256 lines
17 KiB
HTML
256 lines
17 KiB
HTML
|
<?xml version="1.0" encoding="UTF-8"?>
|
||
|
<!DOCTYPE html
|
||
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
||
|
<html lang="en-us" xml:lang="en-us">
|
||
|
<head>
|
||
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
||
|
<meta name="security" content="public" />
|
||
|
<meta name="Robots" content="index,follow" />
|
||
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
||
|
<meta name="DC.Type" content="topic" />
|
||
|
<meta name="DC.Title" content="Module mod_as_auth" />
|
||
|
<meta name="copyright" content="(C) Copyright IBM Corporation 2002,2006" />
|
||
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2002,2006" />
|
||
|
<meta name="DC.Format" content="XHTML" />
|
||
|
<meta name="DC.Identifier" content="rzaiemod_as_auth" />
|
||
|
<meta name="DC.Language" content="en-us" />
|
||
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
||
|
<!-- US Government Users Restricted Rights -->
|
||
|
<!-- Use, duplication or disclosure restricted by -->
|
||
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
||
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
||
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
||
|
<title>Module mod_as_auth</title>
|
||
|
</head>
|
||
|
<body id="rzaiemod_as_auth"><a name="rzaiemod_as_auth"><!-- --></a>
|
||
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
||
|
<!--Java sync-link--><h1 class="topictitle1">Module mod_as_auth</h1>
|
||
|
<div><div class="important"><span class="importanttitle">Important:</span> Information
|
||
|
for this topic supports the latest PTF levels for HTTP Server for i5/OS .
|
||
|
It is recommended that you install the latest PTFs to upgrade to the latest
|
||
|
level of the HTTP Server for i5/OS. Some of the topics documented here are
|
||
|
not available prior to this update. See <a href="http://www-03.ibm.com/servers/eserver/iseries/software/http/services/service.html" target="_blank">http://www.ibm.com/servers/eserver/iseries/software/http/services/service.htm</a> <img src="www.gif" alt="Link outside Information Center" /> for more information. </div>
|
||
|
<p><strong>Summary</strong></p>
|
||
|
<p>The module mod_as_auth provides user authentication using iSeries™ system
|
||
|
profiles, Internet users (through validation lists), or LDAP users. </p>
|
||
|
<p><strong>Directives</strong></p>
|
||
|
<ul><li><a href="#asauthauthoritative">AsAuthAuthoritative</a></li>
|
||
|
<li><a href="#groupfile">GroupFile</a></li>
|
||
|
<li><a href="#passwdfile">PasswdFile</a></li>
|
||
|
<li><a href="#userid">UserID</a></li>
|
||
|
</ul>
|
||
|
</div>
|
||
|
<div class="hr" id="asauthauthoritative"><a name="asauthauthoritative"><!-- --></a><h2 class="topictitle2">AsAuthAuthoritative</h2>
|
||
|
<div>
|
||
|
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_as_auth </td>
|
||
|
</tr>
|
||
|
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: AsAuthAuthoritative <em>On | Off</em> </td>
|
||
|
</tr>
|
||
|
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: AsAuthAuthoritative On</td>
|
||
|
</tr>
|
||
|
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: <span id="asauthauthoritative__asauthauthoritative_context"><a name="asauthauthoritative__asauthauthoritative_context"><!-- --></a>directory </span></td>
|
||
|
</tr>
|
||
|
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: none </td>
|
||
|
</tr>
|
||
|
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: <span id="asauthauthoritative__asauthauthoritative_origin"><a name="asauthauthoritative__asauthauthoritative_origin"><!-- --></a>iSeries </span></td>
|
||
|
</tr>
|
||
|
