNamedQuery&nbsp;--&nbsp;Specify a query and an identifier for SQLShowInfo and SQLLog</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN9332"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->SQLNamedQuery</B
+->  [  <CODE
+-CLASS="OPTION"
+->"name" limit|regex|ip value</CODE
+->]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->(docs incomplete)</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->server config, &lt;Global&gt;, &lt;VirtualHost&gt;, &lt;Anonymous&gt;, &lt;Limit&gt;, .ftpaccess</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_sql</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->1.2.5rc1 and later</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN9359"
+-></A
+-><H2
+->Description</H2
+-><P
+->SQLNamedQuery specifies a query and an identifier (name) for later use by
+-SQLShowInfo and SQLLog.</P
+-><P
+->It is strongly recommended that you read documentation on the LogFormat
+-and ExtendedLog directives, as the meta-sequences available to SQLNamedQuery
+-are largely equivalent.</P
+-><P
+->The first parameter, name, should be unique across all named queries and
+-must not contain spaces. The result of re-using a name is undefined.</P
+-><P
+->The second parameter, type, is the type of query, either "SELECT", "UPDATE",
+-"INSERT", or "FREEFORM". See the note below for information on FREEFORM type
+-queries.</P
+-><P
+->The third parameter is the substance of the database query itself; this
+-should match the form of the second parameter. The meta-sequences accepted
+-are exactly equivalent to the LogFormat directive except the following are
+-not accepted:</P
+-><P
+-></P
+-><UL
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+->%{FOOBAR}e</P
+-><P
+->For LogFormat, this logs the content of environment variable "FOOBAR". This
+-is not bavailable in mod_sql.</P
+-></LI
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+->%{format}t and %t</P
+-><P
+->These two meta-sequences logged the local server time; they are not available
+-in mod_sql. Your database undoubtedly provides another way to get the time;
+-for example, MySQL provides the now() function.</P
+-></LI
+-></UL
+-><P
+->and the following is in addition to the LogFormat meta-sequences:</P
+-><P
+->&#13;<P
+-></P
+-><UL
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+->%d</P
+-><P
+->The current working directory or "-" if none.</P
+-></LI
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+->%{n}</P
+-><P
+->This meta-sequence is used internally by mod_sql and other third-party
+-modules and patches to pass information to the database. Using this
+-meta-sequence in anything other than an INSERT or UPDATE query is an
+-error, and using this meta-sequence unless directed to by a third-party
+-module or patch is also an error.</P
+-></LI
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+->%{env:VAR}</P
+-><P
+->Starting with ProFTPD 1.3.1rc1 the SQLNamedQuery directive is able to make
+-use of environment variables in the format &quot;%{env:VAR}&quot;. The value
+-of the environment variable VAR will be substituted into the SQL statement.</P
+-></LI
+-></UL
+->&#13;</P
+-><P
+->The correct form of a query will be built from the directive arguments,
+-except in the case of FREEFORM queries which will be sent directly to the
+-database. The examples below show the way queries are built from the arguments.</P
+-><P
+->The fourth parameter, table, is only necessary for UPDATE or INSERT type
+-queries, but is required for those types.</P
+-><P
+->Note: FREEFORM queries are a necessary evil; the simplistic query semantics
+-of the UPDATE, INSERT, and SELECT type queries do not sufficiently expose
+-the capabilities of most backend databases. At the same time, using a
+-FREEFORM query makes it impossible for mod_sql to check whether the query
+-type is appropriate, making sure that a SELECT query is not used in a SQLLog
+-directive, for instance. Wherever possible, it is recommended that a specific
+-query type be used.</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN9388"
+-></A
+-><H2
+->See also</H2
+-><P
+-><A
+-HREF="#SQLSHOWINFO"
+->SQLShowInfo</A
+->
+-<A
+-HREF="#SQLLOG"
+->SQLLog</A
+->
+-<A
+-HREF="#LOGFORMAT"
+->LogFormat</A
+->
+-<A
+-HREF="#EXTENDEDLOG"
+->ExtendedLog</A
+-></P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN9395"
+-></A
+-><H2
+->Examples</H2
+-><P
+-CLASS="LITERALLAYOUT"
+->SQLNamedQuery&nbsp;count&nbsp;SELECT&nbsp;"count&nbsp;from&nbsp;users&nbsp;where&nbsp;userid='%u'"</P
+-><P
+->creates a query named "count" which could be used by SQLShowInfo to inform
+-a user of their login count. The actual query would look something like
+-"SELECT count FROM users WHERE userid='matilda'" for user "matilda".</P
+-><P
+-CLASS="LITERALLAYOUT"
+->SQLNamedQuery&nbsp;updatecount&nbsp;UPDATE&nbsp;"count=count+1&nbsp;WHERE&nbsp;userid='%u'"&nbsp;users</P
+-><P
+->creates a query named "updatecount" which could be used by SQLLog to update
+-a user login counter in the table users. The actual query would look something
+-like "UPDATE users SET count=count+1 WHERE userid='persephone'" for user
+-"persephone".</P
+-><P
+-CLASS="LITERALLAYOUT"
+->SQLNamedQuery&nbsp;accesslog&nbsp;INSERT&nbsp;"now(),&nbsp;'%u'"&nbsp;accesslog</P
+-><P
+->creates a query named "accesslog" which could be used by SQLLog to track
+-access times by clients. The actual query would look something like "INSERT
+-INTO accesslog VALUES (now(), 'pandora')" for user "pandora". Note that this
+-may be too simplistic for your table structure, since most databases require
+-data for all columns to be provided in an INSERT statement of this form. See
+-the following FREEFORM query for an example of something which may suit your
+-needs better.</P
+-><P
+-CLASS="LITERALLAYOUT"
+->SQLNamedQuery&nbsp;accesslog&nbsp;FREEFORM&nbsp;"INSERT&nbsp;INTO&nbsp;accesslog(date,&nbsp;user)&nbsp;VALUES&nbsp;(now(),&nbsp;'%u')"</P
+-><P
+->creates a query named "accesslog" which could be used by SQLLog to track
+-access times by clients. The actual query would look something like "INSERT
+-INTO accesslog(date, user) VALUES (now(), 'tilda')" for user "tilda".</P
+-></DIV
+-><H1
+-><A
+-NAME="SQLNEGATIVECACHE"
+-></A
+->
+-			SQLNegativeCache</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN9413"
+-></A
+-><H2
+->Name</H2
+->SQLNegativeCache&nbsp;--&nbsp;Enable negative caching for SQL lookups</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN9416"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->SQLNegativeCache</B
+->  [				<CODE
+-CLASS="OPTION"
+->on</CODE
+->
+-				<CODE
+-CLASS="OPTION"
+->off</CODE
+->
+-			]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->				SQLNegativeCache off
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->				server config, &lt;VirtualHost&gt;, &lt;Global&gt;
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_sql
+-			</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->				mod_sql v4.10 and later
+-			</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN9444"
+-></A
+-><H2
+->Description</H2
+-><P
+->SQLNegativeCache specifies whether or not to cache negative
+-		responses from SQL lookups when using SQL for UID/GID lookups.
+-		Depending on your SQL tables, there can be a significant delay
+-                when a directory listing is performed as the UIDs not in the
+-                SQL database are repeatedly looked up in an attempt to present
+-                usernames instead of UIDs in directory listings. With
+-                SQLNegativeCache set to on, negative ("not found") responses from
+-		SQL queries will be cached and speed will improve on directory
+-		listings that contain many users not present in the SQL
+-		database.</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN9447"
+-></A
+-><H2
+->See also</H2
+-><P
+-></P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN9450"
+-></A
+-><H2
+->Examples</H2
+-><P
+-></P
+-></DIV
+-><H1
+-><A
+-NAME="SQLRATIOS"
+-></A
+->
+-SQLRatios</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN9461"
+-></A
+-><H2
+->Name</H2
+->SQLRatios&nbsp;--&nbsp;(docs incomplete)</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN9464"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->SQLRatios</B
+->  [  <CODE
+-CLASS="OPTION"
+->"name" limit|regex|ip value</CODE
+->]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->None</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->server config, &lt;Global&gt;</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_sql</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->1.2.5rc1 and later</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN9491"
+-></A
+-><H2
+->Description</H2
+-><P
+->mod_ratio is currently lacking a module maintainer. This directive is 
+-left over and not officially supported.</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN9494"
+-></A
+-><H2
+->See also</H2
+-><P
+-></P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN9497"
+-></A
+-><H2
+->Examples</H2
+-><P
+-CLASS="LITERALLAYOUT"
+->(docs&nbsp;incomplete)</P
+-></DIV
+-><H1
+-><A
+-NAME="SQLRATIOSTATS"
+-></A
+->
+-SQLRatioStats</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN9508"
+-></A
+-><H2
+->Name</H2
+->SQLRatioStats&nbsp;--&nbsp;(docs incomplete)</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN9511"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->SQLRatioStats</B
+->  [  <CODE
+-CLASS="OPTION"
+->"name" limit|regex|ip value</CODE
+->]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->None</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->server config, &lt;Global&gt;</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_sql</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->1.2.5rc1 and later</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN9538"
+-></A
+-><H2
+->Description</H2
+-><P
+->mod_ratio is currently lacking a module maintainer. This directive is
+-left over and not officially supported.</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN9541"
+-></A
+-><H2
+->See also</H2
+-><P
+-></P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN9544"
+-></A
+-><H2
+->Examples</H2
+-><P
+-CLASS="LITERALLAYOUT"
+->(docs&nbsp;incomplete)</P
+-></DIV
+-><H1
+-><A
+-NAME="SQLSHOWINFO"
+-></A
+->
+-SQLShowInfo</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN9555"
+-></A
+-><H2
+->Name</H2
+->SQLShowInfo&nbsp;--&nbsp;Create a message to be sent to the user after any successful command</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN9558"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->SQLShowInfo</B
+->  [  <CODE
+-CLASS="OPTION"
+->cmd-set numeric query-string</CODE
+->]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->None</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->server config, &lt;Global&gt;, &lt;VirtualHost&gt;</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_sql</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->1.2.5rc1 and later</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN9585"
+-></A
+-><H2
+->Description</H2
+-><P
+->This directive creates a message to be sent to the user after any successful
+-command.</P
+-><P
+->The first parameter, the cmd-set, is a comma separated (no spaces) list of
+-FTP commands for which this log command will trigger. The list of commands
+-is too long to list in entirety; commands include: CWD, DELE, HELP, LIST,
+-MKD, MODE, NLST, PASS, PASV, PORT and many more. For the complete list check
+-the FTP RFCs.</P
+-><P
+->FTP commands in the command set will only be triggered if they complete
+-successfully. Prefixing any command with "ERR_" will show information only
+-if there was an error in command processing. To send a message on both
+-errors and successfull completion of a given command X, therefore, you'll
+-need both "X" and "ERR_X" in your cmd-set.</P
+-><P
+->The special command "*" matches all FTP commands, while "ERR_*" matches
+-all errors.</P
+-><P
+->The second parameter, numeric, specifies the numeric value of the message
+-returned to the FTP client. Do not choose a number blindly: message numbers
+-may be parsed by clients. In most cases you will want to use 214, the "Help
+-message" numeric. It specifies that the information is only meant to be human
+-readable.</P
+-><P
+->The third parameter, query-string, is exactly equivalent to the query-string
+-parameter to the SQLLog directive, with one addition:</P
+-><P
+-></P
+-><UL
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+->%{name}</P
+-><P
+->The first return value from the SQLNamedQuery  identified by "name". There
+-is currently no way to retrieve more than one value from the database at
+-a time.</P
+-></LI
+-></UL
+-><P
+->Any references to non-existent named queries, non-SELECT or -FREEFORM type
+-queries, or references to queries which return a NULL first value, will be
+-replaced with the string "{null}".</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN9598"
+-></A
+-><H2
+->See also</H2
+-><P
+-></P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN9601"
+-></A
+-><H2
+->Examples</H2
+-><P
+-CLASS="LITERALLAYOUT"
+->&nbsp;&nbsp;SQLNamedQuery&nbsp;count&nbsp;SELECT&nbsp;"count&nbsp;from&nbsp;users&nbsp;where&nbsp;userid='%u'"<br>
+-&nbsp;&nbsp;SQLShowInfo&nbsp;PASS&nbsp;"230"&nbsp;"You've&nbsp;logged&nbsp;on&nbsp;%{count}&nbsp;times,&nbsp;%u"</P
+-><P
+->As long as the information is in the database, these two directives specify
+-that the user will be greeted with their login count each time they
+-successfully login. Note the use of the "230" numeric, which means "User
+-logged in, proceed". "230" is appropriate in this case because the message
+-will be sent immediately after their password has been accepted and the
+-session has started.</P
+-></DIV
+-><H1
+-><A
+-NAME="SQLUSERINFO"
+-></A
+->
+-SQLUserInfo</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN9613"
+-></A
+-><H2
+->Name</H2
+->SQLUserInfo&nbsp;--&nbsp;Configure the user table and fields that hold user information</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN9616"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->SQLUserInfo</B
+->  [  <CODE
+-CLASS="OPTION"
+->user-table user-name passwd uid gid home-dir shell</CODE
+->]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->&quot;users userid passwd uid gid homedir shell&quot;</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->server config, &lt;Global&gt;, &lt;VirtualHost&gt;</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_sql</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->1.2.5rc1 and later</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN9643"
+-></A
+-><H2
+->Description</H2
+-><P
+->The SQLUserInfo directive configures the user table and fields that hold
+-user information. If you need to change any of these field names from the
+-default, you must specify all of them, whether NULL or not. The parameters
+-are described below:</P
+-><P
+-></P
+-><UL
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+->usertable</P
+-><P
+->Specifies the name of the table that holds user information.</P
+-></LI
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+->username</P
+-><P
+->Specifies the field in the user table that holds the username.</P
+-></LI
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+->passwd</P
+-><P
+->Specifies the field in the user table that holds the user's password.</P
+-></LI
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+->uid</P
+-><P
+->Specifies the field in the user table that holds the user's UID. When a
+-UID is retrieved from the database it is checked against the value of
+-SQLMinUserUID. If the field name is specified as "NULL" the database will
+-not be queried for this value and the user's UID will be set to the value
+-of SQLDefaultUID.</P
+-></LI
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+->gid</P
+-><P
+->Specifies the field in the user table that holds the user's GID. When a GID
+-is retrieved from the database it is checked against the value of
+-SQLMinUserGID. If the field name is specified as "NULL" the database will
+-not be queried for this value and the user's GID will be set to the value
+-of SQLDefaultGID.</P
+-></LI
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+->homedir</P
+-><P
+->Specifies the field in the user table that holds the user's home directory.
+-If the fieldname is specified as "NULL" the database will not be queried for
+-this value and the user's home directory will be set to the value of
+-SQLDefaultHomedir. If no home directory is set with either directive, user
+-authentication will be automatically turned off.</P
+-></LI
+-><LI
+-STYLE="list-style-type: disc"
+-><P
+->shell</P
+-><P
+->Specifies the field in the user table that holds the user's shell. If the 
+-fieldname is specified as "NULL" the database will not be queried and the
+-shell will be reported as an empty string ("").</P
+-></LI
+-></UL
+-><P
+->As of 1.2.9rc1, the SQLUserInfo directive accepts an alternate syntax:</P
+-><P
+-CLASS="LITERALLAYOUT"
+->&nbsp;&nbsp;SQLUserInfo&nbsp;custom:/name</P
+-><P
+->where name refers to a configured SELECT SQLNamedQuery. This named query
+-must return one row, and return the following columns, in this order:
+-username, passwd, uid, gid, homedir, shell. The configured query may make use
+-of the variables mentioned in the SQLLog description. This syntax allows the
+-administrator a flexible way of constructing queries as needed. Note that if
+-you want use the given USER name, you should use the %U variable, not %u; the
+-latter requires the locally authenticated user name, which is exactly what
+-SQLUserInfo is meant to provide.</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN9671"
+-></A
+-><H2
+->See also</H2
+-><P
+-><A
+-HREF="#SQLLOG"
+->SQLLog</A
+->
+-<A
+-HREF="#SQLNAMEDQUERY"
+->SQLNamedQuery</A
+-></P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN9676"
+-></A
+-><H2
+->Examples</H2
+-><P
+-CLASS="LITERALLAYOUT"
+-></P
+-></DIV
+-><H1
+-><A
+-NAME="SQLUSERWHERECLAUSE"
+-></A
+->
+-SQLUserWhereClause</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN9687"
+-></A
+-><H2
+->Name</H2
+->SQLUserWhereClause&nbsp;--&nbsp;Configure a WHERE clause for every user query&#60;</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN9690"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->SQLUserWhereClause</B
+->  [  <CODE
+-CLASS="OPTION"
+->where-clause</CODE
+->]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->None</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->server config, &lt;Global&gt;, &lt;VirtualHost&gt;</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_sql</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->1.2.5rc1 and later</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN9717"
+-></A
+-><H2
+->Description</H2
+-><P
+->The directive is used to configure a WHERE clause that is added to every
+-user query. The WHERE clause must contain all relevant punctuation, and
+-must not contain a leading "and".</P
+-><P
+->Starting with ProFTPD 1.3.1rc1 the SQLUserWhereClause also supports the
+-variables supported by <A
+-HREF="#SQLNAMEDQUERY"
+->SQLNamedQuery</A
+->
+-except for the &quot;%{n}&quot; variable</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN9722"
+-></A
+-><H2
+->See also</H2
+-><P
+-><A
+-HREF="#SQLNAMEDQUERY"
+->SQLNamedQuery</A
+-></P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN9726"
+-></A
+-><H2
+->Examples</H2
+-><P
+->As an example of a possible use for this directive, imagine if your user
+-table included a "LoginAllowed" field:</P
+-><P
+-CLASS="LITERALLAYOUT"
+->&nbsp;&nbsp;SQLUserWhereClause&nbsp;"LoginAllowed&nbsp;=&nbsp;'true'"</P
+-><P
+->would be appended to every user-related query as the string:</P
+-><P
+-CLASS="LITERALLAYOUT"
+->&nbsp;&nbsp;"&nbsp;WHERE&nbsp;(LoginAllowed&nbsp;=&nbsp;'true')"</P
+-></DIV
+-><H1
+-><A
+ NAME="STOREUNIQUEPREFIX"
+ ></A
+ >
+@@ -30450,7 +19166,7 @@
+ ></A
+ ><H2
+ >Name</H2
+->TLSPassPhraseProvider&nbsp;--&nbsp;FIXFIXFIX</DIV
++>TLSPassPhraseProvider&nbsp;--&nbsp;Configure external provider for key</DIV
+ ><DIV
+ CLASS="REFSYNOPSISDIV"
+ ><A
+@@ -31916,7 +20632,7 @@
+ ></A
+ ><H2
+ >Name</H2
+->UnsetEnv&nbsp;--&nbsp;(docs incomplete)</DIV
++>UnsetEnv&nbsp;--&nbsp;Unset environment variable</DIV
+ ><DIV
+ CLASS="REFSYNOPSISDIV"
+ ><A
+@@ -33037,115 +21753,6 @@
+ ></DIV
+ ><H1
+ ><A
+-NAME="USERRATIO"
+-></A
+->
+-UserRatio</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN12397"
+-></A
+-><H2
+->Name</H2
+->UserRatio&nbsp;--&nbsp;Ratio directive</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN12400"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->UserRatio</B
+->  [  <CODE
+-CLASS="OPTION"
+->UserRatio foo1 foo2 foo3</CODE
+->]</P
+-><P
+-></P
+-><DIV
+-CLASS="VARIABLELIST"
+-><P
+-><B
+-></B
+-></P
+-><DL
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Default</PRE
+-></DT
+-><DD
+-><P
+->None known</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Context</PRE
+-></DT
+-><DD
+-><P
+->&lt;Directory&gt;, &lt;Anonymous&gt;, &lt;Limit&gt;,.ftpaccess</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Module</PRE
+-></DT
+-><DD
+-><P
+->mod_ratio</P
+-></DD
+-><DT
+-><PRE
+-CLASS="SYNOPSIS"
+->Compatibility</PRE
+-></DT
+-><DD
+-><P
+->at least 1.2.0 and later</P
+-></DD
+-></DL
+-></DIV
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN12427"
+-></A
+-><H2
+->Description</H2
+-><P
+->The UserRatio directive ....
+-Example:
+-UserRatio</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN12430"
+-></A
+-><H2
+->See also</H2
+-><P
+-></P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN12433"
+-></A
+-><H2
+->Examples</H2
+-><P
+-></P
+-></DIV
+-><H1
+-><A
+ NAME="USESENDFILE"
+ ></A
+ >
+@@ -34223,7 +22830,7 @@
+ ></A
+ ><H2
+ >Name</H2
+->mod_tls&nbsp;--&nbsp;Prevent information leak through timing attacks</DIV
++>mod_delay&nbsp;--&nbsp;Prevent information leak through timing attacks</DIV
+ ><DIV
+ CLASS="REFSYNOPSISDIV"
+ ><A
+@@ -34301,167 +22908,6 @@
+ ></DIV
+ ><H1
+ ><A
+-NAME="MOD-LDAP"
+-></A
+->
+-			mod_ldap</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN12810"
+-></A
+-><H2
+->Name</H2
+->mod_ldap&nbsp;--&nbsp;LDAP authentication support</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN12813"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->mod_ldap</B
+-> </P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN12816"
+-></A
+-><H2
+->Description</H2
+-><P
+->		mod_ldap provides LDAP authentication support for ProFTPD. It
+-		supports many features useful in "toaster" environments such as
+-		default UID/GID and autocreation/autogeneration of home directories.
+-	</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN12819"
+-></A
+-><H2
+->See also</H2
+-><P
+-><A
+-HREF="#LDAPALIASDEREFERENCE"
+->LDAPAliasDereference</A
+-> 
+-<A
+-HREF="#LDAPATTR"
+->LDAPAttr</A
+-> 
+-<A
+-HREF="#LDAPAUTHBINDS"
+->LDAPAuthBinds</A
+-> 
+-<A
+-HREF="#LDAPDEFAULTAUTHSCHEME"
+->LDAPDefaultAuthScheme</A
+-> 
+-<A
+-HREF="#LDAPDEFAULTGID"
+->LDAPDefaultGID</A
+-> 
+-<A
+-HREF="#LDAPDEFAULTUID"
+->LDAPDefaultUID</A
+-> 
+-<A
+-HREF="#LDAPDNINFO"
+->LDAPDNInfo</A
+-> 
+-<A
+-HREF="#LDAPDOAUTH"
+->LDAPDoAuth</A
+-> 
+-<A
+-HREF="#LDAPDOGIDLOOKUPS"
+->LDAPDoGIDLookups</A
+-> 
+-<A
+-HREF="#LDAPDOQUOTALOOKUPS"
+->LDAPDoQuotaLookups</A
+-> 
+-<A
+-HREF="#LDAPDOUIDLOOKUPS"
+->LDAPDoUIDLookups</A
+-> 
+-<A
+-HREF="#LDAPFORCEDEFAULTGID"
+->LDAPForceDefaultGID</A
+-> 
+-<A
+-HREF="#LDAPFORCEDEFAULTUID"
+->LDAPForceDefaultUID</A
+-> 
+-<A
+-HREF="#LDAPFORCEGENERATEDHOMEDIR"
+->LDAPForceGeneratedHomedir</A
+-> 
+-<A
+-HREF="#LDAPFORCEHOMEDIRONDEMAND"
+->LDAPForceHomedirOnDemand</A
+-> 
+-<A
+-HREF="#LDAPGENERATEHOMEDIR"
+->LDAPGenerateHomedir</A
+-> 
+-<A
+-HREF="#LDAPGENERATEHOMEDIRPREFIX"
+->LDAPGenerateHomedirPrefix</A
+-> 
+-<A
+-HREF="#LDAPGENERATEHOMEDIRPREFIXNOUSERNAME"
+->LDAPGenerateHomedirPrefixNoUsername</A
+-> 
+-<A
+-HREF="#LDAPHOMEDIRONDEMAND"
+->LDAPHomedirOnDemand</A
+-> 
+-<A
+-HREF="#LDAPHOMEDIRONDEMANDPREFIX"
+->LDAPHomedirOnDemandPrefix</A
+-> 
+-<A
+-HREF="#LDAPHOMEDIRONDEMANDPREFIXNOUSERNAME"
+->LDAPHomedirOnDemandPrefixNoUsername</A
+-> 
+-<A
+-HREF="#LDAPHOMEDIRONDEMANDSUFFIX"
+->LDAPHomedirOnDemandSuffix</A
+-> 
+-<A
+-HREF="#LDAPNEGATIVECACHE"
+->LDAPNegativeCache</A
+-> 
+-<A
+-HREF="#LDAPPROTOCOLVERSION"
+->LDAPProtocolVersion</A
+-> 
+-<A
+-HREF="#LDAPQUERYTIMEOUT"
+->LDAPQueryTimeout</A
+-> 
+-<A
+-HREF="#LDAPSEARCHSCOPE"
+->LDAPSearchScope</A
+-> 
+-<A
+-HREF="#LDAPSERVER"
+->LDAPServer</A
+-> 
+-<A
+-HREF="#LDAPUSETLS"
+->LDAPUseTLS</A
+-> </P
+-></DIV
+-><H1
+-><A
+ NAME="MOD-LOG"
+ ></A
+ >
+@@ -34600,427 +23046,6 @@
+ ></DIV
+ ><H1
+ ><A
+-NAME="MOD-RADIUS"
+-></A
+->
+-mod_radius</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN12900"
+-></A
+-><H2
+->Name</H2
+->mod_radius&nbsp;--&nbsp;RADIUS based authentication support</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN12903"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->mod_radius</B
+-> </P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN12906"
+-></A
+-><H2
+->Description</H2
+-><P
+->This module provides RADIUS authentication and accounting support.</P
+-><P
+->Strong authentication is in demand for Internet services. For many, this means using the RADIUS (Remote Authentication Dial-In User Service) protocol.</P
+-><P
+->However, there are caveats to using RADIUS for authentication. RADIUS packets are sent in the clear, which means that they can easily be sniffed. First, do not have your authenticating RADIUS servers exposed to the Internet; keep them protected within your LAN. Second, it is highly recommended to use separate RADIUS servers for each of your services.</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN12911"
+-></A
+-><H2
+->RADIUS Authentication</H2
+-><P
+->The RADIUS protocol can be used for answering the question "Should this user be allowed to login?" However, the "yes/no" answer is not everything that proftpd needs to log a user in; the server also requires the UID and GID to use for the authenticated user, home directory, and shell. This information is usually not available from the RADIUS servers, which means that using RADIUS to provide all the necessary login information can be problematic. The RadiusUserInfo directive is meant to be used to address this issue, to provide the missing information.</P
+-><P
+->In those cases where the RADIUS servers can provide that additional login information, via custom attributes, the RadiusUserInfo directive can also be used obtain that information as well.</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN12915"
+-></A
+-><H2
+->RADIUS Accounting</H2
+-><P
+->While RADIUS is primarily used for authentication, the protocol also allows for accounting of user activities. The mod_radius module makes use of this ability, using RADIUS accounting packets to transmit the following data:</P
+-><P
+->    * Acct-Authentic: How the user was authenticated (e.g. locally, or via RADIUS)
+-    * Acct-Session-Id: The process ID of the FTP session
+-    * Acct-Session-Time: The duration of the FTP session, in seconds
+-    * Acct-Input-Octets: The number of bytes uploaded (includes appending to files)
+-    * Acct-Output-Octets: The number of bytes downloaded
+-    Merely configuring a RadiusAcctServer enables the module's accounting capabilities.
+-    Common Attributes
+-    The following RADIUS attributes are sent with every RADIUS packet generated by mod_radius:
+-    * User-Name: The name of the logging-in user
+-    * NAS-Identifier: Always "ftp"
+-    * NAS-IP-Address: IP address of FTP server
+-    * NAS-Port: Port of FTP server
+-    * NAS-Port-Type: Always Virtual.
+-    * Calling-Station-Id: IP address of connecting FTP client</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN12919"
+-></A
+-><H2
+->See also</H2
+-><P
+-><A
+-HREF="#RADIUSACCTSERVER"
+->RadiusAcctServer</A
+-> 
+-<A
+-HREF="#RADIUSAUTHSERVER"
+->RadiusAuthServer</A
+-> 
+-<A
+-HREF="#RADIUSENGINE"
+->RadiusEngine</A
+-> 
+-<A
+-HREF="#RADIUSLOG"
+->RadiusLog</A
+-> 
+-<A
+-HREF="#RADIUSREALM"
+->RadiusRealm</A
+-> 
+-<A
+-HREF="#RADIUSUSERINFO"
+->RadiusUserInfo</A
+-> </P
+-></DIV
+-><H1
+-><A
+-NAME="MOD-RATIO"
+-></A
+->
+-mod_ratio</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN12933"
+-></A
+-><H2
+->Name</H2
+->mod_ratio&nbsp;--&nbsp;FIX ME FIX ME</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN12936"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->mod_ratio</B
+-> </P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN12939"
+-></A
+-><H2
+->Description</H2
+-><P
+->FIXME
+-FIXME
+-FIXME</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN12942"
+-></A
+-><H2
+->See also</H2
+-><P
+-><A
+-HREF="#ANONRATIO"
+->AnonRatio</A
+-> 
+-<A
+-HREF="#BYTERATIOERRMSG"
+->ByteRatioErrMsg</A
+-> 
+-<A
+-HREF="#CWDRATIOMSG"
+->CwdRatioMsg</A
+-> 
+-<A
+-HREF="#FILERATIOERRMSG"
+->FileRatioErrMsg</A
+-> 
+-<A
+-HREF="#GROUPRATIO"
+->GroupRatio</A
+-> 
+-<A
+-HREF="#HOSTRATIO"
+->HostRatio</A
+-> 
+-<A
+-HREF="#LEECHRATIOMSG"
+->LeechRatioMsg</A
+-> 
+-<A
+-HREF="#RATIOFILE"
+->RatioFile</A
+-> 
+-<A
+-HREF="#RATIOS"
+->Ratios</A
+-> 
+-<A
+-HREF="#RATIOTEMPFILE"
+->RatioTempFile</A
+-> 
+-<A
+-HREF="#SAVERATIOS"
+->SaveRatios</A
+-> 
+-<A
+-HREF="#USERRATIO"
+->UserRatio</A
+-> </P
+-></DIV
+-><H1
+-><A
+-NAME="MOD-README"
+-></A
+->
+-mod_readme</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN12962"
+-></A
+-><H2
+->Name</H2
+->mod_readme&nbsp;--&nbsp;"README" file support</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN12965"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->mod_readme</B
+-> </P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN12968"
+-></A
+-><H2
+->Description</H2
+-><P
+->FIXME
+-FIXME
+-FIXME</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN12971"
+-></A
+-><H2
+->See also</H2
+-><P
+-><A
+-HREF="#DISPLAYREADME"
+->DisplayReadme</A
+-> </P
+-></DIV
+-><H1
+-><A
+-NAME="AEN12975"
+-></A
+-></H1
+-><A
+-HREF="#REWRITECONDITION"
+->RewriteCondition</A
+-><A
+-HREF="#REWRITEENGINE"
+->RewriteEngine</A
+-><A
+-HREF="#REWRITELOCK"
+->RewriteLock</A
+-><A
+-HREF="#REWRITELOG"
+->RewriteLog</A
+-><A
+-HREF="#REWRITEMAP"
+->RewriteMap</A
+-><A
+-HREF="#REWRITERULE"
+->RewriteRule</A
+-><H1
+-><A
+-NAME="MOD-SQL"
+-></A
+->
+-mod_sql</H1
+-><DIV
+-CLASS="REFNAMEDIV"
+-><A
+-NAME="AEN12987"
+-></A
+-><H2
+->Name</H2
+->mod_sql&nbsp;--&nbsp;SQL support module</DIV
+-><DIV
+-CLASS="REFSYNOPSISDIV"
+-><A
+-NAME="AEN12990"
+-></A
+-><H2
+->Synopsis</H2
+-><P
+-><B
+-CLASS="COMMAND"
+->mod_sql</B
+-> </P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN12993"
+-></A
+-><H2
+->Description</H2
+-><P
+->This module provides the necessary support for SQL based authentication, logging and other features as required.
+-It replaces the SQL modules which were shipped with 1.2.0rc2 and earlier.</P
+-></DIV
+-><DIV
+-CLASS="REFSECT1"
+-><A
+-NAME="AEN12996"
+-></A
+-><H2
+->See also</H2
+-><P
+-><A
+-HREF="#SQLAUTHENTICATE"
+->SQLAuthenticate</A
+-> 
+-<A
+-HREF="#SQLAUTHTYPES"
+->SQLAuthTypes</A
+-> 
+-<A
+-HREF="#SQLBACKEND"
+->SQLBackend</A
+-> 
+-<A
+-HREF="#SQLCONNECTINFO"
+->SQLConnectInfo</A
+-> 
+-<A
+-HREF="#SQLDEFAULTGID"
+->SQLDefaultGID</A
+-> 
+-<A
+-HREF="#SQLDEFAULTHOMEDIR"
+->SQLDefaultHomedir</A
+-> 
+-<A
+-HREF="#SQLDEFAULTUID"
+->SQLDefaultUID</A
+-> 
+-<A
+-HREF="#SQLENGINE"
+->SQLEngine</A
+-> 
+-<A
+-HREF="#SQLGROUPINFO"
+->SQLGroupInfo</A
+-> 
+-<A
+-HREF="#SQLGROUPWHERECLAUSE"
+->SQLGroupWhereClause</A
+-> 
+-<A
+-HREF="#SQLHOMEDIRONDEMAND"
+->SQLHomedirOnDemand</A
+-> 
+-<A
+-HREF="#SQLLOG"
+->SQLLog</A
+-> 
+-<A
+-HREF="#SQLLOGFILE"
+->SQLLogFile</A
+-> 
+-<A
+-HREF="#SQLMINID"
+->SQLMinID</A
+-> 
+-<A
+-HREF="#SQLMINUSERGID"
+->SQLMinUserGID</A
+-> 
+-<A
+-HREF="#SQLMINUSERUID"
+->SQLMinUserUID</A
+-> 
+-<A
+-HREF="#SQLNAMEDQUERY"
+->SQLNamedQuery</A
+-> 
+-<A
+-HREF="#SQLNEGATIVECACHE"
+->SQLNegativeCache</A
+-> 
+-<A
+-HREF="#SQLRATIOS"
+->SQLRatios</A
+-> 
+-<A
+-HREF="#SQLRATIOSTATS"
+->SQLRatioStats</A
+-> 
+-<A
+-HREF="#SQLSHOWINFO"
+->SQLShowInfo</A
+-> 
+-<A
+-HREF="#SQLUSERINFO"
+->SQLUserInfo</A
+-> 
+-<A
+-HREF="#SQLUSERWHERECLAUSE"
+->SQLUserWhereClause</A
+-> </P
+-></DIV
+-><H1
+-><A
+ NAME="MOD-TLS"
+ ></A
+ >
+@@ -35263,7 +23288,7 @@
+ ></A
+ ><H2
+ >Name</H2
+->mod_xfer&nbsp;--&nbsp;FIX ME FIX ME</DIV
++>mod_xfer&nbsp;--&nbsp;control transfer</DIV
+ ><DIV
+ CLASS="REFSYNOPSISDIV"
+ ><A
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/proftpd/patches/proftpd-error_code.patch	Wed Jun 15 01:09:08 2011 -0700
@@ -0,0 +1,409 @@
+--- proftpd-1.3.3e/modules/mod_core.c	Sun Feb 20 18:36:38 2011
++++ proftpd-1.3.3e/modules/mod_core.c	Tue Jun  7 02:34:09 2011
+@@ -3974,11 +3974,13 @@
+   dir = dir_canonical_path(cmd->tmp_pool, dir);
+ 
+   if (!dir) {
++    cmd->error_code = EINVAL;
+     pr_response_add_err(R_550, "%s: %s", cmd->arg, strerror(EINVAL));
+     return PR_ERROR(cmd);
+   }
+ 
+   if (!dir_check_canon(cmd->tmp_pool, cmd, cmd->group, dir, NULL)) {
++    cmd->error_code = EACCES;
+     pr_response_add_err(R_550, "%s: %s", cmd->arg, strerror(EACCES));
+     return PR_ERROR(cmd);
+   }
+@@ -3985,6 +3987,7 @@
+ 
+   if (pr_fsio_rmdir(dir) < 0) {
+     int xerrno = errno;
++    cmd->error_code = errno;
+ 
+     (void) pr_trace_msg("fileperms", 1, "%s, user '%s' (UID %lu, GID %lu): "
+       "error removing directory '%s': %s", cmd->argv[0], session.user,
+@@ -4033,11 +4036,13 @@
+ 
+   dir = dir_canonical_path(cmd->tmp_pool, dir);
+   if (!dir) {
++    cmd->error_code = EINVAL;
+     pr_response_add_err(R_550, "%s: %s", cmd->arg, strerror(EINVAL));
+     return PR_ERROR(cmd);
+   }
+ 
+   if (!dir_check_canon(cmd->tmp_pool, cmd, cmd->group, dir, NULL)) {
++    cmd->error_code = EACCES;
+     pr_log_debug(DEBUG8, "%s command denied by <Limit> config", cmd->argv[0]);
+     pr_response_add_err(R_550, "%s: %s", cmd->arg, strerror(EACCES));
+     return PR_ERROR(cmd);
+@@ -4045,6 +4050,7 @@
+ 
+   if (pr_fsio_mkdir(dir, 0777) < 0) {
+     int xerrno = errno;
++    cmd->error_code = errno;
+ 
+     (void) pr_trace_msg("fileperms", 1, "%s, user '%s' (UID %lu, GID %lu): "
+       "error making directory '%s': %s", cmd->argv[0], session.user,
+@@ -4067,6 +4073,7 @@
+     if (pr_fsio_chown(dir, session.fsuid, session.fsgid) == -1) {
+       iserr++;
+       err = errno;
++      cmd->error_code = errno;
+     }
+     PRIVS_RELINQUISH
+ 
+@@ -4111,6 +4118,7 @@
+     }
+ 
+     if (res == -1) {
++      cmd->error_code = errno;
+       pr_log_pri(PR_LOG_WARNING, "%schown() failed: %s",
+         use_root_privs ? "root " : "", strerror(errno));
+ 
+@@ -4153,6 +4161,7 @@
+   if (!path ||
+       !dir_check(cmd->tmp_pool, cmd, cmd->group, path, NULL) ||
+       pr_fsio_stat(path, &st) == -1) {
++    cmd->error_code = errno;
+     pr_response_add_err(R_550, "%s: %s", cmd->arg, strerror(errno));
+     return PR_ERROR(cmd);
+ 
+@@ -4251,11 +4260,13 @@
+   /* If told to delete a symlink, don't delete the file it points to!  */
+   path = dir_canonical_path(cmd->tmp_pool, path);
+   if (!path) {
++    cmd->error_code = ENOENT;
+     pr_response_add_err(R_550, "%s: %s", cmd->arg, strerror(ENOENT));
+     return PR_ERROR(cmd);
+   }
+ 
+   if (!dir_check_canon(cmd->tmp_pool, cmd, cmd->group, path, NULL)) {
++    cmd->error_code = errno;
+     pr_log_debug(DEBUG7, "deleting '%s' denied by <Limit> configuration", path);
+     pr_response_add_err(R_550, "%s: %s", cmd->arg, strerror(errno));
+     return PR_ERROR(cmd);
+@@ -4268,6 +4279,7 @@
+   memset(&st, 0, sizeof(st));
+   pr_fs_clear_cache();
+   if (pr_fsio_lstat(path, &st) < 0) {
++    cmd->error_code = errno;
+     pr_log_debug(DEBUG3, "unable to lstat '%s': %s", path, strerror(errno));
+     pr_response_add_err(R_550, "%s: %s", cmd->arg, strerror(errno));
+     return PR_ERROR(cmd);
+@@ -4278,6 +4290,7 @@
+    * EISDIR).
+    */
+   if (S_ISDIR(st.st_mode)) {
++    cmd->error_code = EISDIR;
+     (void) pr_trace_msg("fileperms", 1, "%s, user '%s' (UID %lu, GID %lu): "
+       "error deleting '%s': %s", cmd->argv[0], session.user,
+       (unsigned long) session.uid, (unsigned long) session.gid, path,
+@@ -4291,6 +4304,7 @@
+  
+   if (pr_fsio_unlink(path) < 0) {
+     int xerrno = errno;
++    cmd->error_code = errno;
+ 
+     (void) pr_trace_msg("fileperms", 1, "%s, user '%s' (UID %lu, GID %lu): "
+       "error deleting '%s': %s", cmd->argv[0], session.user,
+@@ -4375,6 +4389,7 @@
+       !dir_check_canon(cmd->tmp_pool, cmd, cmd->group, path, NULL) ||
+       pr_fsio_rename(session.xfer.path, path) == -1) {
+     int xerrno = errno;
++    cmd->error_code = errno;
+ 
+     if (xerrno != EXDEV) {
+       (void) pr_trace_msg("fileperms", 1, "%s, user '%s' (UID %lu, GID %lu): "
+@@ -4391,6 +4406,7 @@
+      */
+     if (pr_fs_copy_file(session.xfer.path, path) < 0) {
+       xerrno = errno;
++      cmd->error_code = errno;
+ 
+       (void) pr_trace_msg("fileperms", 1, "%s, user '%s' (UID %lu, GID %lu): "
+         "error copying '%s' to '%s': %s", cmd->argv[0], session.user,
+@@ -4404,6 +4420,8 @@
+ 
+     /* Once copied, unlink the original file. */
+     if (pr_fsio_unlink(session.xfer.path) < 0) {
++      cmd->error_code = errno;
++
+       pr_log_debug(DEBUG0, "error unlinking '%s': %s", session.xfer.path,
+         strerror(errno));
+     }
+@@ -4458,6 +4476,7 @@
+   if (!path ||
+       !dir_check_canon(cmd->tmp_pool, cmd, cmd->group, path, NULL) ||
+       !exists(path)) {
++    cmd->error_code = errno;
+     pr_response_add_err(R_550, "%s: %s", cmd->arg, strerror(errno));
+     return PR_ERROR(cmd);
+   }
+--- proftpd-1.3.3e/modules/mod_xfer.c	Fri Feb 25 18:46:45 2011
++++ x/proftpd-1.3.3e/modules/mod_xfer.c	Tue Jun  7 03:45:03 2011
+@@ -1180,6 +1180,7 @@
+ 
+   if (cmd->argc < 2) {
+     pr_response_add_err(R_500, _("'%s' not understood"), get_full_cmd(cmd));
++    cmd->error_code = EINVAL;
+     errno = EINVAL;
+     return PR_ERROR(cmd);
+   }
+@@ -1190,6 +1191,7 @@
+   if (!path ||
+       !dir_check(cmd->tmp_pool, cmd, cmd->group, path, NULL)) {
+     int xerrno = errno;
++    cmd->error_code = errno;
+ 
+     pr_response_add_err(R_550, "%s: %s", cmd->arg, strerror(xerrno));
+ 
+@@ -1200,6 +1202,7 @@
+   if (xfer_check_limit(cmd) < 0) {
+     pr_response_add_err(R_451, _("%s: Too many transfers"), cmd->arg);
+     errno = EPERM;
++    cmd->error_code = EPERM;
+     return PR_ERROR(cmd);
+   }
+ 
+@@ -1212,6 +1215,7 @@
+     pr_log_debug(DEBUG6, "AllowOverwrite denied permission for %s", cmd->arg);
+     pr_response_add_err(R_550, _("%s: Overwrite permission denied"), cmd->arg);
+     errno = EACCES;
++    cmd->error_code = EACCES;
+     return PR_ERROR(cmd);
+   }
+ 
+@@ -1233,6 +1237,7 @@
+        ) {
+       pr_response_add_err(R_550, _("%s: Not a regular file"), cmd->arg);
+       errno = EPERM;
++      cmd->error_code = EPERM;
+       return PR_ERROR(cmd);
+     }
+   }
+@@ -1250,6 +1255,7 @@
+       cmd->arg);
+     session.restart_pos = 0L;
+     session.xfer.xfer_type = STOR_DEFAULT;
++    cmd->error_code = EPERM;
+     errno = EPERM;
+     return PR_ERROR(cmd);
+   }
+@@ -1256,9 +1262,11 @@
+ 
+   /* Otherwise everthing is good */
+   if (pr_table_add(cmd->notes, "mod_xfer.store-path",
+-      pstrdup(cmd->pool, path), 0) < 0)
++      pstrdup(cmd->pool, path), 0) < 0) {
++    cmd->error_code = errno;
+     pr_log_pri(PR_LOG_NOTICE, "notice: error adding 'mod_xfer.store-path': %s",
+       strerror(errno));
++  }
+ 
+   c = find_config(CURRENT_CONF, CONF_PARAM, "HiddenStores", FALSE);
+   if (c &&
+@@ -1269,6 +1277,7 @@
+     if (session.restart_pos) {
+       pr_response_add_err(R_501,
+         _("REST not compatible with server configuration"));
++      cmd->error_code = EINVAL;
+       errno = EINVAL;
+       return PR_ERROR(cmd);
+     }
+@@ -1333,6 +1342,7 @@
+ 
+   tmpfd = mkstemp(filename);
+   if (tmpfd < 0) {
++    cmd->error_code = errno;
+     pr_log_pri(PR_LOG_ERR, "error: unable to use mkstemp(): %s",
+       strerror(errno));
+ 
+@@ -1357,6 +1367,7 @@
+ 
+   if (!filename ||
+       !dir_check(cmd->tmp_pool, cmd, cmd->group, filename, NULL)) {
++    cmd->error_code = errno;
+     int xerrno = errno;
+ 
+     /* Do not forget to delete the file created by mkstemp(3) if there is
+@@ -1434,6 +1445,7 @@
+   if (xfer_check_limit(cmd) < 0) {
+     pr_response_add_err(R_451, _("%s: Too many transfers"), cmd->arg);
+     errno = EPERM;
++    cmd->error_code = EPERM;
+     return PR_ERROR(cmd);
+   }
+ 
+@@ -1487,6 +1499,7 @@
+       O_WRONLY|(session.restart_pos ? 0 : O_CREAT|O_EXCL));
+     if (stor_fh == NULL) {
+       ferrno = errno;
++      cmd->error_code = errno;
+ 
+       (void) pr_trace_msg("fileperms", 1, "%s, user '%s' (UID %lu, GID %lu): "
+         "error opening '%s': %s", cmd->argv[0], session.user,
+@@ -1499,6 +1512,7 @@
+ 
+     if (stor_fh) {
+       if (pr_fsio_lseek(stor_fh, 0, SEEK_END) == (off_t) -1) {
++        cmd->error_code = errno;
+         pr_log_debug(DEBUG4, "unable to seek to end of '%s' for appending: %s",
+           cmd->arg, strerror(errno));
+         (void) pr_fsio_close(stor_fh);
+@@ -1507,6 +1521,7 @@
+ 
+     } else {
+       ferrno = errno;
++      cmd->error_code = errno;
+ 
+       (void) pr_trace_msg("fileperms", 1, "%s, user '%s' (UID %lu, GID %lu): "
+         "error opening '%s': %s", cmd->argv[0], session.user,
+@@ -1520,6 +1535,7 @@
+         O_WRONLY|(session.restart_pos ? 0 : O_TRUNC|O_CREAT));
+     if (stor_fh == NULL) {
+       ferrno = errno;
++      cmd->error_code = errno;
+ 
+       (void) pr_trace_msg("fileperms", 1, "%s, user '%s' (UID %lu, GID %lu): "
+         "error opening '%s': %s", cmd->argv[0], session.user,
+@@ -1533,11 +1549,13 @@
+     int xerrno = 0;
+ 
+     if (pr_fsio_lseek(stor_fh, session.restart_pos, SEEK_SET) == -1) {
++      cmd->error_code = errno;
+       pr_log_debug(DEBUG4, "unable to seek to position %" PR_LU " of '%s': %s",
+         (pr_off_t) session.restart_pos, cmd->arg, strerror(errno));
+       xerrno = errno;
+ 
+     } else if (pr_fsio_stat(path, &st) == -1) {
++      cmd->error_code = errno;
+       pr_log_debug(DEBUG4, "unable to stat '%s': %s", cmd->arg,
+         strerror(errno));
+       xerrno = errno;
+@@ -1665,6 +1683,7 @@
+     res = pr_fsio_write(stor_fh, lbuf, len);
+     if (res != len) {
+       int xerrno = EIO;
++      cmd->error_code = errno;
+ 
+       if (res < 0)
+         xerrno = errno;
+@@ -1716,16 +1735,19 @@
+        */
+ #if defined(EDQUOT)
+       if (errno == EDQUOT) {
++        cmd->error_code = EDQUOT;
+         pr_response_add_err(R_552, "%s: %s", cmd->arg, strerror(errno));
+         return PR_ERROR(cmd);
+       }
+ #elif defined(EFBIG)
+       if (errno == EFBIG) {
++        cmd->error_code = EFBIG;
+         pr_response_add_err(R_552, "%s: %s", cmd->arg, strerror(errno));
+         return PR_ERROR(cmd);
+       }
+ #endif
+ 
++      cmd->error_code = errno;
+       pr_response_add_err(R_550, "%s: %s", cmd->arg, strerror(errno));
+       return PR_ERROR(cmd);
+     }
+@@ -1733,6 +1755,7 @@
+     if (session.xfer.path &&
+         session.xfer.path_hidden) {
+       if (pr_fsio_rename(session.xfer.path_hidden, session.xfer.path) != 0) {
++         cmd->error_code = errno;
+ 
+         /* This should only fail on a race condition with a chmod/chown
+          * or if STOR_APPEND is on and the permissions are squirrely.
+@@ -1830,6 +1853,7 @@
+   if (cmd->argc < 2) {
+     pr_response_add_err(R_500, _("'%s' not understood"), get_full_cmd(cmd));
+     errno = EINVAL;
++    cmd->error_code = EINVAL;
+     return PR_ERROR(cmd);
+   }
+ 
+@@ -1839,6 +1863,7 @@
+   if (!dir ||
+       !dir_check(cmd->tmp_pool, cmd, cmd->group, dir, NULL)) {
+     int xerrno = errno;
++    cmd->error_code = errno;
+ 
+     pr_response_add_err(R_550, "%s: %s", cmd->arg, strerror(xerrno));
+ 
+@@ -1849,6 +1874,7 @@
+   if (xfer_check_limit(cmd) < 0) {
+     pr_response_add_err(R_451, _("%s: Too many transfers"), cmd->arg);
+     errno = EPERM;
++    cmd->error_code = EPERM;
+     return PR_ERROR(cmd);
+   }
+ 
+@@ -1865,6 +1891,7 @@
+      ) {
+     pr_response_add_err(R_550, _("%s: Not a regular file"), cmd->arg);
+     errno = EPERM;
++    cmd->error_code = EPERM;
+     return PR_ERROR(cmd);
+   }
+ 
+@@ -1879,6 +1906,7 @@
+       cmd->arg);
+     session.restart_pos = 0L;
+     errno = EPERM;
++    cmd->error_code = EPERM;
+     return PR_ERROR(cmd);
+   }
+ 
+@@ -1908,6 +1936,7 @@
+   retr_fh = pr_fsio_open(dir, O_RDONLY);
+   if (retr_fh == NULL) {
+     int xerrno = errno;
++    cmd->error_code = errno;
+ 
+     (void) pr_trace_msg("fileperms", 1, "%s, user '%s' (UID %lu, GID %lu): "
+       "error opening '%s': %s", cmd->argv[0], session.user,
+@@ -1921,6 +1950,7 @@
+   if (pr_fsio_stat(dir, &st) < 0) {
+     /* Error stat'ing the file. */
+     int xerrno = errno;
++    cmd->error_code = errno;
+     pr_fsio_close(retr_fh);
+     errno = xerrno;
+ 
+@@ -1945,6 +1975,7 @@
+     if (pr_fsio_lseek(retr_fh, session.restart_pos,
+         SEEK_SET) == (off_t) -1) {
+       int xerrno = errno;
++      cmd->error_code = errno;
+       pr_fsio_close(retr_fh);
+       errno = xerrno;
+       retr_fh = NULL;
+@@ -2003,6 +2034,7 @@
+     retr_abort();
+ 
+     /* Set errno to EPERM ("Operation not permitted") */
++    cmd->error_code = EPERM;
+     pr_data_abort(EPERM, FALSE);
+     return PR_ERROR(cmd);
+   }
+@@ -2034,6 +2066,7 @@
+        * is preserved; errno itself might be overwritten in retr_abort().
+        */
+       int xerrno = errno;
++      cmd->error_code = errno;
+ 
+       retr_abort();
+
+--- proftpd-1.3.3e/include/dirtree.h	Fri Mar 25 17:49:04 2011
++++ x/proftpd-1.3.3e/include/dirtree.h	Tue Jun  7 02:07:51 2011
+@@ -113,6 +113,8 @@
+   int  class;			/* The command class */
+   int  stash_index;		/* hack to speed up symbol hashing in modules.c */
+   pr_table_t *notes;		/* Private data for passing/retaining between handlers */
++
++  int error_code;		/* stores errno of failed file transfer commands*/
+ } cmd_rec;
+ 
+ struct config_struc {
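Review bot: In the mod_xfer.c hunk at `@@ -1665,6 +1683,7 @@`, `cmd->error_code = errno;` is assigned before the existing `if (res < 0) xerrno = errno;`, so on a short write (`res >= 0` but `res != len`) the field records whatever errno last held instead of the `EIO` that `xerrno` defaults to. The dirtree.h comment says the field stores the errno of failed file transfer commands, so a stale or zero value would misreport the failure to whatever reads it (presumably mod_solaris_audit.c from this changeset, which is not visible here); I would write `cmd->error_code = (res < 0) ? errno : EIO;`, or assign from `xerrno` after that check. The field is also set on paths that only log and continue, namely the post-copy `pr_fsio_unlink` in mod_core.c and the `pr_table_add` failure in mod_xfer.c, so a command that ultimately succeeds can carry a non-zero `error_code`. A comment on the struct member such as `/* errno of the failure; only meaningful when the handler returns PR_ERROR */` would make that contract explicit for consumers. The enclosing functions start and end outside these hunks, so whether `error_code` is reset for each command cannot be confirmed from here.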
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/proftpd/patches/proftpd-pam.patch	Wed Jun 15 01:09:08 2011 -0700
@@ -0,0 +1,157 @@
+--- proftpd-1.3.3e/include/auth.h	Tue Sep  8 22:34:03 2009
++++ proftpd-1.3.3e-pam/include/auth.h	Tue May 24 10:37:40 2011
+@@ -59,6 +59,35 @@
+ /* Account has been disabled */
+ #define PR_AUTH_DISABLEDPWD		-5
+ 
++/* Insufficient credentials */
++#define PR_AUTH_CRED_INSUFF		-6
++
++/* Unavailable user credentials */
++#define PR_AUTH_CRED_UNAVAIL		-7
++
++/* Failure setting user credentials */
++#define PR_AUTH_CRED_ERR		-8
++
++/* Unavailable authentication service */
++#define PR_AUTH_UNAVAIL			-9
++
++/* Max retries reached */
++#define PR_AUTH_MAXTRIES		-10
++
++/* Initialization of authentization failed */
++#define PR_AUTH_INIT_FAIL		-11
++
++/* New auth token needed */
++#define PR_AUTH_NEWTOK			-12
++
++#define PR_AUTH_OPEN_ERR		-15
++#define PR_AUTH_SYMBOL_ERR		-16
++#define PR_AUTH_SERVICE_ERR		-17
++#define PR_AUTH_SYSTEM_ERR		-18
++#define PR_AUTH_BUF_ERR			-19
++#define PR_AUTH_CONV_ERR		-20
++#define PR_AUTH_PERM_DENIED		-21
++
+ void pr_auth_setpwent(pool *);
+ void pr_auth_endpwent(pool *);
+ void pr_auth_setgrent(pool *);
+--- proftpd-1.3.3e/modules/mod_auth.c	Mon Feb 21 03:36:38 2011
++++ proftpd-1.3.3e-pam/modules/mod_auth.c	Tue May 24 11:32:55 2011
+@@ -898,6 +898,44 @@
+           user);
+         goto auth_failure;
+ 
++      case PR_AUTH_CRED_INSUFF:
++        pr_log_auth(PR_LOG_NOTICE,
++          "USER %s (Login failed): Insufficient credentials.", origuser);
++        goto auth_failure;
++
++      case PR_AUTH_CRED_UNAVAIL:
++        pr_log_auth(PR_LOG_NOTICE, 
++          "USER %s (Login failed): Unavailable credentials.", origuser);
++        goto auth_failure;
++
++
++      case PR_AUTH_CRED_ERR:
++        pr_log_auth(PR_LOG_NOTICE, 
++          "USER %s (Login failed): Failure setting user credentials.",
++          origuser);
++        goto auth_failure;
++
++      case PR_AUTH_UNAVAIL:
++        pr_log_auth(PR_LOG_NOTICE,
++          "USER %s (Login failed): Unavailable authentication service.", user);
++        goto auth_failure;
++
++      case PR_AUTH_MAXTRIES:
++        pr_log_auth(PR_LOG_NOTICE,
++          "USER %s (Login failed): Max retries reached.", user);
++        goto auth_failure;
++
++      case PR_AUTH_INIT_FAIL:
++        pr_log_auth(PR_LOG_NOTICE,
++          "USER %s (Login failed): Authentization initialization failed.",
++          origuser);
++        goto auth_failure;
++
++      case PR_AUTH_NEWTOK:
++        pr_log_auth(PR_LOG_NOTICE,
++          "USER %s (Login failed): New authentication token needed.", user);
++        goto auth_failure;
++
+       default:
+         break;
+     };
+--- proftpd-1.3.3e/modules/mod_auth_pam.c	Thu Mar  5 06:24:06 2009
++++ proftpd-1.3.3e-pam/modules/mod_auth_pam.c	Tue May 24 10:28:58 2011
+@@ -349,6 +349,24 @@
+ 
+   if (pam_error != PAM_SUCCESS) {
+     switch (pam_error) {
++#ifdef PAM_CRED_INSUFFICIENT
++      case PAM_CRED_INSUFFICIENT:
++        retval = PR_AUTH_CRED_INSUFF;
++        break;
++#endif /* PAM_CRED_INSUFFICIENT */
++
++#ifdef PAM_AUTHINFO_UNAVAIL
++      case PAM_AUTHINFO_UNAVAIL:
++        retval = PR_AUTH_UNAVAIL;
++        break;
++#endif /* PAM_AUTHINFO_UNAVAIL */
++
++#ifdef PAM_MAXTRIES
++      case PAM_MAXTRIES:
++        retval = PR_AUTH_MAXTRIES;
++        break;
++#endif /* PAM_MAXTRIES */
++
+       case PAM_USER_UNKNOWN:
+         retval = PR_AUTH_NOPWD;
+         break;
+@@ -373,6 +391,14 @@
+ 
+   if (pam_error != PAM_SUCCESS) {
+     switch (pam_error) {
++#ifdef PAM_NEW_AUTHTOK_REQD
++      case PAM_NEW_AUTHTOK_REQD:
++        pr_trace_msg(trace_channel, 8,
++          "account mgmt error: PAM_NEW_AUTH_REQD");
++        retval = PR_AUTH_NEWTOK;
++        break;
++#endif /* PAM_NEW_AUTHTOK_REQD */
++
+ #ifdef PAM_AUTHTOKEN_REQD
+       case PAM_AUTHTOKEN_REQD:
+         pr_trace_msg(trace_channel, 8,
+@@ -417,7 +443,7 @@
+     switch (pam_error) {
+       case PAM_SESSION_ERR:
+       default:
+-        retval = PR_AUTH_DISABLEDPWD;
++        retval = PR_AUTH_INIT_FAIL;
+         break;
+     }
+ 
+@@ -435,6 +461,20 @@
+ 
+   if (pam_error != PAM_SUCCESS) {
+     switch (pam_error) {
++#ifdef PAM_CRED_UNAVAIL
++      case PAM_CRED_UNAVAIL:
++        pr_trace_msg(trace_channel, 8, "credentials error: PAM_CRED_UNAVAIL");
++        retval = PR_AUTH_CRED_UNAVAIL;
++        break;
++#endif /* PAM_CRED_UNAVAIL */
++
++#ifdef PAM_CRED_ERR
++      case PAM_CRED_ERR:
++        pr_trace_msg(trace_channel, 8, "credentials error: PAM_CRED_ERR");
++        retval = PR_AUTH_CRED_ERR;
++        break;
++#endif /* PAM_CRED_ERR */
++
+       case PAM_CRED_EXPIRED:
+         pr_trace_msg(trace_channel, 8, "credentials error: PAM_CRED_EXPIRED");
+         retval = PR_AUTH_AGEPWD;
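Review bot: The seven codes `PR_AUTH_OPEN_ERR` through `PR_AUTH_PERM_DENIED` (-15 to -21) added to auth.h get no `case` in the mod_auth.c switch, and no PAM error is mapped to them in the mod_auth_pam.c hunks, so a module returning one of them would land on `default: break;` instead of `goto auth_failure`. What follows the switch is outside this hunk, but a failure code should not depend on it: either add cases for these codes or make the fallback fail closed, e.g. `default: if (auth_code < 0) goto auth_failure; break;` (assuming the switch variable is `auth_code` and every failure code is negative, like the ones shown). Separately, the new `pr_log_auth` lines mix `origuser` and `user` for the same class of event, which makes failed-login correlation in the auth log harder; use one consistently. The trace string `PAM_NEW_AUTH_REQD` also does not match the constant `PAM_NEW_AUTHTOK_REQD` it reports.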
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/proftpd/prof_service-network-ftpd	Wed Jun 15 01:09:08 2011 -0700
@@ -0,0 +1,2 @@
+FTP Server Management:::Manage FTP service:
+Network Management::::profiles=FTP Server Management
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/proftpd/proftpd.conf	Wed Jun 15 01:09:08 2011 -0700
@@ -0,0 +1,34 @@
+ServerName			"FTP server"
+ServerIdent			off
+ServerType			standalone
+DefaultServer			on
+Port				21
+
+Umask				022
+
+# To prevent DoS attacks, set the maximum number of child processes
+# to 30.  If you need to allow more than 30 concurrent connections
+# at once, simply increase this value.  Note that this ONLY works
+# in standalone mode, in inetd mode you should use an inetd server
+# that allows you to limit maximum number of processes per service
+# (such as xinetd).
+MaxInstances			30
+
+# Set the user and group under which the server will run.
+User				ftp
+Group				ftp
+
+# Normally, we want files to be overwriteable.
+AllowOverwrite		on
+
+# Bar use of SITE CHMOD by default
+<Limit SITE_CHMOD>
+  DenyAll
+</Limit>
+
+# Make PAM the final authority on what gets authenticated.
+AuthOrder mod_auth_pam.c* mod_auth_unix.c
+
+# Use system libraries for user lookups
+PersistentPasswd off
+
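Review bot: The shipped default never sets `DefaultRoot`, so every account PAM accepts gets a session that is not confined to its home directory and can list or fetch anything its UID can read; with `AllowOverwrite on` at server scope it can also replace anything it can write. If this is meant to match the WU-ftpd behaviour being replaced, say so in a comment; otherwise add `DefaultRoot ~` after the `User`/`Group` lines. The file also leaves mod_tls unconfigured although the package manifest ships `mod_tls.so`, so logins on port 21 cross the network in clear text by default; a commented-out TLS section would show administrators where to enable it.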
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/proftpd/proftpd.license	Wed Jun 15 01:09:08 2011 -0700
@@ -0,0 +1,349 @@
+Oracle elects to use only the GNU Lesser General Public License version
+2.1 (LGPL)/GNU General Public License version 2 (GPL) for any software
+where a choice of LGPL/GPL license versions are made available with the
+language indicating that LGPLv2.1/GPLv2 or any later version may be
+used, or where a choice of which version of the LGPL/GPL is applied is
+unspecified.  Unless specifically stated otherwise, where a choice
+exists between another license and either the GPL or the LGPL, Oracle
+chooses the other license.
+-----------------------------------------------------------------------
+
+		    GNU GENERAL PUBLIC LICENSE
+		       Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.
+                          59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+			    Preamble
+
+  The licenses for most software are designed to take away your
+freedom to share and change it.  By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users.  This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it.  (Some other Free Software Foundation software is covered by
+the GNU Library General Public License instead.)  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+  To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have.  You must make sure that they, too, receive or can get the
+source code.  And you must show them these terms so they know their
+rights.
+
+  We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+  Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software.  If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+  Finally, any free program is threatened constantly by software
+patents.  We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary.  To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+		    GNU GENERAL PUBLIC LICENSE
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+  0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License.  The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language.  (Hereinafter, translation is included without limitation in
+the term "modification".)  Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope.  The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+  1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+  2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+    a) You must cause the modified files to carry prominent notices
+    stating that you changed the files and the date of any change.
+
+    b) You must cause any work that you distribute or publish, that in
+    whole or in part contains or is derived from the Program or any
+    part thereof, to be licensed as a whole at no charge to all third
+    parties under the terms of this License.
+
+    c) If the modified program normally reads commands interactively
+    when run, you must cause it, when started running for such
+    interactive use in the most ordinary way, to print or display an
+    announcement including an appropriate copyright notice and a
+    notice that there is no warranty (or else, saying that you provide
+    a warranty) and that users may redistribute the program under
+    these conditions, and telling the user how to view a copy of this
+    License.  (Exception: if the Program itself is interactive but
+    does not normally print such an announcement, your work based on
+    the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole.  If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works.  But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+  3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+    a) Accompany it with the complete corresponding machine-readable
+    source code, which must be distributed under the terms of Sections
+    1 and 2 above on a medium customarily used for software interchange; or,
+
+    b) Accompany it with a written offer, valid for at least three
+    years, to give any third party, for a charge no more than your
+    cost of physically performing source distribution, a complete
+    machine-readable copy of the corresponding source code, to be
+    distributed under the terms of Sections 1 and 2 above on a medium
+    customarily used for software interchange; or,
+
+    c) Accompany it with the information you received as to the offer
+    to distribute corresponding source code.  (This alternative is
+    allowed only for noncommercial distribution and only if you
+    received the program in object code or executable form with such
+    an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it.  For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable.  However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+  4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License.  Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+  5. You are not required to accept this License, since you have not
+signed it.  However, nothing else grants you permission to modify or
+distribute the Program or its derivative works.  These actions are
+prohibited by law if you do not accept this License.  Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+  6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions.  You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+  7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all.  For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices.  Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+  8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded.  In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+  9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number.  If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation.  If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+  10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission.  For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this.  Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+			    NO WARRANTY
+
+  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+		     END OF TERMS AND CONDITIONS
+
+	Appendix: How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) 19yy  <name of author>
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 2 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program; if not, write to the Free Software
+    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307, USA.
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+    Gnomovision version 69, Copyright (C) 19yy name of author
+    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary.  Here is a sample; alter the names:
+
+  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+  `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+  <signature of Ty Coon>, 1 April 1989
+  Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs.  If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library.  If this is what you want to do, use the GNU Library General
+Public License instead of this License.
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/proftpd/proftpd.p5m	Wed Jun 15 01:09:08 2011 -0700
@@ -0,0 +1,202 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+# Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+#
+
+# PSARC/2011/088
+<transform file path=usr.*/man/.+ -> default mangler.man.stability uncommitted>
+set name=pkg.fmri \
+    value=pkg:/service/network/ftp@$(IPS_COMPONENT_VERSION),$(BUILD_VERSION)
+set name=pkg.summary value="FTP Server and Utilities"
+set name=info.classification value="org.opensolaris.category.2008:System/Core"
+set name=info.source_url value=$(COMPONENT_ARCHIVE_URL)
+set name=info.upstream_url value="http://www.proftpd.org/"
+set name=opensolaris.arc_url \
+    value=http://arc.opensolaris.org/caselog/PSARC/2011/088
+set name=org.opensolaris.consolidation value=$(CONSOLIDATION)
+
+dir path=etc
+dir path=etc/security
+dir path=etc/security/auth_attr.d
+dir path=etc/security/prof_attr.d
+dir path=lib
+dir path=lib/svc
+dir path=lib/svc/manifest
+dir path=lib/svc/manifest/network
+dir path=lib/svc/method
+dir path=usr
+dir path=usr/bin
+dir path=usr/include
+dir path=usr/include/proftpd
+dir path=usr/lib
+dir path=usr/lib/help
+dir path=usr/lib/help/auths
+dir path=usr/lib/help/auths/locale
+dir path=usr/lib/help/auths/locale/C
+dir path=usr/lib/inet
+dir path=usr/lib/pkgconfig
+dir path=usr/lib/proftpd
+dir path=usr/sbin
+dir path=usr/share
+dir path=usr/share/doc
+dir path=usr/share/doc/proftpd
+dir path=usr/share/doc/proftpd/modules
+dir path=usr/share/locale
+dir path=usr/share/locale/bg_BG
+dir path=usr/share/locale/bg_BG/LC_MESSAGES
+dir path=usr/share/locale/en_US
+dir path=usr/share/locale/en_US/LC_MESSAGES
+dir path=usr/share/locale/fr
+dir path=usr/share/locale/fr/LC_MESSAGES
+dir path=usr/share/locale/it
+dir path=usr/share/locale/it/LC_MESSAGES
+dir path=usr/share/locale/ja
+dir path=usr/share/locale/ja/LC_MESSAGES
+dir path=usr/share/locale/ko
+dir path=usr/share/locale/ko/LC_MESSAGES
+dir path=usr/share/locale/ru
+dir path=usr/share/locale/ru/LC_MESSAGES
+dir path=usr/share/locale/zh_CN
+dir path=usr/share/locale/zh_CN/LC_MESSAGES
+dir path=usr/share/locale/zh_TW
+dir path=usr/share/locale/zh_TW/LC_MESSAGES
+dir path=usr/share/man
+dir path=usr/share/man/man1
+dir path=usr/share/man/man5
+dir path=usr/share/man/man8
+file proftpd.conf path=etc/proftpd.conf mode=0644 preserve=true
+file auth_service-network-ftpd path=etc/security/auth_attr.d/service-network-ftpd
+file prof_service-network-ftpd path=etc/security/prof_attr.d/service-network-ftpd
+file ftp.xml path=lib/svc/manifest/network/ftp.xml
+file svc-ftp path=lib/svc/method/svc-ftp
+file path=usr/bin/ftpcount
+file path=usr/bin/ftpdctl
+file path=usr/bin/ftptop
+file path=usr/bin/ftpwho
+file path=usr/bin/prxs
+file path=usr/include/proftpd/auth.h
+file path=usr/include/proftpd/bindings.h
+file path=usr/include/proftpd/buildstamp.h
+file path=usr/include/proftpd/child.h
+file path=usr/include/proftpd/class.h
+file path=usr/include/proftpd/cmd.h
+file path=usr/include/proftpd/compat.h
+file path=usr/include/proftpd/conf.h
+file path=usr/include/proftpd/config.h
+file path=usr/include/proftpd/ctrls.h
+file path=usr/include/proftpd/data.h
+file path=usr/include/proftpd/default_paths.h
+file path=usr/include/proftpd/dirtree.h
+file path=usr/include/proftpd/display.h
+file path=usr/include/proftpd/encode.h
+file path=usr/include/proftpd/env.h
+file path=usr/include/proftpd/event.h
+file path=usr/include/proftpd/expr.h
+file path=usr/include/proftpd/feat.h
+file path=usr/include/proftpd/filter.h
+file path=usr/include/proftpd/fsio.h
+file path=usr/include/proftpd/ftp.h
+file path=usr/include/proftpd/glibc-glob.h
+file path=usr/include/proftpd/help.h
+file path=usr/include/proftpd/inet.h
+file path=usr/include/proftpd/libsupp.h
+file path=usr/include/proftpd/log.h
+file path=usr/include/proftpd/mkhome.h
+file path=usr/include/proftpd/mod_ctrls.h
+file path=usr/include/proftpd/mod_gss.h
+file path=usr/include/proftpd/mod_tls.h
+file path=usr/include/proftpd/modules.h
+file path=usr/include/proftpd/netacl.h
+file path=usr/include/proftpd/netaddr.h
+file path=usr/include/proftpd/netio.h
+file path=usr/include/proftpd/options.h
+file path=usr/include/proftpd/parser.h
+file path=usr/include/proftpd/pidfile.h
+file path=usr/include/proftpd/pool.h
+file path=usr/include/proftpd/pr-syslog.h
+file path=usr/include/proftpd/privs.h
+file path=usr/include/proftpd/proctitle.h
+file path=usr/include/proftpd/proftpd.h
+file path=usr/include/proftpd/regexp.h
+file path=usr/include/proftpd/response.h
+file path=usr/include/proftpd/scoreboard.h
+file path=usr/include/proftpd/session.h
+file path=usr/include/proftpd/sets.h
+file path=usr/include/proftpd/str.h
+file path=usr/include/proftpd/support.h
+file path=usr/include/proftpd/table.h
+file path=usr/include/proftpd/throttle.h
+file path=usr/include/proftpd/timers.h
+file path=usr/include/proftpd/trace.h
+file path=usr/include/proftpd/var.h
+file path=usr/include/proftpd/version.h
+file path=usr/include/proftpd/xferlog.h
+file ManageFTP.html path=usr/lib/help/auths/locale/C/ManageFTP.html
+file usr/sbin/proftpd path=usr/lib/inet/proftpd
+file path=usr/lib/pkgconfig/proftpd.pc
+file path=usr/lib/proftpd/mod_auth_gss.so
+file path=usr/lib/proftpd/mod_facl.so
+file path=usr/lib/proftpd/mod_gss.so
+file path=usr/lib/proftpd/mod_tls.so
+file ftprestart.sh path=usr/sbin/ftprestart
+file path=usr/sbin/ftpscrub
+file path=usr/sbin/ftpshut
+file proftpd_migration.txt path=usr/share/doc/proftpd/proftpd_migration.txt
+file doc/Configuration.html path=usr/share/doc/proftpd/Configuration.html
+file doc/modules/mod_auth_file.html path=usr/share/doc/proftpd/modules/mod_auth_file.html
+file doc/modules/mod_auth_pam.html path=usr/share/doc/proftpd/modules/mod_auth_pam.html
+file doc/modules/mod_ctrls.html path=usr/share/doc/proftpd/modules/mod_ctrls.html
+file doc/modules/mod_delay.html path=usr/share/doc/proftpd/modules/mod_delay.html
+file doc/modules/mod_dso.html path=usr/share/doc/proftpd/modules/mod_dso.html
+file doc/modules/mod_facl.html path=usr/share/doc/proftpd/modules/mod_facl.html
+file doc/modules/mod_facts.html path=usr/share/doc/proftpd/modules/mod_facts.html
+file doc/modules/mod_ident.html path=usr/share/doc/proftpd/modules/mod_ident.html
+file doc/modules/mod_lang.html path=usr/share/doc/proftpd/modules/mod_lang.html
+file doc/contrib/mod_gss.html path=usr/share/doc/proftpd/modules/mod_gss.html
+file doc/contrib/mod_tls.html path=usr/share/doc/proftpd/modules/mod_tls.html
+file doc/contrib/mod_wrap.html path=usr/share/doc/proftpd/modules/mod_wrap.html
+file path=usr/share/locale/bg_BG/LC_MESSAGES/proftpd.mo
+file path=usr/share/locale/en_US/LC_MESSAGES/proftpd.mo
+file usr/share/locale/fr_FR/LC_MESSAGES/proftpd.mo path=usr/share/locale/fr/LC_MESSAGES/proftpd.mo
+file usr/share/locale/it_IT/LC_MESSAGES/proftpd.mo path=usr/share/locale/it/LC_MESSAGES/proftpd.mo
+file usr/share/locale/ja_JP/LC_MESSAGES/proftpd.mo path=usr/share/locale/ja/LC_MESSAGES/proftpd.mo
+file usr/share/locale/ko_KR/LC_MESSAGES/proftpd.mo path=usr/share/locale/ko/LC_MESSAGES/proftpd.mo
+file usr/share/locale/ru_RU/LC_MESSAGES/proftpd.mo path=usr/share/locale/ru/LC_MESSAGES/proftpd.mo
+file path=usr/share/locale/zh_CN/LC_MESSAGES/proftpd.mo
+file path=usr/share/locale/zh_TW/LC_MESSAGES/proftpd.mo
+file path=usr/share/man/man1/ftpcount.1
+file path=usr/share/man/man1/ftptop.1
+file path=usr/share/man/man1/ftpwho.1
+file path=usr/share/man/man5/xferlog.5
+file path=usr/share/man/man8/ftpdctl.8
+file path=usr/share/man/man8/ftpscrub.8
+file path=usr/share/man/man8/ftpshut.8
+file path=usr/share/man/man8/proftpd.8
+
+group groupname="ftp" gid=21
+
+legacy	pkg=SUNWftpu \
+    name="FTP Server, (Usr)" \
+    desc="FTP Server and Utilities"
+
+license proftpd.license license="GPLv2"
+
+user ftpuser=false gcos-field="FTPD Reserved UID" username="ftp" uid=21 group="ftp"
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/proftpd/proftpd_migration.txt	Wed Jun 15 01:09:08 2011 -0700
@@ -0,0 +1,215 @@
+                 Migration from Solaris WU-FTPD to ProFTPD
+
+
+Introduction
+------------
+
+This document provides an overview of migrating the Solaris WU-FTPD
+configuration to Solaris ProFTPD. ProFTPD replaces WU-FTPD in this
+Oracle Solaris release and has a different configuration system.
+
+Migration from the previous Solaris FTP server setup must be done
+manually.
+
+This document contains the following sections:
+
+    * Section 1 - basic overview of configuration
+    * Section 2 - managing access
+    * Section 3 - virtual host configuration
+    * Section 4 - other options
+
+1. Basic overview of configuration
+
+WU-FTPD uses several configuration files to manage the FTP server:
+
+  /etc/ftpd/ftpaccess
+  /etc/ftpd/ftpservers
+  /etc/ftpd/ftphosts
+  /etc/ftpd/ftpconversions
+  /etc/ftpd/ftpgroups
+
+These configuration files manage all aspects from general options to
+account management and virtual servers.
+
+Configuration of ProFTPD is contained in /etc/proftpd.conf. It is also
+possible to manage some options on per-directory basis with .ftpaccess
+files.
+
+ProFTPD consists of a core server and a series of "modules".
+Configuration of ProFTPD is separated into "contexts" containing
+"directives".
+
+2. Managing access
+
+WU-FTPD uses several files to manage access to system:
+
+  /etc/ftpd/ftpaccess
+  /etc/ftpd/ftphosts
+  /etc/ftpd/ftpgroups
+
+ProFTPD uses the "Limit" context to configure access.
+
+For backward compatibility /etc/ftpd/ftpusers is provided and
+/etc/ftpusers is symlink to /etc/ftpd/ftpusers. It is used if
+UseFtpUsers is set to "on" which is the default setting.
+
+2.1. Anonymous access
+
+In WU-FTPD anonymous access is enabled by the ftpconfig(1M) command
+which also created the necessary chroot(1M) environment. ProFTPD does
+not need chroot(1M) as all access management is handled as part of the
+"Anonymous" context.
+
+2.2. Allow/deny retrieve of files
+
+In ProFTPD it is possible to manage access to files on a per-directory
+basis with .ftpaccess files.
+
+2.3. Control of download/upload size
+
+Directives are provided for control of download and upload size:
+
+  MaxRetrieveFileSize - size of downloaded files
+  MaxStoreFileSize - size of uploaded files
+
+2.4. Maximum login failures before terminating the FTP connection
+
+MaxLoginAttempts controls the maximum number of login failures. The
+default is 3.
+
+3. Virtual host configuration
+
+ProFTPD provides a comprehensive set of directives to manage virtual
+FTP servers. Refer to the VirtualHost documentation for details.
+
+4. Other options
+
+Other common WU-FTPD /etc/ftpd/ftpaccess options are configured in
+ProFTPD as follows:
+
+4.1. Connection management
+
+4.1.1. Limit IP address on which FTP server listens
+
+For a standalone FTP server DefaultAddress configures the listener
+address. For virtual servers the IP addresses are part of the
+VirtualHost context.
+
+4.1.2. IP Class of Service setup
+
+ProFTPD does not support manipulation of IP Class of Service within FTP
+server implementation.
+
+4.1.3. Keepalive
+
+ProFTPD always sets the SO_KEEPALIVE socket option.
+
+4.1.4. TCP window size
+
+Directives are provided for control of socket options:
+
+  SocketOptions - tune socket-level options, including
+                  TCP send/receive window sizes.
+
+4.1.5. Enable/disable reverse remote host lookup
+
+Reverse DNS lookup is configured using UseReverseDNS, the default is
+"on".
+
+4.2. Session management
+
+4.2.1. Timeouts management
+
+ProFTPD provides the following set of timeouts:
+
+  TimeoutIdle - the idle connection timeout
+  TimeoutLinger - the timeout used for lingering closes
+  TimeoutLogin - the login timeout
+  TimeoutNoTransfer - the connection without data transfer timeout
+  TimeoutSession - the timeout for the whole session
+  TimeoutStalled - the timeout on stalled downloads
+
+4.2.2. banner option
+
+The DisplayConnect directive configures an ASCII text filename which
+will be displayed to the user when they initially connect but before
+they login.
+
+4.2.3. message option
+
+Two directives are provided:
+
+  DisplayLogin - for message file after login
+  DisplayChdir - for message file after every chdir
+
+4.2.4. Control of list options
+
+ProFTPD does not allow the use of an external command to generate
+directory listings. Listing output is controlled by ListOptions.
+
+4.3. Process management
+
+4.3.1. Setting nice(1)
+
+ProFTPD does not provide an interface for changing the nice value.  The
+nice value needs to managed outside of ProFTPD for example using the
+nice(1) command.
+
+4.3.2. Setting umask
+
+Use the Umask directive.
+
+4.3.3. E-mail notification for uploads
+
+ProFTPD provides /usr/sbin/ftpmail script which reads TranferLog
+entries and sends e-mail notifications when uploads occur.
+
+4.3.4. Shutdown management
+
+ftpshut(1M) and ftprestart(1M) commands are provided. The file
+monitored by FTP server is set to /etc/shutmsg and it is not possible
+to configure the path.
+
+4.4. Log options
+
+The ProFTPD mod_log module handles logging. By default it uses
+syslogd(1M). Control of the log format is provided by the LogFormat
+directive.
+
+4.5. Kerberos support
+
+ProFTPD supports Kerberos authentication through the mod_gss module.
+
+4.6. Miscellaneous options
+
+4.6.1. cdpath
+
+Provided by the CDPath directive.
+
+4.7. Removed options
+
+4.7.1 alias
+
+Aliasing of directory paths is not provided by ProFTPD.
+
+4.7.2 ftpconversion and compress
+
+ftpconversion is not supported by ProFTPD. For compression external
+modules mod_deflate and mod_gzipfs can be used but they are not
+provided in the Solaris default installation.
+
+4.7.3. SITE EXEC
+
+SITE EXEC is not provided by ProFTPD. Consider using other more secure
+methods for command execution.
+
+4.7.4. quota-info
+
+quota-info option replacement is not provided by ProFTPD.
+
+4.7.5. passive address
+
+passive address option replacement is not provided by ProFTPD.
+
+-- end --
+
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/proftpd/svc-ftp	Wed Jun 15 01:09:08 2011 -0700
@@ -0,0 +1,61 @@
+#!/usr/sbin/sh
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+#
+# Copyright (c) 2009, 2011, Oracle and/or its affiliates. All rights reserved.
+#
+
+. /lib/svc/share/ipf_include.sh
+
+create_ipf_rules()
+{
+	FMRI=$1
+	ipf_file=`fmri_to_file ${FMRI} $IPF_SUFFIX`
+	nat_file=`fmri_to_file ${FMRI} $NAT_SUFFIX`
+	policy=`get_policy ${FMRI}`
+
+	#
+	# Ftp uses two ports, ftp and ftp-data, see /etc/services which
+	# is why it's necessary to have this custom method.
+	#
+	conn_port=`$SERVINFO -p -t -s ftp 2>/dev/null`
+	data_port=`$SERVINFO -p -t -s ftp-data 2>/dev/null`
+
+	echo "# $FMRI" >$ipf_file
+	generate_rules $FMRI $policy "tcp" "any" $conn_port $ipf_file
+	generate_rules $FMRI $policy "tcp" "any" $data_port $ipf_file
+
+	# Generate a custom NAT rule here to use the ftp-proxy
+	#
+	echo "# $FMRI" >$nat_file
+	echo "rdr * any -> 0/32  proxy port ftp ftp/tcp" >>$nat_file
+}
+
+case "$1" in
+'ipfilter')
+	create_ipf_rules $2
+	;;
+	
+*)
+	echo "Usage: $0 ipfilter"
+	;;
+esac
+exit 0
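Review bot: In `create_ipf_rules`, `conn_port` and `data_port` are read from `$SERVINFO` with stderr discarded and then passed unquoted to `generate_rules`, so a failed `ftp` or `ftp-data` lookup silently drops the port argument and shifts `$ipf_file` into its position. How `generate_rules` reacts is not visible here (it is sourced from `ipf_include.sh`), but the likely outcome is an incomplete or malformed firewall rules file, and the trailing `exit 0` reports success either way. I would add `[ -n "$conn_port" ] && [ -n "$data_port" ] || return 1` after the two lookups, quote the expansions (`"$FMRI"`, `"$conn_port"`, `"$data_port"`, `"$ipf_file"`), and invoke the function as `create_ipf_rules "$2" || exit 1`. The usage branch should also end with a non-zero status so that an unknown or missing method argument is not reported as success.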