Module mod_ibm_ldap

The ldap.AppId directive is used to enable SSL connections to the LDAP server. An Application ID that has been obtained and associated with a certificate through Digital Certificate Manager (DCM ) is supplied with this directive. The application ID is then used when making an SSL connection to the LDAP server to validate that the server can make a secure connection. The Application ID provided may be the same Application ID that is used elsewhere in HTTP Server.

The ldap.AppId directive is required if ldap.transport is SSL.

Parameter: application_ID

• The application_ID parameter is an application ID obtained from DCM for this HTTP Server instance.

The ldap.application.authtype directive is used to specify the method used to authenticate HTTP Server application to the LDAP server. The possible values are None and Basic.

For Basic authentication, the ldap.application.DN and the ldap.application.password.stashFile directives are required to identify HTTP Server.

Parameter: authtype

• The authtype parameter specifies the method used to authenticate HTTP Server application to the LDAP server. Valid values are Basic, or None.
  1. If None is selected, HTTP Server connects using anonymous access, if permitted by the LDAP server.
  2. If Basic authentication is chosen, HTTP Server is required to identify itself to the LDAP server by using a Distinguished Name and password.

The ldap.application.DN directive specifies the Distinguished Name (DN) HTTP Server uses to authenticate to the LDAP server.

When using ldap.application.authType Basic, the directive ldap.application.password.stashFile should be used with ldap.application.DN. Unless the LDAP server allows anonymous access, the connection between HTTP Server and the LDAP server will not be made without a valid password.

Parameter: Distinguished_Name

• The Distinguished_Name parameter is a character string representing the Distinguished Name used by HTTP Server to authenticate to the LDAP server.

The ldap.application.password.stashFile directive specifies the file that contains the encoded password used by HTTP Server to authenticate to the LDAP server when ldap.application.authType is Basic. The configuration tools create, encode, and name the filename.

Parameter: filename

• The filename parameter is the name of a file containing the encoded password used to authenticate HTTP Server to the LDAP server.

The ldap.cache.timeout directive specifies the maximum length of time (in seconds) that these cached results may be used. After ldap.cache.timeout seconds, the cache elements are discarded, and subsequent requests cause a search of the LDAP server. Results of a search of an LDAP server are cached in local HTTP Server storage to save the time of executing another LDAP search in a short period of time.

Parameter: seconds

• The seconds parameter is the length of time, in seconds, for the server to retain the results of successful LDAP searches.

The ldap.group.memberAttributes directive specifies the attribute names that are used to extract members from a group entry in an LDAP directory. The values of these attributes must be the distinguished names of the members of the group.

This directive is used in conjunction with the ldap.group.name.filter and the LDAPRequire directives to allow users in specific groups access to a resource.

Parameter One: attributes

• The attributes parameter is the group attribute names used to extract users from an LDAP group entry. Beginning in i5/OS™ V5R4, if the attributes parameter is the operational attribute ibm-allMembers, then group membership is checked for all forms of groups: static, dynamic, nested, and hybrid. Otherwise, group membership is checked only for a static group.

If multiple occurrences of this directive are configured in a container, only the last occurrence is processed. All other occurrences are ignored.

The ldap.group.name.filter directive specifies the filter that is used to convert, via an LDAP search request, a group name to a unique DN. The unique DN for the group is then used to allow individual users who are members of the group to access their source. The default value is "(&(cn=%v)(|(objectclass=groupofnames)(objectclass=groupofuniquenames)))", where %v is a substitution variable for the group name.

This directive is used in conjunction with the ldap.group.memberAttributes and the LDAPRequire directives to allow users in specific groups access to a resource.

Parameter: filter

• The filter parameter is a valid LDAP search filter that will return a unique DN for a given group name.

