These configuration parameters control the Lightweight Directory Access Protocol (LDAP) feature in IHS.
Deprecated feature: If you are using the mod_ibm_ldap module for your LDAP configuration, consider migrating your mod_ibm_ldap directives to use the mod_ldap module. The mod_ibm_ldap module is provided with this release of IBM HTTP Server for compatibility with previous releases; however, migrate existing configurations to use the mod_authnz_ldap and mod_ldap modules to ensure future support for your LDAP configuration.
LdapCodepageDir directive
Codepages are now automatically installed in the IHS installation and are referenced relative to the IHS installation directory, as opposed to the configured server root as in previous versions.
LdapConfigFile directive
The LdapConfigFile directive indicates the name of the LDAP properties file associated with a group of LDAP parameters.
Syntax | LdapConfigFile <Fully qualified path to configuration file>
Scope | Single instance per stanza
Default | c:\program files\ibm http server\conf\ldap.prop.sample
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | Fully qualified path to a single configuration file. Use this directive in the httpd.conf file.
LDAPRequire directive
The LDAPRequire directive restricts access to a resource that is controlled by LDAP authentication to a specified collection of users. It can either use groups defined in LDAP (the group type) or use an LDAP filter (the filter type) to designate a collection of users with a similar set of attribute values.
Syntax | LDAPRequire filter <filter name> or LDAPRequire group <group1 [group2 group3 ...]>
Scope | Single instance per stanza
Default | None
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | LDAPRequire filter "(&(objectclass=person)(cn=*)(ou=IHS)(o=IBM))", or LDAPRequire group "sample group". Use this directive in the httpd.conf file.
If the group type is used and multiple group values are specified, the group validation is a logical AND of the groups: a user must be a member of sample Group1 and sample Group2. If a logical OR of groups is required, for example if a user who is a member of either sample Group1 or sample Group2 should be admitted, create a new LDAP group, our department group, on the LDAP server that has sample Group1 and sample Group2 as its members. You would then use the directive: LDAPRequire group "our Department Group".
Ldap.application.authType directive
The ldap.application.authType directive specifies the method for authenticating the Web server to the LDAP server.
Syntax | ldap.application.authType=None
Scope | Single instance per stanza
Default | None
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values |
- None: The LDAP server does not require the Web server to authenticate.
- Basic: Uses the distinguished name (DN) of the Web server as the user ID, and the password stored in the stash file as the password.
Ldap.application.DN directive
The ldap.application.DN directive indicates the distinguished name (DN) of the Web server. This name is used as the user name when accessing an LDAP server using basic authentication. The entry specified must exist in the LDAP server for the Web server to access it.
Syntax | ldap.application.DN=cn=ldapadm,ou=ihs test,o=IBM,c=US
Scope | Single instance per stanza
Default | None
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | Distinguished name
Ldap.application.password.stashFile directive
The ldap.application.password.stashFile directive indicates the name of the stash file containing the encrypted password the application uses to authenticate to the LDAP server when the server authentication type (ldap.application.authType) is Basic.
Syntax | ldap.application.password.stashFile=c:\IHS\ldap.sth
Scope | Single instance per stanza
Default | None
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | Fully qualified path to the stash file. You can create this stash file with the ldapstash command.
Ldap.cache.timeout directive
The ldap.cache.timeout directive controls how long responses from the LDAP server are cached. If you configure the Web server to run as multiple processes, each process manages its own copy of the cache.
Syntax | ldap.cache.timeout=<secs>
Scope | Single instance per stanza
Default | 600
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | The maximum length of time, in seconds, that a response returned from the LDAP server remains valid.
Ldap.group.attribute directive
The ldap.group.attribute directive indicates the filter used to determine, through an LDAP search, whether a distinguished name (DN) is an actual group.
Syntax | ldap.group.attribute = <attribute>
Scope | Single instance per stanza
Default | uniquegroup
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | An LDAP attribute. See the ldap.prop.sample file for more information on the use of this directive.
Ldap.group.dnattribute directive
The ldap.group.dnattribute directive specifies the filter used to determine, through an LDAP search, whether a distinguished name (DN) is an actual group.
Syntax | ldap.group.dnattribute = <ldap filter>
Scope | Single instance per stanza
Default | groupofnames groupofuniquenames
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | An LDAP filter. See the ldap.prop.sample file for more information on the use of this directive.
Ldap.group.memberattribute directive
The ldap.group.memberattribute directive specifies the attribute used to retrieve unique groups from an existing group.
Syntax | ldap.group.memberattribute = <ldap filter>
Scope | Single instance per stanza
Default | groupofnames groupofuniquenames
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | An LDAP filter. See the ldap.prop.sample file for more information on the use of this directive.
Ldap.group.memberAttributes directive
The ldap.group.memberAttributes directive names the attributes used to extract group members once a group entry has been found in LDAP.
Syntax | ldap.group.memberAttributes= attribute [attribute2 ...]
Scope | Single instance per stanza
Default | member and uniquemember
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | The attribute values must be the distinguished names of the group members. You can use more than one attribute to contain member information.
Ldap.group.name.filter directive
The ldap.group.name.filter directive indicates the filter LDAP uses to search for group names.
Syntax | ldap.group.name.filter = <group name filter>
Scope | Single instance per stanza
Default | (&(cn=%v1) (|(objectclass=groupOfNames) (objectclass=groupOfUniqueNames))
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | An LDAP filter. See Querying the LDAP server using LDAP search filters.
Ldap.group.search.depth directive
The ldap.group.search.depth directive controls how deeply subgroups are searched when LDAPRequire group <group> directives are specified. Groups can contain both individual members and other groups.
Syntax | ldap.group.search.depth = <integer depth>
Scope | Single instance per stanza
Default | 1
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | An integer. When searching a group, if the member being authenticated is not a direct member of the required group, any subgroups of the required group are also searched. For example:
group1 > group2 (group2 is a member of group1)
group2 > group3 (group3 is a member of group2)
group3 > jane (jane is a member of group3)
If you search for jane and require her as a member of group1, the search fails with the default ldap.group.search.depth value of 1. If you specify an ldap.group.search.depth greater than 2, the search succeeds.
Use ldap.group.search.depth=<depth to search -- number> to limit the depth of subgroup searches. This type of search can become very intensive on an LDAP server. Where group1 has group2 as a member, and group2 has group1 as a member, this directive limits the depth of the search. In the previous example, group1 has a depth of 1, group2 has a depth of 2 and group3 has a depth of 3.
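The two rules above, logical AND across the groups listed on one LDAPRequire group line and a subgroup search bounded by ldap.group.search.depth, are easy to get wrong when nested groups and cyclic memberships are involved. The following Python model is an added example written for this page, not code from IBM HTTP Server or mod_ibm_ldap. It assumes an in-memory stand-in for the directory (a constructed sample, mirroring the group1 > group2 > group3 > jane chain from the text plus a deliberate loopA <-> loopB cycle) and the default member attributes "member" and "uniquemember"; the function and variable names are the example's own.

```python
"""Model of LDAPRequire group semantics with a depth-bounded subgroup search.

Depth 1 looks only at the required group's own member list, depth 2 also
looks inside its subgroups, and so on, matching the page's description of
ldap.group.search.depth. Constructed example; not mod_ibm_ldap code.
"""

# Constructed sample directory: group DN -> its member attributes.
DIRECTORY = {
    "cn=group1,ou=IHS,o=IBM": {"member": ["cn=group2,ou=IHS,o=IBM"]},
    "cn=group2,ou=IHS,o=IBM": {"uniquemember": ["cn=group3,ou=IHS,o=IBM",
                                                "cn=bob,ou=IHS,o=IBM"]},
    "cn=group3,ou=IHS,o=IBM": {"member": ["cn=jane,ou=IHS,o=IBM"]},
    # The OR workaround from the LDAPRequire section: a parent group that
    # contains the alternative groups as members.
    "cn=our department group,ou=IHS,o=IBM": {
        "member": ["cn=group1,ou=IHS,o=IBM", "cn=group2,ou=IHS,o=IBM"]},
    # A membership cycle, which a bounded search must not loop on.
    "cn=loopA,ou=IHS,o=IBM": {"member": ["cn=loopB,ou=IHS,o=IBM"]},
    "cn=loopB,ou=IHS,o=IBM": {"member": ["cn=loopA,ou=IHS,o=IBM"]},
    "cn=jane,ou=IHS,o=IBM": {"objectclass": ["person"]},
    "cn=bob,ou=IHS,o=IBM": {"objectclass": ["person"]},
}

# The page's default ldap.group.memberAttributes.
MEMBER_ATTRIBUTES = ("member", "uniquemember")


def is_group(dn, directory=DIRECTORY):
    """A DN counts as a group when its entry carries a member attribute."""
    entry = directory.get(dn, {})
    return any(attr in entry for attr in MEMBER_ATTRIBUTES)


def members_of(group_dn, directory=DIRECTORY):
    """Collect member DNs across all configured member attributes."""
    entry = directory.get(group_dn, {})
    members = []
    for attr in MEMBER_ATTRIBUTES:
        members.extend(entry.get(attr, []))
    return members


def is_member(user_dn, group_dn, search_depth=1, directory=DIRECTORY, _path=()):
    """True when user_dn is found within search_depth levels below group_dn.

    _path holds the groups on the current descent so that group1 -> group2 ->
    group1 cycles are cut off even before the depth budget runs out."""
    if search_depth < 1 or group_dn in _path:
        return False
    members = members_of(group_dn, directory)
    if user_dn in members:
        return True
    return any(
        is_group(member, directory)
        and is_member(user_dn, member, search_depth - 1, directory, _path + (group_dn,))
        for member in members
    )


def ldap_require_group(user_dn, required_groups, search_depth=1, directory=DIRECTORY):
    """LDAPRequire group g1 g2 ...: logical AND, every listed group must match."""
    return all(is_member(user_dn, group, search_depth, directory)
               for group in required_groups)


if __name__ == "__main__":
    jane = "cn=jane,ou=IHS,o=IBM"
    for depth in (1, 2, 3):
        print("jane in group1 at depth", depth,
              is_member(jane, "cn=group1,ou=IHS,o=IBM", depth))
```

In this model the OR workaround (a parent group whose members are the alternative groups) only admits a user who is a direct member of one of the alternatives when the search depth is at least 2, because depth 1 inspects only the parent group's own member list; check the depth setting together with the group layout when the workaround does not behave as expected.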
Ldap.group.URL directive
The ldap.group.URL directive specifies a different location for a group on the same LDAP server. You cannot use this directive to specify a different LDAP server from that specified in the ldap.URL directive.
Syntax | ldap.group.URL = ldap://<hostname:port>/<BaseDN>
Scope | Single instance per stanza
Default | None
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values |
- host name: Host name of the LDAP server.
- port number: Optional port number on which the LDAP server listens. The default for TCP connections is 389. If you use SSL, specify the port number.
- BaseDN: Provides the root of the LDAP tree in which to perform the search for groups.
Attention: This property becomes required if the LDAP URL for groups differs from the URL specified by the ldap.URL property.
Ldap.idleConnection.timeout directive
The ldap.idleConnection.timeout directive controls how long connections to the LDAP server are cached for performance.
Syntax | ldap.idleConnection.timeout = <secs>
Scope | Single instance per stanza
Default | 600
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | Length of time, in seconds, before an idle LDAP server connection closes due to inactivity.
Ldap.key.file.password.stashfile directive
The ldap.key.file.password.stashfile directive indicates the stash file containing the encrypted key file password; use the ldapstash command to create this stash file.
Syntax | ldap.key.file.password.stashfile=d:\<Key password file name>
Scope | Single instance per stanza
Default | None
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | Fully qualified path to the stash file.
Ldap.key.fileName directive
The ldap.key.fileName directive indicates the file name of the key file database. This option becomes required when you use Secure Sockets Layer (SSL).
Syntax | ldap.key.fileName=d:\<Key file name>
Scope | Single instance per stanza
Default | None
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | Fully qualified path to the key file.
Ldap.key.label directive
The ldap.key.label directive indicates the label of the certificate the Web server uses to authenticate to the LDAP server.
Syntax | ldap.key.label=My Server Certificate
Scope | Single instance per stanza
Default | None
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | A valid label used in the key database file. This label becomes required only when using Secure Sockets Layer (SSL) and the LDAP server requests client authentication from the Web server.
LdapReferralHopLimit directive
The LdapReferralHopLimit directive indicates the maximum number of referrals to follow. LDAP authentication fails if the specified limit is exceeded.
Syntax | LdapReferralHopLimit = <number_of_hops>
Scope | Single instance per stanza
Default | 10
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | 0 to 10
Set the LdapReferrals directive to on to use the LdapReferralHopLimit directive. An LdapReferralHopLimit value of 0 causes authentication to fail if any referrals are encountered. The LdapReferralHopLimit directive is not meaningful when the LdapReferrals directive is off (the default).
LdapReferrals directive
The LdapReferrals directive indicates whether referrals (which redirect a client request to another LDAP server) are chased for searches while performing LDAP queries.
Syntax | LdapReferrals = off | on
Scope | Single instance per stanza
Default | off
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | On or off
Ldap.realm directive
The ldap.realm directive indicates the name of the protected area, as seen by the requesting client.
Syntax | ldap.realm=<Protection Realm>
Scope | Single instance per stanza
Default | None
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | A description of the protected page.
Ldap.search.timeout directive
The ldap.search.timeout directive indicates the maximum time, in seconds, to wait for an LDAP server to complete a search operation.
Syntax | ldap.search.timeout = <secs>
Scope | Single instance per stanza
Default | 10
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | Length of time, in seconds.
Ldap.transport directive
The ldap.transport directive indicates the transport method used to communicate with the LDAP server.
Syntax | ldap.transport = TCP
Scope | Single instance per stanza
Default | TCP
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | TCP or SSL
Ldap.url directive
The ldap.url directive indicates the URL of the LDAP server to authenticate against.
Syntax | ldap.url = ldap://<hostname:port>/<BaseDN>
Scope | Single instance per stanza
Default | None
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | Host name, optional port number and BaseDN, with the same meaning as described for the ldap.group.URL directive.
Ldap.user.authType directive
The ldap.user.authType directive indicates the method for authenticating the user requesting a resource from the Web server.
Syntax | ldap.user.authType = BasicIfNoCert
Scope | Single instance per stanza
Default | Basic
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | Basic, Cert, BasicIfNoCert
Ldap.user.cert.filter directive
The ldap.user.cert.filter directive indicates the filter used to convert the information in the client certificate passed over Secure Sockets Layer (SSL) into a search filter for an LDAP entry.
Syntax | ldap.user.cert.filter=(&(objectclass=person)(cn=%v1))
Scope | Single instance per stanza
Default | "(&(objectclass=person) (cn=%v1, ou=%v2, o=%v3,c=%v4))"
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | An LDAP filter. See Querying the LDAP server using LDAP search filters.
Secure Sockets Layer (SSL) certificates include the following fields, all of which you can convert to a search filter:
Certificate field | Variable
common name | %v1
organizational unit | %v2
organization | %v3
country | %v4
locality | %v5
state or country | %v6
serial number | %v7
When you generate the search filter, the field values are found in the matching variable fields (%v1, %v2, ...). The following table shows the conversion:
User certificate | Filter conversion
Certificate | cn=Road Runner, o=Acme Inc, c=US
Filter | (cn=%v1, o=%v3, c=%v4)
Resulting query | (cn=RoadRunner, o=Acme, Inc, c=US)
Ldap.user.name.fieldSep directive
The ldap.user.name.fieldSep directive indicates which characters are valid field separators when parsing the user name into fields.
Syntax | ldap.user.name.fieldSep=/
Scope | Single instance per stanza
Default | The space, comma, and tab (\t) characters.
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | Characters. If '/' is the only field separator character and the user enters "Joe Smith/Acme", then '%v2' equals "Acme".
Ldap.user.name.filter directive
The ldap.user.name.filter directive indicates the filter used to convert the user name entered into a search filter for an LDAP entry.
Syntax | ldap.user.name.filter=<user name filter>
Scope | Single instance per stanza
Default | "((objectclass=person) (cn=%v1 %v2))", where %v1 and %v2 represent the fields entered by the user.
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | An LDAP filter. See Querying the LDAP server using LDAP search filters.
For example, if the user enters "Paul Kelsey", the resulting search filter becomes "((objectclass=person)(cn=Paul Kelsey))". Search filter syntax is described in Querying the LDAP server using LDAP search filters.
However, because the Web server cannot differentiate between multiple returned entries, authentication fails when the LDAP server returns more than one entry. For example, if you set ldap.user.name.filter="((objectclass=person)(cn=%v1* %v2*))" and the user enters Pa Kel, the resulting search filter becomes "(cn=Pa* Kel*)". The filter finds multiple entries such as (cn=Paul Kelsey) and (cn=Paula Kelly), and authentication fails. You must then modify your search filter.
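The certificate-to-filter conversion table, the ldap.user.name.fieldSep splitting rule and the ldap.user.name.filter substitution above all describe the same mechanism: fill %v1..%v7 placeholders from either certificate subject fields or the typed user name, then accept the result only if the search returns exactly one entry. The Python below is an added example written for this page, not mod_ibm_ldap code; it assumes the variable mapping and default separators quoted on the page, uses its own function names, and additionally escapes substituted values per RFC 4515 before they enter the filter (the page does not state how mod_ibm_ldap treats filter metacharacters in user input, so that escaping is this example's own defensive choice).

```python
"""Build mod_ibm_ldap-style search filters from a certificate subject or a
user name by substituting %v1..%v7, and apply the one-entry rule.
Constructed example; not code from IBM HTTP Server."""
import re

# Certificate field -> variable, as laid out in the page's table.
CERT_VARIABLES = {
    "cn": "%v1", "ou": "%v2", "o": "%v3", "c": "%v4",
    "l": "%v5", "st": "%v6", "serialnumber": "%v7",
}

DEFAULT_FIELD_SEP = " ,\t"          # page default: space, comma, tab


def escape_filter_value(value):
    """Escape RFC 4515 metacharacters so a value cannot alter filter structure."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def parse_subject(subject):
    """Parse 'cn=Road Runner, o=Acme Inc, c=US' into {'cn': 'Road Runner', ...}."""
    fields = {}
    for rdn in subject.split(","):
        key, _, val = rdn.partition("=")
        fields[key.strip().lower()] = val.strip()
    return fields


def substitute(template, values):
    """Replace %v1..%v7 in the template; variables without a value become empty."""
    return re.sub(r"%v[1-7]",
                  lambda m: escape_filter_value(values.get(m.group(0), "")),
                  template)


def cert_filter(template, subject):
    """ldap.user.cert.filter: fill the template from the certificate subject."""
    fields = parse_subject(subject)
    values = {var: fields.get(field, "") for field, var in CERT_VARIABLES.items()}
    return substitute(template, values)


def split_user_name(name, field_sep=DEFAULT_FIELD_SEP):
    """ldap.user.name.fieldSep: split the typed name into %v1, %v2, ... at any separator."""
    parts = [p for p in re.split("[" + re.escape(field_sep) + "]+", name) if p]
    return {"%%v%d" % (i + 1): p for i, p in enumerate(parts)}


def user_name_filter(template, name, field_sep=DEFAULT_FIELD_SEP):
    """ldap.user.name.filter: fill the template from the typed user name."""
    return substitute(template, split_user_name(name, field_sep))


def select_unique_entry(entries):
    """The page's rule: authentication succeeds only when exactly one entry matches."""
    return entries[0] if len(entries) == 1 else None


if __name__ == "__main__":
    print(cert_filter("(cn=%v1, o=%v3, c=%v4)", "cn=Road Runner, o=Acme Inc, c=US"))
    print(user_name_filter("((objectclass=person) (cn=%v1 %v2))", "Paul Kelsey"))
    print(select_unique_entry(["cn=Paul Kelsey", "cn=Paula Kelly"]))
```

Running the block reproduces the page's Road Runner and Paul Kelsey conversions; the Pa Kel wildcard case is covered by select_unique_entry returning None when two entries come back, which is where the page says authentication fails.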
Ldap.version directive
The ldap.version directive indicates the version of the LDAP protocol used to connect to the LDAP server. The protocol version used by the LDAP server determines the LDAP version.
Attention: This directive is optional.
Syntax | ldap.version=3
Scope | Single instance per stanza
Default | ldap.version=3
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | 2 or 3
Ldap.waitToRetryConnection.interval directive
The ldap.waitToRetryConnection.interval directive indicates the time the Web server waits between failed attempts to connect. If an LDAP server goes down, the Web server continues to try to connect.
Syntax | ldap.waitToRetryConnection.interval=<secs>
Scope | Single instance per stanza
Default | 300
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | Time (in seconds)
Related tasks
Authenticate with LDAP on IHS using mod_ibm_ldap (Distributed systems)
Related reference
z/OS: mod_ibm_ldap directives migration