Authenticate with LDAP on IHS using mod_ldap

You can configure Lightweight Directory Access Protocol (LDAP) to authenticate and protect files on IHS.

Best Practice: If you are using the mod_ibm_ldap module for your LDAP configuration, consider migrating your mod_ibm_ldap directives to the mod_ldap module. The mod_ibm_ldap module is provided with this release of IHS for compatibility with previous releases; however, migrate existing configurations to the mod_authnz_ldap and mod_ldap modules to ensure future support for your LDAP configuration.

The LoadModule directive for LDAP does not load into IHS by default. Without the LoadModule directive, the LDAP features are not available for use. In order to enable the LDAP function, add a LoadModule directive to the IHS httpd.conf file as follows:

LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

LDAP authentication is provided by the mod_ldap and mod_authnz_ldap Apache modules.

Detailed descriptions of the LDAP (ldap_module and authnz_ldap_module) directives are available at the Web site referenced at the end of this procedure. To configure LDAP authentication, complete the following steps:

  1. Edit the httpd.conf IHS configuration file.

  2. Determine the resource for which you want to limit access.

    For example: <Directory "/secure_info">

  3. Add the LDAPTrustedGlobalCert directive to httpd.conf if the IBM HTTP Server connection to the LDAP server is an SSL connection.

    The LDAPTrustedGlobalCert directive specifies the path and file name of the trusted certificate authority (CA) that mod_ldap uses when establishing an SSL connection to an LDAP server.

    Certificates can be stored in a .kdb file or a SAF key ring. If a .kdb file is used, a .sth file must be located in the same path and have the same filename, but the extension must be .sth instead of .kdb.

    Use the CMS_KEYFILE value type when the certificates that the LDAPTrustedGlobalCert directive points to are stored in a .kdb file:

    LDAPTrustedGlobalCert CMS_KEYFILE /path/to/keyfile.kdb myKDBpassword

    Use the SAF value type when the certificate is stored in a SAF key ring (z/OS):

    LDAPTrustedGlobalCert SAF saf_keyring


    The user ID that you use to start IHS must have access to the SAF key ring that you name in this directive. If the user ID does not have access to the SAF key ring, SSL initialization fails. See Performing required z/OS system configurations for information on accessing SAF key rings defined in RACF.

  4. Add the AuthLDAPUrl directive, which specifies the LDAP search parameters to use. The syntax of the URL is:

    ldap://host:port/basedn?attribute?scope?filter


  5. Add directives in httpd.conf to the location (container) to be protected with values specific to your environment, such as:

    • Order deny,allow

    • Allow from all

    • AuthName "Title of your protected Realm"

    • AuthType Basic

    • AuthBasicProvider ldap

    • AuthLDAPURL my_ldap_url

    • Require valid-user

    • AuthLDAPBindDN "cn=Directory Manager"

    • AuthLDAPBindPassword auth_password

    For each combination of LDAP server, protection setup, and protect directive, code a Location container similar to the following example:

    <Location /ldapdir>
      AuthName "whatever_LDAP"
      AuthType Basic
      AuthBasicProvider ldap
      AuthLDAPURL ldap://9.27.163.182:389/o=abc.abc.com?cn?sub?
      Require valid-user
      AuthLDAPBindDN "cn=Directory Manager"
      AuthLDAPBindPassword d44radar
    </Location>

    For detailed descriptions of these directives, see http://publib.boulder.ibm.com/httpserv/manual70/mod/mod_authnz_ldap.html
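The AuthLDAPURL value in step 4 is easy to get subtly wrong (a misplaced `?`, an unsupported scope, a missing base DN), and httpd only reports the problem at startup. As an added example that is not part of the IBM documentation, the following Python script parses an AuthLDAPURL using the `ldap[s]://host[:port]/basedn?attribute?scope?filter` syntax from step 4 and then flags settings a reviewer would question before the Location container above goes into production. The defaults it fills in (port 389/636, attribute `uid`, scope `sub`, filter `(objectClass=*)`) are the ones documented for mod_authnz_ldap; the `ldap1.example.com`/`ldap2.example.com` hosts and the `ou=people,o=example` base DN in the docstring are constructed sample values.

```python
"""Added example, not from the IBM page: parse and lint an AuthLDAPURL value
before it goes into httpd.conf.

Grammar as documented for mod_authnz_ldap:
    ldap[s]://host[:port]/basedn?attribute?scope?filter
Module defaults assumed here: port 389 (ldap) or 636 (ldaps), attribute uid,
scope sub, filter (objectClass=*). Several redundant servers may be listed in
the host field separated by spaces, e.g. (constructed sample)
    ldaps://ldap1.example.com ldap2.example.com/ou=people,o=example?uid?sub?(objectClass=inetOrgPerson)
"""
from dataclasses import dataclass
from typing import List
from urllib.parse import unquote

DEFAULT_ATTRIBUTE = "uid"
DEFAULT_FILTER = "(objectClass=*)"


@dataclass
class AuthLdapUrl:
    secure: bool        # True for ldaps://
    servers: List[str]  # host:port, one entry per LDAP server
    basedn: str
    attribute: str
    scope: str
    filter: str


def _normalize_server(hostport: str, secure: bool) -> str:
    """Validate an explicit port, or attach the module's default port."""
    if ":" in hostport:
        host, port_s = hostport.rsplit(":", 1)
        if not port_s.isdigit() or not 1 <= int(port_s) <= 65535:
            raise ValueError(f"invalid port in {hostport!r}")
        return f"{host}:{int(port_s)}"
    return f"{hostport}:{636 if secure else 389}"


def parse_auth_ldap_url(url: str) -> AuthLdapUrl:
    """Split an AuthLDAPURL into its fields, applying mod_authnz_ldap defaults."""
    scheme, sep, rest = url.strip().partition("://")
    if not sep or scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError("AuthLDAPURL must start with ldap:// or ldaps://")
    secure = scheme.lower() == "ldaps"
    hosts, slash, path = rest.partition("/")
    if not slash:
        raise ValueError("missing '/basedn' after the host part")
    # An empty host part means localhost; several hosts are space separated.
    servers = [_normalize_server(h, secure) for h in (hosts.split() or ["localhost"])]
    fields = path.split("?")
    if len(fields) > 4:
        raise ValueError("at most four '?'-separated fields: basedn?attribute?scope?filter")
    fields += [""] * (4 - len(fields))
    basedn, attribute, scope, filt = (unquote(f) for f in fields)
    if not basedn:
        raise ValueError("basedn is required (for example o=abc.abc.com)")
    scope = (scope or "sub").lower()
    if scope not in ("one", "sub"):
        # RFC 2255 also allows 'base', but mod_authnz_ldap does not support it.
        raise ValueError(f"scope must be 'one' or 'sub', got {scope!r}")
    return AuthLdapUrl(secure, servers, basedn,
                       attribute or DEFAULT_ATTRIBUTE, scope, filt or DEFAULT_FILTER)


def lint_auth_ldap_url(url: str) -> List[str]:
    """Return the deployment warnings a reviewer would raise for this URL."""
    parsed = parse_auth_ldap_url(url)
    findings = []
    if not parsed.secure:
        findings.append("ldap:// is used: the bind DN, its password and every user's "
                        "password cross the network in clear text unless LDAPTrustedMode "
                        "TLS is configured; prefer ldaps://")
    if parsed.filter == DEFAULT_FILTER:
        findings.append("no filter given: any object under the base DN with a matching "
                        "attribute is a login candidate; restrict it to the user object "
                        "class, for example (objectClass=inetOrgPerson)")
    elif not (parsed.filter.startswith("(") and parsed.filter.endswith(")")):
        findings.append("filter must be a parenthesised LDAP search filter")
    return findings


if __name__ == "__main__":
    # The URL from the Location container example on this page.
    sample = "ldap://9.27.163.182:389/o=abc.abc.com?cn?sub?"
    print(parse_auth_ldap_url(sample))
    for warning in lint_auth_ldap_url(sample):
        print("WARNING:", warning)
```

Run against the page's own example URL, the script shows that the trailing `?` means the default filter `(objectClass=*)` is in effect and that the connection is plain `ldap://`; the same review would note that `cn=Directory Manager` is a directory administrator account and that a dedicated, read-only bind account with a password outside world-readable httpd.conf is the least-privilege choice.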

Related concepts

Lightweight Directory Access Protocol

SSL certificate revocation list


Related tasks

Converting your directives from mod_ibm_ldap to mod_ldap


Related information

AuthLDAPURL directive