friedkiwi/ibm-information-center
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
6290434003
ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzaie_5.4.0.1/rzaiemod_ibm_ldap.htm

977 lines
62 KiB
HTML
Raw Blame History

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="topic" />
<meta name="DC.Title" content="Module mod_ibm_ldap" />
<meta name="abstract" content="This module contains directives that allow HTTP Server to access an Lightweight Directory Access Protocol (LDAP) directory and to query the directory in a database fashion to obtain authentication information." />
<meta name="description" content="This module contains directives that allow HTTP Server to access an Lightweight Directory Access Protocol (LDAP) directory and to query the directory in a database fashion to obtain authentication information." />
<meta name="copyright" content="(C) Copyright IBM Corporation 2002,2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2002,2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzaiemod_ibm_ldap" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Module mod_ibm_ldap</title>
</head>
<body id="rzaiemod_ibm_ldap"><a name="rzaiemod_ibm_ldap"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<!--Java sync-link--><h1 class="topictitle1">Module mod_ibm_ldap</h1>
<div><p>This module contains directives that allow HTTP Server to access
an Lightweight Directory Access Protocol (LDAP) directory and to query the
directory in a database fashion to obtain authentication information.</p>
<div class="important"><span class="importanttitle">Important:</span> Information
for this topic supports the latest PTF levels for HTTP Server for i5/OS .
It is recommended that you install the latest PTFs to upgrade to the latest
level of the HTTP Server for i5/OS. Some of the topics documented here are
not available prior to this update. See <a href="http://www-03.ibm.com/servers/eserver/iseries/software/http/services/service.html" target="_blank">http://www.ibm.com/servers/eserver/iseries/software/http/services/service.htm</a> <img src="www.gif" alt="Link outside Information Center" /> for more information. </div>
<p>These directives provide the server with information regarding the LDAP
Servers in which HTTP Server configuration (see mod_ibm_linc) and authentication
information may be stored. You can put these directives in a file and then
include that file in your server configuration file using the LdapConfigFile
directive. If these directives are placed in the configuration file, the following
directive must be specified prior to their use: </p>
<pre>LoadModule ibm_ldap_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVLDAP.SRVPGM</pre>
<p><strong>Directives</strong></p>
<ul><li><a href="#ldapappId">ldap.AppId</a></li>
<li><a href="#ldapapplicationauthtype">ldap.application.authType</a></li>
<li><a href="#ldapapplicationdn">ldap.application.DN</a></li>
<li><a href="#ldapapplicationpasswordstashfile">ldap.application.password.stashFile</a></li>
<li><a href="#ldapcachetimeout">ldap.cache.timeout</a></li>
<li><a href="#ldapgroupmemberattributes">ldap.group.memberAttributes</a></li>
<li><a href="#ldapgroupnamefilter">ldap.group.name.filter</a></li>
<li><a href="#ldapgroupurl">ldap.group.url</a></li>
<li><a href="#ldapidleconnectiontimeout">ldap.idleConnection.timeout</a></li>
<li><a href="#ldapntdomain">ldap.NTDomain</a></li>
<li><a href="#ldapobjectclass">ldap.ObjectClass</a></li>
<li><a href="#ldaprealm">ldap.realm</a></li>
<li><a href="#ldapsearchtimeout">ldap.search.timeout</a></li>
<li><a href="#ldaptransport">ldap.transport</a></li>
<li><a href="#ldapurl">ldap.url</a></li>
<li><a href="#ldapuserauthtype">ldap.user.authType</a></li>
<li><a href="#ldapusernamefieldsep">ldap.user.name.fieldSep</a></li>
<li><a href="#ldapusernamefilter">ldap.user.name.filter</a></li>
<li><a href="#ldapversion">ldap.version</a></li>
<li><a href="#ldapwaittoretryconnectioninterval">ldap.waitToRetryConnection.interval</a></li>
<li><a href="#configFile">LDAPConfigFile</a></li>
<li><a href="#ldaprequire">LDAPRequire</a></li>
</ul>
</div>
<div class="hr" id="ldapappId"><a name="ldapappId"><!-- --></a><h2 class="topictitle2">ldap.AppId</h2>
<div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ldap </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: ldap.AppId <var class="varname">application_ID</var></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: none</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: directory, .htaccess</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: AuthCfg</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: iSeries™</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in
the configuration file prior to using the directive. The statement should
be as follows: <samp class="codeph">LoadModule ibm_ldap_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVLDAP.SRVPGM</samp></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: ldap.AppId QIBM_HTTP_SERVER_SRVINST1</td>
</tr>
</tbody>
</table>
</div>
<p>The ldap.AppId directive is used to enable SSL connections to the LDAP
server. An Application ID that has been obtained and associated with a certificate
through Digital Certificate Manager (DCM ) is supplied with this directive.
