IBM HTTP Server for WebSphere Application Server, Version 6.1
Operating Systems: z/OS

This topic applies only to z/OS operating systems.

Authenticating with LDAP on IBM HTTP Server (z/OS systems)

You can configure Lightweight Directory Access Protocol (LDAP) to authenticate and protect files on IBM HTTP Server for z/OS.

Before you begin

The LoadModule directive for LDAP does not load into IBM HTTP Server by default. Without the LoadModule directive, the LDAP features are not available for use.

To enable the LDAP function, add the following LoadModule directives to the IBM HTTP Server httpd.conf file:
LoadModule ldap_module modules/mod_ldap.so
LoadModule auth_ldap_module modules/mod_auth_ldap.so

About this task

LDAP authentication is provided by the mod_ldap and mod_auth_ldap Apache modules. The two modules are configured in conjunction.
  • The mod_ldap module provides LDAP connection pooling and caching.
  • The mod_auth_ldap module uses the LDAP connection pooling and caching services to provide Web client authentication.
See the following Web sites to obtain detailed descriptions of the LDAP (ldap_module and auth_ldap_module) directives:

Procedure

  1. Edit the httpd.conf IBM HTTP Server configuration file.
  2. Determine the resource you want to limit access to. For example: <Directory "/secure_info">
  3. Add the LDAPTrustedCA and LDAPTrustedCAType directives to httpd.conf if the IBM HTTP Server connection to the LDAP server is an SSL connection.

    The LDAPTrustedCA directive specifies the directory path and file name of the trusted certificate authority (CA) that mod_ldap should use when establishing an SSL connection to an LDAP server.

    Certificates can be stored in a .kdb file or a SAF key ring. If a .kdb file is used, a .sth file must be located in the same directory path and have the same filename, but the extension must be .sth instead of .kdb.

    The LDAPTrustedCAType directive must be one of the following value types defined for z/OS only:
    • KDB_FILE. Use this value if the certificates indicated by the LDAPTrustedCA directive are stored in a .kdb file.
    • SAF_KEYRING. Use this value if the certificates indicated by the LDAPTrustedCA directive are stored in a SAF key ring.
    Example when the certificate is stored in a .kdb file:
    LDAPTrustedCA "/usr/lpp/internet/server4.kdb"
    LDAPTrustedCAType KDB_FILE
    
    Example when the certificate is stored in a SAF key ring:
    LDAPTrustedCA SAFKeyring
    LDAPTrustedCAType  SAF_KEYRING
    Important: The user ID that you use to start IBM HTTP Server must have access to the SAF key ring that you name in this directive. If the user ID does not have access to the SAF key ring, SSL initialization fails.
    See Performing required z/OS system configurations for information on accessing SAF key rings defined in RACF.
  4. Add the AuthLDAPUrl directive, which specifies the LDAP search parameters to use.
    The syntax of the URL is:
    ldap://host:port/basedn?attribute?scope?filter
    
  5. Add directives in httpd.conf to the directory location (container) to be protected with values specific to your environment, such as:
    • Order deny,allow
    • Allow from all
    • AuthLDAPEnabled on
    • AuthName "Title of your protected Realm"
    • AuthType Basic
    • AuthLDAPURL your_ldap_url
    • Require valid-user
    • AuthLDAPBindDN "cn=Directory Manager"
    • AuthLDAPBindPassword auth_password
    For each combination of LDAP server, protection setup, and protect directive, code a Location container similar to the following example:
    <Location  /ldapdir>
      Order deny,allow
      Allow from all
      AuthLDAPEnabled on
      AuthName "whatever_LDAP"
      AuthType Basic
      AuthLDAPURL ldap://9.27.163.182:389/o=abc.xyz.com?cn?sub?
      Require valid-user
      AuthLDAPBindDN "cn=Directory Manager"
      AuthLDAPBindPassword d44radar
    </Location>
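
The following Python script is an added example, not part of the original documentation or of IBM HTTP Server: it parses the AuthLDAPURL syntax from step 4 and checks httpd.conf text against the conditions this procedure describes. The function names are hypothetical, the default port, attribute, scope and filter are those documented for Apache mod_auth_ldap and assumed to apply here, and the sample host and password are constructed placeholders.

```python
import re

# Defaults documented for Apache mod_auth_ldap; assumed to apply to IBM HTTP Server as well.
DEFAULT_PORT = {"ldap": 389, "ldaps": 636}

def parse_auth_ldap_url(url):
    """Split ldap://host:port/basedn?attribute?scope?filter into its fields."""
    m = re.match(r"(ldaps?)://([^/:?]+)(?::(\d+))?/([^?]*)\??(.*)$", url.strip('"'), re.I)
    if not m:
        raise ValueError("not an LDAP URL: %r" % url)
    scheme, host, port, basedn, rest = m.groups()
    attr, scope, flt = (rest.split("?", 2) + ["", ""])[:3]
    return {"scheme": scheme.lower(), "host": host, "basedn": basedn,
            "port": int(port or DEFAULT_PORT[scheme.lower()]),
            "attribute": attr or "uid", "scope": scope or "sub",
            "filter": flt or "(objectClass=*)"}

def audit(conf_text):
    """Return a list of findings for httpd.conf text (directive names are case-insensitive)."""
    d = {}
    for line in conf_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0][0] not in "#<":
            d.setdefault(parts[0].lower(), []).append(parts[1].strip())
    loaded = {v.split()[0] for v in d.get("loadmodule", [])}
    findings = ["LoadModule line for %s is missing" % m
                for m in ("ldap_module", "auth_ldap_module") if m not in loaded]
    ca = d.get("ldaptrustedca", [""])[-1].strip('"')
    ca_type = d.get("ldaptrustedcatype", [""])[-1]
    for url in d.get("authldapurl", []):
        u = parse_auth_ldap_url(url)
        if u["scheme"] == "ldap":
            findings.append("%s: ldap:// sends passwords to the LDAP server unencrypted" % u["host"])
        elif not ca or ca_type not in ("KDB_FILE", "SAF_KEYRING"):
            findings.append("%s: ldaps:// needs LDAPTrustedCA and LDAPTrustedCAType" % u["host"])
    if ca_type == "KDB_FILE" and not ca.endswith(".kdb"):
        findings.append("LDAPTrustedCAType is KDB_FILE but LDAPTrustedCA is not a .kdb file")
    if "authldapbindpassword" in d:
        findings.append("bind password is stored in clear text in httpd.conf")
    return findings

# Constructed sample (placeholder host and password), modelled on the Location example.
SAMPLE = """LoadModule ldap_module modules/mod_ldap.so
<Location /ldapdir>
  AuthLDAPURL ldap://ldap.example.com/o=abc.xyz.com?cn?sub?
  AuthLDAPBindPassword placeholder_password
</Location>"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The bind password value is never echoed in the findings, so the output can be attached to a review ticket.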



Related concepts
Lightweight Directory Access Protocol
SSL certificate revocation list

Last updated: Feb 19, 2009 4:14:16 PM CST
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.ihs.doc/info/ihs/ihs/tihs_ldapconfigz.html