Module mod_authn_core
Module mod_authn_core supports directives for the IBM® HTTP Server for i Web server.
Summary
The mod_authn_core module provides core authentication capabilities to allow or deny access to portions of the web site. mod_authn_core provides directives that are common to all authentication providers.
AuthName
| Syntax: AuthName auth-domain | |
| Default: none | |
| Context: directory, .htaccess | |
| Override: AuthConfig | |
| Origin: Modified | |
| Example: AuthName "IBM Server" |
The AuthName directive sets the name of the authorization realm for a directory. This realm is given to the client during basic authentication to inform the user about which username and password to send. To work properly this directive must be accompanied by AuthType Basic, and directives such as PasswdFile.
- Parameter: auth-domain
- Auth-domain takes a single argument; If the realm name contains spaces, it must be enclosed in double quotation marks.
AuthType
| Module: mod_authn_core | |
| Syntax: AuthType type | |
| Default: none | |
| Context: directory, .htaccess | |
| Override: AuthConfig | |
| Origin: Modified | |
| Example: AuthType None | |
| Example: AuthType Basic | |
| Example: AuthType SSL | |
| Example: AuthType Kerberos | |
| Example: AuthType KerberosOrBasic |
The AuthType directive selects the type of user authentication for a directory. For Basic authentication to work properly this directive must be accompanied by AuthName. If Kerberos is specified, the Require directive must be specified and the PasswdFile directive should be included and set to %%KERBEROS%%. The AuthName, LDAPConfigFile, and LDAPRequire directives may be configured in the same container, but will be ignored.
- Parameter: type
- The type parameter value specifies the type of user authentication
for a directory. Valid values include:
- None
- Configuring "AuthType None" disables authentication. When authentication
is enabled, it is normally inherited by each subsequent configuration
section, unless a different authentication type is specified. If no
authentication is desired for a subsection of an authenticated section,
the authentication type None may be used; in the following example,
clients may access the /www/webserver/htdocs/public directory without
authenticating:
<Directory /www/webserver/htdocs> AuthType Basic AuthName Documents PasswdFile %%SYSTEM%% Require valid-user </Directory><Directory /www/webserver/htdocs/public> AuthType None Require all granted </Directory>
- Basic
- Configuring "AuthType Basic" specifies that the server
protects resources based on a user ID and password. The user will
be prompted for a user ID and password the first time a request is
made for a resource protected by this directive. This directive may
be used on either a secure or a non-secure HTTP session. On a non-secure
HTTP session, the user ID and password are encoded, but not encrypted.Note: Note: In order to use the directive "SSLAuthType CertOrBasic", the AuthType directive must be specified with a value of type Basic.
- SSL
- Configuring "AuthType SSL" specifies that the server will
protect resources based on a SSL client certificate that is associated
with a user ID. See the SSLAuthType directive for more information. Note: In order to use the directive "SSLAuthType Cert", the AuthType directive must be specified with a value of type SSL.
- Kerberos
- Configuring "AuthType Kerberos" specifies that the server will accept a server ticket from a Kerberos-enabled client to authenticate a user.
- KerberosOrBasic
- Configuring "AuthType KerberosOrBasic" specifies that the
server will give a basic authentication prompt to those browsers who
are either not in a kerberos enabled domain, not using Microsoft Internet Explorer, or if kerberos
authentication fails for a Microsoft Internet
Explorer browser in a kerberos realm. If the browser is Microsoft Internet Explorer configured
for kerberos, and in a kerberos domain with the correct kerberos principal
and keytab entries, there will be no prompt (uses kerberos HTTP negotiation).
To work correctly the intersection of directives for "Kerberos" and
"Basic" authority must be used. Kerberos specific directives will
not work, because basic authentication can not use kerberos validation.
These directives are required when using KerberosOrBasic:
- AuthName
- PasswdFile %%SYSTEM%%
- Require: The parameter valid-user, user or group may be specified. For example: Require user kerbuser@DOMAIN.COM as400userid
Notes®:- The group file must include both the kerberos principal and the as400userid. For example Groupfile: productionusers: johndoe@WIN2003.DOMAIN.COM, jdoe
- If you do not use the valid-user you must include both the kerberos client principal and the as400 userid to which it maps.
- The type parameter value specifies the type of user authentication
for a directory. Valid values include:
If you want to have SSL certificate checking, it is recommended that AuthType be set to type SSL.