For up-to-date product documentation, see the IBM MobileFirst Foundation Developer Center.


Configure LDAP authentication for the Liberty profile

You configure LDAP authentication by defining one or more LDAP registries in the server.xml file and you map LDAP users and groups to Application Center roles.


Overview

We can configure LDAP authentication of users and groups in the server.xml file by defining an LDAP registry or, since WebSphere® Application Server Liberty profile V8.5.5, a federated registry that uses several LDAP registries. Then, you map users and groups to Application Center roles. The mapping configuration is the same for LDAP authentication and basic authentication.


Procedure

  1. To open the server.xml descriptor file, enter {server.config.dir}/server.xml
  2. Insert one or several LDAP registry definitions after the <httpEndpoint> element. Example for the LDAP registry:

    <ldapRegistry baseDN="o=ibm.com" host="employees.com" id="Employees" ldapType="IBM Tivoli Directory Server" port="389" realm="AppCenterLdap" recursiveSearch="true"> <idsFilters groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames))) " id="Employees" userFilter="(&amp;(emailAddress=%v)(objectclass=ibmPerson))" groupMemberIdMap="ibm-allGroups:member;ibm-allGroups:uniqueMember" userIdMap="*:emailAddress"/> </ldapRegistry>

    For information about the parameters that are used in this example, see the WebSphere Application Server V8.5 user documentation.

  3. Insert a security role definition after each Application Center application definition.
    • If you deployed WAR files: applicationcenter and appcenterconsole
    • If you deployed an EAR file:applicationcenter

    Group names unique within LDAP
    This sample code shows how to use the group names ldapGroupForAppcenteruser and ldapGroupForAppcenteradmin when they exist and are unique within LDAP.

    <application-bnd> <security-role name="appcenteruser" id="appcenteruser"> <group name="ldapGroupForAppcenteruser" /> </security-role> <security-role name="appcenteradmin" id="appcenteradmin"> <group name="ldapGroupForAppcenteradmin" /> </security-role> </application-bnd>

    Group names not unique within LDAP
    This sample code shows how to code the mapping when the group names are not unique within LDAP. The groups must be specified with the access-id attribute. The access-id attribute must refer to the realm name that is used to specify the LDAP realm. In this sample code, the realm name is AppCenterLdap. The remainder of the access-id attribute specifies one of the LDAP groups named ldapGroup in a way that makes it unique.

    <application-bnd> <security-role name="appcenteruser" id="appcenteruser"> <group name="ldapGroup" id="ldapGroup" access-id="group:AppCenterLdap/CN=ldapGroup,OU=myorg, DC=mydomain,DC=AD,DC=myco,DC=com"/> </security-role> ... </application-bnd>

    If applicable, use similar code to map the appcenteradmin role.

Parent topic: LDAP with Liberty profile