Standalone LDAP registries


A standalone LDAP registry performs authentication by using an LDAP bind.

WebSphere Application Server (WAS) security provides and supports the implementation of most major LDAP directory servers, which can act as the repository for user and group information. These LDAP servers are called by WAS processes to authenticate a user and for other security-related tasks, for example to retrieve user or group information. This support is provided through different user and group filters that obtain the user and group information. These filters have default values that we can modify to fit our needs. The custom LDAP feature enables us to use any other LDAP server, one that is not in the list of LDAP servers supported by WAS ND, as the user registry by supplying the appropriate filters.

To use LDAP as the user registry, we need to know an admin user name that is defined in the registry, the server host and port, the base distinguished name (DN) and, if necessary, the bind DN and the bind password. We can choose any valid user in the registry that is searchable and has administrative privileges. In some LDAP servers the admin users are not searchable and cannot be used; for example, cn=root in SecureWay. This user is referred to as the WAS security server ID, server ID, or server user ID in the documentation. Being a server ID means that the user has special privileges when calling some protected internal methods. Normally, this ID and password are used to log in to the admin console after security is turned on. Other users can also log in if they are part of the admin roles.

When security is enabled in WAS ND, the primary admin user name and password are authenticated against the registry during WAS startup. If authentication fails, the server does not start. Choose an ID and password that do not expire or change often. If the WAS server user ID or password must change in the registry, make sure that the changes are made while all WAS servers are up and running.

When the changes are done in the registry, use the steps described in Set LDAP user registries: change the ID, password, and other configuration information, save, then stop and restart all the servers so that the new ID or password is used by WAS ND. If any problems occur when starting WAS with security enabled, disable security so that the server can start up. To avoid these problems, make sure that any changes in this panel are validated in the Global security panel. When the server is up, we can change the ID, password, and other configuration information and then enable security.
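As an added illustration (not IBM's code), the following Python stand-in replays the checks described above for the server ID before security is enabled: the bind DN must bind, the server ID must be found exactly once under the base DN through the user filter (so a non-searchable admin such as cn=root in SecureWay fails), and its password must authenticate. It assumes WebSphere's %v placeholder convention in the user filter and uses a constructed in-memory directory in place of a real LDAP server.

```python
import re

# Constructed sample directory (DN -> attributes). "cn=root" can bind but is
# never returned by a search, mirroring the SecureWay case named in the text.
SAMPLE_DIRECTORY = {
    "cn=root": {"userPassword": "rootpw", "searchable": False},
    "uid=wasadmin,ou=people,o=example": {
        "uid": "wasadmin", "objectclass": "inetOrgPerson",
        "userPassword": "S3cret", "searchable": True},
}

def escape_filter_value(value):
    """RFC 4515 escaping so the server ID cannot change the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def fake_bind(dn, password, directory=SAMPLE_DIRECTORY):
    """Stand-in for an LDAP simple bind (assumed; a real check would use ldap3)."""
    entry = directory.get(dn)
    return entry is not None and entry["userPassword"] == password

def fake_search(base_dn, ldap_filter, directory=SAMPLE_DIRECTORY):
    """Toy subtree search: handles (&(attr=value)...) equality filters only."""
    wanted = re.findall(r"\((\w+)=([^()]*)\)", ldap_filter)
    return [dn for dn, attrs in directory.items()
            if attrs["searchable"] and dn.endswith(base_dn)
            and all(attrs.get(a) == v for a, v in wanted)]

def validate_registry(cfg, bind=fake_bind, search=fake_search):
    """Replays the startup checks for the configured server ID. Returns a list
    of problems; an empty list means security could be enabled with these settings."""
    problems = []
    if cfg.get("bind_dn") and not bind(cfg["bind_dn"], cfg["bind_password"]):
        problems.append("bind DN or bind password rejected by the directory")
    # WebSphere user filters use %v as the placeholder for the login name.
    ldap_filter = cfg["user_filter"].replace("%v", escape_filter_value(cfg["server_id"]))
    hits = search(cfg["base_dn"], ldap_filter)
    if len(hits) != 1:
        problems.append("server ID %r matched %d entries; exactly one is required"
                        % (cfg["server_id"], len(hits)))
    elif not bind(hits[0], cfg["server_password"]):
        problems.append("server ID password rejected by the directory")
    return problems

# Constructed configuration matching the sample directory above.
GOOD_CONFIG = {
    "base_dn": "o=example", "bind_dn": "cn=root", "bind_password": "rootpw",
    "user_filter": "(&(uid=%v)(objectclass=inetOrgPerson))",
    "server_id": "wasadmin", "server_password": "S3cret",
}
```

Calling validate_registry(GOOD_CONFIG) returns an empty list, while the same configuration with server_id "root" reports zero matches because the entry is not searchable.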

We can use the custom LDAP feature to support any LDAP server by setting up the correct configuration. However, support is not extended to these custom LDAP servers because many configuration possibilities exist.

The user and group information and the security role mapping are used by the configured authorization engine to make access control decisions.


Subtopics

Dynamic groups and nested group support
Security failover among multiple LDAP servers

Related tasks

Select a registry or repository
Use specific directory servers as the LDAP server
Set LDAP user registries

Related

Standalone LDAP registry settings