You can link to a directory service (hereafter called the LDAP server) and authenticate users without creating a password file. You can also control access by using attributes registered in the LDAP server.
This functionality cannot be used with the HP-UX (IPF) version.
The mod_hws_ldap module must be embedded for user authentication via the LDAP server. To embed the mod_hws_ldap module, specify the following directives in the configuration file (httpsd.conf):
To perform user authentication, specify the AuthType and AuthName directives in <Directory> or .htaccess, just as you would when using a password file. By also specifying the Require valid-user and LDAPRequire directives, you authenticate users against the LDAP server.
The following example requires a user ID and password for the CGI programs in <Cosminexus-installation-directory>/httpsd/cgi-bin/:
LDAPServerName ldap.server.hitachi.com
LDAPServerPort 389
<Directory "<Cosminexus-installation-directory>/httpsd/cgi-bin">
AuthName LDAP-TASK
AuthType Basic
Require valid-user
LDAPRequire
</Directory>
You can also control access by using LDAP server attributes.
For example, you can allow access only to users whose employee registration number is between 100 and 200.
In this way, you define whether an authenticated user may use the relevant contents.
LDAPRequire [%DN attribute%] [LDAP-search-folder]
In LDAP-search-folder, specify an LDAP search filter; access permissions are then decided on the basis of the information registered in the LDAP server.
For example, to give access only to the users taro and hanako among the authenticated users, define the access control as shown below. Register the corresponding information in the LDAP server in advance.
Example:
LDAPRequire %cn% (|(cn=taro)(cn=hanako))
In this example, the user name is registered as cn in the LDAP server. When SSL client authentication is combined with the LDAPRequire directive, Cosminexus HTTP Server checks, after certificate-based authentication, whether the client is registered in the LDAP server. In this case, Cosminexus HTTP Server treats the Common Name (CN) of the subject in the client certificate as the user name and queries the LDAP server by anonymous access, without using a password. If Cosminexus HTTP Server cannot access the LDAP server, it responds with the status code 500 Internal Server Error.
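As an added illustration (not code from the Cosminexus documentation or from the mod_hws_ldap module), the following Python model shows how an LDAPRequire check of this form can be understood: the authenticated user name is placed into an equality item on the %DN attribute%, that item is ANDed with the access-control filter, and access is granted only if an entry in the directory matches. The constructed directory entries, the employeeNumber attribute name used for the 100 to 200 example, and the RFC 4515 escaping of the user name are assumptions; the escaping step is included because a user name containing filter metacharacters must not be able to change the structure of the filter.

```python
"""Offline model of an LDAPRequire-style check (constructed example, not mod_hws_ldap's code):
the escaped user name is ANDed with the access-control filter and must match a directory entry."""
import re

def escape_filter_value(value):
    """Escape characters that would otherwise alter the filter's structure (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def _unescape(value):
    return re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), value, flags=re.I)

def parse_filter(s, i=0):
    """Parse (&..), (|..), (attr=v), (attr>=v) or (attr<=v) at s[i]; return (node, next index)."""
    if s[i + 1] in "&|":                       # AND / OR over a list of sub-filters
        op, kids, i = s[i + 1], [], i + 2
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1               # step over the closing ')'
    end = s.index(")", i)
    m = re.fullmatch(r"([A-Za-z][\w.-]*)(>=|<=|=)(.*)", s[i + 1:end])
    if not m:
        raise ValueError("unsupported filter item: %r" % s[i + 1:end])
    return (m.group(2), m.group(1).lower(), _unescape(m.group(3))), end + 1

def _cmp(a, b):
    """Integers compare numerically (integer syntax); other values case-insensitively."""
    if a.lstrip("-").isdigit() and b.lstrip("-").isdigit():
        return (int(a) > int(b)) - (int(a) < int(b))
    return (a.lower() > b.lower()) - (a.lower() < b.lower())

def matches(node, entry):
    """Evaluate a parsed filter against one entry given as {attribute: [values]}."""
    op = node[0]
    if op in "&|":
        return (all if op == "&" else any)(matches(k, entry) for k in node[1])
    _, attr, want = node
    ok = {"=": lambda c: c == 0, ">=": lambda c: c >= 0, "<=": lambda c: c <= 0}[op]
    return any(ok(_cmp(v, want)) for v in entry.get(attr, []))

def ldap_require_allows(user, dn_attr, access_filter, directory):
    """Model of 'LDAPRequire %dn_attr% access_filter' for an authenticated user name."""
    user_match = "(%s=%s)" % (dn_attr, escape_filter_value(user))
    combined = "(&%s%s)" % (user_match, access_filter) if access_filter else user_match
    node, _ = parse_filter(combined)
    return any(matches(node, e) for e in directory)

DIRECTORY = [{"cn": ["taro"], "employeenumber": ["150"]},      # constructed entries
             {"cn": ["hanako"], "employeenumber": ["250"]},
             {"cn": ["jiro"], "employeenumber": ["120"]}]
```

With an empty access filter the check reduces to the %DN attribute% lookup alone, which corresponds to LDAPRequire without a search filter.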
The following figure shows the relationship between the user authentication and access control:
Figure 4-5 Relationship between the user authentication and access control
You can specify multiple LDAP servers in parallel. This lets you use LDAP servers with different sets of registered users at the same time and authenticate all of those users. Because the directives can also be specified per directory, you can use a different LDAP server for each set of contents.
You specify the server name, port number, and base DN of the multiple LDAP servers in the LDAPServerName, LDAPServerPort, and LDAPBaseDN directives. The LDAP server specified first has the highest priority; priority decreases in the order of specification.
You can specify the following LDAP-related directives for each directory. The specified directives are inherited from the upper level to the lower levels, in the order httpsd.conf, <VirtualHost>, and <Directory>.