
For up-to-date product documentation, see the IBM MobileFirst Foundation Developer Center.


Configure administration security with LDAP

Configure the MobileFirst administration security with an external LDAP registry

The configuration process includes the following steps:


Procedure

LDAP repository

  1. Create users and groups in the LDAP repository. For groups, authorization is enforced based on user membership.

Registry file

  1. Open registry.xml and find the basicRegistry element. Replace the basicRegistry element with code that is similar to the following snippet:

      <ldapRegistry id="ldap"
      host="1.234.567.8910" port="1234" ignoreCase="true"
      baseDN="dc=worklight,dc=com"
      ldapType="Custom"
      sslEnabled="false"
      bindDN="uid=admin,ou=system"
      bindPassword="secret">
      <customFilters userFilter="(&amp;(uid=%v)(objectclass=inetOrgPerson))"
      groupFilter="(&amp;(member=uid=%v)(objectclass=groupOfNames))"
      userIdMap="*:uid"
      groupIdMap="*:cn"
      groupMemberIdMap="groupOfNames:member"/>
      </ldapRegistry>

    Table 1. Descriptions of the ldapRegistry entries

    host and port: Host name (IP address) and port number of your local LDAP server.
    baseDN: The base distinguished name (DN) in LDAP that captures all details about a specific organization.
    bindDN="uid=admin,ou=system": Binding details of the LDAP server. For example, the default value for an Apache Directory Service is uid=admin,ou=system.
    bindPassword="secret": Binding password for the LDAP server. For example, the default value for an Apache Directory Service is secret.
    customFilters (userFilter, groupFilter, userIdMap, groupIdMap, groupMemberIdMap): The custom filters that are used for querying the directory service (such as Apache) during authentication and authorization.

  2. Ensure that the appSecurity-2.0 and ldapRegistry-3.0 features are enabled in the featureManager element:

      <featureManager>
      <feature>appSecurity-2.0</feature>
      <feature>ldapRegistry-3.0</feature>
      </featureManager>

    For details about configuring various LDAP server repositories, see the WebSphere® Application Server Liberty Knowledge Center.

    After you complete the registry.xml changes, configure a secure gateway to connect to the local LDAP server.

Secure gateway

To configure a secure gateway connection to your LDAP server, create an instance of the Secure Gateway service on Bluemix and then obtain the IP information for the LDAP registry. You need your local LDAP host name and port number for this task.

  1. Log on to Bluemix and navigate to Catalog, Category > Integration, and then click Secure Gateway.
  2. Under Add Service, select an app and then click CREATE. The service is now bound to your app.
  3. Go to the Bluemix dashboard for the app, click the Secure Gateway service instance, and then click ADD GATEWAY.
  4. Name the gateway, click ADD DESTINATIONS, and enter the name, IP address, and port for your local LDAP server.
  5. Follow the prompts to complete the connection. To see the destination initialized, navigate to the Destination screen of the LDAP gateway service.
  6. To obtain the host and port information that you need, click the Information icon on the LDAP gateway service instance (located on the Secure Gateway dashboard). The details displayed are an alias for your local LDAP server.
  7. Capture the Destination ID and Cloud Host : Port values. Go to the registry.xml file and add these values, replacing any existing values. See the following example of an updated code snippet in the registry.xml file:

      <ldapRegistry id="ldap"
      host="cap-sg-prd-5.integration.ibmcloud.com" port="15163" ignoreCase="true"
      baseDN="dc=worklight,dc=com"
      ldapType="Custom"
      sslEnabled="false"
      bindDN="uid=admin,ou=system"
      bindPassword="secret">
      <customFilters userFilter="(&amp;(uid=%v)(objectclass=inetOrgPerson))"
      groupFilter="(&amp;(member=uid=%v)(objectclass=groupOfNames))"
      userIdMap="*:uid"
      groupIdMap="*:cn"
      groupMemberIdMap="groupOfNames:member"/>
      </ldapRegistry>
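
The following Python script is an added offline check, not part of the IBM documentation or product: it parses an ldapRegistry snippet like the one above, expands the %v placeholder for a login name with RFC 4515 escaping, and lists the settings a reviewer would question before deployment. It assumes that Liberty substitutes the login name for %v at query time, and the sample XML is constructed from the snippet on this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the Secure Gateway variant of the snippet on this page.
REGISTRY_XML = """<server>
  <ldapRegistry id="ldap"
    host="cap-sg-prd-5.integration.ibmcloud.com" port="15163" ignoreCase="true"
    baseDN="dc=worklight,dc=com" ldapType="Custom" sslEnabled="false"
    bindDN="uid=admin,ou=system" bindPassword="secret">
    <customFilters userFilter="(&amp;(uid=%v)(objectclass=inetOrgPerson))"
      groupFilter="(&amp;(member=uid=%v)(objectclass=groupOfNames))"
      userIdMap="*:uid" groupIdMap="*:cn" groupMemberIdMap="groupOfNames:member"/>
  </ldapRegistry>
</server>"""

# RFC 4515 escapes for a value placed inside a search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape a login name so it cannot change the structure of the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def expand_filter(template: str, user: str) -> str:
    """Fill the %v placeholder with an escaped login name (assumed Liberty semantics)."""
    return template.replace("%v", escape_filter_value(user))

def load_ldap_registry(xml_text: str) -> dict:
    """Pull the ldapRegistry attributes documented on this page out of registry.xml."""
    root = ET.fromstring(xml_text)
    reg = root if root.tag == "ldapRegistry" else root.find(".//ldapRegistry")
    filters = reg.find("customFilters")  # ElementTree already decodes &amp; to &
    return {
        "host": reg.get("host"),
        "port": int(reg.get("port", "389")),
        "sslEnabled": reg.get("sslEnabled", "false").lower() == "true",
        "bindDN": reg.get("bindDN"),
        "bindPassword": reg.get("bindPassword"),
        "userFilter": filters.get("userFilter"),
        "groupFilter": filters.get("groupFilter"),
    }

def review(cfg: dict) -> list:
    """Return the findings a reviewer would raise against this configuration."""
    findings = []
    if not cfg["sslEnabled"]:
        findings.append("sslEnabled is false: the bind and searches are not TLS protected")
    if cfg["bindDN"] == "uid=admin,ou=system" or cfg["bindPassword"] == "secret":
        findings.append("bind credentials are the Apache DS defaults; use a dedicated account")
    if "%v" not in (cfg["userFilter"] or ""):
        findings.append("userFilter lacks the %v placeholder; logins would not be matched per user")
    return findings
```

Run review() on your own registry.xml before shipping it; the escaping in expand_filter shows what a login name such as `*)(uid=*` turns into once it is safely placed in the filter.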

Parent topic: LDAP configuration for containers