The application ID is then used when making an SSL connection to the LDAP
server to validate that the server can make a secure connection. The Application
ID provided may be the same Application ID that is used elsewhere in HTTP
Server.</p>
<p>The ldap.AppId directive is required if ldap.transport is SSL.</p>
<blockquote><dl><dt class="dlterm"><strong>Parameter</strong>: <em>application_ID</em></dt>
<dd><ul><li> The <var class="varname">application_ID</var> parameter is an application ID
obtained from DCM for this HTTP Server instance.</li>
</ul>
</dd>
</dl>
</blockquote>
</div>
</div>
<div class="hr" id="ldapapplicationauthtype"><a name="ldapapplicationauthtype"><!-- --></a><h2 class="topictitle2">ldap.application.authType</h2>
<div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ldap</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: ldap.application.authType <var class="varname">authtype</var></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: ldap.application.authType Basic </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: directory, .htaccess </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: AuthCfg </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: iSeries </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in
the configuration file prior to using the directive. The statement should
be as follows: <samp class="codeph">LoadModule ibm_ldap_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVLDAP.SRVPGM</samp></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: ldap.application.authType None</td>
</tr>
</tbody>
</table>
</div>
<p>The ldap.application.authtype directive is used to specify the method used
to authenticate HTTP Server application to the LDAP server. The possible values
are None and Basic. </p>
<p>For Basic authentication, the ldap.application.DN and the ldap.application.password.stashFile
directives are required to identify HTTP Server. </p>
<blockquote><dl><dt class="dlterm"><strong>Parameter</strong>: <em>authtype</em></dt>
<dd><ul><li> The <var class="varname">authtype</var> parameter specifies the method used to
authenticate HTTP Server application to the LDAP server. Valid values are <var class="varname">Basic</var>,
or <var class="varname">None</var>.<ol><li>If <var class="varname">None</var> is selected, HTTP Server connects using anonymous
access, if permitted by the LDAP server.</li>
<li>If <var class="varname">Basic</var> authentication is chosen, HTTP Server is required
to identify itself to the LDAP server by using a Distinguished Name and password.</li>
</ol>
</li>
</ul>
</dd>
</dl>
</blockquote>
</div>
</div>
<div class="hr" id="ldapapplicationdn"><a name="ldapapplicationdn"><!-- --></a><h2 class="topictitle2">ldap.application.DN</h2>
<div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ldap</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: ldap.application.DN <var class="varname">Distinguished_Name</var></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: none</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: directory, .htaccess </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: AuthCfg </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: iSeries</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in
the configuration file prior to using the directive. The statement should
be as follows:<samp class="codeph"> LoadModule ibm_ldap_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVLDAP.SRVPGM</samp></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: ldap.application.DN cn=Administrator</td>
</tr>
</tbody>
</table>
</div>
<p>The ldap.application.DN directive specifies the Distinguished Name (DN)
HTTP Server uses to authenticate to the LDAP server. </p>
<p>When using ldap.application.authType Basic, the directive ldap.application.password.stashFile
should be used with ldap.application.DN. Unless the LDAP server allows anonymous
access, the connection between HTTP Server and the LDAP server will not be
made without a valid password. </p>
<blockquote><dl><dt class="dlterm"><strong>Parameter</strong>: <em>Distinguished_Name</em></dt>
<dd><ul><li> The <var class="varname">Distinguished_Name</var> parameter is a character string
representing the Distinguished Name used by HTTP Server to authenticate to
the LDAP server.</li>
</ul>
</dd>
</dl>
</blockquote>
</div>
</div>
<div class="hr" id="ldapapplicationpasswordstashfile"><a name="ldapapplicationpasswordstashfile"><!-- --></a><h2 class="topictitle2">ldap.application.password.stashFile</h2>
<div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ldap</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: ldap.application.password.stashFile <var class="varname">filename</var></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: none</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: directory, .htaccess </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: AuthCfg</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: iSeries</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in
the configuration file prior to using the directive. The statement should
be as follows: <samp class="codeph">LoadModule ibm_ldap_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVLDAP.SRVPGM</samp></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: ldap.application.password.stashFile /QIBM/UserData/HTTPA/LDAP/websrv1/lcfg1.stash</td>
</tr>
</tbody>
</table>
</div>
<p>The ldap.application.password.stashFile directive specifies the file that
contains the encoded password used by HTTP Server to authenticate to the LDAP
server when ldap.application.authType is Basic. The configuration tools create,
encode, and name the filename.</p>
<blockquote><dl><dt class="dlterm"><strong>Parameter</strong>: <em>filename</em></dt>
<dd><ul><li>The <var class="varname">filename</var> parameter is the name of a file containing
the encoded password used to authenticate HTTP Server to the LDAP server.</li>
</ul>
</dd>
</dl>
</blockquote>
</div>
</div>
<div class="hr" id="ldapcachetimeout"><a name="ldapcachetimeout"><!-- --></a><h2 class="topictitle2">ldap.cache.timeout</h2>
<div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ldap</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: ldap.cache.timeout <var class="varname">seconds</var></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: ldap.cache.timeout 600 (10 minutes) </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: directory, .htaccess</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: AuthCfg </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: iSeries</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in
