Converting your directives from mod_ibm_ldap to mod_ldap

Convert directives that use the mod_ibm_ldap module to use the mod_ldap Apache module to ensure continued IHS support for your LDAP configuration.

Determine which directives to convert.

Complete these steps to convert your directives.

  1. Edit the httpd.conf or ldap.prop configuration file and remove the LoadModule directive that loads mod_ibm_ldap:

    LoadModule ibm_ldap_module modules/mod_ibm_ldap.so

  2. Add the mod_ldap LoadModule directive to the httpd.conf configuration file.

    LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
    LoadModule ldap_module modules/mod_ldap.so

  3. Convert one or more of the following directives. For more information about converting your directives, see the topic about mod_ibm_ldap migration.

    A one-to-one correlation might not exist for some directives.

    Table 1. LDAP configuration directives conversion (mod_ibm_ldap directive -> mod_ldap equivalent)

    ldapCodePageDir -> None. The code pages cannot be moved from their installed location.
    LdapConfigFile -> include
    LdapRequire -> require
    ldap.application.authType -> None. If the mod_ldap directive AuthLDAPBindDN is specified, you get the Basic auth type. If no AuthLDAPBindDN is specified, you get what would have been the None auth type (anonymous). If the mod_ldap configuration specifies an LDAPTrustedClientCert value, you get the Cert auth type.
    ldap.application.DN -> AuthLDAPBindDN
    ldap.application.password -> AuthLDAPBindPassword
    ldap.application.password.stashFile -> None. The mod_ldap module does not provide a directive for using stashed passwords.
    ldap.cache.timeout -> LDAPCacheTTL
    ldap.group.dnattributes -> AuthLDAPSubGroupClass
    ldap.group.memberattribute -> AuthLDAPSubGroupAttribute
    ldap.group.memberattributes -> AuthLDAPGroupAttribute
    ldap.group.name.filter -> None. The mod_ldap module uses the filter provided at the end of the AuthLDAPURL directive.
    ldap.group.search.depth -> AuthLDAPMaxSubGroupDepth
    ldap.group.URL -> AuthLDAPURL
    ldap.idleConnection.timeout -> None. The mod_ldap module does not provide a directive for connection timeouts.
    ldap.key.file.password.stashfile -> None. The mod_ldap module does not provide a directive for using stashed passwords. Specify the key file password, in clear text, at the end of the LDAPTrustedGlobalCert directive. Alternatively, omit the password from the LDAPTrustedGlobalCert directive; the mod_ldap module then automatically looks for a /path/to/keyfile.sth file, assuming /path/to/keyfile.kdb was the value specified on the LDAPTrustedGlobalCert directive.
    ldap.key.fileName -> LDAPTrustedGlobalCert
    ldap.key.label -> LDAPTrustedClientCert
    ldap.ReferralHopLimit -> LDAPReferralHopLimit
    ldapReferrals -> LDAPReferrals
    ldap.realm -> None. The mod_ibm_ldap value of this directive was used only for logging. No equivalent directive is required in mod_ldap.
    ldap.search.timeout -> LDAPSearchTimeout
    ldap.transport -> LDAPTrustedMode
    ldap.URL -> AuthLDAPURL
    ldap.user.authType -> None. The mod_ldap module authenticates users based on the user ID and password credentials provided.
    ldap.user.cert.filter -> None. The mod_ldap module does not work directly with client certificates. Authorization directives use the environment values set by the SSL module.
    ldap.user.name.fieldSep -> None. The mod_ldap module does not support parsing the provided credentials into subcomponents.
    ldap.user.name.filter -> None. The mod_ldap module specifies the user name filter as part of the AuthLDAPURL directive.
    ldap.version -> None. The mod_ldap module uses only LDAP version 3.
    ldap.waitToRetryConnection.interval -> None. The mod_ldap module does not have a timed delay between connection retries when a connection attempt fails. The connection attempt is retried a maximum of 10 times before the request fails.

  4. Run the Apache control script with the -t flag to verify the configuration syntax.

    /IBM/IHS/bin/apachectl -t

    Attention: This configuration check confirms only that the syntax is correct. Verify each changed directive against the documentation for that directive to ensure an optimal configuration.

    Attention: All mod_ibm_ldap directives of the form ldap.* could optionally appear in the LdapConfigFile configuration file without the ldap. prefix.
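The following script applies the Table 1 mapping to a mod_ibm_ldap configuration fragment and separates the directives that have a name-for-name mod_ldap replacement from those that need a manual decision (no equivalent, or a different value syntax). It is an added example, not an IBM tool; it assumes the input uses 'name value' or 'name=value' lines, and the sample fragment is constructed.

```python
"""Rewrite mod_ibm_ldap directives as mod_ldap ones per Table 1 above. Constructed
example, not an IBM tool; assumes 'name value' or 'name=value' input lines."""
import re
# Name-for-name replacements from Table 1. Values are copied verbatim and must
# still be checked against each mod_ldap directive's documentation.
DIRECT = {
    "ldap.application.dn": "AuthLDAPBindDN", "ldap.url": "AuthLDAPURL",
    "ldap.application.password": "AuthLDAPBindPassword",
    "ldap.cache.timeout": "LDAPCacheTTL", "ldap.group.url": "AuthLDAPURL",
    "ldap.group.dnattributes": "AuthLDAPSubGroupClass",
    "ldap.group.memberattribute": "AuthLDAPSubGroupAttribute",
    "ldap.group.memberattributes": "AuthLDAPGroupAttribute",
    "ldap.group.search.depth": "AuthLDAPMaxSubGroupDepth",
    "ldap.key.filename": "LDAPTrustedGlobalCert", "ldap.transport": "LDAPTrustedMode",
    "ldap.key.label": "LDAPTrustedClientCert", "ldapreferrals": "LDAPReferrals",
    "ldap.referralhoplimit": "LDAPReferralHopLimit", "ldap.search.timeout": "LDAPSearchTimeout",
}
# No drop-in equivalent in Table 1 (LdapRequire/LdapConfigFile differ in value syntax).
MANUAL = {"ldaprequire", "ldapconfigfile", "ldapcodepagedir", "ldap.realm",
          "ldap.application.authtype", "ldap.application.password.stashfile",
          "ldap.group.name.filter", "ldap.idleconnection.timeout", "ldap.version",
          "ldap.key.file.password.stashfile", "ldap.user.authtype",
          "ldap.user.cert.filter", "ldap.user.name.fieldsep",
          "ldap.user.name.filter", "ldap.waittoretryconnection.interval"}
LINE = re.compile(r"^\s*([\w.]+)\s*=?\s*(.*?)\s*$")

def convert(text):
    """Return (mod_ldap lines, (name, value) pairs to review, unknown names)."""
    out, manual, unknown = [], [], []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = LINE.match(raw)
        name, value = m.groups() if m else (raw.strip(), "")
        key = name.lower()
        if key not in DIRECT and key not in MANUAL:
            key = "ldap." + key  # LdapConfigFile entries may omit the ldap. prefix
        if key in DIRECT:
            out.append(f"{DIRECT[key]} {value}".rstrip())
        elif key in MANUAL:
            manual.append((name, value))
        else:
            unknown.append(name)
    return out, manual, unknown

SAMPLE = """# constructed mod_ibm_ldap fragment, not a real configuration
ldap.URL ldap://our_ldap.server.org/o=OurOrg,c=US
ldap.application.DN cn=ldapadm,ou=OurDirectory,o=OurCompany,c=US
ldap.application.password.stashFile /path/to/ldap.sth
cache.timeout=600
LoadModule ibm_ldap_module modules/mod_ibm_ldap.so
"""
```

Everything reported in the review list (here the stashed password file, which mod_ldap cannot use) still has to be resolved by hand before running apachectl -t.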


Example

The following configuration directives show a sample SSL-enabled LDAP configuration. Some of the directives specify default values and would not normally need to be specified, but they are retained to provide context. Those directives are included but commented out with '##' symbols.

##LDAPReferrals On
##LDAPReferralHopLimit 5

LDAPTrustedGlobalCert CMS_KEYFILE /full/path/to/ldap_client.kdb clientkdbPassword
# default cert in this kdb is my_cert1

# Alternatively, you can specify a SAF-based keyring, on systems that support it...
#LDAPTrustedGlobalCert SAF saf_keyring

<VirtualHost *>
  ServerAdmin admin@my.address.com
  DocumentRoot /path/to/htdocs

  # Ignored because LDAP URLs use ldaps:, where needed
  ##LDAPTrustedMode SSL

  <Directory /minimal_ldap_config>
    AuthBasicProvider ldap
    AuthLDAPURL ldap://our_ldap.server.org/o=OurOrg,c=US
    AuthName "Private root access"
    require valid-user
  </Directory>

  <Directory /path/to/htdocs>
    ##AuthzLDAPAuthoritative on
    AuthBasicProvider ldap
    # This LDAPTrustedClientCert is required to use a different certificate
    # than the default
    LDAPTrustedClientCert CMS_LABEL my_cert2
    AuthLDAPURL ldaps://our_ldap.server.org:636/o=OurOrg,c=US?cn?sub?(objectclass=person)
    AuthLDAPBindDN "cn=ldapadm,ou=OurDirectory,o=OurCompany,c=US"
    AuthLDAPBindPassword mypassword
    AuthName "Private root access"
    require ldap-group cn=OurDepartment,o=OurOrg,c=us
  </Directory>

  <Directory "/path/to/htdocs/employee_of_the_month">
    ##AuthzLDAPAuthoritative on
    AuthBasicProvider ldap
    # Uses default cert (my_cert1)
    ##LDAPTrustedClientCert CMS_LABEL my_cert1
    AuthLDAPURL ldaps://our_ldap.server.org:636/o=OurOrg,c=US?cn?sub?(objectclass=person)
    AuthLDAPBindDN "cn=ldapadm,ou=OurDirectory,o=OurCompany,c=US"
    AuthLDAPBindPassword mypassword
    AuthName "Employee of the month login"
    require ldap-attribute description="Employee of the Month."
  </Directory>

  <Directory "/path/to/htdocs/development_groups">
    # These are the default values for the subgroup-related directives and only need to be
    # specified when the LDAP structure differs.
    ##AuthzLDAPAuthoritative on
    AuthBasicProvider ldap
    # This LDAPTrustedClientCert is required to use a different certificate
    # than the default
    LDAPTrustedClientCert CMS_LABEL my_cert3
    AuthLDAPURL ldaps://groups_ldap.server.org:636/o=OurOrg,c=US?cn?sub?(|(objectclass=groupofnames)(objectclass=groupofuniquenames))
    AuthLDAPBindDN "cn=ldapadm,ou=OurDirectory,o=OurCompany,c=US"
    AuthLDAPBindPassword mypassword
    AuthName "Developer Access"
    AuthLDAPGroupAttribute member
    AuthLDAPMaxSubGroupDepth 2
    AuthLDAPSubGroupClass groupOfUniqueNames
    ##AuthLDAPSubGroupClass groupOfNames
    ##AuthLDAPSubGroupAttribute uniqueMember
    ##AuthLDAPSubGroupAttribute member
    require ldap-group cn=Developers_group,o=OurOrg,c=us
  </Directory>
</VirtualHost>

LDAPTrustedMode None

Subtopics

mod_ibm_ldap directives migration


Related tasks

Authenticate with LDAP on IHS using mod_ibm_ldap (Distributed systems)


Related reference

Apache modules (containing directives) supported by IHS