System Administration IBM HTTP Server documentation
Pertains to Linux for S/390 users

Using Lightweight Directory Access Protocol directives

This section provides information on the Lightweight Directory Access Protocol (LDAP) directives. These directives work on all supported platforms, except Linux for S/390. The information includes specific directive descriptions, values, defaults, and special notes Tips. Links to related topics appear at the end of this section.

LdapConfigFile

  • Description: Indicates the name of the LDAP properties file associated with a group of LDAP parameters.
  • Default: c:\program files\ibm http server\conf\ldap.prop.sample.
  • Module: mod_ibm_ldap
  • Multiple instances in the configuration file: Yes
  • Scope: Single instance per directory stanza.
  • Syntax: LdapConfigFile <Fully qualified path to configuration file>
  • Values: Fully qualified path to a single configuration file.

    • Tip Use this directive in the httpd.conf file.

LDAPRequire

  • Description: Indicates the group when using LDAP authentication.
  • Default: None
  • Module: mod_ibm_ldap
  • Multiple instances in the configuration file: Yes
  • Scope: Single instance per directory stanza.
  • Syntax: LDAPRequire filter <filter name> or LDAPRequire group <group1 [group2.group3....]>
  • Values: LDAPRequire filter "(&(objectclass=person)(cn=*)(ou=IHS)(o=IBM))", or LDAPRequire group "sample group".

    • Tip: Use this directive in the httpd.conf file.

ldap.application.authType

  • Description: Specifies the method for authenticating the Web server to the LDAP server.
  • Default: None
  • Module: mod_ibm_ldap
  • Multiple instances in the configuration file: Yes
  • Scope: Single instance per directory stanza.
  • Syntax: ldap.application.authType=None
  • Values:
    • None: If the LDAP server does not require the Web server to authenticate.
    • Basic: Uses the distinguished name (DN) of the Web server as the user ID, and the password stored in the stash file, as the password.

ldap.application.DN

  • Description: Indicates the distinguished name (DN) of the Web server. Use this name as the user name when accessing an LDAP server using basic authentication. Use the entry specified in the LDAP server to access the directory server.
  • Default: None
  • Module: mod_ibm_ldap
  • Multiple instances in the configuration file: Yes
  • Scope: Single instance per directory stanza.
  • Syntax: ldap.application.DN=cn=ldapadm,ou=ihs test,o=IBM,c=US
  • Values: Distinguished name

ldap.application.password.stashFile

  • Description: Indicates the name of the stash file containing the encrypted password for the application to authenticate to the LDAP server when Server Authentication type is Basic.
  • Default: None
  • Module: mod_ibm_ldap
  • Multiple instances in the configuration file: Yes
  • Scope: Single instance per directory stanza.
  • Syntax: ldap.application.password.stashFile=c:\IHS\ldap.sth
  • Values: Fully qualified path to the stash file.

    • Tip: You can create this stash file with the ldapstash command.

ldap.cache.timeout

  • Description: Caches responses from the LDAP server. If you configure the Web server to run as multiple processes, each process manages its own copy of the cache.
  • Default: 600
  • Module: mod_ibm_ldap
  • Multiple instances in the configuration file: Yes
  • Scope: Single instance per directory stanza.
  • Syntax: ldap.cache.timeout= <secs>
  • Values: The maximum length of time, in seconds, a response returned from the LDAP server remains valid.

ldap.group.attributes

  • Description: Indicates the filter used to determine if a distinguished name (DN) is an actual group through an LDAP search.
  • Default: groupofnames groupofuniquenames
  • Module: mod_ibm_ldap
  • Multiple instances in the configuration file: Yes
  • Scope: Single instance per directory stanza.
  • Syntax: ldap.group.attribute= attribute1 [attribute2...]
  • Values: Filter name

ldap.group.dnattributes

  • Description: Filter used to determine,via an LDAP search, if a DN is an actual group
  • Default: groupofnames groupofuniquenames
  • Module: mod_ibm_ldap
  • Multiple instances in the configuration file: Yes
  • Scope: Single instance per directory stanza.
  • Syntax: ldap.group.memberattribute= <ldap filter>
  • Values: An ldap filter. - See sample ldap.prop.sample for more information on the use of this directive.

ldap.group.memberattribute

  • Description: Attribute specified to retrieve unique groups from an existing group
  • Default: uniquegroup
  • Module: mod_ibm_ldap
  • Multiple instances in the configuration file: Yes
  • Scope: Single instance per directory stanza.
  • Syntax: ldap.group.memberattribute= <attribute>
  • Values: An ldap attribute. See sample ldap.prop.sample for more information on the use of this directive.

ldap.group.memberAttributes

  • Description: Serves as a means to extract group members, once the function finds a group entry in an LDAP directory.
  • Default: member and uniqueMember
  • Module: mod_ibm_ldap
  • Multiple instances in the configuration file: Yes
  • Scope: Single instance per directory stanza.
  • Syntax: ldap.group.memberAttributes= attribute [attribute2....]
  • Values: Must equal the distinguished names of the group members. You can use more than one attribute to contain member information.