The ldap.group.url directive tells HTTP Server the location of the LDAP server that is being used for authentication of users in groups. Hostname is the hostname of the LDAP server. The DNS name or the IP address is used to identify the host where the LDAP server resides. The port is optional. If not specified, port 389 will be assumed if using TCP/IP connections, and 636 will be used for SSL connections to the LDAP server. The BaseDN provides the starting point for searches of the LDAP directory.

If the ldap.group.url is not present in the configuration file, the ldap.url value is used. If the same host, port and BaseDN are the same for group searches, as they are for user searches, you do not need to specify ldap.group.url.

Parameter One: hostname

• The hostname parameter is the DNS name or IP address of the host where the LDAP server is located.

Parameter Two: port

• The port parameter is the port on which the LDAP server listens. It is optional. If not present, and the transport is TCP, the well-known LDAP port 389 is assumed. If the transport is SSL, the well-known LDAP SSL port 636 will be assumed.

Parameter Three: BaseDN

• The BaseDN parameter is the starting point for searches of the LDAP directory for group information.

The ldap.idleConnection.timeout directive is used to determine the time that idle connections to the LDAP server are kept open. This improves performance by saving the path length necessary to open connections if there are several requests of the LDAP server in a short period of time.

Parameter: seconds

• The seconds parameter is the length of time, in seconds, that an idle connection should remain open.

Since Microsoft^® Windows NT^® authenticates differently than the other industry LDAP servers, this directive was added to configure the Microsoft Windows NT domain name. This directive should only be used when a Microsoft Exchange Server is being used and the authentication requires that ldap.NTDomain be specified. This directive should not be used in other cases.

Use of this directive allows an HTTP Server to access a Microsoft Exchange Server version 5.0 or 5.5 by means of Lightweight Directory Access Protocol (LDAP). It may be necessary to use this directive if this product is used to perform LDAP authentication of HTTP requests.

Directive ldap.NTDomain can be specified two different ways. The format may be dependent on the Microsoft Exchange Server.

If the Exchange Server requires the account to look like "cn=NTAccount, cn=NTDomain", use the format:

ldap.NTDomain "cn=exchServer"

If the Exchange Server requires the account in the form ("dc=NTDomain, cn=NTAccount"), use the format:

ldap.NTDomain "dc=exchServer"

When this directive is present, HTTP Server appends or precedes the information in the ldap.NTDomain directive to the DN used when authenticating a user to the LDAP server.

The ldap.ObjectClass directive is used to publish configuration information to the LDAP server. The object class is used as an entry to the LDAP server and describes the content and purpose of an object in the LDAP directory tree. The configuration information may then be retrieved using the LDAPInclude directive.

Parameter: objectclass

• The objectclass parameter is the name of the object class to be used as the entry in the LDAP directory. The object class used should have a binary file attribute value.

The ldap.realm directive is used to identify the LDAP configuration in error log messages. If a server uses different LDAP servers or different LDAP base DNs for different directories, ldap.realm will identify this particular LDAP configuration.

Parameter: label

• The label parameter can be a character string describing this LDAP configuration.

The ldap.search.timeout directive supplies the maximum amount of time (in seconds) to wait for an LDAP search request to complete. This prevents HTTP Server from waiting on a request to a slow LDAP server.

Parameter: seconds

• The seconds parameter is the length of time, in seconds, for the server to wait for an LDAP search request to complete.

The ldap.transport directive is used to specify the transport used to communicate with the LDAP server. The LDAP server can communicate over either TCP/IP or SSL connections.

If ldap.transport is set to SSL, then the ldap.AppId directive must be set, or HTTP Server will be unable to make the connection to the LDAP server.

Parameter: transport

• The transport parameter specifies the transport to be used for communication with the LDAP server. Valid values are 'TCP' or 'SSL'.

The ldap.url directive tells HTTP Server the location of the LDAP server that is being used for authentication or configuration. Hostname is the hostname of the LDAP server. The DNS name or the IP address is used to identify the host where the LDAP server resides. The port is optional. If not specified, port 389 will be assumed if using TCP/IP connections, and 636 will be used for SSL connections to the LDAP server. The BaseDN provides the starting point for searches of the LDAP directory.

