Use specific directory servers as the LDAP server
This article describes the directory servers that WebSphere Application Server supports as LDAP servers. Other directory servers can be used by selecting the custom directory type in the list and supplying the filters that the directory requires.
To improve LDAP search performance, the default filters for IBM Tivoli Directory Server (TDS), Sun ONE, and Active Directory return results that already contain all relevant information about the user (user ID, group memberships, and so on), so WAS does not have to query the LDAP server several times for one user.
If you use IBM TDS, select the Ignore case for authorization option. It is required because group names obtained from the attributes of the user object do not have the same case as group names obtained by reading the group entries directly; without a case-insensitive comparison, an authorization check can fail to match a group that the user belongs to. Verify that the option is selected whenever authorization depends on group membership.
To use IBM TDS (formerly IBM Directory Server), select IBM Tivoli Directory Server as the directory type.
The IBM Tivoli Directory Server type differs from the older IBM Directory Server type in how group membership is looked up; IBM recommends the IBM Tivoli Directory Server type for optimum run-time performance. In IBM TDS, group membership is an operational attribute: a membership lookup enumerates the ibm-allGroups attribute of the user entry, which returns all of the user's group memberships, including static, dynamic, and nested groups, in a single read.
WAS supports dynamic, nested, and static groups in IBM TDS through the ibm-allGroups attribute. The values that ibm-allGroups returns are all uppercase, so an authorization check that uses them must compare group names case-insensitively (select the Ignore case for authorization option).
It is recommended that you do not install IBM TDS v6.0 on the same machine as WAS v8.5. IBM TDS v6.0 bundles WebSphere Application Server Express v5.1.1, which the directory server uses for its dmgr console. Install the Web Administration tool v6.0 and WAS Express v5.1.1, which are both bundled with IBM TDS v6.0, on a different machine from WAS v8.5. WAS v8.5 cannot be used as the dmgr console for IBM TDS. If IBM TDS v6.0 and WAS v8.5 are installed on the same machine, you might encounter port conflicts.
If you do install IBM TDS v6.0 and WAS v8.5 on the same machine, consider the following:
- During the IBM TDS installation, select both the Web Administration tool and WAS Express v5.1.1.
- Install WAS v8.5.
- When you install WAS v8.5, change the application server port numbers so that they do not conflict with the ports used by WAS Express v5.1.1.
- Because two WAS installations are present, you might need to adjust the WAS_HOME and WAS_INSTALL_ROOT (or APP_SERVER_ROOT on IBM i) environment variables on WAS v8.5. To change them in the dmgr console, click Environment > WebSphere Variables.
- Use a Lotus Domino Enterprise Server as the LDAP server
If you select Lotus Domino Enterprise Server v6.5.4 or v7.0 and the shortname attribute is not defined in the schema, take either of the following actions:
- Change the schema to add the shortname attribute.
- Change the user ID map filter to replace shortname with another defined attribute, preferably uid. For example, change person:shortname to person:uid.
The user ID map filter uses the uid attribute instead of the shortname attribute because the current version of Lotus Domino does not create the shortname attribute by default. To use the shortname attribute, define it in the schema and set the user ID map filter to:
User ID Map: person:shortname
- Use Sun ONE Directory Server as the LDAP server
Select Sun ONE Directory Server for a Sun ONE Directory Server system. In Sun ONE Directory Server, the default object class when you create a group is groupOfUniqueNames. For better performance, WAS locates a user's group memberships from the nsRole attribute of the user object rather than from the group entries, so create groups as roles. To search groups by the groupOfUniqueNames object class instead, specify your own filter settings.
Roles group entries and are designed to be more efficient and easier for applications to use: an application can find the roles of an entry by enumerating the roles that the entry possesses, rather than selecting a group and browsing through its member list. When using roles, you can create a group as a:
- Managed role
- Filtered role
- Nested role
All of these role types are computed from the nsRole attribute.
- Use Microsoft Active Directory server as the LDAP server
To use Microsoft Active Directory as the LDAP server for authentication with WAS, you must take specific steps. By default, Microsoft Active Directory does not permit anonymous LDAP queries. To run LDAP queries or browse the directory, an LDAP client must bind to the LDAP server with the distinguished name (DN) of an account that has the authority to search and read the LDAP attributes, such as user and group information, that the Application Server needs. A group membership search in Active Directory enumerates the memberOf attribute of the user entry rather than browsing the member list of each group. To browse each group instead, change the Group member ID map field from memberof:member to group:member.
Microsoft Active Directory forests are not supported with the stand-alone LDAP Registry. The Federated Repository Registry, when configured to use an Active Directory LDAP does support the use of forests.
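The two lookup strategies contrasted on this page (reading a membership attribute from the user entry, as with ibm-allGroups in IBM TDS or memberOf in Active Directory, versus searching group entries for the user's DN, as with group:member), together with the case mismatch that makes the Ignore case for authorization option necessary with IBM TDS, as an added Python example over a small constructed directory. This is not WAS or IBM code; the entry DNs, attribute names and the uppercase ibm-allGroups values are assumptions chosen to match the text.

```python
# Added example (not code from WAS or IBM): the two group-membership lookup
# strategies described on this page, run over a small constructed directory.
from typing import Dict, List

# Constructed sample directory: DN -> attributes. Attribute names are lower-cased
# because LDAP attribute types are case-insensitive. The ibm-allGroups values are
# deliberately upper-cased, as the text says IBM TDS returns them, and already
# include the nested group "staff". The memberOf attribute (Active Directory
# style) lists direct memberships only. Groups carry both the AD class "group"
# and the TDS class "groupOfNames" so one entry serves both filter styles.
ALICE = "uid=alice,ou=people,dc=example,dc=com"
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    ALICE: {
        "objectclass": ["top", "person", "inetOrgPerson"],
        "uid": ["alice"],
        "memberof": ["cn=admins,ou=groups,dc=example,dc=com"],
        "ibm-allgroups": [
            "CN=ADMINS,OU=GROUPS,DC=EXAMPLE,DC=COM",
            "CN=STAFF,OU=GROUPS,DC=EXAMPLE,DC=COM",
        ],
    },
    "cn=admins,ou=groups,dc=example,dc=com": {
        "objectclass": ["top", "group", "groupOfNames"],
        "cn": ["admins"],
        "member": [ALICE],
    },
    "cn=staff,ou=groups,dc=example,dc=com": {
        "objectclass": ["top", "group", "groupOfNames"],
        "cn": ["staff"],
        # nested: the admins group is itself a member of staff
        "member": ["cn=admins,ou=groups,dc=example,dc=com"],
    },
}


def normalize_dn(dn: str) -> str:
    """Case-fold each RDN and drop whitespace around the separators, so that
    'CN=ADMINS, OU=GROUPS' and 'cn=admins,ou=groups' compare equal.
    Escaped commas inside values are not handled; the sample DNs have none."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def groups_from_user_attribute(user_dn: str, attribute: str) -> List[str]:
    """memberof:member / ibm-allGroups:member style: one read of the user entry
    returns the group DNs exactly as the directory stores them."""
    return list(DIRECTORY[user_dn].get(attribute.lower(), []))


def groups_by_searching_members(member_dn: str, member_attr: str = "member",
                                group_class: str = "group",
                                nested: bool = True) -> List[str]:
    """group:member style: scan every entry of group_class for member_attr equal
    to member_dn. Each nesting level costs another pass over all groups."""
    found: List[str] = []
    frontier = [member_dn]
    expanded = set()
    while frontier:
        key = normalize_dn(frontier.pop())
        if key in expanded:
            continue
        expanded.add(key)
        for group_dn, attrs in DIRECTORY.items():
            if group_class.lower() not in (c.lower() for c in attrs["objectclass"]):
                continue
            if any(normalize_dn(m) == key for m in attrs.get(member_attr, [])):
                if group_dn not in found:
                    found.append(group_dn)
                if nested:
                    frontier.append(group_dn)
    return found


def is_member(user_dn: str, required_group_dn: str,
              group_member_id_map: str, ignore_case: bool) -> bool:
    """Authorization check: required_group_dn is what the administrator typed in
    the role mapping; the registry returns whatever the directory gives back.
    group_member_id_map uses the WAS 'objectclass-or-attribute:member-attribute'
    form, e.g. 'memberof:member', 'ibm-allGroups:member' or 'group:member'."""
    attr, _, member_attr = group_member_id_map.partition(":")
    if attr.lower() in ("memberof", "ibm-allgroups"):
        groups = groups_from_user_attribute(user_dn, attr)
    else:
        groups = groups_by_searching_members(user_dn, member_attr, group_class=attr)
    if ignore_case:
        return normalize_dn(required_group_dn) in {normalize_dn(g) for g in groups}
    return required_group_dn in groups


if __name__ == "__main__":
    admins = "cn=admins,ou=groups,dc=example,dc=com"
    for id_map in ("memberof:member", "ibm-allGroups:member", "group:member"):
        for ignore in (False, True):
            print(id_map, "ignore_case=%s" % ignore,
                  "alice in admins:", is_member(ALICE, admins, id_map, ignore))
```

Without the case-insensitive comparison the check against the ibm-allGroups result fails even though alice is in admins; with it, a single read of the user entry also yields the nested staff membership that the group:member search only finds by scanning the groups a second time, and that memberOf never reports.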
Set up Microsoft Active Directory as the LDAP server.
- Determine the full distinguished name (DN) and password of the account that WAS will bind with. The example here uses an account in the administrators group, but the Application Server needs only search and read access to user and group attributes, so prefer a dedicated read-only bind account where your directory policy allows it; the bind DN and password are stored in the WAS configuration. For example, if the Active Directory administrator creates the account in the Users folder of the Active Directory Users and Computers control panel and the DNS domain is ibm.com, the resulting DN has the following structure:
cn=<adminUsername>, cn=users, dc=ibm, dc=com
- Determine the short name and password of any account in the Microsoft Active Directory.
- Use the dmgr console to set up the information needed to use Microsoft Active Directory.
- Click...
Security > Global security > User account repository > Standalone LDAP registry > Configure
- Set up LDAP with Active Directory as the type of LDAP server. Based on the information determined in the previous steps, specify the following values on the LDAP settings panel:
Primary administrative user name: Name of a user with administrative privileges defined in the registry. This user name is used to access the dmgr console or used by wsadmin.
Type: Active Directory
Host: Domain Name System (DNS) name of the machine that is running Microsoft Active Directory.
Base distinguished name (DN): Domain components of the DN of the account chosen in the first step. For example: dc=ibm, dc=com
Bind distinguished name (DN): Full distinguished name of the account chosen in the first step. For example: cn=adminUsername, cn=users, dc=ibm, dc=com
Bind password: Password of the account chosen in the first step.
- Click OK and Save to save the changes to the master configuration.
- Click...
Security > Global security > User account repository > Available realm definitions > drop-down list > Standalone LDAP registry > Configure
- Select either the Automatically generated server identity or Server identity stored in the repository option. If you select the Server identity stored in the repository option, enter the following information:
Server user ID or administrative user on a v6.0.x node: Short name of the account chosen in the second step.
Server user password: Password of the account chosen in the second step.
- Optional: Set objectCategory as the filter in the Group member ID map field to improve LDAP performance.
- Under Additional properties, click Advanced Lightweight Directory Access Protocol (LDAP) user registry settings.
- Add ;objectCategory:group to the end of the Group member ID map field.
- Click OK and Save to save the changes to the master configuration.
- Stop and restart the administrative server so the changes take effect.
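The console procedure above as a wsadmin Jython script, added here as an example; it is not from the page or from IBM. The host name, DNs, account names and password are placeholders, and the AdminTask command and parameter names are taken from the WAS v8.5 command reference as the author recalls it, so confirm them in your environment with AdminTask.help('configureAdminLDAPUserRegistry') before running the script.

```jython
# Added example (not from the page or IBM): the dmgr console steps above as a
# wsadmin Jython script. Run with:  wsadmin.sh -lang jython -f configure_ad_ldap.py
# All values below are placeholders (assumptions); check parameter names with
# AdminTask.help('configureAdminLDAPUserRegistry').

ldap_host     = 'dc01.ibm.com'                         # DNS name of a domain controller (assumed)
base_dn       = 'dc=ibm,dc=com'                        # domain components of the bind DN
bind_dn       = 'cn=wasbind,cn=users,dc=ibm,dc=com'    # account from the first step (assumed name)
bind_pw       = 'CHANGE-ME'                            # placeholder; do not keep real passwords in scripts
primary_admin = 'wasadmin'                             # short name of the account from the second step

registry_args = '[' + ' '.join([
    '-ldapServerType ACTIVE_DIRECTORY',
    '-ldapHost %s -ldapPort 389' % ldap_host,
    '-baseDN "%s" -bindDN "%s" -bindPassword "%s"' % (base_dn, bind_dn, bind_pw),
    # "Automatically generated server identity" plus the primary administrative user name
    '-autoGenerateServerId true -primaryAdminId %s' % primary_admin,
    # memberof:member reads group membership from the user entry (the Active
    # Directory default); ;objectCategory:group is the optional performance
    # filter from the last step of the procedure.
    '-groupMemberIdMap "memberof:member;objectCategory:group"',
    '-searchTimeout 300 -reuseConnection true',
]) + ']'
AdminTask.configureAdminLDAPUserRegistry(registry_args)

# Make the standalone LDAP registry the active user registry and save the change
# to the master configuration (the console equivalent of OK and Save).
AdminTask.setAdminActiveSecuritySettings('[-activeUserRegistry LDAPUserRegistry]')
AdminConfig.save()
print('Standalone LDAP registry configured; restart the server for the change to take effect.')
```

Enabling global security itself is outside this page; the script only configures and activates the registry, and, as with the console procedure, the server must be restarted for the change to take effect.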
Related concepts:
Standalone LDAP registries
Configure LDAP user registries
Locating user group memberships in a LDAP registry
Advanced LDAP user registry settings
Standalone LDAP registry settings