the configuration file prior to using the directive. The statement should
be as follows: <samp class="codeph">LoadModule ibm_ldap_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVLDAP.SRVPGM</samp></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: ldap.cache.timeout 300</td>
</tr>
</tbody>
</table>
</div>
<p>The ldap.cache.timeout directive specifies the maximum length of time (in
seconds) that these cached results may be used. After ldap.cache.timeout seconds,
the cache elements are discarded, and subsequent requests cause a search of
the LDAP server. Results of a search of an LDAP server are cached in local
HTTP Server storage to save the time of executing another LDAP search in a
short period of time.</p>
<blockquote><dl><dt class="dlterm"><strong>Parameter</strong>: <em>seconds</em></dt>
<dd><ul><li>The <var class="varname">seconds</var> parameter is the length of time, in seconds,
for the server to retain the results of successful LDAP searches.</li>
</ul>
</dd>
</dl>
</blockquote>
</div>
</div>
<div class="hr" id="ldapgroupmemberattributes"><a name="ldapgroupmemberattributes"><!-- --></a><h2 class="topictitle2">ldap.group.memberAttributes</h2>
<div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ldap</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: ldap.group.memberAttributes "<var class="varname">attributes</var>" </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: ldap.group.memberAttributes "member uniquemember" </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: directory, .htaccess </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: AuthCfg </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: iSeries </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in
the configuration file prior to using the directive. The statement should
be as follows: <samp class="codeph">LoadModule ibm_ldap_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVLDAP.SRVPGM</samp></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: ldap.group.memberAttributes "member"</td>
</tr>
</tbody>
</table>
</div>
<p>The ldap.group.memberAttributes directive specifies the attribute names
that are used to extract members from a group entry in an LDAP directory.
The values of these attributes must be the distinguished names of the members
of the group. </p>
<p>This directive is used in conjunction with the ldap.group.name.filter and
the LDAPRequire directives to allow users in specific groups access to a resource. </p>
<blockquote><dl><dt class="dlterm"><strong>Parameter One</strong>: <em>attributes</em></dt>
<dd><ul><li>The <var class="varname">attributes</var> parameter is the group attribute names
used to extract users from an LDAP group entry. Beginning in i5/OS™ V5R4, if
the attributes parameter is the operational attribute ibm-allMembers, then
group membership is checked for all forms of groups: static, dynamic, nested,
and hybrid. Otherwise, group membership is checked only for a static group. </li>
</ul>
</dd>
</dl>
</blockquote>
<p>If multiple occurrences of this directive are configured in a container,
only the last occurrence is processed. All other occurrences are ignored.</p>
</div>
</div>
<div class="hr" id="ldapgroupnamefilter"><a name="ldapgroupnamefilter"><!-- --></a><h2 class="topictitle2">ldap.group.name.filter</h2>
<div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ldap</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: ldap.group.name.filter <var class="varname">filter</var></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: ldap.group.name.filter (&amp;(cn=%v)(|(objectclass=groupofnames)(objectclass=groupofuniquenames))) </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: directory, .htaccess </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: AuthCfg</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: iSeries</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in
the configuration file prior to using the directive. The statement should
be as follows: LoadModule ibm_ldap_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVLDAP.SRVPGM</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: ldap.group.name.filter (&amp;(cn=%v)(objectclass=groupofnames))</td>
</tr>
</tbody>
</table>
</div>
<p>The ldap.group.name.filter directive specifies the filter that is used
to convert, via an LDAP search request, a group name to a unique DN. The unique
DN for the group is then used to allow individual users who are members of
the group to access their source. The default value is "(&amp;(cn=%v)(|(objectclass=groupofnames)(objectclass=groupofuniquenames)))",
where %v is a substitution variable for the group name.</p>
<p>This directive is used in conjunction with the ldap.group.memberAttributes
and the LDAPRequire directives to allow users in specific groups access to
a resource.</p>
<blockquote><dl><dt class="dlterm"><strong>Parameter</strong>: <em>filter</em></dt>
<dd><ul><li> The <var class="varname">filter</var> parameter is a valid LDAP search filter
that will return a unique DN for a given group name.</li>
</ul>
</dd>
</dl>
</blockquote>
</div>
</div>
<div class="hr" id="ldapgroupurl"><a name="ldapgroupurl"><!-- --></a><h2 class="topictitle2">ldap.group.url</h2>
<div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ldap</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: ldap.group.url ldap://<var class="varname">hostname:port/BaseDN</var></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: none</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: directory, .htaccess </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: AuthCfg</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: iSeries</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in
the configuration file prior to using the directive. The statement should
be as follows: <samp class="codeph">LoadModule ibm_ldap_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVLDAP.SRVPGM</samp></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: ldap.group.url ldap://www-5.ibm.com/o=deltawing,c=au </td>
</tr>
</tbody>
</table>
</div>
<p>The ldap.group.url directive tells HTTP Server the location of the LDAP
server that is being used for authentication of users in groups. Hostname
is the hostname of the LDAP server. The DNS name or the IP address is used
to identify the host where the LDAP server resides. The port is optional.
