For up-to-date product documentation, see the IBM MobileFirst Foundation Developer Center.

Configure LDAP ACL management for WebSphere Application Server V8.x

Use LDAP, through the Virtual Member Manager (VMM) API, to define the users and groups who can install mobile applications with the Application Center.


To configure ACL with LDAP, you define three properties: uid, sn, and cn. These properties enable the Application Center to identify the login name and full name of users and the name of user groups. Then you enable ACL management with VMM. You can configure LDAP based on the federated repository configuration only.


  1. Log in to the WebSphere® Application Server console.
  2. Select Security > Global security.
  3. In the User account repository section, select Configure.
  4. Select your LDAP repository entry.
  5. Under Additional Properties, select LDAP attributes (WebSphere Application Server V8.0) or Federated repositories property names to LDAP attributes mapping (WebSphere Application Server V8.5).
  6. Select Add > Supported.
  7. Enter these property values:
    1. For Name enter your LDAP login attribute.
    2. For Property name enter uid.
    3. For Entity types enter the LDAP entity type.
    4. Click OK.

    Figure 1. Associating LDAP login with uid property (WebSphere Application Server V8.0)

    LDAP login attribute associated with the uid property and the PersonAccount LDAP entity type.

  8. Select Add > Supported.
    1. For Name enter your LDAP attribute for full user name.
    2. For Property name enter sn.
    3. For Entity types enter the LDAP entity type.
    4. Click OK.

    Figure 2. Associating LDAP full user name with sn property (WebSphere Application Server V8.0)

    LDAP attribute for full user name associated with the sn property and the PersonAccount LDAP entity type.

  9. Select Add > Supported to configure a group name:
    1. For Name enter the LDAP attribute for your group name.
    2. For Property name enter cn.
    3. For Entity types enter the LDAP entity type.
    4. Click OK.
  10. Enable ACL management with LDAP:
    1. Select Servers > Server Types > WebSphere application servers.
    2. Select the appropriate application server.

      In a clustered environment, you must configure all the servers in the cluster in the same way.

    3. In the Configuration tab, under "Server Infrastructure", click the Java and Process Management tab and select Process definition.
    4. In the Configuration tab, under Additional Properties, select Java Virtual Machine.
    5. In the Configuration tab, under Additional Properties, select Custom properties.
    6. Enter the required property-value pairs in the form. To enter each pair, click New, enter the property and its value, and click OK.

      Property-value pairs:

      • = true
      • = true
      • ibm.appcenter.ldap.cache.expiration.seconds = delay_in_seconds
    7. Enter the delay in seconds before the LDAP cache expires. If you do not enter a value, the default value is 86400, which is equal to 24 hours.

      Changes to users and groups on the LDAP server become visible to the Application Center after a delay, which is specified by ibm.appcenter.ldap.cache.expiration.seconds. The Application Center maintains a cache of LDAP data, and changes become visible only after the cache expires. By default, the delay is 24 hours. If you do not want to wait for the cache to expire after changing users or groups, you can call this command to clear the cache of LDAP data:

        -clearLdapCache -s serverurl -c context -u user -p password

      See Using the stand-alone tool to clear the LDAP cache for details.


The following figure shows an example of custom properties with the correct settings.

Figure 3. ACL management for Application Center with LDAP on WebSphere Application Server V8

Custom properties set to true for ACL management with LDAP.

What to do next

  1. Save the configuration and restart the server.
  2. To use the VMM API, you must assign the IdMgrReader role to the users who run the VMM code, or to the group owners of these users. You must assign this role to all users and groups who have the appcenteruser or appcenteradmin roles.
  3. In the <was_home>\bin directory, where <was_home> is the home directory of your WebSphere Application Server, run the wsadmin command.
  4. After connecting with the WebSphere Application Server administrative user, run the following command:

    $AdminTask mapIdMgrGroupToRole {-roleName IdMgrReader -groupId your_LDAP_group_id}

  5. Run the same command for all the groups mapped to the appcenteruser and appcenteradmin roles.

    For individual users who are not members of groups, run the following command:

    $AdminTask mapIdMgrUserToRole {-roleName IdMgrReader -userId your_LDAP_user_id}

    You can assign the special subject "All Authenticated in Application's Realm" as roles for appcenteruser and appcenteradmin. If you choose to assign this special subject, IdMgrReader must be configured in the following way:

    $AdminTask mapIdMgrGroupToRole {-roleName IdMgrReader -groupId ALLAUTHENTICATED}

  6. Enter exit to end wsadmin.
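
Steps 4 and 5 must cover every group and user that holds the appcenteruser or appcenteradmin role. The following Python sketch is an added example, not IBM code: it compares those role holders with the principals that already have IdMgrReader, emits the $AdminTask commands shown above for the gaps, and lists IdMgrReader holders that have no Application Center role. The DNs and inventory lists are constructed sample values; how you collect them from your cell is assumed.

```python
import re

# Ids are pasted inside Jacl braces, so reject whitespace, braces, quotes, etc.
SAFE_ID = re.compile(r"[A-Za-z0-9_.@=,-]+")

def plan_idmgr_reader(appcenter_groups, appcenter_users, reader_groups, reader_users):
    """Compare Application Center role holders with current IdMgrReader holders.

    Returns (commands, excess): wsadmin commands for principals that still
    need IdMgrReader, and principals that hold IdMgrReader without holding
    an Application Center role (candidates for review).
    """
    commands = []
    for task, flag, wanted, have in (
        ("mapIdMgrGroupToRole", "-groupId", appcenter_groups, reader_groups),
        ("mapIdMgrUserToRole", "-userId", appcenter_users, reader_users),
    ):
        for principal in sorted(set(wanted) - set(have)):
            if not SAFE_ID.fullmatch(principal):
                raise ValueError("unsafe id for wsadmin: %r" % principal)
            commands.append("$AdminTask %s {-roleName IdMgrReader %s %s}"
                            % (task, flag, principal))
    excess = sorted((set(reader_groups) - set(appcenter_groups))
                    | (set(reader_users) - set(appcenter_users)))
    return commands, excess

# Constructed sample inventory (assumed DN layout, not from the original page).
APPCENTER_GROUPS = ["cn=appcenter-admins,ou=groups,dc=example,dc=com",
                    "cn=appcenter-users,ou=groups,dc=example,dc=com"]
APPCENTER_USERS = ["uid=jdoe,ou=people,dc=example,dc=com"]
READER_GROUPS = ["cn=appcenter-users,ou=groups,dc=example,dc=com",
                 "cn=contractors,ou=groups,dc=example,dc=com"]
READER_USERS = []

if __name__ == "__main__":
    cmds, extra = plan_idmgr_reader(APPCENTER_GROUPS, APPCENTER_USERS,
                                    READER_GROUPS, READER_USERS)
    print("\n".join(cmds))                    # paste into the wsadmin session
    print("IdMgrReader without Application Center role:", extra)
```

If the special subject is used, pass ALLAUTHENTICATED as a group id; it is emitted in the same form as the command in step 5.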
