Name of the LDAP properties file associated with a group of LDAP parameters. Default
value: c:\program files\ibm http server\conf\ldap.prop.sample. Used in the httpd.conf
file.
Used in the httpd.conf file to specify the group when LDAP authentication is being
used. Possible values:
LDAPRequire filter "(&(objectclass=person)(cn=*)(ou=IHS)(o=IBM))"
or LDAPRequire group "sample group".
Server's Distinguished Name - distinguished name of the Web server. This name
is used as the username when accessing an LDAP server using Basic authentication.
The entry must exist in the LDAP server, because the Web server binds as it to
access the directory server.
For example: ldap.application.DN=cn=ldapadm,ou=ihs test,o=IBM,c=US
Name of the stash file containing the encrypted password for the application to
authenticate to the LDAP server when Server Authentication type is Basic. This
stash file may be created with the 'ldapstash' command.
Cache Time-out - Responses from the LDAP server are cached. This is the maximum
length of time (in seconds) a response returned from the LDAP server remains valid.
If the web server is configured to run as multiple processes, each process will
manage its own copy of the cache.
Group Member Attributes - Once a group entry is found in an LDAP directory, the
group members are extracted by using these attribute names. The values of these
attributes must be the distinguished names of the members of the group. More than
one attribute may be used to contain member information. The default attributes
are member and uniqueMember.
Group Name Filter - filter LDAP uses to search for group names. The default is
(&(cn=%v1)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))
This property is only required if the LDAP URL for groups differs from the URL
specified by the ldap.URL property.
Host Name - hostname of the LDAP server.
Port Number - optional port number on which the LDAP server is listening. The
default for TCP connections is 389. If you are using SSL, the port number must
be specified.
BaseDN - provides the root of the LDAP tree in which to perform the search
for groups.
Note: This directive may only be used to specify a different location for a group on the same
LDAP server. It may not be used to specify a different LDAP server from that specified in
ldap.URL.
Idle Connection Time-out - Connections to the LDAP server are cached for performance.
This is the length of time (in seconds) before an idle LDAP server connection
is closed due to inactivity.
Key Label - name of the certificate label the Web server uses to authenticate to
the LDAP server. This label is only required when using SSL and the LDAP server
is set up to request client authentication from the Web server.
For example: My Server's Certificate
Port Number - optional port number on which the LDAP server is listening. The
default for TCP connections is 389. If you are using SSL, the port number must
be specified.
BaseDN - provides the root of the LDAP tree in which to perform the search
for users.
For example: ldap.URL=ldap://ldap.ibm.com:489/o=Ace Industry, c=US
The method used to authenticate a user requesting access to the Web server.
Possible values: Basic, Cert, BasicIfNoCert
Filter used to convert the information in the client certificate passed over SSL
to a search filter for an LDAP entry. The default is "(&(objectclass=person)
(cn=%v1, ou=%v2, o=%v3,c=%v4))".
Note: When the search filter is generated, the values in the certificate fields
are placed into the matching variables (%v1, %v2, and so on). SSL certificates
include the following fields, all of which can be converted to a search filter.
The following table shows the conversion:

Certificate field       Variable
common name             %v1
organizational unit     %v2
organization            %v3
country                 %v4
locality                %v5
state or country        %v6
serial number           %v7
The characters which are considered valid field separator characters when parsing
the user name into fields. For example, if '/' is the only field separator character
and the user inputs "Joe Smith/Acme", then '%v1' equals "Joe Smith" and '%v2'
equals "Acme". The default characters are the space, the comma, and the tab (\t) character.
User Name Filter - filter used to convert the username as input by the user to
a search filter for an LDAP entry. The default is "(&(objectclass=person)(cn=%v1
%v2))" where %v1 and %v2 are the words typed by the user.
For example, if the user types "Paul Kelsey", the resulting search
filter would be "(&(objectclass=person)(cn=Paul Kelsey))". Search filter
syntax is described in "LDAP search filters".
However, because the Web server cannot differentiate between multiple returned
entries, authentication fails when the LDAP server returns more than one entry.
For example, if the user sets ldap.user.name.filter="(&(objectclass=person)(cn=%v1*
%v2*))" and a user types "Pa Kel", the resulting search filter will contain "(cn=Pa*
Kel*)". It will then find multiple entries such as (cn=Paul Kelsey) AND (cn=Paula
Kelly), and authentication will fail. You must then narrow your search filter.
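The following Python script is an added example, not IBM HTTP Server code. It simulates, against a small constructed in-memory directory, the three pieces of behaviour described above: splitting the typed user name on the field separator characters, substituting the %vN variables into the user name, certificate and group name filter templates, and rejecting a lookup that returns more than one entry. It also walks the configured group member attributes (member and uniqueMember) to decide group membership as an LDAPRequire group check would. The filter templates and default values are the ones this page documents; the directory entries, DNs and the RFC 4515 escaping of substituted values are assumptions of this example, and the filter parser handles only the &, |, ! and attr=value forms those templates use.

```python
# Added example (not IBM HTTP Server code). Simulates, against a constructed
# in-memory directory, how the user name field separators and the %vN filter
# variables combine into an LDAP search filter, why more than one matching
# entry fails authentication, and how group membership is resolved through the
# configured member attributes. Templates and defaults are the documented ones;
# entries, DNs and the escaping policy are assumptions.
import re

DEFAULT_SEPARATORS = " ,\t"   # documented default: space, comma, tab
DEFAULT_NAME_FILTER = "(&(objectclass=person)(cn=%v1 %v2))"
DEFAULT_CERT_FILTER = "(&(objectclass=person)(cn=%v1, ou=%v2, o=%v3,c=%v4))"
DEFAULT_GROUP_FILTER = "(&(cn=%v1)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))"
DEFAULT_MEMBER_ATTRS = ("member", "uniquemember")   # lower-cased for lookup

# Constructed sample directory: attribute names lower-cased, values are lists.
DIRECTORY = [
    {"dn": "cn=Paul Kelsey,ou=IHS,o=IBM,c=US", "objectclass": ["person"], "cn": ["Paul Kelsey"]},
    {"dn": "cn=Paula Kelly,ou=IHS,o=IBM,c=US", "objectclass": ["person"], "cn": ["Paula Kelly"]},
    {"dn": "cn=sample group,ou=IHS,o=IBM,c=US", "objectclass": ["groupOfNames"],
     "cn": ["sample group"], "member": ["cn=Paul Kelsey,ou=IHS,o=IBM,c=US"]},
]


def split_user_name(user_input, separators=DEFAULT_SEPARATORS):
    """Split the typed name into %v1, %v2, ... on any run of separator characters."""
    pattern = "[" + re.escape(separators) + "]+"
    return [field for field in re.split(pattern, user_input.strip()) if field]


def escape_filter_value(value):
    """RFC 4515 escaping of filter metacharacters in a substituted value (a design
    choice of this example: a typed '*' is matched literally, not as a wildcard)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def build_filter(template, fields):
    """Replace each %vN in the template with the N-th field (empty if absent)."""
    def repl(match):
        index = int(match.group(1)) - 1
        return escape_filter_value(fields[index]) if index < len(fields) else ""
    return re.sub(r"%v(\d+)", repl, template)


def parse_filter(text, pos=0):
    """Parse the filter subset used here: &, |, ! and attr=value with '*' wildcards."""
    assert text[pos] == "(", "filter component must start with '('"
    pos += 1
    if text[pos] in "&|":
        op, items, pos = text[pos], [], pos + 1
        while text[pos] == "(":
            node, pos = parse_filter(text, pos)
            items.append(node)
        return (op, items), pos + 1          # skip the closing ')'
    if text[pos] == "!":
        node, pos = parse_filter(text, pos + 1)
        return ("!", node), pos + 1
    end = text.index(")", pos)
    attr, value = text[pos:end].split("=", 1)
    return ("=", attr.strip().lower(), value.strip()), end + 1


def _unescape(piece):
    """Turn RFC 4515 \\XX escapes back into the literal character for matching."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), piece)


def matches(node, entry):
    """Evaluate a parsed filter against one entry; comparisons are case-insensitive."""
    if node[0] == "&":
        return all(matches(child, entry) for child in node[1])
    if node[0] == "|":
        return any(matches(child, entry) for child in node[1])
    if node[0] == "!":
        return not matches(node[1], entry)
    _, attr, pattern = node
    regex = "^" + ".*".join(re.escape(_unescape(p)) for p in pattern.split("*")) + "$"
    return any(re.match(regex, v, re.IGNORECASE) for v in entry.get(attr, []))


def search(template, fields, directory=DIRECTORY):
    """Build the filter from the template and return (filter, matching DNs)."""
    flt = build_filter(template, fields)
    node, _ = parse_filter(flt)
    return flt, [e["dn"] for e in directory if matches(node, e)]


def locate_user(user_input, template=DEFAULT_NAME_FILTER, separators=DEFAULT_SEPARATORS):
    """Return ('ok' | 'no-entry' | 'ambiguous', filter, DNs). Only exactly one
    returned entry counts as success, mirroring the documented rule."""
    flt, hits = search(template, split_user_name(user_input, separators))
    status = "ok" if len(hits) == 1 else ("no-entry" if not hits else "ambiguous")
    return status, flt, hits


def user_in_group(user_dn, group_name, member_attrs=DEFAULT_MEMBER_ATTRS):
    """Find the group with the group name filter, then look for the user's DN in
    any of the configured member attributes (as an LDAPRequire group check would)."""
    _, group_dns = search(DEFAULT_GROUP_FILTER, [group_name])
    groups = [e for e in DIRECTORY if e["dn"] in group_dns]
    return any(member.lower() == user_dn.lower()
               for g in groups for attr in member_attrs for member in g.get(attr, []))


if __name__ == "__main__":
    print(locate_user("Paul Kelsey"))
    print(locate_user("Pa Kel", "(&(objectclass=person)(cn=%v1* %v2*))"))
    print(user_in_group("cn=Paul Kelsey,ou=IHS,o=IBM,c=US", "sample group"))
```

Running the script shows the default filter resolving "Paul Kelsey" to exactly one entry, the wildcard template from the page turning "Pa Kel" into a filter that matches both Paul Kelsey and Paula Kelly (status "ambiguous", which is the case the page says fails authentication), and the group check succeeding only for the DN listed in the group's member attribute. Because substituted values are escaped, a typed name containing "*" is searched for literally and does not widen the match.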
The version of the LDAP protocol used to connect to the LDAP server. The
LDAP version is determined by the protocol version used by the LDAP server. This is
an optional directive. The default is LDAP Version 3. (Possible values are: 2 or 3.)
Connection retry interval - If an LDAP server is down, the Web server should not
thrash continually trying to connect to it. When a connection must be reestablished
because of a down server, this is the time (in seconds) the Web server waits between
failed attempts to connect.