If not specified, port 389 will be assumed if using TCP/IP connections, and
636 will be used for SSL connections to the LDAP server. The BaseDN provides
the starting point for searches of the LDAP directory. </p>
<p>If the ldap.group.url is not present in the configuration file, the ldap.url
value is used. If the same host, port and BaseDN are the same for group searches,
as they are for user searches, you do not need to specify ldap.group.url. </p>
<blockquote><dl><dt class="dlterm"><strong>Parameter One</strong>: <em>hostname</em></dt>
<dd><ul><li> The <var class="varname">hostname</var> parameter is the DNS name or IP address
of the host where the LDAP server is located.</li>
</ul>
</dd>
</dl>
<dl><dt class="dlterm"><strong>Parameter Two</strong>: <em>port</em></dt>
<dd><ul><li> The <var class="varname">port</var> parameter is the port on which the LDAP server
listens. It is optional. If not present, and the transport is TCP, the well-known
LDAP port 389 is assumed. If the transport is SSL, the well-known LDAP SSL
port 636 will be assumed.</li>
</ul>
</dd>
</dl>
<dl><dt class="dlterm"><strong>Parameter Three</strong>: <em>BaseDN</em></dt>
<dd><ul><li> The <var class="varname">BaseDN</var> parameter is the starting point for searches
of the LDAP directory for group information.</li>
</ul>
</dd>
</dl>
</blockquote>
<div class="note"><span class="notetitle">Note:</span> The ldap.group.url value is case sensitive. For example, the following
value is not valid: <samp class="codeph">ldap.group.url LdaP://www-5.ibm.com/o=deltawing,c=au</samp>.
However, the following value is valid: <samp class="codeph">ldap.group.url ldap://www-5.ibm.com/o=deltawing,c=au</samp>.</div>
</div>
</div>
<div class="hr" id="ldapidleconnectiontimeout"><a name="ldapidleconnectiontimeout"><!-- --></a><h2 class="topictitle2">ldap.idleConnection.timeout</h2>
<div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ldap</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: ldap.idleConnection.timeout <var class="varname">seconds</var></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: ldap.idleConnection.timeout 600 (10 minutes) </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: directory, .htaccess </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: AuthCfg</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: iSeries</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: LoadModule is required in
the configuration file prior to using the directive. The statement should
be as follows: <samp class="codeph">LoadModule ibm_ldap_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVLDAP.SRVPGM</samp></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: ldap.idleConnection.timeout 900</td>
</tr>
</tbody>
</table>
</div>
<p>The ldap.idleConnection.timeout directive is used to determine the time
that idle connections to the LDAP server are kept open. This improves performance
by saving the path length necessary to open connections if there are several
requests of the LDAP server in a short period of time.</p>
<blockquote><dl><dt class="dlterm"><strong>Parameter</strong>: <em>seconds</em></dt>
<dd><ul><li> The seconds parameter is the length of time, in seconds, that an idle
connection should remain open.</li>
</ul>
</dd>
</dl>
</blockquote>
</div>
</div>
<div class="hr" id="ldapntdomain"><a name="ldapntdomain"><!-- --></a><h2 class="topictitle2">ldap.NTDomain</h2>
<div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ldap</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: ldap.NTDomain <var class="varname">domainname</var></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: none</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: directory, .htaccess </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: AuthCfg</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: iSeries</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in
the configuration file prior to using the directive. The statement should
be as follows: <samp class="codeph">LoadModule ibm_ldap_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVLDAP.SRVPGM</samp></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: ldap.NTDomain "cn=myexchServer"</td>
</tr>
</tbody>
</table>
</div>
<p>Since Microsoft<sup>®</sup> Windows NT<sup>®</sup> authenticates differently
than the other industry LDAP servers, this directive was added to configure
the Microsoft Windows NT domain name. This directive should only be used when
a Microsoft Exchange Server is being used and the authentication requires
that ldap.NTDomain be specified. This directive should not be used in other
cases. </p>
<p>Use of this directive allows an HTTP Server to access a Microsoft Exchange
Server version 5.0 or 5.5 by means of Lightweight Directory Access Protocol
(LDAP). It may be necessary to use this directive if this product is used
