These configuration parameters control the Lightweight Directory
Access Protocol (LDAP) feature in IBM HTTP Server.
LdapCodepageDir directive
The LdapCodepageDir directive specifies the full path to the codepages directory that is installed with IBM HTTP Server.
Syntax | ldap.CodepageDir <full_path_to_codepages_directory>
Scope | Global server or virtual host
Default | <server_root>/codepages
Module | mod_ibm_ldap
Multiple instances in the configuration file | One instance in global configuration.
LDAPRequire directive
The LDAPRequire directive is used to restrict access to a resource that is controlled by LDAP authentication to a specified collection of users. It can either use groups that are defined in LDAP by using the group type, or it can use an LDAP filter type to designate a collection of users with a similar set of attribute values.
Syntax | LDAPRequire filter <filter name> or LDAPRequire group <group1 [group2 group3 ...]>
Scope | Single instance per directory stanza
Default | None
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | LDAPRequire filter "(&(objectclass=person)(cn=*)(ou=IHS)(o=IBM))", or LDAPRequire group "sample group". Use this directive in the httpd.conf file.
If the group type is used, and multiple group values are specified, the group validation is a logical AND of the groups: a user must be a member of sample Group1 and sample Group2. If a logical OR of groups is required, for example, if a user may be a member of either sample Group1 or sample Group2, then a new LDAP group, our department group, should be created on the LDAP server that has sample Group1 and sample Group2 as its members. You would then use the directive: LDAPRequire group our Department Group.
Ldap.group.URL directive
The ldap.group.URL directive specifies a different location for a group on the same LDAP server. You cannot use this directive to specify a different LDAP server from that specified in the ldap.URL directive.
Syntax | ldap.group.URL = ldap://<hostname:port>/<BaseDN>
Scope | Single instance per directory stanza
Default | None
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values |
- host name: Host name of the LDAP server.
- port number: Optional port number on which the LDAP server listens. The default for TCP connections is 389. If you use SSL, you must specify the port number.
- BaseDN: Provides the root of the LDAP tree in which to perform the search for groups.
Attention: This property becomes required if the LDAP URL for groups differs from the URL specified by the ldap.URL property.
Ldap.LdapReferralhoplimit directive
The ldap.LdapReferralHopLimit directive indicates the maximum number of referrals to follow. LDAP authentication will fail if the specified limit is exceeded.
Syntax | ldap.LdapReferralHopLimit = <number_of_hops>
Scope | Single instance per directory stanza
Default | 10
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | 0 to 10
Set the LdapReferrals directive on to use the LdapReferralhoplimit directive.
Important: An LdapReferralhoplimit value of 0 causes authentication to fail if any referrals are encountered. The LdapReferralhoplimit directive is not meaningful when the LdapReferrals directive is off (default).
Ldap.user.cert.filter directive
The ldap.user.cert.filter directive indicates the filter used to convert the information in the client certificate passed over Secure Sockets Layer (SSL) to a search filter for an LDAP entry.
Syntax | ldap.user.cert.filter=(&(objectclass=person)(cn=%v1))
Scope | Single instance per directory stanza
Default | "(&(objectclass=person) (cn=%v1, ou=%v2, o=%v3,c=%v4))"
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | An LDAP filter. See Querying the LDAP server using LDAP search filters.
Secure Sockets Layer (SSL) certificates include the following fields, all of which you can convert to a search filter:
Certificate field | Variable
common name | %v1
organizational unit | %v2
organization | %v3
country | %v4
locality | %v5
state or country | %v6
serial number | %v7
When you generate the search filter, you can find the field values in the matching variable fields (%v1, %v2). The following table shows the conversion:
User certificate | Filter conversion
Certificate | cn=Road Runner, o=Acme Inc, c=US
Filter | (cn=%v1, o=%v3, c=%v4)
Resulting query | (cn=RoadRunner, o=Acme, Inc, c=US)
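The following Python is an added illustration of the %v1..%v7 substitution described above; it is not mod_ibm_ldap's code, and the page does not say how the server itself escapes certificate values. It assumes %v6 corresponds to the ST subject attribute, and it escapes each value per RFC 4515 so that a certificate field containing filter metacharacters such as "*" or "(" is matched literally instead of altering the query.

```python
import re

# %vN variables from the certificate-field table above, keyed by the subject
# attribute type as it appears in the certificate DN. Mapping %v6 to the ST
# (state/province) attribute is an assumption made for this example.
FIELD_VARS = {
    "cn": 1, "ou": 2, "o": 3, "c": 4, "l": 5, "st": 6, "serialnumber": 7,
}

# RFC 4515: these characters must be written as a backslash plus two hex digits
# inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def parse_subject_dn(dn):
    """Split 'cn=Road Runner, o=Acme Inc, c=US' into a dict keyed by the
    lowercase attribute type. Assumes the DN contains no escaped commas."""
    fields = {}
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        if sep:
            fields[attr.strip().lower()] = value.strip()
    return fields


def escape_filter_value(value):
    """Escape a certificate value so the LDAP server compares it literally
    rather than treating it as a wildcard or as filter structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_cert_filter(template, subject_dn):
    """Substitute %v1..%v7 in an ldap.user.cert.filter template with the
    escaped field values of the client certificate subject. A variable whose
    field is absent from the certificate expands to an empty string."""
    fields = parse_subject_dn(subject_dn)
    values = {n: escape_filter_value(fields.get(attr, ""))
              for attr, n in FIELD_VARS.items()}
    # Single pass with a callback: a substituted value that happens to contain
    # the text "%v2" is never expanded a second time.
    return re.sub(r"%v([1-7])", lambda m: values[int(m.group(1))], template)


if __name__ == "__main__":
    # Constructed sample subject, modelled on the table above.
    print(build_cert_filter("(cn=%v1, o=%v3, c=%v4)",
                            "cn=Road Runner, o=Acme Inc, c=US"))
```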
Ldap.version directive
The ldap.version directive indicates the version of the LDAP protocol used to connect to the LDAP server. The protocol version used by the LDAP server determines the LDAP version.
Attention: This directive is optional.
Syntax | ldap.version=3
Scope | Single instance per directory stanza
Default | ldap.version=3
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | 2 or 3
Ldap.waitToRetryConnection.interval directive
The ldap.waitToRetryConnection.interval directive indicates the time the Web server waits between failed attempts to connect. If an LDAP server goes down, the Web server continues to try to connect.
Syntax | ldap.waitToRetryConnection.interval=<secs>
Scope | Single instance per directory stanza
Default | 300
Module | mod_ibm_ldap
Multiple instances in the configuration file | yes
Values | Time (in seconds)