Protecting Files or Directories Using User or Group Information on an LDAP Server
To define by user:
Launch the IBM Administration Server. Go to Access Permissions > General Access
and enter the LdapConfigFile path (for example, C:/Program Files/IBM HTTP Server/conf/ldap.prop) in the
LDAP configuration file field. This file is required.
Enter the authentication realm name for the directory in the Authentication realm name field.
To define by group:
LDAPRequire group "group_name"
Example: LDAPRequire group "Administrative Users"
Note: LDAPRequire works only if it is inserted manually into httpd.conf.
Using Keyring Files
When LDAP is configured to use SSL for communicating with the LDAP server,
mod_ibm_ssl and mod_ibm_ldap MUST use the same keyring file. If you allow SSL connections to the
Web server and also use SSL as the transport between the Web server and the LDAP server,
the keyring files used by the two modules can be merged into one keyring file.
The configuration of each module can still specify a different default certificate.
SSL and the LDAP Module
When using SSL between the LDAP module and the LDAP Directory Server,
the key database file must have write permission. The key database file
contains the certificates that establish one's identity, and in a secure
environment the LDAP server may require the Web server to present a
certificate before it can query the LDAP server for authentication information.
The key database file must be writable by whatever Unix user ID the Web
server runs as. For example, if the Web server runs as Unix user
"user ID", then the key database file should be owned by user "user ID" and
must have write permission for that user.
Certificates establish one's identity; therefore, it is important that one's
certificates not be stolen or overwritten by someone else's certificates.
If someone has read permission to the key database file, they can
retrieve the user's certificates and masquerade as that user. Hence,
no one but the owner of the key database file should have read
or write permission to it.
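The ownership and permission rule above can be checked before the Web server is started. The following POSIX shell function is an added example, not part of the IBM documentation: it takes the path of a key database file and the Unix user the Web server runs as (both supplied by the caller; the names used in the usage comment are illustrative), and reports whether the file is owned by that user with read and write access for the owner only (mode 600).

```shell
#!/bin/sh
# Added example (not from the IBM documentation): verify that a key database
# file is owned by the Web server's Unix user and is readable and writable by
# that user only, as the text above requires.
#
# Usage: check_key_db_perms /path/to/key.kdb webserver_user
#   (path and user name are placeholders supplied by the caller)
# Returns 0 when the file satisfies the rule, 1 otherwise, printing the reason.
check_key_db_perms() {
    kdb="$1"
    expected_owner="$2"
    if [ ! -f "$kdb" ]; then
        echo "FAIL: $kdb does not exist or is not a regular file"
        return 1
    fi
    # ls -ld prints e.g. "-rw------- 1 wwwuser wwwgrp 1024 Jan 1 10:00 key.kdb";
    # field 1 is the mode string and field 3 is the owner name.
    mode=$(ls -ld "$kdb" | awk '{print $1}')
    owner=$(ls -ld "$kdb" | awk '{print $3}')
    if [ "$owner" != "$expected_owner" ]; then
        echo "FAIL: $kdb is owned by '$owner', expected '$expected_owner'"
        return 1
    fi
    # Characters 2-4 of the mode string are the owner bits; the module needs
    # both read and write on the file.
    owner_bits=$(printf '%s' "$mode" | cut -c2-4)
    case "$owner_bits" in
        rw*) ;;
        *)
            echo "FAIL: owner lacks read/write on $kdb (mode $mode)"
            return 1
            ;;
    esac
    # Characters 5-10 are the group and other bits; any bit set here lets
    # someone else read (and so copy) the certificates or overwrite them.
    rest=$(printf '%s' "$mode" | cut -c5-10)
    if [ "$rest" != "------" ]; then
        echo "FAIL: group/other have access to $kdb (mode $mode); expected 600"
        return 1
    fi
    echo "OK: $kdb is owned by $expected_owner with owner-only access"
    return 0
}

# Run directly as: sh check_kdb.sh /path/to/key.kdb webserver_user
if [ "$#" -eq 2 ]; then
    check_key_db_perms "$1" "$2"
fi
```

The check reads the mode string from ls rather than stat so it behaves the same on Linux and BSD-style systems; a trailing "+" or "@" that some systems append for ACLs or extended attributes does not affect the six group/other characters that are inspected.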
The LDAP module requires the password to the user's key database even
if a stash file exists. The user must use the ldapstash command
to create an LDAP stash file containing the password to the key database
file.
Creating an LDAP connection
To create an LDAP connection, you must provide information about the LDAP server being used.
Edit your LDAP properties file (a sample ldap.prop is found in the HTTP Server conf directory)
and insert the applicable directives.