Lightweight Directory Access Protocol settings
Use this page to configure LDAP settings when users and groups reside in an external LDAP directory.
To view this administrative console page, click...
Security | User Registries | LDAP
When security is enabled and any of these properties change, go to the Global Security panel and click Apply to validate the changes.
Configuration tab
- Server User ID
- Specifies the user ID under which the server runs, for security purposes.
Although this ID is not the LDAP administrator user ID, specify a valid entry in the LDAP directory located under the Base Distinguished Name.
- Server User Password
- Specifies the password corresponding to the security server ID.
- Type
- Specifies the type of LDAP server to which you connect.
The type is used to preload default LDAP properties. IBM Directory Server users can choose either IBM_Directory_Server or SecureWay as the directory type. Use the IBM_Directory_server directory type for better performance. Users of the iPlanet Directory Server can choose either iPlanet Directory Server or NetScape as the directory type. Use the iPlanet Directory Server directory type for better performance after configuring iPlanet to use role (nsRole) as the grouping method.
IBM SecureWay Directory Server is not supported.
For a list of supported LDAP servers, see "Supported directory services." in the documentation.
- Host
- Specifies the host ID (IP address or DNS name) of the LDAP server.
- Port
- Specifies the host port of the LDAP server.
If multiple WAS are installed and configured to run in the same single signon domain, or if the WAS interoperates with a previous version of the WAS, then it is important that the port number match all configurations. For example, if the LDAP port is explicitly specified as 389 in a V4.0.x configuration, and a WAS at V5 is going to interoperate with the V4.0.x server, then verify that port 389 is specified explicitly for the V5 server.
Default: 389
- Base Distinguished Name
- Specifies the base distinguished name of the directory service, indicating the starting point for LDAP searches of the directory service.
For example, for a user with a distinguished name (DN) of cn=John Doe, ou=Rochester, o=IBM, c=US, you can specify the base DN as (assuming a suffix of c=us): ou=Rochester,o=IBM,c=us or o=IBM,c=us. For authorization purposes, this field is case sensitive. This specification implies that if a token is received (for example, from another cell or Domino) the base DN in the server must match the base DN from the other cell or Domino server exactly. If case sensitivity is not a consideration for authorization, enable the Ignore Case field.
To interoperate between WAS V5 and a V5.0.1 or later server, enter a normalized base distinguished name. A normalized base distinguished name does not contain spaces before or after commas and equal symbols. An example of a non-normalized base distinguished name is o = ibm, c = us or o=ibm, c=us. An example of a normalized base distinguished name is o=ibm,c=us. In WAS, V5.0.1 or later, the normalization occurs automatically at the run time
This field is required for all LDAP directories except for the Domino Directory, where this field is optional.
- Bind Distinguished Name
- Specifies the distinguished name for the appserver to use when binding to the directory service.
If no name is specified, the appserver binds anonymously. See the Base Distinguished Name field description for examples of distinguished names.
- Bind Password
- Specifies the password for the appserver to use when binding to the directory service.
- Search Timeout
- Specifies the timeout value in seconds for an LDAP server to respond before aborting a request.
Default: 120
- Reuse connection
- Specifies whether the server reuses the LDAP connection. Clear this option only in rare situations where a router is used to spray requests to multiple LDAP servers and when the router does not support affinity.
Default: Enabled Range: Enabled or Disabled
- Ignore Case
- Specifies that a case insensitive authorization check is performed.
This field is required when IBM Directory Server is selected as the LDAP directory server.
This field is required when Sun ONE Directory Server is selected as the LDAP directory server. For more information, see "Using specific directory servers as the LDAP server" in the documentation.
Otherwise, this field is optional and can be enabled when a case-sensitive authorization check is required. For example, use this field when the certificates and the certificate contents do not match the case used for the entry in the LDAP server. You can enable the Ignore Case field when using single signon (SSO) between WAS and Lotus Domino.
Default: Disabled Range: Enabled or Disabled
- SSL Enabled
- Specifies whether secure socket communication is enabled to the LDAP server. When enabled, the LDAP SSL settings are used, if specified.
- SSL Configuration
- Specifies the Secure Sockets Layer configuration to use for the LDAP connection. This configuration is used only when SSL is enabled for LDAP.
Default: DefaultSSLSettings
- Use Tivoli Access Manager for Account Policies
- Select this option to indicate that the Tivoli Access Manager is used for authentication to honor password and account policies. This option requires that you have previously installed the Tivoli Access Manager.
Do not select this option unless you have a Tivoli Access Manager Server installed and configured to be used by WAS. The LDAP directory server used by the Tivoli Access Manager must be the same LDAP directory server that is used by WAS.
Note: When you select this option, IBM SecureWay Directory Server is not supported as an LDAP directory server.
Using specific directory servers as the LDAP server
Administrative console buttons
Administrative console page features
Administrative console scope settings
Administrative console filter settings
Administrative console preference settings