Module mod_as_auth

Setting the AsAuthAuthoritative directive explicitly to off allows for both authentication and authorization to be passed on to lower level modules (if there is no userid or rule matching the supplied userid).

Parameter: On | Off

• When On is specified, both authentication and authorization are not allowed to be passed on to lower level modules (if there is no userid or rule matching the supplied userid).
• When Off is specified, allows for both authentication and authorization to be passed on to lower level modules (if there is no userid or rule matching the supplied userid).

If a userid appears in an authentication realm other than those supported by IBM i (for example, System Userid), or if a valid Require directive applies to more than one module, the first module verifies the credentials and no access is passed on regardless of the AsAuthAuthoritative setting.

The GroupFile directive sets the name of a GroupFile to use for a protection setup. Group files are used to classify users into various groups. A protection setup can use groups on limit directives. If a protected directory contains an ACL file, the rules in the ACL file can also use the groups that you define in the group file.

Parameter: filename

• The filename parameter is any valid filename.

To work correctly this directive must be accompanied by PasswdFile, AuthType, and Require.

The PasswdFile directive specifies where the passwords (or certificates) are stored for authentication.

Parameter: passfile

The different values supported by the passfile parameter value are:

%%SYSTEM%%

The passfile parameter can be in the %%SYSTEM%% format. Using this value indicates that the server should use the IBM i User Profile support to validate username/password.

%%LDAP%%

The passfile can also be in the %%LDAP%% format to validate the LDAP server that has been defined to the server.

%%KERBEROS%%

The passfile parameter should be set to %%KERBEROS%% when the directive AuthType Kerberos is configured.

passfile [passfile passfile ...]

The passfile parameter can be formatted to fit the Internet user list. To use this format, specify QUSRSYS/MY_USERS as the filename. The HTTP Server allows a space separated list of Internet User lists (for example: 'library/vldl library/fort').

This directive may be configured multiple times in a container. The directives are processed from the first to the last occurrence.

To work correctly this directive must be accompanied by AuthType, AuthName, and Require.

The UserID directive specifies the IBM i system profile to the server. For a protected resource (one for which Protection directives are defined), the UserID directive specifies which IBM i system profile the server temporarily swaps to while serving that resource. The directive must be a valid user profile.

Parameter: user-profile | %%SERVER%% | %%CLIENT%%

• For user-profile, a valid IBM i system profile must be specified. The value 'QSECOFR' cannot be specified on the directive. The profile that issued the STRTCPSVR command to start HTTP Server must have *USE authority to the profile specified on all of the UserID directives and other directives. All UserID directives (and directives specified for a protected resource) are verified during startup. If any UserID directive, or any other directive, does not satisfy the rules listed here, the server instance does not start and a message is sent to the user's interactive job log.
• Entering %%SERVER%% uses the default profile QTMHHTTP unless the ServerUserId directive is specified.
• Entering %%CLIENT%% causes the user profile from the request to be used on the swap. If Kerberos is specified for the AuthType directive, the server will use Enterprise Identity Mapping (EIM) to attempt to match the user ID associated with the server ticket with an IBM i system profile. If there is no IBM i system profile associated with the server ticket user ID, the HTTP request will fail. This value cannot be used for LDAP or Validation lists authentication. If is valid for IBM i profiles, client certificates, and Kerberos.

The profile that issued the STRTCPSVR command to start HTTP Server must have *USE authority to the profile specified on all of the UserID directives and other directives. All UserID directives (and directives specified for a protected resource) are verified during startup. If any UserID directive, or any other directive, does not satisfy the rules, the server instance does not start and a message is sent to the user's interactive joblog.

When HTTP Server is running under the QTMHHTTP profile (the QTMHHTTP profile is the default) and a UserID directive is not in effect, the server switches to the QTMHHTP1 profile before starting a CGI program. However, when a CGI program is running on servers where the UserID directive is in effect or within a protection setup where the UserID directive has been specified, the program is run under the specified profile, unless the profile is QTMHHTTP. In which case, QTMHHTP1 is used. If the profile does not have authority to the specified program, the request is rejected.

There are two special values you can use on the UserID directive. Entering %%SERVER%% uses the default profile QTMHHTTP unless a protection setup has a different UserID specified. Entering %%CLIENT%% causes the server to challenge the client on each and every request for a user ID and password.

See also ServerUserID.

To work correctly, this directive must be accompanied by the PasswdFile, AuthType, AuthName, and Require directives.