Configure an LDAP user registry with the Liberty profile (WAS v8.5)
Overview
To use an existing LDAP server for application authentication on the Liberty profile, edit server.xml and...
- Add the feature appSecurity-1.0
- Specify LDAP server connection info.
For the exact syntax, see the sample LDAP configuration file shipped with the install:
${wlp.install.dir}/templates/config/ldapRegistry.xml
Configure LDAP user registry
- Add the appSecurity-1.0 Liberty feature to server.xml.
- Optional: Add the ssl-1.0 Liberty feature in server.xml.
- Optional: Copy the truststore to the server configuration directory: ${server.config.dir}
For SSL communication with an LDAP server to succeed, the signer certificate of the LDAP server must be added to the truststore referenced by the sslAlias attribute of the <ldapRegistry> element.
In the following examples, the LDAP server signer certificate has already been added to LdapSSLTrustStore.jks.
- Configure the LDAP entry for the server.
If you do not want SSL for the LDAP server, remove all SSL and keystore-related lines from the following examples.
You configure the LDAP server either directly in server.xml or with the WebSphere Application Server Developer Tools for Eclipse.
- For IBM Directory Server:
  <ldapRegistry id="ldap" realm="SampleLdapIDSRealm"
      host="ldapserver.mycity.mycompany.com" port="389" ignoreCase="true"
      baseDN="o=mycompany,c=us"
      userFilter="(&amp;(uid=%v)(objectclass=ePerson))"
      groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))"
      userIdMap="*:uid"
      groupIdMap="*:cn"
      groupMemberIdMap="mycompany-allGroups:member;mycompany-allGroups:uniqueMember;groupOfNames:member;groupOfUniqueNames:uniqueMember"
      ldapType="IBM Tivoli Directory Server"
      sslEnabled="true"
      sslRef="LDAPSSLSettings">
  </ldapRegistry>
  <sslDefault sslRef="LDAPSSLSettings" />
  <ssl id="LDAPSSLSettings" keyStoreRef="LDAPKeyStore" trustStoreRef="LDAPTrustStore" />
  <!-- the id attributes must match the keyStoreRef and trustStoreRef values of the ssl element -->
  <keyStore id="LDAPKeyStore" location="${server.config.dir}/LdapSSLKeyStore.jks" type="JKS" password="{xor}CDo9Hgw=" />
  <keyStore id="LDAPTrustStore" location="${server.config.dir}/LdapSSLTrustStore.jks" type="JKS" password="{xor}CDo9Hgw=" />
- For Microsoft Active Directory Server:
  <ldapRegistry id="ldap" realm="SampleLdapADRealm"
      host="ldapserver.mycity.mycompany.com" port="389" ignoreCase="true"
      baseDN="cn=users,dc=adtest,dc=mycity,dc=mycompany,dc=com"
      bindDN="cn=testuser,cn=users,dc=adtest,dc=mycity,dc=mycompany,dc=com"
      bindPassword="testuserpwd"
      userFilter="(&amp;(sAMAccountName=%v)(objectcategory=user))"
      groupFilter="(&amp;(cn=%v)(objectcategory=group))"
      userIdMap="user:sAMAccountName"
      groupIdMap="*:cn"
      groupMemberIdMap="memberof:member"
      ldapType="Microsoft Active Directory"
      sslEnabled="true"
      sslRef="LDAPSSLSettings">
  </ldapRegistry>
  <sslDefault sslRef="LDAPSSLSettings" />
  <ssl id="LDAPSSLSettings" keyStoreRef="LDAPKeyStore" trustStoreRef="LDAPTrustStore" />
  <!-- the id attributes must match the keyStoreRef and trustStoreRef values of the ssl element -->
  <keyStore id="LDAPKeyStore" location="${server.config.dir}/LdapSSLKeyStore.jks" type="JKS" password="{xor}CDo9Hgw=" />
  <keyStore id="LDAPTrustStore" location="${server.config.dir}/LdapSSLTrustStore.jks" type="JKS" password="{xor}CDo9Hgw=" />
Note that the ampersand in an LDAP filter must be written as &amp; inside an XML attribute; a bare & makes server.xml unparseable. If you use the WebSphere Application Server Developer Tools for Eclipse, the bindPassword value is encoded for you automatically. If you edit server.xml directly, use the securityUtility encode command to encode the bindPassword value. The securityUtility command-line tool is in the $INSTALL_ROOT/bin directory. When you run securityUtility encode, either supply the password to encode as a command-line argument or, if no argument is given, let the tool prompt you for it. The tool prints the encoded value; copy that output and use it as the bindPassword value.
- Optional: Configure certificate filter mode for the LDAP server.
  <ldapRegistry id="ldap" realm="SampleLdapIDSRealm"
      host="myldap.ibm.com" port="389" ignoreCase="true"
      baseDN="o=ibm,c=us"
      certificateMapMode="CERTIFICATE_FILTER"
      certificateFilter="uid=${SubjectCN}"
      userFilter="(&amp;(uid=%v)(objectclass=ePerson))"
      groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))"
      userIdMap="*:uid"
      groupIdMap="*:cn"
      groupMemberIdMap="ibm-allGroups:member;ibm-allGroups:uniqueMember;groupOfNames:member;groupOfUniqueNames:uniqueMember"
      ldapType="IBM Tivoli Directory Server"
      searchTimeout="8m" />
- Optional: Configure failover for multiple LDAP servers.
  <ldapRegistry id="ldap" realm="SampleLdapIDSRealm"
      host="ldapserver1.mycity.mycompany.com" port="389" ignoreCase="true"
      baseDN="o=ibm,c=us"
      ldapType="IBM Tivoli Directory Server"
      idsFilters="ibm_dir_server">
    <failoverServers name="failoverLdapServersGroup1">
      <server host="ldapserver2.mycity.mycompany.com" port="389" />
      <server host="ldapserver3.mycity.mycompany.com" port="389" />
    </failoverServers>
    <failoverServers name="failoverLdapServersGroup2">
      <server host="ldapserver4.mycity.mycompany.com" port="389" />
    </failoverServers>
  </ldapRegistry>
  <!-- the id must match the idsFilters value of the ldapRegistry element -->
  <idsLdapFilterProperties id="ibm_dir_server"
      userFilter="(&amp;(uid=%v)(objectclass=ePerson))"
      groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))"
      userIdMap="*:uid"
      groupIdMap="*:cn"
      groupMemberIdMap="ibm-allGroups:member;ibm-allGroups:uniqueMember;groupOfNames:member;groupOfUniqueNames:uniqueMember">
  </idsLdapFilterProperties>
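As an added example that is not part of the IBM documentation, the following Python script checks a server.xml fragment for the configuration mistakes the examples above invite (an sslRef, keyStoreRef, trustStoreRef or idsFilters value that matches no element id, sslEnabled without sslRef, and a bindPassword left in plaintext) and reproduces the {xor} encoding that securityUtility encode emits, which is reversible obfuscation rather than encryption, so server.xml must be protected by file permissions regardless. The sample XML and the names lint_registry and xor_encode are constructed for this example.

```python
import base64
import xml.etree.ElementTree as ET

# Liberty's {xor} encoding (what "securityUtility encode" emits): XOR each byte
# with 0x5F, then base64. XOR is its own inverse, so this is reversible
# obfuscation, not encryption; server.xml must still be protected by file permissions.
XOR_KEY = 0x5F

def xor_encode(plain: str) -> str:
    raw = bytes(b ^ XOR_KEY for b in plain.encode("utf-8"))
    return "{xor}" + base64.b64encode(raw).decode("ascii")

# Reference attributes and the element whose id they must resolve to.
REFS = {"sslRef": "ssl", "keyStoreRef": "keyStore",
        "trustStoreRef": "keyStore", "idsFilters": "idsLdapFilterProperties"}

def lint_registry(server_xml: str) -> list:
    """Dangling references, sslEnabled without sslRef, plaintext bindPassword."""
    root = ET.fromstring(server_xml)
    ids = {(el.tag, el.get("id")) for el in root.iter() if el.get("id")}
    findings = []
    for el in root.iter():
        for attr, target in REFS.items():
            ref = el.get(attr)
            if ref and (target, ref) not in ids:
                findings.append(f"<{el.tag}> {attr}={ref!r}: no <{target}> with that id")
        if el.tag == "ldapRegistry":
            if el.get("sslEnabled") == "true" and not el.get("sslRef"):
                findings.append('<ldapRegistry> sslEnabled="true" without sslRef')
            pw = el.get("bindPassword")
            if pw and not pw.startswith("{"):  # encoded values carry a {xor} style prefix
                findings.append("<ldapRegistry> bindPassword is plaintext: run securityUtility encode")
    return findings

# Constructed sample modelled on the Active Directory example above, with two
# deliberate defects: the first keyStore has no id and bindPassword is plaintext.
SAMPLE = """<server>
  <ldapRegistry id="ldap" realm="SampleLdapADRealm" host="ldapserver.mycity.mycompany.com"
      port="389" baseDN="cn=users,dc=adtest,dc=mycity,dc=mycompany,dc=com"
      bindDN="cn=testuser,cn=users,dc=adtest,dc=mycity,dc=mycompany,dc=com" bindPassword="testuserpwd"
      userFilter="(&amp;(sAMAccountName=%v)(objectcategory=user))"
      ldapType="Microsoft Active Directory" sslEnabled="true" sslRef="LDAPSSLSettings"/>
  <ssl id="LDAPSSLSettings" keyStoreRef="LDAPKeyStore" trustStoreRef="LDAPTrustStore"/>
  <keyStore location="${server.config.dir}/LdapSSLKeyStore.jks" type="JKS" password="{xor}CDo9Hgw="/>
  <keyStore id="LDAPTrustStore" location="${server.config.dir}/LdapSSLTrustStore.jks" type="JKS" password="{xor}CDo9Hgw="/>
</server>"""

if __name__ == "__main__":
    for finding in lint_registry(SAMPLE):
        print(finding)
```

Running the script on SAMPLE reports the missing keyStore id and the plaintext bindPassword; adding id="LDAPKeyStore" and replacing the password with the xor_encode output clears both findings.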
See also
Liberty profile: LDAP certificate map mode
The certificate map mode specifies whether X.509 certificates are mapped into an LDAP directory by EXACT_DN or by CERTIFICATE_FILTER in the Liberty profile.
Parent topic: Configure a user registry for the Liberty profile
Related concepts:
Liberty profile: Authentication
Standalone Lightweight Directory Access Protocol registries
Reference:
Liberty profile: securityUtility command