Authenticating with LDAP on IBM HTTP Server using mod_ldap
You can configure Lightweight Directory Access Protocol (LDAP) to authenticate users and protect files on IBM® HTTP Server.
Before you begin
Best Practice: If you are using the mod_ibm_ldap module for your LDAP configuration, consider migrating your mod_ibm_ldap directives to use the mod_ldap module. The mod_ibm_ldap module is provided with this release of IBM HTTP Server for compatibility with previous releases; however, you must migrate existing configurations to the mod_authnz_ldap and mod_ldap modules to ensure future support for your LDAP configuration.
The LoadModule directives for LDAP are not enabled in IBM HTTP Server by default. Without them, the LDAP features are not available for use.
To enable the LDAP function, add the following LoadModule directives to the IBM HTTP Server httpd.conf file:
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
About this task
LDAP authentication is provided by the mod_ldap and mod_authnz_ldap Apache modules.
- The mod_ldap module provides LDAP connection pooling and caching.
- The mod_authnz_ldap module uses the connection pooling and caching services of mod_ldap to provide Web client authentication and authorization.
See the following Web sites to obtain detailed descriptions of the LDAP (ldap_module and authnz_ldap_module) directives:
- http://publib.boulder.ibm.com/httpserv/manual70/mod/mod_ldap.html
- http://publib.boulder.ibm.com/httpserv/manual70/mod/mod_authnz_ldap.html
Procedure
- Edit the httpd.conf IBM HTTP Server configuration file.
- Determine the resource for which you want to limit access. For example: <Directory "/secure_info">
- Add the LDAPTrustedGlobalCert directive to httpd.conf if the IBM HTTP Server connection to the LDAP server is an SSL connection.
The LDAPTrustedGlobalCert directive specifies the directory path and file name of the trusted certificate authority (CA) certificate that mod_ldap uses when establishing an SSL connection to an LDAP server.
Certificates can be stored in a .kdb file or in a SAF key ring. If a .kdb file is used, a .sth stash file must be located in the same directory path and have the same file name, with the extension .sth instead of .kdb.
The first argument of LDAPTrustedGlobalCert is the key store type. Use CMS_KEYFILE if the certificates are stored in a .kdb file, and SAF_KEYRING if they are stored in a SAF key ring.
Example when the certificate is stored in a .kdb file:
LDAPTrustedGlobalCert CMS_KEYFILE /path/to/keyfile.kdb myKDBpassword
Example when the certificate is stored in a SAF key ring:
LDAPTrustedGlobalCert SAF saf_keyring
Important: The user ID that you use to start IBM HTTP Server must have access to the SAF key ring that you name in this directive. If the user ID does not have access to the SAF key ring, SSL initialization fails. See Perform required z/OS system configurations for information on accessing SAF key rings defined in RACF®.
- Add the AuthLDAPURL directive, which specifies the LDAP server to contact and the search parameters to use. The syntax of the URL is:
ldap://host:port/basedn?attribute?scope?filter
host and port identify the LDAP server; basedn is the DN at which the search for the user starts; attribute is the LDAP attribute that is matched against the user name supplied by the client (uid if omitted); scope is one or sub; and filter is an optional LDAP filter that further restricts which entries can match. An ldaps:// URL requests an SSL connection to the LDAP server, which is the case covered by the LDAPTrustedGlobalCert directive above.
- Add directives in httpd.conf to the directory location (container) to be protected, with values specific to your environment, such as:
- AuthName Title of your protected Realm
- AuthType Basic
- AuthBasicProvider ldap
- AuthLDAPURL your_ldap_url
- Require valid-user
- AuthLDAPBindDN "cn=Directory Manager"
- AuthLDAPBindPassword auth_password
In addition to allowing any user present in the LDAP repository (Require valid-user), mod_authnz_ldap provides Require ldap-user, Require ldap-group, and Require ldap-filter. When you use multiple Require directives, authorization succeeds if any one of them matches the current user; they do not all have to match.
- Require ldap-user user1
Looks up "user1" based on AuthLDAPURL and makes sure their DN matches the DN of the authenticated user
- Require ldap-group cn=group1,o=example,c=US
Searches for the currently authenticated user in the listed LDAP group
- Require ldap-filter "|(someAttr=val1)(someVal=val2)"
Searches for the authenticated user with the provided LDAP filter. If the search returns exactly one entry and its DN matches the DN of the authenticated user, authorization passes.
For each combination of LDAP server, protection setup, and protect directive, code a Location container similar to the following example:
<Location /ldapdir>
AuthName "whatever_LDAP"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL ldap://9.27.163.182:389/o=abc.xyz.com?cn?sub?
Require valid-user
AuthLDAPBindDN "cn=Directory Manager"
AuthLDAPBindPassword d44radar
</Location>
The AuthLDAPBindPassword value is stored in cleartext in httpd.conf, so restrict read access to that file. Note also that an ldap:// URL without SSL sends the bind password and the credentials of every authenticating user to the LDAP server unencrypted; use an SSL connection together with LDAPTrustedGlobalCert when the LDAP server is not on a trusted network.
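The following Python script is an added example for this page; it is not IBM HTTP Server or Apache code. It parses AuthLDAPURL values using the syntax documented above and audits every Location or Directory container in an httpd.conf fragment for the problems this procedure is concerned with: a cleartext ldap:// connection, an SSL connection with no server-wide LDAPTrustedGlobalCert, an unsupported search scope, a missing Require, and a bind DN without a bind password. The configuration it checks is constructed for the example; the host name, base DNs and bind password are placeholders. The defaults it fills in (uid, sub, (objectClass=*)), the rule that scope must be one or sub, and the optional NONE|SSL|TLS|STARTTLS second argument of AuthLDAPURL are taken from the mod_authnz_ldap manual linked above; the rule that an SSL connection needs LDAPTrustedGlobalCert is this page's own.

```python
"""Audit mod_authnz_ldap settings in an httpd.conf fragment (added example,
not IBM HTTP Server or Apache code)."""
import re
from dataclasses import dataclass

# Constructed sample configuration: hypothetical host, base DNs and password.
SAMPLE_CONF = """
<Location /ldapdir>
    AuthName "LDAP protected"
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPURL ldap://ldap.example.com:389/o=example.com?cn?sub?
    Require valid-user
    AuthLDAPBindDN "cn=Directory Manager"
    AuthLDAPBindPassword changeit
</Location>
<Location /admin>
    AuthName "Admin"
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPURL ldaps://ldap.example.com/o=example.com?uid?base?(objectClass=person)
    Require ldap-group cn=admins,o=example.com
</Location>
"""

# scheme://host[:port]/basedn[?attribute[?scope[?filter]]]
URL_RE = re.compile(r"^(ldaps?)://([^/:?]+)(?::(\d+))?/([^?]*)"
                    r"(?:\?([^?]*)(?:\?([^?]*)(?:\?(.*))?)?)?$")
BLOCK_RE = re.compile(r'<(Location|Directory)\s+"?([^\s">]+)"?\s*>(.*?)</\1>', re.S)
DIRECTIVE_RE = re.compile(r"^[ \t]*(\w+)[ \t]+(.*?)[ \t]*$", re.M)


@dataclass(frozen=True)
class LdapUrl:
    scheme: str
    host: str
    port: int
    basedn: str
    attribute: str
    scope: str
    filter: str


def parse_auth_ldap_url(url: str) -> LdapUrl:
    """Split an AuthLDAPURL into its parts, filling in the documented defaults."""
    m = URL_RE.match(url.strip().strip('"'))
    if not m:
        raise ValueError(f"not a valid AuthLDAPURL: {url!r}")
    scheme, host, port, basedn, attribute, scope, filt = m.groups()
    return LdapUrl(scheme, host, int(port) if port else (636 if scheme == "ldaps" else 389),
                   basedn, attribute or "uid", scope or "sub", filt or "(objectClass=*)")


def audit_conf(conf: str) -> dict[str, list[str]]:
    """Return {container path: [findings]} for every Location/Directory block."""
    # LDAPTrustedGlobalCert is server-wide, so look for it outside all containers.
    top_level = BLOCK_RE.sub("", conf)
    has_trusted_ca = re.search(r"^\s*LDAPTrustedGlobalCert\s", top_level, re.M) is not None
    report: dict[str, list[str]] = {}
    for _kind, path, body in BLOCK_RE.findall(conf):
        directives: dict[str, list[str]] = {}
        for name, value in DIRECTIVE_RE.findall(body):
            directives.setdefault(name, []).append(value)
        issues: list[str] = []
        if "ldap" not in " ".join(directives.get("AuthBasicProvider", [])).split():
            issues.append("AuthBasicProvider does not list ldap")
        if "Require" not in directives:
            issues.append("no Require directive: nothing is enforced after authentication")
        if "AuthLDAPBindDN" in directives and "AuthLDAPBindPassword" not in directives:
            issues.append("AuthLDAPBindDN set without AuthLDAPBindPassword")
        url_args = directives.get("AuthLDAPURL", [""])[0].split()
        try:
            u = parse_auth_ldap_url(url_args[0] if url_args else "")
        except ValueError as exc:
            issues.append(str(exc))
            report[path] = issues
            continue
        # Optional second argument of AuthLDAPURL: NONE | SSL | TLS | STARTTLS
        mode = url_args[1].upper() if len(url_args) > 1 else "NONE"
        encrypted = u.scheme == "ldaps" or mode in ("SSL", "TLS", "STARTTLS")
        if u.scope not in ("one", "sub"):
            issues.append(f"scope {u.scope!r} is not supported by mod_authnz_ldap; use one or sub")
        if not encrypted:
            issues.append(f"cleartext LDAP to {u.host}:{u.port}: user and bind "
                          "passwords cross the network unencrypted")
        elif not has_trusted_ca:
            issues.append("SSL connection to the LDAP server but no LDAPTrustedGlobalCert configured")
        report[path] = issues
    return report


if __name__ == "__main__":
    for path, issues in audit_conf(SAMPLE_CONF).items():
        print(path, "->", issues or ["ok"])
```

Run it against a copy of your own httpd.conf (read the file into audit_conf) before restarting the server; an empty finding list for a container means the URL parsed, the scope is supported, a Require is present, and the connection is either encrypted with a trusted CA configured or you have consciously accepted cleartext LDAP.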
- Converting your directives from mod_ibm_ldap to mod_ldap
Convert directives that use the mod_ibm_ldap module to use the mod_ldap Apache module to ensure continued IBM HTTP Server support for your LDAP configuration.
Related concepts
- IBM HTTP Server certificate management
- SSL Certificate revocation list and Online Certificate Status Protocol
Related tasks
- Secure IBM HTTP Server
- Configure SSL between the IBM HTTP Server Administration Server and the deployment manager
- Secure with SSL communications
- Set advanced SSL options
- Manage keys with the IKEYMAN graphical interface (Distributed systems)
- Manage keys from the command line (Distributed systems)
- Manage keys with the native key database gskkyman (z/OS systems)
- Getting started with the cryptographic hardware for SSL (Distributed systems)
- Authenticating with SAF on IBM HTTP Server (z/OS systems)
- Converting your directives from mod_ibm_ldap to mod_ldap