This section provides information on the Lightweight Directory Access Protocol (LDAP) directives.
These directives work on all supported platforms, except
Linux for S/390. The information includes specific directive descriptions, values, defaults, and special
notes. Links to related
topics appear at the end of this section.
- Description: Specifies the method for authenticating the Web server
to the LDAP server.
- Default: None
- Module: mod_ibm_ldap
- Multiple instances in the configuration file: Yes
- Scope: Single instance per directory stanza.
- Syntax: ldap.application.authType=None
- Values:
- None: If the LDAP server does not require the Web server to authenticate.
- Basic: Uses the distinguished name (DN) of the Web server as the user ID, and the password
stored in the stash file, as the password.
- Description: Indicates the distinguished name (DN) of the Web server. Use this name
as the user name when accessing an LDAP server using basic authentication.
Use the entry specified in the LDAP server to access the directory server.
- Default: None
- Module: mod_ibm_ldap
- Multiple instances in the configuration file: Yes
- Scope: Single instance per directory stanza.
- Syntax: ldap.application.DN=cn=ldapadm,ou=ihs test,o=IBM,c=US
- Values: Distinguished name
- Description: Caches responses from the LDAP server. If you configure the Web server to run as multiple processes, each process
manages its own copy of the cache.
- Default: 600
- Module: mod_ibm_ldap
- Multiple instances in the configuration file: Yes
- Scope: Single instance per directory stanza.
- Syntax: ldap.cache.timeout= <secs>
- Values: The maximum length of time, in seconds, a response returned from the LDAP server remains valid.
- Description: Indicates the filter used to determine if a distinguished name (DN) is an actual group through an LDAP search.
- Default: groupofnames groupofuniquenames
- Module: mod_ibm_ldap
- Multiple instances in the configuration file: Yes
- Scope: Single instance per directory stanza.
- Syntax: ldap.group.attribute= attribute1 [attribute2...]
- Values: Filter name
- Description: Filter used to determine, via an LDAP search, if a DN is an actual group.
- Default: groupofnames groupofuniquenames
- Module: mod_ibm_ldap
- Multiple instances in the configuration file: Yes
- Scope: Single instance per directory stanza.
- Syntax: ldap.group.memberattribute= <ldap filter>
- Values: An LDAP filter. See the sample file ldap.prop.sample for more information on the use of this directive.
- Description: Attribute specified to retrieve unique groups from an existing group
- Default: uniquegroup
- Module: mod_ibm_ldap
- Multiple instances in the configuration file: Yes
- Scope: Single instance per directory stanza.
- Syntax: ldap.group.memberattribute= <attribute>
- Values: An LDAP attribute. See the sample file ldap.prop.sample for more information on the use of this directive.
- Description: Serves as a means to extract group members, once the function finds a group entry in an LDAP directory.
- Default: member and uniqueMember
- Module: mod_ibm_ldap
- Multiple instances in the configuration file: Yes
- Scope: Single instance per directory stanza.
- Syntax: ldap.group.memberAttributes=attribute1 [attribute2...]
- Values: Must equal the distinguished names of the group members. You can use more than
one attribute to contain member information.
- Description: Indicates the filter LDAP uses to search for group names.
- Default: (&(cn=%v1)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames))
- Module: mod_ibm_ldap
- Multiple instances in the configuration file: Yes
- Scope: Single instance per directory stanza.
- Syntax: ldap.group.name.filter= <group name filter>
- Values: An LDAP filter. See Querying the LDAP server using LDAP search filters.
- Description: Caches connections to the LDAP server for performance.
- Default: 600
- Module: mod_ibm_ldap
- Multiple instances in the configuration file: Yes
- Scope: Single instance per directory stanza.
- Syntax: ldap.idleConnection.timeout= <secs>
- Values: Length of time, in seconds, before an idle LDAP server connection
closes because of inactivity.
- Description: Indicates the stash file containing the encrypted keyfile password;
use the ldapstash command to create this stash file.
- Default: None
- Module: mod_ibm_ldap
- Multiple instances in the configuration file: Yes
- Scope: Single instance per directory stanza.
- Syntax: ldap.key.file.password.stashfile=d:\<Key password file name>
- Values: Fully qualified path to the stash file.
- Description: Indicates the file name of the key file database. This option becomes required when you
use SSL.
- Default: None
- Module: mod_ibm_ldap
- Multiple instances in the configuration file: Yes
- Scope: Single instance per directory stanza.
- Syntax: ldap.key.fileName=d:\<Key file name>
- Values: Fully qualified path to the key file.
- Description: Indicates the certificate label name the Web server uses to authenticate to
the LDAP server.
- Default: None
- Module: mod_ibm_ldap
- Multiple instances in the configuration file: Yes
- Scope: Single instance per directory stanza.
- Syntax: ldap.key.label=<My Server Certificate>
- Values: A valid label used in the key database file.
This label becomes required only when using Secure Sockets Layer (SSL)
and the LDAP server requests client authentication from the Web server.
- Description: Indicates the name of the protected area, as seen by the requesting client.
- Default: None
- Module: mod_ibm_ldap
- Multiple instances in the configuration file: Yes
- Scope: Single instance per directory stanza.
- Syntax: ldap.realm=<Protection Realm>
- Values: A string describing the protected page.
- Description: Searches subgroups when specifying LdapRequire group <group> directives. Groups can contain
both individual members and other groups.
- Default: 1
- Module: mod_ibm_ldap
- Multiple instances in the configuration file: Yes
- Scope: Single instance per directory stanza.
- Syntax: ldap.search.depth = <depth>
- Values: An integer.
When searching for a group, if the member being authenticated is not a direct member
of the required group, any subgroups of the required group are also searched. For example:
    group1 > group2 (group2 is a member of group1)
    group2 > group3 (group3 is a member of group2)
    group3 > jane (jane is a member of group3)
If you search for jane and require her as a member of group1, the search fails with the default ldap.search.depth
value of 1. If you specify an ldap.group.search.depth value greater than 2, the search succeeds.
Use ldap.group.search.depth=<depth to search -- number> to limit the depth of subgroup searches.
This type of search can become very intensive on an LDAP server. Where group1 has group2 as a member and group2 has group1
as a member (a cycle), this directive limits the depth of the search. In the previous example, group1 has a depth of 1, group2
has a depth of 2 and group3 has a depth of 3.
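The depth-limited subgroup search described above, as an added example that is not IBM HTTP Server code: an in-memory stand-in for the directory (the group and user DNs are constructed for illustration) and a breadth-first membership check that stops at the configured depth and never revisits a group, so the group1/group2 cycle from the text cannot make the search loop. The depth numbering follows the page (the required group is depth 1). The objectclass and member attribute names are the defaults the page lists for ldap.group.attribute and ldap.group.memberAttributes.

```python
from collections import deque

# Constructed sample directory: DN -> entry attributes (not a real LDAP server).
# group1 -> group2 -> group3 -> jane, plus a deliberate cycle group2 -> group1.
DIRECTORY = {
    "cn=group1,o=Acme,c=US": {"objectclass": ["groupOfNames"],
                              "member": ["cn=group2,o=Acme,c=US"]},
    "cn=group2,o=Acme,c=US": {"objectclass": ["groupOfNames"],
                              "member": ["cn=group3,o=Acme,c=US",
                                         "cn=group1,o=Acme,c=US"]},
    "cn=group3,o=Acme,c=US": {"objectclass": ["groupOfNames"],
                              "member": ["cn=jane,o=Acme,c=US"]},
    "cn=jane,o=Acme,c=US": {"objectclass": ["person"]},
}

GROUP_CLASSES = {"groupofnames", "groupofuniquenames"}   # ldap.group.attribute default
MEMBER_ATTRIBUTES = ("member", "uniqueMember")            # ldap.group.memberAttributes default


def is_group(dn, directory=DIRECTORY):
    """True when the entry carries one of the configured group object classes."""
    entry = directory.get(dn)
    if entry is None:
        return False
    return any(oc.lower() in GROUP_CLASSES for oc in entry.get("objectclass", []))


def members_of(dn, directory=DIRECTORY):
    """Collect member DNs from every configured member attribute of a group."""
    entry = directory.get(dn, {})
    members = []
    for attr in MEMBER_ATTRIBUTES:
        members.extend(entry.get(attr, []))
    return members


def is_member(user_dn, group_dn, search_depth=1, directory=DIRECTORY):
    """Return (found, groups_visited).

    The required group is searched at depth 1; its subgroups at depth 2, and so on,
    up to search_depth. A visited set guarantees termination even when groups
    contain each other, and the depth limit bounds the load placed on the server.
    """
    visited = set()
    queue = deque([(group_dn, 1)])
    while queue:
        dn, depth = queue.popleft()
        if dn in visited:           # cycle protection: each group is expanded once
            continue
        visited.add(dn)
        members = members_of(dn, directory)
        if user_dn in members:
            return True, len(visited)
        if depth < search_depth:    # only descend while the configured depth allows
            for member in members:
                if is_group(member, directory) and member not in visited:
                    queue.append((member, depth + 1))
    return False, len(visited)


if __name__ == "__main__":
    jane, group1 = "cn=jane,o=Acme,c=US", "cn=group1,o=Acme,c=US"
    for depth in (1, 2, 3):
        print("depth", depth, "->", is_member(jane, group1, depth))
```

With the constructed data, depth 1 and 2 report jane as not a member of group1, depth 3 finds her through group3, and any larger depth still visits only three groups because the cycle back to group1 is skipped.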
- Description: Indicates the maximum time, in seconds, to wait for an LDAP server to
complete a search operation.
- Default: 10
- Module: mod_ibm_ldap
- Multiple instances in the configuration file: Yes
- Scope: Single instance per directory stanza.
- Syntax: ldap.search.timeout = <secs>
- Values: Length of time, in seconds.
- Description: Indicates the transport method used to communicate with the LDAP server.
- Default: TCP
- Module: mod_ibm_ldap
- Multiple instances in the configuration file: Yes
- Scope: Single instance per directory stanza.
- Syntax: ldap.transport=TCP
- Values: TCP or SSL
- Description: Indicates the URL of LDAP server to authenticate against.
- Default: None
- Module: mod_ibm_ldap
- Multiple instances in the configuration file: Yes
- Scope: Single instance per directory stanza.
- Syntax: ldap.url=ldap://<hostName:Port>/<BaseDN>
where:
- hostName: Represents the host name of the LDAP server.
- Port: Represents the optional port number on which the LDAP server listens. The
default for TCP connections is 389. You must specify the port number, if you use SSL.
- BaseDN: Provides the root of the LDAP tree in which to perform the search
for users.
For example: ldap.url=ldap://ldap.ibm.com:489/o=Ace Industry, c=US
- Description: Indicates the method for authenticating the user requesting a Web server. Use this name
as the user name when accessing an LDAP server.
- Default: Basic
- Module: mod_ibm_ldap
- Multiple instances in the configuration file: Yes
- Scope: Single instance per directory stanza.
- Syntax: ldap.user.authType=BasicIfNoCert
- Values: Basic, Cert, BasicIfNoCert
- Description: Indicates the filter used to convert the information in the client certificate passed over SSL
to a search filter for an LDAP entry.
- Default: "(&(objectclass=person)(cn=%v1, ou=%v2, o=%v3, c=%v4))"
- Module: mod_ibm_ldap
- Multiple instances in the configuration file: Yes
- Scope: Single instance per directory stanza.
- Syntax: ldap.user.cert.filter=(&(objectclass=person)(cn=%v1))
- Values: An LDAP filter. See Querying the LDAP server using LDAP search filters.
SSL certificates include the following fields,
all of which you can convert to a search filter:

    Certificate field      Variable
    common name            %v1
    organizational unit    %v2
    organization           %v3
    country                %v4
    locality               %v5
    state or province      %v6
    serial number          %v7

When you generate the search filter, you can find the field values
in the matching variable fields (%v1, %v2). The
following table shows the conversion:

    User Certificate                Filter Conversion
    Certificate: cn=Road Runner     Filter: (cn=%v1, o=%v3, c=%v4)
                 o=Acme Inc
                 c=US               Resulting query: (cn=Road Runner, o=Acme Inc, c=US)
- Description: Indicates characters as valid field separator characters, when parsing
the user name into fields.
- Default: The space, comma, and the tab (\t) character.
- Module: mod_ibm_ldap
- Multiple instances in the configuration file: Yes
- Scope: Single instance per directory stanza.
- Syntax: ldap.user.name.fieldSep=/
- Values: Characters
If '/' represents the only field separator character
and the user inputs "Joe Smith/Acme," then '%v1' equals "Joe Smith" and '%v2'
equals "Acme."
- Description: Filter used to convert the user name as input by the user to
a search filter for an LDAP entry.
- Default: "((objectclass=person) (cn=%v1 %v2))"
where: %v1 and %v2 represent the words typed by the user.
For example, if the user types "Paul Kelsey", the resulting search
filter becomes "((objectclass=person)(cn=Paul Kelsey))". You can find search filter
syntax described in Querying the LDAP server using LDAP search filters.
However, because the Web server cannot differentiate between multiple returned
entries, authentication fails when the LDAP server returns more than one entry.
For example, if you set ldap.user.name.filter="((objectclass=person)(cn=%v1*
%v2*))" and the user types in Pa Kel, the resulting search filter becomes "(cn=Pa*
Kel*)". The filter finds multiple entries such as (cn=Paul Kelsey) and (cn=Paula
Kelly) and authentication fails. You must modify your search filter.
- Module: mod_ibm_ldap
- Multiple instances in the configuration file: Yes
- Scope: Single instance per directory stanza.
- Syntax: ldap.user.name.filter=<User Name Filter>
- Values: An LDAP filter. See Querying the LDAP server using LDAP search filters.
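The variable substitution that ldap.user.cert.filter, ldap.user.name.fieldSep and ldap.user.name.filter rely on, as an added example that is not IBM HTTP Server code: certificate subject fields are mapped to %v1..%v7 as in the table above, a typed user name is split on the separator characters into %v1, %v2, ..., and the values are substituted into the filter template. The directory, DNs and names are constructed for illustration, and the filter evaluator honours only the cn assertion of a filter, enough to show the page's failure mode where "Pa Kel" with a wildcard filter matches both Paul Kelsey and Paula Kelly. One hardening step is added that the page does not describe: substituted values are escaped per RFC 4515, so characters a user types cannot change the structure of the filter (a template `*` still acts as a wildcard; a typed `*` is matched literally).

```python
import re

# Certificate field -> variable, as in the page's table (l = locality, st = state).
CERT_VARIABLES = {"cn": "%v1", "ou": "%v2", "o": "%v3", "c": "%v4",
                  "l": "%v5", "st": "%v6", "serialnumber": "%v7"}

# Constructed sample directory (stand-in for the LDAP server); names are illustration only.
DIRECTORY = [
    {"dn": "cn=Paul Kelsey,o=Acme,c=US", "cn": "Paul Kelsey"},
    {"dn": "cn=Paula Kelly,o=Acme,c=US", "cn": "Paula Kelly"},
    {"dn": "cn=Road Runner,o=Acme,c=US", "cn": "Road Runner"},
]


def escape_filter_value(value):
    """RFC 4515 escaping of the characters that are special inside a search filter.
    Applied to every substituted value (hardening added in this example)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def unescape_filter_value(value):
    """Reverse of escape_filter_value, used by the toy evaluator below."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def substitute(template, variables):
    """Replace every %vN in the template; a placeholder with no value becomes empty."""
    return re.sub(r"%v\d+",
                  lambda m: escape_filter_value(variables.get(m.group(0), "")),
                  template)


def cert_variables(subject):
    """subject: certificate subject RDNs as {type: value}, e.g. {'cn': 'Road Runner', 'o': 'Acme Inc'}."""
    return {CERT_VARIABLES[k.lower()]: v
            for k, v in subject.items() if k.lower() in CERT_VARIABLES}


def username_variables(user_name, field_sep=" ,\t"):
    """Split the typed user name on any ldap.user.name.fieldSep character; field i -> %vi."""
    fields = [f for f in re.split("[" + re.escape(field_sep) + "]+", user_name) if f]
    return {"%%v%d" % (i + 1): f for i, f in enumerate(fields)}


def cn_matches(filter_str, cn):
    """Toy evaluator: honours only the (cn=...) assertion of a filter. A '*' left in
    the filter by the template is a wildcard; escaped characters compare literally."""
    m = re.search(r"\(cn=([^)]*)\)", filter_str)
    if m is None:
        return False
    pieces = [re.escape(unescape_filter_value(p)) for p in m.group(1).split("*")]
    return re.fullmatch(".*".join(pieces), cn, re.IGNORECASE) is not None


def resolve_user(user_name, template, directory=DIRECTORY, field_sep=" ,\t"):
    """Build the user name filter and return the single matching DN, or None when the
    search returns zero or several entries (the authentication-failure case on the page)."""
    filter_str = substitute(template, username_variables(user_name, field_sep))
    hits = [e for e in directory if cn_matches(filter_str, e["cn"])]
    return hits[0]["dn"] if len(hits) == 1 else None


if __name__ == "__main__":
    subject = {"cn": "Road Runner", "o": "Acme Inc", "c": "US"}
    print(substitute("(cn=%v1, o=%v3, c=%v4)", cert_variables(subject)))
    print(resolve_user("Paul Kelsey", "(&(objectclass=person)(cn=%v1 %v2))"))
    print(resolve_user("Pa Kel", "(&(objectclass=person)(cn=%v1* %v2*))"))   # None: two matches
```

Because resolve_user refuses anything but exactly one hit, a filter that is too loose fails closed rather than authenticating the first entry returned, which is the behaviour the page describes for the Web server.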
- Description: Indicates the version of the LDAP protocol used to connect to the LDAP server.
The protocol version used by the LDAP server determines the LDAP version. This directive is
optional.
- Default: 3
- Module: mod_ibm_ldap
- Multiple instances in the configuration file: Yes
- Scope: Single instance per directory stanza.
- Syntax: ldap.version=3
- Values: 2 or 3
- Description: Indicates the time the Web server waits between failed attempts to connect. Without this interval, if an LDAP server goes
down, the Web server continually thrashes trying to reconnect.
- Default: 300
- Module: mod_ibm_ldap
- Multiple instances in the configuration file: Yes
- Scope: Single instance per directory stanza.
- Syntax: ldap.waitToRetryConnection.interval=<secs>
- Values: Time (in seconds)