This directive is required when using LDAP for authentication or configuration.

The ldap.url directive will be used for all searches, unless a different value is provided with the ldap.group.url directive. If an ldap.group.url directive is present, its value is used to search for groups.

Parameter One: hostname

• The hostname parameter is the DNS name or IP address of the host where the LDAP server is located.

Parameter Two: port

• The port parameter is the port on which the LDAP server listens. It is optional. If not present, and the transport is TCP, the well-known LDAP port 389 is assumed. If the transport is SSL, the well-known LDAP SSL port 636 will be assumed.

Parameter Three: baseDN

• The baseDN parameter is the starting point for searches of the LDAP directory.

The ldap.user.authtype directive is used to specify the method used to authenticate the user requesting an HTTP resource to the LDAP server. Basic is the only possible value. During basic authentication, the user is prompted to enter a username and password.

Parameter: authtype

• The authtype parameter specifies the method used to authenticate the user requesting an HTTP resource to the LDAP server. 'Basic' is the only valid value.

The ldap.user.name.fieldSep directive specifies the characters that are considered valid field separator characters when parsing the user name into fields. The fields are then put into a filter and used on an LDAP search request. For example, if '/' is the only valid field separator, and the user entered "Joe Smith/Acme", then the first field is set to "Joe Smith" and the second field is set to "Acme".

Parameter: separators

• The separators parameter is the valid separator characters used to delimit fields.

If multiple occurrences of this directive are configured in a container, only the last occurrence is processed. All other occurrences are ignored.

The ldap.user.name.filter directive specifies the filter that is used to convert, via an LDAP search request, a user name to a unique DN. The DN is then used to authenticate the user making the HTTP request. The default value is "(&(objectclass=person)(|(cn=%v1 %v2)(uid=%v1))", where %v1 and %v2 are substitution variables for the words the user entered at the browser.

This directive is used when ldap.user.authType is Basic.

Parameter: filter

• The filter parameter is a valid LDAP search filter that will return a unique DN for a given user name.

The ldap.version directive is used to specify the version of LDAP to use to communicate with the LDAP server. The default version used by HTTP Server is version 3. If your LDAP server is not at version 3, use this directive to set it to 2.

Parameter: version

• The version parameter specifies the version of the LDAP to be used. Valid versions are '2' or '3'.

If an LDAP server is down, HTTP Server may have degraded performance because it will be continually trying to connect. The ldap.waitToRetryConnection.interval directive gives the length of time (in seconds) to wait between failed attempts to connect to the LDAP server.

Parameter: seconds

• The seconds parameter is the length of time, in seconds, for the server to wait between attempts to connect to the LDAP server.

The LDAPConfigFile directive provides a filename that contains the LDAP directives necessary to access an LDAP server. It allows the LDAP directives to be grouped into a file so they may easily be referenced in any container in HTTP Server configuration file by using the LDAPConfigFile directive. An example file can be found in /QIBM/ProdData/HTTPA/conf/ldap.prop

All LDAP directives except LDAPRequire may be put into the file.

Parameter: filename

• The filename parameter is the filename that contains other LDAP directives.

The LDAPRequire directive is used to restrict access to a resource controlled by LDAP authentication to members of a group. It can either use groups defined in LDAP by using the "group" parameter, or it can use an LDAP filter to assemble a group of users with a similar quality.

The LDAPRequire directive may not be put into an LDAP configuration file, it must be in the server configuration file. For LDAP, this can be used instead of the GroupFile directive. For more information, see theGroupFile directive.

Parameter One: type

• Valid values for the type parameter include 'group' or 'filter'.
• Group should be used for LDAP group entries.
• Filter should be used when grouping users by other qualities.

Parameter Two: groupname | filter

• The groupname parameter is the name of a group as defined in the LDAP directory.
• The filter parameter is a valid filter that may be used to determine if a user meets qualifications to be authenticated.