LDAP repository configuration settings
Use this page to configure secure access to a Lightweight Directory Access Protocol (LDAP) repository with optional failover servers. To view this console page...
- In the console, click Security > Secure administration, applications, and infrastructure.
- Under User account repository, select Federated repositories from the Available realm definitions field and click Configure.
- Under Related items, click Manage repositories.
- Click Add to specify a new external repository or select an external repository that is preconfigured.
When you finish adding or updating your federated repository configuration, go to the Security > Secure administration, applications, and infrastructure panel and click Apply to validate the changes.
Configuration tab
- Repository identifier
Specify a unique identifier for the LDAP repository. This identifier uniquely identifies the repository within the cell... LDAP1.
- Directory type
Specify the type of LDAP server to which you connect.
Expand the drop-down list to display a list of LDAP directory types.
- Primary host name
Specify the host name of the primary LDAP server. This host name is either an IP address or a domain name service (DNS) name.
- Port
Specify the LDAP server port.
The default value is 389, which is not an SSL connection. Use port 636 for an SSL connection. For some LDAP servers, you can specify a different port for a non-SSL or SSL connection. If you do not know the port to use, contact your LDAP server administrator.
Data type: Integer
Default: 389
Range: 389 (not an SSL connection) or 636 (an SSL connection)
- Failover host name
Specify the host name of the failover LDAP server.
You can specify a secondary directory server to be used in the event that your primary directory server becomes unavailable. After switching to a secondary directory server, the LDAP repository attempts to reconnect to the primary directory server every 15 minutes.
- Port
Port of the failover LDAP server.
The default value is 389, which is not an SSL connection. Use port 636 for an SSL connection. For some LDAP servers, you can specify a different port for a non-SSL or SSL connection. If you do not know the port to use, contact your LDAP server administrator.
Data type: Integer
Range: 389 (not an SSL connection) or 636 (an SSL connection)
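The primary/failover behaviour described above (switch to the failover server when the primary is unavailable, then retry the primary every 15 minutes) and the 389/636 port convention, as an added Python model that is not code from the page or from the product. Host names, the injected reachability check, and the class and function names are assumptions made for the example; a real client would open the connection instead of calling `is_reachable`.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Reconnect interval stated on the page: after failing over, the primary
# directory server is retried every 15 minutes.
RECONNECT_INTERVAL_SECONDS = 15 * 60


@dataclass(frozen=True)
class LdapEndpoint:
    host: str
    port: int = 389           # page default; 636 is the conventional SSL port
    require_ssl: bool = False

    def url(self) -> str:
        """LDAP URL for this endpoint; the scheme follows the SSL setting, not the port."""
        scheme = "ldaps" if self.require_ssl else "ldap"
        return f"{scheme}://{self.host}:{self.port}"


def port_ssl_note(ep: LdapEndpoint) -> Optional[str]:
    """Flag a port/SSL combination that disagrees with the 389/636 convention.
    Returns None when consistent. A note rather than an error, because the page
    says some servers use other ports for SSL and non-SSL connections."""
    if ep.port == 636 and not ep.require_ssl:
        return f"{ep.host}: port 636 is normally SSL but 'Require SSL communications' is off"
    if ep.port == 389 and ep.require_ssl:
        return f"{ep.host}: port 389 is normally plaintext but SSL is required; confirm server support"
    return None


class FailoverSelector:
    """Chooses between the primary and failover endpoint, modelling the 15-minute retry."""

    def __init__(self, primary: LdapEndpoint, failover: Optional[LdapEndpoint] = None,
                 reconnect_interval: float = RECONNECT_INTERVAL_SECONDS) -> None:
        self.primary = primary
        self.failover = failover
        self.reconnect_interval = reconnect_interval
        self.using_failover = False
        self.last_primary_attempt: Optional[float] = None

    def choose(self, now: float, is_reachable: Callable[[LdapEndpoint], bool]) -> LdapEndpoint:
        """Return the endpoint to use at time `now` (seconds).
        `is_reachable` is injected (assumption) so the logic runs offline."""
        if not self.using_failover:
            if is_reachable(self.primary):
                return self.primary
            if self.failover is None:
                raise ConnectionError(
                    f"primary {self.primary.url()} unreachable and no failover host configured")
            self.using_failover = True
            self.last_primary_attempt = now
            return self.failover
        # Already on the failover server: retry the primary only once per interval.
        if now - self.last_primary_attempt >= self.reconnect_interval:
            self.last_primary_attempt = now
            if is_reachable(self.primary):
                self.using_failover = False
                return self.primary
        # Keep using the failover; if it is also down, the caller's connect reports it.
        return self.failover


if __name__ == "__main__":
    primary = LdapEndpoint("ldap1.example.com", 636, True)      # constructed hosts
    backup = LdapEndpoint("ldap2.example.com", 636, True)
    selector = FailoverSelector(primary, backup)
    # Primary down at t=0, back at t=900 (15 minutes later).
    up_from = 900.0
    for t in (0.0, 600.0, 900.0):
        chosen = selector.choose(t, lambda ep: ep is backup or t >= up_from)
        print(f"t={t:>5.0f}s -> {chosen.url()}")
```

The selector returns the failover server even when it, too, is unreachable; the caller's connection attempt surfaces that failure, which mirrors the page's statement that the failover is only a secondary server, not a guarantee.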
- Support referrals to other LDAP servers
Specify how referrals that are encountered by the LDAP server are handled.
A referral is an entity that is used to redirect a client request to another LDAP server. A referral contains the names and locations of other objects. It is sent by the server to indicate that the information that the client requested can be found at another location, possibly at another server or several servers. The default value is ignore.
Default: ignore
Range:
- ignore: Referrals are ignored.
- follow: Referrals are followed automatically.
- Bind distinguished name
Specify the distinguished name (DN) for the appserver to use when binding to the LDAP repository.
If no name is specified, the appserver binds anonymously. In most cases, bind DN and bind password are needed. However, when anonymous bind can satisfy all of the required functions, bind DN and bind password are not needed.
- Bind password
Password for the appserver to use when binding to the LDAP repository.
- Login properties
Property names to use to log into the appserver.
This field takes multiple login properties, delimited by a semicolon (;). For example, uid;mail. All login properties are searched during login. If multiple entries or no entries are found, an exception is thrown. For example, if you specify the login properties as uid;mail and the login ID as Bob, the search filter searches for uid=Bob or mail=Bob. When the search returns a single entry, then authentication can proceed. Otherwise, an exception is thrown.
- Certificate mapping
Specify whether to map X.509 certificates into an LDAP directory by EXACT_DN or CERTIFICATE_FILTER. Specify CERTIFICATE_FILTER to use the specified certificate filter for the mapping.
- Certificate filter
Specify the certificate filter used for certificate mapping. The filter maps attributes in the client certificate to entries in the LDAP repository.
If more than one LDAP entry matches the filter specification at run time, authentication fails because the result is an ambiguous match. The syntax or structure of this filter is:
LDAP attribute=${Client certificate attribute}
For example, uid=${SubjectCN}. The left side of the filter specification is an LDAP attribute that depends on the schema that your LDAP server is configured to use. The right side of the filter specification is one of the public attributes in your client certificate. The right side must begin with a dollar sign ($) and open bracket ({) and end with a close bracket (}). You can use the following certificate attribute values on the right side of the filter specification. The case of the strings is important:
- ${UniqueKey}
- ${PublicKey}
- ${Issuer}
- ${NotAfter}
- ${NotBefore}
- ${SerialNumber}
- ${SigAlgName}
- ${SigAlgOID}
- ${SigAlgParams}
- ${SubjectCN}
- ${Version}
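Both lookup rules on this page, the Login properties search (uid;mail with login ID Bob searches uid=Bob or mail=Bob and must return exactly one entry) and the Certificate filter expansion (LDAP attribute=${Client certificate attribute}, case-sensitive names, ambiguous match fails), as one added Python example that is not code from the page or from the product. The in-memory directory entries, the certificate attribute values, and the function and exception names are assumptions constructed for the example; it also escapes the user-supplied login ID per RFC 4515 so the ID cannot alter the filter's structure, a step the page does not describe.

```python
import re
from typing import Dict, List

# Constructed in-memory stand-in for the LDAP repository (not real directory data).
# The third entry has mail=bob, so login ID "bob" with login properties "uid;mail"
# matches two entries and must be rejected as ambiguous.
DIRECTORY: List[Dict[str, str]] = [
    {"dn": "uid=bob,ou=people,dc=example,dc=com", "uid": "bob",
     "mail": "bob@example.com", "cn": "Bob Smith"},
    {"dn": "uid=alice,ou=people,dc=example,dc=com", "uid": "alice",
     "mail": "alice@example.com", "cn": "Alice Jones"},
    {"dn": "uid=bob2,ou=people,dc=example,dc=com", "uid": "bob2",
     "mail": "bob", "cn": "Bob Two"},
]

# Certificate attribute names the page lists for the right side of a certificate filter.
CERT_ATTRIBUTES = {"UniqueKey", "PublicKey", "Issuer", "NotAfter", "NotBefore",
                   "SerialNumber", "SigAlgName", "SigAlgOID", "SigAlgParams",
                   "SubjectCN", "Version"}
_PLACEHOLDER = re.compile(r"^\$\{([A-Za-z]+)\}$")


class NoMatchError(Exception):
    """Zero entries matched: authentication fails."""


class AmbiguousMatchError(Exception):
    """More than one entry matched: authentication fails."""


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of an assertion value, so a user-supplied login ID
    cannot change the structure of the search filter."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def login_filter(login_properties: str, login_id: str) -> str:
    """Search filter for a semicolon-delimited login property list,
    e.g. 'uid;mail' and 'Bob' -> '(|(uid=Bob)(mail=Bob))'."""
    props = [p.strip() for p in login_properties.split(";") if p.strip()]
    if not props:
        raise ValueError("at least one login property is required")
    value = escape_filter_value(login_id)
    clauses = "".join(f"({p}={value})" for p in props)
    return clauses if len(props) == 1 else f"(|{clauses})"


def certificate_filter(template: str, cert: Dict[str, str]) -> str:
    """Expand a certificate filter such as 'uid=${SubjectCN}' against the attributes
    of a presented client certificate (given here as a dict, an assumption).
    The right side must be exactly ${Name} with the page's case; anything else is rejected."""
    lhs, sep, rhs = template.partition("=")
    lhs, rhs = lhs.strip(), rhs.strip()
    if not sep or not lhs:
        raise ValueError("filter must have the form 'LDAP attribute=${Client certificate attribute}'")
    match = _PLACEHOLDER.match(rhs)
    if match is None:
        raise ValueError("right side must begin with '${' and end with '}'")
    name = match.group(1)
    if name not in CERT_ATTRIBUTES:
        raise ValueError(f"unknown certificate attribute {name!r} (names are case-sensitive)")
    if name not in cert:
        raise ValueError(f"presented certificate has no {name} value")
    return f"({lhs}={escape_filter_value(cert[name])})"


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _matches(entry: Dict[str, str], flt: str) -> bool:
    """Evaluate the two filter shapes built above: (attr=value) and (|(...)(...))."""
    if flt.startswith("(|"):
        return any(_matches(entry, c) for c in re.findall(r"\([^()]*\)", flt[2:-1]))
    attr, _, value = flt[1:-1].partition("=")
    # Case-insensitive equality approximates caseIgnoreMatch on uid/mail/cn.
    return entry.get(attr, "").lower() == _unescape(value).lower()


def find_entries(flt: str) -> List[str]:
    """DNs of all directory entries matching the filter."""
    return [e["dn"] for e in DIRECTORY if _matches(e, flt)]


def resolve_single_entry(flt: str) -> str:
    """The page's rule for both login and certificate mapping: exactly one hit, or fail."""
    hits = find_entries(flt)
    if not hits:
        raise NoMatchError(flt)
    if len(hits) > 1:
        raise AmbiguousMatchError(f"{flt} matched {len(hits)} entries")
    return hits[0]
```

Running `resolve_single_entry(login_filter("uid;mail", "Bob"))` against the constructed directory raises AmbiguousMatchError, the same outcome the page prescribes when more than one entry matches; `certificate_filter("uid=${subjectcn}", ...)` is rejected before any search because the attribute name's case is wrong.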
- Require SSL communications
Specify whether secure socket communication is enabled to the LDAP server.
When enabled, the SSL settings for LDAP are used, if specified.
- Centrally managed
Specify that the selection of an SSL configuration is based upon the outbound topology view for the Java Naming and Directory Interface (JNDI) platform.
Centrally managed configurations support one location to maintain SSL configurations, rather than spreading them across the configuration documents.
Default: Enabled Range: Enabled or Disabled
- Use specific SSL alias
Specify the SSL configuration alias to use for LDAP outbound SSL communications.
This option overrides the centrally managed configuration for the JNDI platform.
Related tasks
Configure a property extension repository in a federated repository configuration
Manage the realm in a federated repository configuration
Configure LDAP in a federated repository configuration