This section discusses the functions involved in getting started with Lightweight Directory Access Protocol (LDAP). Links to related topics appear at the end of this section.
Protecting files or directories with user or group information on a Lightweight Directory Access Protocol server
You can protect files and directories with user or group information by defining access by user, group, or filter:
To define by user:
Manually insert the following directives into your configuration file, under a directory or Location stanza:
To define by group:
LDAPRequire group "group_name"
To define by filter:
LDAPRequire filter "ldap_search_filter"
LDAPRequire only works if manually inserted into the httpd.conf file.
When you configure LDAP to use SSL for communicating with the LDAP server, the mod_ibm_ssl and mod_ibm_ldap modules must use the same key ring file. If you enable SSL connections to the Web server and also use SSL as the transport between the Web server and the LDAP server, the key ring files used for both modules can be merged into one key ring file. The configuration of each module can specify a different default certificate.
When using Secure Sockets Layer (SSL) between the Lightweight Directory Access Protocol (LDAP) module and the LDAP directory server, the key database file must have write permission. The key database file contains the certificates which establish identity, and in a secure environment, the LDAP server can require the Web server to provide a certificate for querying the LDAP server for authentication information. The key database file must be writable by the UNIX user ID under which the Web server runs.
Because certificates establish identity, protect the key database file so that others cannot steal or overwrite your certificates. If someone has read permission to the key database file, they can retrieve the user's certificates and masquerade as that user. Grant read or write permission only to the owner of the key database file.
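The permission rule above can be checked with a small shell function. This is an added example, not part of the IBM HTTP Server documentation; the function name check_keydb is hypothetical, and the key database path and the Web server account are supplied by the caller.

```shell
# Added example: audit a key database file's ownership and permissions.
# check_keydb FILE USER   (USER is an account name or a numeric UID)
# Prints findings; returns 0 only if FILE is a regular file owned by USER,
# readable and writable by that owner, and closed to group and other.
check_keydb() {
    file=$1 user=$2 rc=0

    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "FAIL: $file is missing or not a regular file"
        return 2
    fi
    case $user in
        ''|*[!0-9]*)
            want_uid=$(id -u "$user" 2>/dev/null) || {
                echo "FAIL: unknown user '$user'"
                return 2
            } ;;
        *) want_uid=$user ;;
    esac

    # ls -ln is POSIX: field 1 is the mode string, field 3 the numeric owner.
    set -- $(ls -ln "$file")
    mode=$1 uid=$3

    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: owner uid is $uid, expected $want_uid"
        rc=1
    fi
    case $mode in
        ?rw*) ;;
        *) echo "FAIL: owner lacks read/write ($mode)"; rc=1 ;;
    esac
    # Characters 5-10 of the mode string are the group and other bits.
    if [ "$(printf '%s' "$mode" | cut -c5-10)" != "------" ]; then
        echo "FAIL: group or other has access ($mode)"
        rc=1
    fi
    case $mode in
        *+) echo "FAIL: extra ACL entries present, review them ($mode)"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: $file ($mode, uid $uid)"
    return "$rc"
}
```

Call it with the key database path and the account the Web server runs as; a return code of 1 means the file exists but its owner or mode violates the rule, and 2 means the file or account could not be resolved.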
The LDAP module requires the password to the user's key database, even if a stash file exists. Use the ldapstash command to create an LDAP stash file, containing the key database file password.
To create an LDAP connection, provide information about the LDAP server.
The IBM HTTP Server supports the following LDAP servers: