WAS v8.5 > Secure applications > Authenticate users > Select a registry or repository > Configure LDAP user registries

Update LDAP binding information

Use this information to dynamically update security LDAP binding information by switching to a different binding identity. We can dynamically update LDAP binding information without first stopping and restarting WebSphere Application Server using the wsadmin tool.

The resetLdapBindInfo method in SecurityAdmin MBean is used to dynamically update LDAP binding information at WAS security runtime, and it takes the bind distinguished name (DN) and bind password parameters as input. The resetLdapBindInfo method validates the bind information against the LDAP server. If validation passes, new binding information is stored in security.xml, and a copy of the information is placed in WAS security runtime.

If the new binding information is null, null, the resetLdapBindInfo method first extracts LDAP binding information, including bind DN, bind password, and target binding host from WAS security configuration in security.xml. It then pushes the binding information to WAS security runtime.

There are two ways to dynamically update WAS security LDAP binding information using the SecurityAdmin MBean through wsadmin:

• Switching to a different binding identity
• Switching to a failover LDAP host

Switching to a different binding identity

About this task

To dynamically update security LDAP binding information by switching to a different binding identity:

Procedure

1. In the dmgr console, click Security > Global security.

2. Under User account repository, click the Available realm definitions drop-down list, select Standalone LDAP registry, and click Configure.

3. Create a new bind DN. It must have the same access authority as the current bind DN.

4. Run the SecurityAdmin MBean across all of the application server processes to validate the new binding information, to save it to security.xml, and to push the new binding information to the runtime.

Example

The following is a sample Jacl file for step 4:

proc LDAPReBind {args} {
  global AdminConfig AdminControl ldapBindDn ldapBindPassword 
  set ldapBindDn [lindex $args 0]
  set ldapBindPassword [lindex $args 1]        
       set secMBeans [$AdminControl queryNames type=SecurityAdmin,*]
       set plist  [list $ldapBindDn $ldapBindPassword]        
       foreach secMBean $secMBeans {
             set result [$AdminControl invoke $secMBean resetLdapBindInfo $plist] 
       } 
 }

Switching to a failover LDAP host

About this task

To dynamically update security LDAP binding information by switching to a failover LDAP host:

Procedure

1. In the dmgr console, click Security > Global security.

2. Under User account repository, select Standalone LDAP registry and click Configure.

3. Change the password for bind DN on one LDAP server (it can be the primary or the backup).
4. Update the new bind DN password to WebSphere Application security runtime by calling resetLdapBindInfo with the bind DN and using its new password as a parameter.

5. Use the new bind DN password for all of the other LDAP servers. The binding information is now consistent across WAS and the LDAP servers.

   If you call resetLdapBindInfo with null, null as input parameters, WAS security runtime completes the following steps:

   1. Reads the bind DN, bind password, and target LDAP hosts from security.xml.
   2. Refreshes the cached connection to the LDAP server.

   If you configure security to use multiple LDAP servers, this MBean call forces WAS security to reconnect to the first available LDAP host in the list. For example, if three LDAP servers are configured in the order of L1, L2, and L3, the reconnection process always starts with the L1 server.

   When LDAP failover is configured by associating a single hostname to multiple IP addresses, entering an invalid password can cause multiple LDAP bind retries. With the default settings, the number of LDAP bind retries is equal to one more than the number of associated IP addresses. This means a single invalid login attempt can cause the LDAP account to be locked. If the com.ibm.websphere.security.registry.ldap.singleLDAP custom property is set to false, LDAP bind calls are not retried.

   When LDAP failover is configured by registering backend LDAP server hostnames using wsadmin command, set the com.ibm.websphere.security.ldap.retryBind property to false.

   Federated repository does not support failover by associating a single hostname to multiple IP addresses. This feature is only available in stand-alone LDAP.

Related

Configure LDAP user registries

+

Search Tips   |   Advanced Search