Lightweight Directory Access Protocol settings

Use this page to configure Lightweight Directory Access Protocol (LDAP) settings when users and groups reside in an external LDAP directory. To view this administrative console page, complete the following steps:

  1. Click Security > Global security.

  2. Under User registries, click LDAP.

When security is enabled and any of these properties change, go to the Global security panel and click Apply to validate the changes.

Configuration tab

Server user ID

The user ID under which WebSphere Application Server runs for security purposes, for example when it authenticates to other servers.

This ID does not need to be the LDAP administrator user ID, but it must be a valid entry in the LDAP directory located under the base distinguished name, because the server authenticates it against the directory like any other user.

Server user password

The password that corresponds to the server user ID.

Type

The type of LDAP server to which you connect.

IBM SecureWay Directory Server is not supported.

Host

The host name (DNS name) or IP address of the LDAP server.

Port

The port on which the LDAP server listens. If several WebSphere Application Server installations run in the same single sign-on domain, or if this server interoperates with a previous version of WebSphere Application Server, the port number must match across all of those configurations. For example, if a Version 4.0.x configuration explicitly specifies LDAP port 389 and a Version 5 server is to interoperate with it, specify port 389 explicitly for the Version 5 server as well.

Default: 389

Base distinguished name (DN)

The base distinguished name of the directory service, which is the starting point for LDAP searches of the directory service.

For example, for a user with the distinguished name (DN) cn=John Doe, ou=Rochester, o=IBM, c=US, you can specify the base DN as ou=Rochester, o=IBM, c=us (this assumes a directory suffix of c=us). For authorization purposes, this field is case sensitive: if a token is received from another cell or from a Lotus Domino server, the base DN configured here must match the base DN of that other cell or Domino server exactly. If case sensitivity is not a consideration for authorization, enable the Ignore case for authorization option. The base DN is required for all Lightweight Directory Access Protocol (LDAP) directories except the Lotus Domino Directory, where it is optional.

If WebSphere Application Server Version 5 must interoperate with a Version 5.0.1 or later server, enter a normalized base distinguished name. A normalized base DN contains no spaces before or after the commas and equal signs. Examples of non-normalized base DNs are o = ibm, c = us and o=ibm, c=us; the normalized form is o=ibm,c=us. In WebSphere Application Server Version 5.0.1 or later, normalization occurs automatically at run time.
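The following Python script is an added example and is not code from the WebSphere documentation or product. It implements the two rules described above, DN normalization (no whitespace around commas and equal signs) and exact versus case-insensitive DN comparison (the Ignore case for authorization behaviour), and adds a pre-flight check that a server user ID or bind DN actually sits under the configured base DN. The DN parser is simplified: it honours backslash-escaped separators but not hex escapes or quoted values, and lower-casing attribute types is an assumption made here, not something the page states.

```python
# Added example, not part of the WebSphere documentation: normalize LDAP
# distinguished names the way the page describes (no spaces around ',' and
# '=') and compare them with or without the "Ignore case" behaviour.
# The parsing is deliberately simplified: it honours backslash-escaped
# separators but not hex escapes or quoted values (an assumption for brevity).
from __future__ import annotations


def _split_unescaped(text: str, sep: str) -> list[str]:
    """Split text on sep, treating a backslash-escaped sep as literal."""
    parts: list[str] = []
    current: list[str] = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            # Keep the escape and the escaped character together.
            current.append(ch)
            current.append(text[i + 1])
            i += 2
            continue
        if ch == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def normalize_dn(dn: str) -> str:
    """Return dn with whitespace removed around every ',' '+' and '='.

    Attribute types (cn, ou, o, c) are lower-cased (assumption: LDAP treats
    them as case-insensitive); attribute values keep their case so that the
    caller decides whether case matters (see dns_match).
    """
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = []
        for ava in _split_unescaped(rdn, "+"):
            attr_type, _, value = ava.partition("=")
            avas.append(f"{attr_type.strip().lower()}={value.strip()}")
        rdns.append("+".join(avas))
    return ",".join(rdns)


def dns_match(a: str, b: str, ignore_case: bool = False) -> bool:
    """Compare two DNs after normalization.

    ignore_case=False is the exact match the page requires when tokens
    arrive from another cell or Domino server; ignore_case=True mirrors
    the "Ignore case for authorization" option.
    """
    na, nb = normalize_dn(a), normalize_dn(b)
    if ignore_case:
        return na.casefold() == nb.casefold()
    return na == nb


def is_under_base(dn: str, base_dn: str, ignore_case: bool = False) -> bool:
    """True if dn equals base_dn or lies below it in the tree.

    A pre-flight check that the server user ID and bind DN actually sit
    under the configured base DN. Comparison is done on RDN lists so that
    a base of o=ibm,c=us does not match xo=ibm,c=us by string suffix.
    """
    dn_rdns = _split_unescaped(normalize_dn(dn), ",")
    base_rdns = _split_unescaped(normalize_dn(base_dn), ",")
    if ignore_case:
        dn_rdns = [r.casefold() for r in dn_rdns]
        base_rdns = [r.casefold() for r in base_rdns]
    if len(base_rdns) > len(dn_rdns):
        return False
    return dn_rdns[len(dn_rdns) - len(base_rdns):] == base_rdns


if __name__ == "__main__":
    # Constructed sample values, taken from the page's own examples.
    user_dn = "cn=John Doe, ou=Rochester, o=IBM, c=US"
    base = "ou=Rochester, o=IBM, c=us"
    print(normalize_dn("o = ibm, c = us"))
    print(dns_match(base, "ou=Rochester,o=IBM,c=US"))
    print(dns_match(base, "ou=Rochester,o=IBM,c=US", ignore_case=True))
    print(is_under_base(user_dn, base, ignore_case=True))
```

Note that the page's own example mixes c=US in the user DN with c=us in the base DN; with Ignore case disabled those two do not match, which is exactly the kind of mismatch that causes authorization failures when tokens come from another cell.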

Bind distinguished name (DN)

The distinguished name that the application server uses when binding to the directory service.

If no name is specified, the application server binds anonymously; the directory must then permit anonymous searches of the user and group entries under the base DN. See the Base distinguished name field description for examples of distinguished names.

Bind password

The password for the application server to use when binding to the directory service.

Search timeout

The time in seconds to wait for the Lightweight Directory Access Protocol (LDAP) server to respond before the request is abandoned.

Default: 120

Reuse connection

Whether the server reuses the Lightweight Directory Access Protocol (LDAP) connection across requests. Clear this option only in the rare case where a router distributes requests to multiple LDAP servers and the router does not support affinity.

Default: Enabled
Range: Enabled or Disabled

Important: Disabling the Reuse connection option causes WebSphere Application Server to open a new LDAP connection for every LDAP search request, which degrades performance in environments that make extensive LDAP calls. The option exists for routers that do not send successive requests to the same LDAP server, and for cases where the idle connection timeout or firewall timeout between WebSphere Application Server and the LDAP server is too small for a reused connection to survive.

If you are using WebSphere Edge Server for LDAP failover, enable TCP resets on the Edge server. A TCP reset closes the connection immediately and causes a failover to the backup server. For more information, see "Sending TCP resets when server is down" at http://www-3.ibm.com/software/webservers/appserv/doc/v50/ec/infocenter/edge/LBguide.htm#HDRRESETSERVER and the Edge Server V2 - TCP Reset feature in PTF #2 described in ftp://ftp.software.ibm.com/software/websphere/edgeserver/info/doc/v20/en/updates.pdf.

Ignore case for authorization

Specifies that a case-insensitive authorization check is performed when the default authorization is used.

This option is required when IBM Tivoli Directory Server is selected as the LDAP directory server.

This option is required when Sun ONE Directory Server is selected as the LDAP directory server. For more information, see "Using specific directory servers as the LDAP server" in the documentation.

Otherwise, this option is optional; enable it when a case-insensitive authorization check is required, for example when the contents of client certificates do not match the case used for the corresponding entry in the LDAP server. You can also enable Ignore case when using single sign-on (SSO) between WebSphere Application Server and Lotus Domino. Note that with this option enabled, two directory entries whose names differ only in case satisfy the same authorization check, so enable it only when the directory does not rely on case to distinguish entries.

Default: Enabled
Range: Enabled or Disabled

SSL enabled

Whether Secure Sockets Layer (SSL) communication to the Lightweight Directory Access Protocol (LDAP) server is enabled. When enabled, the LDAP SSL settings are used, if specified, and the Port field must specify the port on which the LDAP server accepts SSL connections (commonly 636 rather than the default 389).

SSL configuration

The Secure Sockets Layer configuration to use for the Lightweight Directory Access Protocol (LDAP) connection. This configuration is used only when SSL is enabled for LDAP. The trust store of the selected configuration must contain the signer certificate for the LDAP server's certificate; otherwise the SSL handshake fails and no LDAP searches succeed.

Default: DefaultSSLSettings

Related tasks

Using specific directory servers as the LDAP server

Configuring Lightweight Directory Access Protocol user registries