Converting your directives from mod_ibm_ldap to mod_ldap

Convert directives that use the mod_ibm_ldap module to use the mod_ldap Apache module to ensure continued IBM® HTTP Server support for your LDAP configuration.


Before you begin

Determine which directives to convert.

Complete these steps to convert your directives.


Procedure

  1. Edit the LoadModule directive in the httpd.conf or ldap.prop configuration file to remove mod_ibm_ldap. 
    LoadModule ibm_ldap_module modules/mod_ibm_ldap.so

  2. Add the mod_ldap LoadModule directive to the httpd.conf configuration file. 
    LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so

  3. Convert one or more of the following directives. For more information about converting your directives, see the topic about mod_ibm_ldap migration.Note: A one to one correlation might not exist for some directives.
    Table 1. LDAP configuration directives conversion
    mod_ibm_ldap mod_ldap
    ldapCodePageDir None. The codepages directory cannot be moved from its installed location.
    LdapConfigFile include
    LdapRequire require
    ldap.application.authType None. If the mod_ldap directive, AuthLDAPBindDN, is specified, then you will get Basic auth. If no AuthLDAPBindDN is specified, then you get what would have been the None auth type (anonymous). If the mod_ldap configuration specifies an LDAPTrustedClientCert value then you will get the Cert auth type.
    ldap.application.DN AuthLDAPBindDN
    ldap.application.password AuthLDAPBindPassword
    ldap.application.password.stashFile None. The mod_ldap module does not provide a directive for using stashed passwords.
    ldap.cache.timeout LDAPCacheTTL
    ldap.group.dnattributes AuthLDAPSubGroupClass
    ldap.group.memberattribute AuthLDAPSubGroupAttribute
    ldap.group.memberattributes AuthLDAPGroupAttribute
    ldap.group.name.filter None. The mod_ldap module uses the filter provided at the end of the AuthLDAPURL directive.
    ldap.group.search.depth AuthLDAPMaxSubGroupDepth
    ldap.group.URL AuthLDAPURL
    ldap.idleConnection.timeout None. The mod_ldap module does not provide a directive for connection timeouts.
    ldap.key.file.password.stashfile None. The mod_ldap module does not provide a directive for using stashed passwords. Specify the keyfile password, in clear text, at the end of the LDAPTrustedGlobalCert directive. Alternatively, omit the password on the LDAPTrustedGlobalCert directive and the mod_ldap module automatically looks for a /path/to/keyfile.sth file, assuming /path/to/keyfile.kdb was the specified value of the LDAPTrustedGlobalCert directive.
    ldap.key.fileName LDAPTrustedGlobalCert
    ldap.key.label LDAPTrustedClientCert
    ldap.ReferralHopLimit LDAPReferralHopLimit
    ldapReferrals LDAPReferrals
    ldap.realm None. The mod_ibm_ldap value of this directive was only used for logging purposes. No equivalent directive is required in mod_ldap.
    ldap.search.timeout

    LDAPTimeout Directive

    Description: Specifies the timeout for LDAP search and bind operations, in seconds

    Syntax: LDAPTimeout seconds

    Default: LDAPTimeout 60

    Context: server config

    Status: Extension

    Module: mod_ldap

    Compatibility: Apache HTTP Server 2.3.5 and later
    ldap.transport LDAPTrustedMode
    ldap.URL AuthLDAPURL
    ldap.user.authType None. The mod_ldap module authenticates users based on the user ID and password credentials provided.
    ldap.user.cert.filter None. The mod_ldap module does not work directly with client certificates. Authorization directives use the environment values set by the SSL module.
    ldap.user.name.fieldSep None. The mod_ldap module does not provide support for parsing the provided credentials into subcomponents.
    ldap.user.name.filter None. The mod_ldap module specifies the user name filter as part of the AuthLDAPURL directive.
    ldap.version None. The mod_ldap module uses only LDAP version 3.
    ldap.waitToRetryConnection.interval None. The mod_ldap module does not have a timed delay between connection retries when a connection attempt fails. The connection attempt is retried for a maximum of 10 times before request fails.

