This article contains information to help with migration from existing directives that use the mod_ibm_ldap module to the use of the open source LDAP modules (mod_authnz_ldap and mod_ldap). Migration will ensure future support for your LDAP configuration.
The open source LDAP features are provided by two modules. The AuthLDAP directives are provided by the mod_authnz_ldap module and the LDAP directives are provided by the mod_ldap module. Both modules need to be loaded for the LDAP features to be available. Throughout the following section the generic name, mod_ldap, is used to reference the open source LDAP modules.
The mod_ldap module does not provide a directive for specifying a codepages directory. The codepages directory is automatically installed in the correct directory, and the codepages directory cannot be moved from its installed location.
ldapCodePageDir /location/of/codepages
The mod_ldap module does not provide a directive for specifying an LDAP configuration file. If you want to keep your LDAP configuration in a separate file, use the Apache Include directive instead. Migrate from this:
ldapConfigFile ldap.prop
to this:
Include /location/of/ldap_conf/apache_ldap.conf
Another way to migrate the mod_ibm_ldap ldapConfigFile directive is to use the AuthnProviderAlias container provided by the mod_authn_alias module to create one or more groupings of LDAP directives, and then reference the alias labels wherever those groupings are required.
The Require directive, extended by mod_authnz_ldap with LDAP-specific requirements, controls who is authorized after LDAP authentication.
If you previously used require valid-user with IBM HTTP Server, you can leave that directive in place unchanged. For tighter authorization, migrate require valid-user to a more specific form. For details, see the Apache documentation for the ldap-user, ldap-dn, ldap-attribute, ldap-group, ldap-filter, and valid-user requirements. Note two differences visible in the example: require ldap-filter takes the filter without its outer parentheses, and require ldap-group takes the full DN of the group rather than its name. Migrate from this:
LdapRequire filter "(&(objectclass=person)(cn=*)(ou=OurUnit)(o=OurOrg))"
LdapRequire group MyDepartment
to this:
require ldap-filter &(objectclass=person)(cn=*)(ou=OurUnit)(o=OurOrg)
require ldap-group cn=MyDepartment,o=OurOrg,c=US
The mod_ldap module does not provide a directive for specifying an application authentication type. If a value is specified for the AuthLDAPBindDN directive, the server binds with that DN and password (the equivalent of the Basic type). If no AuthLDAPBindDN is specified, the server binds anonymously, which corresponds to the None authentication type of the mod_ibm_ldap module.
ldap.application.authType=[None | Basic | Cert]
The mod_ldap module provides the AuthLDAPBindDN directive to specify the DN that the server binds with; the application authentication type follows from it. If a value is specified for AuthLDAPBindDN, the equivalent of authType Basic is in effect. If AuthLDAPBindDN is not specified, the equivalent of authType None (an anonymous bind) is in effect. If a value is specified for the LDAPTrustedClientCert directive, the equivalent of authType Cert is in effect. Migrate from this:
ldap.application.DN=cn=ldapadm,ou=OurDirectory,o=OurCompany,c=US
to this:
AuthLDAPBindDN "cn=ldapadm,ou=OurDirectory,o=OurCompany,c=US"
The mod_ldap module provides the AuthLDAPBindPassword directive to specify the bind password. The value is stored in the configuration file in plain text, so restrict read access to the configuration file (for example, to the user that starts the server). Migrate from this:
ldap.application.password=mypassword
to this:
AuthLDAPBindPassword mypassword
The mod_ldap module does not provide a directive for stashing the password. The directive AuthLDAPBindPassword is the only means to specify a password, and the value is stored in the configuration file in plain text. Therefore, you should restrict access to the configuration file.
ldap.application.password.stashfile=/path/to/stashfile.sth
The mod_ldap module provides the LDAPCacheTTL directive to specify a timeout for the LDAP cache. The LDAPCacheTTL directive is globally scoped: it must appear in the main server configuration, outside any container. This differs from the mod_ibm_ldap module, whose ldap.cache.timeout directive could appear anywhere in the configuration file. Migrate from this:
ldap.cache.timeout=60
to this:
LDAPCacheTTL 60
The default value is 600 seconds.
The mod_ldap module provides the AuthLDAPSubGroupClass directive to specify the object classes which identify groups. For the mod_ibm_ldap module all values were specified on a single directive line; but for the mod_ldap module, the values can either be specified all on one line or on multiple lines, with the directive and one value on each line.
Migrate from this:
ldap.group.dnattributes=groupOfNames GroupOfUniqueNames
to this:
AuthLDAPSubGroupClass groupOfNames
AuthLDAPSubGroupClass groupOfUniqueNames
These are the default values.
The mod_ldap module provides the AuthLDAPSubGroupAttribute directive to specify the labels which identify the subgroup members of the current group. For the mod_ibm_ldap module, you could only specify one label; but for the mod_ldap module, you can specify multiple labels either by listing all of the labels in one directive line or by providing multiple directive lines, with each label on a separate directive line.
Migrate from this:
ldap.group.memberattribute=member
to this:
AuthLDAPSubGroupAttribute member
AuthLDAPSubGroupAttribute uniqueMember
The mod_ldap module provides the AuthLDAPGroupAttribute directive to specify the labels which identify any member of the current group, such as a user or subgroup. For the mod_ibm_ldap module, you specified all labels on one directive line; but for the mod_ldap module, you may either specify them all on one directive line or specify each label on a separate directive line.
Migrate from this:
ldap.group.memberattributes=member uniqueMember
to this:
AuthLDAPGroupAttribute member
AuthLDAPGroupAttribute uniqueMember
The mod_ldap module does not provide a directive to specify separate user and group filters. The mod_ldap module uses the filter that is provided at the end of the AuthLDAPURL directive. You can use the AuthnProviderAlias container directive, which is provided by the mod_authn_alias module, to create separate my_ldap_user_alias and my_ldap_group_alias aliases containing the required ldap directives. You can then use your group alias in locations where authorization is controlled by way of group membership.
ldap.group.name.filter=(&(cn=%v1)(|(objectclass=groupofnames)(objectclass=groupofuniquenames)))
The mod_ldap module provides the AuthLDAPMaxSubGroupDepth directive to limit the recursive depth pursued before stopping attempts to locate a user within nested groups.
Migrate from this:
ldap.group.search.depth=5
to this:
AuthLDAPMaxSubGroupDepth 5
The default value is 10.
The mod_ldap module does not provide a directive for specifying a separate LDAP server for group authorization, distinct from the server used to authenticate users.
Instead, specify the group LDAP server in the AuthLDAPURL directive of the container whose authorization depends on group membership, and make sure that each such AuthLDAPURL carries the correct filter for its groups. The mod_ibm_ldap directives with no direct equivalent are:
ldap.group.URL=ldap://groups_ldap.server.org:389/o=OurOrg,c=US
ldap.group.URL=ldaps://groups_ldap.server.org:636/o=OurOrg,c=US
The mod_ldap module does not provide a directive for specifying when established connections to the LDAP server, that have gone idle, should timeout. The mod_ldap module automatically detects when the LDAP server expires connections, but does not cause connections to expire.
ldap.idleConnection.timeout=60
If no password is specified in the LDAPTrustedGlobalCert directive, the mod_ldap module automatically uses a /path/to/keyfile.sth file (assuming that /path/to/keyfile.kdb is the keyfile that is specified in the LDAPTrustedGlobalCert directive).
For information about how to specify the keyfile password, see the Apache information for the LDAPTrustedGlobalCert directive. The value is stored in the configuration file in plain text. Therefore, you should restrict access to the configuration file.
ldap.key.file.password.stashfile=/path/to/ldap.sth
The mod_ldap module provides the LDAPTrustedGlobalCert directive to specify the keyfile to use when loading certificates. The keyfile password is given on the same directive, in plain text in the configuration file, so restrict read access to the configuration file. Migrate from this:
ldap.key.filename=/path/to/keyfile.kdb
to this:
LDAPTrustedGlobalCert CMS_KEYFILE /path/to/keyfile.kdb myKDBpassword
or, for a SAF keyring:
LDAPTrustedGlobalCert SAF saf_keyring
The mod_ldap module provides the LDAPTrustedClientCert directive to specify which certificate to use from the KDB keyfile. If the default certificate is used, you do not need to specify this directive. Migrate from this:
ldap.key.label=certname_from_kdb
to this:
LDAPTrustedClientCert CMS_LABEL certname_from_kdb
The mod_ldap module provides the LDAPReferralHopLimit directive to limit the number of referrals to chase before stopping attempts to locate a user in a distributed directory tree.
Migrate from this:
ldapReferralHopLimit 5
to this:
LDAPReferralHopLimit 5
The default value is 5.
The mod_ldap module provides the LDAPReferrals directive to enable or disable referral chasing when locating users in a distributed directory tree.
Migrate from this:
ldapReferrals On
to this:
LDAPReferrals On
The default value is On.
The AuthName directive, which is part of Apache itself rather than of mod_ldap, specifies the authentication realm. Migrate from this:
ldap.realm=Some identifying text
to this:
AuthName "Some identifying text"
The mod_ldap module provides the LDAPSearchTimeout directive to specify when a search request should be abandoned.
Migrate from this:
ldap.search.timeout=10
to this:
LDAPSearchTimeout 10
The default value is 10 seconds.
The mod_ldap module provides the LDAPTrustedMode directive to specify the type of network transport to use when communicating with the LDAP server.
If an ldaps:// URL is specified on the AuthLDAPURL directive, the mode becomes SSL and the LDAPTrustedMode setting is ignored. For more information, see the Apache documentation for the LDAPTrustedMode and AuthLDAPURL directives. Migrate from this:
ldap.transport=TCP (or SSL)
to this:
LDAPTrustedMode NONE (or SSL)
The mod_ldap module provides the AuthLDAPURL directive for specifying the LDAP server host name and port, as well as the base DN to use when connecting to the server. The same directive also carries the user attribute, search scope, user filter, and (through the ldap:// or ldaps:// scheme) the transport mode. For more information, see the Apache documentation for the AuthLDAPURL directive. Migrate from this:
ldap.URL=ldap://our_ldap.server.org:389/o=OurOrg,c=US
ldap.URL=ldaps://our_ldap.server.org:636/o=OurOrg,c=US
to this:
AuthLDAPURL ldap://our_ldap.server.org:389/o=OurOrg,c=US?cn?sub?(objectclass=person)
AuthLDAPURL ldaps://our_ldap.server.org:636/o=OurOrg,c=US?cn?sub?(objectclass=person)
The mod_ldap module does not provide a directive for specifying a user authentication type. The mod_ldap module authenticates users based on the user ID and password credentials provided.
ldap.user.authType=Basic [Basic | Cert | BasicIfNoCert]
The mod_ldap module does not provide a directive for filtering client certificates. The mod_ldap module does not work directly with client certificates.
ldap.user.cert.filter=(&(objectclass=person)(cn=%v1)(ou=%v2)(o=%v3)(c=%v4))
The mod_ldap module does not provide a directive for parsing provided credentials into subcomponents. The mod_ibm_ldap module uses the ldap.user.name.fieldSep directive to specify the separator characters used to parse the credentials into the %v1, %v2, ...%vN tokens.
ldap.user.name.fieldSep=/ ,
The mod_ldap module does not provide a directive for specifying the user name filter. The mod_ldap module specifies the user name filter as part of the AuthLDAPURL directive.
The AuthLDAPURL directive combines the user attribute specified in the directive with the provided filter to create the search filter. The provided filter follows the standard search filter specification. The mod_ldap module also does not provide the %vx token parsing function available for the mod_ibm_ldap module.
ldap.user.name.filter=(&(objectclass=person)(cn=%v1 %v2))
The mod_ldap module does not provide a directive for specifying the LDAP version. The mod_ldap module uses only LDAP version 3.
ldap.version=2 (or 3)
The mod_ldap module does not provide a directive for specifying an amount of time before retrying a failed connection attempt. The mod_ldap module does not have a timed delay between connection retries when a connection attempt fails. The connection attempt is automatically retried for a maximum of 10 times before a request fails.
When a new request needs to access the same LDAP server, the connection is retried for a maximum of 10 times again. The retry throttle is based on the volume of new requests sent to the LDAP server.
ldap.waitToRetryConnection.interval=300
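The directive-by-directive mapping above, collected into a small migration helper. This is an added example written for this article, not IBM or Apache code, and it makes a few assumptions: the old directives are read as ldap.prop-style name=value lines plus httpd.conf-style name value lines (LdapRequire and the ldap* directives); the AuthLDAPURL attribute and filter default to cn and (objectclass=person), as in the example above, and only a user name filter of the form (&(term)(attr=%v1)) is folded into AuthLDAPURL automatically; a group named in LdapRequire group is assumed to live at cn=name directly under the search base, as in the cn=MyDepartment,o=OurOrg,c=US example; the /secure location in the printed output is a placeholder; and the warning texts are short summaries of what this article says to do for directives that have no mod_ldap equivalent.

```python
"""Translate mod_ibm_ldap directives into mod_authnz_ldap/mod_ldap ones (added for this article; not an IBM or Apache tool)."""
import re

# mod_ldap directives (GLOBAL) are server-config only; mod_authnz_ldap ones (LOCAL) go in the container.
GLOBAL = {
    "ldap.cache.timeout": "LDAPCacheTTL {v}",
    "ldap.search.timeout": "LDAPSearchTimeout {v}",
    "ldapReferrals": "LDAPReferrals {v}",
    "ldapReferralHopLimit": "LDAPReferralHopLimit {v}",
    "ldap.key.filename": "LDAPTrustedGlobalCert CMS_KEYFILE {v}",
}
LOCAL = {
    "ldap.application.DN": 'AuthLDAPBindDN "{v}"',
    "ldap.application.password": "AuthLDAPBindPassword {v}",
    "ldap.realm": 'AuthName "{v}"',
    "ldap.group.search.depth": "AuthLDAPMaxSubGroupDepth {v}",
    "ldap.group.dnattributes": "AuthLDAPSubGroupClass {v}",
    "ldap.group.memberattribute": "AuthLDAPSubGroupAttribute {v}",
    "ldap.group.memberattributes": "AuthLDAPGroupAttribute {v}",
    "ldap.key.label": "LDAPTrustedClientCert CMS_LABEL {v}",
}
# No mod_ldap equivalent according to the article; the note summarizes what to do instead.
UNSUPPORTED = {
    "ldapCodePageDir": "codepages directory is fixed at install time",
    "ldapConfigFile": "Include a file holding the new directives instead",
    "ldap.application.authType": "implied by whether AuthLDAPBindDN is set",
    "ldap.application.password.stashfile": "AuthLDAPBindPassword only; restrict the config file",
    "ldap.key.file.password.stashfile": "password goes on LDAPTrustedGlobalCert, else <keyfile>.sth is used",
    "ldap.group.name.filter": "use an AuthnProviderAlias with its own AuthLDAPURL",
    "ldap.group.URL": "put the group server in that container's AuthLDAPURL",
    "ldap.idleConnection.timeout": "mod_ldap does not expire idle connections",
    "ldap.user.authType": "mod_ldap authenticates with user ID and password only",
    "ldap.user.cert.filter": "mod_ldap does not handle client certificates",
    "ldap.user.name.fieldSep": "no %vN token parsing in mod_ldap",
    "ldap.version": "mod_ldap always uses LDAP version 3",
    "ldap.waitToRetryConnection.interval": "retries are immediate, at most 10 per request",
}
WORD_SPLIT = ("LdapRequire", "ldapReferral", "ldapCodePageDir", "ldapConfigFile")  # "name value" style


def migrate(lines):
    """Return {'global': [...], 'local': [...], 'warnings': [...]} for httpd.conf/ldap.prop lines."""
    out = {"global": [], "local": [], "warnings": []}
    url, transport, groups = None, None, []
    attr, filt = "cn", "(objectclass=person)"  # AuthLDAPURL defaults, as in the article's example
    for line in (raw.strip() for raw in lines if raw.strip() and not raw.lstrip().startswith("#")):
        key, _, val = line.partition(" " if line.startswith(WORD_SPLIT) else "=")  # else "name=value"
        key, val = key.strip(), val.strip()
        if key in GLOBAL:
            out["global"].append(GLOBAL[key].format(v=val))
        elif key in LOCAL:
            out["local"].append(LOCAL[key].format(v=val))
        elif key in UNSUPPORTED:
            out["warnings"].append(f"{key}: {UNSUPPORTED[key]}")
        elif key == "ldap.URL":
            url = val
        elif key == "ldap.transport":
            transport = val.upper()
        elif key == "ldap.user.name.filter":
            # Only "(&(<static term>)(<attr>=%v1))" maps onto AuthLDAPURL; other %vN forms are flagged.
            m = re.fullmatch(r"\(&(\(\w+=[^()%]*\))\((\w+)=%v1\)\)", val)
            if m:
                filt, attr = m.groups()
            else:
                out["warnings"].append(f"{key}: not expressible in AuthLDAPURL; keeping {attr}?sub?{filt}")
        elif key == "LdapRequire":
            kind, _, arg = val.partition(" ")
            arg = arg.strip().strip('"')
            if kind == "filter":  # Require ldap-filter omits the filter's outer parentheses
                out["local"].append("Require ldap-filter " + (arg[1:-1] if arg[:1] + arg[-1:] == "()" else arg))
            elif kind == "group":
                groups.append(arg)  # turned into a full DN once the base DN is known
        else:
            out["warnings"].append(f"{key}: unknown directive, not migrated")
    if url is None:
        out["warnings"].append("ldap.URL missing: AuthLDAPURL must be written by hand")
        return out
    base = url.split("/", 3)[3] if url.count("/") >= 3 else ""  # base DN after host:port/
    out["local"].insert(0, f"AuthLDAPURL {url}?{attr}?sub?{filt}")
    for g in groups:  # assumption: groups are cn=<name> directly under the base DN, as in the article
        out["local"].append(f"Require ldap-group cn={g},{base}")
    if transport and not url.startswith("ldaps://"):  # an ldaps:// URL forces SSL and ignores LDAPTrustedMode
        out["global"].append("LDAPTrustedMode " + ("NONE" if transport == "TCP" else transport))
    return out


SAMPLE = [  # constructed input mirroring the article's examples
    "ldap.URL=ldaps://our_ldap.server.org:636/o=OurOrg,c=US",
    "ldap.application.DN=cn=ldapadm,ou=OurDirectory,o=OurCompany,c=US",
    "ldap.application.password.stashfile=/path/to/stashfile.sth",
    "ldap.cache.timeout=60",
    'LdapRequire filter "(&(objectclass=person)(cn=*)(ou=OurUnit)(o=OurOrg))"',
    "LdapRequire group MyDepartment",
]

if __name__ == "__main__":
    r = migrate(SAMPLE)
    print("\n".join(r["global"] + ["<Location /secure>"] + ["    " + d for d in r["local"]] + ["</Location>"]))
    print("\n".join("# WARNING " + w for w in r["warnings"]))
```

Run as a script it prints the migrated block for the constructed sample; to use it on a real configuration, pass the lines of ldap.prop followed by the LdapRequire lines from httpd.conf. Treat every warning as a directive that this article says you must handle by hand, and keep the lines it reports as global in the main server configuration, outside any container, as noted for LDAPCacheTTL above.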