These configuration parameters control the Lightweight Directory Access Protocol (LDAP) feature in IBM® HTTP Server.
Codepages are now automatically installed in the IHS installation directory and are referenced relative to the IHS installation directory, as opposed to the configured server root directory as in previous versions.
Syntax | LdapConfigFile <Fully qualified path to configuration file> |
Scope | Single instance per directory stanza |
Default | c:\program files\ibm http server\conf\ldap.prop.sample |
Module | mod_ibm_ldap |
Multiple instances in the configuration file | yes |
Values | Fully qualified path to a single configuration file. Use this directive in the httpd.conf file. |
Syntax | LDAPRequire filter <filter name> or LDAPRequire group <group1 [group2.group3....]> |
Scope | Single instance per directory stanza |
Default | None |
Module | mod_ibm_ldap |
Multiple instances in the configuration file | yes |
Values | LDAPRequire filter "(&(objectclass=person)(cn=*)(ou=IHS)(o=IBM))" or LDAPRequire group "sample group". Use this directive in the httpd.conf file. |
If the group type is used and multiple group values are specified, the group validation is a logical AND of the groups: a user must be a member of sample Group1 and sample Group2. If a logical OR of groups is required (for example, the user may be a member of either sample Group1 or sample Group2), create a new LDAP group on the LDAP server, such as our Department Group, that has sample Group1 and sample Group2 as its members. You would then use the directive: LDAPRequire group "our Department Group".
Syntax | ldap.application.authType=None |
Scope | Single instance per directory stanza |
Default | None |
Module | mod_ibm_ldap |
Multiple instances in the configuration file | yes |
Values | |
Syntax | ldap.application.DN=cn=ldapadm,ou=ihs test,o=IBM,c=US |
Scope | Single instance per directory stanza |
Default | None |
Module | mod_ibm_ldap |
Multiple instances in the configuration file | yes |
Values | Distinguished name |
Syntax | ldap.application.password.stashFile=c:\IHS\ldap.sth |
Scope | Single instance per directory stanza |
Default | None |
Module | mod_ibm_ldap |
Multiple instances in the configuration file | yes |
Values | Fully qualified path to the stash file. You can create this stash file with the ldapstash command. |
Syntax | ldap.cache.timeout= <secs> |
Scope | Single instance per directory stanza |
Default | 600 |
Module | mod_ibm_ldap |
Multiple instances in the configuration file | yes |
Values | The maximum length of time, in seconds, a response returned from the LDAP server remains valid. |
Syntax | ldap.group.memberattribute = <attribute> |
Scope | Single instance per directory stanza |
Default | uniquegroup |
Module | mod_ibm_ldap |
Multiple instances in the configuration file | yes |
Values | An LDAP attribute. See the ldap.prop.sample file for more information on the use of this directive. |
Syntax | ldap.group.memberattribute = <ldap filter> |
Scope | Single instance per directory stanza |
Default | groupofnames groupofuniquenames |
Module | mod_ibm_ldap |
Multiple instances in the configuration file | yes |
Values | An LDAP filter. See the ldap.prop.sample file for more information on the use of this directive. |
Syntax | ldap.group.memberAttributes= attribute [attribute2....] |
Scope | Single instance per directory stanza |
Default | member and uniquemember |
Module | mod_ibm_ldap |
Multiple instances in the configuration file | yes |
Values | Must equal the distinguished names of the group members. You can use more than one attribute to contain member information. |
Syntax | ldap.group.name.filter = <group name filter> |
Scope | Single instance per directory stanza |
Default | (&(cn=%v1) (|(objectclass=groupOfNames) (objectclass=groupOfUniqueNames)) |
Module | mod_ibm_ldap |
Multiple instances in the configuration file | yes |
Values | An LDAP filter. See Querying the LDAP server using LDAP search filters. |
Syntax | ldap.group.search.depth = <integer depth> |
Scope | Single instance per directory stanza |
Default | 1 |
Module | mod_ibm_ldap |
Multiple instances in the configuration file | yes |
Values | An integer. When searching for a group, if the user being authenticated is not a direct member of the required group, any subgroups of the required group are also searched, down to this depth. For example: group1 > group2 (group2 is a member of group1); group2 > group3 (group3 is a member of group2); group3 > jane (jane is a member of group3). If you search for jane and require her as a member of group1, the search fails with the default ldap.group.search.depth value of 1. If you specify ldap.group.search.depth > 2, the search succeeds. Use ldap.group.search.depth=<depth to search -- number> to limit the depth of subgroup searches. This type of search can become very intensive on an LDAP server. Where group1 has group2 as a member, and group2 has group1 as a member, this directive limits the depth of the search. In the previous example, group1 has a depth of 1, group2 has a depth of 2 and group3 has a depth of 3. |
The ldap.group.URL directive specifies a different location for a group on the same LDAP server. You cannot use this directive to specify a different LDAP server from that specified in the ldap.URL directive.
Syntax | ldap.group.URL = ldap://<hostname:port>/<BaseDN> |
Scope | Single instance per directory stanza |
Default | None |
Module | mod_ibm_ldap |
Multiple instances in the configuration file | yes |
Values | |
Syntax | ldap.idleConnection.timeout = <secs> |
Scope | Single instance per directory stanza |
Default | 600 |
Module | mod_ibm_ldap |
Multiple instances in the configuration file | yes |
Values | Length of time, in seconds, before an idle LDAP server connection closes due to inactivity. |
Syntax | ldap.key.file.password.stashfile=d:\<Key password file name> |
Scope | Single instance per directory stanza |
Default | None |
Module | mod_ibm_ldap |
Multiple instances in the configuration file | yes |
Values | Fully qualified path to the stash file. |
Syntax | ldap.key.fileName=d:\<Key file name> |
Scope | Single instance per directory stanza |
Default | None |
Module | mod_ibm_ldap |
Multiple instances in the configuration file | yes |
Values | Fully qualified path to the key file. |
Syntax | My Server Certificate |
Scope | Single instance per directory stanza |
Default | None |
Module | mod_ibm_ldap |
Multiple instances in the configuration file | yes |
Values | A valid label used in the key database file. This label becomes required only when using Secure Sockets Layer (SSL) and the LDAP server requests client authentication from the Web server. |
Syntax | LdapReferralHopLimit = <number_of_hops> |
Scope | Single instance per directory stanza |
Default | 10 |
Module | mod_ibm_ldap |
Multiple instances in the configuration file | yes |
Values | 0 to 10 |
The LdapReferralHopLimit directive is not meaningful when the LdapReferrals directive is off (the default).
Syntax | LdapReferrals = off | on |
Scope | Single instance per directory stanza |
Default | off |
Module | mod_ibm_ldap |
Multiple instances in the configuration file | yes |
Values | On or off |
Syntax | ldap.realm=<Protection Realm> |
Scope | Single instance per directory stanza |
Default | None |
Module | mod_ibm_ldap |
Multiple instances in the configuration file | yes |
Values | A description of the protected page. |
Syntax | ldap.search.timeout = <secs> |
Scope | Single instance per directory stanza |
Default | 10 |
Module | mod_ibm_ldap |
Multiple instances in the configuration file | yes |
Values | Length of time, in seconds. |
Syntax | ldap.transport = TCP |
Scope | Single instance per directory stanza |
Default | TCP |
Module | mod_ibm_ldap |
Multiple instances in the configuration file | yes |
Values | TCP or SSL |
Syntax | ldap.url = ldap://<hostname:port>/<BaseDN> where:
|
Scope | Single instance per directory stanza |
Default | None |
Module | mod_ibm_ldap |
Multiple instances in the configuration file | yes |
Syntax | ldap.user.authType = BasicIfNoCert |
Scope | Single instance per directory stanza |
Default | Basic |
Module | mod_ibm_ldap |
Multiple instances in the configuration file | yes |
Values | Basic, Cert, BasicIfNoCert |
Syntax | ldap.user.cert.filter=(&(objectclass=person)(cn=%v1)) |
Scope | Single instance per directory stanza |
Default | "(&(objectclass=person) (cn=%v1, ou=%v2, o=%v3,c=%v4))" |
Module | mod_ibm_ldap |
Multiple instances in the configuration file | yes |
Values | An LDAP filter. See Querying the LDAP server using LDAP search filters. |
Secure Socket Layer (SSL) certificates include the following fields, all of which you can convert to a search filter:
Certificate field | Variable |
common name | %v1 |
organizational unit | %v2 |
organization | %v3 |
country | %v4 |
locality | %v5 |
state or country | %v6 |
serial number | %v7 |
User certificate | Filter conversion |
Certificate | cn=Road Runner, o=Acme Inc, c=US |
Filter | (cn=%v1, o=%v3, c=%v4) |
Resulting query | (cn=Road Runner, o=Acme Inc, c=US) |
Syntax | ldap.user.name.fieldSep=/ |
Scope | Single instance per directory stanza |
Default | The space, comma, and tab (\t) characters. |
Module | mod_ibm_ldap |
Multiple instances in the configuration file | yes |
Values | Characters. If '/' represents the only field separator character and the user enters "Joe Smith/Acme", then '%v2' equals "Acme". |
The ldap.user.name.filter directive specifies the filter used to convert the user name entered by the user into a search filter for an LDAP entry.
Syntax | ldap.user.name.filter=<user name filter> |
Scope | Single instance per directory stanza |
Default | "(&(objectclass=person)(cn=%v1 %v2))", where %v1 and %v2 represent the values entered by the user. For example, if the user enters "Paul Kelsey", the resulting search filter becomes "(&(objectclass=person)(cn=Paul Kelsey))". Search filter syntax is described in Querying the LDAP server using LDAP search filters. However, because the Web server cannot differentiate between multiple returned entries, authentication fails when the LDAP server returns more than one entry. For example, if ldap.user.name.filter is set to "(&(objectclass=person)(cn=%v1* %v2*))" and the user enters "Pa Kel", the resulting cn assertion becomes "(cn=Pa* Kel*)". That filter finds multiple entries, such as (cn=Paul Kelsey) and (cn=Paula Kelly), and authentication fails. You must modify your search filter. |
Module | mod_ibm_ldap |
Multiple instances in the configuration file | yes |
Values | An LDAP filter. See Querying the LDAP server using LDAP search filters. |
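The %v1..%vN substitution used by ldap.user.cert.filter (certificate fields in the order of the table above), ldap.user.name.fieldSep (splitting the typed name into %v1, %v2, ...) and ldap.user.name.filter, together with the rule that a filter matching more than one entry fails authentication, as an added Python example. It is not mod_ibm_ldap's implementation: the directory is a constructed list of cn values, the filter evaluator honours only the (cn=...) assertion, and substituted values are escaped per RFC 4515 as an assumption about good practice, not a statement about what the module does.

```python
# Added example: %vN substitution into ldap.user.cert.filter / ldap.user.name.filter,
# fieldSep splitting, and the one-entry rule for authentication. Toy code on
# constructed data; not mod_ibm_ldap's implementation.
import re

# Certificate fields in the order the page maps them to %v1..%v7.
CERT_FIELD_ORDER = ("cn", "ou", "o", "c", "l", "st", "serialnumber")


def escape_filter_value(value):
    """RFC 4515 escaping of a value substituted into a filter (assumed good practice)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def split_user_name(name, field_sep=" ,\t"):
    """Split the typed user name into %v1, %v2, ... on ldap.user.name.fieldSep characters."""
    return [p for p in re.split("[" + re.escape(field_sep) + "]+", name.strip()) if p]


def cert_subject_to_vars(subject):
    """Map a certificate subject DN (comma-separated RDNs) to %v1..%v7; missing fields are empty."""
    attrs = {}
    for rdn in subject.split(","):
        key, _, val = rdn.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return [attrs.get(field, "") for field in CERT_FIELD_ORDER]


def build_filter(template, values):
    """Replace each %vN in the filter template with the N-th value, escaped."""
    def repl(m):
        idx = int(m.group(1)) - 1
        return escape_filter_value(values[idx]) if idx < len(values) else ""
    return re.sub(r"%v(\d+)", repl, template)


def _unescape(segment):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), segment)


def matching_cns(filter_str, cns):
    """Toy evaluator: applies only the (cn=...) assertion, with '*' wildcards and
    escaped characters, to a list of constructed cn values."""
    m = re.search(r"\(cn=([^)]*)\)", filter_str)
    if not m:
        return []
    pattern = ".*".join(re.escape(_unescape(seg)) for seg in m.group(1).split("*"))
    return [cn for cn in cns if re.fullmatch(pattern, cn, re.IGNORECASE)]


# Constructed entries: the two names from the page plus the certificate example.
DIRECTORY_CNS = ["Paul Kelsey", "Paula Kelly", "Road Runner"]


def authenticate_by_name(user_input, name_filter, cns=DIRECTORY_CNS, field_sep=" ,\t"):
    """Return the single matched cn, or None when zero or more than one entry matches,
    which is the case the page says makes authentication fail."""
    flt = build_filter(name_filter, split_user_name(user_input, field_sep))
    matches = matching_cns(flt, cns)
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    exact = "(&(objectclass=person)(cn=%v1 %v2))"
    wild = "(&(objectclass=person)(cn=%v1* %v2*))"
    print(authenticate_by_name("Paul Kelsey", exact))   # one entry: authenticated
    print(authenticate_by_name("Pa Kel", wild))         # two entries: None
    print(authenticate_by_name("Pa* Kel*", exact))      # '*' escaped, no wildcard: None
    print(build_filter("(cn=%v1, o=%v3, c=%v4)",
                       cert_subject_to_vars("cn=Road Runner, o=Acme Inc, c=US")))
```

The third call shows why the escaping matters: with the exact default filter, a typed "Pa* Kel*" is substituted as literal text rather than as a wildcard, so it cannot widen the search the way the page's "%v1* %v2*" template deliberately does.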
The ldap.version directive indicates the version of the LDAP protocol used to connect to the LDAP server. The protocol version used by the LDAP server determines the LDAP version.
Syntax | ldap.version=3 |
Scope | Single instance per directory stanza |
Default | ldap.version=3 |
Module | mod_ibm_ldap |
Multiple instances in the configuration file | yes |
Values | 2 or 3 |
The ldap.waitToRetryConnection.interval directive indicates the time the Web server waits between failed attempts to connect. If an LDAP server goes down, the Web server continues to try to connect.
Syntax | ldap.waitToRetryConnection.interval=<secs> |
Scope | Single instance per directory stanza |
Default | 300 |
Module | mod_ibm_ldap |
Multiple instances in the configuration file | yes |
Values | Time (in seconds) |