LDAP directives
These configuration parameters control the Lightweight Directory Access Protocol (LDAP) feature in IBM HTTP Server.
- LdapCodepageDir directive
- LdapConfigfile directive
- LDAPRequire directive
- Ldap.application.authType directive
- Ldap.application.DN directive
- Ldap.application.password.stashFile directive
- Ldap.cache.timeout directive
- Ldap.group.attribute directive
- Ldap.group.dnattribute directive
- Ldap.group.memberattribute directive
- Ldap.group.memberAttributes directive
- Ldap.group.name.filter directive
- Ldap.group.search.depth directive
- Ldap.group.URL directive
- Ldap.idleConnection.timeout directive
- Ldap.key.file.password.stashfile directive
- Ldap.key.fileName directive
- Ldap.key.label directive
- Ldap.LdapReferralhoplimit directive
- Ldap.LdapReferrals directive
- Ldap.realm directive
- Ldap.search.timeout directive
- Ldap.transport directive
- Ldap.url directive
- Ldap.user.authType directive
- Ldap.user.cert.filter directive
- Ldap.user.name.fieldSep directive
- Ldap.user.name.filter directive
- Ldap.version directive
- Ldap.waitToRetryConnection.interval directive
LdapCodepageDir directive
The LdapCodepageDir directive specifies the full path to the codepages directory that is installed with IBM HTTP Server.
Syntax: ldap.CodepageDir <full_path_to_codepages_directory>
Scope: Global server or virtual host
Default: <server_root>/codepages
Module: mod_ibm_ldap
Multiple instances in the configuration file: One instance in global configuration.
LdapConfigfile directive
The LdapConfigFile directive indicates the name of the LDAP properties file associated with a group of LDAP parameters.
Syntax: LdapConfigFile <fully qualified path to configuration file>
Scope: Single instance per directory stanza
Default: c:\program files\ibm http server\conf\ldap.prop.sample
Module: mod_ibm_ldap
Multiple instances in the configuration file: yes
Values: Fully qualified path to a single configuration file. Use this directive in the httpd.conf file.
LDAPRequire directive
The LDAPRequire directive restricts access to a resource that is controlled by LDAP authentication to a specified collection of users. It can either use groups that are defined in LDAP (the group type), or it can use an LDAP filter (the filter type) to designate a collection of users that share a set of attribute values.
Syntax: LDAPRequire filter <LDAP filter> or LDAPRequire group <group1 [group2 group3 ...]>
Scope: Single instance per directory stanza
Default: None
Module: mod_ibm_ldap
Multiple instances in the configuration file: yes
Values: LDAPRequire filter "(&(objectclass=person)(cn=*)(ou=IHS)(o=IBM))", or LDAPRequire group "sample group". Use this directive in the httpd.conf file.
If the group type is used and multiple group values are specified, the group validation is a logical AND of the groups: a user must be a member of sample Group1 and sample Group2. If a logical OR of groups is required, for example if a user is a member of sample Group1 or sample Group2, then a new LDAP group, our Department Group, should be created on the LDAP server that has sample Group1 and sample Group2 as its members. We would then use the directive: LDAPRequire group "our Department Group".
Ldap.application.authType directive
The Ldap.application.authType directive specifies the method for authenticating the Web server to the LDAP server.
Syntax: ldap.application.authType=None
Scope: Single instance per directory stanza
Default: None
Module: mod_ibm_ldap
Multiple instances in the configuration file: yes
Values:
- None: If the LDAP server does not require the Web server to authenticate.
- Basic: Uses the distinguished name (DN) of the Web server as the user ID, and the password stored in the stash file, as the password.
Ldap.application.DN directive
The Ldap.application.DN directive indicates the distinguished name (DN) of the Web server. Use this name as the user name when accessing an LDAP server using basic authentication. Use the entry specified in the LDAP server to access the directory server.
Syntax: ldap.application.DN=cn=ldapadm,ou=ihs test,o=IBM,c=US
Scope: Single instance per directory stanza
Default: None
Module: mod_ibm_ldap
Multiple instances in the configuration file: yes
Values: Distinguished name
Ldap.application.password.stashFile directive
The Ldap.application.password.stashFile directive indicates the name of the stash file containing the encrypted password for the application to authenticate to the LDAP server when Server Authentication type is Basic.
Syntax: ldap.application.password.stashFile=c:\IHS\ldap.sth
Scope: Single instance per directory stanza
Default: None
Module: mod_ibm_ldap
Multiple instances in the configuration file: yes
Values: Fully qualified path to the stash file. We can create this stash file with the ldapstash command.
Ldap.cache.timeout directive
The ldap.cache.timeout directive caches responses from the LDAP server. If you configure the Web server to run as multiple processes, each process manages its own copy of the cache.
Syntax: ldap.cache.timeout=<secs>
Scope: Single instance per directory stanza
Default: 600
Module: mod_ibm_ldap
Multiple instances in the configuration file: yes
Values: The maximum length of time, in seconds, that a response returned from the LDAP server remains valid.
Ldap.group.attribute directive
The ldap.group.attribute directive indicates the filter used to determine, through an LDAP search, whether a distinguished name (DN) is an actual group.
Syntax: ldap.group.attribute = <attribute>
Scope: Single instance per directory stanza
Default: uniquegroup
Module: mod_ibm_ldap
Multiple instances in the configuration file: yes
Values: An LDAP attribute. See the ldap.prop.sample file for more information on the use of this directive.
Ldap.group.dnattribute directive
The ldap.group.dnattribute directive specifies the filter used to determine, through an LDAP search, whether a distinguished name (DN) is an actual group.
Syntax: ldap.group.dnattribute = <ldap filter>
Scope: Single instance per directory stanza
Default: groupofnames groupofuniquenames
Module: mod_ibm_ldap
Multiple instances in the configuration file: yes
Values: An LDAP filter. See the ldap.prop.sample file for more information on the use of this directive.
Ldap.group.memberattribute directive
The ldap.group.memberattribute directive specifies the attribute to retrieve unique groups from an existing group.
Syntax: ldap.group.memberattribute = <ldap filter>
Scope: Single instance per directory stanza
Default: groupofnames groupofuniquenames
Module: mod_ibm_ldap
Multiple instances in the configuration file: yes
Values: An LDAP filter. See the ldap.prop.sample file for more information on the use of this directive.
Ldap.group.memberAttributes directive
The ldap.group.memberAttributes directive serves as a means to extract group members, once the function finds a group entry in an LDAP directory.
Syntax: ldap.group.memberAttributes= attribute [attribute2 ...]
Scope: Single instance per directory stanza
Default: member and uniquemember
Module: mod_ibm_ldap
Multiple instances in the configuration file: yes
Values: Attributes whose values are the distinguished names of the group members. We can use more than one attribute to contain member information.
Ldap.group.name.filter directive
The ldap.group.name.filter directive indicates the filter LDAP uses to search for group names.
Syntax: ldap.group.name.filter = <group name filter>
Scope: Single instance per directory stanza
Default: (&(cn=%v1)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))
Module: mod_ibm_ldap
Multiple instances in the configuration file: yes
Values: An LDAP filter. See Querying the LDAP server using LDAP search filters.
Ldap.group.search.depth directive
The ldap.group.search.depth directive controls how deeply subgroups are searched when LDAPRequire group <group> directives are specified. Groups can contain both individual members and other groups.
Syntax: ldap.group.search.depth = <integer depth>
Scope: Single instance per directory stanza
Default: 1
Module: mod_ibm_ldap
Multiple instances in the configuration file: yes
Values: An integer. When searching a group, if the user being authenticated is not a direct member of the required group, any subgroups of the required group are also searched. For example:
- group1 -> group2 (group2 is a member of group1)
- group2 -> group3 (group3 is a member of group2)
- group3 -> jane (jane is a member of group3)
If we search for jane and require her to be a member of group1, the search fails with the default ldap.group.search.depth value of 1. If we set ldap.group.search.depth to a value greater than 2 (3 in this example), the search succeeds.
Use ldap.group.search.depth=<depth to search -- number> to limit the depth of subgroup searches. This type of search can become very intensive on an LDAP server. Where group1 has group2 as a member and group2 has group1 as a member (a membership cycle), this directive bounds the depth of the search so that it terminates. In the previous example, group1 has a depth of 1, group2 has a depth of 2 and group3 has a depth of 3.
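As an added illustration (not IBM HTTP Server or mod_ibm_ldap code), the following Python models the two behaviours described above: LDAPRequire group as a logical AND over every listed group, and ldap.group.search.depth bounding how far nested groups are followed, including a membership cycle. The group DNs and membership lists are constructed for the example; a real deployment answers these lookups with LDAP searches.

```python
# Added example, not mod_ibm_ldap code: a model of LDAPRequire group (logical
# AND of all listed groups) and ldap.group.search.depth (how far subgroups
# are followed). GROUP_MEMBERS is constructed data standing in for the
# directory; every DN below is made up for the example.
from typing import Dict, FrozenSet, List

# group DN -> member DNs (users or other groups). The first three entries
# mirror the page's chain group1 -> group2 -> group3 -> jane; group4 and
# group5 form a membership cycle, the case the depth limit exists to bound;
# ourDepartmentGroup is the page's workaround for a logical OR of groups.
GROUP_MEMBERS: Dict[str, List[str]] = {
    "cn=group1,o=IBM": ["cn=group2,o=IBM"],
    "cn=group2,o=IBM": ["cn=group3,o=IBM"],
    "cn=group3,o=IBM": ["cn=jane,o=IBM"],
    "cn=group4,o=IBM": ["cn=group5,o=IBM", "cn=bob,o=IBM"],
    "cn=group5,o=IBM": ["cn=group4,o=IBM"],
    "cn=ourDepartmentGroup,o=IBM": ["cn=group1,o=IBM", "cn=group3,o=IBM"],
}


def is_group(dn: str) -> bool:
    """Stand-in for the ldap.group.dnattribute test: is this DN a group entry?"""
    return dn in GROUP_MEMBERS


def member_of(user_dn: str, group_dn: str, depth: int,
              _path: FrozenSet[str] = frozenset()) -> bool:
    """True if user_dn is reachable from group_dn within `depth` levels.

    depth=1 (the page's default) inspects only the direct member list; each
    nested group consumes one level, so group3 in the chain sits at depth 3.
    _path holds the groups on the current descent: meeting one of them again
    is a cycle, and the walk stops there instead of recursing forever.
    """
    if depth < 1 or group_dn in _path:
        return False
    members = GROUP_MEMBERS.get(group_dn, [])
    if user_dn in members:
        return True
    path = _path | {group_dn}
    return any(member_of(user_dn, m, depth - 1, path)
               for m in members if is_group(m))


def ldap_require_group(user_dn: str, groups: List[str], depth: int) -> bool:
    """LDAPRequire group g1 g2 ...: the user must be in EVERY listed group."""
    return all(member_of(user_dn, g, depth) for g in groups)


if __name__ == "__main__":
    jane = "cn=jane,o=IBM"
    for d in (1, 2, 3):
        print(f"depth={d}: jane in group1 -> {member_of(jane, 'cn=group1,o=IBM', d)}")
    print("carol in group4 (cyclic, depth 10):",
          member_of("cn=carol,o=IBM", "cn=group4,o=IBM", 10))
```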
Ldap.group.URL directive
The ldap.group.URL directive specifies a different location for a group on the same LDAP server. We cannot use this directive to specify a different LDAP server from that specified in the ldap.URL directive.
Syntax: ldap.group.URL = ldap://<hostname:port>/<BaseDN>
Scope: Single instance per directory stanza
Default: None
Module: mod_ibm_ldap
Multiple instances in the configuration file: yes
Values:
- host name: Host name of the LDAP server.
- port number: Optional port number on which the LDAP server listens. The default for TCP connections is 389. If we use SSL, we must specify the port number.
- BaseDN: Provides the root of the LDAP tree in which to perform the search for groups.
This property becomes required if the LDAP URL for groups differs from the URL specified by the ldap.URL property.
Ldap.idleConnection.timeout directive
The ldap.idleConnection.timeout directive controls how long the Web server keeps cached connections to the LDAP server open for performance.
Syntax: ldap.idleConnection.timeout = <secs>
Scope: Single instance per directory stanza
Default: 600
Module: mod_ibm_ldap
Multiple instances in the configuration file: yes
Values: Length of time, in seconds, before an idle LDAP server connection is closed due to inactivity.
Ldap.key.file.password.stashfile directive
The ldap.key.file.password.stashfile directive indicates the stash file containing the encrypted keyfile password; use the ldapstash command to create this stash file.
Syntax: ldap.key.file.password.stashfile=d:\<Key password file name>
Scope: Single instance per directory stanza
Default: None
Module: mod_ibm_ldap
Multiple instances in the configuration file: yes
Values: Fully qualified path to the stash file.
Ldap.key.fileName directive
The ldap.key.fileName directive indicates the file name of the key file database. This option becomes required when we use SSL.
Syntax: ldap.key.fileName=d:\<Key file name>
Scope: Single instance per directory stanza
Default: None
Module: mod_ibm_ldap
Multiple instances in the configuration file: yes
Values: Fully qualified path to the key file.
Ldap.key.label directive
The ldap.key.label directive indicates the certificate label name the Web server uses to authenticate to the LDAP server.
Syntax: ldap.key.label=My Server Certificate
Scope: Single instance per directory stanza
Default: None
Module: mod_ibm_ldap
Multiple instances in the configuration file: yes
Values: A valid label used in the key database file. This label is required only when using SSL and the LDAP server requests client authentication from the Web server.
Ldap.LdapReferralhoplimit directive
The ldap.LdapReferralHopLimit directive indicates the maximum number of referrals to follow. LDAP authentication will fail if the specified limit is exceeded.
Syntax: ldap.LdapReferralHopLimit = <number_of_hops>
Scope: Single instance per directory stanza
Default: 10
Module: mod_ibm_ldap
Multiple instances in the configuration file: yes
Values: 0 to 10
Set the LdapReferrals directive to on for the LdapReferralhoplimit directive to take effect.
An LdapReferralhoplimit value of 0 causes authentication to fail if any referrals are encountered.
The LdapReferralhoplimit directive has no effect when the LdapReferrals directive is off (the default).
Ldap.LdapReferrals directive
The ldap.LdapReferrals directive indicates whether referrals (which redirect a client request to another LDAP server) will be chased for searches while performing LDAP queries.
Syntax: ldap.LdapReferrals = off | on
Scope: Single instance per directory stanza
Default: off
Module: mod_ibm_ldap
Multiple instances in the configuration file: yes
Values: on or off
Ldap.realm directive
The ldap.realm directive indicates the name of the protected area, as seen by the requesting client.
Syntax: ldap.realm=<Protection Realm>
Scope: Single instance per directory stanza
Default: None
Module: mod_ibm_ldap
Multiple instances in the configuration file: yes
Values: A description of the protected page.
Ldap.search.timeout directive
The ldap.search.timeout directive indicates the maximum time, in seconds, to wait for an LDAP server to complete a search operation.
Syntax: ldap.search.timeout = <secs>
Scope: Single instance per directory stanza
Default: 10
Module: mod_ibm_ldap
Multiple instances in the configuration file: yes
Values: Length of time, in seconds.
Ldap.transport directive
The ldap.transport directive indicates the transport method used to communicate with the LDAP server.
Syntax: ldap.transport = TCP
Scope: Single instance per directory stanza
Default: TCP
Module: mod_ibm_ldap
Multiple instances in the configuration file: yes
Values: TCP or SSL
Ldap.url directive
The ldap.url directive indicates the URL of the LDAP server to authenticate against.
Syntax: ldap.url = ldap://<hostname:port>/<BaseDN>, where:
- hostname: The host name of the LDAP server.
- port: The optional port number on which the LDAP server listens. The default for TCP connections is 389. We must specify the port number if we use SSL.
- BaseDN: The root of the LDAP tree in which to perform the search for users.
For example: ldap.URL=ldap://ldap.ibm.com:489/o=Ace Industry, c=US
Scope: Single instance per directory stanza
Default: None
Module: mod_ibm_ldap
Multiple instances in the configuration file: yes
Ldap.user.authType directive
The ldap.user.authType directive indicates the method for authenticating the user who requests a Web server resource. Use this name as the user name when accessing an LDAP server.
Syntax: ldap.user.authType = BasicIfNoCert
Scope: Single instance per directory stanza
Default: Basic
Module: mod_ibm_ldap
Multiple instances in the configuration file: yes
Values: Basic, Cert, BasicIfNoCert
Ldap.user.cert.filter directive
The ldap.user.cert.filter directive indicates the filter used to convert the information in the client certificate passed over SSL into a search filter for an LDAP entry.
Syntax: ldap.user.cert.filter=(&(objectclass=person)(cn=%v1))
Scope: Single instance per directory stanza
Default: "(&(objectclass=person) (cn=%v1, ou=%v2, o=%v3,c=%v4))"
Module: mod_ibm_ldap
Multiple instances in the configuration file: yes
Values: An LDAP filter. See Querying the LDAP server using LDAP search filters.
Secure Sockets Layer (SSL) certificates include the following fields, each of which can be converted into a search filter variable:
- common name: %v1
- organizational unit: %v2
- organization: %v3
- country: %v4
- locality: %v5
- state or country: %v6
- serial number: %v7
When the search filter is generated, the certificate field values replace the matching variables (%v1, %v2, and so on). The following example shows the conversion:
- User certificate: cn=Road Runner, o=Acme Inc, c=US
- Filter: (cn=%v1, o=%v3, c=%v4)
- Resulting query: (cn=Road Runner, o=Acme Inc, c=US)
Ldap.user.name.fieldSep directive
The ldap.user.name.fieldSep directive indicates which characters are valid field separators when the user name is parsed into fields.
Syntax: ldap.user.name.fieldSep=/
Scope: Single instance per directory stanza
Default: The space, comma, and tab (\t) characters.
Module: mod_ibm_ldap
Multiple instances in the configuration file: yes
Values: Characters. If '/' is the only field separator character and the user enters "Joe Smith/Acme", then %v2 equals "Acme".
Ldap.user.name.filter directive
The ldap.user.name.filter directive indicates the filter used to convert the user name entered by the user into a search filter for an LDAP entry.
Syntax: ldap.user.name.filter=<user name filter>
Scope: Single instance per directory stanza
Default: "(&(objectclass=person)(cn=%v1 %v2))", where %v1 and %v2 represent the fields entered by the user. For example, if the user enters "Paul Kelsey", the resulting search filter becomes "(&(objectclass=person)(cn=Paul Kelsey))". Search filter syntax is described in Querying the LDAP server using LDAP search filters.
Module: mod_ibm_ldap
Multiple instances in the configuration file: yes
Values: An LDAP filter. See Querying the LDAP server using LDAP search filters.
Because the Web server cannot differentiate between multiple returned entries, authentication fails when the LDAP server returns more than one entry. For example, if the filter is set to ldap.user.name.filter="(&(objectclass=person)(cn=%v1* %v2*))" and the user enters "Pa Kel", the resulting search filter becomes "(cn=Pa* Kel*)". This filter finds multiple entries, such as (cn=Paul Kelsey) and (cn=Paula Kelly), and authentication fails. The search filter must then be modified.
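As an added illustration covering both ldap.user.cert.filter (the certificate fields above) and ldap.user.name.filter with ldap.user.name.fieldSep, the Python below (not mod_ibm_ldap code) fills the %vN variables from a typed user name or a certificate subject, evaluates the (cn=...) assertion against a constructed list of entries, and applies the rule that authentication proceeds only when exactly one entry matches. The RFC 4515 escaping of substituted values is an added defensive step; the page does not say how the module treats special characters in user input.

```python
# Added example, not mod_ibm_ldap code: how %vN variables are filled from a
# typed user name (split on ldap.user.name.fieldSep) or a certificate subject
# (ldap.user.cert.filter), and why a filter matching several entries fails.
import re
from typing import Dict, List, Optional

# Constructed directory: the cn values the page's "Pa Kel" example relies on.
USERS: List[str] = ["Paul Kelsey", "Paula Kelly", "Jane Doe"]

# Certificate subject attribute -> %v number, as listed on the page.
CERT_VARS = {"cn": 1, "ou": 2, "o": 3, "c": 4, "l": 5, "st": 6, "serialnumber": 7}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a filter (added safeguard;
    the page does not say whether mod_ibm_ldap escapes user input)."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def name_vars(user_name: str, field_sep: str = " ,\t") -> Dict[int, str]:
    """Split the typed name on the fieldSep characters into %v1, %v2, ..."""
    fields = [f for f in re.split("[" + re.escape(field_sep) + "]", user_name) if f]
    return {i + 1: f for i, f in enumerate(fields)}


def cert_vars(subject_dn: str) -> Dict[int, str]:
    """Map a subject such as 'cn=Road Runner, o=Acme Inc, c=US' to %v numbers."""
    out: Dict[int, str] = {}
    for rdn in subject_dn.split(","):
        attr, _, val = rdn.strip().partition("=")
        if attr.strip().lower() in CERT_VARS:
            out[CERT_VARS[attr.strip().lower()]] = val.strip()
    return out


def fill_filter(template: str, values: Dict[int, str]) -> str:
    """Replace every %vN with its escaped value; an absent variable becomes ''."""
    return re.sub(r"%v(\d+)",
                  lambda m: escape_filter_value(values.get(int(m.group(1)), "")),
                  template)


def cn_matches(filt: str, entries: List[str]) -> List[str]:
    """Toy evaluator: apply only the (cn=...) assertion of `filt` to `entries`,
    decoding \\XX escapes and treating an unescaped '*' as the LDAP wildcard."""
    m = re.search(r"\(cn=([^)]*)\)", filt)
    if m is None:
        return []
    parts = [re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), p)
             for p in m.group(1).split("*")]
    pattern = ".*".join(re.escape(p) for p in parts)
    return [cn for cn in entries if re.fullmatch(pattern, cn, re.IGNORECASE)]


def resolve_user(filt: str, entries: List[str]) -> Optional[str]:
    """The page's rule: the server cannot choose between entries, so anything
    other than exactly one match means authentication fails (None)."""
    hits = cn_matches(filt, entries)
    return hits[0] if len(hits) == 1 else None
```

Filling the page's wildcard filter "(cn=%v1* %v2*)" with the name "Pa Kel" yields two matches and therefore no authenticated user, while the exact default filter resolves "Paul Kelsey" to a single entry.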
Ldap.version directive
The ldap.version directive indicates the version of the LDAP protocol used to connect to the LDAP server. The protocol version supported by the LDAP server determines which value to use. This directive is optional.
Syntax: ldap.version=3
Scope: Single instance per directory stanza
Default: ldap.version=3
Module: mod_ibm_ldap
Multiple instances in the configuration file: yes
Values: 2 or 3
Ldap.waitToRetryConnection.interval directive
The ldap.waitToRetryConnection.interval directive indicates the time the Web server waits between failed attempts to connect.
If an LDAP server goes down, the Web server continues to try to connect.
Syntax: ldap.waitToRetryConnection.interval=<secs>
Scope: Single instance per directory stanza
Default: 300
Module: mod_ibm_ldap
Multiple instances in the configuration file: yes
Values: Time (in seconds)
Related tasks
Authenticating with LDAP on IBM HTTP Server (Distributed systems)