# Omit TLSv1.2
export LDAP_OPT_SECURITY_PROTOCOL=SSLV3,TLS10,TLS11
Require ldap-group and large groups
Searching for nested groups inside large groups is inefficient because of the way nested groups are usually structured in LDAP: both users and sub-groups appear as 'member' values of the parent group, so every member value has to be examined to find out which ones are groups. If your target group only has direct members, set AuthLDAPMaxSubGroupDepth to 0 so that the sub-group search is skipped entirely.
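The following is an added configuration example, not taken from the original page: a mod_authnz_ldap protected location (IHS 7.0 and later, Apache 2.2 syntax) that requires membership in one group and disables the nested-group search because that group is known to contain only direct members. The server name, base DN, bind DN and group DN are placeholders.

```apache
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

<Location /admin>
    AuthType Basic
    AuthName "Administration"
    AuthBasicProvider ldap
    # Placeholder directory: uid is the login attribute, search below ou=people
    AuthLDAPURL "ldap://ldap.example.com:389/ou=people,dc=example,dc=com?uid?sub?(objectClass=inetOrgPerson)"
    # Use a dedicated, read-only service account for the search bind
    AuthLDAPBindDN "cn=httpd-svc,ou=service,dc=example,dc=com"
    AuthLDAPBindPassword "change-me"
    AuthzLDAPAuthoritative on

    # cn=webadmins has only direct members, so skip the sub-group search.
    # The default depth is 10, which on a large group means scanning every
    # member value to find nested groups on each failed direct-membership check.
    AuthLDAPMaxSubGroupDepth 0
    Require ldap-group cn=webadmins,ou=groups,dc=example,dc=com
</Location>
```

If the group does contain nested groups, leave AuthLDAPMaxSubGroupDepth at its default (or set it to the actual nesting depth) rather than 0; otherwise members of sub-groups will be denied.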
In 6.1 and earlier, it may be necessary to change the order of the LoadModule directive for mod_ibm_ldap relative to the LoadModule directive for mod_auth. Usually mod_ibm_ldap should be loaded earlier, so that it can check the client certificate before mod_auth triggers the 401 response.
When an LDAP server on z/OS is configured to use the SDBM (or RACF) backend, the LDAP functionality is greatly diminished. This limits the ability of IBM HTTP Server to use such an LDAP server for access control.
The mod_ldap module has a number of directives that can be used for performance tuning. The mod_ldap module and its directives are described at: http://publib.boulder.ibm.com/httpserv/manual70/mod/mod_ldap.html.
If you are seeing symptoms such as the following, then you may need to tune your LDAP cache:
The cache size is controlled by the LDAPSharedCacheSize directive. For example, to increase the size from the 100K default to 1M, use the following in your configuration file (the size is in bytes):
LDAPSharedCacheSize 1000000
The size of the cache should be set based on the number of entries you expect to be added to it. The more logins that are cached, the larger you will want to make the size.
To help make this determination, you can enable the ldap-status handler as instructed in the 'Monitoring the Cache' section of the mod_ldap documentation page. Once enabled, the cache status can be viewed by using a browser to access http://<servername>/cache-info
Do some initial monitoring to determine how many entries are being cached (the number of rows in the output) and adjust the cache size as needed.
A suggested cache size for a given number of entries can't be provided, but with some initial monitoring you should be able to determine an appropriate cache size for your expected usage patterns. Some situations may need a vastly bigger cache than the default, perhaps 1M or 10M in size, but that has to be evaluated per situation by the customer. Even those sizes are rather small in terms of memory usage.
If you start experiencing LDAP performance issues at a later date, do some new monitoring to determine whether the number of entries being cached has increased since your initial assessment. If so, it's probably time to increase the cache again.
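The following is an added configuration example, not taken from the original page, that puts the cache tuning and monitoring described above into one mod_ldap fragment (IHS 7.0 and later, Apache 2.2 access-control syntax). The entry counts and TTLs are illustrative; the status path matches the /cache-info URL used above. The access restriction is the part a practitioner should not omit: the status page lists cached user DNs and search results, so it must not be reachable from arbitrary clients.

```apache
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

# Shared-memory cache, size in bytes. Raised from the default to 1M after
# monitoring showed the default filling up under peak login load (assumed).
LDAPSharedCacheSize 1000000

# Upper bound on cached bind results and how long a cached bind stays valid.
# A longer TTL means a revoked password keeps working for up to that long,
# so keep it short enough for the site's password-change and lockout policy.
LDAPCacheEntries 2048
LDAPCacheTTL 300

# Same for cached search/compare (group membership) results.
LDAPOpCacheEntries 2048
LDAPOpCacheTTL 300

# Weak: the status handler exposed to everyone.
#<Location /cache-info>
#    SetHandler ldap-status
#</Location>

# Corrected: only local administrators can read the cache contents.
<Location /cache-info>
    SetHandler ldap-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>
```

Count the rows shown on /cache-info during a busy period; if the cache is consistently full, raise LDAPSharedCacheSize and, if the row count is near LDAPCacheEntries or LDAPOpCacheEntries, raise those too.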
Does LDAP authentication work with Active Directory?
Yes, but for reasonable performance either the "global catalog" port (3268, or 3269 over SSL) must be used, or Active Directory must be front-ended by the Active Directory Application Mode (ADAM) daemon.
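An added example, not from the original page, of the Active Directory form of the mod_authnz_ldap URL using the global catalog port. The domain controller name, base DN and bind account are placeholders. Two caveats worth knowing: the global catalog is read-only and holds only the partial attribute set for each object, so any attribute named in the filter, and the member attribute of any group used with Require ldap-group, must actually be replicated to the catalog.

```apache
# Global catalog on 3268 (ldap://) or 3269 (ldaps://). sAMAccountName is the
# pre-Windows 2000 logon name and is always in the partial attribute set.
AuthLDAPURL "ldap://dc1.example.com:3268/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"
# AD does not allow anonymous searches; bind with a low-privilege service account.
AuthLDAPBindDN "CN=httpd svc,OU=Service Accounts,DC=example,DC=com"
AuthLDAPBindPassword "change-me"
AuthzLDAPAuthoritative on
Require valid-user
```

Using the standard port 389 against a domain controller instead of 3268 forces referral chasing across the forest, which is the slow path the answer above warns about.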
Can IHS require a user to be a member of two groups?
The two LDAP modules behave differently, and neither is configurable. mod_ibm_ldap only grants access when all LDAPRequire directives are satisfied. mod_ldap/mod_authnz_ldap, like most standard Apache HTTP Server modules, grants access when any Require directive is satisfied.
Can I change what SSL protocols ldaps (LDAP over SSL) uses?
No, there is no way to configure the SSL protocols on the client side. In IHS 8.0 and above, SSLv3, TLSv1.0, and TLSv1.1 are enabled by default. In IHS 7.0, only SSLv3 and TLSv1.0 are enabled. Because the client cannot be restricted, the only place to rule out SSLv3 is the LDAP server: an LDAP server configured for TLS only will still negotiate TLSv1.0 or TLSv1.1 with these clients.
Collecting data for LDAP authentication problems with IBM HTTP Server. Gathering this MustGather information before calling IBM support will help you understand the problem and save time analyzing the data.
There are two possible modules that IHS might be using for LDAP authentication.
If you are using IHS before version 7.0 on non-z/OS platforms, you are using mod_ibm_ldap. If you are using IHS on z/OS, or version 7.0 or later, you might be using mod_ibm_ldap, or mod_ldap together with mod_authnz_ldap; check the LoadModule directives in the IHS configuration file to see which modules are loaded.
The following files are needed. Include the SSL information if the HTTP request is being received over SSL or the LDAP server is being accessed over SSL.
LDAP_TRACE_FILE=/path/ldaptrace.log
export LDAP_TRACE_FILE
LDAP_DEBUG=65535
export LDAP_DEBUG
GSK_TRACE_FILE=/path/gskit.log
export GSK_TRACE_FILE