ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzaie_5.4.0.1/rzaiemod_as_auth.htm

256 lines
17 KiB
HTML
Raw Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="topic" />
<meta name="DC.Title" content="Module mod_as_auth" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2002,2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2002,2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzaiemod_as_auth" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Module mod_as_auth</title>
</head>
<body id="rzaiemod_as_auth"><a name="rzaiemod_as_auth"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<!--Java sync-link--><h1 class="topictitle1">Module mod_as_auth</h1>
<div><div class="important"><span class="importanttitle">Important:</span> Information
for this topic supports the latest PTF levels for HTTP Server for i5/OS .
It is recommended that you install the latest PTFs to upgrade to the latest
level of the HTTP Server for i5/OS. Some of the topics documented here are
not available prior to this update. See <a href="http://www-03.ibm.com/servers/eserver/iseries/software/http/services/service.html" target="_blank">http://www.ibm.com/servers/eserver/iseries/software/http/services/service.htm</a> <img src="www.gif" alt="Link outside Information Center" /> for more information. </div>
<p><strong>Summary</strong></p>
<p>The module mod_as_auth provides user authentication using iSeries™ system
profiles, Internet users (through validation lists), or LDAP users. </p>
<p><strong>Directives</strong></p>
<ul><li><a href="#asauthauthoritative">AsAuthAuthoritative</a></li>
<li><a href="#groupfile">GroupFile</a></li>
<li><a href="#passwdfile">PasswdFile</a></li>
<li><a href="#userid">UserID</a></li>
</ul>
</div>
<div class="hr" id="asauthauthoritative"><a name="asauthauthoritative"><!-- --></a><h2 class="topictitle2">AsAuthAuthoritative</h2>
<div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_as_auth </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: AsAuthAuthoritative <em>On | Off</em> </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: AsAuthAuthoritative On</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: <span id="asauthauthoritative__asauthauthoritative_context"><a name="asauthauthoritative__asauthauthoritative_context"><!-- --></a>directory </span></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: none </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: <span id="asauthauthoritative__asauthauthoritative_origin"><a name="asauthauthoritative__asauthauthoritative_origin"><!-- --></a>iSeries </span></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: AsAuthAuthoritative Off</td>
</tr>
</tbody>
</table>
</div>
<p>Setting the AsAuthAuthoritative directive explicitly to off allows for
both authentication and authorization to be passed on to lower level modules
(if there is no userid or rule matching the supplied userid). </p>
<dl class="block"><dt class="dlterm"><strong>Parameter</strong>: <em>On | Off</em></dt>
<dd><ul><li>When <em>On</em> is specified, both authentication and authorization are
not allowed to be passed on to lower level modules (if there is no userid
or rule matching the supplied userid). </li>
<li>When <em>Off</em> is specified, allows for both authentication and authorization
to be passed on to lower level modules (if there is no userid or rule matching
the supplied userid). </li>
</ul>
</dd>
</dl>
<p>If a userid appears in an authentication realm other than those supported
by the iSeries (for example, System Userid), or if a valid Require directive
applies to more than one module, the first module verifies the credentials
and no access is passed on regardless of the AsAuthAuthoritative setting. </p>
</div>
</div>
<div class="hr" id="groupfile"><a name="groupfile"><!-- --></a><h2 class="topictitle2">GroupFile</h2>
<div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_as_auth </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: GroupFile <em>filename</em> </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: none </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: <span id="groupfile__groupfile_context"><a name="groupfile__groupfile_context"><!-- --></a>directory </span></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: none </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: <span id="groupfile__groupfile_origin"><a name="groupfile__groupfile_origin"><!-- --></a>iSeries </span></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: GroupFile /docs/restrict.group </td>
</tr>
</tbody>
</table>
</div>
<p>The GroupFile directive sets the name of a GroupFile to use for a protection
setup. Group files are used to classify users into various groups. A protection
setup can use groups on limit directives. If a protected directory contains
an ACL file, the rules in the ACL file can also use the groups that you define
in the group file. </p>
<dl class="block"><dt class="dlterm"><strong>Parameter</strong>: <em>filename </em></dt>
<dd><ul><li>The <em>filename</em> parameter is any valid filename of the iSeries. </li>
</ul>
</dd>
</dl>
<div class="note"><span class="notetitle">Note:</span> The GroupFile directive is case-sensitive. If the filename is incorrectly
cased, the GroupFile directive will not work properly. Since iSeries user
profiles are not case-sensitive, the entries in the GroupFile will be treated
as non-case-sensitive if the PasswdFile directive is set to %%SYSTEM%%. For
all other values of PasswdFile, the values in the GroupFile will be treated
as case-sensitive.</div>
<p>To work correctly this directive must be accompanied by <a href="#passwdfile">PasswdFile</a>, <a href="rzaiemod_core.htm#authtype">AuthType</a>, and <a href="rzaiemod_access.htm#require">Require</a>.
