System Administration IBM HTTP Server documentation

Getting started with the Lightweight Directory Access Protocol

This section discusses the functions involved in getting started with Lightweight Directory Access Protocol (LDAP). Links to related topics appear at the end of this section.

Protecting files or directories with user or group information on a Lightweight Directory Access Protocol server

You can protect files and directories with user or group information by defining access by user, by group, or by filter:

To define by user:

Manually insert the following directives into your configuration file, under a Directory or Location stanza:

  • LdapConfigFile path_to_ldap_configuration_file
  • AuthName name
  • AuthType Basic
  • Require valid-user

To define by group:

LDAPRequire group "group_name"
For example: LDAPRequire group "Administrative Users"

To define by filter:

LDAPRequire filter "ldap_search_filter"
For example: LDAPRequire filter "(&(objectclass=person)(cn=*)(ou=IHS)(o=IBM))"

Tip: LDAPRequire only works if manually inserted into the httpd.conf file.
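The three forms above assembled into one httpd.conf fragment, as an added example that is not part of the IBM documentation: the Location paths and AuthName realms are made up, and conf/ldap.prop is the sample LDAP properties file this page refers to later.

```apacheconf
# Added example (not from the IBM HTTP Server documentation). The paths
# /secure, /admin and /ihs-staff and the realm names are constructed;
# conf/ldap.prop is the sample LDAP properties file shipped in the conf directory.

# By user: any account that authenticates against the LDAP server may read /secure.
<Location /secure>
    LdapConfigFile conf/ldap.prop
    AuthName "Intranet"
    AuthType Basic
    Require valid-user
</Location>

# By group: only members of the named LDAP group may reach /admin.
<Location /admin>
    LdapConfigFile conf/ldap.prop
    AuthName "Administration"
    AuthType Basic
    LDAPRequire group "Administrative Users"
</Location>

# By filter: access is granted only when the LDAP search filter matches;
# every term inside the (&...) conjunction must hold.
<Location /ihs-staff>
    LdapConfigFile conf/ldap.prop
    AuthName "IHS Staff"
    AuthType Basic
    LDAPRequire filter "(&(objectclass=person)(cn=*)(ou=IHS)(o=IBM))"
</Location>
```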

Using key ring files

When you configure LDAP to use SSL for communicating with the LDAP server, the mod_ibm_ssl and mod_ibm_ldap modules must use the same key ring file. If you enable SSL connections to the Web server and also use SSL as the transport between the Web server and the LDAP server, the key ring files used by the two modules can be merged into one key ring file. The configuration of each module can still specify a different default certificate.

Using Secure Sockets Layer and the Lightweight Directory Access Protocol module

When using Secure Sockets Layer (SSL) between the Lightweight Directory Access Protocol (LDAP) module and the LDAP directory server, the key database file must be writable by the UNIX user ID under which the Web server runs. The key database file contains the certificates that establish identity, and in a secure environment the LDAP server can require the Web server to present a certificate before it may query the LDAP server for authentication information.

Because certificates establish identity, protect them from being stolen or overwritten. Anyone with read permission on the key database file can retrieve the user's certificates and masquerade as that user. Grant read and write permission only to the owner of the key database file.

The LDAP module requires the password to the user's key database, even if a stash file exists. Use the ldapstash command to create an LDAP stash file, containing the key database file password.

Creating a Lightweight Directory Access Protocol connection

To create an LDAP connection, provide information about the LDAP server.

  1. Edit your sample LDAP properties file, ldap.prop, located in the IBM HTTP Server conf directory. Insert the applicable directives.
  2. Enter the Web server connection information.
  3. Enter client connection information.
  4. Enter timeout settings.

Identifying supported Lightweight Directory Access Protocol servers on the IBM HTTP Server

The IBM HTTP Server supports the following LDAP servers:

  • iPlanet/Netscape Directory Server
  • IBM SecureWay Directory Server

Finding related information
