+

Search Tips   |   Advanced Search

Use specific directory servers as the LDAP server


Overview

Microsoft Active Directory forests are not supported with the stand-alone LDAP Registry. The Federated Repository Registry, when configured to use an Active Directory LDAP does support the use of forests.

It is expected that other LDAP servers follow the LDAP specification. Support is limited to these specific directory servers only. Use any other directory server using the custom directory type in the list and by filling in the filters required for that directory.

To improve performance for LDAP searches, the default filters for IBM Security Directory Server, Sun ONE, and Active Directory are defined such that when you search for a user, the result contains all the relevant information about the user (user ID, groups, and so on). As a result, the product does not call the LDAP server multiple times. This definition is possible only in these directory types, which support searches where the complete user information is obtained.

If we use the IBM Directory Server, select the Ignore case for authorization option. This option is required because when the group information is obtained from the user object attributes, the case is not the same as when we get the group information directly. For the authorization to work in this case, perform a case insensitive check and verify the requirement for the Ignore case for authorization option.

Support for groups that contain other groups or nested groups depends upon the specific versions of WAS and LDAP. See Dynamic groups and nested group support for LDAP.


Use IBM Security Directory Server as the LDAP server

To use IBM Security Directory Server, formerly IBM Directory Server, select IBM Security Directory Server as the directory type.

We can select either the IBM Security Directory Server or SecureWay directory type for the IBM Directory Server.

The difference between these two types is group membership lookup. IBM recommends choosing the IBM Security Directory Server for optimum performance during runtime. In the IBM Security Directory Server, the group membership is an operational attribute. With this attribute, a group membership lookup is done by enumerating the ibm-allGroups attribute for the entry. All group memberships, including the static groups, dynamic groups, and nested groups, can be returned with the ibm-allGroups attribute.

WAS supports dynamic groups, nested groups, and static groups in IBM Security Directory Server using the ibm-allGroups attribute. To utilize this attribute in a security authorization application, use a case-insensitive match so that attribute values returned by the ibm-allGroups attribute are all in uppercase.

IBM recommends that we do not install IBM Security Directory Server v6.0 on the same machine that we install v9.0. We cannot use v9.0 as the administrative console for IBM Security Directory Server. If IBM Security Directory Server v6.0 and v9.0 are installed on the same machine, we might encounter port conflicts.

If install IBM Security Directory Server v6.0 and v9.0 on the same machine, consider the following information:


Use a Lotus Domino Enterprise Server as the LDAP server

If we select the Lotus Domino Enterprise Server v6.5.4 or v7.0 and the attribute short name is not defined in the schema, we can take either of the following actions:

The userID map filter is changed to use the uid attribute instead of the shortname attribute as the current version of Lotus Domino does not create the shortname attribute by default. To use the shortname attribute, define the attribute in the schema and change the userID map filter.

User ID Map : person:shortname


Use Sun ONE Directory Server as the LDAP server

We can select Sun ONE Directory Server for our Sun ONE Directory Server system. In Sun ONE Directory Server, the object class is the default groupOfUniqueName when we create a group. For better performance, WAS uses the User object to locate the user group membership from the nsRole attribute. Create the group from the role. To use the groupOfUniqueName attribute to search groups, specify our own filter setting. Roles unify entries. Roles are designed to be more efficient and easier to use for applications. For example, an application can locate the role of an entry by enumerating all the roles that are possessed by a given entry, rather than selecting a group and browsing through the members list. When using roles, we can create a group using a:

All of these roles are computable by the nsRole attribute.


Use Microsoft Active Directory server as the LDAP server

By default, Microsoft Active Directory does not permit anonymous LDAP queries. To create LDAP queries or to browse the directory, an LDAP client must bind to the LDAP server using the distinguished name (DN) of an account that has the authority to search and read the values of LDAP attributes, such as user and group information, needed by the Application Server. A group membership search in the Active Directory is done by enumerating the memberof attribute for a given user entry, rather than browsing through the member list in each group. If we change the default behavior to browse each group, we can change the Group Member ID Map field from memberof:member to group:member.

  1. Determine the full distinguished name (DN) and password of an account in the administrators group.

    For example, if the Active Directory administrator creates an account in the Users folder of the Active Directory Users and Computers Windows control panel and the DNS domain is ibm.com, the resulting DN has the following structure:

      cn=<adminUsername>, cn=users, dc=ibm, dc=com

  2. Determine the short name and password of any account in the Microsoft Active Directory.

  3. Use the WAS administrative console to set up the information needed to use Microsoft Active Directory.

    1. Click...

        Security | Global security | User account repository | Standalone LDAP registry | Configure

    2. Set up LDAP with Active Directory as the type of LDAP server.

      Based on the information determined in the previous steps, we can specify the following values on the LDAP settings panel:

      Primary administrative user name

      Name of a user with administrative privileges defined in the registry. This user name is used to access the administrative console or used by wsadmin.

      Type

      Specify Active Directory

      Host

      Domain name service (DNS) name of the machine running Microsoft Active Directory.

      Base distinguished name (DN)

      Domain components of the DN of the account that is chosen in the first step. For example: dc=ibm, dc=com

      Bind distinguished name (DN)

      Full distinguished name of the account that is chosen in the first step. For example: cn=adminUsername, cn=users, dc=ibm, dc=com

      Bind password

      Password of the account that is chosen in the first step.

    3. Click OK and Save to save the changes to the master configuration.

  4. Click Security > Global security.

  5. Under User account repository, click the Available realm definitions drop-down list, select Standalone LDAP registry, and click Configure.

  6. Select either the Automatically generated server identity or Server identity stored in the repository option. If we select the Server identity stored in the repository option, enter the following information:

    Server user ID or administrative user on a v6.0.x node

    Specify the short name of the account that is chosen in the second step.

    Server user password

    Password of the account that is chosen in the second step.

  7. Optional: Set ObjectCategory as the filter in the Group member ID map field to improve LDAP performance.

    1. Under Additional properties, click Advanced LDAP user registry settings .

    2. Add ;objectCategory:group to the end of the Group member ID map field.

  8. Click OK and Save to save the changes to the master configuration.

  9. Stop and restart the administrative server so that the changes take effect.


Related:

  • Standalone LDAP registries
  • Configure LDAP user registries
  • Locating user group memberships in a LDAP registry
  • Advanced LDAP user registry settings
  • Standalone LDAP registry settings