Set LDAP in a federated repository configuration

Follow this topic to configure LDAP settings in a federated repository configuration. We have chosen among various ways to configure LDAP:

At this point, we are viewing the LDAP repository configuration page of the admin console.


  1. Enter a unique identifier for the repository in the Repository identifier field. This identifier uniquely identifies the repository within the cell... LDAP1.

  2. Select the type of LDAP server used from the Directory type list. The type of LDAP server determines the default filters that are used by WAS.

    IBM Tivoli Directory Server users can choose either IBM Tivoli Directory Server or SecureWay as the directory type. Use the IBM Tivoli Directory Server directory type for better performance. For a list of supported LDAP servers, see Use specific directory servers as the LDAP server.

  3. Enter the fully qualified host name of the primary LDAP server in the Primary host name field. We can enter either the IP address or the DNS name.

  4. Enter the server port of the LDAP directory in the Port field.

    The host name and the port number represent the realm for this LDAP server in a mixed version nodes cell. If servers in different cells are communicating with each other using LTPA tokens, these realms must match exactly in all the cells.

    The default value is 389, which is not an SSL connection. Use port 636 for an SSL connection. For some LDAP servers, we can specify a different port for a non-SSL or SSL connection. If we do not know the port to use, contact the LDAP server administrator.

    If multiple WASs are installed and configured to run in the same single sign-on domain, or if WAS interoperates with a previous version of WAS, then it is important that the port number match all configurations. For example, if the LDAP port is explicitly specified as 389 in a V5.x or 6.0.x configuration, and WAS at V6.1 is going to interoperate with the V5.x or 6.0.x server, then verify that port 389 is specified explicitly for the V6.1 server.

  5. Enter the host name of the failover LDAP server in the Failover host name field. We can specify a secondary directory server to be used in the event that the primary directory server becomes unavailable. After switching to a secondary directory server, LDAP repository attempts to reconnect to the primary directory server every 15 minutes.

  6. Enter the port of the failover LDAP server in the Port field and click Add. The default value is 389, which is not an SSL connection. Use port 636 for an SSL connection. For some LDAP servers, we can specify a different port for a non-SSL or SSL connection. If we do not know the port to use, contact the LDAP server administrator.

  7. Select the type of referral.

    A referral is an entity used to redirect a client request to another LDAP server. A referral contains the names and locations of other objects. It is sent by the server to indicate that the information that the client requested can be found at another location, possibly at another server or several servers. The default value is ignore.


    ignore

    Referrals are ignored.

    follow

    Referrals are followed automatically.

  8. Enter the bind DN name in the Bind distinguished name field, for example, cn=root. The bind DN is required if anonymous binds are not possible on the LDAP server to obtain user and group information or for write operations. In most cases, bind DN and bind password are needed. However, when anonymous bind can satisfy all of the required functions, bind DN and bind password are not needed. If the LDAP server is set up to use anonymous binds, leave this field blank. If a name is not specified, the application server binds anonymously.

    To create LDAP queries or to browse, an LDAP client must bind to the LDAP server using the distinguished name (DN) of an account that has the authority to search and read the values of LDAP attributes, such as user and group information. The LDAP administrator ensures that read access privileges are set for the bind DN. Read access privileges allow access to the subtree of the base DN and ensure that searches of user and group information are successful.

    The directory server provides an operational attribute in each directory entry (for example, the IBM Directory Server uses ibm-entryUuid as the operational attribute). The value of this attribute is a universally unique identifier (UUID), which is chosen automatically by the directory server when the entry is added, and is expected to be unique: no other entry with the same or different name would have this same value. Directory clients may use this attribute to distinguish objects identified by a distinguished name or to locate an object after renaming. Verify the bind credentials have the authority to read this attribute.

  9. Enter the password that corresponds to the bind DN in the Bind password field.

  10. Enter the property names to use to log into WAS in the Login properties field. This field takes multiple login properties, delimited by a semicolon (;). For example, uid;mail.

    All login properties are searched during login. If multiple entries or no entries are found, an exception is thrown. For example, if we specify the login properties as uid;mail and the login ID as Bob, the search filter searches for uid=Bob or mail=Bob. When the search returns a single entry, then authentication can proceed. Otherwise, an exception is thrown.

  11. Select the certificate map mode in the Certificate mapping field. Use the X.509 certificates for user authentication when LDAP is selected as the repository. The Certificate mapping field is used to indicate whether to map the X.509 certificates into an LDAP directory user by EXACT_DN or CERTIFICATE_FILTER. If EXACT_DN is selected, the DN in the certificate must exactly match the user entry in the LDAP server, including case and spaces.

  12. If we select CERTIFICATE_FILTER in the Certificate mapping field, specify the LDAP filter for mapping attributes in the client certificate to entries in LDAP.

    If more than one LDAP entry matches the filter spec at run time, authentication fails because the result is an ambiguous match. The syntax or structure of this filter is:

    LDAP attribute=${Client certificate attribute}

    For example, uid=${SubjectCN}. The left side of the filter spec is an LDAP attribute that depends on the schema that the LDAP server is configured to use. The right side of the filter spec is one of the public attributes in the client certificate. The right side must begin with a dollar sign ($) and open bracket ({) and end with a close bracket (}). Use the following certificate attribute values on the right side of the filter specification. The case of the strings is important:

    • ${UniqueKey}

    • ${PublicKey}

    • ${Issuer}

    • ${NotAfter}

    • ${NotBefore}

    • ${SerialNumber}

    • ${SigAlgName}

    • ${SigAlgOID}

    • ${SigAlgParams}

    • ${SubjectCN}

    • ${Version}

  13. Select the Require SSL communications option to use SSL communications with the LDAP server.

    If we select the Require SSL communications option, we can select either the Centrally managed or Use specific SSL alias option.

    Centrally managed

    Enables you to specify an SSL configuration for a particular scope, such as the cell, node, server, or cluster in one location. To use the Centrally managed option, specify the SSL configuration for the particular set of endpoints. The Manage endpoint security configurations and trust zones panel displays all of the inbound and outbound endpoints that use the SSL protocol. If we expand the Inbound or Outbound section of the panel and click the name of a node, we can specify an SSL configuration used for every endpoint on that node. For an LDAP registry, we can override the inherited SSL configuration by specifying an SSL configuration for LDAP. To specify an SSL configuration for LDAP...

    1. Click Security > SSL certificate and key management > Manage endpoint security configurations and trust zones.

    2. Expand Outbound > mycell > Nodes > mynode > Servers > myserver > LDAP.

    Use specific SSL alias

    Select the Use specific SSL alias option if we intend to select one of the SSL configurations in the menu that follows the option. This configuration is used only when SSL is enabled for LDAP. The default is DefaultSSLSettings. To modify or create a new SSL configuration...

    1. Click Security > SSL certificate and key management.

    2. Under Configuration settings, click Manage endpoint security configurations and trust zones > configuration_name.

    3. Under Related items, click SSL configurations.

  14. Click OK.



After completing these steps, the LDAP repository settings are configured.
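
The single-entry rule from steps 10 and 12, modeled as an added Python example (not WebSphere's own code): it builds the login-properties filter, expands a certificate filter spec, and fails unless exactly one entry matches. The in-memory directory, the case-insensitive matching, and the RFC 4515 escaping of the login ID and certificate value are assumptions of this example.

```python
import re

# Right-side certificate variables listed on this page; names are case-sensitive.
CERT_VARS = {"UniqueKey", "PublicKey", "Issuer", "NotAfter", "NotBefore", "SerialNumber",
             "SigAlgName", "SigAlgOID", "SigAlgParams", "SubjectCN", "Version"}

# Constructed sample entries (assumption, not from the page).
DIRECTORY = {
    "uid=bob,ou=people,o=example": {"uid": ["bob"], "mail": ["bob@example.com"], "cn": ["Bob Smith"]},
    "uid=rjones,ou=people,o=example": {"uid": ["rjones"], "mail": ["rj@example.com"], "cn": ["Bob"]},
}

def esc(value):
    """Escape RFC 4515 metacharacters so a login ID or certificate value stays a literal."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def unesc(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def login_filter(login_properties, login_id):
    """'uid;mail' and 'Bob' become (|(uid=Bob)(mail=Bob))."""
    props = [p.strip() for p in login_properties.split(";") if p.strip()]
    return "(|" + "".join("(%s=%s)" % (p, esc(login_id)) for p in props) + ")"

def certificate_filter(spec, cert):
    """Expand a spec such as uid=${SubjectCN} from the certificate's attributes."""
    m = re.fullmatch(r"([A-Za-z][\w.-]*)=\$\{(\w+)\}", spec)
    if not m or m.group(2) not in CERT_VARS:
        raise ValueError("invalid filter spec: %r" % spec)
    return "(%s=%s)" % (m.group(1), esc(cert[m.group(2)]))

def search(flt, directory=DIRECTORY):
    """Toy evaluator for the two shapes above: one equality term or an OR of them."""
    terms = re.findall(r"\(([\w.-]+)=([^()]*)\)", flt)
    def hit(pattern, value):  # an unescaped * is a wildcard, \2a is a literal asterisk
        rx = ".*".join(re.escape(unesc(p)) for p in pattern.split("*"))
        return re.fullmatch(rx, value, re.I) is not None
    return [dn for dn, entry in directory.items()
            if any(hit(v, x) for a, v in terms for x in entry.get(a, []))]

def resolve(flt):
    """Authentication proceeds only when exactly one entry matches."""
    hits = search(flt)
    if len(hits) != 1:
        raise LookupError("%d entries match %s" % (len(hits), flt))
    return hits[0]
```

With these sample entries, the login properties uid;mail resolve Bob to one entry, while uid;cn matches two entries and is rejected, which is the ambiguity a non-unique login property introduces.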


Next steps

Return to the appropriate task to complete the steps for the federated repository configuration:

LDAP repository settings