LDAP Directives: IBM HTTP Server
System Administration IBM HTTP Server documentation
Applies to: AIX, Windows NT, Solaris

LDAP Directives - Not valid on HP or Linux

  • LdapConfigFile
  • ldap.key.label
  • LDAPRequire
  • ldap.realm
  • ldap.application.authType
  • ldap.search.timeout
  • ldap.application.DN
  • ldap.transport
  • ldap.application.password.stashFile
  • ldap.url
  • ldap.cache.timeout
  • ldap.user.authType
  • ldap.group.memberAttributes
  • ldap.user.cert.filter
  • ldap.group.name.filter
  • ldap.user.name.fieldSep
  • ldap.group.URL
  • ldap.user.name.filter
  • ldap.idleConnection.timeout
  • ldap.waitToRetryConnection.interval
  • ldap.key.file.password.stashfile
  • ldap.version
  • ldap.key.fileName

    LdapConfigFile directive

    Name of the LDAP properties file associated with a group of LDAP parameters. Default value:
    c:\program files\ibm http server\conf\ldap.prop.sample. Used in the httpd.conf file.


    LDAPRequire directive

    Used in the httpd.conf file to specify the group when LDAP authentication is used. Possible values:
    LDAPRequire filter "(&(objectclass=person)(cn=*)(ou=IHS)(o=IBM))" or LDAPRequire group "sample group".


    ldap.application.authType

    Server Authentication Type: Specify the method for authenticating the Web server to the LDAP server. Possibilities are:

    • None: If the LDAP server does not require the Web server to authenticate.
    • Basic: The distinguished name of the Web server is used as the userid, and the password stored in the stash file is the password.


    ldap.application.DN

    The Server Distinguished Name: Distinguished name of the Web server. This name is used as the username when accessing an LDAP server using Basic authentication. Use the entry specified in the LDAP server to access the directory server.
    For example: ldap.application.DN=cn=ldapadm,ou=ihs test,o=IBM,c=US


    ldap.application.password.stashFile

    Name of the stash file containing the encrypted password for the application to authenticate to the LDAP server when Server Authentication type is Basic. This stash file can be created with the 'ldapstash' command.

    ldap.cache.timeout= <secs>

    Cache Time-out: Responses from the LDAP server are cached. This is the maximum length of time (in seconds) a response returned from the LDAP server remains valid. If the Web server is configured to run as multiple processes, each process will manage its own copy of the cache.

    ldap.group.memberAttributes= <Group Member Attributes>

    Group Member Attributes: Once a group entry is found in an LDAP directory, the group members are extracted by using these attribute names. The values of these attributes must be the distinguished names of the members of the group. More than one attribute can be used to contain member information. The default attributes are member and uniqueMember.

    ldap.group.name.filter= <group name filter>

    Group Name Filter: Filter LDAP uses to search for group names. The default is (&(cn=%v1)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))


    ldap.group.URL

    This property is only required if the LDAP URL for groups differs from the URL specified by the ldap.URL property.

    • Host Name - Hostname of the LDAP server.
    • Port Number - Optional port number on which the LDAP server is listening. The default for TCP connections is 389. If you are using SSL, the port number must be specified.
    • BaseDN - Provides the root of the LDAP tree in which to perform the search for groups.


    This directive may only be used to specify a different location for a group on the same LDAP server. It may not be used to specify a different LDAP server from that specified in ldap.URL.

    ldap.idleConnection.timeout= <secs>

    Idle Connection Time-out: Connections to the LDAP server are cached for performance. This is the length of time (in seconds) before an idle LDAP server connection is closed because of inactivity.

    ldap.key.file.password.stashfile=d:\<Key password file name>

    Key password file name: The stash file containing the encrypted keyfile password; use the 'ldapstash' command to create this stash file.

    ldap.key.fileName=d:\<Key file name>

    Key file name: Filename of the key file database. This is required if you are using SSL.


    ldap.key.label

    Key Label: Name of the certificate label the Web server uses to authenticate to the LDAP server. This label is only required when using SSL and the LDAP server is set up to request client authentication from the Web server.
    For example: My Server Certificate

    ldap.realm=<Protection Realm>

    Protection realm: Name of the protected area as seen by the requesting client.
    For example: Administrator Access

    ldap.search.timeout= <secs>

    Search Time-out: The maximum time (in seconds) to wait for an LDAP server to complete a search operation.


    ldap.transport

    The transport method used to communicate with the LDAP server.
    Possible values: TCP or SSL.


    ldap.URL

    • Host Name: Hostname of the LDAP server.
    • Port Number: Optional port number on which the LDAP server is listening. The default for TCP connections is 389. If you are using SSL, the port number must be specified.
    • BaseDN: Provides the root of the LDAP tree in which to perform the search for users.

      For example: ldap.URL=ldap://ldap.ibm.com:489/o=Ace Industry, c=US


    ldap.user.authType

    The method for authenticating the user requesting a Web server. This name is used as the username when accessing an LDAP server. Possible values: Basic, Cert, BasicIfNoCert


    ldap.user.cert.filter

    Filter used to convert the information in the client certificate passed over SSL to a search filter for an LDAP entry. The default is "(&(objectclass=person) (cn=%v1, ou=%v2, o=%v3,c=%v4))". SSL certificates include the following fields, all of which can be converted to a search filter:

    Certificate field        Variable
    common name              %v1
    organizational unit      %v2
    organization             %v3
    country                  %v4
    locality                 %v5
    state or country         %v6
    serial number            %v7

    Note: When the search filter is generated, the values in the fields are placed into the matching variable fields (%v1, %v2). The following table shows the conversion:

    User Certificate:        cn=Road Runner
                             o=Acme Inc
    Filter Conversion:       (cn=%v1, o=%v3, c=%v4)
    Resulting Query:         (cn=RoadRunner, o=Acme, Inc, c=US)


    ldap.user.name.fieldSep

    The characters which are considered valid field separator characters when parsing the user name into fields. For example, if '/' is the only field separator character and the user inputs "Joe Smith/Acme," then '%v1' equals "Joe Smith" and '%v2' equals "Acme." The default characters are the space, comma, and the tab (\t) character.

    ldap.user.name.filter=<User Name Filter>

    User Name Filter: Filter used to convert the username as input by the user to a search filter for an LDAP entry. The default is "(&(objectclass=person) (cn=%v1 %v2))" where %v1 and %v2 are the words typed by the user.

    For example, if the user types "Paul Kelsey", the resulting search filter is "(&(objectclass=person)(cn=Paul Kelsey))". Search filter syntax is described in "LDAP search filters".

    However, because the Web server cannot differentiate between multiple returned entries, authentication fails when the LDAP server returns more than one entry. For example, if ldap.user.name.filter is set to "(&(objectclass=person)(cn=%v1* %v2*))" and the user types "Pa Kel", the resulting search filter is "(cn=Pa* Kel*)". The filter finds multiple entries, such as (cn=Paul Kelsey) and (cn=Paula Kelly), and authentication fails. You must modify your search filter.
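
The field splitting and %vN substitution described for ldap.user.name.fieldSep and ldap.user.name.filter can be modelled as follows. This is an added example, not IBM HTTP Server code: the function names, the toy cn matcher and the sample directory are constructed for illustration, filters are written with the `&` operator, and the RFC 4515 escaping step is an assumption about how a substituted value should be handled, not documented server behaviour.

```python
import re

# RFC 4515 escapes for characters that are special inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_value(value):
    """Escape one user-supplied field before it is placed in a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def split_fields(user_input, separators=" ,\t"):
    """Split the typed name into %v1, %v2, ... on the fieldSep characters."""
    return [f for f in re.split("[" + re.escape(separators) + "]+", user_input) if f]

def expand_filter(template, fields, escape=True):
    """Substitute %vN with the Nth field (empty string when the field is absent)."""
    def substitute(match):
        index = int(match.group(1)) - 1
        value = fields[index] if index < len(fields) else ""
        return escape_value(value) if escape else value
    return re.sub(r"%v(\d+)", substitute, template)

def _unescape(piece):
    """Turn \\xx escapes back into the literal character for matching."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), piece)

def match_cn(ldap_filter, directory):
    """Toy matcher: evaluate only the (cn=...) assertion; unescaped * is a wildcard."""
    assertion = re.search(r"\(cn=([^)]*)\)", ldap_filter).group(1)
    regex = ".*".join(re.escape(_unescape(p)) for p in assertion.split("*"))
    return [cn for cn in directory if re.fullmatch(regex, cn, re.IGNORECASE)]

def lookup(template, user_input, directory, separators=" ,\t", escape=True):
    """Return the single matching entry; None when zero or several match (auth fails)."""
    fields = split_fields(user_input, separators)
    hits = match_cn(expand_filter(template, fields, escape), directory)
    return hits[0] if len(hits) == 1 else None

# Constructed sample directory, using the two names from the text above.
DIRECTORY = ["Paul Kelsey", "Paula Kelly"]
DEFAULT = "(&(objectclass=person)(cn=%v1 %v2))"
WILDCARD = "(&(objectclass=person)(cn=%v1* %v2*))"

if __name__ == "__main__":
    print(lookup(DEFAULT, "Paul Kelsey", DIRECTORY))        # one entry matches
    print(lookup(WILDCARD, "Pa Kel", DIRECTORY))            # two entries match
    print(expand_filter(DEFAULT, split_fields("P* K*")))    # typed * is escaped
```

With escaping disabled, a typed "P* K*" turns the default exact-match filter into the same ambiguous wildcard search as the "Pa Kel" case, which is why the substituted fields are escaped here.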


    ldap.version

    The version of the LDAP protocol used to connect to the LDAP server. The LDAP version is determined by the protocol version used by the LDAP server. This directive is optional. The default is LDAP Version 3. (Possible values are: 2 or 3.)

    ldap.waitToRetryConnection.interval= <secs>

    Connection retry interval: If an LDAP server is down, the Web server continually thrashes, trying to connect. When a connection must be reestablished because of a down server, this is the time (in seconds) the Web server waits between failed attempts to connect.