  4. Run the Apache control with the verify flag to verify the configuration. 
    <ihsinst>bin/apachectl -t

    Attention: This configuration check confirms that the syntax is correct, but you must verify any configuration changes for a directive using the documentation for that directive to ensure an optimal configuration. Attention: All mod_ibm_ldap directives that use the form ldap.* used to optionally display in the LDAPConfigFile configuration file without the ldap prefix.


A mod_ldap SSL configuration

The following configuration directives show a sample SSL-enabled LDAP configuration. Some of the directives specify default values and would not typically need to be specified, but are retained to provide context. Those directives are included, but are commented out with '##" symbols.

##LDAPReferrals On
##LDAPReferralHopLimit 5

LDAPTrustedGlobalCert CMS_KEYFILE /full/path/to/ldap_client.kdb clientkdbPassword
#default cert in this kdb is my_cert1

# Alternatively, we can specify a SAF-based keyring, on systems that support it, as follows:
#LDAPTrustedGlobalCert SAF saf_keyring

<VirtualHost *>
	ServerAdmin admin@my.address.com
	DocumentRoot /path/to/htdocs

	# Ignored because LDAP URLs use ldaps:, where needed
  ##LDAPTrustedMode SSL

  <Directory /minimal_ldap_config>
	  AuthBasicProvider ldap
    AuthLDAPURL ldap://our_ldap.server.org/o=OurOrg,c=US
    AuthName "Private root access"
    require valid-user
  </Directory>

	<Directory /path/to/htdocs>
		##AuthzLDAPAuthoritative on
		AuthBasicProvider ldap
		# This LDAPTrustedClientCert is required to use a different certificate
    # than the default
    LDAPTrustedClientCert CMS_LABEL my_cert2
		AuthLDAPURL ldaps://our_ldap.server.org:636/o=OurOrg,c=US?cn?sub? (objectclass=person)
		AuthLDAPBindDN "cn=ldapadm,ou=OurDirectory,o=OurCompany,c=US"
		AuthLDAPBindPassword mypassword
		AuthName "Private root access"
		require ldap-group cn=OurDepartment,o=OurOrg,c=us
	</Directory>

	<Directory "/path/to/htdocs/employee_of_the_month">
		##AuthzLDAPAuthoritative on
		AuthBasicProvider ldap
		#Uses default cert (my_cert1)
		##LDAPTrustedClientCert CMS_LABEL my_cert1
    AuthLDAPURL ldaps://our_ldap.server.org:636/o=OurOrg,c=US?cn?sub?(objectclass=person)
		AuthLDAPBindDN "cn=ldapadm,ou=OurDirectory,o=OurCompany,c=US"
		AuthLDAPBindPassword mypassword
		AuthName "Employee of the month login"
 		require ldap-attribute description="Employee of the Month."
	</Directory>

	<Directory "/path/to/htdocs/development_groups">

		#These are the default values for the subgroup-related directives and only need to be 
		#specified when the LDAP structure differs.
		##AuthzLDAPAuthoritative on
		AuthBasicProvider ldap
    # This LDAPTrustedClientCert is required to use a different certificate
		# than the default	 LDAPTrustedClientCert CMS_LABEL my_cert3
		AuthLDAPURL ldaps://groups_ldap.server.org:636/o=OurOrg,c=US?cn?sub?
			(|(objectclass=groupofnames)(object class=groupo1 funiquenames))
		AuthLDAPBindDN "cn=ldapadm,ou=OurDirectory,o=OurCompany,c=US"
 		AuthLDAPBindPassword mypassword
		AuthName "Developer Access"
		AuthLDAPGroupAttribute member
 		AuthLDAPMaxSubGroupDepth 2
		AuthLDAPSubGroupClass groupOfUniqueNames
		##AuthLDAPSubGroupClass groupOfNames
		##AuthLDAPSubGroupAttribute uniqueMember
		##AuthLDAPSubGroupAttribute member
		require ldap-group cn=Developers_group,o=OurOrg,c=us
	</Directory>
	</VirtualHost>

LDAPTrustedMode None

  • LDAP directive migration
    This article contains information to help with migration from existing directives that use the mod_ibm_ldap module to the use of the open source LDAP modules (mod_authnz_ldap and mod_ldap). Migration will ensure future support for your LDAP configuration.


Related reference