Use specific directory servers as the LDAP server
Using a IBM Tivoli Directory Server as the LDAP server
To use IBM Tivoli Directory Server, choose IBM Directory Server as the directory type.
In the IBM Tivoli Directory Server, the group membership is an operational attribute. With this attribute, a group membership lookup is done using the ibm-allGroups attribute for the entry. To utilize this attribute in a security authorization application, use a case-insensitive match so that attribute values returned by the ibm-allGroups attribute are all in uppercase.
For other supported directory servers, refer to the Supported directory services article.
It is recommended that you do not install IBM Tivoli Directory Server v5.2 on the same machine that you install WAS, v5.1.x. IBM Tivoli Directory Server, v5.2 includes WAS Express, v5.0.2, which the directory server uses for its administrative console. Install the Web Administration tool v5.2 and WAS Express, v5.0.2, which are both bundled with IBM Tivoli Directory Server, v5.2, on a different machine from WAS, v5.1.x. You cannot use WAS, v5.1.x as the administrative console for IBM Tivoli Directory Server. If IBM Tivoli Directory Server, v5.2 and WAS, v5.1.x are installed on the same machine, you might encounter port conflicts.
If install IBM Tivoli Directory Server v5.2 and WAS v5.1.x on the same machine, consider the following information:
- During the IBM Tivoli Directory Server installation process, select both the Web Administration tool and WAS Express, v5.0.2.
- Install WAS, v5.1.x.
- When you install WAS, v5.1.x, change the port number for the appserver. For more information, see Changing HTTP transport ports.
- You might need to adjust the WAS environment variables on the version 5.1.x appserver for WAS_HOME and WAS_INSTALL_ROOT. To change the variables using the administrative console, click...
Environment | Manage WebSphere Variables.
Using a Lotus Domino Server as the LDAP server
If you choose the Lotus Domino LDAP server V6 and the attribute short name is not defined in the schema, you can take either of the following actions:
- Change the schema to add the short name attribute.
- Change the user ID map filter to replace the short name with any other defined attribute (preferably to UID). For example, change person:shortname to person:uid.
The userID map filter is changed to use the uid attribute instead of the shortname attribute as the current version of Lotus Domino does not create the shortname attribute by default. If you want to use the shortname attribute, define the attribute in the schema and change the userID map filter to the following value:
User ID Map : person:shortname
Roles unify entries. Roles are designed to be more efficient and easier to use for applications. For example, an application can locate the role of an entry by enumerating all the roles that are possessed by a given entry, rather than selecting a group and browsing through the members list. With the iPlanet Directory Server directory, WebSphere Application Server security supports groups that are defined by nsRole only. If you plan to use traditional grouping methods to group entries in the iPlanet Directory Server, select Netscape as the directory type.
Using Sun ONE Directory Server as the LDAP server
You can choose Sun ONE Directory Server for your Sun ONE Directory Server system. For supported directory servers, refer to the article, Supported directory services. In Sun ONE Directory Server, the groupOfUniqueName object class is the default when you create a group. For better performance, WAS uses the user object to locate the user group membership from the nsRole attribute. Create the group from the role. If you want to use the groupOfUniqueName to search groups, specify your own filter setting. Roles unify entries. Roles are designed to be more efficient and easier to use for applications. For example, an application can locate the role of an entry by enumerating all the roles that are possessed by a given entry, rather than selecting a group and browsing through the members list. When using roles, you can create a group using a:
- Managed role
- Filtered role
- Nested role
All of these roles are computable by the nsRole attribute.
Using Microsoft Active Directory server as the LDAP server
By default, Microsoft Active Directory does not permit anonymous LDAP queries. To create LDAP queries or to browse the directory, an LDAP client must bind to the LDAP server using the distinguished name (DN) of an account that belongs to the administrator group of the Windows system. A group membership search in the Active Directory is done by enumerating the memberof attribute that is possessed by a given user entry, rather than browsing through the member list in each group. If you change this default behavior to browse each group, you can change the Group Member ID Map field from memberof:member to group:member.
To set up Microsoft Active Directory as your LDAP server, complete the following steps.
- Determine the full distinguished name (DN) and password of an account in the administrators group.For example, if the Active Directory administrator creates an account in the Users folder of the Active Directory Users and Computers Windows control panel and the DNS domain is ibm.com, the resulting DN has the following structure:
cn=<adminUsername>, cn=users, dc=ibm, dc=com- Determine the short name and password of any account in the Microsoft Active Directory.This password does not have to be the same account that is used in the previous step.
- Use the WAS administrative console to set up the information that is needed to use Microsoft Active Directory:
- Start the administrative server for the domain, if necessary.
- On the administrative console, click Security on the left navigation panel.
- Click the Authentication mechanisms tabbed page. Select Lightweight Third Party Authentication (LTPA) as the authentication mechanism.
- Enter the following information in the LDAP settings fields:
- Security Server ID: The short name of the account that is chosen in step 2
- Security Server Password: The password of the account that is chosen in step 2
- Directory Type: Active Directory
- Host: The domain name service (DNS) name of the machine that runs Microsoft Active Directory
- Base Distinguished Name: The domain components of the DN of the account that is chosen in step 1. For example: dc=ibm, dc=com Bind
- Distinguished Name: The full DN of the account chosen in step 1. For example: cn=<adminUsername>, cn=users, dc=ibm, dc=com
- Bind Password: The password of the account that is chosen in step 1
- Click OK to save the changes.
- Stop and restart the administrative server so that the changes take effect.
- (Optional) Set ObjectCategory as the filter in the Group member Id map field to improve LDAP performance.
- Select Security > User Registries > LDAP > Advanced LDAP Settings .
- Add ;objectCategory:group to the end of the Group member ID map field.
- Click OK to save the changes
- Stop and restart the administrative server so that the changes take effect.
Locating a user's group memberships in Lightweight Directory Access Protocol Lightweight Directory Access Protocol
Changing HTTP transport ports
Lightweight Directory Access Protocol advanced settings
Lightweight Directory Access Protocol settings
Supported directory services