Lightweight Directory Access Protocol (LDAP) directives
These configuration parameters control the Lightweight Directory Access Protocol (LDAP) feature in IBM HTTP Server.
Deprecated feature: If you are using the mod_ibm_ldap module for your LDAP configuration, consider migrating your mod_ibm_ldap directives to use the mod_ldap module. The mod_ibm_ldap module is provided with this release of IBM HTTP Server for compatibility with previous releases; however, you must migrate existing configurations to use the mod_authnz_ldap and mod_ldap modules to ensure future support for your LDAP configuration.
LdapCodepageDir directive
Codepages are now automatically installed in the IHS installation directory and are referenced
relative to the IHS installation directory, as opposed to the configured server root directory as in
previous versions.
LdapConfigFile directive
The LdapConfigFile directive indicates the name of the LDAP properties file associated with a group of LDAP parameters.
Directive | Description
Syntax | LdapConfigFile <Fully qualified path to configuration file>
Scope | Single instance per directory stanza
Default | c:\program files\ibm http server\conf\ldap.prop.sample
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | Fully qualified path to a single configuration file. Use this directive in the httpd.conf file.
LDAPRequire directive
The LDAPRequire directive is used to restrict access to a resource that is controlled by LDAP
authentication to a specified collection of users. It can either use groups that are defined in LDAP
by using the group type, or it can use an LDAP filter type to designate a collection of users with a
similar set of attribute values.
Name | Description
Syntax | LDAPRequire filter <filter name> or LDAPRequire group <group1 [group2 group3 ...]>
Scope | Single instance per directory stanza
Default | None
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | LDAPRequire filter (&(objectclass=person)(cn=*)(ou=IHS)(o=IBM)), or LDAPRequire group sample group. Use this directive in the httpd.conf file.
If the group type is used and multiple group values are specified, the group validation is a logical AND of the groups: a user must be a member of sample Group1 and sample Group2. If a logical OR of groups is required (for example, access for any user who is a member of sample Group1 or sample Group2), create a new LDAP group, our department group, on the LDAP server that has sample Group1 and sample Group2 as its members. You would then use the directive: LDAPRequire group our Department Group.
Ldap.application.authType directive
The Ldap.application.authType directive specifies the method for authenticating the Web server to
the LDAP server.
Name | Description
Syntax | ldap.application.authType=None
Scope | Single instance per directory stanza
Default | None
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values |
- None: If the LDAP server does not require the Web server to authenticate.
- Basic: Uses the distinguished name (DN) of the Web server as the user ID, and the password stored in the stash file as the password.
Ldap.application.DN directive
The Ldap.application.DN directive indicates the distinguished name (DN) of the Web server. Use
this name as the user name when accessing an LDAP server using basic authentication. Use the entry
specified in the LDAP server to access the directory server.
Name | Description
Syntax | ldap.application.DN=cn=ldapadm,ou=ihs test,o=IBM,c=US
Scope | Single instance per directory stanza
Default | None
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | Distinguished name
Ldap.application.password.stashFile directive
The Ldap.application.password.stashFile directive indicates the name of the stash file containing
the encrypted password for the application to authenticate to the LDAP server when Server
Authentication type is Basic.
Name | Description
Syntax | ldap.application.password.stashFile=c:\IHS\ldap.sth
Scope | Single instance per directory stanza
Default | None
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | Fully qualified path to the stash file. You can create this stash file with the ldapstash command.
Ldap.cache.timeout directive
The ldap.cache.timeout directive controls how long responses from the LDAP server are cached. If you configure the Web server to run as multiple processes, each process manages its own copy of the cache.
Name | Description
Syntax | ldap.cache.timeout=<secs>
Scope | Single instance per directory stanza
Default | 600
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | The maximum length of time, in seconds, a response returned from the LDAP server remains valid.
Ldap.group.attribute directive
The ldap.group.attribute directive indicates the filter used to determine, through an LDAP search, if a distinguished name (DN) is an actual group.
Name | Description
Syntax | ldap.group.attribute = <attribute>
Scope | Single instance per directory stanza
Default | uniquegroup
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | An LDAP attribute. See the ldap.prop.sample file for more information on the use of this directive.
Ldap.group.dnattribute directive
The ldap.group.dnattribute directive specifies the filter used to determine, through an LDAP search, if a distinguished name (DN) is an actual group.
Name | Description
Syntax | ldap.group.dnattribute = <ldap filter>
Scope | Single instance per directory stanza
Default | groupofnames groupofuniquenames
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | An LDAP filter. See the ldap.prop.sample file for more information on the use of this directive.
Ldap.group.memberattribute directive
The ldap.group.memberattribute directive specifies the attribute used to retrieve unique groups from an existing group.
Name | Description
Syntax | ldap.group.memberattribute = <ldap filter>
Scope | Single instance per directory stanza
Default | groupofnames groupofuniquenames
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | An LDAP filter. See the ldap.prop.sample file for more information on the use of this directive.
Ldap.group.memberAttributes directive
The ldap.group.memberAttributes directive serves as a means to extract group members once the function finds a group entry in an LDAP directory.
Name | Description
Syntax | ldap.group.memberAttributes= attribute [attribute2 ...]
Scope | Single instance per directory stanza
Default | member and uniquemember
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | Must equal the distinguished names of the group members. You can use more than one attribute to contain member information.
Ldap.group.name.filter directive
The ldap.group.name.filter directive indicates the filter LDAP uses to search for group names.
Name | Description
Syntax | ldap.group.name.filter = <group name filter>
Scope | Single instance per directory stanza
Default | (&(cn=%v1) (|(objectclass=groupOfNames) (objectclass=groupOfUniqueNames))
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | An LDAP filter.
Ldap.group.search.depth directive
The ldap.group.search.depth directive controls how deeply subgroups are searched when you specify LDAPRequire group <group> directives. Groups can contain both individual members and other groups.
Name | Description
Syntax | ldap.group.search.depth = <integer depth>
Scope | Single instance per directory stanza
Default | 1
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | An integer. When searching for a group, if the member being authenticated is not a direct member of the required group, any subgroups of the required group are also searched. For example:
  group1 > group2 (group2 is a member of group1)
  group2 > group3 (group3 is a member of group2)
  group3 > jane (jane is a member of group3)
If you search for jane and require her to be a member of group1, the search fails with the default ldap.group.search.depth value of 1. If you specify an ldap.group.search.depth value greater than 2, the search succeeds. Use ldap.group.search.depth=<depth to search -- number> to limit the depth of subgroup searches; this type of search can become very intensive on an LDAP server. Where group1 has group2 as a member and group2 has group1 as a member, this directive limits the depth of the search. In the previous example, group1 has a depth of 1, group2 has a depth of 2 and group3 has a depth of 3.
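As an added example (not IBM's code, and not a description of how mod_ibm_ldap is implemented internally), the following Python models the two rules stated in the LDAPRequire and ldap.group.search.depth sections above: the groups listed on an LDAPRequire group directive are ANDed, and subgroups are followed only to the configured depth, with a visited set so the mutual group1/group2 membership the page warns about cannot loop. The in-memory directory and its DNs are constructed for the example.

```python
"""Added example (not IBM's code): LDAPRequire group AND semantics and
ldap.group.search.depth bounded subgroup search over a constructed directory."""
from typing import Dict, List, Set

# Constructed sample directory: group DN -> member DNs (users or other groups).
# Mirrors the page's example chain group1 > group2 > group3 > jane, plus a
# deliberate group3 -> group1 back-edge to exercise the cycle guard.
GROUPS: Dict[str, List[str]] = {
    "cn=group1,ou=groups,o=example": ["cn=group2,ou=groups,o=example"],
    "cn=group2,ou=groups,o=example": ["cn=group3,ou=groups,o=example"],
    "cn=group3,ou=groups,o=example": ["cn=jane,ou=people,o=example",
                                      "cn=group1,ou=groups,o=example"],
    "cn=admins,ou=groups,o=example": ["cn=jane,ou=people,o=example"],
}


def is_member(user_dn: str, group_dn: str, search_depth: int = 1,
              groups: Dict[str, List[str]] = GROUPS) -> bool:
    """True if user_dn is reachable from group_dn within search_depth levels.

    Depth 1 means direct members only (the page's default). Subgroups are
    expanded one level per iteration; the visited set stops the
    group1 <-> group2 style cycle and the depth bound caps server load."""
    frontier = [group_dn]
    visited: Set[str] = set()
    for _level in range(search_depth):
        next_frontier: List[str] = []
        for g in frontier:
            if g in visited:
                continue
            visited.add(g)
            for member in groups.get(g, []):
                if member == user_dn:
                    return True
                if member in groups:          # a subgroup: descend next level
                    next_frontier.append(member)
        if not next_frontier:
            break
        frontier = next_frontier
    return False


def ldap_require_group(user_dn: str, required_groups: List[str],
                       search_depth: int = 1) -> bool:
    """LDAPRequire group g1 [g2 ...]: the user must be a member of ALL groups."""
    return all(is_member(user_dn, g, search_depth) for g in required_groups)


if __name__ == "__main__":
    jane = "cn=jane,ou=people,o=example"
    for depth in (1, 2, 3):
        print("depth", depth, "jane in group1:",
              is_member(jane, "cn=group1,ou=groups,o=example", depth))
```

Running the block prints False for depths 1 and 2 and True for depth 3, matching the page's statement that jane is found in group1 only when the depth exceeds 2.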
Ldap.group.URL directive
The ldap.group.URL directive specifies a different location for a group on the same LDAP server. You cannot use this directive to specify a different LDAP server from that specified in the ldap.URL directive.
Name | Description
Syntax | ldap.group.URL = ldap://<hostname:port>/<BaseDN>
Scope | Single instance per directory stanza
Default | None
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values |
- host name: Host name of the LDAP server.
- port number: Optional port number on which the LDAP server listens. The default for TCP connections is 389. If you use SSL, you must specify the port number.
- BaseDN: Provides the root of the LDAP tree in which to perform the search for groups.
Attention: This property becomes required if the LDAP URL for groups differs from the URL specified by the ldap.URL property.
Ldap.idleConnection.timeout directive
The ldap.idleConnection.timeout directive controls how long an idle connection to the LDAP server is kept open; connections are cached for performance.
Name | Description
Syntax | ldap.idleConnection.timeout = <secs>
Scope | Single instance per directory stanza
Default | 600
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | Length of time, in seconds, before an idle LDAP server connection closes due to inactivity.
Ldap.key.file.password.stashfile directive
The ldap.key.file.password.stashfile directive indicates the stash file containing the encrypted
keyfile password; use the ldapstash command to create this stash file.
Name | Description
Syntax | ldap.key.file.password.stashfile=d:\<Key password file name>
Scope | Single instance per directory stanza
Default | None
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | Fully qualified path to the stash file.
Ldap.key.fileName directive
The ldap.key.fileName directive indicates the file name of the key file database. This option
becomes required when you use Secure Sockets Layer (SSL).
Name | Description
Syntax | ldap.key.fileName=d:\<Key file name>
Scope | Single instance per directory stanza
Default | None
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | Fully qualified path to the key file.
Ldap.key.label directive
The ldap.key.label directive indicates the certificate label name the Web server uses to authenticate to the LDAP server.
Name | Description
Syntax | ldap.key.label=My Server Certificate
Scope | Single instance per directory stanza
Default | None
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | A valid label used in the key database file. This label becomes required only when using Secure Sockets Layer (SSL) and the LDAP server requests client authentication from the Web server.
LdapReferralHopLimit directive
The LdapReferralHopLimit directive indicates the maximum number of referrals to follow. LDAP authentication fails if the specified limit is exceeded.
Name | Description
Syntax | LdapReferralHopLimit = <number_of_hops>
Scope | Single instance per directory stanza
Default | 10
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | 0 to 10
Set the LdapReferrals directive to on to use the LdapReferralHopLimit directive.
Important: An LdapReferralHopLimit value of 0 causes authentication to fail if any referrals are encountered.
The LdapReferralHopLimit directive is not meaningful when the LdapReferrals directive is off (the default).
LdapReferrals directive
The LdapReferrals directive indicates whether referrals (which redirect a client request to
another LDAP server) will be chased for searches while performing LDAP queries.
Name | Description
Syntax | LdapReferrals = off | on
Scope | Single instance per directory stanza
Default | off
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | On or off
Ldap.realm directive
The ldap.realm directive indicates the name of the protected area (the realm), as seen by the requesting client.
Name | Description
Syntax | ldap.realm=<Protection Realm>
Scope | Single instance per directory stanza
Default | None
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | A description of the protected page.
Ldap.search.timeout directive
The ldap.search.timeout directive indicates the maximum time, in seconds, to wait for an LDAP
server to complete a search operation.
Name | Description
Syntax | ldap.search.timeout = <secs>
Scope | Single instance per directory stanza
Default | 10
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | Length of time, in seconds.
Ldap.transport directive
The ldap.transport directive indicates the transport method used to communicate with the LDAP
server.
Name | Description
Syntax | ldap.transport = TCP
Scope | Single instance per directory stanza
Default | TCP
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | TCP or SSL
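As an added example (not IBM's code), the following Python parses an ldap.prop-style properties text and checks the dependencies stated in the sections above: ldap.transport=SSL requires an explicit port in the LDAP URL (the page states this rule for ldap.group.URL; the example applies it to ldap.url as well) and an ldap.key.fileName; ldap.application.authType=Basic requires ldap.application.DN and ldap.application.password.stashFile; LdapReferralHopLimit has no effect while LdapReferrals is off and fails every referral at 0. Both property sets, the host name and the file paths are constructed for the example, with a weak configuration beside its corrected form.

```python
"""Added example, not IBM's code: a consistency check over mod_ibm_ldap
properties. The dependency rules come from this page; the sample property
sets, host names and file paths are constructed."""
from typing import Dict, List
from urllib.parse import urlparse

# Constructed "before" configuration: SSL without a port or key database,
# Basic application auth without a stash file, a hop limit with referrals off.
WEAK_PROPS = """
ldap.url=ldap://ldap.example.test/o=Example
ldap.transport=SSL
ldap.application.authType=Basic
ldap.application.DN=cn=webserver,ou=apps,o=Example
ldap.realm=Intranet
LdapReferralHopLimit=0
"""

# Constructed "after" configuration with the dependencies satisfied.
FIXED_PROPS = """
ldap.url=ldap://ldap.example.test:636/o=Example
ldap.transport=SSL
ldap.key.fileName=/path/to/ldapkey.kdb
ldap.key.file.password.stashfile=/path/to/ldapkey.sth
ldap.application.authType=Basic
ldap.application.DN=cn=webserver,ou=apps,o=Example
ldap.application.password.stashFile=/path/to/ldap.sth
ldap.realm=Intranet
LdapReferrals=on
LdapReferralHopLimit=3
"""


def parse_props(text: str) -> Dict[str, str]:
    """key=value lines; keys are lower-cased because the page writes the
    same directive both as Ldap.url and as ldap.url."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip().lower()] = value.strip()
    return props


def check_props(props: Dict[str, str]) -> List[str]:
    """Return findings for the directive combinations the page calls out."""
    findings: List[str] = []
    transport = props.get("ldap.transport", "TCP").upper()
    if transport == "SSL":
        # The page states the explicit-port rule for ldap.group.URL; applying
        # it to ldap.url too is this example's assumption.
        for key in ("ldap.url", "ldap.group.url"):
            if key in props and urlparse(props[key]).port is None:
                findings.append(key + " must carry an explicit port when ldap.transport=SSL")
        if "ldap.key.filename" not in props:
            findings.append("ldap.transport=SSL requires ldap.key.fileName")
    if props.get("ldap.application.authtype", "None").lower() == "basic":
        for key in ("ldap.application.dn", "ldap.application.password.stashfile"):
            if key not in props:
                findings.append("ldap.application.authType=Basic requires " + key)
    if "ldapreferralhoplimit" in props:
        hops = int(props["ldapreferralhoplimit"])
        referrals_on = props.get("ldapreferrals", "off").lower() == "on"
        if not 0 <= hops <= 10:
            findings.append("LdapReferralHopLimit must be between 0 and 10")
        elif not referrals_on:
            findings.append("LdapReferralHopLimit has no effect while LdapReferrals is off")
        elif hops == 0:
            findings.append("LdapReferralHopLimit=0 fails authentication on any referral")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_PROPS), ("fixed", FIXED_PROPS)):
        print(name, check_props(parse_props(text)) or ["ok"])
```

The weak configuration yields four findings (missing port, missing key file, missing application stash file, and an ineffective hop limit); the corrected configuration yields none.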
Ldap.url directive
The ldap.url directive indicates the URL of the LDAP server to authenticate against.
Name | Description
Syntax | ldap.url = ldap://<hostname:port>/<BaseDN>
Scope | Single instance per directory stanza
Default | None
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Ldap.user.authType directive
The ldap.user.authType directive indicates the method for authenticating the user who requests a Web server resource.
Name | Description
Syntax | ldap.user.authType = BasicIfNoCert
Scope | Single instance per directory stanza
Default | Basic
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | Basic, Cert, BasicIfNoCert
Ldap.user.cert.filter directive
The ldap.user.cert.filter directive indicates the filter used to convert the information in the client certificate passed over Secure Sockets Layer (SSL) into a search filter for an LDAP entry.
Name | Description
Syntax | ldap.user.cert.filter=(&(objectclass=person)(cn=%v1))
Scope | Single instance per directory stanza
Default | (&(objectclass=person) (cn=%v1, ou=%v2, o=%v3,c=%v4))
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | An LDAP filter.
Secure Sockets Layer (SSL) certificates include the following fields, all of which you can convert to a search filter:
Certificate field | Variable
common name | %v1
organizational unit | %v2
organization | %v3
country | %v4
locality | %v5
state or province | %v6
serial number | %v7
When you generate the search filter, the field values are taken from the matching variable fields (%v1, %v2, and so on). The following table shows the conversion:
User certificate | Filter conversion
Certificate | cn=Road Runner, o=Acme Inc, c=US
Filter | (cn=%v1, o=%v3, c=%v4)
Resulting query | (cn=Road Runner, o=Acme Inc, c=US)
Ldap.user.name.fieldSep directive
The ldap.user.name.fieldSep directive indicates the characters that are valid field separators when parsing the user name into fields.
Name | Description
Syntax | ldap.user.name.fieldSep=/
Scope | Single instance per directory stanza
Default | The space, comma, and tab (\t) characters.
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | Characters. If '/' is the only field separator character and the user enters Joe Smith/Acme, then '%v2' equals Acme.
Ldap.user.name.filter directive
The ldap.user.name.filter directive indicates the filter used to convert the user name entered into a search filter for an LDAP entry.
Name | Description
Syntax | ldap.user.name.filter=<user name filter>
Scope | Single instance per directory stanza
Default | The (&(objectclass=person)(cn=%v1 %v2)) string, where the %v1 variable and the %v2 variable represent the characters entered by the user. For example, if the user enters Paul Kelsey, the result is the (&(objectclass=person)(cn=Paul Kelsey)) search filter. However, because the web server cannot differentiate among multiple returned entries, authentication fails when the LDAP server returns more than one entry. For example, if you configure ldap.user.name.filter=(&(objectclass=person)(cn=%v1* %v2*)) and the user enters Pa Kel, the result is the (cn=Pa* Kel*) search filter. The filter finds multiple entries such as (cn=Paul Kelsey) and (cn=Paula Kelly), and authentication fails. You must modify your search filter.
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | An LDAP filter.
Ldap.version directive
The ldap.version directive indicates the version of the LDAP protocol used to connect to the LDAP server. The protocol version used by the LDAP server determines the LDAP version.
Attention: This directive is optional.
Name | Description
Syntax | ldap.version=3
Scope | Single instance per directory stanza
Default | ldap.version=3
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | 2 or 3
Ldap.waitToRetryConnection.interval directive
The ldap.waitToRetryConnection.interval directive indicates the time the Web server waits between
failed attempts to connect.
If an LDAP server goes down, the Web server continues to try to connect.
Name | Description
Syntax | ldap.waitToRetryConnection.interval=<secs>
Scope | Single instance per directory stanza
Default | 300
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | Time (in seconds)