Get started with LDAP: IBM HTTP Server
System Administration IBM HTTP Server documentation

Getting started with LDAP - Not valid on HP or Linux


Protecting Files or Directories Using User or Group Information on an LDAP Server

To define by user:

Launch the IBM Administration Server. Go to Access Permissions > General Access and enter the path of the LDAP configuration file (the LdapConfigFile value, for example C:/Program Files/IBM HTTP Server/conf/ldap.prop) in the LDAP: Configuration File field. This file is required.

Enter the authentication realm name for the directory in the Authentication Realm Name field.

To define by group:

LDAPRequire group "group_name"
Example: LDAPRequire group "Administrative Users"

To define by filter:

LDAPRequire filter "ldap_search_filter"
Example: LDAPRequire filter "(&(objectclass=person)(cn=*)(ou=IHS)(o=IBM))"

Note: LDAPRequire only works if it is manually inserted into httpd.conf.

Using Keyring Files

When LDAP is configured to use SSL for communicating with the LDAP server, mod_ibm_ssl and mod_ibm_ldap must use the same keyring file. If you allow SSL connections to the Web server and also use SSL as the transport between the Web server and the LDAP server, the keyrings used by the two modules can be merged into one keyring file. The configuration of each module can still specify a different default certificate.

SSL and the LDAP Module

When using SSL between the LDAP module and the LDAP Directory Server, the key database file must have write permission. The key database file contains the certificates that establish identity, and in a secure environment the LDAP server may require the Web server to present a certificate before it can query the LDAP server for authentication information. The key database file must be writable by the UNIX user ID under which the Web server runs. For example, if the Web server runs as UNIX user ID "user ID", the key database file should be owned by user "user ID" and be writable by that user.

Certificates establish identity, so it is important to prevent your certificates from being stolen or overwritten by other certificates. Anyone with read permission on the key database file can retrieve the user's certificates and masquerade as that user. Grant read or write permission only to the owner of the key database file.
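The ownership and permission rules above are easy to get wrong after a key database is copied or regenerated, so an administrator typically checks them before starting the Web server. The following POSIX shell script is an added example, not part of the IBM HTTP Server documentation: it verifies that a key database file is a regular file owned by the Web server's UNIX user and that only that owner can read or write it (mode 600). The file names, the companion stash file suffixes (.sth and .stash) and the user name used here are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the IBM HTTP Server documentation): check that a
# key database file is owned by the Web server user and is readable and
# writable by that owner only.
#
# Usage: check_keydb_perms FILE OWNER
# Returns 0 when FILE is a regular file owned by OWNER with mode 600;
# otherwise prints the problem and returns 1.

file_owner() {
    # GNU stat first, BSD/macOS stat as a fallback.
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

file_mode() {
    # Octal permission bits without the file-type prefix.
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

check_keydb_perms() {
    file=$1
    owner=$2
    status=0

    if [ ! -f "$file" ]; then
        echo "FAIL: $file is not a regular file"
        return 1
    fi

    actual_owner=$(file_owner "$file")
    if [ "$actual_owner" != "$owner" ]; then
        echo "FAIL: $file is owned by $actual_owner, expected $owner"
        status=1
    fi

    # Drop leading zeros so "0600" and "600" compare equally; a setuid,
    # setgid or sticky digit (e.g. "4600") is deliberately left in and fails.
    mode=$(file_mode "$file" | sed 's/^0*//')
    case "$mode" in
        600) ;;  # owner read/write only: what the LDAP module needs
        *)
            echo "FAIL: $file has mode $mode, expected 600 (owner rw only)"
            status=1
            ;;
    esac

    [ "$status" -eq 0 ] && echo "OK: $file owned by $owner, mode 600"
    return "$status"
}

# Check the key database and, if present, the SSL and LDAP stash files that
# sit beside it (the .sth and .stash suffixes are assumptions for this example;
# a stash file holds the key database password, so it needs the same protection).
check_keyring_set() {
    kdb=$1
    owner=$2
    rc=0
    for f in "$kdb" "${kdb%.kdb}.sth" "${kdb%.kdb}.stash"; do
        [ -e "$f" ] || continue
        check_keydb_perms "$f" "$owner" || rc=1
    done
    return "$rc"
}

# Example invocation with assumed values (path and user are placeholders):
# check_keyring_set /opt/IBMHTTPD/keys/webserver.kdb httpd
```

Run it as part of a start-up or deployment check; a non-zero exit means the key database (or one of its stash files) is either not owned by the Web server user or is readable by other users, which is the condition the section above warns against.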

The LDAP module requires the password to the user's key database even when a key database stash file already exists; that stash file is not used by the LDAP module. Use the ldapstash command to create a separate LDAP stash file that contains the key database file password.

Creating an LDAP connection

To create an LDAP connection, provide information about the LDAP server being used: edit your LDAP properties file (a sample ldap.prop is in the HTTP Server conf directory) and insert the applicable directives.
  • Enter the Web server connection information.
  • Enter client connection information.
  • Enter timeout settings.

Supported LDAP Servers on IBM HTTP Server

  • Netscape Directory Server
  • IBM SecureWay Directory Server