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: AsAuthAuthoritative Off</td>
|
||
|
</tr>
|
||
|
</tbody>
|
||
|
</table>
|
||
|
</div>
|
||
|
<p>Setting the AsAuthAuthoritative directive explicitly to off allows for
|
||
|
both authentication and authorization to be passed on to lower level modules
|
||
|
(if there is no userid or rule matching the supplied userid). </p>
|
||
|
<dl class="block"><dt class="dlterm"><strong>Parameter</strong>: <em>On | Off</em></dt>
|
||
|
<dd><ul><li>When <em>On</em> is specified, both authentication and authorization are
|
||
|
not allowed to be passed on to lower level modules (if there is no userid
|
||
|
or rule matching the supplied userid). </li>
|
||
|
<li>When <em>Off</em> is specified, allows for both authentication and authorization
|
||
|
to be passed on to lower level modules (if there is no userid or rule matching
|
||
|
the supplied userid). </li>
|
||
|
</ul>
|
||
|
</dd>
|
||
|
</dl>
|
||
|
<p>If a userid appears in an authentication realm other than those supported
|
||
|
by the iSeries (for example, System Userid), or if a valid Require directive
|
||
|
applies to more than one module, the first module verifies the credentials
|
||
|
and no access is passed on regardless of the AsAuthAuthoritative setting. </p>
|
||
|
</div>
|
||
|
</div>
|
||
|
<div class="hr" id="groupfile"><a name="groupfile"><!-- --></a><h2 class="topictitle2">GroupFile</h2>
|
||
|
<div>
|
||
|
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_as_auth </td>
|
||
|
</tr>
|
||
|
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: GroupFile <em>filename</em> </td>
|
||
|
</tr>
|
||
|
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: none </td>
|
||
|
</tr>
|
||
|
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: <span id="groupfile__groupfile_context"><a name="groupfile__groupfile_context"><!-- --></a>directory </span></td>
|
||
|
</tr>
|
||
|
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: none </td>
|
||
|
</tr>
|
||
|
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: <span id="groupfile__groupfile_origin"><a name="groupfile__groupfile_origin"><!-- --></a>iSeries </span></td>
|
||
|
</tr>
|
||
|
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: GroupFile /docs/restrict.group </td>
|
||
|
</tr>
|
||
|
</tbody>
|
||
|
</table>
|
||
|
</div>
|
||
|
<p>The GroupFile directive sets the name of a GroupFile to use for a protection
|
||
|
setup. Group files are used to classify users into various groups. A protection
|
||
|
setup can use groups on limit directives. If a protected directory contains
|
||
|
an ACL file, the rules in the ACL file can also use the groups that you define
|
||
|
in the group file. </p>
|
||
|
<dl class="block"><dt class="dlterm"><strong>Parameter</strong>: <em>filename </em></dt>
|
||
|
<dd><ul><li>The <em>filename</em> parameter is any valid filename of the iSeries. </li>
|
||
|
</ul>
|
||
|
</dd>
|
||
|
</dl>
|
||
|
<div class="note"><span class="notetitle">Note:</span> The GroupFile directive is case-sensitive. If the filename is incorrectly
|
||
|
cased, the GroupFile directive will not work properly. Since iSeries user
|
||
|
profiles are not case-sensitive, the entries in the GroupFile will be treated
|
||
|
as non-case-sensitive if the PasswdFile directive is set to %%SYSTEM%%. For
|
||
|
all other values of PasswdFile, the values in the GroupFile will be treated
|
||
|
as case-sensitive.</div>
|
||
|
<p>To work correctly this directive must be accompanied by <a href="#passwdfile">PasswdFile</a>, <a href="rzaiemod_core.htm#authtype">AuthType</a>, and <a href="rzaiemod_access.htm#require">Require</a>.