to perform LDAP authentication of HTTP requests. </p>
<p>Directive ldap.NTDomain can be specified two different ways. The format
may be dependent on the Microsoft Exchange Server. </p>
<p>If the Exchange Server requires the account to look like "cn=NTAccount,
cn=NTDomain", use the format:</p>
<pre>ldap.NTDomain "cn=exchServer"</pre>
<p>If the Exchange Server requires the account in the form ("dc=NTDomain,
cn=NTAccount"), use the format:</p>
<pre>ldap.NTDomain "dc=exchServer"</pre>
<p>When this directive is present, HTTP Server appends or precedes the information
in the ldap.NTDomain directive to the DN used when authenticating a user to
the LDAP server.</p>
</div>
</div>
<div class="hr" id="ldapobjectclass"><a name="ldapobjectclass"><!-- --></a><h2 class="topictitle2">ldap.ObjectClass</h2>
<div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ldap</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: ldap.ObjectClass <var class="varname">objectclass</var></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: ldap.ObjectClass eProperty </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: directory, .htaccess</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: AuthCfg</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: Apache</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in
the configuration file prior to using the directive. The statement should
be as follows: <samp class="codeph">LoadModule IBM_ldap_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVLDAP.SRVPGM</samp></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: ldap.ObjectClass applicationProcess</td>
</tr>
</tbody>
</table>
</div>
<p>The ldap.ObjectClass directive is used to publish configuration information
to the LDAP server. The object class is used as an entry to the LDAP server
and describes the content and purpose of an object in the LDAP directory tree.
The configuration information may then be retrieved using the LDAPInclude
directive.</p>
<blockquote><dl><dt class="dlterm"><strong>Parameter</strong>: <em>objectclass</em></dt>
<dd><ul><li> The <var class="varname">objectclass</var> parameter is the name of the object
class to be used as the entry in the LDAP directory. The object class used
should have a binary file attribute value.</li>
</ul>
</dd>
</dl>
</blockquote>
</div>
</div>
<div class="hr" id="ldaprealm"><a name="ldaprealm"><!-- --></a><h2 class="topictitle2">ldap.realm</h2>
<div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ldap</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: ldap.realm <var class="varname">"label" </var></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: none</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: directory, .htaccess </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: AuthCfg</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: iSeries</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in
the configuration file prior to using the directive. The statement should
be as follows: <samp class="codeph">LoadModule ibm_ldap_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVLDAP.SRVPGM</samp></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: ldap.realm "HTTP Auth Server"</td>
</tr>
</tbody>
</table>
</div>
<p>The ldap.realm directive is used to identify the LDAP configuration in
error log messages. If a server uses different LDAP servers or different LDAP
base DNs for different directories, ldap.realm will identify this particular
LDAP configuration.</p>
<blockquote><dl><dt class="dlterm"><strong>Parameter</strong>: <em>label</em></dt>
<dd><ul><li>The <var class="varname">label</var> parameter can be a character string describing
this LDAP configuration.</li>
</ul>
</dd>
</dl>
</blockquote>
</div>
</div>
<div class="hr" id="ldapsearchtimeout"><a name="ldapsearchtimeout"><!-- --></a><h2 class="topictitle2">ldap.search.timeout</h2>
<div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ldap</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: ldap.search.timeout <var class="varname">seconds</var></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: ldap.search.timeout 10 </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: directory, .htaccess</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: AuthCfg</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: iSeries</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in
the configuration file prior to using the directive. The statement should
be as follows: <samp class="codeph">LoadModule ibm_ldap_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVLDAP.SRVPGM</samp></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: ldap.search.timeout 30</td>
</tr>
</tbody>
</table>
</div>
<p>The ldap.search.timeout directive supplies the maximum amount of time (in
