Getting started with the Lightweight Directory Access Protocol
This section discusses the functions involved in getting started with Lightweight Directory Access Protocol (LDAP). Links to related topics appear at the end of this section.
- Protecting files or directories with user or group information on a Lightweight Directory Access Protocol server
- Using key ring files
- Using Secure Sockets Layer and the Lightweight Directory Access Protocol module
- Creating a Lightweight Directory Access Protocol connection
- Identifying supported Lightweight Directory Access Protocol servers on the IBM HTTP Server
- Finding related information
Protecting files or directories with user or group information on a Lightweight Directory Access Protocol server
You can protect files and directories with user or group information by defining through a user, group, or filter:
To define by user:
Launch the IBM Administration Server. Go to Access Permissions > General Access and insert the required file, LdapConfigFile, C:/Program Files/IBM HTTP Server/conf/ldap.prop, in the LDAP: Configuration File field.
Enter the authentication realm name for the directory, in the Authentication Realm Name field.
To define by group:
LDAPRequire group "group_name"
For example: LDAPRequire group "Administrative Users"
To define by filter:
LDAPRequire filter "ldap_search_filter"
For example: LDAPRequire filter"(&(objectclass=person)(cn=*)(ou=IHS)(o=IBM)) "
LDAPRequire only works if manually inserted into the httpd.conf file.
Using key ring files
To use the mod_ibm_ssl and mod_ibm_ldap files when configuring LDAP to use SSL for communicating with the LDAP server, both the mod_ibm_ssl and mod_ibm_ldap files must use the same key ring file. If you enable SSL connections to the Web server and also use SSL as the transport between the Web server and the LDAP server, the key ring files used for both modules can merge into one key ring file. The configuration of each module can specify a different default certificate.
Using Secure Sockets Layer and the Lightweight Directory Access Protocol module
When using Secure Sockets Layer (SSL) between the Lightweight Directory Access Protocol (LDAP) module and the LDAP directory server, the key database file must have write permission. The key database file contains the certificates which establish identity, and in a secure environment, the LDAP server can require the Web server to provide a certificate for querying the LDAP server for authentication information. The key database file must have write permission by the UNIX user ID on which the Web server runs.
Certificates establish identity, to prevent other certificates from stealing or overwriting your certificates. If someone has read permission to the key database file, they can retrieve the user's certificates and masquerade as that user. Grant read or write permission only to the owner of the key database file.
The LDAP module requires the password to the user's key database, even if a stash file exists. Use the ldapstash command to create an LDAP stash file, containing the key database file password.
Creating a Lightweight Directory Access Protocol connection
To create an LDAP connection, provide information about the LDAP server.
- Edit your sample LDAP properties file, ldap.prop, located in the IBM HTTP Server conf directory. Insert the applicable directives.
- Enter the Web server connection information.
- Enter client connection information.
- Enter timeout settings.
Identifying supported Lightweight Directory Access Protocol servers on the IBM HTTP Server
The IBM HTTP Server supports the following LDAP servers:
- iPlanet/Netscape Directory Server
- IBM SecureWay Directory Server
| Finding related information |
(Back to the top)