These configuration parameters control the Lightweight Directory Access Protocol (LDAP) feature in IBM® HTTP Server.
Deprecated feature: If you are using the mod_ibm_ldap module for your LDAP configuration, consider migrating your mod_ibm_ldap directives to use the mod_ldap module. The mod_ibm_ldap module is provided with this release of IBM HTTP Server for compatibility with previous releases; however, you must migrate existing configurations to use the mod_authnz_ldap and mod_ldap modules to ensure future support for your LDAP configuration.
LdapCodepageDir directive
Codepages are now automatically installed in the IHS installation directory and are referenced relative to the IHS installation directory, as opposed to the configured server root directory as in previous versions.
LdapConfigFile directive
The LdapConfigFile directive indicates the name of the LDAP properties file associated with a group of LDAP parameters.
Syntax | LdapConfigFile <fully qualified path to configuration file>
Scope | Single instance per directory stanza
Default | c:\program files\ibm http server\conf\ldap.prop.sample
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | Fully qualified path to a single configuration file. Use this directive in the httpd.conf file.
LDAPRequire directive
The LDAPRequire directive restricts access to a resource that is controlled by LDAP authentication to a specified collection of users. It can either use groups that are defined in LDAP, by using the group type, or it can use an LDAP filter type to designate a collection of users with a similar set of attribute values.
Name | Description
Syntax | LDAPRequire filter <filter name> or LDAPRequire group <group1 [group2 group3 ...]>
Scope | Single instance per directory stanza
Default | None
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | LDAPRequire filter "(&(objectclass=person)(cn=*)(ou=IHS)(o=IBM))", or LDAPRequire group "sample group". Use this directive in the httpd.conf file.
If the group type is used and multiple group values are specified, the group validation is a logical AND of the groups: a user must be a member of sample Group1 and sample Group2. If a logical OR of groups is required, for example, if a user is a member of sample Group1 or sample Group2, then a new LDAP group, our department group, should be created on the LDAP server that has sample Group1 and sample Group2 as its members. You would then use the directive: LDAPRequire group "our department group".
Ldap.application.authType directive
The ldap.application.authType directive specifies the method for authenticating the Web server to the LDAP server.
Name | Description
Syntax | ldap.application.authType=None
Scope | Single instance per directory stanza
Default | None
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values |
- None: The LDAP server does not require the Web server to authenticate.
- Basic: Uses the distinguished name (DN) of the Web server as the user ID, and the password stored in the stash file as the password.
Ldap.application.DN directive
The ldap.application.DN directive indicates the distinguished name (DN) of the Web server. Use this name as the user name when accessing an LDAP server using basic authentication. Use the entry specified in the LDAP server to access the directory server.
Name | Description
Syntax | ldap.application.DN=cn=ldapadm,ou=ihs test,o=IBM,c=US
Scope | Single instance per directory stanza
Default | None
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | Distinguished name
Ldap.application.password.stashFile directive
The ldap.application.password.stashFile directive indicates the name of the stash file containing the encrypted password for the application to authenticate to the LDAP server when the server authentication type is Basic.
Name | Description
Syntax | ldap.application.password.stashFile=c:\IHS\ldap.sth
Scope | Single instance per directory stanza
Default | None
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | Fully qualified path to the stash file. You can create this stash file with the ldapstash command.
Ldap.cache.timeout directive
The ldap.cache.timeout directive controls how long responses from the LDAP server are cached. If you configure the Web server to run as multiple processes, each process manages its own copy of the cache.
Name | Description
Syntax | ldap.cache.timeout=<secs>
Scope | Single instance per directory stanza
Default | 600
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | The maximum length of time, in seconds, that a response returned from the LDAP server remains valid.
Ldap.group.attribute directive
The ldap.group.attributes directive indicates the filter used to determine, through an LDAP search, if a distinguished name (DN) is an actual group.
Name | Description
Syntax | ldap.group.memberattribute=<attribute>
Scope | Single instance per directory stanza
Default | uniquegroup
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | An LDAP attribute. See the ldap.prop.sample file for more information on the use of this directive.
Ldap.group.dnattribute directive
The ldap.group.dnattributes directive specifies the filter used to determine, through an LDAP search, if a distinguished name (DN) is an actual group.
Name | Description
Syntax | ldap.group.memberattribute=<ldap filter>
Scope | Single instance per directory stanza
Default | groupofnames groupofuniquenames
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | An LDAP filter. See the ldap.prop.sample file for more information on the use of this directive.
Ldap.group.memberattribute directive
The ldap.group.memberattribute directive specifies the attribute used to retrieve unique groups from an existing group.
Name | Description
Syntax | ldap.group.memberattribute=<ldap filter>
Scope | Single instance per directory stanza
Default | groupofnames groupofuniquenames
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | An LDAP filter. See the ldap.prop.sample file for more information on the use of this directive.
Ldap.group.memberAttributes directive
The ldap.group.memberAttributes directive names the attributes used to extract group members once a group entry has been found in an LDAP directory.
Name | Description
Syntax | ldap.group.memberAttributes=attribute [attribute2 ...]
Scope | Single instance per directory stanza
Default | member and uniquemember
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | Attributes whose values are the distinguished names of the group members. You can use more than one attribute to contain member information.
Ldap.group.name.filter directive
The ldap.group.name.filter directive indicates the filter LDAP uses to search for group names.
Name | Description
Syntax | ldap.group.name.filter=<group name filter>
Scope | Single instance per directory stanza
Default | (&(cn=%v1)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | An LDAP filter. See Querying the LDAP server using LDAP search filters.
Ldap.group.search.depth directive
The ldap.group.search.depth directive controls how deeply subgroups are searched when you specify LDAPRequire group <group> directives. Groups can contain both individual members and other groups.
Name | Description
Syntax | ldap.group.search.depth=<integer depth>
Scope | Single instance per directory stanza
Default | 1
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | An integer. When searching for a group, if the user being authenticated is not a direct member of the required group, any subgroups of the required group are also searched. For example:
group1 > group2 (group2 is a member of group1)
group2 > group3 (group3 is a member of group2)
group3 > jane (jane is a member of group3)
If you search for jane and require her as a member of group1, the search fails with the default ldap.group.search.depth value of 1. If you specify an ldap.group.search.depth value greater than 2, the search succeeds.
Use ldap.group.search.depth=<depth to search> to limit the depth of subgroup searches. This type of search can become very intensive on an LDAP server. Where group1 has group2 as a member, and group2 has group1 as a member, this directive limits the depth of the search. In the previous example, group1 has a depth of 1, group2 has a depth of 2 and group3 has a depth of 3.
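The following added example (not IBM HTTP Server code) models how LDAPRequire group, which requires membership in every listed group, combines with ldap.group.search.depth, which bounds how far nested subgroups are followed and keeps a group1 > group2 > group1 cycle from looping. The directory is constructed in memory, and the member attribute names assume the ldap.group.memberAttributes default (member, uniquemember).

```python
# Added example (not IBM HTTP Server code): models LDAPRequire group (logical AND
# of the listed groups) together with ldap.group.search.depth (bounded descent
# into subgroups). The directory below is constructed; member attribute names
# follow the ldap.group.memberAttributes default (member, uniquemember).
from typing import Dict, List, Tuple

# Constructed sample directory: group DN -> {member attribute: [member DNs]}.
# It reproduces the page's chain group1 > group2 > group3 > jane and adds the
# page's cycle case where group2 also lists group1 as a member.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=group1,o=IBM": {"member": ["cn=group2,o=IBM"]},
    "cn=group2,o=IBM": {"uniquemember": ["cn=group3,o=IBM", "cn=group1,o=IBM"]},
    "cn=group3,o=IBM": {"member": ["cn=jane,o=IBM"]},
    "cn=sales,o=IBM": {"member": ["cn=jane,o=IBM", "cn=bob,o=IBM"]},
}
MEMBER_ATTRIBUTES = ("member", "uniquemember")  # ldap.group.memberAttributes default


def group_members(group_dn: str) -> List[str]:
    """Collect member DNs from every configured member attribute of a group entry."""
    entry = DIRECTORY.get(group_dn, {})
    members: List[str] = []
    for attr in MEMBER_ATTRIBUTES:
        members.extend(entry.get(attr, []))
    return members


def is_member(user_dn: str, group_dn: str, search_depth: int = 1,
              _depth: int = 1, _path: Tuple[str, ...] = ()) -> bool:
    """True if user_dn is found in group_dn within search_depth levels.

    The required group itself is depth 1 (the page's default), its subgroups
    depth 2, and so on. _path holds the groups on the current chain so that a
    cycle such as group1 > group2 > group1 terminates instead of recursing forever.
    """
    if group_dn in _path:
        return False
    members = group_members(group_dn)
    if user_dn in members:
        return True
    if _depth >= search_depth:
        return False  # depth budget exhausted: do not descend into subgroups
    chain = _path + (group_dn,)
    return any(is_member(user_dn, m, search_depth, _depth + 1, chain)
               for m in members if m in DIRECTORY)  # only recurse into group entries


def ldap_require_group(user_dn: str, required_groups: List[str],
                       search_depth: int = 1) -> bool:
    """LDAPRequire group g1 g2 ...: the user must be in every listed group (AND)."""
    return all(is_member(user_dn, g, search_depth) for g in required_groups)
```

With the page's chain, jane is reachable from group1 only once the depth reaches 3, and the cycle between group1 and group2 ends the search rather than looping.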
Ldap.group.URL directive
The ldap.group.URL directive specifies a different location for a group on the same LDAP server. You cannot use this directive to specify a different LDAP server from that specified in the ldap.URL directive.
Name | Description
Syntax | ldap.group.URL=ldap://<hostname:port>/<BaseDN>
Scope | Single instance per directory stanza
Default | None
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values |
- host name: Host name of the LDAP server.
- port number: Optional port number on which the LDAP server listens. The default for TCP connections is 389. If you use SSL, you must specify the port number.
- BaseDN: Provides the root of the LDAP tree in which to perform the search for groups.
Attention: This property becomes required if the LDAP URL for groups differs from the URL specified by the ldap.URL property.
Ldap.idleConnection.timeout directive
The ldap.idleConnection.timeout directive controls how long connections to the LDAP server are cached for performance.
Name | Description
Syntax | ldap.idleConnection.timeout=<secs>
Scope | Single instance per directory stanza
Default | 600
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | Length of time, in seconds, before an idle LDAP server connection closes due to inactivity.
Ldap.key.file.password.stashfile directive
The ldap.key.file.password.stashfile directive indicates the stash file containing the encrypted key file password; use the ldapstash command to create this stash file.
Name | Description
Syntax | ldap.key.file.password.stashfile=d:\<Key password file name>
Scope | Single instance per directory stanza
Default | None
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | Fully qualified path to the stash file.
Ldap.key.fileName directive
The ldap.key.fileName directive indicates the file name of the key file database. This option becomes required when you use Secure Sockets Layer (SSL).
Name | Description
Syntax | ldap.key.fileName=d:\<Key file name>
Scope | Single instance per directory stanza
Default | None
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | Fully qualified path to the key file.
Ldap.key.label directive
The ldap.key.label directive indicates the certificate label name the Web server uses to authenticate to the LDAP server.
Name | Description
Syntax | ldap.key.label=My Server Certificate
Scope | Single instance per directory stanza
Default | None
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | A valid label used in the key database file. This label becomes required only when using Secure Sockets Layer (SSL) and the LDAP server requests client authentication from the Web server.
LdapReferralHopLimit directive
The LdapReferralHopLimit directive indicates the maximum number of referrals to follow. LDAP authentication fails if the specified limit is exceeded.
Name | Description
Syntax | LdapReferralHopLimit=<number_of_hops>
Scope | Single instance per directory stanza
Default | 10
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | 0 to 10
Set the LdapReferrals directive on to use the LdapReferralHopLimit directive.
Important: An LdapReferralHopLimit value of 0 causes authentication to fail if any referrals are encountered.
The LdapReferralHopLimit directive is not meaningful when the LdapReferrals directive is off (the default).
LdapReferrals directive
The LdapReferrals directive indicates whether referrals (which redirect a client request to another LDAP server) are chased for searches while performing LDAP queries.
Name | Description
Syntax | LdapReferrals=off | on
Scope | Single instance per directory stanza
Default | off
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | On or off
Ldap.realm directive
The ldap.realm directive indicates the name of the protected area, as seen by the requesting client.
Name | Description
Syntax | ldap.realm=<Protection Realm>
Scope | Single instance per directory stanza
Default | None
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | A description of the protected page.
Ldap.search.timeout directive
The ldap.search.timeout directive indicates the maximum time, in seconds, to wait for an LDAP server to complete a search operation.
Name | Description
Syntax | ldap.search.timeout=<secs>
Scope | Single instance per directory stanza
Default | 10
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | Length of time, in seconds.
Ldap.transport directive
The ldap.transport directive indicates the transport method used to communicate with the LDAP server.
Name | Description
Syntax | ldap.transport=TCP
Scope | Single instance per directory stanza
Default | TCP
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | TCP or SSL
Ldap.url directive
The ldap.url directive indicates the URL of the LDAP server to authenticate against.
Name | Description
Syntax | ldap.url=ldap://<hostname:port>/<BaseDN>
Scope | Single instance per directory stanza
Default | None
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Ldap.user.authType directive
The ldap.user.authType directive indicates the method for authenticating the user who requests a Web server resource.
Name | Description
Syntax | ldap.user.authType=BasicIfNoCert
Scope | Single instance per directory stanza
Default | Basic
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | Basic, Cert, BasicIfNoCert
Ldap.user.cert.filter directive
The ldap.user.cert.filter directive indicates the filter used to convert the information in the client certificate passed over Secure Sockets Layer (SSL) into a search filter for an LDAP entry.
Name | Description
Syntax | ldap.user.cert.filter=(&(objectclass=person)(cn=%v1))
Scope | Single instance per directory stanza
Default | "(&(objectclass=person)(cn=%v1, ou=%v2, o=%v3, c=%v4))"
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | An LDAP filter. See Querying the LDAP server using LDAP search filters.
Secure Sockets Layer (SSL) certificates include the following fields, all of which you can convert to a search filter:
Certificate field | Variable
common name | %v1
organizational unit | %v2
organization | %v3
country | %v4
locality | %v5
state or province | %v6
serial number | %v7
When you generate the search filter, the field values are substituted for the matching variables (%v1, %v2, and so on). The following table shows the conversion:
User certificate | Filter conversion
Certificate | cn=Road Runner, o=Acme Inc, c=US
Filter | (cn=%v1, o=%v3, c=%v4)
Resulting query | (cn=Road Runner, o=Acme Inc, c=US)
Ldap.user.name.fieldSep directive
The ldap.user.name.fieldSep directive indicates which characters are valid field separator characters when parsing the user name into fields.
Name | Description
Syntax | ldap.user.name.fieldSep=/
Scope | Single instance per directory stanza
Default | The space, comma, and tab (\t) characters.
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | Characters. If '/' is the only field separator character and the user enters "Joe Smith/Acme", then %v2 equals "Acme".
Ldap.user.name.filter directive
The ldap.user.name.filter directive indicates the filter used to convert the user name entered into a search filter for an LDAP entry.
Name | Description
Syntax | ldap.user.name.filter=<user name filter>
Scope | Single instance per directory stanza
Default | "(&(objectclass=person)(cn=%v1 %v2))", where %v1 and %v2 represent the parts of the name entered by the user.
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | An LDAP filter. See Querying the LDAP server using LDAP search filters.
For example, if the user enters "Paul Kelsey", the resulting search filter becomes "(&(objectclass=person)(cn=Paul Kelsey))". The search filter syntax is described in Querying the LDAP server using LDAP search filters.
However, because the Web server cannot differentiate between multiple returned entries, authentication fails when the LDAP server returns more than one entry. For example, if you set ldap.user.name.filter="(&(objectclass=person)(cn=%v1* %v2*))" and the user enters Pa Kel, the resulting search filter becomes "(cn=Pa* Kel*)". The filter finds multiple entries, such as (cn=Paul Kelsey) and (cn=Paula Kelly), and authentication fails. You must modify your search filter.
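The following added example (not IBM HTTP Server code) models the name-to-filter conversion described under ldap.user.name.fieldSep, ldap.user.name.filter and ldap.user.cert.filter: splitting the typed name into %v1, %v2, ..., substituting the fields into the filter template, and rejecting a filter that matches more than one entry. Escaping the substituted values per RFC 4515 is an assumption about what a safe implementation does, not something the page documents.

```python
# Added example (not IBM HTTP Server code): models how the typed user name is split
# by ldap.user.name.fieldSep, substituted into ldap.user.name.filter (or a
# certificate subject into ldap.user.cert.filter), and why a filter matching more
# than one entry fails authentication. RFC 4515 escaping of substituted values is
# an assumption about a safe implementation, not something the page documents.
import re
from typing import Dict, List, Optional

DEFAULT_FIELD_SEP = " ,\t"  # page default: space, comma and tab


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: user-supplied text cannot add or close filter components."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def split_user_name(user_name: str, field_sep: str = DEFAULT_FIELD_SEP) -> List[str]:
    """Split the typed name into fields at any run of separator characters."""
    parts = re.split("[" + re.escape(field_sep) + "]+", user_name)
    return [p for p in parts if p]


def render_filter(template: str, fields: List[str]) -> str:
    """Replace each %vN in the template with the escaped Nth field (empty if absent)."""
    def substitute(match) -> str:
        index = int(match.group(1)) - 1
        return escape_filter_value(fields[index]) if index < len(fields) else ""
    return re.sub(r"%v(\d+)", substitute, template)


def cert_subject_fields(subject: Dict[str, str]) -> List[str]:
    """Order certificate subject attributes as the page's %v1..%v7 variables."""
    return [subject.get(key, "") for key in ("cn", "ou", "o", "c", "l", "st", "serialNumber")]


def resolve_user(entries_found: List[str]) -> Optional[str]:
    """The Web server cannot choose between entries: exactly one match authenticates."""
    return entries_found[0] if len(entries_found) == 1 else None
```

Feeding "Pa Kel" through the wildcard template from the text yields "(&(objectclass=person)(cn=Pa* Kel*))", and resolve_user returns None when that filter matches both Paul Kelsey and Paula Kelly.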
Ldap.version directive
The ldap.version directive indicates the version of the LDAP protocol used to connect to the LDAP server. The protocol version used by the LDAP server determines the LDAP version.
Attention: This directive is optional.
Name | Description
Syntax | ldap.version=3
Scope | Single instance per directory stanza
Default | 3
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | 2 or 3
Ldap.waitToRetryConnection.interval directive
The ldap.waitToRetryConnection.interval directive indicates the time the Web server waits between failed attempts to connect. If an LDAP server goes down, the Web server continues to try to connect.
Name | Description
Syntax | ldap.waitToRetryConnection.interval=<secs>
Scope | Single instance per directory stanza
Default | 300
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | Time (in seconds)