Convert directives that use the mod_ibm_ldap module to use the mod_ldap Apache module to
ensure continued IBM®
HTTP Server support for your LDAP configuration.
Before you begin
Determine which directives to convert.Complete these steps to convert your
directives.
Procedure
-
Edit the LoadModule directive in the httpd.conf or
ldap.prop configuration file to remove mod_ibm_ldap.
LoadModule ibm_ldap_module modules/mod_ibm_ldap.so
-
Add the mod_ldap LoadModule directive to the httpd.conf configuration
file.
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so
-
Convert one or more of the following directives.
For more information about converting your directives, see the topic about mod_ibm_ldap
migration.
Note: A one to one correlation might not exist for some directives.
Table 1. LDAP configuration directives conversion
mod_ibm_ldap |
mod_ldap |
ldapCodePageDir |
None. The codepages directory cannot be moved from its installed
location. |
LdapConfigFile |
include |
LdapRequire |
require |
ldap.application.authType |
None. If the mod_ldap directive, AuthLDAPBindDN, is specified, then you will
get Basic auth. If no AuthLDAPBindDN is specified, then you get what would have been the None auth
type (anonymous). If the mod_ldap configuration specifies an LDAPTrustedClientCert value then you
will get the Cert auth
type. |
ldap.application.DN |
AuthLDAPBindDN |
ldap.application.password |
AuthLDAPBindPassword |
ldap.application.password.stashFile |
None. The mod_ldap module does not provide a directive for using stashed
passwords. |
ldap.cache.timeout |
LDAPCacheTTL |
ldap.group.dnattributes |
AuthLDAPSubGroupClass |
ldap.group.memberattribute |
AuthLDAPSubGroupAttribute |
ldap.group.memberattributes |
AuthLDAPGroupAttribute |
ldap.group.name.filter |
None. The mod_ldap module uses the filter provided at the end of the
AuthLDAPURL directive. |
ldap.group.search.depth |
AuthLDAPMaxSubGroupDepth |
ldap.group.URL |
AuthLDAPURL |
ldap.idleConnection.timeout |
None. The mod_ldap module does not provide a directive for connection
timeouts. |
ldap.key.file.password.stashfile |
None. The mod_ldap module does not provide a directive for using stashed
passwords. Specify the keyfile password, in clear text, at the end of the LDAPTrustedGlobalCert
directive. Alternatively, omit the password on the LDAPTrustedGlobalCert directive and the mod_ldap
module automatically looks for a /path/to/keyfile.sth file, assuming /path/to/keyfile.kdb was the
specified value of the LDAPTrustedGlobalCert
directive. |
ldap.key.fileName |
LDAPTrustedGlobalCert |
ldap.key.label |
LDAPTrustedClientCert |
ldap.ReferralHopLimit |
LDAPReferralHopLimit |
ldapReferrals |
LDAPReferrals |
ldap.realm |
None. The mod_ibm_ldap value of this directive was only used for logging
purposes. No equivalent directive is required in
mod_ldap. |
ldap.search.timeout |
LDAPTimeout Directive
Description: Specifies the timeout for LDAP search and bind operations, in seconds
Syntax: LDAPTimeout seconds
Default: LDAPTimeout 60
Context: server config
Status: Extension
Module: mod_ldap
Compatibility: Apache HTTP Server 2.3.5 and later
|
ldap.transport |
LDAPTrustedMode |
ldap.URL |
AuthLDAPURL |
ldap.user.authType |
None. The mod_ldap module authenticates users based on the user ID and
password credentials provided. |
ldap.user.cert.filter |
None. The mod_ldap module does not work directly with client certificates.
Authorization directives use the environment values set by the SSL module. |
ldap.user.name.fieldSep |
None. The mod_ldap module does not provide support for parsing the provided
credentials into subcomponents. |
ldap.user.name.filter |
None. The mod_ldap module specifies the user name filter as part of the
AuthLDAPURL directive. |
ldap.version |
None. The mod_ldap module uses only LDAP version 3. |
ldap.waitToRetryConnection.interval |
None. The mod_ldap module does not have a timed delay between connection
retries when a connection attempt fails. The connection attempt is retried for a maximum of 10 times
before request fails. |
-
Run the Apache control with the verify flag to verify the configuration.
