For up-to-date product documentation, see the IBM MobileFirst Foundation Developer Center.


Configure LDAP ACL management (Apache Tomcat)

Use LDAP to define the users and groups who can install mobile applications with the Application Center by defining the Application Center LDAP properties through JNDI.


Purpose

To configure LDAP ACL management of the Application Center, add an entry for each property to the <Context> section of the IBM® Application Center Services application in the server.xml file. Each entry has the following syntax:

<Environment name="JNDI_property_name" value="property_value" type="java.lang.String" override="false"/>

Where:

JNDI_property_name is the name of the property you are adding.

property_value is the value of the property you are adding.

Table 1. Properties for configuring ACL management for LDAP in the server.xml file on Apache Tomcat

ibm.appcenter.ldap.active
    Set to true to enable LDAP; set to false to disable LDAP.

ibm.appcenter.ldap.connectionURL
    LDAP connection URL.

ibm.appcenter.ldap.user.base
    Search base of users.

ibm.appcenter.ldap.user.loginName
    LDAP login attribute.

ibm.appcenter.ldap.user.displayName
    LDAP attribute for the user name to be displayed, for example, a person's full name.

ibm.appcenter.ldap.group.base
    Search base of groups.

ibm.appcenter.ldap.group.name
    LDAP attribute for the group name.

ibm.appcenter.ldap.group.uniquemember
    LDAP attribute that identifies the members of a group.

ibm.appcenter.ldap.user.groupmembership
    LDAP attribute that identifies the groups to which a user belongs.

ibm.appcenter.ldap.group.nesting
    Whether nested groups are resolved. If nested groups are not managed, set the value to false.

ibm.appcenter.ldap.user.filter
    LDAP user search filter for the attribute of the user login name. Use %v as the placeholder for the login name attribute.

    This property is only required when LDAP users and groups are defined in the same subtree; that is, when the properties ibm.appcenter.ldap.user.base and ibm.appcenter.ldap.group.base have the same value.

ibm.appcenter.ldap.displayName.filter
    LDAP user search filter for the attribute of the user display name. Use %v as the placeholder for the display name attribute.

    This property is only required when LDAP users and groups are defined in the same subtree; that is, when the properties ibm.appcenter.ldap.user.base and ibm.appcenter.ldap.group.base have the same value.

ibm.appcenter.ldap.group.filter
    LDAP group search filter. Use %v as the placeholder for the group attribute.

    This property is only required when LDAP users and groups are defined in the same subtree; that is, when the properties ibm.appcenter.ldap.user.base and ibm.appcenter.ldap.group.base have the same value.

ibm.appcenter.ldap.security.sasl
    The SASL mechanism to use when an external SASL authentication mechanism is required to bind to the LDAP server. The value depends on the LDAP server; usually, it is set to EXTERNAL.

ibm.appcenter.ldap.security.binddn
    Distinguished name of the user that is permitted to search the LDAP directory. Set this property only if an authenticated (non-anonymous) bind is required.

ibm.appcenter.ldap.security.bindpwd
    Password of the user that is permitted to search the LDAP directory. Set this property only if an authenticated (non-anonymous) bind is required. The value is stored in clear text in server.xml, so restrict read access to that file.

ibm.appcenter.ldap.cache.expiration.seconds
    Delay in seconds before the LDAP cache expires. If no value is entered, the default value is 86400, which is equal to 24 hours.

    Changes to users and groups on the LDAP server become visible to the Application Center only after this delay: the Application Center maintains a cache of LDAP data, and changes become visible only when the cache expires. By default, the delay is 24 hours. This also applies to removals: a user who is removed from a group on the LDAP server keeps the access granted through that group until the cache expires or is cleared. If you do not want to wait for the delay to expire after changing users or groups, you can clear the cache of LDAP data with this command:

    acdeploytool.sh -clearLdapCache -s serverurl -c context -u user -p password

    See Using the stand-alone tool to clear the LDAP cache for details.

ibm.appcenter.ldap.referral
    Indicates how the JNDI API handles LDAP referrals. If no value is given, the JNDI API does not handle LDAP referrals. Possible values are:

      • ignore: ignores referrals found in the LDAP server.
      • follow: automatically follows any referrals found in the LDAP server.
      • throw: causes an exception to occur for each referral found in the LDAP server.

See JNDI properties for Application Center for a complete list of the LDAP properties that you can set.

The following example shows the properties defined in the server.xml file. Because ibm.appcenter.ldap.user.base and ibm.appcenter.ldap.group.base point to the same subtree (dc=ibm,dc=com), the three search filters are set as well.

<Environment name="ibm.appcenter.ldap.active" value="true" type="java.lang.String" override="false"/>
<Environment name="ibm.appcenter.ldap.connectionURL" value="ldaps://employees.com:636" type="java.lang.String" override="false"/>
<Environment name="ibm.appcenter.ldap.user.base" value="dc=ibm,dc=com" type="java.lang.String" override="false"/>
<Environment name="ibm.appcenter.ldap.user.loginName" value="uid" type="java.lang.String" override="false"/>
<Environment name="ibm.appcenter.ldap.user.displayName" value="cn" type="java.lang.String" override="false"/>
<Environment name="ibm.appcenter.ldap.user.groupmembership" value="ibm-allGroups" type="java.lang.String" override="false"/>
<Environment name="ibm.appcenter.ldap.group.base" value="dc=ibm,dc=com" type="java.lang.String" override="false"/>
<Environment name="ibm.appcenter.ldap.group.name" value="cn" type="java.lang.String" override="false"/>
<Environment name="ibm.appcenter.ldap.group.uniquemember" value="uniquemember" type="java.lang.String" override="false"/>
<Environment name="ibm.appcenter.ldap.cache.expiration.seconds" value="43200" type="java.lang.String" override="false"/>
<Environment name="ibm.appcenter.ldap.security.sasl" value="EXTERNAL" type="java.lang.String" override="false"/>
<Environment name="ibm.appcenter.ldap.referral" value="follow" type="java.lang.String" override="false"/>
<Environment name="ibm.appcenter.ldap.user.filter" value="(&amp;(uid=%v)(objectclass=inetOrgPerson))" type="java.lang.String" override="false"/>
<Environment name="ibm.appcenter.ldap.displayName.filter" value="(&amp;(cn=%v)(objectclass=inetOrgPerson))" type="java.lang.String" override="false"/>
<Environment name="ibm.appcenter.ldap.group.filter" value="(&amp;(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))" type="java.lang.String" override="false"/>

Notes on the example:

  • The connection uses ldaps:// on port 636 together with SASL EXTERNAL, so the Application Center authenticates to the directory with the identity established at the TLS layer (typically a client certificate) and no bind password is stored in server.xml. If you use ibm.appcenter.ldap.security.binddn and ibm.appcenter.ldap.security.bindpwd instead, the password is stored in clear text in server.xml.
  • override="false" prevents an env-entry with the same name in the web application's web.xml from replacing the value set here; Tomcat allows such overrides by default.
  • The property names follow Table 1 (ibm.appcenter.ldap.referral and ibm.appcenter.ldap.displayName.filter); an entry whose name does not match the documented property is silently ignored rather than reported as an error.
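As an added example that is not part of the IBM documentation or of the product, the following Python script reads the ibm.appcenter.ldap.* entries from a Tomcat server.xml and checks them against the rules stated in Table 1 (the three filters are required only when the two search bases name the same subtree, every filter needs a %v placeholder, a bind DN needs a password unless SASL is used, referral and cache values must be valid), plus two Tomcat and transport hygiene checks that Table 1 does not state (ldaps:// and override="false"). It also shows what a filter looks like once %v is substituted with a login name escaped per RFC 4515, which is what any consumer of these filters must do before sending them to the directory. The two server.xml fragments are constructed for this example and the weak one deliberately contains mistakes; the Context attributes, host names, and the finding codes are the script's own assumptions.

```python
"""Check the ibm.appcenter.ldap.* JNDI entries in a Tomcat server.xml.

Added example, not IBM's code. The filter, bind, referral and TTL rules come
from Table 1; the ldaps and override checks are Tomcat/LDAP hygiene.
"""
import xml.etree.ElementTree as ET

PREFIX = "ibm.appcenter.ldap."
FILTERS = tuple(PREFIX + k for k in ("user.filter", "displayName.filter", "group.filter"))

# Constructed sample (not from the IBM page). It deliberately contains problems:
# plain ldap://, a bind DN without a password, override="true" on one entry, an
# invalid referral value, a non-numeric cache TTL, and only one of the three
# filters although user.base and group.base name the same subtree.
WEAK_SERVER_XML = """<Server>
  <Service name="Catalina"><Engine name="Catalina" defaultHost="localhost"><Host name="localhost">
    <Context docBase="applicationcenter" path="/applicationcenter">
      <Environment name="ibm.appcenter.ldap.active" value="true" type="java.lang.String" override="false"/>
      <Environment name="ibm.appcenter.ldap.connectionURL" value="ldap://employees.com:389" type="java.lang.String" override="false"/>
      <Environment name="ibm.appcenter.ldap.user.base" value="dc=ibm,dc=com" type="java.lang.String" override="false"/>
      <Environment name="ibm.appcenter.ldap.group.base" value="DC=ibm, DC=com" type="java.lang.String" override="false"/>
      <Environment name="ibm.appcenter.ldap.user.loginName" value="uid" type="java.lang.String" override="false"/>
      <Environment name="ibm.appcenter.ldap.user.filter" value="(&amp;(uid=%v)(objectclass=inetOrgPerson))" type="java.lang.String" override="false"/>
      <Environment name="ibm.appcenter.ldap.security.binddn" value="cn=appcenter,ou=svc,dc=ibm,dc=com" type="java.lang.String" override="true"/>
      <Environment name="ibm.appcenter.ldap.referral" value="chase" type="java.lang.String" override="false"/>
      <Environment name="ibm.appcenter.ldap.cache.expiration.seconds" value="12h" type="java.lang.String" override="false"/>
    </Context>
  </Host></Engine></Service>
</Server>
"""

# The same Context corrected (also constructed): ldaps with SASL EXTERNAL instead of a
# stored password, override="false" everywhere, valid referral and TTL, all three filters.
FIXED_CONTEXT = """<Context docBase="applicationcenter" path="/applicationcenter">
  <Environment name="ibm.appcenter.ldap.active" value="true" type="java.lang.String" override="false"/>
  <Environment name="ibm.appcenter.ldap.connectionURL" value="ldaps://employees.com:636" type="java.lang.String" override="false"/>
  <Environment name="ibm.appcenter.ldap.user.base" value="dc=ibm,dc=com" type="java.lang.String" override="false"/>
  <Environment name="ibm.appcenter.ldap.group.base" value="dc=ibm,dc=com" type="java.lang.String" override="false"/>
  <Environment name="ibm.appcenter.ldap.user.filter" value="(&amp;(uid=%v)(objectclass=inetOrgPerson))" type="java.lang.String" override="false"/>
  <Environment name="ibm.appcenter.ldap.displayName.filter" value="(&amp;(cn=%v)(objectclass=inetOrgPerson))" type="java.lang.String" override="false"/>
  <Environment name="ibm.appcenter.ldap.group.filter" value="(&amp;(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))" type="java.lang.String" override="false"/>
  <Environment name="ibm.appcenter.ldap.security.sasl" value="EXTERNAL" type="java.lang.String" override="false"/>
  <Environment name="ibm.appcenter.ldap.referral" value="follow" type="java.lang.String" override="false"/>
  <Environment name="ibm.appcenter.ldap.cache.expiration.seconds" value="43200" type="java.lang.String" override="false"/>
</Context>
"""


def _norm_dn(dn: str) -> str:
    """Naive DN normalisation: attribute types are case-insensitive and whitespace
    around RDN separators is insignificant. Escaped commas are not handled."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def lint_ldap_properties(server_xml: str) -> list:
    """Return findings as CODE:detail strings; an empty list means no problems found."""
    root = ET.fromstring(server_xml)
    entries = {e.get("name"): e.attrib for e in root.iter("Environment")
               if e.get("name", "").startswith(PREFIX)}

    def value(key):
        return entries.get(PREFIX + key, {}).get("value")

    if value("active") != "true":
        return ["LDAP_INACTIVE:" + PREFIX + "active is not true, the other properties are ignored"]
    findings = []
    # Tomcat: override defaults to true, letting a web.xml env-entry replace the value.
    for name, attrs in entries.items():
        if attrs.get("override", "true") != "false":
            findings.append("OVERRIDABLE:" + name)
    url = value("connectionURL")
    if not url:
        findings.append("MISSING:" + PREFIX + "connectionURL")
    elif not url.startswith("ldaps://"):
        findings.append("CLEARTEXT_URL:" + url)  # bind credentials and directory data in clear
    for key in ("user.base", "group.base"):
        if not value(key):
            findings.append("MISSING:" + PREFIX + key)
    # Table 1: the three filters are required only when users and groups share a subtree.
    if value("user.base") and value("group.base") and _norm_dn(value("user.base")) == _norm_dn(value("group.base")):
        findings += ["MISSING_FILTER:" + f for f in FILTERS if f not in entries]
    # Every filter that is present must carry the %v placeholder.
    findings += ["NO_PLACEHOLDER:" + f for f in FILTERS if f in entries and "%v" not in entries[f].get("value", "")]
    # A bind DN needs a password unless the bind goes through SASL (for example EXTERNAL).
    if value("security.binddn") and not value("security.bindpwd") and not value("security.sasl"):
        findings.append("BINDDN_WITHOUT_PASSWORD:" + PREFIX + "security.binddn")
    if value("referral") not in (None, "ignore", "follow", "throw"):
        findings.append("BAD_REFERRAL:" + value("referral"))
    if value("group.nesting") not in (None, "true", "false"):
        findings.append("BAD_NESTING:" + value("group.nesting"))
    ttl = value("cache.expiration.seconds")
    if ttl is not None and not ttl.isdigit():
        findings.append("BAD_CACHE_TTL:" + ttl)
    return findings


def escape_filter_value(value: str) -> str:
    """RFC 4515 section 3 escaping of an assertion value: a login name containing
    ( ) * backslash or NUL cannot change the shape of the filter it is substituted into."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def render_filter(template: str, login_name: str) -> str:
    """Substitute %v the way a filter consumer should: with the value escaped, never raw."""
    return template.replace("%v", escape_filter_value(login_name))


if __name__ == "__main__":
    print("\n".join(lint_ldap_properties(WEAK_SERVER_XML)) or "no findings")
    print(render_filter("(&(uid=%v)(objectclass=inetOrgPerson))", "*)(uid=*"))
```

Run against WEAK_SERVER_XML the script reports seven findings (the overridable bind DN, the clear-text URL, the two missing filters, the bind DN without a password, the invalid referral value and the non-numeric TTL); against FIXED_CONTEXT it reports none. The rendered filter shows that a login name such as *)(uid=* becomes (&(uid=\2a\29\28uid=\2a)(objectclass=inetOrgPerson)) rather than a wildcard match on every user, which is the property any code that fills in %v must preserve.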

Parent topic: LDAP with Apache Tomcat