You can configure Lightweight Directory Access Protocol
(LDAP) to authenticate and protect files on IBM® HTTP
Server.
Before you begin
Best Practice: If you are using the mod_ibm_ldap module for your LDAP configuration,
consider migrating your mod_ibm_ldap directives to use the mod_ldap
module. The mod_ibm_ldap module is provided with this release of IBM HTTP Server for compatibility with previous releases, however,
you must migrate existing configurations to use the mod_authnz_ldap
and mod_ldap modules to ensure future support for your LDAP configuration.
The LoadModule directive for LDAP does not load into IBM HTTP Server by default. Without the LoadModule directive,
the LDAP features are not available for use.
In order to enable
the LDAP function, add a LoadModule directive to the IBM HTTP
Server
httpd.conf file as follows:
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
About this task
LDAP authentication is provided by the mod_ldap and mod_authnz_ldap
Apache modules.
- The mod_ldap module provides LDAP connection pooling and caching.
- The mod_authnz_ldap makes use of the LDAP connection pooling and
caching services to provide Web client authentication.
See the following Web sites to obtain detailed descriptions of
the LDAP (ldap_module and authnz_ldap_module) directives:
Procedure
- Edit the httpd.conf IBM HTTP
Server configuration file.
- Determine the resource for which you want to limit access. For example: <Directory "/secure_info">
- Add the LDAPTrustedGlobalCert directive to httpd.conf if the IBM HTTP Server connection to the LDAP server
is an SSL connection.
The LDAPTrustedGlobalCert directive
specifies the directory path and file name of the trusted certificate
authority (CA) that mod_ldap uses when establishing an SSL connection
to an LDAP server.
Certificates can be stored in a .kdb file or a SAF key ring. If a .kdb file is used, a .sth file must be located in
the same directory path and have the same filename, but the extension
must be .sth instead of .kdb.
The LDAPTrustedGlobalCert directive must
be a CMS_KEYFILE value type. Use this value if the certificates indicated
by the LDAPTrustedGlobalCert directive are stored in a .kdb file.
The LDAPTrustedGlobalCert
directive must be a SAF_KEYRING value type. Use this value if the
certificates indicated by the LDAPTrustedGlobalCert directive are
stored in a SAF key ring. Example when the certificate is stored in
a .kdb file:
LDAPTrustedGlobalCert CMS_KEYFILE /path/to/keyfile.kdb myKDBpassword
Example when the certificate is stored in a SAF key ring.
LDAPTrustedGlobalCert SAF saf_keyring
Important: The user ID that you use to start IBM HTTP Server must have access to the SAF key ring that you
name in this directive. If the user ID does not have access to the
SAF key ring, SSL initialization fails.
See Performing required z/OS system configurations for information on
accessing SAF key rings defined in RACF®.
- Add the AuthLDAPUrl directive, which specifies the LDAP
search parameters to use.
The syntax of the URL is:
ldap://host:port/basedn?attribute?scope?filter
- Add directives in httpd.conf to the
directory location (container) to be protected with values specific
to your environment, such as:
- Order deny,allow
- Allow from all
- AuthName "Title of your protected Realm"
- AuthType Basic
- AuthBasicProvider ldap
- AuthLDAPURL your_ldap_url
- Require valid-user
- AuthLDAPBindDN "cn=Directory Manager"
- AuthLDAPBindPassword auth_password
For each combination of LDAP server, protection setup,
and protect directive, code a Location container similar to the following
example:
<Location /ldapdir>
AuthName "whatever_LDAP"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL ldap://9.27.163.182:389/o=abc.xyz.com?cn?sub?
Require valid-user
AuthLDAPBindDN "cn=Directory Manager"
AuthLDAPBindPassword d44radar
</Location>
http://publib.boulder.ibm.com/httpserv/manual70/mod/mod_authnz_ldap.html