Configure LDAP search filters

WebSphere Application Server (WAS) uses search filters to look up entries in LDAP directories.

A default set of filters is provided for each supported LDAP server. You can develop your own filters for LDAP servers that are not supported.

  1. Go to...

    Console | Security | User Registries | LDAP | Advanced LDAP Setting

  2. Modify the User filter, if necessary.

    The user filter is used to search the registry for users and is typically used for the security role-to-user assignment. The filter is also used to authenticate a user by the attribute specified in the filter. It specifies the property used to look up users in the directory service.

    In the following example, the property that is assigned to %v, which is the short name of the user, must be a unique key. Two LDAP entries with the same object class cannot have the same short name. To look up users based on their user IDs (uid) and to use the inetOrgPerson object class, specify the following syntax:

    (&(uid=%v)(objectclass=inetOrgPerson))

  3. Modify the Group filter, if necessary.

    The group filter is used to search the registry for groups and is typically used for the security role-to-group assignment. The filter also specifies the property by which groups are looked up in the directory service.

    In the following example, the property that is assigned to %v, which is the short name of the group, must be a unique key. Two LDAP entries with the same object class cannot have the same short name. To look up groups based on their common names (CN) and to use either the groupOfNames or the groupOfUniqueNames object class, specify the following syntax...

    (&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))

  4. Modify the User ID map filter, if necessary.

    This filter maps the short name of a user to an LDAP entry. It specifies the piece of information that represents users when these users are displayed with their short names.

    For example, to display entries whose object class is inetOrgPerson by their user IDs, specify inetOrgPerson:uid.

    This field takes multiple objectclass:property pairs delimited by a semicolon (;). The short name obtained by using this filter is what methods like getCallerPrincipal() and getUserPrincipal() return, so that they provide a consistent value.

    For example, the user CN=Bob Smith, ou=amsterdam.setgetweb.com, o=IBM, c=US can log in using any attributes that are defined (for example, e-mail address, social security number, and so on) but when these methods are called, the user ID bob is returned no matter how the user logs in.

  5. Modify the Group ID Map filter, if necessary.

    This filter maps the short name of a group to an LDAP entry. It specifies the piece of information that represents groups when groups display.

    For example, to display groups by their names, specify *:cn. The asterisk (*) is a wildcard that, in this case, matches any object class. This field takes multiple objectclass:property pairs delimited by a semicolon (;).

  6. Modify the Group Member ID Map filter, if necessary.

    This filter identifies user-to-group memberships. For the SecureWay, Netscape, and Domino directory types, this field is used to query all the groups that match the specified object classes and determine whether the user appears in the specified attribute.

    For example, to get all the users belonging to groups with the groupOfNames object class, where the users are listed in the member attribute, specify groupOfNames:member. This syntax specifies which property of an object class stores the list of members belonging to the group represented by that object class. This field takes multiple objectclass:property pairs delimited by a semicolon (;). For more information about this syntax, see your LDAP directory service documentation.

    For the IBM Directory Server, iPlanet Directory Server, and Active Directory, this field is used to query all users in a group by using the information stored in the user object (instead of querying all the groups individually to find if the user exists in that group).

    For example, the memberof:member filter (for Active Directory) is used to get the memberof attribute of the user object to get all the groups to which the user belongs. The member attribute is used to get all the users in a group using the group object. Using the user object to obtain the group information is expected to improve performance.

  7. Modify the Certificate Map Mode, if necessary.

    You can use X.509 certificates for user authentication when LDAP is selected as the user registry. This field indicates whether to map the X.509 certificate to an LDAP directory user by EXACT_DN or by CERTIFICATE_FILTER. If EXACT_DN is selected, the DN in the certificate must exactly match the user entry in the LDAP server (including case and spaces).

    Use the Ignore Case field in the LDAP settings to make the authorization case insensitive. If you select CERTIFICATE_FILTER, fill in the appropriate certificate filter (in the next field) to use for mapping the certificate to a user in LDAP.

  8. If you specify the filter certificate mapping in step 7, use this property to specify the LDAP filter for mapping attributes in the client certificate to entries in LDAP.

    If more than one LDAP entry matches the filter specification at run time, authentication fails because an ambiguous match results. The syntax of this filter is:

    LDAP attribute=${Client certificate attribute}

    For example...

    uid=${SubjectCN}

    The left side of the filter specification is an LDAP attribute that depends on the schema that your LDAP server is configured to use. The right side of the filter specification is one of the public attributes in your client certificate. Note that the right side must begin with a dollar sign ($) and an opening brace ({), and end with a closing brace (}).

    Use the following certificate attribute values on the right side of the filter specification. The case of the strings is important.

    • ${UniqueKey}
    • ${PublicKey}
    • ${Issuer}
    • ${NotAfter}
    • ${NotBefore}
    • ${SerialNumber}
    • ${SigAlgName}
    • ${SigAlgOID}
    • ${SigAlgParams}
    • ${SubjectDN}
    • ${Version}

    To enable this field, select CERTIFICATE_FILTER for the certificate mapping.

  9. Click Apply.

    When any LDAP user or group filter is modified in the Advanced LDAP Settings panel, click Apply.

    Clicking OK navigates you to the LDAP User Registry panel, which contains the previous LDAP directory type, rather than the custom LDAP directory type. Clicking OK or Apply in the LDAP User Registry panel saves the back-level LDAP directory type and the default filters of that directory. This action overwrites any changes to the filters that you made. To avoid overwriting changes, you can take either of the following actions:

    • Click Apply in the Advanced LDAP Settings panel. To proceed to another panel, use the left navigation. Using the navigation to access the LDAP User Registry panel changes the directory type to Custom.

    • Choose Custom type from the LDAP User Registry panel. Click Apply and then change the filters by clicking the Advanced LDAP Settings panel.

      After you complete your changes, click Apply or OK.

    The changes (if any) are not validated in this panel. Validation is done when you click OK or Apply in the Global Security panel. If you are enabling security for the first time, complete the remaining steps and go to the Global Security panel. Select LDAP as the Active User Registry. If security is already enabled and any information on this panel changes, go to the Global Security panel and click OK or Apply to validate your changes. If your changes are not validated, the server might not start.
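The following is an added example and is not WebSphere code. It shows what the User filter (step 2) and Group filter (step 3) do at run time: the short name typed at login replaces %v, the resulting filter is evaluated against the directory, and the short name must resolve to exactly one entry. The parser covers only the RFC 4515 subset the templates use, the sample entries are constructed, and the one security point a practitioner should take from it is that the value substituted for %v is escaped so that it can never change the filter's structure.

```python
"""Added example (not WebSphere code): render the User and Group filter
templates from steps 2 and 3, substitute the short name for %v safely, and
evaluate the result against a small constructed directory."""
import re

# RFC 4515 section 3 escaping. The value substituted for %v comes from the
# login form, so it must never be able to change the structure of the filter.
_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}


def escape_filter_value(value: str) -> str:
    return ''.join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, short_name: str) -> str:
    """Replace every %v in a WAS filter template with the escaped short name."""
    return template.replace('%v', escape_filter_value(short_name))


def _parse(s: str, i: int):
    """Recursive-descent parse of the RFC 4515 subset the templates use:
    (&...), (|...) and (attr=value). Returns (node, next_offset)."""
    if i >= len(s) or s[i] != '(':
        raise ValueError('expected "(" at offset %d' % i)
    i += 1
    if i < len(s) and s[i] in '&|':
        op, i, subs = s[i], i + 1, []
        while i < len(s) and s[i] == '(':
            node, i = _parse(s, i)
            subs.append(node)
        if i >= len(s) or s[i] != ')':
            raise ValueError('unbalanced parentheses in filter')
        return (op, subs), i + 1
    j = s.find(')', i)
    if j < 0:
        raise ValueError('unbalanced parentheses in filter')
    attr, sep, val = s[i:j].partition('=')
    if not sep or not attr:
        raise ValueError('expected attr=value at offset %d' % i)
    return ('=', attr.strip().lower(), val), j + 1


def _unescape(value: str) -> str:
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)


def _matches(node, entry: dict) -> bool:
    if node[0] == '&':
        return all(_matches(n, entry) for n in node[1])
    if node[0] == '|':
        return any(_matches(n, entry) for n in node[1])
    _, attr, val = node
    values = entry.get(attr, [])
    if val == '*':                      # presence filter
        return bool(values)
    want = _unescape(val).lower()       # uid, cn and objectclass match case-insensitively
    return any(v.lower() == want for v in values)


def filter_is_well_formed(filt: str) -> bool:
    """True when the whole string parses, e.g. False for a missing closing parenthesis."""
    try:
        _, end = _parse(filt, 0)
        return end == len(filt)
    except ValueError:
        return False


def search(entries: dict, filt: str) -> list:
    """Return the DNs of all entries matching a rendered filter."""
    tree, end = _parse(filt, 0)
    if end != len(filt):
        raise ValueError('trailing characters in filter: %r' % filt[end:])
    return [dn for dn, attrs in entries.items() if _matches(tree, attrs)]


def resolve_user(entries: dict, template: str, short_name: str):
    """The DN for short_name, or None when the filter matches nothing or more
    than one entry (the short name must be a unique key)."""
    hits = search(entries, render_filter(template, short_name))
    return hits[0] if len(hits) == 1 else None


# Constructed sample directory; attribute names are lower-cased, values are lists.
DIRECTORY = {
    'uid=bob,ou=people,o=example': {
        'objectclass': ['inetOrgPerson'], 'uid': ['bob'], 'cn': ['Bob Smith']},
    'uid=alice,ou=people,o=example': {
        'objectclass': ['inetOrgPerson'], 'uid': ['alice'], 'cn': ['Alice Jones']},
    'cn=admins,ou=groups,o=example': {
        'objectclass': ['groupOfNames'], 'cn': ['admins'],
        'member': ['uid=bob,ou=people,o=example']},
    'cn=staff,ou=groups,o=example': {
        'objectclass': ['groupOfUniqueNames'], 'cn': ['staff'],
        'uniquemember': ['uid=alice,ou=people,o=example']},
}

USER_FILTER = '(&(uid=%v)(objectclass=inetOrgPerson))'
GROUP_FILTER = '(&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))'

if __name__ == '__main__':
    print(resolve_user(DIRECTORY, USER_FILTER, 'bob'))
    print(search(DIRECTORY, render_filter(GROUP_FILTER, 'staff')))
```

Running `filter_is_well_formed` over a template before saving it catches the kind of unbalanced parenthesis that would otherwise only surface when the server fails to start after the Global Security panel validates the change; `resolve_user` returning None for a short name that matches two entries is the "must be a unique key" rule from steps 2 and 3 made concrete.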
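The next block is also an added example, not WebSphere code. It parses the objectclass:property maps from steps 4, 5 and 6 and applies them to constructed entries: the User ID map yields the short name bob for the Bob Smith entry regardless of how the user logged in (step 4), the wildcard Group ID map `*:cn` yields a group's name (step 5), and the Group Member ID map is evaluated both by walking the groups and, for the `memberof:member` style, by reading the user object (step 6). The entries and the two lookup functions are this example's own modelling of the behaviour the text describes.

```python
"""Added example (not WebSphere code): parse the objectclass:property maps from
steps 4 to 6 and apply them to constructed entries to obtain a user's short
name, a group's display name and a user's group memberships."""


def parse_id_map(spec: str) -> list:
    """'inetOrgPerson:uid;*:cn' -> [('inetorgperson', 'uid'), ('*', 'cn')]."""
    pairs = []
    for item in spec.split(';'):
        item = item.strip()
        if not item:
            continue
        left, sep, prop = item.partition(':')
        if not sep or not left.strip() or not prop.strip():
            raise ValueError('expected objectclass:property, got %r' % item)
        pairs.append((left.strip().lower(), prop.strip().lower()))
    return pairs


def _has_objectclass(entry: dict, oc: str) -> bool:
    # '*' is the wildcard from step 5 and matches any object class.
    return oc == '*' or oc in (v.lower() for v in entry.get('objectclass', []))


def short_name(entry: dict, id_map: list):
    """Value displayed for the entry (steps 4 and 5): the property of the first
    pair whose object class the entry carries, or None."""
    for oc, prop in id_map:
        if _has_objectclass(entry, oc) and entry.get(prop):
            return entry[prop][0]
    return None


def members_of(group: dict, member_map: list) -> list:
    """DNs held in the member attribute named for the group's object class."""
    out = []
    for oc, prop in member_map:
        if _has_objectclass(group, oc):
            out.extend(group.get(prop, []))
    return out


def groups_for_user(entries: dict, user_dn: str, member_map: list) -> list:
    """Group-side walk (step 6, SecureWay/Netscape/Domino): test every group
    listed in the map for the user's DN in its member attribute."""
    return sorted(dn for dn, e in entries.items() if user_dn in members_of(e, member_map))


def groups_from_user_object(entries: dict, user_dn: str, member_map: list) -> list:
    """User-side lookup (step 6, IBM Directory Server/iPlanet/Active Directory):
    for 'memberof:member' the left-hand name is the user attribute that already
    lists the groups, so no per-group query is needed."""
    user_attr = member_map[0][0]
    return sorted(entries[user_dn].get(user_attr, []))


# Constructed sample entries using the DN from the page's step 4 example.
BOB = 'cn=Bob Smith,ou=amsterdam.setgetweb.com,o=IBM,c=US'
DIRECTORY = {
    BOB: {'objectclass': ['inetOrgPerson'], 'uid': ['bob'], 'cn': ['Bob Smith'],
          'mail': ['bob@amsterdam.setgetweb.com'],
          'memberof': ['cn=admins,ou=groups,o=IBM,c=US',
                       'cn=staff,ou=groups,o=IBM,c=US']},
    'cn=admins,ou=groups,o=IBM,c=US': {
        'objectclass': ['groupOfNames'], 'cn': ['admins'], 'member': [BOB]},
    'cn=staff,ou=groups,o=IBM,c=US': {
        'objectclass': ['groupOfUniqueNames'], 'cn': ['staff'], 'uniquemember': [BOB]},
}

USER_ID_MAP = parse_id_map('inetOrgPerson:uid')
GROUP_ID_MAP = parse_id_map('*:cn')
GROUP_MEMBER_ID_MAP = parse_id_map('groupOfNames:member;groupOfUniqueNames:uniqueMember')
AD_MEMBER_ID_MAP = parse_id_map('memberof:member')

if __name__ == '__main__':
    print(short_name(DIRECTORY[BOB], USER_ID_MAP))
    print(groups_for_user(DIRECTORY, BOB, GROUP_MEMBER_ID_MAP))
    print(groups_from_user_object(DIRECTORY, BOB, AD_MEMBER_ID_MAP))
```

The two membership functions return the same groups for the constructed data; the difference the text points at is cost, since the user-side lookup reads one entry while the group-side walk queries every group that matches the map.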
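A third added example (again not WebSphere code) covers the Certificate Map Mode and certificate filter of steps 7 and 8. It models EXACT_DN as a string comparison of the certificate's subject DN with the entry DN that keeps spaces and, unless the Ignore Case setting is on, case; CERTIFICATE_FILTER checks the `LDAP attribute=${Client certificate attribute}` syntax against the attribute names the page lists (plus ${SubjectCN}, which the page's own example uses), renders it from the certificate, and treats more than one matching entry as a failed mapping. The certificate attributes, entries and the `subject_cn` helper are constructed for the example; how the product itself derives ${SubjectCN} is an assumption.

```python
"""Added example (not WebSphere code): the two certificate map modes from
steps 7 and 8, run against constructed certificate attributes and entries."""
import re

# Attribute names from step 8 plus ${SubjectCN}, which the page's own example uses.
CERT_ATTRIBUTES = {
    'UniqueKey', 'PublicKey', 'Issuer', 'NotAfter', 'NotBefore', 'SerialNumber',
    'SigAlgName', 'SigAlgOID', 'SigAlgParams', 'SubjectDN', 'SubjectCN', 'Version',
}
# LDAP attribute=${Client certificate attribute}: dollar sign, opening brace, closing brace.
_FILTER_SYNTAX = re.compile(r'^([A-Za-z][A-Za-z0-9-]*)=\$\{([A-Za-z]+)\}$')
_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}


def certificate_filter_is_valid(spec: str) -> bool:
    """Syntax check; the case of the attribute name matters, as the page states."""
    m = _FILTER_SYNTAX.match(spec.strip())
    return bool(m) and m.group(2) in CERT_ATTRIBUTES


def subject_cn(subject_dn: str) -> str:
    """First CN component of the subject DN (constructed helper for ${SubjectCN})."""
    for rdn in subject_dn.split(','):
        key, _, value = rdn.strip().partition('=')
        if key.upper() == 'CN':
            return value
    raise ValueError('no CN in %r' % subject_dn)


def render_certificate_filter(spec: str, cert: dict) -> str:
    """'uid=${SubjectCN}' -> 'uid=Bob Smith', with the value escaped per RFC 4515."""
    m = _FILTER_SYNTAX.match(spec.strip())
    if not m or m.group(2) not in CERT_ATTRIBUTES:
        raise ValueError('bad certificate filter: %r' % spec)
    attr, name = m.group(1).lower(), m.group(2)
    value = subject_cn(cert['SubjectDN']) if name == 'SubjectCN' else cert[name]
    return '%s=%s' % (attr, ''.join(_ESCAPES.get(c, c) for c in value))


def _normalise_dn(dn: str, ignore_case: bool) -> str:
    # EXACT_DN keeps spaces and, unless Ignore Case is set, case (assumed model).
    return dn.lower() if ignore_case else dn


def map_certificate(entries: dict, cert: dict, mode: str, spec: str = '',
                    ignore_case: bool = False):
    """DN of the user the certificate maps to, or None when no entry or more
    than one entry qualifies (an ambiguous match fails authentication)."""
    if mode == 'EXACT_DN':
        want = _normalise_dn(cert['SubjectDN'], ignore_case)
        hits = [dn for dn in entries if _normalise_dn(dn, ignore_case) == want]
    elif mode == 'CERTIFICATE_FILTER':
        attr, _, value = render_certificate_filter(spec, cert).partition('=')
        # Undo the escaping for the comparison; LDAP string matching is case-insensitive.
        value = re.sub(r'\\([0-9a-fA-F]{2})',
                       lambda m: chr(int(m.group(1), 16)), value).lower()
        hits = [dn for dn, e in entries.items()
                if any(v.lower() == value for v in e.get(attr, []))]
    else:
        raise ValueError('unknown certificate map mode: %r' % mode)
    return hits[0] if len(hits) == 1 else None


# Constructed client certificate attributes and directory entries.
CERT = {
    'SubjectDN': 'CN=Bob Smith,OU=amsterdam.setgetweb.com,O=IBM,C=US',
    'Issuer': 'CN=Example Issuing CA,O=Example',
    'SerialNumber': '4711',
    'Version': '3',
}
BOB = 'cn=Bob Smith,ou=amsterdam.setgetweb.com,o=IBM,c=US'
DIRECTORY = {
    BOB: {'objectclass': ['inetOrgPerson'], 'uid': ['bob'],
          'cn': ['Bob Smith'], 'serialnumber': ['4711']},
    'cn=Bob Smith,ou=contractors,o=IBM,c=US': {
        'objectclass': ['inetOrgPerson'], 'uid': ['bsmith'],
        'cn': ['Bob Smith'], 'serialnumber': ['0815']},
}

if __name__ == '__main__':
    print(map_certificate(DIRECTORY, CERT, 'EXACT_DN'))                  # None: case differs
    print(map_certificate(DIRECTORY, CERT, 'EXACT_DN', ignore_case=True))
    print(map_certificate(DIRECTORY, CERT, 'CERTIFICATE_FILTER', 'cn=${SubjectCN}'))  # None: ambiguous
```

Two results are worth noting: with two entries whose cn is Bob Smith, `cn=${SubjectCN}` matches both and the mapping fails, which is the ambiguous-match rule from step 8, while a filter on an attribute that is unique in the directory, here the serial number, succeeds; and the EXACT_DN comparison only succeeds once Ignore Case is set, because the certificate's subject DN and the entry DN differ in case.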


Usage Scenario

  1. If you are enabling security, complete the remaining steps. As the final step make sure that you validate this setup by clicking OK or Apply in the Global Security panel.

  2. Save, then stop and start all the product servers (cell, nodes, and all application servers) for any changes in this panel to take effect.

  3. After the server starts, go through all the security-related tasks (getting users, getting groups, and so on) to verify that the modified filters work.