|
||
|
</p>
|
||
|
</div>
|
||
|
</div>
|
||
|
<div class="hr" id="passwdfile"><a name="passwdfile"><!-- --></a><h2 class="topictitle2">PasswdFile</h2>
|
||
|
<div>
|
||
|
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_as_auth </td>
|
||
|
</tr>
|
||
|
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: PasswdFile <em>passfile [passfile passfile
|
||
|
...]</em> </td>
|
||
|
</tr>
|
||
|
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: none </td>
|
||
|
</tr>
|
||
|
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: <span id="passwdfile__passwdfile_context"><a name="passwdfile__passwdfile_context"><!-- --></a>directory </span></td>
|
||
|
</tr>
|
||
|
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: none </td>
|
||
|
</tr>
|
||
|
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: <span id="passwdfile__passwdfile_origin"><a name="passwdfile__passwdfile_origin"><!-- --></a>iSeries </span></td>
|
||
|
</tr>
|
||
|
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: PasswdFile %%SYSTEM%%</td>
|
||
|
</tr>
|
||
|
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: PasswdFile "QUSRSYS/MY_USERS QGPL/DOC_USERS"</td>
|
||
|
</tr>
|
||
|
</tbody>
|
||
|
</table>
|
||
|
</div>
|
||
|
<p>The PasswdFile directive specifies where the passwords (or certificates)
|
||
|
are stored for authentication.</p>
|
||
|
<blockquote><dl><dt class="dlterm"><strong>Parameter</strong>: <em>passfile </em></dt>
|
||
|
<dd>The different values supported by the passfile parameter value are:<dl class="dlexpand"><dt class="dltermexpand">%%SYSTEM%%</dt>
|
||
|
<dd>The passfile parameter can be in the %%SYSTEM%% format. Using this value
|
||
|
indicates that the server should use the iSeries User Profile support to validate
|
||
|
username/password.</dd>
|
||
|
</dl>
|
||
|
<dl class="dlexpand"><dt class="dltermexpand">%%LDAP%%</dt>
|
||
|
<dd>The passfile can also be in the %%LDAP%% format to validate the LDAP server
|
||
|
that has been defined to the server.</dd>
|
||
|
</dl>
|
||
|
<dl class="dlexpand"><dt class="dltermexpand">%%KERBEROS%%</dt>
|
||
|
<dd>The passfile parameter should be set to %%KERBEROS%% when the directive
|
||
|
AuthType Kerberos is configured.</dd>
|
||
|
</dl>
|
||
|
<dl class="dlexpand"><dt class="dltermexpand">passfile [passfile passfile ...]</dt>
|
||
|
<dd>The passfile parameter can be formatted to fit the Internet user list.
|
||
|
To use this format, specify QUSRSYS/MY_USERS as the filename. The HTTP Server
|
||
|
(powered by Apache) allows a space separated list of Internet User lists (for
|
||
|
example: 'library/vldl library/fort').</dd>
|
||
|
</dl>
|
||
|
</dd>
|
||
|
</dl>
|
||
|
</blockquote>
|
||
|
<p>This directive may be configured multiple times in a container. The directives
|
||
|
are processed from the first to the last occurrence. </p>
|
||
|
<p>To work correctly this directive must be accompanied by <a href="rzaiemod_core.htm#authtype">AuthType</a>, <a href="rzaiemod_core.htm#authname">AuthName</a>,
|
||
|
and <a href="rzaiemod_access.htm#require">Require</a>.
|
||
|
</p>
|
||
|
</div>
|
||
|
</div>
|
||
|
<div class="hr" id="userid"><a name="userid"><!-- --></a><h2 class="topictitle2">UserID</h2>
|
||
|
<div>
|
||
|
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_as_auth </td>
|
||
|
</tr>
|
||
|
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: Userid <em>user-profile | %%SERVER%% | %%CLIENT%%</em> </td>
|
||
|
</tr>
|
||
|
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: none </td>
|
||
|
</tr>
|
||
|
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: <span id="userid__userid_context"><a name="userid__userid_context"><!-- --></a>directory </span></td>
|
||
|
</tr>
|
||
|
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: none </td>
|
||
|
</tr>
|
||
|
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: <span id="userid__userid_origin"><a name="userid__userid_origin"><!-- --></a>iSeries </span></td>
|
||
|
</tr>
|
||
|
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: UserID WEBUSER</td>
|
||
|
</tr>
|
||
|
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: UserID %%SERVER%% </td>
|
||
|
</tr>
|
||
|
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: UserID %%CLIENT%% </td>
|
||
|
</tr>
|
||
|
</tbody>
|
||
|
</table>
|
||
|
</div>
|
||
|
<p>The UserID directive specifies the iSeries system profile to the server.
|
||
|
For a protected resource (one for which Protection directives are defined),
|
||
|
the UserID directive specifies which iSeries system profile the server temporarily
|
||
|
swaps to while serving that resource. The directive must be a valid user profile.
|
||
|
</p>
|
||
|
<dl class="block"><dt class="dlterm"><strong>Parameter</strong>: <em>user-profile | %%SERVER%% | %%CLIENT%% </em></dt>
|
||
|
<dd><ul><li>For <em>user-profile</em>, a valid iSeries system profile must be specified.
|
||
|
The value 'QSECOFR' cannot be specified on the directive. The profile that
|
||
|
issued the STRTCPSVR command to start HTTP Server (powered by Apache) must
|
||
|
have *USE authority to the profile specified on all of the UserID directives
|
||
|
and other directives. All UserID directives (and directives specified for
|
||
|
a protected resource) are verified during startup. If any UserID directive,
|
||
|
or any other directive, does not satisfy the rules listed here, the server
|
||
|
instance does not start and a message is sent to the user's interactive job
|
||
|
log. </li>
|
||
|
<li>Entering <em>%%SERVER%%</em> uses the default profile QTMHHTTP unless the
|
||
|
ServerUserId directive is specified. </li>
|
||
|
<li>Entering <em>%%CLIENT%%</em> causes the user profile from the request to
|
||
|
be used on the swap. If Kerberos is specified for the AuthType directive,
|
||
|
the server will use Enterprise Identity Mapping (EIM) to attempt to match
|
||
|
the user ID associated with the server ticket with an iSeries system profile.
|
||
|
If there is no iSeries system profile associated with the server ticket user
|
||
|
ID, the HTTP request will fail. This value cannot be used for LDAP or Validation
|
||
|
lists authentication. If is valid for iSeries profiles, client certificates,
|
||
|
and Kerberos.</li>
|
||
|
</ul>
|
||
|
</dd>
|
||
|
</dl>
|
||
|
<p>The profile that issued the STRTCPSVR command to start HTTP Server (powered
|
||
|
by Apache) must have *USE authority to the profile specified on all of the
|
||
|
UserID directives and other directives. All UserID directives (and directives
|
||
|
specified for a protected resource) are verified during startup. If any UserID
|
||
|
directive, or any other directive, does not satisfy the rules, the server
|
||
|
instance does not start and a message is sent to the user's interactive joblog.</p>
|
||
|
<div class="note"><span class="notetitle">Note:</span> Because HTTP Server (powered by Apache) swaps to the profile that you
|
||
|
specify on the UserID directive, you should be careful what profile you specify.
|
||
|
For example, if you create a profile MIGHTY1 that is of the class *SECOFR
|
||
|
and use this profile on the UserID directive, then whenever the server invokes
|
||
|
a swap to that profile, all iSeries authority checking for the requested resource
|
||
|
is based on that profile. </div>
|
||
|
<p>When HTTP Server (powered by Apache) is running under the QTMHHTTP profile
|
||
|
(the QTMHHTTP profile is the default) and a UserID directive is not in effect,
|
||
|
the server switches to the QTMHHTP1 profile before starting a CGI program.
|
||
|
However, when a CGI program is running on servers where the UserID directive
|
||
|
is in effect or within a protection setup where the UserID directive has been
|
||
|
specified, the program is run under the specified profile, unless the profile
|
||
|
is QTMHHTTP. In which case, QTMHHTP1 is used. If the profile does not have
|
||
|
authority to the specified program, the request is rejected. </p>
|
||
|
<p>There are two special values you can use on the UserID directive. Entering <em>%%SERVER%%</em> uses
|
||
|
the default profile QTMHHTTP unless a protection setup has a different UserID
|
||
|
specified. Entering <em>%%CLIENT%%</em> causes the server to challenge the client
|
||
|
on each and every request for a user ID and password. </p>
|
||
|
<p>See also <a href="rzaiemod_core.htm#serveruserid">ServerUserID</a>. </p>
|
||
|
<p>To work correctly, this directive must be accompanied by the PasswdFile,
|
||
|
AuthType, AuthName, and Require directives. </p>
|
||
|
</div>
|
||
|
</div>
|
||
|
|
||
|
</body>
|
||
|
</html>
|