Standalone LDAP registry settings
Use this page to configure LDAP settings when users and groups reside in an external LDAP directory.
To view this administrative console page:
- Click Security > Global security.
- Under User account repository, click the Available realm definitions drop-down list, select Standalone LDAP registry, and click Configure.
When security is enabled and any of these properties change, go to the Global security panel and click Apply to validate the changes.
WAS v7 distinguishes between the user identities for administrators who manage the environment and server identities for authenticating server to server communications. In most cases, server identities are automatically generated and are not stored in a repository.
(dist) However, if you are adding a previous version node to the latest version cell and the previous version node used a server identity and password, you must ensure that the server identity and password for the previous version are defined in the repository for this cell. Enter the server user identity and password on this panel.
(zos) Avoid trouble: Any settings related to the System Authorization Facility (SAF) might not be visible on this panel. To modify these settings:
- Go to the panel for SAF by clicking Security > Global security > External authorization providers.
- Select System Authorization Facility (SAF) from the drop-down list under the Authorization provider option.
- Click Configure.
The initial profile creation configures WebSphere Application Server to use a federated repositories security registry option with the file-based registry. This security registry configuration can be changed to use other options, including the stand-alone LDAP registry. Instead of changing from the federated repositories option to the stand-alone LDAP registry option under the User account repository configuration, consider employing the federated repositories option, which provides for LDAP configuration. Federated repositories provide a wide range of capabilities, including the ability to have one or multiple user registries. It supports federating one or more LDAPs in addition to file-based and custom registries. It also has improved failover capabilities, and a robust set of member (user and group) management capabilities. Federated repositories is required when we are using the new member management capabilities in WebSphere Portal 6.1 and above, and Process Server 6.1 and above. The use of federated repositories is required for following LDAP referrals, which is a common requirement in some LDAP server environments (such as Microsoft Active Directory).
IBM recommends that you migrate from stand-alone LDAP registries to federated repositories. If we move to WebSphere Portal 6.1 and above, and/or WebSphere Process Server 6.1 and above, you should migrate to federated repositories prior to these upgrades. For more information about federated repositories and its capabilities, read the Federated repositories topic. For more information about how to migrate to federated repositories, read the Migrating a stand-alone LDAP repository to a federated repositories LDAP repository configuration topic.
Primary administrative user name
Name of a user with administrative privileges defined in the user registry.
The user name is used to log onto the administrative console when administrative security is enabled. Versions 6.1 and later require an administrative user that is distinct from the server user identity so that administrative actions can be audited.
In WebSphere Application Server, Version 6.x, a single user identity is required for both administrative access and internal process communication. When you migrate to Version 8.x, this identity is used as the server user identity. You need to specify another user for the administrative user identity.
(zos) Note: When you configure LDAP as a user registry and SAF is enabled, if the property com.ibm.security.SAF.authorization is set to true, then the Primary administrative user name field is not displayed on the administrative console.
Automatically generated server identity
Enables the application server to generate the server identity, which is recommended for environments containing only Version 6.1 or later nodes. Automatically generated server identities are not stored in a user repository.
Default: Enabled
Server identity stored in the repository
User identity in the repository used for internal process communication. Cells containing Version 6.1 or later nodes require a server user identity defined in the active user repository.
Default: Enabled
Server user ID or administrative user on a Version 6.0.x node
User ID used to run the application server for security purposes.
Password
Password that corresponds to the server ID.
Type of LDAP server
Type of LDAP server to which you connect.
IBM SecureWay Directory Server is not supported.
(zos) IBM SecureWay Directory Server is supported by the application server for z/OS as well as many other LDAP servers.
Host
Host ID (IP address or domain name service (DNS) name) of the LDAP server.
Port
Host port of the LDAP server.
If multiple application servers are installed and configured to run in the same single sign-on domain or if the application server interoperates with a previous version, it is important that the port number match all configurations. For example, if the LDAP port is explicitly specified as 389 in a Version 6.1 and above configuration, and a WAS at Version 8.x is going to interoperate with the Version 6.1 and above server, verify that port 389 is specified explicitly for the Version 8.x server.
Default: 389
Type: Integer
Base distinguished name (DN)
Base distinguished name (DN) of the directory service, which indicates the starting point for LDAP searches of the directory service. In most cases, bind DN and bind password are needed. However, when anonymous bind can satisfy all of the required functions, bind DN and bind password are not needed.
For example, for a user with a DN of cn=John Doe, ou=Rochester, o=IBM, c=US, specify the Base DN as any of the following options: ou=Rochester, o=IBM, c=US or o=IBM, c=US or c=US. For authorization purposes, this field is case sensitive. This specification implies that if a token is received, for example, from another cell or Lotus Domino, the base DN in the server must match the base DN from the other cell or Lotus Domino server exactly. If case sensitivity is not a consideration for authorization, enable the Ignore case for authorization option. This option is required for all LDAP directories, except for the Lotus Domino Directory, IBM Tivoli Directory Server V6.0, and Novell eDirectory, where this field is optional.
Bind distinguished name (DN)
Specifies the DN for the application server to use when binding to the directory service.
If no name is specified, the application server binds anonymously. See the Base distinguished name (DN) field description for examples of distinguished names.
Bind password
Password for the application server to use when binding to the directory service.
Search timeout
Timeout value in seconds for an LDAP server to respond before stopping a request.
Default: 120
Reuse connection
Whether the server reuses the LDAP connection. Clear this option only in rare situations where a router is used to distribute requests to multiple LDAP servers and when the router does not support affinity.
Default: Enabled
Range: Enabled or Disabled
Important: Disabling the Reuse connection option causes the application server to create a new LDAP connection for every LDAP search request. This situation impacts system performance if the environment requires extensive LDAP calls. This option is provided because the router is not sending the request to the same LDAP server. The option is also used when the idle connection timeout value or firewall timeout value between the application server and LDAP is too small.
If we are using WebSphere Edge Server for LDAP failover, enable TCP resets with the Edge server. A TCP reset causes the connection to be closed immediately and a backup server to take over. For more information, see "Sending TCP resets to a down server" at http://pic.dhe.ibm.com/infocenter/wasinfo/v6r1/topic/com.ibm.websphere.edge.doc/pdf/LBguide.pdf and the Edge Server V2 - TCP Reset feature in PTF #2 described in: http://publibfp.dhe.ibm.com/epubs/pdf/i1032540.pdf.
Ignore case for authorization
Specifies that a case insensitive authorization check is performed when using the default authorization.
This option is required when IBM Tivoli Directory Server is selected as the LDAP directory server.
This option is required when Sun ONE Directory Server is selected as the LDAP directory server. For more information, see "Using specific directory servers as the LDAP server" in the documentation.
This option is optional and can be enabled when a case-sensitive authorization check is required. For example, use this option when the certificates and the certificate contents do not match the case used for the entry in the LDAP server. We can enable the Ignore case for authorization option when using SSO between the application server and Lotus Domino.
Default: Enabled
Range: Enabled or Disabled
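The Base DN and Ignore case for authorization descriptions above both hinge on how a user DN is matched against the configured base DN: attribute types are compared case-insensitively, but values are compared exactly unless the ignore-case option is on. The following is an added example, not code from the WebSphere documentation or product; it uses a simplified RFC 4514 split (backslash-escaped commas only, no multi-valued RDNs) and the page's own John Doe DN to show which base DNs match and why a token carrying a differently cased base DN is rejected unless case is ignored.

```python
"""Added illustration of Base DN matching for LDAP authorization.
Not WebSphere code; a simplified DN parser for this example only."""


def parse_dn(dn):
    """Split a DN into [(attribute_type, value), ...] in left-to-right order.
    Handles backslash-escaped commas inside values; attribute types are
    lower-cased because LDAP attribute names are never case sensitive."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:                 # char after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":             # unescaped comma ends the RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    parsed = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        parsed.append((attr.strip().lower(), value.strip()))
    return parsed


def _normalize(rdns, ignore_case):
    # Values are folded only when the ignore-case option is enabled.
    return [(a, v.lower() if ignore_case else v) for a, v in rdns]


def under_base_dn(user_dn, base_dn, ignore_case=False):
    """True if user_dn ends with base_dn (i.e. lies in that subtree)."""
    user = _normalize(parse_dn(user_dn), ignore_case)
    base = _normalize(parse_dn(base_dn), ignore_case)
    if len(base) > len(user):
        return False
    return user[len(user) - len(base):] == base


if __name__ == "__main__":
    user = "cn=John Doe, ou=Rochester, o=IBM, c=US"   # DN from the page
    for base in ("ou=Rochester, o=IBM, c=US", "o=IBM, c=US", "c=US"):
        print(base, "->", under_base_dn(user, base))               # all True
    # A token from another cell whose base DN differs only in case:
    print(under_base_dn(user, "o=ibm, c=us"))                       # False
    print(under_base_dn(user, "o=ibm, c=us", ignore_case=True))     # True
```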
SSL enabled
Whether secure socket communication is enabled to the LDAP server.
When enabled, the LDAP SSL settings are used, if specified.
Centrally managed
The selection of an SSL configuration is based upon the outbound topology view for the Java Naming and Directory Interface (JNDI) platform.
Centrally managed configurations support one location to maintain SSL configurations rather than spreading them across the configuration documents.
Default: Enabled
Use specific SSL alias
SSL configuration alias to use for LDAP outbound SSL communications.
This option overrides the centrally managed configuration for the JNDI platform.
Related concepts
Federated repositories
Related tasks
Use specific directory servers as the LDAP server
Migrate a stand-alone LDAP repository to a federated repositories LDAP repository configuration
Standalone LDAP registry wizard settings