Lightweight Directory Access Protocol settings
To configure Lightweight Directory Access Protocol (LDAP) settings when users and groups reside in an external LDAP directory.
To view this administrative console page, click Security > User Registries > LDAP.
When security is enabled and any of these properties change, go to the Global Security panel and click Apply to validate the changes.
Configuration tab
Server User ID Specifies the user ID under which the server runs, for security purposes. Although this ID is not the LDAP administrator user ID, specify a valid entry in the LDAP directory located under the Base Distinguished Name.
Server User Password Specifies the password corresponding to the security server ID.
Type Specifies the type of LDAP server to which you connect. The type is used to preload default LDAP properties. IBM Directory Server users can choose either IBM_Directory_Server or SecureWay as the directory type. Use the IBM_Directory_server directory type for better performance. Users of the iPlanet Directory Server can choose either iPlanet Directory Server or NetScape as the directory type. Use the iPlanet Directory Server directory type for better performance after configuring iPlanet to use role (nsRole) as the grouping method.
IBM SecureWay Directory Server is not supported..
For a list of supported LDAP servers, see "Supported directory services." in the documentation.
Host Specifies the host ID (IP address or domain name service (DNS) name) of the LDAP server.
Port Specifies the host port of the LDAP server. If multiple WASs are installed and configured to run in the same single signon domain, or if the WAS interoperates with a previous version of the WAS, then it is important that the port number match all configurations. For example, if the LDAP port is explicitly specified as 389 in a Version 4.0.x configuration, and a WAS at Version 5 is going to interoperate with the Version 4.0.x server, then verify that port 389 is specified explicitly for the Version 5 server.
Default... 389
Base Distinguished Name Specifies the base distinguished name of the directory service, indicating the starting point for LDAP searches of the directory service. For example, for a user with a distinguished name (DN) of cn=John Doe, ou=Rochester, o=IBM, c=US, you can specify the base DN as (assuming a suffix of c=us): ou=Rochester, o=IBM, c=us o=IBM, c=us c=us. For authorization purposes, this field is case sensitive. This specification implies that if a token is received (for example, from another cell or Domino) the base DN in the server must match the base DN from the other cell or Domino server exactly. If case sensitivity is not a consideration for authorization, enable the Ignore Case field. This field is required for all Lightweight Directory Access Protocol (LDAP) directories except for the Domino Directory, where this field is optional.
Bind Distinguished Name Specifies the distinguished name for the appserver to use when binding to the directory service. If no name is specified, the appserver binds anonymously. See the Base Distinguished Name field description for examples of distinguished names.
Bind Password Specifies the password for the appserver to use when binding to the directory service.
Search Timeout Specifies the timeout value in seconds for an Lightweight Directory Access Protocol (LDAP) server to respond before aborting a request.
Default... 120
Reuse connection Specifies whether the server reuses the Lightweight Directory Access Protocol (LDAP) connection. Clear this option only in rare situations where a router is used to spray requests to multiple LDAP servers and when the router does not support affinity.
Default... Enabled Range... Enabled or Disabled
Ignore Case Specifies that a case insensitive authorization check is performed. This field is required when IBM Directory Server is selected as the LDAP directory server.
This field is required when Sun ONE Directory Server is selected as the LDAP directory server. For more information, see "Using specific directory servers as the LDAP server" in the documentation.
Otherwise, this field is optional and can be enabled when a case-sensitive authorization check is required. For example, use this field when the certificates and the certificate contents do not match the case used for the entry in the LDAP server. You can enable the Ignore Case field when using single signon (SSO) between WAS and Lotus Domino.
Default... Disabled Range... Enabled or Disabled
SSL Enabled Specifies whether secure socket communication is enabled to the LDAP server. When enabled, the LDAP SSL settings are used, if specified.
SSL Configuration Specifies the SSL configuration to use for the LDAP connection. This configuration is used only when SSL is enabled for LDAP.
Default: DefaultSSLSettings
Use Tivoli Access Manager for Account Policies Select this option to indicate that the Tivoli Access Manager is used for authentication to honor password and account policies. This option requires that you have previously installed the Tivoli Access Manager. Do not select this option unless you have a Tivoli Access Manager Server installed and configured to be used by WAS. The Lightweight Directory Access Protocol (LDAP) directory server used by the Tivoli Access Manager must be the same LDAP directory server that is used by WebSphere Application Server.
When you select this option, IBM SecureWay Directory Server is not supported as an LDAP directory server.