<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en-us" xml:lang="en-us"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="security" content="public" /> <meta name="Robots" content="index,follow" /> <meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' /> <meta name="DC.Type" content="topic" /> <meta name="DC.Title" content="Module mod_ibm_ldap" /> <meta name="abstract" content="This module contains directives that allow HTTP Server to access an Lightweight Directory Access Protocol (LDAP) directory and to query the directory in a database fashion to obtain authentication information." /> <meta name="description" content="This module contains directives that allow HTTP Server to access an Lightweight Directory Access Protocol (LDAP) directory and to query the directory in a database fashion to obtain authentication information." /> <meta name="copyright" content="(C) Copyright IBM Corporation 2002,2006" /> <meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2002,2006" /> <meta name="DC.Format" content="XHTML" /> <meta name="DC.Identifier" content="rzaiemod_ibm_ldap" /> <meta name="DC.Language" content="en-us" /> <!-- All rights reserved. Licensed Materials Property of IBM --> <!-- US Government Users Restricted Rights --> <!-- Use, duplication or disclosure restricted by --> <!-- GSA ADP Schedule Contract with IBM Corp. 
--> <link rel="stylesheet" type="text/css" href="./ibmdita.css" /> <link rel="stylesheet" type="text/css" href="./ic.css" /> <title>Module mod_ibm_ldap</title> </head> <body id="rzaiemod_ibm_ldap"><a name="rzaiemod_ibm_ldap"><!-- --></a> <!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script> <!--Java sync-link--><h1 class="topictitle1">Module mod_ibm_ldap</h1> <div><p>This module contains directives that allow HTTP Server to access a Lightweight Directory Access Protocol (LDAP) directory and to query the directory in a database fashion to obtain authentication information.</p> <div class="important"><span class="importanttitle">Important:</span> Information for this topic supports the latest PTF levels for HTTP Server for i5/OS. It is recommended that you install the latest PTFs to upgrade to the latest level of the HTTP Server for i5/OS. Some of the topics documented here are not available prior to this update. See <a href="http://www-03.ibm.com/servers/eserver/iseries/software/http/services/service.html" target="_blank">http://www.ibm.com/servers/eserver/iseries/software/http/services/service.htm</a> <img src="www.gif" alt="Link outside Information Center" /> for more information. </div> <p>These directives provide the server with information regarding the LDAP servers in which HTTP Server configuration (see mod_ibm_linc) and authentication information may be stored. You can put these directives in a file and then include that file in your server configuration file using the LdapConfigFile directive. 
If these directives are placed in the configuration file, the following directive must be specified prior to their use: </p> <pre>LoadModule ibm_ldap_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVLDAP.SRVPGM</pre> <p><strong>Directives</strong></p> <ul><li><a href="#ldapappId">ldap.AppId</a></li> <li><a href="#ldapapplicationauthtype">ldap.application.authType</a></li> <li><a href="#ldapapplicationdn">ldap.application.DN</a></li> <li><a href="#ldapapplicationpasswordstashfile">ldap.application.password.stashFile</a></li> <li><a href="#ldapcachetimeout">ldap.cache.timeout</a></li> <li><a href="#ldapgroupmemberattributes">ldap.group.memberAttributes</a></li> <li><a href="#ldapgroupnamefilter">ldap.group.name.filter</a></li> <li><a href="#ldapgroupurl">ldap.group.url</a></li> <li><a href="#ldapidleconnectiontimeout">ldap.idleConnection.timeout</a></li> <li><a href="#ldapntdomain">ldap.NTDomain</a></li> <li><a href="#ldapobjectclass">ldap.ObjectClass</a></li> <li><a href="#ldaprealm">ldap.realm</a></li> <li><a href="#ldapsearchtimeout">ldap.search.timeout</a></li> <li><a href="#ldaptransport">ldap.transport</a></li> <li><a href="#ldapurl">ldap.url</a></li> <li><a href="#ldapuserauthtype">ldap.user.authType</a></li> <li><a href="#ldapusernamefieldsep">ldap.user.name.fieldSep</a></li> <li><a href="#ldapusernamefilter">ldap.user.name.filter</a></li> <li><a href="#ldapversion">ldap.version</a></li> <li><a href="#ldapwaittoretryconnectioninterval">ldap.waitToRetryConnection.interval</a></li> <li><a href="#configFile">LDAPConfigFile</a></li> <li><a href="#ldaprequire">LDAPRequire</a></li> </ul> </div> <div class="hr" id="ldapappId"><a name="ldapappId"><!-- --></a><h2 class="topictitle2">ldap.AppId</h2> <div> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ldap </td> </tr> <tr><td 
colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: ldap.AppId <var class="varname">application_ID</var></td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: none</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: directory, .htaccess</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: AuthCfg</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: iSeries™</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in the configuration file prior to using the directive. The statement should be as follows: <samp class="codeph">LoadModule ibm_ldap_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVLDAP.SRVPGM</samp></td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: ldap.AppId QIBM_HTTP_SERVER_SRVINST1</td> </tr> </tbody> </table> </div> <p>The ldap.AppId directive is used to enable SSL connections to the LDAP server. An Application ID that has been obtained and associated with a certificate through Digital Certificate Manager (DCM) is supplied with this directive. The application ID is then used when making an SSL connection to the LDAP server to validate that the server can make a secure connection. 
The Application ID provided may be the same Application ID that is used elsewhere in HTTP Server.</p> <p>The ldap.AppId directive is required if ldap.transport is SSL.</p> <blockquote><dl><dt class="dlterm"><strong>Parameter</strong>: <em>application_ID</em></dt> <dd><ul><li> The <var class="varname">application_ID</var> parameter is an application ID obtained from DCM for this HTTP Server instance.</li> </ul> </dd> </dl> </blockquote> </div> </div> <div class="hr" id="ldapapplicationauthtype"><a name="ldapapplicationauthtype"><!-- --></a><h2 class="topictitle2">ldap.application.authType</h2> <div> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ldap</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: ldap.application.authType <var class="varname">authtype</var></td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: ldap.application.authType Basic </td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: directory, .htaccess </td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: AuthCfg </td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: iSeries </td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in the configuration file prior to using the directive. 
The statement should be as follows: <samp class="codeph">LoadModule ibm_ldap_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVLDAP.SRVPGM</samp></td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: ldap.application.authType None</td> </tr> </tbody> </table> </div> <p>The ldap.application.authtype directive is used to specify the method used to authenticate HTTP Server application to the LDAP server. The possible values are None and Basic. </p> <p>For Basic authentication, the ldap.application.DN and the ldap.application.password.stashFile directives are required to identify HTTP Server. </p> <blockquote><dl><dt class="dlterm"><strong>Parameter</strong>: <em>authtype</em></dt> <dd><ul><li> The <var class="varname">authtype</var> parameter specifies the method used to authenticate HTTP Server application to the LDAP server. Valid values are <var class="varname">Basic</var>, or <var class="varname">None</var>.<ol><li>If <var class="varname">None</var> is selected, HTTP Server connects using anonymous access, if permitted by the LDAP server.</li> <li>If <var class="varname">Basic</var> authentication is chosen, HTTP Server is required to identify itself to the LDAP server by using a Distinguished Name and password.</li> </ol> </li> </ul> </dd> </dl> </blockquote> </div> </div> <div class="hr" id="ldapapplicationdn"><a name="ldapapplicationdn"><!-- --></a><h2 class="topictitle2">ldap.application.DN</h2> <div> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ldap</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: ldap.application.DN <var class="varname">Distinguished_Name</var></td> </tr> <tr><td colspan="2" 
valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: none</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: directory, .htaccess </td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: AuthCfg </td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: iSeries</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in the configuration file prior to using the directive. The statement should be as follows:<samp class="codeph"> LoadModule ibm_ldap_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVLDAP.SRVPGM</samp></td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: ldap.application.DN cn=Administrator</td> </tr> </tbody> </table> </div> <p>The ldap.application.DN directive specifies the Distinguished Name (DN) HTTP Server uses to authenticate to the LDAP server. </p> <p>When using ldap.application.authType Basic, the directive ldap.application.password.stashFile should be used with ldap.application.DN. Unless the LDAP server allows anonymous access, the connection between HTTP Server and the LDAP server will not be made without a valid password. 
</p> <blockquote><dl><dt class="dlterm"><strong>Parameter</strong>: <em>Distinguished_Name</em></dt> <dd><ul><li> The <var class="varname">Distinguished_Name</var> parameter is a character string representing the Distinguished Name used by HTTP Server to authenticate to the LDAP server.</li> </ul> </dd> </dl> </blockquote> </div> </div> <div class="hr" id="ldapapplicationpasswordstashfile"><a name="ldapapplicationpasswordstashfile"><!-- --></a><h2 class="topictitle2">ldap.application.password.stashFile</h2> <div> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ldap</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: ldap.application.password.stashFile <var class="varname">filename</var></td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: none</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: directory, .htaccess </td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: AuthCfg</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: iSeries</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in the configuration file prior to using the directive. 
The statement should be as follows: <samp class="codeph">LoadModule ibm_ldap_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVLDAP.SRVPGM</samp></td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: ldap.application.password.stashFile /QIBM/UserData/HTTPA/LDAP/websrv1/lcfg1.stash</td> </tr> </tbody> </table> </div> <p>The ldap.application.password.stashFile directive specifies the file that contains the encoded password used by HTTP Server to authenticate to the LDAP server when ldap.application.authType is Basic. The configuration tools create, encode, and name the filename.</p> <blockquote><dl><dt class="dlterm"><strong>Parameter</strong>: <em>filename</em></dt> <dd><ul><li>The <var class="varname">filename</var> parameter is the name of a file containing the encoded password used to authenticate HTTP Server to the LDAP server.</li> </ul> </dd> </dl> </blockquote> </div> </div> <div class="hr" id="ldapcachetimeout"><a name="ldapcachetimeout"><!-- --></a><h2 class="topictitle2">ldap.cache.timeout</h2> <div> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ldap</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: ldap.cache.timeout <var class="varname">seconds</var></td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: ldap.cache.timeout 600 (10 minutes) </td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: directory, .htaccess</td> </tr> <tr><td colspan="2" valign="top"><strong><a 
href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: AuthCfg </td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: iSeries</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in the configuration file prior to using the directive. The statement should be as follows: <samp class="codeph">LoadModule ibm_ldap_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVLDAP.SRVPGM</samp></td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: ldap.cache.timeout 300</td> </tr> </tbody> </table> </div> <p>Results of a search of an LDAP server are cached in local HTTP Server storage to save the time of executing another LDAP search in a short period of time. The ldap.cache.timeout directive specifies the maximum length of time (in seconds) that these cached results may be used. After ldap.cache.timeout seconds, the cache elements are discarded, and subsequent requests cause a search of the LDAP server.</p>
<blockquote><dl><dt class="dlterm"><strong>Parameter</strong>: <em>seconds</em></dt> <dd><ul><li>The <var class="varname">seconds</var> parameter is the length of time, in seconds, for the server to retain the results of successful LDAP searches.</li> </ul> </dd> </dl> </blockquote> </div> </div> <div class="hr" id="ldapgroupmemberattributes"><a name="ldapgroupmemberattributes"><!-- --></a><h2 class="topictitle2">ldap.group.memberAttributes</h2> <div> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ldap</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: ldap.group.memberAttributes "<var class="varname">attributes</var>" </td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: ldap.group.memberAttributes "member uniquemember" </td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: directory, .htaccess </td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: AuthCfg </td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: iSeries </td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in the configuration file prior to using the directive. 
The statement should be as follows: <samp class="codeph">LoadModule ibm_ldap_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVLDAP.SRVPGM</samp></td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: ldap.group.memberAttributes "member"</td> </tr> </tbody> </table> </div> <p>The ldap.group.memberAttributes directive specifies the attribute names that are used to extract members from a group entry in an LDAP directory. The values of these attributes must be the distinguished names of the members of the group. </p> <p>This directive is used in conjunction with the ldap.group.name.filter and the LDAPRequire directives to allow users in specific groups access to a resource. </p> <blockquote><dl><dt class="dlterm"><strong>Parameter One</strong>: <em>attributes</em></dt> <dd><ul><li>The <var class="varname">attributes</var> parameter is the group attribute names used to extract users from an LDAP group entry. Beginning in i5/OS™ V5R4, if the attributes parameter is the operational attribute ibm-allMembers, then group membership is checked for all forms of groups: static, dynamic, nested, and hybrid. Otherwise, group membership is checked only for a static group. </li> </ul> </dd> </dl> </blockquote> <p>If multiple occurrences of this directive are configured in a container, only the last occurrence is processed. 
All other occurrences are ignored.</p> </div> </div> <div class="hr" id="ldapgroupnamefilter"><a name="ldapgroupnamefilter"><!-- --></a><h2 class="topictitle2">ldap.group.name.filter</h2> <div> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ldap</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: ldap.group.name.filter <var class="varname">filter</var></td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: ldap.group.name.filter (&(cn=%v)(|(objectclass=groupofnames)(objectclass=groupofuniquenames))) </td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: directory, .htaccess </td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: AuthCfg</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: iSeries</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in the configuration file prior to using the directive. 
The statement should be as follows: <samp class="codeph">LoadModule ibm_ldap_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVLDAP.SRVPGM</samp></td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: ldap.group.name.filter (&(cn=%v)(objectclass=groupofnames))</td> </tr> </tbody> </table> </div> <p>The ldap.group.name.filter directive specifies the filter that is used to convert, via an LDAP search request, a group name to a unique DN. The unique DN for the group is then used to allow individual users who are members of the group to access the resource. The default value is "(&(cn=%v)(|(objectclass=groupofnames)(objectclass=groupofuniquenames)))", where %v is a substitution variable for the group name.</p> <p>This directive is used in conjunction with the ldap.group.memberAttributes and the LDAPRequire directives to allow users in specific groups access to a resource.</p> <blockquote><dl><dt class="dlterm"><strong>Parameter</strong>: <em>filter</em></dt> <dd><ul><li> The <var class="varname">filter</var> parameter is a valid LDAP search filter that will return a unique DN for a given group name.</li> </ul> </dd> </dl> </blockquote> </div> </div> <div class="hr" id="ldapgroupurl"><a name="ldapgroupurl"><!-- --></a><h2 class="topictitle2">ldap.group.url</h2> <div> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ldap</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: ldap.group.url ldap://<var class="varname">hostname:port/BaseDN</var></td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: none</td> </tr> <tr><td colspan="2" valign="top"><strong><a 
href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: directory, .htaccess </td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: AuthCfg</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: iSeries</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in the configuration file prior to using the directive. The statement should be as follows: <samp class="codeph">LoadModule ibm_ldap_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVLDAP.SRVPGM</samp></td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: ldap.group.url ldap://www-5.ibm.com/o=deltawing,c=au </td> </tr> </tbody> </table> </div> <p>The ldap.group.url directive tells HTTP Server the location of the LDAP server that is being used for authentication of users in groups. Hostname is the hostname of the LDAP server. The DNS name or the IP address is used to identify the host where the LDAP server resides. The port is optional. If it is not specified, port 389 is assumed for TCP/IP connections and port 636 for SSL connections to the LDAP server. The BaseDN provides the starting point for searches of the LDAP directory. </p> <p>If the ldap.group.url is not present in the configuration file, the ldap.url value is used. If the host, port and BaseDN for group searches are the same as for user searches, you do not need to specify ldap.group.url. 
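</p> <p>The requirements this page states across directives (ldap.AppId when ldap.transport is SSL, a DN and stash file for Basic authentication, the lower-case ldap:// scheme with default ports 389 and 636, and the ldap.url fallback for group searches) can be checked before a configuration is deployed. The following Python checker is an added example, not IBM code; the sample configuration is constructed, and it assumes that an unset ldap.transport means TCP, that the case-sensitivity rule noted for ldap.group.url also applies to ldap.url, and that the last occurrence of any directive wins.</p>

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample configuration (not from the IBM documentation).
SAMPLE_CONF = """\
ldap.transport SSL
ldap.application.authType Basic
ldap.application.DN cn=Administrator
ldap.url LdaP://ldap.example.com/o=example,c=au
"""

# The same configuration with the three findings corrected.
FIXED_CONF = SAMPLE_CONF.replace("LdaP://", "ldap://") + (
    "ldap.AppId QIBM_HTTP_SERVER_SRVINST1\n"
    "ldap.application.password.stashFile "
    "/QIBM/UserData/HTTPA/LDAP/websrv1/lcfg1.stash\n"
)

DEFAULT_PORT = {"TCP": 389, "SSL": 636}  # defaults given for ldap.group.url
# Lower-case scheme only: the page rejects "LdaP://" for ldap.group.url.
URL_RE = re.compile(r"^ldap://([^/:\s]+)(?::(\d+))?/(.+)$")


def parse_directives(text: str) -> Dict[str, str]:
    """Return ldap.* directives keyed by lower-cased name; last one wins."""
    found: Dict[str, str] = {}
    for raw in text.splitlines():
        name, _, value = raw.strip().partition(" ")
        if name.lower().startswith("ldap."):
            found[name.lower()] = value.strip().strip('"')
    return found


def transport_of(directives: Dict[str, str]) -> str:
    # Assumption: an unset ldap.transport means plain TCP.
    return directives.get("ldap.transport", "TCP").upper()


def parse_ldap_url(value: str, transport: str) -> Tuple[str, int, str]:
    """Split ldap://hostname:port/BaseDN and apply the default port."""
    match = URL_RE.match(value)
    if match is None:
        raise ValueError("expected ldap://hostname:port/BaseDN, got " + value)
    if transport not in DEFAULT_PORT:
        raise ValueError("unknown ldap.transport " + transport)
    host, port, base_dn = match.groups()
    return host, int(port) if port else DEFAULT_PORT[transport], base_dn


def lint(text: str) -> List[str]:
    """Check the cross-directive requirements the page states."""
    d = parse_directives(text)
    transport = transport_of(d)
    problems: List[str] = []
    if transport == "SSL" and "ldap.appid" not in d:
        problems.append("ldap.transport is SSL but ldap.AppId is not set")
    auth = d.get("ldap.application.authtype", "Basic").lower()  # default Basic
    if auth == "basic":
        for needed in ("ldap.application.dn",
                       "ldap.application.password.stashfile"):
            if needed not in d:
                problems.append("authType Basic requires " + needed)
    elif auth == "none":
        problems.append("authType None: HTTP Server binds anonymously")
    for key in ("ldap.url", "ldap.group.url"):
        if key in d:
            try:
                parse_ldap_url(d[key], transport)
            except ValueError as exc:
                problems.append(key + ": " + str(exc))
    return problems


def group_search_target(text: str) -> Optional[Tuple[str, int, str]]:
    """Host, port and BaseDN for group searches (ldap.url is the fallback)."""
    d = parse_directives(text)
    value = d.get("ldap.group.url", d.get("ldap.url"))
    return parse_ldap_url(value, transport_of(d)) if value else None


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print("FINDING:", finding)
    print("group searches go to", group_search_target(FIXED_CONF))
```

<p>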
</p> <blockquote><dl><dt class="dlterm"><strong>Parameter One</strong>: <em>hostname</em></dt> <dd><ul><li> The <var class="varname">hostname</var> parameter is the DNS name or IP address of the host where the LDAP server is located.</li> </ul> </dd> </dl> <dl><dt class="dlterm"><strong>Parameter Two</strong>: <em>port</em></dt> <dd><ul><li> The <var class="varname">port</var> parameter is the port on which the LDAP server listens. It is optional. If not present, and the transport is TCP, the well-known LDAP port 389 is assumed. If the transport is SSL, the well-known LDAP SSL port 636 will be assumed.</li> </ul> </dd> </dl> <dl><dt class="dlterm"><strong>Parameter Three</strong>: <em>BaseDN</em></dt> <dd><ul><li> The <var class="varname">BaseDN</var> parameter is the starting point for searches of the LDAP directory for group information.</li> </ul> </dd> </dl> </blockquote> <div class="note"><span class="notetitle">Note:</span> The ldap.group.url value is case sensitive. For example, the following value is not valid: <samp class="codeph">ldap.group.url LdaP://www-5.ibm.com/o=deltawing,c=au</samp>. 
However, the following value is valid: <samp class="codeph">ldap.group.url ldap://www-5.ibm.com/o=deltawing,c=au</samp>.</div> </div> </div> <div class="hr" id="ldapidleconnectiontimeout"><a name="ldapidleconnectiontimeout"><!-- --></a><h2 class="topictitle2">ldap.idleConnection.timeout</h2> <div> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ldap</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: ldap.idleConnection.timeout <var class="varname">seconds</var></td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: ldap.idleConnection.timeout 600 (10 minutes) </td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: directory, .htaccess </td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: AuthCfg</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: iSeries</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: LoadModule is required in the configuration file prior to using the directive. 
The statement should be as follows: <samp class="codeph">LoadModule ibm_ldap_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVLDAP.SRVPGM</samp></td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: ldap.idleConnection.timeout 900</td> </tr> </tbody> </table> </div> <p>The ldap.idleConnection.timeout directive is used to determine the time that idle connections to the LDAP server are kept open. This improves performance by saving the path length necessary to open connections if there are several requests of the LDAP server in a short period of time.</p> <blockquote><dl><dt class="dlterm"><strong>Parameter</strong>: <em>seconds</em></dt> <dd><ul><li> The seconds parameter is the length of time, in seconds, that an idle connection should remain open.</li> </ul> </dd> </dl> </blockquote> </div> </div> <div class="hr" id="ldapntdomain"><a name="ldapntdomain"><!-- --></a><h2 class="topictitle2">ldap.NTDomain</h2> <div> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ldap</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: ldap.NTDomain <var class="varname">domainname</var></td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: none</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: directory, .htaccess </td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: AuthCfg</td> </tr> <tr><td colspan="2" valign="top"><strong><a 
href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: iSeries</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in the configuration file prior to using the directive. The statement should be as follows: <samp class="codeph">LoadModule ibm_ldap_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVLDAP.SRVPGM</samp></td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: ldap.NTDomain "cn=myexchServer"</td> </tr> </tbody> </table> </div> <p>Since Microsoft<sup>®</sup> Windows NT<sup>®</sup> authenticates differently than the other industry LDAP servers, this directive was added to configure the Microsoft Windows NT domain name. This directive should only be used when a Microsoft Exchange Server is being used and the authentication requires that ldap.NTDomain be specified. This directive should not be used in other cases. </p> <p>Use of this directive allows an HTTP Server to access a Microsoft Exchange Server version 5.0 or 5.5 by means of Lightweight Directory Access Protocol (LDAP). It may be necessary to use this directive if this product is used to perform LDAP authentication of HTTP requests. </p> <p>Directive ldap.NTDomain can be specified two different ways. The format may be dependent on the Microsoft Exchange Server. 
</p> <p>If the Exchange Server requires the account to look like "cn=NTAccount, cn=NTDomain", use the format:</p> <pre>ldap.NTDomain "cn=exchServer"</pre> <p>If the Exchange Server requires the account to look like "dc=NTDomain, cn=NTAccount", use the format:</p> <pre>ldap.NTDomain "dc=exchServer"</pre> <p>When this directive is present, HTTP Server appends or prepends the value of the ldap.NTDomain directive to the DN used when authenticating a user to the LDAP server.</p> </div> </div> <div class="hr" id="ldapobjectclass"><a name="ldapobjectclass"><!-- --></a><h2 class="topictitle2">ldap.ObjectClass</h2> <div> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ldap</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: ldap.ObjectClass <var class="varname">objectclass</var></td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: ldap.ObjectClass eProperty </td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: directory, .htaccess</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: AuthCfg</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: Apache</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in the configuration file prior to using the directive. 
The statement should be as follows: <samp class="codeph">LoadModule ibm_ldap_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVLDAP.SRVPGM</samp></td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: ldap.ObjectClass applicationProcess</td> </tr> </tbody> </table> </div> <p>The ldap.ObjectClass directive is used to publish configuration information to the LDAP server. The object class is used as an entry to the LDAP server and describes the content and purpose of an object in the LDAP directory tree. The configuration information may then be retrieved using the LDAPInclude directive.</p> <blockquote><dl><dt class="dlterm"><strong>Parameter</strong>: <em>objectclass</em></dt> <dd><ul><li> The <var class="varname">objectclass</var> parameter is the name of the object class to be used as the entry in the LDAP directory. The object class used should have a binary file attribute value.</li> </ul> </dd> </dl> </blockquote> </div> </div> <div class="hr" id="ldaprealm"><a name="ldaprealm"><!-- --></a><h2 class="topictitle2">ldap.realm</h2> <div> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ldap</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: ldap.realm <var class="varname">"label" </var></td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: none</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: directory, .htaccess </td> </tr> <tr><td colspan="2" valign="top"><strong><a 
href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: AuthCfg</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: iSeries</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in the configuration file prior to using the directive. The statement should be as follows: <samp class="codeph">LoadModule ibm_ldap_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVLDAP.SRVPGM</samp></td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: ldap.realm "HTTP Auth Server"</td> </tr> </tbody> </table> </div> <p>The ldap.realm directive is used to identify the LDAP configuration in error log messages. If a server uses different LDAP servers or different LDAP base DNs for different directories, ldap.realm will identify this particular LDAP configuration.</p> <blockquote><dl><dt class="dlterm"><strong>Parameter</strong>: <em>label</em></dt> <dd><ul><li>The <var class="varname">label</var> parameter can be a character string describing this LDAP configuration.</li> </ul> </dd> </dl> </blockquote> </div> </div> <div class="hr" id="ldapsearchtimeout"><a name="ldapsearchtimeout"><!-- --></a><h2 class="topictitle2">ldap.search.timeout</h2> <div> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ldap</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: ldap.search.timeout <var class="varname">seconds</var></td> </tr> <tr><td colspan="2" valign="top"><strong><a 
href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: ldap.search.timeout 10 </td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: directory, .htaccess</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: AuthCfg</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: iSeries</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in the configuration file prior to using the directive. The statement should be as follows: <samp class="codeph">LoadModule ibm_ldap_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVLDAP.SRVPGM</samp></td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: ldap.search.timeout 30</td> </tr> </tbody> </table> </div> <p>The ldap.search.timeout directive supplies the maximum amount of time (in seconds) to wait for an LDAP search request to complete. 
This prevents HTTP Server from waiting on a request to a slow LDAP server.</p> <blockquote><dl><dt class="dlterm"><strong>Parameter</strong>: <em>seconds</em></dt> <dd><ul><li> The <var class="varname">seconds</var> parameter is the length of time, in seconds, for the server to wait for an LDAP search request to complete.</li> </ul> </dd> </dl> </blockquote> </div> </div> <div class="hr" id="ldaptransport"><a name="ldaptransport"><!-- --></a><h2 class="topictitle2">ldap.transport</h2> <div> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ldap</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: ldap.transport <var class="varname">transport</var></td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: ldap.transport TCP </td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: directory, .htaccess </td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: AuthCfg</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: iSeries</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in the configuration file prior to using the directive. 
The statement should be as follows: <samp class="codeph">LoadModule ibm_ldap_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVLDAP.SRVPGM</samp></td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: ldap.transport SSL</td> </tr> </tbody> </table> </div> <p>The ldap.transport directive is used to specify the transport used to communicate with the LDAP server. The LDAP server can communicate over either TCP/IP or SSL connections. </p> <p>If ldap.transport is set to SSL, then the ldap.AppId directive must be set, or HTTP Server will be unable to make the connection to the LDAP server. </p> <blockquote><dl><dt class="dlterm"><strong>Parameter</strong>: <em>transport</em></dt> <dd><ul><li> The <var class="varname">transport</var> parameter specifies the transport to be used for communication with the LDAP server. Valid values are 'TCP' or 'SSL'.</li> </ul> </dd> </dl> </blockquote> </div> </div> <div class="hr" id="ldapurl"><a name="ldapurl"><!-- --></a><h2 class="topictitle2">ldap.url</h2> <div> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ldap</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: ldap.url ldap://<var class="varname">hostname:port/baseDN </var></td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: none</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: directory, .htaccess </td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: AuthCfg</td> </tr> 
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: iSeries</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in the configuration file prior to using the directive. The statement should be as follows: <samp class="codeph">LoadModule ibm_ldap_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVLDAP.SRVPGM</samp></td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: ldap.url ldap://www-6.ibm.com:1636/ou=Payroll,o=Company,c=US</td> </tr> </tbody> </table> </div> <p>The ldap.url directive tells HTTP Server the location of the LDAP server that is being used for authentication or configuration. Hostname is the hostname of the LDAP server. The DNS name or the IP address is used to identify the host where the LDAP server resides. The port is optional. If not specified, port 389 will be assumed if using TCP/IP connections, and 636 will be used for SSL connections to the LDAP server. The BaseDN provides the starting point for searches of the LDAP directory. </p> <p>This directive is required when using LDAP for authentication or configuration. </p> <p>The ldap.url directive will be used for all searches, unless a different value is provided with the ldap.group.url directive. If an ldap.group.url directive is present, its value is used to search for groups.</p> <blockquote><dl><dt class="dlterm"><strong>Parameter One</strong>: <em>hostname</em></dt> <dd><ul><li>The <var class="varname">hostname</var> parameter is the DNS name or IP address of the host where the LDAP server is located.</li> </ul> </dd> </dl> <dl><dt class="dlterm"><strong>Parameter Two</strong>: <em>port</em></dt> <dd><ul><li>The <var class="varname">port</var> parameter is the port on which the LDAP server listens. It is optional. 
If not present, and the transport is TCP, the well-known LDAP port 389 is assumed. If the transport is SSL, the well-known LDAP SSL port 636 will be assumed.</li> </ul> </dd> </dl> <dl><dt class="dlterm"><strong>Parameter Three</strong>: <em>baseDN</em></dt> <dd><ul><li>The <var class="varname">baseDN</var> parameter is the starting point for searches of the LDAP directory.</li> </ul> </dd> </dl> </blockquote> <div class="note"><span class="notetitle">Note:</span> The ldap.url value is case sensitive. For example, the following value is not valid: <samp class="codeph">ldap.url LdaP://www-5.ibm.com/o=deltawing,c= au</samp>. However, the following value is valid: <samp class="codeph">ldap.url ldap://www-5.ibm.com/o=deltawing,c= au</samp>. </div> </div> </div> <div class="hr" id="ldapuserauthtype"><a name="ldapuserauthtype"><!-- --></a><h2 class="topictitle2">ldap.user.authType</h2> <div> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ldap</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: ldap.user.authType <var class="varname">authtype</var></td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: ldap.user.authType Basic </td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: directory, .htaccess </td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: AuthCfg </td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: iSeries</td> </tr> <tr><td colspan="2" 
valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in the configuration file prior to using the directive. The statement should be as follows: <samp class="codeph">LoadModule ibm_ldap_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVLDAP.SRVPGM</samp></td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: ldap.user.authType Basic</td> </tr> </tbody> </table> </div> <p>The ldap.user.authType directive is used to specify the method used to authenticate the user requesting an HTTP resource to the LDAP server. Basic is the only possible value. During basic authentication, the user is prompted to enter a username and password. </p> <blockquote><dl><dt class="dlterm"><strong>Parameter</strong>: <em>authtype</em></dt> <dd><ul><li> The <var class="varname">authtype</var> parameter specifies the method used to authenticate the user requesting an HTTP resource to the LDAP server. 
'Basic' is the only valid value.</li> </ul> </dd> </dl> </blockquote> </div> </div> <div class="hr" id="ldapusernamefieldsep"><a name="ldapusernamefieldsep"><!-- --></a><h2 class="topictitle2">ldap.user.name.fieldSep</h2> <div> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ldap</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: ldap.user.name.fieldSep <var class="varname">"separators" </var></td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: ldap.user.name.fieldSep " \t," </td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: directory, .htaccess </td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: AuthCfg</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: iSeries</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in the configuration file prior to using the directive. 
The statement should be as follows: <samp class="codeph">LoadModule ibm_ldap_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVLDAP.SRVPGM</samp></td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: ldap.user.name.fieldSep " \t,/"</td> </tr> </tbody> </table> </div> <p>The ldap.user.name.fieldSep directive specifies the characters that are considered valid field separator characters when parsing the user name into fields. The fields are then put into a filter and used on an LDAP search request. For example, if '/' is the only valid field separator, and the user entered "Joe Smith/Acme", then the first field is set to "Joe Smith" and the second field is set to "Acme". </p> <blockquote><dl><dt class="dlterm"><strong>Parameter</strong>: <em>separators</em></dt> <dd><ul><li> The <var class="varname">separators</var> parameter is the valid separator characters used to delimit fields.</li> </ul> </dd> </dl> </blockquote> <p>If multiple occurrences of this directive are configured in a container, only the last occurrence is processed. 
All other occurrences are ignored.</p> </div> </div> <div class="hr" id="ldapusernamefilter"><a name="ldapusernamefilter"><!-- --></a><h2 class="topictitle2">ldap.user.name.filter</h2> <div> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ldap</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: ldap.user.name.filter <var class="varname">filter</var></td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: ldap.user.name.filter (&(objectclass=person)(|(cn=%v1 %v2)(uid=%v1)))</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: directory, .htaccess </td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: AuthCfg</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: iSeries</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in the configuration file prior to using the directive. 
The statement should be as follows: <samp class="codeph">LoadModule ibm_ldap_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVLDAP.SRVPGM</samp></td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: ldap.user.name.filter (&(objectclass=person)(uid=%v1))</td> </tr> </tbody> </table> </div> <p>The ldap.user.name.filter directive specifies the filter that is used to convert, via an LDAP search request, a user name to a unique DN. The DN is then used to authenticate the user making the HTTP request. The default value is "(&(objectclass=person)(|(cn=%v1 %v2)(uid=%v1)))", where %v1 and %v2 are substitution variables for the words the user entered at the browser. </p> <p>This directive is used when ldap.user.authType is Basic. </p> <blockquote><dl><dt class="dlterm"><strong>Parameter</strong>: <em>filter</em></dt> <dd><ul><li> The <var class="varname">filter</var> parameter is a valid LDAP search filter that will return a unique DN for a given user name.</li> </ul> </dd> </dl> </blockquote> </div> </div> <div class="hr" id="ldapversion"><a name="ldapversion"><!-- --></a><h2 class="topictitle2">ldap.version</h2> <div> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ldap</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: ldap.version <var class="varname">version</var></td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: ldap.version 3 </td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: directory, .htaccess</td> </tr> <tr><td colspan="2" 
valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: AuthCfg</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: iSeries</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in the configuration file prior to using the directive. The statement should be as follows: <samp class="codeph">LoadModule ibm_ldap_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVLDAP.SRVPGM</samp></td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: ldap.version 2</td> </tr> </tbody> </table> </div> <p>The ldap.version directive is used to specify the version of LDAP to use to communicate with the LDAP server. The default version used by HTTP Server is version 3. If your LDAP server is not at version 3, use this directive to set it to 2. </p> <blockquote><dl><dt class="dlterm"><strong>Parameter</strong>: <em>version</em></dt> <dd><ul><li> The <var class="varname">version</var> parameter specifies the version of LDAP to be used. 
Valid versions are '2' or '3'.</li> </ul> </dd> </dl> </blockquote> </div> </div> <div class="hr" id="ldapwaittoretryconnectioninterval"><a name="ldapwaittoretryconnectioninterval"><!-- --></a><h2 class="topictitle2">ldap.waitToRetryConnection.interval</h2> <div> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ldap</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: ldap.waitToRetryConnection.interval <var class="varname">seconds</var></td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: ldap.waitToRetryConnection.interval 30 </td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: directory, .htaccess </td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: AuthCfg</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: iSeries</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in the configuration file prior to using the directive. 
The statement should be as follows: <samp class="codeph">LoadModule ibm_ldap_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVLDAP.SRVPGM</samp></td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: ldap.waitToRetryConnection.interval 60</td> </tr> </tbody> </table> </div> <p>If an LDAP server is down, HTTP Server may have degraded performance because it will be continually trying to connect. The ldap.waitToRetryConnection.interval directive gives the length of time (in seconds) to wait between failed attempts to connect to the LDAP server. </p> <blockquote><dl><dt class="dlterm"><strong>Parameter</strong>: <em>seconds</em></dt> <dd><ul><li> The <var class="varname">seconds</var> parameter is the length of time, in seconds, for the server to wait between attempts to connect to the LDAP server.</li> </ul> </dd> </dl> </blockquote> </div> </div> <div class="hr" id="configFile"><a name="configFile"><!-- --></a><h2 class="topictitle2">LDAPConfigFile</h2> <div> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ldap</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: LDAPConfigFile <var class="varname">filename</var></td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: none</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: directory, .htaccess </td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: AuthCfg</td> </tr> <tr><td colspan="2" valign="top"><strong><a 
href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: iSeries</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in the configuration file prior to using the directive. The statement should be as follows: <samp class="codeph">LoadModule ibm_ldap_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVLDAP.SRVPGM</samp></td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: LDAPConfigFile /QIBM/UserData/HTTPA/ldap/ldapSvr1.conf</td> </tr> </tbody> </table> </div> <p>The LDAPConfigFile directive provides a filename that contains the LDAP directives necessary to access an LDAP server. It allows the LDAP directives to be grouped into a file so they can easily be referenced from any container in the HTTP Server configuration file by using the LDAPConfigFile directive. An example file can be found in /QIBM/ProdData/HTTPA/conf/ldap.prop. </p> <p>All LDAP directives except LDAPRequire may be put into the file. 
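</p> <p>An added example, not IBM's code: a Python check that applies the rules stated on this page to the text of a file named by LDAPConfigFile (LDAPRequire is not allowed in the file, ldap.url is required and its scheme is case sensitive, SSL needs ldap.AppId, and ldap.user.name.filter must be a well-formed filter). The file syntax, the sample files, the host name and the ldap.AppId value are assumptions constructed for illustration.</p>

```python
import re

# Rules come from the directive descriptions on this page. Assumptions (not
# stated by the page): one "name value" directive per line, "#" starts a
# comment, directive names match case-insensitively, and the last occurrence
# of any directive wins (the page says so only for ldap.user.name.fieldSep).
ALLOWED = {
    "ldap.transport": ("TCP", "SSL"),
    "ldap.version": ("2", "3"),
    "ldap.user.authtype": ("Basic",),
}
SECONDS = ("ldap.idleconnection.timeout", "ldap.search.timeout",
           "ldap.waittoretryconnection.interval")
DEFAULT_PORT = {"TCP": 389, "SSL": 636}
# The scheme is matched case-sensitively, as the page's note on ldap.url says.
URL_RE = re.compile(r"ldap://([^:/\s]+)(?::(\d+))?/(\S.*)$")

# Constructed sample files (host name and ldap.AppId value are placeholders).
WEAK = """
ldap.realm "HTTP Auth Server"
ldap.url LdaP://ldap.example.com:389/ou=Payroll,o=Company,c=US
ldap.transport SSL
ldap.version 4
ldap.search.timeout 30
ldap.user.name.filter (&(objectclass=person)(|(cn=%v1 %v2)(uid=%v1))
LDAPRequire filter (&(objectclass=person)(ou=Payroll)(cn=*))
"""
FIXED = """
ldap.realm "HTTP Auth Server"
ldap.url ldap://ldap.example.com:636/ou=Payroll,o=Company,c=US
ldap.transport SSL
ldap.AppId EXAMPLE_APP_ID
ldap.version 3
ldap.search.timeout 30
ldap.user.name.filter (&(objectclass=person)(|(cn=%v1 %v2)(uid=%v1)))
"""


def parse(text):
    """Map each lowercased directive name to its value; later lines override."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        found[name.lower()] = value.strip()
    return found


def balanced(filt):
    """True if every '(' in an LDAP filter has a matching ')'."""
    depth = 0
    for ch in filt:
        if ch == "(":
            depth += 1
        elif ch == ")":
            if depth == 0:
                return False
            depth -= 1
    return depth == 0


def lint(text):
    """Return a list of (severity, message) findings for one LDAP config file."""
    cfg, out = parse(text), []
    if "ldaprequire" in cfg:
        out.append(("error", "LDAPRequire must be in the server configuration file"))
    for name, allowed in ALLOWED.items():
        if name in cfg and cfg[name] not in allowed:
            out.append(("error", f"{name}: {cfg[name]!r} is not one of {allowed}"))
    for name in SECONDS:
        if name in cfg and not cfg[name].isdigit():
            out.append(("error", f"{name}: expected a whole number of seconds"))
    transport = cfg.get("ldap.transport", "TCP")  # TCP is the documented default
    if transport == "SSL" and "ldap.appid" not in cfg:
        out.append(("error", "ldap.transport SSL requires ldap.AppId"))
    if transport == "TCP":
        out.append(("warning", "ldap.transport TCP: LDAP traffic is not encrypted"))
    url = cfg.get("ldap.url")
    match = URL_RE.match(url) if url else None
    if url is None:
        out.append(("error", "ldap.url is required"))
    elif match is None:
        out.append(("error", "ldap.url must be ldap://hostname:port/baseDN (lowercase scheme)"))
    elif match.group(2) and transport in DEFAULT_PORT:
        other = "SSL" if transport == "TCP" else "TCP"
        if int(match.group(2)) == DEFAULT_PORT[other]:
            out.append(("warning", f"ldap.url port {match.group(2)} is the "
                                   f"{other} default, but transport is {transport}"))
    filt = cfg.get("ldap.user.name.filter")
    if filt is not None:
        if not balanced(filt):
            out.append(("error", "ldap.user.name.filter: unbalanced parentheses"))
        if "%v1" not in filt:
            out.append(("warning", "ldap.user.name.filter never uses %v1"))
    return out


if __name__ == "__main__":
    for label, sample in (("WEAK", WEAK), ("FIXED", FIXED)):
        print(label, lint(sample))
```

<p>The TCP warning marks configurations where the connection to the LDAP server is not protected by SSL; the port warning is a heuristic, since a server may listen on any port.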
</p> <blockquote><dl><dt class="dlterm"><strong>Parameter</strong>: <em>filename</em></dt> <dd><ul><li> The <var class="varname">filename</var> parameter is the filename that contains other LDAP directives.</li> </ul> </dd> </dl> </blockquote> </div> </div> <div class="hr" id="ldaprequire"><a name="ldaprequire"><!-- --></a><h2 class="topictitle2">LDAPRequire</h2> <div> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ldap</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: LDAPRequire<var class="varname"> type [groupname | filter]</var></td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: none</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: directory, .htaccess </td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: AuthCfg</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: iSeries</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in the configuration file prior to using the directive. 
The statement should be as follows: <samp class="codeph">LoadModule ibm_ldap_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVLDAP.SRVPGM</samp></td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: LDAPRequire filter (&(objectclass=person)(ou=Payroll)(cn=*))</td> </tr> </tbody> </table> </div> <p>The LDAPRequire directive is used to restrict access to a resource controlled by LDAP authentication to members of a group. It can either use groups defined in LDAP by using the "group" parameter, or it can use an LDAP filter to assemble a group of users with a similar quality. </p> <p>The LDAPRequire directive may not be put into an LDAP configuration file; it must be in the server configuration file. For LDAP, this can be used instead of the GroupFile directive. For more information, see the <a href="rzaiemod_as_auth.htm#groupfile">GroupFile</a> directive.</p> <blockquote><dl><dt class="dlterm"><strong>Parameter One</strong>: <em>type</em></dt> <dd><ul><li> Valid values for the <var class="varname">type</var> parameter include 'group' or 'filter'.</li> <li> Group should be used for LDAP group entries.</li> <li> Filter should be used when grouping users by other qualities.</li> </ul> </dd> </dl> <dl><dt class="dlterm"><strong>Parameter Two</strong>: <em>groupname | filter</em></dt> <dd><ul><li> The <var class="varname">groupname</var> parameter is the name of a group as defined in the LDAP directory.</li> <li> The <var class="varname">filter</var> parameter is a valid filter that may be used to determine if a user meets qualifications to be authenticated.</li> </ul> </dd> </dl> </blockquote> </div> </div> </body> </html>