<ihsinst>bin/apachectl -t
Attention: This configuration check confirms that the syntax is correct, but you must
verify any configuration changes for a directive using the documentation for that directive to
ensure an optimal configuration.
Attention: All mod_ibm_ldap directives that use the form
ldap.* used to optionally display in the LDAPConfigFile configuration file without
the ldap prefix.
A mod_ldap SSL configuration
The following configuration directives show a sample SSL-enabled LDAP configuration. Some of the
directives specify default values and would not typically need to be specified, but are retained to
provide context. Those directives are included, but are commented out with '##" symbols.
##LDAPReferrals On
##LDAPReferralHopLimit 5
LDAPTrustedGlobalCert CMS_KEYFILE /full/path/to/ldap_client.kdb clientkdbPassword
#default cert in this kdb is my_cert1
# Alternatively, you can specify a SAF-based keyring, on systems that support it, as follows:
#LDAPTrustedGlobalCert SAF saf_keyring
<VirtualHost *>
ServerAdmin admin@my.address.com
DocumentRoot /path/to/htdocs
# Ignored because LDAP URLs use ldaps:, where needed
##LDAPTrustedMode SSL
<Directory /minimal_ldap_config>
AuthBasicProvider ldap
AuthLDAPURL ldap://our_ldap.server.org/o=OurOrg,c=US
AuthName "Private root access"
require valid-user
</Directory>
<Directory /path/to/htdocs>
##AuthzLDAPAuthoritative on
AuthBasicProvider ldap
# This LDAPTrustedClientCert is required to use a different certificate
# than the default
LDAPTrustedClientCert CMS_LABEL my_cert2
AuthLDAPURL ldaps://our_ldap.server.org:636/o=OurOrg,c=US?cn?sub? (objectclass=person)
AuthLDAPBindDN "cn=ldapadm,ou=OurDirectory,o=OurCompany,c=US"
AuthLDAPBindPassword mypassword
AuthName "Private root access"
require ldap-group cn=OurDepartment,o=OurOrg,c=us
</Directory>
<Directory "/path/to/htdocs/employee_of_the_month">
##AuthzLDAPAuthoritative on
AuthBasicProvider ldap
#Uses default cert (my_cert1)
##LDAPTrustedClientCert CMS_LABEL my_cert1
AuthLDAPURL ldaps://our_ldap.server.org:636/o=OurOrg,c=US?cn?sub?(objectclass=person)
AuthLDAPBindDN "cn=ldapadm,ou=OurDirectory,o=OurCompany,c=US"
AuthLDAPBindPassword mypassword
AuthName "Employee of the month login"
require ldap-attribute description="Employee of the Month."
</Directory>
<Directory "/path/to/htdocs/development_groups">
#These are the default values for the subgroup-related directives and only need to be
#specified when the LDAP structure differs.
##AuthzLDAPAuthoritative on
AuthBasicProvider ldap
# This LDAPTrustedClientCert is required to use a different certificate
# than the default LDAPTrustedClientCert CMS_LABEL my_cert3
AuthLDAPURL ldaps://groups_ldap.server.org:636/o=OurOrg,c=US?cn?sub?
(|(objectclass=groupofnames)(object class=groupo1 funiquenames))
AuthLDAPBindDN "cn=ldapadm,ou=OurDirectory,o=OurCompany,c=US"
AuthLDAPBindPassword mypassword
AuthName "Developer Access"
AuthLDAPGroupAttribute member
AuthLDAPMaxSubGroupDepth 2
AuthLDAPSubGroupClass groupOfUniqueNames
##AuthLDAPSubGroupClass groupOfNames
##AuthLDAPSubGroupAttribute uniqueMember
##AuthLDAPSubGroupAttribute member
require ldap-group cn=Developers_group,o=OurOrg,c=us
</Directory>
</VirtualHost>
LDAPTrustedMode None