</p>
</div>
</div>
<div class="hr" id="passwdfile"><a name="passwdfile"><!-- --></a><h2 class="topictitle2">PasswdFile</h2>
<div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_as_auth </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: PasswdFile <em>passfile [passfile passfile
...]</em> </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: none </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: <span id="passwdfile__passwdfile_context"><a name="passwdfile__passwdfile_context"><!-- --></a>directory </span></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: none </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: <span id="passwdfile__passwdfile_origin"><a name="passwdfile__passwdfile_origin"><!-- --></a>iSeries </span></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: PasswdFile %%SYSTEM%%</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: PasswdFile "QUSRSYS/MY_USERS QGPL/DOC_USERS"</td>
</tr>
</tbody>
</table>
</div>
<p>The PasswdFile directive specifies where the passwords (or certificates)
are stored for authentication.</p>
<blockquote><dl><dt class="dlterm"><strong>Parameter</strong>: <em>passfile </em></dt>
<dd>The different values supported by the passfile parameter value are:<dl class="dlexpand"><dt class="dltermexpand">%%SYSTEM%%</dt>
<dd>The passfile parameter can be in the %%SYSTEM%% format. Using this value
indicates that the server should use the iSeries User Profile support to validate
username/password.</dd>
</dl>
<dl class="dlexpand"><dt class="dltermexpand">%%LDAP%%</dt>
<dd>The passfile can also be in the %%LDAP%% format to validate the LDAP server
that has been defined to the server.</dd>
</dl>
<dl class="dlexpand"><dt class="dltermexpand">%%KERBEROS%%</dt>
<dd>The passfile parameter should be set to %%KERBEROS%% when the directive
AuthType Kerberos is configured.</dd>
</dl>
<dl class="dlexpand"><dt class="dltermexpand">passfile [passfile passfile ...]</dt>
<dd>The passfile parameter can be formatted to fit the Internet user list.
To use this format, specify QUSRSYS/MY_USERS as the filename. The HTTP Server
(powered by Apache) allows a space separated list of Internet User lists (for
example: 'library/vldl library/fort').</dd>
</dl>
</dd>
</dl>
</blockquote>
<p>This directive may be configured multiple times in a container. The directives
are processed from the first to the last occurrence. </p>
<p>To work correctly this directive must be accompanied by <a href="rzaiemod_core.htm#authtype">AuthType</a>, <a href="rzaiemod_core.htm#authname">AuthName</a>,
and <a href="rzaiemod_access.htm#require">Require</a>.
</p>
</div>
</div>
<div class="hr" id="userid"><a name="userid"><!-- --></a><h2 class="topictitle2">UserID</h2>
<div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_as_auth </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: Userid <em>user-profile | %%SERVER%% | %%CLIENT%%</em> </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: none </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: <span id="userid__userid_context"><a name="userid__userid_context"><!-- --></a>directory </span></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: none </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: <span id="userid__userid_origin"><a name="userid__userid_origin"><!-- --></a>iSeries </span></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: UserID WEBUSER</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: UserID %%SERVER%% </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: UserID %%CLIENT%% </td>
</tr>
</tbody>
</table>
</div>
<p>The UserID directive specifies the iSeries system profile to the server.
For a protected resource (one for which Protection directives are defined),
the UserID directive specifies which iSeries system profile the server temporarily
swaps to while serving that resource. The directive must be a valid user profile.
</p>
<dl class="block"><dt class="dlterm"><strong>Parameter</strong>: <em>user-profile | %%SERVER%% | %%CLIENT%% </em></dt>
<dd><ul><li>For <em>user-profile</em>, a valid iSeries system profile must be specified.
The value 'QSECOFR' cannot be specified on the directive. The profile that
issued the STRTCPSVR command to start HTTP Server (powered by Apache) must
have *USE authority to the profile specified on all of the UserID directives
and other directives. All UserID directives (and directives specified for
a protected resource) are verified during startup. If any UserID directive,
or any other directive, does not satisfy the rules listed here, the server
instance does not start and a message is sent to the user's interactive job
log. </li>
<li>Entering <em>%%SERVER%%</em> uses the default profile QTMHHTTP unless the
ServerUserId directive is specified. </li>
<li>Entering <em>%%CLIENT%%</em> causes the user profile from the request to
be used on the swap. If Kerberos is specified for the AuthType directive,
the server will use Enterprise Identity Mapping (EIM) to attempt to match
the user ID associated with the server ticket with an iSeries system profile.
If there is no iSeries system profile associated with the server ticket user
ID, the HTTP request will fail. This value cannot be used for LDAP or Validation
lists authentication. If is valid for iSeries profiles, client certificates,
and Kerberos.</li>
</ul>
</dd>
</dl>
<p>The profile that issued the STRTCPSVR command to start HTTP Server (powered
by Apache) must have *USE authority to the profile specified on all of the
UserID directives and other directives. All UserID directives (and directives
specified for a protected resource) are verified during startup. If any UserID
directive, or any other directive, does not satisfy the rules, the server
instance does not start and a message is sent to the user's interactive joblog.</p>
<div class="note"><span class="notetitle">Note:</span> Because HTTP Server (powered by Apache) swaps to the profile that you
specify on the UserID directive, you should be careful what profile you specify.
For example, if you create a profile MIGHTY1 that is of the class *SECOFR
and use this profile on the UserID directive, then whenever the server invokes
a swap to that profile, all iSeries authority checking for the requested resource
is based on that profile. </div>
<p>When HTTP Server (powered by Apache) is running under the QTMHHTTP profile
(the QTMHHTTP profile is the default) and a UserID directive is not in effect,
the server switches to the QTMHHTP1 profile before starting a CGI program.
However, when a CGI program is running on servers where the UserID directive
is in effect or within a protection setup where the UserID directive has been
specified, the program is run under the specified profile, unless the profile
is QTMHHTTP. In which case, QTMHHTP1 is used. If the profile does not have
authority to the specified program, the request is rejected. </p>
<p>There are two special values you can use on the UserID directive. Entering <em>%%SERVER%%</em> uses
the default profile QTMHHTTP unless a protection setup has a different UserID
specified. Entering <em>%%CLIENT%%</em> causes the server to challenge the client
on each and every request for a user ID and password. </p>
<p>See also <a href="rzaiemod_core.htm#serveruserid">ServerUserID</a>. </p>
<p>To work correctly, this directive must be accompanied by the PasswdFile,
AuthType, AuthName, and Require directives. </p>
</div>
</div>
</body>
</html>