Using specific directory servers as the LDAP server

This topic describes considerations for using particular directory server products for WebSphere security.

Using OS/400 Directory Services as the LDAP server

OS/400 Directory Services is included in the base operating system beginning in OS/400 V5R1, and option 32 is no longer available, beginning with OS/400 V5R2. Directory Services is part of the IBM Directory Server family of products and services and is sometimes referred to as Directory Server (formerly SecureWay Directory) for iSeries.

If your LDAP server resides on a system with OS/400 V5R1 installed, select SecureWay as the directory type. For OS/400 V5R2 or V5R3, select either SecureWay or IBM Tivoli Directory Server as the directory type.

Note: If you select IBM Tivoli Directory Server as the LDAP directory type and your LDAP server resides on a system with OS/400 V5R2 installed, you may need to upgrade to LDAP 4.1. With LDAP 4.1, Directory Services is programmed to use the new group membership attributes to improve the performance of group membership searches. For information regarding the PTFs that are required for LDAP 4.1, see iSeries Directory Services (LDAP): New V5R2 Enhancements. (http://www.ibm.com/servers/eserver/iseries/ldap/whatsnew41.htm)

Note: Support for groups that contain other groups (nested groups) depends on specific versions of WebSphere Application Server and LDAP. For more information, see Dynamic groups and nested group support.

Using IBM Tivoli Directory Server as the LDAP server

To use IBM Tivoli Directory Server (formerly IBM Directory Server), choose IBM Tivoli Directory Server as the directory type.

For supported directory servers, refer to the article, Supported directory services. The difference between these two types is group membership lookup. IBM recommends that you choose the IBM Tivoli Directory Server for optimum performance during run time. In the IBM Tivoli Directory Server, the group membership is an operational attribute. With this attribute, a group membership lookup is done by enumerating the ibm-allGroups attribute for the entry. All group memberships, including static groups, dynamic groups, and nested groups, can be returned with the ibm-allGroups attribute. WebSphere Application Server supports dynamic groups, nested groups, and static groups in IBM Tivoli Directory Server using the ibm-allGroups attribute. To use this attribute in a security authorization application, use a case-insensitive match, because the attribute values returned by the ibm-allGroups attribute are all in uppercase.

Important: IBM recommends that you do not install IBM Tivoli Directory Server Version 5.2 on the same machine on which you install WebSphere Application Server Version 6.0.x. IBM Tivoli Directory Server Version 5.2 includes WebSphere Application Server Express Version 6.0.x, which the directory server uses for its administrative console. Install the Web Administration tool Version 5.2 and WebSphere Application Server Express Version 6.0.x, which are both bundled with IBM Tivoli Directory Server Version 5.2, on a different machine from WebSphere Application Server Version 6.0.x. You cannot use WebSphere Application Server Version 6.0.x as the administrative console for IBM Tivoli Directory Server. If IBM Tivoli Directory Server Version 5.2 and WebSphere Application Server Version 6.0.x are installed on the same machine, you might encounter port conflicts.

If you install IBM Tivoli Directory Server Version 5.2 and WebSphere Application Server Version 6.0.x on the same machine, consider the following information:

Using a Lotus Domino Enterprise Server as the LDAP server

If you choose the Lotus Domino Enterprise Server Version 6.0.3 or Version 6.5.1 and the attribute short name is not defined in the schema, you can take either of the following actions:

The user ID map filter is changed to use the uid attribute instead of the shortname attribute, because the current version of Lotus Domino does not create the shortname attribute by default. If you want to use the shortname attribute, define the attribute in the schema and change the user ID map filter to the following value:

User ID Map: person:shortname

Using Sun ONE Directory Server as the LDAP server

You can choose Sun ONE Directory Server for your Sun ONE Directory Server system. For supported directory servers, refer to the article, Supported directory services. In Sun ONE Directory Server, the default object class is groupOfUniqueNames when you create a group. For better performance, WebSphere Application Server uses the user object to locate the user's group membership from the nsRole attribute. Thus, create the group from the role. If you want to use groupOfUniqueNames to search groups, specify your own filter setting. Roles unify entries. Roles are designed to be more efficient and easier for applications to use. For example, an application can locate the roles of an entry by enumerating all the roles that the entry possesses, rather than selecting a group and browsing through its member list. When using roles, you can create a group using a:

All of these roles can be computed from the nsRole attribute.
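The two membership lookups described above (ibm-allGroups on IBM Tivoli Directory Server, nsRole on Sun ONE Directory Server) both return group DNs that must be compared case-insensitively. The following added example is not part of the WebSphere documentation; the sample entries and group names are constructed, and the DN normalization handles only the simple, unescaped DNs shown on this page.

```python
# Added example (not from the WebSphere documentation): case-insensitive matching of
# group DNs returned by an operational membership attribute such as ibm-allGroups
# (IBM Tivoli Directory Server) or nsRole (Sun ONE Directory Server).
from typing import Dict, List

# Directory type -> operational attribute that the page says WebSphere reads for membership.
MEMBERSHIP_ATTRIBUTE = {
    "IBM Tivoli Directory Server": "ibm-allGroups",
    "Sun ONE Directory Server": "nsRole",
}

def normalize_dn(dn: str) -> str:
    """Canonical form for DN comparison: lowercase attribute types and values and
    strip spaces around RDN separators. Escaped commas inside values are not handled."""
    rdns = []
    for rdn in dn.split(","):
        attr_type, _, value = rdn.partition("=")
        rdns.append(f"{attr_type.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)

def groups_of(entry: Dict[str, List[str]], directory_type: str) -> List[str]:
    """Normalized group DNs from the entry's membership attribute.
    LDAP attribute names are themselves case-insensitive, so match them that way too."""
    wanted = MEMBERSHIP_ATTRIBUTE[directory_type].lower()
    for name, values in entry.items():
        if name.lower() == wanted:
            return [normalize_dn(v) for v in values]
    return []

def is_member(entry: Dict[str, List[str]], directory_type: str, group_dn: str) -> bool:
    """True when group_dn names one of the entry's groups, ignoring case and spacing."""
    return normalize_dn(group_dn) in groups_of(entry, directory_type)

# Constructed sample entries. ibm-allGroups values come back in uppercase, as the text notes.
SAMPLE_TDS_ENTRY = {
    "uid": ["jdoe"],
    "ibm-allGroups": ["CN=ADMINS,O=IBM,C=US", "CN=DEVELOPERS,O=IBM,C=US"],
}
SAMPLE_SUN_ENTRY = {
    "uid": ["jdoe"],
    "nsRole": ["cn=managedrole,ou=people,dc=example,dc=com"],
}

if __name__ == "__main__":
    # An exact string comparison misses the group; the normalized comparison finds it.
    print("cn=admins,o=ibm,c=us" in SAMPLE_TDS_ENTRY["ibm-allGroups"])
    print(is_member(SAMPLE_TDS_ENTRY, "IBM Tivoli Directory Server", "cn=admins, o=ibm, c=us"))
```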

Using Microsoft Active Directory server as the LDAP server

To set up Microsoft Active Directory as your LDAP server, complete the following steps.

  1. Determine the full distinguished name (DN) and password of an account in the administrators group. For example, if the Active Directory administrator creates an account in the Users folder of the Active Directory Users and Computers Windows control panel and the DNS domain is ibm.com, the resulting DN has the following structure:

    cn=<adminUsername>, cn=users, dc=ibm, dc=com

  2. Determine the short name and password of any account in the Microsoft Active Directory. This password does not have to be the same account that is used in the previous step.

  3. Use the WebSphere Application Server administrative console to set up the information needed to use Microsoft Active Directory.

    1. Click Security > Global security.

    2. Under Authentication, click Authentication mechanisms > LDAP.

    3. Set up LDAP with Active Directory as the directory type. Based on the information determined in the previous steps, specify the following values on the LDAP settings panel:

      Server user ID

      Specify the short name of the account that was chosen in the second step.

      Server user password

      Specify the password of the account that was chosen in the second step.

      Type

      Specify Active Directory.

      Host

      Specify the domain name service (DNS) name of the machine that is running Microsoft Active Directory.

      Base distinguished name (DN)

      Specify the domain components of the DN of the account that was chosen in the first step. For example: dc=ibm, dc=com

      Bind distinguished name (DN)

      Specify the full distinguished name of the account that was chosen in the first step. For example: cn=<adminUsername>, cn=users, dc=ibm, dc=com

      Bind password

      Specify the password of the account that was chosen in the first step.

    4. Click OK to save the changes.

    5. Stop and restart the administrative server so that the changes take effect.

  4. Optional: Set ObjectCategory as the filter in the Group member ID map field to improve LDAP performance.

    1. Under Additional properties, click Advanced Lightweight Directory Access Protocol (LDAP) user registry settings.

    2. Add ;objectCategory:group to the end of the Group member ID map field.

    3. Click OK to save the changes.

    4. Stop and restart the administrative server so that the changes take effect.
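The values entered in steps 3 and 4 are all derived from the DN structure and DNS domain found in steps 1 and 2. The following added example (not part of the WebSphere documentation) computes those panel values; the account names, host name and the Group member ID map value passed in are constructed placeholders, and passwords are deliberately left out of the returned settings.

```python
# Added example (not from the WebSphere documentation): derive the Active Directory
# LDAP settings panel values from the facts gathered in steps 1 and 2.
from typing import Dict

def dns_domain_to_base_dn(dns_domain: str) -> str:
    """ibm.com -> dc=ibm,dc=com (one dc= component per DNS label, trailing dot allowed)."""
    labels = [l for l in dns_domain.strip().strip(".").lower().split(".") if l]
    if not labels:
        raise ValueError("empty DNS domain")
    return ",".join(f"dc={label}" for label in labels)

def domain_components(dn: str) -> str:
    """Base DN field: keep only the dc= RDNs of the full account DN from step 1."""
    rdns = [r.strip() for r in dn.split(",")]
    dcs = [r for r in rdns if r.lower().startswith("dc=")]
    if not dcs:
        raise ValueError(f"no domain components in {dn!r}")
    return ",".join(dcs)

def with_object_category(group_member_id_map: str) -> str:
    """Step 4: append ;objectCategory:group exactly once (safe to run repeatedly)."""
    parts = [p.strip() for p in group_member_id_map.split(";") if p.strip()]
    if not any(p.lower() == "objectcategory:group" for p in parts):
        parts.append("objectCategory:group")
    return ";".join(parts)

def active_directory_settings(dns_domain: str, admin_username: str, server_user_id: str,
                              host: str, group_member_id_map: str) -> Dict[str, str]:
    """Panel values keyed by the field names used in step 3 (passwords intentionally omitted).
    group_member_id_map is whatever the panel currently shows; its default is not on this page."""
    bind_dn = f"cn={admin_username},cn=users,{dns_domain_to_base_dn(dns_domain)}"
    return {
        "Server user ID": server_user_id,
        "Type": "Active Directory",
        "Host": host,
        "Base distinguished name (DN)": domain_components(bind_dn),
        "Bind distinguished name (DN)": bind_dn,
        "Group member ID map": with_object_category(group_member_id_map),
    }

if __name__ == "__main__":
    # Constructed placeholder values; replace with the account and host found in steps 1 and 2.
    for field, value in active_directory_settings(
            "ibm.com", "wasadmin", "wasbind", "ad01.ibm.com", "memberOf:member").items():
        print(f"{field}: {value}")
```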
