Network Deployment (Distributed operating systems), v8.0 > Secure applications and their environment > Authenticate users > Select a registry or repository
Configure standalone LDAP user registries
- In the admin console, click...
Security | Global security | User account repository | Available realm definitions | Standalone LDAP registry | Configure
- Enter a valid user name in the Primary administrative user name field.
Typically, the user name is the short name of the user and is defined by the user filter in the Advanced LDAP settings panel.
When administrative security is enabled, the user ID and password for administrative functions are authenticated against the registry. If authentication fails, access to the administrative console and wsadmin scripts is denied. Choose an ID and password that do not expire or change often. If the ID or password must be changed in the registry, make the change while all application servers are up and running.
- Optional. Set user identity for internal process communication.
Cells that contain v5.1 or 6.x nodes require a server user identity that is defined in the active user repository. By default, the option...
Automatically generated server identity
...is enabled, and the appserver generates the server identity. However, you can select the Server identity stored in the repository option to specify both the server identity and its associated password.
- Select the type of LDAP server to use from the Type list.
The type of LDAP server determines the default filters that WAS uses. When you modify these default filters, the Type field changes to Custom, which indicates that custom filters are in use; this happens after you click OK or Apply in the Advanced LDAP settings panel. To use another LDAP server, choose the Custom type from the list and modify the user and group filters as required.
Use the IBM Tivoli Directory Server directory type for better performance.
- Enter the fully qualified host name of the LDAP server in the Host field.
We can enter either the IP address or the DNS name.
- Enter the LDAP server port number in the Port field.
The host name and the port number together represent the realm for this LDAP server in the WAS cell. So, if servers in different cells communicate with each other using LTPA tokens, these realms must match exactly in all the cells.
The default value is 389. If multiple WAS installations are configured to run in the same single sign-on domain, or if WAS interoperates with a previous version of WAS, the port number must match in all configurations. For example, if the LDAP port is explicitly specified as 389 in a version 5.x configuration, and a WAS at version 6.0.x is going to interoperate with the version 5.x server, verify that port 389 is specified explicitly for the version 6.0.x server as well.
To change the value of the realm name placed in the token, set custom property...
- Enter the base distinguished name (DN) to set the starting point for LDAP searches. For example, for a user with a DN of...
cn=John Doe, ou=Rochester, o=IBM, c=US
...specify the base DN as any of the following...
- ou=Rochester, o=IBM, c=us
- o=IBM, c=us
- c=us
For authorization purposes, this field is case sensitive by default. Match the case used in your directory server. If a token is received (for example, from another cell or from Lotus Domino), the base DN in this server must match exactly the base DN in the other cell or in Domino. If case sensitivity is not a consideration for authorization, enable the option...
Ignore case for authorization
In WAS, the DN is normalized according to the LDAP specification. Normalization removes the spaces before and after the commas and equal signs in the base DN. Examples of non-normalized base DNs are...
- o = ibm, c = us
- o=ibm, c=us
An example of a normalized base DN is...
o=ibm,c=us
To interoperate between WAS v6.0 and later versions, enter a normalized base DN in the Base DN field. In WAS, v6.0 or later, the normalization occurs automatically during runtime.
This field is required for all LDAP directories except the Lotus Domino Directory.
The Base DN field is optional for the Domino server.
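The base DN rules above (starting point for searches, normalization of spaces around `=` and `,`, case sensitivity unless Ignore case for authorization is set, and the empty base DN allowed for Domino) as an added Python example. This is not IBM code and not what WAS runs internally: the normalizer only trims whitespace, which is all the page describes, and keeps backslash-escaped commas intact but performs no other RFC 4514 canonicalisation. The DNs are the page's own example values.

```python
def split_rdns(dn):
    """Split a DN string into its RDN strings on unescaped commas.

    Simplified RFC 4514 handling: a backslash escapes the next character,
    so 'cn=Doe\\, John' stays one RDN. Returns [] for an empty DN.
    """
    if not dn.strip():
        return []
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    return rdns


def normalize_dn(dn):
    """Remove spaces before and after each '=' and ',' (the normalization
    the page describes). Case is left untouched on purpose; it is handled
    by the ignore_case switch in dn_under_base()."""
    parts = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip()}={value.strip()}")
    return ",".join(parts)


def dn_under_base(user_dn, base_dn, ignore_case=False):
    """True if base_dn is the user's own DN or one of its ancestors, i.e. a
    search rooted at base_dn can find the user.

    An empty base DN (allowed for Lotus Domino) covers every entry.
    With ignore_case=False the comparison is case sensitive, mirroring the
    default authorization behaviour described on the page."""
    u = normalize_dn(user_dn)
    b = normalize_dn(base_dn)
    if ignore_case:
        u, b = u.lower(), b.lower()
    user_rdns, base_rdns = split_rdns(u), split_rdns(b)
    if not base_rdns:
        return True
    if len(base_rdns) > len(user_rdns):
        return False
    # A base DN matches when it equals the trailing RDNs of the user DN.
    return user_rdns[len(user_rdns) - len(base_rdns):] == base_rdns


if __name__ == "__main__":
    user = "cn=John Doe, ou=Rochester, o=IBM, c=US"   # page's example user
    print(normalize_dn("o = ibm, c = us"))            # o=ibm,c=us
    for base in ("ou=Rochester, o=IBM, c=US", "o=IBM, c=US", "c=US",
                 "o=IBM, c=us", "ou=Austin, o=IBM, c=US", ""):
        print(f"{base!r:32} strict={dn_under_base(user, base)!s:5} "
              f"ignore_case={dn_under_base(user, base, ignore_case=True)}")
```

Running it shows that `o=IBM, c=us` fails to cover the example user under the default case-sensitive matching and only succeeds once case is ignored, which is the practical reason the page tells you to match the case of your directory server (or to enable Ignore case for authorization) before tokens from another cell or from Domino are accepted.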
- Optional: Enter the bind DN name in the Bind DN field.
The bind DN is required if anonymous binds are not possible on the LDAP server to obtain user and group information. If the LDAP server is set up to use anonymous binds, leave this field blank. If a name is not specified, the appserver binds anonymously.
- Optional: Enter the password corresponding to the bind DN in the Bind password field.
- Optional: Modify the Search time out value.
This timeout value is the maximum amount of time that the LDAP server waits to send a response to the product client before stopping the request. The default is 120 seconds.
- To specify that the server should reuse the LDAP connection, select...
Reuse connection
Clear this option only in the rare situation where a router sends requests to multiple LDAP servers and the router does not support affinity. Leave it selected in all other situations.
- If you are using IBM Directory Server or Sun ONE Directory Server, the case of the group information used for authorization checks is inconsistent. To remediate, select...
Ignore case for authorization
Otherwise, this option is optional. Enable it when certificates are used for authentication and the certificate contents do not match the case of the entry in the LDAP server.
We can also enable it when using SSO between WAS v8 and Lotus Domino.
- To use SSL communications with the LDAP server...
- Add the LDAP signer certificate to the WAS v8 truststore.
- Select: SSL enabled
If the signer certificate from the LDAP server is not added to the truststore, the dmgr SystemOut.log shows:
CWPKI0022E: SSL HANDSHAKE FAILURE
To avoid this error, extract the signer certificate of the LDAP server to a file and copy that file to the WAS machine. We can then add the certificate to the truststore defined for LDAP. This ensures that the remaining actions in this step succeed.
You can select either of the following:
- Centrally managed: specify the SSL configuration for the particular set of endpoints, overriding the inherited SSL configuration, at...
Security | SSL certificate and key management | Manage endpoint security configurations and trust zones | Outbound | cell_name | Nodes | node_name | Servers | server_name | LDAP
- Use specific SSL alias: select one of the SSL configurations. This configuration is used only when SSL is enabled for LDAP. The default is...
DefaultSSLSettings
We can click the name of an existing configuration to modify it, or create a new SSL configuration at...
Security | SSL certificate and key management | Configuration settings | Manage endpoint security configurations | Scope | SSL_configuration_name | Related items | SSL configurations | New
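A preflight check for the SSL step above, as an added Python example (not IBM code and not part of WAS): before selecting SSL enabled, confirm from the dmgr machine that a TLS handshake with the LDAP endpoint succeeds using the extracted signer certificate, and distinguish the outcomes an administrator otherwise only sees as CWPKI0022E in SystemOut.log. The `cafile` is assumed to be the PEM file the signer certificate was extracted to; `plain_listener()` and `free_port()` are constructed stand-ins (a port that talks plain text instead of TLS, and a port nothing listens on) so the failure branches can be exercised offline.

```python
import socket
import ssl
import threading

# Outcomes worth telling apart before ticking "SSL enabled" for the registry.
OK = "ok"
UNTRUSTED_SIGNER = "untrusted_signer"    # signer missing from the truststore
HANDSHAKE_FAILURE = "handshake_failure"  # e.g. the plain LDAP port answered instead of LDAPS
UNREACHABLE = "unreachable"              # wrong host/port or firewall


def ldap_tls_preflight(host, port, cafile=None, timeout=5.0):
    """Open a TLS connection to host:port and report how the handshake went.

    cafile: PEM file holding the LDAP signer certificate (assumed to be the
    same certificate that has to go into the WAS truststore). With
    cafile=None the platform CA bundle is used, which is usually the wrong
    trust anchor for an internal LDAP signer and reproduces the untrusted
    case the page warns about.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"status": OK,
                        "protocol": tls.version(),
                        "subject": cert.get("subject"),
                        "issuer": cert.get("issuer")}
    except ssl.SSLCertVerificationError as exc:
        # Subclass of ssl.SSLError, so it has to be caught first.
        return {"status": UNTRUSTED_SIGNER, "detail": exc.verify_message}
    except ssl.SSLError as exc:
        return {"status": HANDSHAKE_FAILURE, "detail": str(exc)}
    except OSError as exc:  # ConnectionRefusedError, timeouts, DNS failures
        return {"status": UNREACHABLE, "detail": str(exc)}


def plain_listener():
    """Constructed stand-in for a non-TLS port (for example LDAP on 389 when
    the registry was switched to SSL without changing the port): accepts one
    connection, consumes the ClientHello, answers in plain text and closes.
    Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)
            conn.sendall(b"not TLS\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def free_port():
    """Constructed: a local port with no listener, to show the unreachable case."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    print(ldap_tls_preflight("127.0.0.1", plain_listener()))
    print(ldap_tls_preflight("127.0.0.1", free_port()))
    # Against the real directory, with the extracted signer certificate:
    # print(ldap_tls_preflight("ldap.example.com", 636, cafile="ldap-signer.pem"))
```

A result of `untrusted_signer` is the condition that produces CWPKI0022E once SSL enabled is selected, and means the signer certificate still has to be added to the truststore; `handshake_failure` usually means the port is not speaking TLS at all and should be checked before the truststore is touched.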
- Click OK and either Apply or Save until you return to the Global security panel.
- If you are enabling security, complete the remaining steps.
- Save, stop, and restart the dmgr, nodes and appservers.
If the servers come up without any problems, the setup is correct.
Related
- High Performance Extensible Logging
- Standalone LDAP registry settings
- Standalone LDAP registry wizard settings
- Advanced LDAP user registry settings
- Configure LDAP search filters
- Use specific directory servers as the LDAP server
- Locate user group memberships in a LDAP registry
- Configure multiple LDAP servers for user registry failover
- Test an LDAP server for user registry failover
- Delete LDAP endpoints using wsadmin
- Update LDAP binding information
- Local operating system registries
- Enable security
- Enable security for the realm
- Select a registry or repository
- Security custom properties