ldap.group.name.filter

  • Description: Indicates the filter LDAP uses to search for group names.
  • Default: (&(cn=%v1)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames))
  • Module: mod_ibm_ldap
  • Multiple instances in the configuration file: Yes
  • Scope: Single instance per directory stanza.
  • Syntax: ldap.group.name.filter= <group name filter>
  • Values: An LDAP filter. See Querying the LDAP server using LDAP search filters.

ldap.group.URL

  • Description: Specifies a different location for a group on the same LDAP server. You cannot use this directive to specify a different LDAP server from that specified in the ldap.URL directive.
  • Default: None
  • Module: mod_ibm_ldap
  • Multiple instances in the configuration file: Yes
  • Scope: Single instance per directory stanza.
  • Syntax: ldap.group.URL=ldap://<hostName:Port>/<BaseDN>
  • Values:
    • hostName: Host name of the LDAP server.
    • Port Number: Optional port number on which the LDAP server listens. The default for TCP connections is 389. If you use SSL, you must specify the port number.
    • BaseDN: Provides the root of the LDAP tree in which to perform the search for groups.

    Tip: This property becomes required if the LDAP URL for groups differs from the URL specified by the ldap.URL property.

ldap.idleConnection.timeout

  • Description: Caches connections to the LDAP server for performance.
  • Default: 600
  • Module: mod_ibm_ldap
  • Multiple instances in the configuration file: Yes
  • Scope: Single instance per directory stanza.
  • Syntax: ldap.idleConnection.timeout= <secs>
  • Values: Length of time, in seconds, before an idle LDAP server connection closes because of inactivity.

ldap.key.file.password.stashfile

  • Description: Indicates the stash file containing the encrypted keyfile password; use the ldapstash command to create this stash file.
  • Default: None
  • Module: mod_ibm_ldap
  • Multiple instances in the configuration file: Yes
  • Scope: Single instance per directory stanza.
  • Syntax: ldap.key.file.password.stashfile =d:\<Key password file name>
  • Values: Fully qualified path to the stash file.

ldap.key.fileName

  • Description: Indicates the file name of the key file database. This option becomes required when you use SSL.
  • Default: None
  • Module: mod_ibm_ldap
  • Multiple instances in the configuration file: Yes
  • Scope: Single instance per directory stanza.
  • Syntax: ldap.key.fileName=d:\<Key file name>
  • Values: Fully qualified path to the key file.

ldap.key.label

  • Description: Indicates the certificate label name the Web server uses to authenticate to the LDAP server.
  • Default: None
  • Module: mod_ibm_ldap
  • Multiple instances in the configuration file: Yes
  • Scope: Single instance per directory stanza.
  • Syntax: ldap.key.label=<My Server Certificate>
  • Values: A valid label used in the key database file.

    • Tip This label becomes required only when using Secure Sockets Layer (SSL) and the LDAP server requests client authentication from the Web server.

ldap.realm

  • Description: Indicates the name of the protected area, as seen by the requesting client.
  • Default: None
  • Module: mod_ibm_ldap
  • Multiple instances in the configuration file: Yes
  • Scope: Single instance per directory stanza.
  • Syntax: ldap.realm==<Protection Realm>
  • Values: A description describing the protected page.

ldap.search.depth

  • Description: Searches subgroups when specifying LdapRequire group <group> directives. Groups can contain both individual members and other groups.
  • Default: 1
  • Module: mod_ibm_ldap
  • Multiple instances in the configuration file: Yes
  • Scope: Single instance per directory stanza.
  • Syntax: ldap.search.depth = <secs>
  • Values: An integer.

    Tip: When doing a search for a group, if a member in the process of authentication is not a member of the required group, any subgroups of the required group are also searched. For example: 

    group1 >group2 (group2 is a member of group1)
group2 >group3 (group3 is a member of group2)
group3 >jane   (jane is a member of group3)

    If you search for jane and require her as a member of group1, the search fails with the default ldap.search.depth value of 1. If you specify ldap.group.search.depth>2, the search succeeds.

    Use ldap.group.search.depth=<depth to search -- number> to limit the depth of subgroup searches. This type of search can become very intensive on an LDAP server. Where group1 has group2 as a member, and group2 has group1 as a member, this directive limits the depth of the search. In the previous example, group1 has a depth of 1, group2 has a depth of 2 and group3 has a depth of 3.

ldap.search.timeout

  • Description: Indicates the maximum time, in seconds, to wait for an LDAP server to complete a search operation.
  • Default: 10
  • Module: mod_ibm_ldap
  • Multiple instances in the configuration file: Yes
  • Scope: Single instance per directory stanza.
  • Syntax: ldap.search.timeout = <secs>
  • Values: Length of time, in seconds.

ldap.transport

  • Description: Indicates the transport method used to communicate with the LDAP server.
  • Default: TCP
  • Module: mod_ibm_ldap
  • Multiple instances in the configuration file: Yes
  • Scope: Single instance per directory stanza.
  • Syntax: ldap.transport=TCP
  • Values: TCP or SSL

ldap.url

  • Description: Indicates the URL of LDAP server to authenticate against.
  • Default: None
  • Module: mod_ibm_ldap
  • Multiple instances in the configuration file: Yes
  • Scope: Single instance per directory stanza.
  • Syntax: ldap.url=ldap://<hostName:Port>/<BaseDN>
    where:
    • hostName: Represents the host name of the LDAP server.
    • Port: Represents the optional port number on which the LDAP server listens. The default for TCP connections is 389. You must specify the port number, if you use SSL.
    • BaseDN
      • : Provides the root of the LDAP tree in which to perform the search for users.

