Set directory servers as the LDAP server - Standalone registries (WebSphere Application Server Network Deployment v8.0)
Overview
We can use any LDAP server that follows the LDAP specification by setting the directory type to Custom and filling in the required filters.
The default filters for...
- IBM Tivoli Directory Server
- Sun ONE
- Microsoft Active Directory
...define search results that contain all relevant information about a user (user ID, groups, and so on), so WAS does not have to make multiple LDAP server requests.
To use IBM Directory Server, select the option...
Ignore case for authorization
Microsoft AD forests are not supported with the stand-alone LDAP Registry. Forests are supported by the federated repository registry.
Use IBM Tivoli Directory Server as the LDAP server
To use IBM Tivoli Directory Server set directory type to...
IBM Tivoli Directory Server
Group membership lookup, including...
- static
- dynamic
- nested
...is done using the ibm-allGroups attribute. Use a case-insensitive match, because the attribute values returned are all in uppercase.
IBM recommends not installing IBM TDS v6.0 on the same machine as WAS v8.0. IBM TDS v6.0 includes WAS Express v5.1.1, which the directory server uses for its admin console. Install the Web Administration tool v6.0 and WAS Express v5.1.1 on a different machine from WAS v8.0. We cannot use WAS v8.0 as the administrative console for IBM TDS. If IBM TDS v6.0 and WAS v8.0 are installed on the same machine, you might encounter port conflicts. If you do install IBM TDS v6.0 and WAS v8.0 on the same machine...
- During the IBM TDS install, select both...
- Web Administration tool
- WAS Express v5.1.1
- Install v8.0.
- For v8.0, change the port number for the application server.
- For v8.0, set the WebSphere variables WAS_HOME and WAS_INSTALL_ROOT under...
Environment | WebSphere Variables
Use a Lotus Domino Enterprise Server as the LDAP server
If you select Lotus Domino Enterprise Server v6.5.4 or v7.0 and the shortname attribute is not defined in the schema, take either of the following actions:
- Change the schema to add the short name attribute.
- Change the user ID map filter to replace the short name with any other defined attribute (preferably uid). For example, change person:shortname to person:uid.
The user ID map filter is changed to use the uid attribute instead of the shortname attribute because the current version of Lotus Domino does not create the shortname attribute by default. To use the shortname attribute, define the attribute in the schema and keep the user ID map filter as:
User ID Map: person:shortname
Use Sun ONE Directory Server as the LDAP server
Select Sun ONE Directory Server as the directory type for a Sun ONE Directory Server system. In Sun ONE Directory Server, the default object class when you create a group is groupOfUniqueNames. For better performance, WAS uses the User object to locate the user's group membership from the nsRole attribute, so create groups from roles. To search groups through groupOfUniqueNames instead, specify your own filter setting. Roles unify entries and are designed to be more efficient and easier for applications to use: an application can locate the roles of an entry by enumerating all the roles that the entry possesses, rather than selecting a group and browsing through its member list. When using roles, you can create a group using a:
- Managed role
- Filtered role
- Nested role
All of these roles are computable by the nsRole attribute.
Use Microsoft Active Directory as the LDAP server
- Determine the DN and password of an account in the administrators group.
For example, if the Active Directory administrator uses the control panel to create account adadmin in...
Active Directory Users and Computers | Users
...and the DNS domain is...
foo.com
...the resulting DN could be...
cn=adadmin, cn=users, dc=foo, dc=com
- Determine the short name and password of any account in the AD.
- In the WAS console, configure AD...
Security | Global security | User account repository | Standalone LDAP registry | Configure
...setting the following values:
- Primary administrative user name: a user with administrative privileges defined in the registry, used to access the administrative console. Default: wsadmin
- Type: Active Directory
- Host: DNS name of the machine running AD
- Base DN: domain components of the DN of the account. For example: dc=foo, dc=com
- Bind DN: full DN of the admin account determined in the first step above. For example: cn=adadmin, cn=users, dc=foo, dc=com
- Bind password: password of the account chosen in the first step
- Click...
Security | Global security | User account repository | Available realm definitions | Standalone LDAP registry | Configure
and select either...
- Automatically generated server identity
- Server identity stored in the repository
For the latter, enter...
- Server user ID or administrative user on a v6.0.x node: short name of the account chosen in the second step
- Server user password: password of the account chosen in the second step
- To improve performance, set ObjectCategory as the filter in the Group member ID map field. Go to...
Additional properties | Advanced Lightweight Directory Access Protocol (LDAP) user registry settings
...and add...
;objectCategory:group
...to the end of the Group member ID map field.
- By default, Microsoft Active Directory does not permit anonymous LDAP queries. To create LDAP queries or to browse the directory, LDAP clients bind to the server using the DN of an account with authority to search using the memberof attribute. If the default behavior is changed to allow anonymous browsing, change the field...
Group Member ID Map
...from...
memberof:member
...to...
group:member
- Click OK and Save to save the changes to the master configuration.
- Stop and restart the administrative server.
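The DN and ID-map values entered above (the AD bind DN and base DN derived from the DNS domain, the user ID map change for Domino, and the two Group member ID map edits for AD) follow a small fixed syntax, so they can be generated and checked before they are typed into the console. The helpers below are an added example, not WebSphere or IBM code; they assume the `objectclass:attribute` entries separated by `;` shown on this page and use the constructed sample domain `foo.com` and account `adadmin`.

```python
from typing import List, Tuple

Pair = Tuple[str, str]  # (object class, attribute), one entry of an ID map


def domain_to_base_dn(dns_domain: str) -> str:
    """Base DN field: the DNS domain 'foo.com' becomes 'dc=foo,dc=com'."""
    labels = [lbl for lbl in dns_domain.strip().lower().split(".") if lbl]
    if not labels:
        raise ValueError("empty DNS domain")
    return ",".join(f"dc={lbl}" for lbl in labels)


def ad_account_dn(account: str, dns_domain: str, container: str = "cn=users") -> str:
    """Bind DN of an account created under Users in the default AD layout
    (RFC 4514 form, no spaces after the commas)."""
    if not account.strip():
        raise ValueError("empty account name")
    return f"cn={account.strip()},{container},{domain_to_base_dn(dns_domain)}"


def parse_id_map(value: str) -> List[Pair]:
    """Split 'objectclass:attribute;objectclass:attribute' into pairs; an entry
    missing either side is rejected so a typo is caught before it is saved."""
    pairs: List[Pair] = []
    for item in value.split(";"):
        if not item.strip():
            continue
        if item.count(":") != 1:
            raise ValueError(f"malformed ID map entry: {item.strip()!r}")
        oc, attr = (part.strip() for part in item.split(":"))
        if not oc or not attr:
            raise ValueError(f"malformed ID map entry: {item.strip()!r}")
        pairs.append((oc, attr))
    if not pairs:
        raise ValueError("empty ID map")
    return pairs


def format_id_map(pairs: List[Pair]) -> str:
    return ";".join(f"{oc}:{attr}" for oc, attr in pairs)


def _same(a: Pair, b: Pair) -> bool:
    # LDAP class and attribute names are case-insensitive
    return a[0].lower() == b[0].lower() and a[1].lower() == b[1].lower()


def replace_entry(value: str, old: Pair, new: Pair) -> str:
    """Swap one entry: person:shortname -> person:uid, or memberof:member -> group:member."""
    pairs = parse_id_map(value)
    if not any(_same(p, old) for p in pairs):
        raise ValueError(f"{old[0]}:{old[1]} not present in {value!r}")
    return format_id_map([new if _same(p, old) else p for p in pairs])


def append_entry(value: str, new: Pair) -> str:
    """Append an entry once, e.g. add objectCategory:group to the AD group member ID map."""
    pairs = parse_id_map(value)
    return format_id_map(pairs if any(_same(p, new) for p in pairs) else pairs + [new])
```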