Lightweight Directory Access Protocol settings

Use this page to configure Lightweight Directory Access Protocol (LDAP) settings when users and groups reside in an external LDAP directory.

To view this administrative console page, click Security > Global security. Under User registries, click LDAP.

When security is enabled and any of these properties change, go to the Global security panel and click Apply to validate the changes.

 

Configuration tab

Server user ID

Specifies the user ID that is used to run the WebSphere Application Server for security purposes.

Although this ID is not the LDAP administrator user ID, specify a valid entry in the LDAP directory located under the Base Distinguished Name.

Server user password

Specifies the password corresponding to the security server ID.

Type

Specifies the type of LDAP server to which you connect.

IBM SecureWay Directory Server is not supported.

For a list of supported LDAP servers, see "Supported directory services." in the documentation.

Host

Specifies the host ID (IP address or domain name service (DNS) name) of the LDAP server.

Port

Specifies the host port of the LDAP server.

If multiple WAS appservers are installed and configured to run in the same single signon domain, or if the WebSphere Application Server interoperates with a previous version of the WebSphere Application Server, then it is important that the port number match all configurations. For example, if the LDAP port is explicitly specified as 389 in a V4.0.x configuration, and a WAS at V5 is going to interoperate with the V4.0.x server, then verify that port 389 is specified explicitly for the V5 server.

Default: 389

Base distinguished name (DN)

Specifies the base distinguished name of the directory service, indicating the starting point for LDAP searches of the directory service.

For example, for a user with a distinguished name (DN) of cn=John Doe, ou=Rochester, o=IBM, c=US, one can specify the base DN as (assuming a suffix of c=us): ou=Rochester, o=IBM, c=us. For authorization purposes, this field is case sensitive. This specification implies that if a token is received (for example, from another cell or Domino) the base DN in the server must match the base DN from the other cell or Domino server exactly. If case sensitivity is not a consideration for authorization, enable the Ignore case field. This field is required for all Lightweight Directory Access Protocol (LDAP) directories except for the Domino Directory, where this field is optional.

If we need to interoperate between WAS Version 5 and a V5.0.1 or later server, enter a normalized base distinguished name. A normalized base distinguished name does not contain spaces before or after commas and equal symbols. An example of a non-normalized base distinguished name is o = ibm, c = us or o=ibm, c=us. An example of a normalized base distinguished name is o=ibm,c=us. In WebSphere Application Server, V5.0.1 or later, the normalization occurs automatically during run time

Bind distinguished name (DN)

Distinguished name for the application server to use when binding to the directory service.

If no name is specified, the application server binds anonymously. See the Base Distinguished Name field description for examples of distinguished names.

Bind password

Specifies the password for the application server to use when binding to the directory service.

Search timeout

Specifies the timeout value in seconds for an Lightweight Directory Access Protocol (LDAP) server to respond before aborting a request.

Default: 120

Reuse connection

Specifies whether the server reuses the Lightweight Directory Access Protocol (LDAP) connection. Clear this option only in rare situations where a router is used to spray requests to multiple LDAP servers and when the router does not support affinity.

Default: Enabled
Range: Enabled or Disabled

Ignore case for authorization

Specifies that a case insensitive authorization check is performed when using the default authorization.

This field is required when IBM Tivoli Directory Server is selected as the LDAP directory server.

This field is required when Sun ONE Directory Server is selected as the LDAP directory server. For more information, see "Using specific directory servers as the LDAP server" in the documentation.

Otherwise, this field is optional and can be enabled when a case-sensitive authorization check is required. For example, use this field when the certificates and the certificate contents do not match the case used for the entry in the LDAP server. We can enable the Ignore case field when using single signon (SSO) between WAS and Lotus Domino.

Default: Enabled
Range: Enabled or Disabled

SSL enabled

Specifies whether secure socket communication is enabled to the LDAP server. When enabled, the LDAP SSL settings are used, if specified.

SSL configuration

Specifies the Secure Sockets Layer configuration to use for the LDAP connection. This configuration is used only when SSL is enabled for LDAP.

Default: DefaultSSLSettings


 

Related Tasks


Using specific directory servers as the LDAP server