Authenticating with LDAP on IBM HTTP Server using mod_ldap

You can configure Lightweight Directory Access Protocol (LDAP) to authenticate and protect files on IBM® HTTP Server.

Before you begin

Best Practice: If you are using the mod_ibm_ldap module for your LDAP configuration, consider migrating your mod_ibm_ldap directives to use the mod_ldap module. The mod_ibm_ldap module is provided with this release of IBM HTTP Server for compatibility with previous releases, however, you must migrate existing configurations to use the mod_authnz_ldap and mod_ldap modules to ensure future support for your LDAP configuration.

The LoadModule directive for LDAP does not load into IBM HTTP Server by default. Without the LoadModule directive, the LDAP features are not available for use.

In order to enable the LDAP function, add a LoadModule directive to the IBM HTTP Server httpd.conf file as follows:

LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

About this task

LDAP authentication is provided by the mod_ldap and mod_authnz_ldap Apache modules.

The mod_ldap module provides LDAP connection pooling and caching.
The mod_authnz_ldap makes use of the LDAP connection pooling and caching services to provide Web client authentication.

See the following Web sites to obtain detailed descriptions of the LDAP (ldap_module and authnz_ldap_module) directives:

Procedure

Edit the httpd.conf IBM HTTP Server configuration file.
Determine the resource for which you want to limit access.
For example: <Directory "/secure_info">
Add the LDAPTrustedGlobalCert directive to httpd.conf if the IBM HTTP Server connection to the LDAP server is an SSL connection.
The LDAPTrustedGlobalCert directive specifies the directory path and file name of the trusted certificate authority (CA) that mod_ldap uses when establishing an SSL connection to an LDAP server.

Certificates can be stored in a .kdb file or a SAF key ring. If a .kdb file is used, a .sth file must be located in the same directory path and have the same filename, but the extension must be .sth instead of .kdb.

The LDAPTrustedGlobalCert directive must be a CMS_KEYFILE value type. Use this value if the certificates indicated by the LDAPTrustedGlobalCert directive are stored in a .kdb file.

The LDAPTrustedGlobalCert directive must be a SAF_KEYRING value type. Use this value if the certificates indicated by the LDAPTrustedGlobalCert directive are stored in a SAF key ring. Example when the certificate is stored in a .kdb file:
```
LDAPTrustedGlobalCert CMS_KEYFILE /path/to/keyfile.kdb myKDBpassword
```
Example when the certificate is stored in a SAF key ring.
```
LDAPTrustedGlobalCert SAF saf_keyring
```
For more information on accessing SAF key rings defined in RACF®, see Performing required z/OS system configurations.
Important: The user ID that you use to start IBM HTTP Server must have access to the SAF key ring that you name in this directive. If the user ID does not have access to the SAF key ring, SSL initialization fails.
Important: For SSL connectivity to LDAP on z/OS, it might be necessary to set environment variables to support certain ciphers and protocols.
The following documentation resources are relevant to z/OS v2.5.0. Refer to the documentation for the level of z/OS that you are running.
For more information on using the environment variables to control SSL/TLS settings, see SSL/TLS information for LDAP client utilities.

For more information on ciphers, see Cipher suite definitions.

For more information on the full list of environment variables that are related to SSL processing, see Environment variables.
Add the AuthLDAPUrl directive, which specifies the LDAP search parameters to use.
The syntax of the URL is:
```
ldap://host:port/basedn?attribute?scope?filter
```
Add directives in httpd.conf to the directory location (container) to be protected with values specific to your environment, such as:
- Order deny,allow
- Allow from all
- AuthName Title of your protected Realm
- AuthType Basic
- AuthBasicProvider ldap
- AuthLDAPURL your_ldap_url
- Require valid-user
- AuthLDAPBindDN "cn=Directory Manager"
- AuthLDAPBindPassword auth_password
For each combination of LDAP server, protection setup, and protect directive, code a Location container similar to the following example:
```
<Location /ldapdir>
  AuthName "whatever_LDAP"
  AuthType Basic
  AuthBasicProvider ldap
  AuthLDAPURL ldap://9.27.163.182:389/o=abc.xyz.com?cn?sub?
  Require valid-user
  AuthLDAPBindDN "cn=Directory Manager"
  AuthLDAPBindPassword d44radar
</Location>
```
http://publib.boulder.ibm.com/httpserv/manual70/mod/mod_authnz_ldap.html