Configure LDAP authentication (Liberty profile) - Application Center

We configure LDAP authentication by defining one or more LDAP registries in the server.xml file, and map LDAP users and groups to Application Center roles.

We can configure LDAP authentication of users and groups in the server.xml file by defining an LDAP registry or, since WAS Liberty profile V8.5.5, a federated registry that uses several LDAP registries. Then you map users and groups to Application Center roles. The mapping configuration is the same for LDAP authentication and basic authentication.

  1. To open the server.xml descriptor file, enter ${server.config.dir}/server.xml

  2. Insert one or several LDAP registry definitions after the <httpEndpoint> element.

    Example for the LDAP registry:

    <ldapRegistry baseDN="o=ibm.com" host="employees.com" id="Employees"
                  ldapType="IBM Tivoli Directory Server" port="389" realm="AppCenterLdap"
                  recursiveSearch="true">
      <idsFilters
          groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))"
          id="Employees"
          userFilter="(&amp;(emailAddress=%v)(objectclass=ibmPerson))"
          groupMemberIdMap="ibm-allGroups:member;ibm-allGroups:uniqueMember"
          userIdMap="*:emailAddress"/>
    </ldapRegistry>

    For information about the parameters used in this example, see the WAS v8.5 user documentation.

  3. Insert a security role definition after each Application Center application definition (applicationcenter and appcenterconsole).

    Example for the security role definition. The example includes two sets of sample code: one for the case where the group names are unique within LDAP, and one for the case where they are not.

    Group names unique within LDAP

    This sample code shows how to use the group names ldapGroupForAppcenteruser and ldapGroupForAppcenteradmin when they exist and are unique within LDAP.
    <application-bnd>
      <security-role name="appcenteruser" id="appcenteruser">
        <group name="ldapGroupForAppcenteruser" />
      </security-role>
      <security-role name="appcenteradmin" id="appcenteradmin">
        <group name="ldapGroupForAppcenteradmin" />
      </security-role>
    </application-bnd>

    Group names not unique within LDAP

    This sample code shows how to code the mapping when the group names are not unique within LDAP. The groups must be specified with the access-id attribute.
    <application-bnd>
      <security-role name="appcenteruser" id="appcenteruser">
        <group name="ldapGroup"
               id="ldapGroup"
               access-id="group:AppCenterLdap/CN=ldapGroup,OU=myorg,DC=mydomain,DC=AD,DC=myco,DC=com"/>
      </security-role>
      ...
    </application-bnd>

    The realm part of the access-id attribute must match the realm name given in the LDAP registry definition. In this sample code, the realm name is AppCenterLdap. The remainder of the access-id attribute identifies the LDAP group named ldapGroup by its distinguished name, which makes it unique.

    If required, use similar code to map the appcenteradmin role.
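    The following script is an added example and is not part of the IBM documentation or the Liberty product. It parses a server.xml fragment with the elements shown in steps 2 and 3 (ldapRegistry, application-bnd, security-role, group) and reports the two mistakes that most often break the mapping: an access-id whose realm does not match any ldapRegistry realm, and a distinguished name that picked up whitespace when it was wrapped or pasted. It also reports an application binding that maps neither role. The sample server.xml embedded in the script is constructed for this example, and its second application binding is deliberately wrong so that the checker has something to report; the <application> wrapper elements are trimmed to an id.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from the documentation). The
# appcenterconsole binding is intentionally faulty: unknown realm, DN
# wrapped across spaces, and no appcenteradmin role.
SAMPLE_SERVER_XML = """<server>
  <ldapRegistry baseDN="o=ibm.com" host="employees.com" id="Employees"
                ldapType="IBM Tivoli Directory Server" port="389"
                realm="AppCenterLdap" recursiveSearch="true"/>
  <application id="applicationcenter">
    <application-bnd>
      <security-role name="appcenteruser" id="appcenteruser">
        <group name="ldapGroup" id="ldapGroup"
               access-id="group:AppCenterLdap/CN=ldapGroup,OU=myorg,DC=mydomain,DC=AD,DC=myco,DC=com"/>
      </security-role>
      <security-role name="appcenteradmin" id="appcenteradmin">
        <group name="ldapGroupForAppcenteradmin"/>
      </security-role>
    </application-bnd>
  </application>
  <application id="appcenterconsole">
    <application-bnd>
      <security-role name="appcenteruser" id="appcenteruser">
        <group name="ldapGroup" id="ldapGroup"
               access-id="group:OtherRealm/CN=ldapGroup,OU=myorg,      DC=mydomain,DC=com"/>
      </security-role>
    </application-bnd>
  </application>
</server>
"""

# access-id format used on the page: group:REALM/DN
ACCESS_ID_RE = re.compile(r"^group:([^/]+)/(.+)$", re.DOTALL)
REQUIRED_ROLES = ("appcenteruser", "appcenteradmin")


def check_role_mapping(server_xml: str) -> list:
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    root = ET.fromstring(server_xml)
    findings = []

    # Realm names an access-id may legitimately refer to.
    realms = {reg.get("realm") for reg in root.iter("ldapRegistry") if reg.get("realm")}
    if not realms:
        findings.append("no <ldapRegistry> with a realm attribute found")

    for app in root.iter("application"):
        app_id = app.get("id", "?")
        for bnd in app.iter("application-bnd"):
            roles = {role.get("name") for role in bnd.iter("security-role")}
            for required in REQUIRED_ROLES:
                if required not in roles:
                    findings.append(f"{app_id}: security-role '{required}' is not mapped")

            for group in bnd.iter("group"):
                access_id = group.get("access-id")
                if access_id is None:
                    continue  # mapped by unique group name; nothing to cross-check here
                m = ACCESS_ID_RE.match(access_id)
                if not m:
                    findings.append(f"{app_id}: access-id '{access_id}' is not of the form group:REALM/DN")
                    continue
                realm, dn = m.group(1), m.group(2)
                if realm not in realms:
                    findings.append(
                        f"{app_id}: access-id realm '{realm}' matches no ldapRegistry realm {sorted(realms)}"
                    )
                # Heuristic: whitespace next to an RDN separator usually means the DN was
                # wrapped when pasted; the server compares the DN as a literal string.
                if re.search(r"\s,|,\s", dn):
                    findings.append(f"{app_id}: DN in access-id contains whitespace around a comma: '{dn}'")
    return findings


if __name__ == "__main__":
    for line in check_role_mapping(SAMPLE_SERVER_XML) or ["no problems found"]:
        print(line)
```

    Run it against a real server.xml by passing the file contents to check_role_mapping; a binding that maps roles by unique group name only (the first sample in step 3) produces no access-id findings, because in that case there is no realm or DN to cross-check.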


Parent topic: LDAP with Liberty profile