seconds) to wait for an LDAP search request to complete. This prevents HTTP
Server from waiting on a request to a slow LDAP server.</p>
<blockquote><dl><dt class="dlterm"><strong>Parameter</strong>: <em>seconds</em></dt>
<dd><ul><li> The <var class="varname">seconds</var> parameter is the length of time, in seconds,
for the server to wait for an LDAP search request to complete.</li>
</ul>
</dd>
</dl>
</blockquote>
</div>
</div>
<div class="hr" id="ldaptransport"><a name="ldaptransport"><!-- --></a><h2 class="topictitle2">ldap.transport</h2>
<div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ldap</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: ldap.transport <var class="varname">transport</var></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: ldap.transport TCP </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: directory, .htaccess </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: AuthCfg</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: iSeries</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in
the configuration file prior to using the directive. The statement should
be as follows: <samp class="codeph">LoadModule ibm_ldap_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVLDAP.SRVPGM</samp></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: ldap.transport SSL</td>
</tr>
</tbody>
</table>
</div>
<p>The ldap.transport directive is used to specify the transport used to communicate
with the LDAP server. The LDAP server can communicate over either TCP/IP or
SSL connections. </p>
<p>If ldap.transport is set to SSL, then the ldap.AppId directive must be
set, or HTTP Server will be unable to make the connection to the LDAP server. </p>
<blockquote><dl><dt class="dlterm"><strong>Parameter</strong>: <em>transport</em></dt>
<dd><ul><li> The <var class="varname">transport</var> parameter specifies the transport to
be used for communication with the LDAP server. Valid values are 'TCP' or
'SSL'.</li>
</ul>
</dd>
</dl>
</blockquote>
</div>
</div>
<div class="hr" id="ldapurl"><a name="ldapurl"><!-- --></a><h2 class="topictitle2">ldap.url</h2>
<div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ldap</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: ldap.url ldap://<var class="varname">hostname:port/baseDN </var></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: none</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: directory, .htaccess </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: AuthCfg</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: iSeries</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in
the configuration file prior to using the directive. The statement should
be as follows: <samp class="codeph">LoadModule ibm_ldap_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVLDAP.SRVPGM</samp></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: ldap.url ldap://www-6.ibm.com:1636/ou=Payroll,o=Company,c=US</td>
</tr>
</tbody>
</table>
</div>
<p>The ldap.url directive tells HTTP Server the location of the LDAP server
that is being used for authentication or configuration. Hostname is the hostname
of the LDAP server. The DNS name or the IP address is used to identify the
host where the LDAP server resides. The port is optional. If not specified,
port 389 will be assumed if using TCP/IP connections, and 636 will be used
for SSL connections to the LDAP server. The BaseDN provides the starting point
for searches of the LDAP directory. </p>
<p>This directive is required when using LDAP for authentication or configuration.
</p>
<p>The ldap.url directive will be used for all searches, unless a different
value is provided with the ldap.group.url directive. If an ldap.group.url
directive is present, its value is used to search for groups.</p>
<blockquote><dl><dt class="dlterm"><strong>Parameter One</strong>: <em>hostname</em></dt>
<dd><ul><li>The <var class="varname">hostname</var> parameter is the DNS name or IP address
of the host where the LDAP server is located.</li>
</ul>
</dd>
</dl>
<dl><dt class="dlterm"><strong>Parameter Two</strong>: <em>port</em></dt>
<dd><ul><li>The <var class="varname">port</var> parameter is the port on which the LDAP server
listens. It is optional. If not present, and the transport is TCP, the well-known
LDAP port 389 is assumed. If the transport is SSL, the well-known LDAP SSL
port 636 will be assumed.</li>
</ul>
</dd>
</dl>
<dl><dt class="dlterm"><strong>Parameter Three</strong>: <em>baseDN</em></dt>
<dd><ul><li>The <var class="varname">baseDN</var> parameter is the starting point for searches
of the LDAP directory.</li>
</ul>
</dd>
</dl>
</blockquote>
<div class="note"><span class="notetitle">Note:</span> The ldap.url value is case sensitive. For example, the following value
is not valid: <samp class="codeph">ldap.url LdaP://www-5.ibm.com/o=deltawing,c= au</samp>.
