Standalone LDAP registry settings



Overview

To configure LDAP settings when users and groups reside in an external LDAP directory.

When security is enabled and any of these properties change, go to the Global security panel and click Apply to validate the changes.


WAS v5.0 and v6.0 server identities

WAS V6.1 distinguishes between the user identities for administrators who manage the environment and server identities for authenticating server to server communications. In most cases, server identities are automatically generated and are not stored in a repository.

However, if we are adding a V5.0.x or 6.0.x node to a V 6.1 cell, verify server identity and password are defined in the repository for this cell.


Standalone LDAP registry settings

Primary administrative user name

Name of a user with admin privileges that is defined in the custom user registry.

The user name is used to log onto the admin console when administrative security is enabled. V6.1 requires an administrative user that is distinct from the server user identity so that administrative actions can be audited.

In WAS, Vs 5.x and 6.0.x, a single user identity is required for both admin access and internal process communication. When migrating to V6.1, this identity is used as the server user identity. we need to specify another user for the administrative user identity.

Automatically generated server identity

Enables the appserver to generate the server identity, which is recommended for environments that contain only V6.1 or later nodes. Automatically generated server identities are not stored in a user repository.

We can change this server identity on the Authentication mechanisms and expiration panel. To access the Authentication mechanisms and expiration panel, click...

Change the value of the Internal server ID field.

Default: Enabled

Server identity that is stored in the repository

User identity in the repository used for internal process communication. Cells that contain V5.x or 6.0.x nodes require a server user identity that is defined in the active user repository.

Default: Enabled

Server user ID or admin user on a V6.0.x node

User ID used to run the appserver for security purposes.

that corresponds to the server ID.

Type of LDAP server

Type of LDAP server to which you connect.

IBM SecureWay Directory Server is not supported.

Host

Specifies the host ID (IP address or DNS name) of the LDAP server.

Port

Specifies the host port of the LDAP server.

If multiple appservers are installed and configured to run in the same single sign-on domain or if the appserver interoperates with a previous version, it is important that the port number match all configurations. For example, if the LDAP port is explicitly specified as 389 in a V4.0.x configuration, and a WAS at V5 is going to interoperate with the V 4.0.x server, verify that port 389 is specified explicitly for the V5 server.

Default: 389
Type: Integer

Base distinguished name (DN)

Base distinguished name (DN) of the directory service, which indicates the starting point for LDAP searches of the directory service. In most cases, bind DN and bind password are needed. However, when anonymous bind can satisfy all of the required functions, bind DN and bind password are not needed.

For example, for a user with a DN of cn=John Doe , ou=Rochester, o=IBM, c=US, specify the Base DN as any of the following options: ou=Rochester, o=IBM, c=US or o=IBM c=US or c=US. For authorization purposes, this field is case sensitive. This specification implies that if a token is received, for example, from another cell or Lotus Domino, the base DN in the server must match the base DN from the other cell or Lotus Domino server exactly. If case sensitivity is not a consideration for authorization, enable the Ignore case for authorization option. This option is required for all LDAP directories, except for the Lotus Domino Directory, IBM Tivoli Directory Server V6.0, and Novell eDirectory, where this field is optional.

If we need to interoperate between the appserver V5 and a V5.0.1 or later server, enter a normalized base DN. A normalized base DN does not contain spaces before or after commas and equal symbols. An example of a non-normalized base DN is o = ibm, c = us or o=ibm, c=us. An example of a normalized base DN is o=ibm,c=us. In WAS, V5.0.1 or later, the normalization occurs automatically during runtime.

Bind distinguished name (DN)

Specifies the DN for the application server to use when binding to the directory service.

If no name is specified, the appserver binds anonymously. See the Base distinguished name (DN) field description for examples of distinguished names.

Bind password

for the appserver to use when binding to the directory service.

Search timeout

Timeout value in seconds for a LDAP server to respond before stopping a request.

Default: 120

Reuse connection

Whether the server reuses the LDAP connection. Clear this option only in rare situations where a router is used to distribute requests to multiple LDAP servers and when the router does not support affinity.

Default: Enabled
Range: Enabled or Disabled

Disable the Reuse connection option causes the appserver to create a new LDAP connection for every LDAP search request. This situation impacts system performance if the environment requires extensive LDAP calls. This option is provided because the router is not sending the request to the same LDAP server. The option is also used when the idle connection timeout value or firewall timeout value between the appserver and LDAP is too small.

If using WebSphere Edge Server for LDAP failover, enable TCP resets with the Edge server. A TCP reset causes the connection to immediately closed and a backup server to failover.

See "Sending TCP resets when server is down" at http://www.ibm.com/software/webservers/appserv/doc/v50/ec/infocenter/edge/LBguide.htm#HDRRESETSERVER and the Edge Server V2 - TCP Reset feature in PTF #2 described in: ftp: //ftp.software.ibm.com/software/websphere/edgeserver/info/doc/v20/en/updates.pdf.

Ignore case for authorization

A case insensitive authorization check is performed when using the default authorization.

This option is required when IBM Tivoli Directory Server is selected as the LDAP directory server.

This option is required when Sun ONE Directory Server is selected as the LDAP directory server.

See "Using specific directory servers as the LDAP server" in the documentation.

This option is optional and can be enabled when a case-sensitive authorization check is required. For example, use this option when the certificates and the certificate contents do not match the case used for the entry in the LDAP server. We can enable the option...

    Ignore case for authorization

...when using SSO between the appserver and Lotus Domino.

Default: Enabled
Range: Enabled or Disabled

SSL enabled

Whether secure socket communication is enabled to the LDAP server.

When enabled, the LDAP SSL settings are used, if specified.

Centrally managed

The selection of an SSL configuration is based upon the outbound topology view for the Java™ Naming and Directory Interface (JNDI) platform.

Centrally managed configurations support one location to maintain SSL configurations rather than spreading them across the configuration documents.

Default: Enabled

Use specific SSL alias

SSL configuration alias to use for LDAP outbound SSL communications.

This option overrides the centrally managed configuration for the JNDI platform.





 

Related tasks

Use specific directory servers as the LDAP server
Set LDAP user registries
Standalone LDAP registry wizard settings