      For example: ldap.URL=ldap://<ldap.ibm.com:489/o=Ace Industry, c=US

Ldap.user.authType

  • Description: Indicates the method for authenticating the user requesting a Web server. Use this name as the user name when accessing an LDAP server.
  • Default: Basic
  • Module: mod_ibm_ldap
  • Multiple instances in the configuration file: Yes
  • Scope: Single instance per directory stanza.
  • Syntax: Ldap.user.authType=BasicIfNoCert
  • Values: Basic, Cert, BasicIfNoCert

ldap.user.cert.filter

  • Description: Indicates the filter used to convert the information in the client certificate passed over SSL to a search filter for an LDAP entry.
  • Default: "(&(objectclass=person) (cn=%v1, ou=%v2, o=%v3,c=%v4))".
  • Module: mod_ibm_ldap
  • Multiple instances in the configuration file: Yes
  • Scope: Single instance per directory stanza.
  • Syntax: ldap.user.cert.filter=(&(objectclass=person)(cn=%v1))
  • Values: An LDAP filter. See Querying the LDAP server using LDAP search filters.

    • Tip: SSL certificates include the following fields, all of which you can convert to a search filter:  

    Certificate field Variable
    common name %v1
    organizational unit %v2
    organization %v3
    country %v4
    locality %v5
    state or country %v6
    serial number %v7
    When you generate the search filter, you can find the field values in the matching variable fields (%v1, %v2). The following table shows the conversion:  
    User Certificate Filter Conversion
    Certificate: 
    cn=Road Runner
o=Acme Inc
c=US
    Filter: 
    (cn=%v1, o=%v3, c=%v4)
    Resulting Query: 
    (cn=RoadRunner, o=Acme, Inc, c=US)

ldap.user.name.fieldSep

  • Description: Indicates characters as valid field separator characters, when parsing the user name into fields.
  • Default: The space, comma, and the tab (/t) character.
  • Module: mod_ibm_ldap
  • Multiple instances in the configuration file: Yes
  • Scope: Single instance per directory stanza.
  • Syntax: ldap.user.name.fieldSep=/
  • Values: Characters

    • Tip: If '/' represents the only field separator character and the user inputs "Joe Smith/Acme," then '%v1' equals "Joe Smith" and '%v2' equals "Acme."

ldap.user.name.filter

  • Description: Filter used to convert the user name as input by the user to a search filter for an LDAP entry.
  • Default: "((objectclass=person) (cn=%v1 %v2))"
    where: %v1 and %v2 represent the words typed by the user.

    For example, if the user types "Paul Kelsey", the resulting search filter becomes "((objectclass=person)(cn=Paul Kelsey))". You can find search filter syntax described in Querying the LDAP server using LDAP search filters.

    However, because the Web server cannot differentiate between multiple returned entries, authentication fails when the LDAP server returns more than one entry. For example, if the user makes the ldap.user.name.filter= "((objectclass=person)(cn=%v1* %v2*))" and types in Pa Kel, the resulting search filter becomes "(cn=Pa* Kel*)". The filter finds multiple entries such as (cn=Paul Kelsey) and (cn=Paula Kelly) and authentication fails. You must modify your search filter.

  • Module: mod_ibm_ldap
  • Multiple instances in the configuration file: Yes
  • Scope: Single instance per directory stanza.
  • Syntax: ldap.user.name.filter=<User Name Filter>
  • Values: An LDAP filter. See Querying the LDAP server using LDAP search filters.

Ldap.version

  • Description: Indicates the version of the LDAP protocol used to connect to the LDAP server. The protocol version used by the LDAP server determines the LDAP version. This directive is optional.
  • Default: ldap.version=3
  • Module: mod_ibm_ldap
  • Multiple instances in the configuration file: Yes
  • Scope: Single instance per directory stanza.
  • Syntax: ldap.version=3
  • Values: 2 or 3

ldap.waitToRetryConnection.interval

  • Description: Indicates the time the Web server waits between failed attempts to connect. If an LDAP server goes down, the Web server continually thrashes, trying to connect.
  • Default: 300
  • Module: mod_ibm_ldap
  • Multiple instances in the configuration file: Yes
  • Scope: Single instance per directory stanza.
  • Syntax: ldap.waitToRetryConnection.interval=<secs>
  • Values: Time (in seconds)

Finding related information
     (Back to the top)