However, the following value is valid: <samp class="codeph">ldap.url ldap://www-5.ibm.com/o=deltawing,c=
au</samp>. </div>
</div>
</div>
<div class="hr" id="ldapuserauthtype"><a name="ldapuserauthtype"><!-- --></a><h2 class="topictitle2">ldap.user.authType</h2>
<div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ldap</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: ldap.user.authType <var class="varname">authtype</var></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: ldap.user.authType Basic </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: directory, .htaccess </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: AuthCfg </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: iSeries</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in
the configuration file prior to using the directive. The statement should
be as follows: <samp class="codeph">LoadModule ibm_ldap_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVLDAP.SRVPGM</samp></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: ldap.user.authType Basic</td>
</tr>
</tbody>
</table>
</div>
<p>The ldap.user.authtype directive is used to specify the method used to
authenticate the user requesting an HTTP resource to the LDAP server. Basic
is the only possible value. During basic authentication, the user is prompted
to enter a username and password. </p>
<blockquote><dl><dt class="dlterm"><strong>Parameter</strong>: <em>authtype</em></dt>
<dd><ul><li> The <var class="varname">authtype</var> parameter specifies the method used to
authenticate the user requesting an HTTP resource to the LDAP server. 'Basic'
is the only valid value.</li>
</ul>
</dd>
</dl>
</blockquote>
</div>
</div>
<div class="hr" id="ldapusernamefieldsep"><a name="ldapusernamefieldsep"><!-- --></a><h2 class="topictitle2">ldap.user.name.fieldSep</h2>
<div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ldap</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: ldap.user.name.fieldSep <var class="varname">"separators" </var></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: ldap.user.name.fieldSep " \t," </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: directory, .htaccess </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: AuthCfg</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: iSeries</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in
the configuration file prior to using the directive. The statement should
be as follows: <samp class="codeph">LoadModule ibm_ldap_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVLDAP.SRVPGM</samp></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: ldap.user.name.fieldSep " \t,/"</td>
</tr>
</tbody>
</table>
</div>
<p>The ldap.user.name.fieldSep directive specifies the characters that are
considered valid field separator characters when parsing the user name into
fields. The fields are then put into a filter and used on an LDAP search request.
For example, if '/' is the only valid field separator, and the user entered
"Joe Smith/Acme", then the first field is set to "Joe Smith" and the second
field is set to "Acme". </p>
<blockquote><dl><dt class="dlterm"><strong>Parameter</strong>: <em>separators</em></dt>
<dd><ul><li> The <var class="varname">separators</var> parameter is the valid separator characters
used to delimit fields.</li>
</ul>
</dd>
</dl>
</blockquote>
<p>If multiple occurrences of this directive are configured in a container,
only the last occurrence is processed. All other occurrences are ignored.</p>
</div>
</div>
<div class="hr" id="ldapusernamefilter"><a name="ldapusernamefilter"><!-- --></a><h2 class="topictitle2">ldap.user.name.filter</h2>
<div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ldap</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: ldap.user.name.filter <var class="varname">filter</var></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: ldap.user.name.filter(&amp;(objectclass=person)(|(cn=%v1
%v2)(uid=%v1)))</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: directory, .htaccess </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: AuthCfg</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: iSeries</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in
the configuration file prior to using the directive. The statement should
be as follows: <samp class="codeph">LoadModule ibm_ldap_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVLDAP.SRVPGM</samp></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: ldap.user.name.filter (&amp;(objectclass=person)(uid=%v1))</td>
</tr>
</tbody>
</table>
</div>
<p>The ldap.user.name.filter directive specifies the filter that is used to
convert, via an LDAP search request, a user name to a unique DN. The DN is
then used to authenticate the user making the HTTP request. The default value
is "(&amp;(objectclass=person)(|(cn=%v1 %v2)(uid=%v1))", where %v1 and %v2
are substitution variables for the words the user entered at the browser.
</p>
<p>This directive is used when ldap.user.authType is Basic. </p>
<blockquote><dl><dt class="dlterm"><strong>Parameter</strong>: <em>filter</em></dt>
<dd><ul><li> The <var class="varname">filter</var> parameter is a valid LDAP search filter
that will return a unique DN for a given user name.</li>
</ul>
</dd>
</dl>
</blockquote>
</div>
</div>
<div class="hr" id="ldapversion"><a name="ldapversion"><!-- --></a><h2 class="topictitle2">ldap.version</h2>
<div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ldap</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: ldap.version <var class="varname">version</var></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: ldap.version 3 </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: directory, .htaccess</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: AuthCfg</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: iSeries</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in
the configuration file prior to using the directive. The statement should
be as follows: <samp class="codeph">LoadModule ibm_ldap_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVLDAP.SRVPGM</samp></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: ldap.version 2</td>
</tr>
</tbody>
</table>
</div>
