Lightweight Directory Access Protocol

Lightweight Directory Access Protocol is a user registry in which authentication is performed using an LDAP binding.

WAS security supports most major LDAP directory servers, which can act as the repository for user and group information. The WAS servers call these LDAP servers to authenticate a user and to perform other security-related tasks (for example, getting user or group information).

This support is provided by using different user and group filters to obtain the user and group information. These filters have default values that you can modify to fit your needs. The Custom LDAP feature enables you to use any other LDAP server (one that is not in the product's list of supported LDAP servers) as the user registry by supplying the appropriate filters.

To use LDAP as the user registry, you need to know a valid user name (ID), the user password, the server host and port, the base distinguished name (DN) and, if necessary, the bind DN and the bind password. You can choose any valid user in the registry that is searchable.

In some LDAP servers, the administrative users are not searchable and cannot be used (for example, cn=root in SecureWay). The user chosen here is referred to as the WAS security server ID, server ID, or server user ID in the documentation. Being a server ID means that a user has special privileges when calling some protected internal methods. Normally, this ID and password are used to log in to the administrative console once security is turned on. Other users can log in if they are assigned to the administrative roles.

When security is enabled in the product, this server ID and password are authenticated against the registry during product startup. If authentication fails, the server does not start. It is important to choose an ID and password that do not expire or change often. If the product server user ID or password needs to change in the registry, make sure the change is performed while all the product servers are up and running.

Once the changes are saved, restart all the servers so that the new ID or password is used by the product.
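The search-then-bind flow described above, as an added example that is not part of the IBM documentation or the product's code. The directory entries, the `%v` user filter, the `cn=root` entry and the in-memory bind/search functions are constructed for the demo; a real deployment talks to the LDAP server through a client library, but the sequence (bind with the bind DN, resolve the login ID to exactly one DN through the user filter, bind as that DN, and refuse to start when the server ID cannot authenticate) is the one the page describes.

```python
import re

# Constructed demo directory (not from the WAS docs). An entry is searchable unless the
# server hides it, as some servers do for administrative accounts such as cn=root.
DIRECTORY = {
    "cn=root,o=example": {"attrs": {"uid": ["root"], "objectclass": ["ePerson"]}, "pw": "root-pw", "searchable": False},
    "uid=wasadmin,ou=people,o=example": {"attrs": {"uid": ["wasadmin"], "objectclass": ["ePerson"]}, "pw": "admin-pw", "searchable": True},
    "uid=alice,ou=people,o=example": {"attrs": {"uid": ["alice"], "objectclass": ["ePerson"]}, "pw": "alice-pw", "searchable": True},
}
USER_FILTER = "(&(uid=%v)(objectclass=ePerson))"   # %v is replaced by the login ID

def escape_filter_value(value):
    """RFC 4515 escaping, so a login ID cannot change the structure of the filter."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\0" else c for c in value)

def bind(dn, password):
    """Simple bind against the demo directory. An empty password is refused outright:
    LDAP servers treat it as an anonymous bind, which would otherwise look like a login."""
    entry = DIRECTORY.get(dn)
    return entry is not None and password != "" and entry["pw"] == password

def search(base_dn, user_filter, login_id):
    """Return the searchable DNs under base_dn that match the filter with %v filled in.
    Only a conjunction of equality terms is understood (enough for the default filters)."""
    filled = user_filter.replace("%v", escape_filter_value(login_id))
    terms = re.findall(r"\((\w+)=([^()]*)\)", filled)
    hits = []
    for dn, entry in DIRECTORY.items():
        in_scope = dn == base_dn or dn.endswith("," + base_dn)
        if entry["searchable"] and in_scope and all(v in entry["attrs"].get(a, []) for a, v in terms):
            hits.append(dn)
    return hits

def authenticate(login_id, password, base_dn, user_filter, bind_dn=None, bind_pw=None):
    """Registry login: bind with the bind DN (or anonymously) in order to search, resolve
    the login ID to exactly one DN through the user filter, then bind as that DN."""
    if bind_dn is not None and not bind(bind_dn, bind_pw):
        return False, "bind DN rejected"
    dns = search(base_dn, user_filter, login_id)
    if len(dns) != 1:
        return False, f"expected exactly one match, got {len(dns)}"
    return (True, dns[0]) if bind(dns[0], password) else (False, "bad password")

def server_startup_check(server_id, server_pw, base_dn, user_filter, **bind_args):
    """Startup rule from the page: the server ID must authenticate or the server does not start."""
    return authenticate(server_id, server_pw, base_dn, user_filter, **bind_args)[0]
```

Two checks the page only implies are made explicit here: the login ID is escaped before it is placed into the filter, and an empty password is rejected locally instead of being sent to the server, where it would be treated as an anonymous bind.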

See Also:

Using specific directory servers as the LDAP server
Configure Lightweight Directory Access Protocol user registries
Supported directory services
Lightweight Directory Access Protocol settings
Lightweight Directory Access Protocol advanced settings
Security: Links