Convert directives that use the mod_ibm_ldap module to
use the mod_ldap Apache module to ensure continued IBM® HTTP
Server support for your LDAP configuration.
Before you begin
Determine which directives to convert. Complete these steps to convert your directives.
Procedure
- Edit the LoadModule directive in the httpd.conf or ldap.prop configuration
file to remove mod_ibm_ldap.
LoadModule ibm_ldap_module modules/mod_ibm_ldap.so
- Add the mod_ldap LoadModule directive to the httpd.conf configuration
file.
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so
- Convert one or more of the following directives.
For more information about converting your directives, see the topic about
mod_ibm_ldap migration.
Note: A one-to-one correlation might not exist for some directives.
Table 1. LDAP configuration directives conversion

mod_ibm_ldap | mod_ldap
ldapCodePageDir | None. The codepages directory cannot be moved from its installed location.
LdapConfigFile | include
LdapRequire | require
ldap.application.authType | None. If the mod_ldap directive AuthLDAPBindDN is specified, you get Basic auth. If no AuthLDAPBindDN is specified, you get what would have been the None auth type (anonymous). If the mod_ldap configuration specifies an LDAPTrustedClientCert value, you get the Cert auth type.
ldap.application.DN | AuthLDAPBindDN
ldap.application.password | AuthLDAPBindPassword
ldap.application.password.stashFile | None. The mod_ldap module does not provide a directive for using stashed passwords.
ldap.cache.timeout | LDAPCacheTTL
ldap.group.dnattributes | AuthLDAPSubGroupClass
ldap.group.memberattribute | AuthLDAPSubGroupAttribute
ldap.group.memberattributes | AuthLDAPGroupAttribute
ldap.group.name.filter | None. The mod_ldap module uses the filter provided at the end of the AuthLDAPURL directive.
ldap.group.search.depth | AuthLDAPMaxSubGroupDepth
ldap.group.URL | AuthLDAPURL
ldap.idleConnection.timeout | None. The mod_ldap module does not provide a directive for connection timeouts.
ldap.key.file.password.stashfile | None. The mod_ldap module does not provide a directive for using stashed passwords. Specify the keyfile password, in clear text, at the end of the LDAPTrustedGlobalCert directive. Alternatively, omit the password on the LDAPTrustedGlobalCert directive and the mod_ldap module automatically looks for a /path/to/keyfile.sth file, assuming /path/to/keyfile.kdb was the specified value of the LDAPTrustedGlobalCert directive.
ldap.key.fileName | LDAPTrustedGlobalCert
ldap.key.label | LDAPTrustedClientCert
ldap.ReferralHopLimit | LDAPReferralHopLimit
ldapReferrals | LDAPReferrals
ldap.realm | None. The mod_ibm_ldap value of this directive was only used for logging purposes. No equivalent directive is required in mod_ldap.
ldap.search.timeout | LDAPSearchTimeout
ldap.transport | LDAPTrustedMode
ldap.URL | AuthLDAPURL
ldap.user.authType | None. The mod_ldap module authenticates users based on the user ID and password credentials provided.
ldap.user.cert.filter | None. The mod_ldap module does not work directly with client certificates. Authorization directives use the environment values set by the SSL module.
ldap.user.name.fieldSep | None. The mod_ldap module does not provide support for parsing the provided credentials into subcomponents.
ldap.user.name.filter | None. The mod_ldap module specifies the user name filter as part of the AuthLDAPURL directive.
ldap.version | None. The mod_ldap module uses only LDAP version 3.
ldap.waitToRetryConnection.interval | None. The mod_ldap module does not have a timed delay between connection retries when a connection attempt fails. The connection attempt is retried a maximum of 10 times before the request fails.
- Run the Apache control with the verify flag to verify the configuration.
<ihsinst>bin/apachectl -t
Attention: This configuration check confirms that the syntax is correct, but you
must verify any configuration changes for a directive using the documentation
for that directive to ensure an optimal configuration.
Attention: All mod_ibm_ldap directives of the form ldap.* could optionally
appear in the LdapConfigFile configuration file without the ldap. prefix.
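The following script, an added example that is not IBM's tooling, applies the conversion table above to mod_ibm_ldap settings and separates the directives it can rename from the ones the table marks as having no mod_ldap equivalent. It assumes one setting per line in either ldap.name=value or ldap.name value form (with or without the ldap. prefix), builds the LDAPTrustedGlobalCert and LDAPTrustedClientCert forms from the sample configuration below, and uses a constructed ldap.prop-style input.

```python
# Added example, not IBM's tooling: rewrite mod_ibm_ldap ldap.* settings as mod_ldap
# directives using the conversion table, listing settings with no mod_ldap equivalent.
import re
# One-to-one renames from the table, keyed by the name without its ldap. prefix.
RENAMES = {
    "application.dn": "AuthLDAPBindDN",
    "application.password": "AuthLDAPBindPassword",
    "cache.timeout": "LDAPCacheTTL",
    "group.dnattributes": "AuthLDAPSubGroupClass",
    "group.memberattribute": "AuthLDAPSubGroupAttribute",
    "group.memberattributes": "AuthLDAPGroupAttribute",
    "group.search.depth": "AuthLDAPMaxSubGroupDepth",
    "group.url": "AuthLDAPURL",
    "referralhoplimit": "LDAPReferralHopLimit",
    "referrals": "LDAPReferrals",
    "search.timeout": "LDAPSearchTimeout",
    "transport": "LDAPTrustedMode",  # check the value against LDAPTrustedMode's accepted values
    "url": "AuthLDAPURL",
}
# Accepts "ldap.name=value", "ldap.name value" and, as in LdapConfigFile, names
# without the ldap. prefix (assumption: one setting per line, '#' starts a comment).
LINE_RE = re.compile(r"(?:ldap\.?)?([A-Za-z.]+)\s*=?\s*(.*)$", re.IGNORECASE)

def convert(prop_text):
    """Return (mod_ldap directive lines, lines that need manual review)."""
    converted, review = [], []
    for raw in prop_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        name, value = (m.group(1).lower(), m.group(2).strip()) if m else ("", "")
        if name in RENAMES:
            converted.append(f"{RENAMES[name]} {value}")
        elif name == "key.filename":  # form taken from the sample configuration;
            # no password is given, so mod_ldap looks for the matching .sth stash file
            converted.append(f"LDAPTrustedGlobalCert CMS_KEYFILE {value}")
        elif name == "key.label":
            converted.append(f"LDAPTrustedClientCert CMS_LABEL {value}")
        else:
            review.append(line)  # "None" rows in the table, or unrecognised lines
    return converted, review

# Constructed ldap.prop-style input for demonstration.
SAMPLE = """\
ldap.URL=ldap://our_ldap.server.org/o=OurOrg,c=US
ldap.application.DN=cn=ldapadm,ou=OurDirectory,o=OurCompany,c=US
ldap.application.password.stashFile=/path/to/ldap.sth
ldap.key.fileName=/full/path/to/ldap_client.kdb
ldap.key.label=my_cert2
ldapReferrals On
"""
```

Lines returned in the review list (here the stashed password) are exactly the ones the table says have no directive in mod_ldap and must be handled by hand.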
A mod_ldap SSL configuration
The following configuration directives show a sample SSL-enabled LDAP
configuration. Some of the directives specify default values and would not
typically need to be specified, but are retained to provide context. Those
directives are included, but are commented out with "##" symbols.
##LDAPReferrals On
##LDAPReferralHopLimit 5
LDAPTrustedGlobalCert CMS_KEYFILE /full/path/to/ldap_client.kdb clientkdbPassword
#default cert in this kdb is my_cert1
# Alternatively, you can specify a SAF-based keyring, on systems that support it, as follows:
#LDAPTrustedGlobalCert SAF saf_keyring
<VirtualHost *>
ServerAdmin admin@my.address.com
DocumentRoot /path/to/htdocs
# Ignored because LDAP URLs use ldaps:, where needed
##LDAPTrustedMode SSL
<Directory /minimal_ldap_config>
AuthBasicProvider ldap
AuthLDAPURL ldap://our_ldap.server.org/o=OurOrg,c=US
AuthName "Private root access"
require valid-user
</Directory>
<Directory /path/to/htdocs>
##AuthzLDAPAuthoritative on
AuthBasicProvider ldap
# This LDAPTrustedClientCert is required to use a different certificate
# than the default
LDAPTrustedClientCert CMS_LABEL my_cert2
AuthLDAPURL ldaps://our_ldap.server.org:636/o=OurOrg,c=US?cn?sub?(objectclass=person)
AuthLDAPBindDN "cn=ldapadm,ou=OurDirectory,o=OurCompany,c=US"
AuthLDAPBindPassword mypassword
AuthName "Private root access"
require ldap-group cn=OurDepartment,o=OurOrg,c=us
</Directory>
<Directory "/path/to/htdocs/employee_of_the_month">
##AuthzLDAPAuthoritative on
AuthBasicProvider ldap
#Uses default cert (my_cert1)
##LDAPTrustedClientCert CMS_LABEL my_cert1
AuthLDAPURL ldaps://our_ldap.server.org:636/o=OurOrg,c=US?cn?sub?(objectclass=person)
AuthLDAPBindDN "cn=ldapadm,ou=OurDirectory,o=OurCompany,c=US"
AuthLDAPBindPassword mypassword
AuthName "Employee of the month login"
require ldap-attribute description="Employee of the Month."
</Directory>
<Directory "/path/to/htdocs/development_groups">
#These are the default values for the subgroup-related directives and only need to be
#specified when the LDAP structure differs.
##AuthzLDAPAuthoritative on
AuthBasicProvider ldap
# This LDAPTrustedClientCert is required to use a different certificate
# than the default
LDAPTrustedClientCert CMS_LABEL my_cert3
AuthLDAPURL ldaps://groups_ldap.server.org:636/o=OurOrg,c=US?cn?sub?(|(objectclass=groupofnames)(objectclass=groupofuniquenames))
AuthLDAPBindDN "cn=ldapadm,ou=OurDirectory,o=OurCompany,c=US"
AuthLDAPBindPassword mypassword
AuthName "Developer Access"
AuthLDAPGroupAttribute member
AuthLDAPMaxSubGroupDepth 2
AuthLDAPSubGroupClass groupOfUniqueNames
##AuthLDAPSubGroupClass groupOfNames
##AuthLDAPSubGroupAttribute uniqueMember
##AuthLDAPSubGroupAttribute member
require ldap-group cn=Developers_group,o=OurOrg,c=us
</Directory>
</VirtualHost>
LDAPTrustedMode None