<p>The ldap.version directive is used to specify the version of LDAP to use
to communicate with the LDAP server. The default version used by HTTP Server
is version 3. If your LDAP server is not at version 3, use this directive
to set it to 2. </p>
<blockquote><dl><dt class="dlterm"><strong>Parameter</strong>: <em>version</em></dt>
<dd><ul><li> The <var class="varname">version</var> parameter specifies the version of the
LDAP to be used. Valid versions are '2' or '3'.</li>
</ul>
</dd>
</dl>
</blockquote>
</div>
</div>
<div class="hr" id="ldapwaittoretryconnectioninterval"><a name="ldapwaittoretryconnectioninterval"><!-- --></a><h2 class="topictitle2">ldap.waitToRetryConnection.interval</h2>
<div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ldap</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: ldap.waitToRetryConnection.interval <var class="varname">seconds</var></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: ldap.waitToRetryConnection.interval 30 </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: directory, .htaccess </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: AuthCfg</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: iSeries</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in
the configuration file prior to using the directive. The statement should
be as follows: <samp class="codeph">LoadModule ibm_ldap_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVLDAP.SRVPGM</samp></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: ldap.waitToRetryConnection.interval 60</td>
</tr>
</tbody>
</table>
</div>
<p>If an LDAP server is down, HTTP Server may have degraded performance because
it will be continually trying to connect. The ldap.waitToRetryConnection.interval
directive gives the length of time (in seconds) to wait between failed attempts
to connect to the LDAP server. </p>
<blockquote><dl><dt class="dlterm"><strong>Parameter</strong>: <em>seconds</em></dt>
<dd><ul><li> The <var class="varname">seconds</var> parameter is the length of time, in seconds,
for the server to wait between attempts to connect to the LDAP server.</li>
</ul>
</dd>
</dl>
</blockquote>
</div>
</div>
<div class="hr" id="configFile"><a name="configFile"><!-- --></a><h2 class="topictitle2">LDAPConfigFile</h2>
<div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ldap</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: LDAPConfigFile <var class="varname">filename</var></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: none</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: directory, .htaccess </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: AuthCfg</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: iSeries</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in
the configuration file prior to using the directive. The statement should
be as follows: <samp class="codeph">LoadModule ibm_ldap_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVLDAP.SRVPGM</samp></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: LDAPConfigFile /QIBM/UserData/HTTPA/ldap/ldapSvr1.conf</td>
</tr>
</tbody>
</table>
</div>
<p>The LDAPConfigFile directive provides a filename that contains the LDAP
directives necessary to access an LDAP server. It allows the LDAP directives
to be grouped into a file so they may easily be referenced in any container
in HTTP Server configuration file by using the LDAPConfigFile directive. An
example file can be found in /QIBM/ProdData/HTTPA/conf/ldap.prop </p>
<p>All LDAP directives except LDAPRequire may be put into the file. </p>
<blockquote><dl><dt class="dlterm"><strong>Parameter</strong>: <em>filename</em></dt>
<dd><ul><li> The <var class="varname">filename</var> parameter is the filename that contains
other LDAP directives.</li>
</ul>
</dd>
</dl>
</blockquote>
</div>
</div>
<div class="hr" id="ldaprequire"><a name="ldaprequire"><!-- --></a><h2 class="topictitle2">LDAPRequire</h2>
<div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_ibm_ldap</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: LDAPRequire<var class="varname"> type [groupname | filter]</var></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: none</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: directory, .htaccess </td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: AuthCfg</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: iSeries</td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__UsageConsiderations">Usage Considerations</a></strong>: A LoadModule is required in
the configuration file prior to using the directive. The statement should
be as follows: <samp class="codeph">LoadModule ibm_ldap_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVLDAP.SRVPGM</samp></td>
</tr>
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: LDAPRequire filter (&amp;(objectclass=person)(ou=Payroll)(cn=*))</td>
</tr>
</tbody>
</table>
</div>
<p>The LDAPRequire directive is used to restrict access to a resource controlled
by LDAP authentication to members of a group. It can either use groups defined
in LDAP by using the "group" parameter, or it can use an LDAP filter to assemble
a group of users with a similar quality. </p>
<p>The LDAPRequire directive may not be put into an LDAP configuration file,
it must be in the server configuration file. For LDAP, this can be used instead
of the GroupFile directive. For more information, see the<a href="rzaiemod_as_auth.htm#groupfile">GroupFile</a> directive.</p>
<blockquote><dl><dt class="dlterm"><strong>Parameter One</strong>: <em>type</em></dt>
<dd><ul><li> Valid values for the <var class="varname">type</var> parameter include 'group'
or 'filter'.</li>
<li> Group should be used for LDAP group entries.</li>
<li> Filter should be used when grouping users by other qualities.</li>
</ul>
</dd>
</dl>
<dl><dt class="dlterm"><strong>Parameter Two</strong>: <em>groupname | filter</em></dt>
<dd><ul><li> The <var class="varname">groupname</var> parameter is the name of a group as
defined in the LDAP directory.</li>
<li> The <var class="varname">filter</var> parameter is a valid filter that may be
used to determine if a user meets qualifications to be authenticated.</li>
</ul>
</dd>
</dl>
</blockquote>
</div>
</div>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink