Module mod_as_auth

Important: Information for this topic supports the latest PTF levels for HTTP Server for i5/OS . It is recommended that you install the latest PTFs to upgrade to the latest level of the HTTP Server for i5/OS. Some of the topics documented here are not available prior to this update. See http://www.ibm.com/servers/eserver/iseries/software/http/services/service.htm Link outside Information Center for more information.

Summary

The module mod_as_auth provides user authentication using iSeries™ system profiles, Internet users (through validation lists), or LDAP users.

Directives

AsAuthAuthoritative

Module: mod_as_auth
Syntax: AsAuthAuthoritative On | Off
Default: AsAuthAuthoritative On
Context: directory
Override: none
Origin: iSeries
Example: AsAuthAuthoritative Off

Setting the AsAuthAuthoritative directive explicitly to off allows for both authentication and authorization to be passed on to lower level modules (if there is no userid or rule matching the supplied userid).

Parameter: On | Off
  • When On is specified, both authentication and authorization are not allowed to be passed on to lower level modules (if there is no userid or rule matching the supplied userid).
  • When Off is specified, allows for both authentication and authorization to be passed on to lower level modules (if there is no userid or rule matching the supplied userid).

If a userid appears in an authentication realm other than those supported by the iSeries (for example, System Userid), or if a valid Require directive applies to more than one module, the first module verifies the credentials and no access is passed on regardless of the AsAuthAuthoritative setting.

GroupFile

Module: mod_as_auth
Syntax: GroupFile filename
Default: none
Context: directory
Override: none
Origin: iSeries
Example: GroupFile /docs/restrict.group

The GroupFile directive sets the name of a GroupFile to use for a protection setup. Group files are used to classify users into various groups. A protection setup can use groups on limit directives. If a protected directory contains an ACL file, the rules in the ACL file can also use the groups that you define in the group file.

Parameter: filename
  • The filename parameter is any valid filename of the iSeries.
Note: The GroupFile directive is case-sensitive. If the filename is incorrectly cased, the GroupFile directive will not work properly. Since iSeries user profiles are not case-sensitive, the entries in the GroupFile will be treated as non-case-sensitive if the PasswdFile directive is set to %%SYSTEM%%. For all other values of PasswdFile, the values in the GroupFile will be treated as case-sensitive.

To work correctly this directive must be accompanied by PasswdFile, AuthType, and Require.

PasswdFile

Module: mod_as_auth
Syntax: PasswdFile passfile [passfile passfile ...]
Default: none
Context: directory
Override: none
Origin: iSeries
Example: PasswdFile %%SYSTEM%%
Example: PasswdFile "QUSRSYS/MY_USERS QGPL/DOC_USERS"

The PasswdFile directive specifies where the passwords (or certificates) are stored for authentication.

Parameter: passfile
The different values supported by the passfile parameter value are:
%%SYSTEM%%
The passfile parameter can be in the %%SYSTEM%% format. Using this value indicates that the server should use the iSeries User Profile support to validate username/password.
%%LDAP%%
The passfile can also be in the %%LDAP%% format to validate the LDAP server that has been defined to the server.
%%KERBEROS%%
The passfile parameter should be set to %%KERBEROS%% when the directive AuthType Kerberos is configured.
passfile [passfile passfile ...]
The passfile parameter can be formatted to fit the Internet user list. To use this format, specify QUSRSYS/MY_USERS as the filename. The HTTP Server (powered by Apache) allows a space separated list of Internet User lists (for example: 'library/vldl library/fort').

This directive may be configured multiple times in a container. The directives are processed from the first to the last occurrence.

To work correctly this directive must be accompanied by AuthType, AuthName, and Require.

UserID

Module: mod_as_auth
Syntax: Userid user-profile | %%SERVER%% | %%CLIENT%%
Default: none
Context: directory
Override: none
Origin: iSeries
Example: UserID WEBUSER
Example: UserID %%SERVER%%
Example: UserID %%CLIENT%%

The UserID directive specifies the iSeries system profile to the server. For a protected resource (one for which Protection directives are defined), the UserID directive specifies which iSeries system profile the server temporarily swaps to while serving that resource. The directive must be a valid user profile.

Parameter: user-profile | %%SERVER%% | %%CLIENT%%
  • For user-profile, a valid iSeries system profile must be specified. The value 'QSECOFR' cannot be specified on the directive. The profile that issued the STRTCPSVR command to start HTTP Server (powered by Apache) must have *USE authority to the profile specified on all of the UserID directives and other directives. All UserID directives (and directives specified for a protected resource) are verified during startup. If any UserID directive, or any other directive, does not satisfy the rules listed here, the server instance does not start and a message is sent to the user's interactive job log.
  • Entering %%SERVER%% uses the default profile QTMHHTTP unless the ServerUserId directive is specified.
  • Entering %%CLIENT%% causes the user profile from the request to be used on the swap. If Kerberos is specified for the AuthType directive, the server will use Enterprise Identity Mapping (EIM) to attempt to match the user ID associated with the server ticket with an iSeries system profile. If there is no iSeries system profile associated with the server ticket user ID, the HTTP request will fail. This value cannot be used for LDAP or Validation lists authentication. If is valid for iSeries profiles, client certificates, and Kerberos.

The profile that issued the STRTCPSVR command to start HTTP Server (powered by Apache) must have *USE authority to the profile specified on all of the UserID directives and other directives. All UserID directives (and directives specified for a protected resource) are verified during startup. If any UserID directive, or any other directive, does not satisfy the rules, the server instance does not start and a message is sent to the user's interactive joblog.

Note: Because HTTP Server (powered by Apache) swaps to the profile that you specify on the UserID directive, you should be careful what profile you specify. For example, if you create a profile MIGHTY1 that is of the class *SECOFR and use this profile on the UserID directive, then whenever the server invokes a swap to that profile, all iSeries authority checking for the requested resource is based on that profile.

When HTTP Server (powered by Apache) is running under the QTMHHTTP profile (the QTMHHTTP profile is the default) and a UserID directive is not in effect, the server switches to the QTMHHTP1 profile before starting a CGI program. However, when a CGI program is running on servers where the UserID directive is in effect or within a protection setup where the UserID directive has been specified, the program is run under the specified profile, unless the profile is QTMHHTTP. In which case, QTMHHTP1 is used. If the profile does not have authority to the specified program, the request is rejected.

There are two special values you can use on the UserID directive. Entering %%SERVER%% uses the default profile QTMHHTTP unless a protection setup has a different UserID specified. Entering %%CLIENT%% causes the server to challenge the client on each and every request for a user ID and password.

See also ServerUserID.

To work correctly, this directive must be accompanied by the PasswdFile, AuthType, AuthName, and Require directives.