Follow this topic to configure Lightweight Directory Access Protocol
(LDAP) settings in a federated repository configuration.
Configure the LDAP repository as follows:
- Enter a unique identifier for the repository in the
Repository identifier field. This identifier uniquely identifies the repository
within the cell... LDAP1.
- Select the type of LDAP server that is used from the Directory
type list. The type of LDAP server determines the default filters
that are used by WebSphere Application Server.
IBM Tivoli Directory Server
users can choose either IBM Tivoli Directory Server or SecureWay as the directory
type. Use the IBM Tivoli Directory Server directory type for better performance.
For a list of supported LDAP servers, see Using specific directory servers as the LDAP server.
- Enter the fully qualified host name of the primary LDAP server
in the Primary host name field. You can enter either the IP address
or the domain name system (DNS) name.
- Enter the server port of the LDAP directory in the Port field.
In a cell that contains nodes of mixed versions, the host name and port number
together form the realm name for this LDAP server. If servers in different cells
exchange Lightweight Third Party Authentication (LTPA) tokens, the realm names
must match exactly in every cell.
The default value is 389,
which is not a Secure Sockets Layer (SSL) connection; on port 389 the bind password
and all directory data cross the network in clear text unless you require SSL. Use port 636 for a Secure
Sockets Layer (SSL) connection. For some LDAP servers, you can specify a different
port for a non-SSL or SSL connection. If you do not know the port to use,
contact your LDAP server administrator.
If multiple WebSphere Application
Servers are installed and configured to run in the same single sign-on domain,
or if WebSphere Application Server interoperates with a previous version of
WebSphere Application Server, then it is important that the port number match
all configurations. For example, if the LDAP port is explicitly specified
as 389 in a V5.x or 6.0.x configuration, and WebSphere Application
Server at V6.1 is going to interoperate with the V5.x or 6.0.x
server, then verify that port 389 is specified explicitly for the
V6.1 server.
- Optional: Enter the host name of the failover LDAP
server in the Failover host name field. You can specify a secondary
directory server to be used if your primary directory server
becomes unavailable. After switching to the secondary directory server, the LDAP
repository attempts to reconnect to the primary directory server every 15
minutes.
- Optional: Enter the port of the failover LDAP server
in the Port field and click Add. The default value is 389,
which is not a Secure Sockets Layer (SSL) connection. Use port 636 for a Secure
Sockets Layer (SSL) connection. For some LDAP servers, you can specify a different
port for a non-SSL or SSL connection. If you do not know the port to use,
contact your LDAP server administrator.
- Optional: Select the type of referral.
A referral is an entity that is used to redirect a client request to
another LDAP server. A referral contains the names and locations of other
objects. It is sent by the server to indicate that the information that the
client requested can be found at another location, possibly at another server
or several servers. The default value is ignore.
- ignore: Referrals are ignored.
- follow: Referrals are followed automatically. The application server then
connects to whatever server a referral names, so select follow only when every
server your directory can refer to is trusted and reachable on the intended ports.
- Optional: Enter the bind DN name in the Bind distinguished
name field, for example, cn=root. The bind DN is required if anonymous
binds are not possible on the LDAP server to obtain user and group information
or for write operations. In most cases, a bind DN and bind password are needed.
However, when anonymous bind can satisfy all of the required functions, the bind
DN and bind password are not needed. If the LDAP server is set up to use anonymous
binds, leave this field blank. If a name is not specified, the application
server binds anonymously. Because the bind password is stored in the application
server configuration, prefer a dedicated account with only the read access the
repository needs over the directory administrator account, and grant write access
only if the repository must perform write operations.
- Optional: Enter the password that corresponds to the
bind DN in the Bind password field.
- Optional: Enter the property names to use to log into
WebSphere Application Server in the Login properties field. This
field takes multiple login properties, delimited by a semicolon (;). For example, uid;mail.
All
login properties are searched during login. If multiple entries or no entries
are found, an exception is thrown. For example, if you specify the login properties
as uid;mail and the login ID as Bob, the search filter searches for
uid=Bob or mail=Bob. When the search returns a single entry, then authentication
can proceed. Otherwise, an exception is thrown.
- Optional: Select the certificate map mode in the Certificate
mapping field. You can use X.509 certificates for user authentication
when LDAP is selected as the repository. The Certificate mapping field
indicates whether an X.509 certificate is mapped to an LDAP directory
user by EXACT_DN or by CERTIFICATE_FILTER. If EXACT_DN is selected, the DN in
the certificate must exactly match the DN of the user entry in the LDAP server, including
case and spaces.
- If you select CERTIFICATE_FILTER in the Certificate mapping
field, specify the LDAP filter for mapping attributes in the client certificate
to entries in LDAP.
If more than one LDAP entry matches the
filter specification at run time, authentication fails because the result
is an ambiguous match. The syntax or structure of this filter is:
LDAP attribute=${Client certificate attribute}
For example, uid=${SubjectCN}.
The
left side of the filter specification is an LDAP attribute that depends on
the schema that your LDAP server is configured to use. The right side of the
filter specification is one of the public attributes in your client certificate.
The right side must begin with a dollar sign ($) and an open brace ({) and
end with a close brace (}). You can use the following certificate attribute
values on the right side of the filter specification. The case of the strings
is important:
- ${UniqueKey}
- ${PublicKey}
- ${Issuer}
- ${NotAfter}
- ${NotBefore}
- ${SerialNumber}
- ${SigAlgName}
- ${SigAlgOID}
- ${SigAlgParams}
- ${SubjectCN}
- ${Version}
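The following added example, which is not WebSphere Application Server code, shows how a Login properties value such as uid;mail and a CERTIFICATE_FILTER such as uid=${SubjectCN} become LDAP search filters, and how the single-match rule from the two sections above decides whether authentication proceeds. Function names, the sample directory and the certificate attribute values are all constructed for the illustration; the filter evaluator is a deliberately minimal stand-in for a real directory search. It also escapes the login ID per RFC 4515, which the page does not discuss, so that a login ID containing filter metacharacters cannot widen the search.

```python
import re
from typing import Dict, List

# RFC 4515 escaping of a value placed inside a filter. A login ID such as
# "bob)(uid=*" must stay a literal string and not alter the filter structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def login_filter(login_properties: str, login_id: str) -> str:
    """Filter searched at login for a Login properties value such as "uid;mail"."""
    props = [p.strip() for p in login_properties.split(";") if p.strip()]
    if not props:
        raise ValueError("Login properties must name at least one attribute")
    value = escape_filter_value(login_id)
    clauses = "".join(f"({p}={value})" for p in props)
    return clauses if len(props) == 1 else f"(|{clauses})"


# Certificate attribute names allowed on the right-hand side; the case matters.
CERT_ATTRIBUTES = frozenset({
    "UniqueKey", "PublicKey", "Issuer", "NotAfter", "NotBefore", "SerialNumber",
    "SigAlgName", "SigAlgOID", "SigAlgParams", "SubjectCN", "Version",
})
_PLACEHOLDER = re.compile(r"\$\{([^}]*)\}")


def unknown_placeholders(template: str) -> List[str]:
    """Names inside ${...} that are not valid certificate attributes (wrong case, typos)."""
    return [n for n in _PLACEHOLDER.findall(template) if n not in CERT_ATTRIBUTES]


def certificate_filter(template: str, cert: Dict[str, str]) -> str:
    """Resolve a CERTIFICATE_FILTER such as "uid=${SubjectCN}" against one client certificate.

    `cert` maps attribute names to the values read from the certificate (constructed here).
    """
    bad = unknown_placeholders(template)
    if bad:
        raise ValueError(f"unknown certificate attribute(s): {bad}")
    body = _PLACEHOLDER.sub(lambda m: escape_filter_value(cert[m.group(1)]), template)
    return body if body.startswith("(") else f"({body})"


Entry = Dict[str, str]


def _matches(flt: str, entry: Entry) -> bool:
    """Minimal evaluator for the two filter shapes built above: (a=v) and (|(a=v)(b=v))."""
    if flt.startswith("(|"):
        return any(_matches(sub, entry) for sub in re.findall(r"\([^()]*\)", flt[2:-1]))
    attr, _, value = flt[1:-1].partition("=")
    # Attribute names are case-insensitive in LDAP; values are compared exactly here,
    # a simplification of the server's matching rules.
    return entry.get(attr.lower()) == unescape_filter_value(value)


def find_matches(directory: List[Entry], flt: str) -> List[Entry]:
    return [e for e in directory if _matches(flt, e)]


def resolve_user(directory: List[Entry], flt: str) -> Entry:
    """The rule from the page: exactly one entry may match, otherwise authentication fails."""
    hits = find_matches(directory, flt)
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} entries matched {flt}; expected exactly one")
    return hits[0]


# Constructed sample directory (attribute names stored in lower case).
DIRECTORY: List[Entry] = [
    {"dn": "uid=bob,ou=people,dc=example,dc=com", "uid": "bob", "mail": "bob@example.com"},
    {"dn": "uid=alice,ou=people,dc=example,dc=com", "uid": "alice", "mail": "alice@example.com"},
    # A service account whose mail attribute happens to equal another user's uid.
    {"dn": "uid=relay,ou=services,dc=example,dc=com", "uid": "relay", "mail": "alice"},
]

if __name__ == "__main__":
    print(resolve_user(DIRECTORY, login_filter("uid;mail", "bob"))["dn"])
    try:
        resolve_user(DIRECTORY, login_filter("uid;mail", "alice"))  # uid=alice and mail=alice both hit
    except LookupError as err:
        print("login rejected:", err)
    print(login_filter("uid", "bob)(uid=*"))  # escaped, so it matches nothing instead of everything
    print(certificate_filter("uid=${SubjectCN}", {"SubjectCN": "bob"}))
```

The ambiguous case is the one to watch in a real directory: a login ID that is a valid value of any of the listed login properties on a second entry (here, a service account whose mail attribute equals a user's uid) rejects a legitimate login, so keep the property list short and make sure each listed attribute is unique across the search base.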
- Optional: Select the Require SSL communications option
if you want to use Secure Sockets Layer communications with the LDAP server.
If you select the Require SSL communications option, you can
select either the Centrally managed or Use specific SSL alias option. Whichever
option you choose, the selected SSL configuration must reference a truststore that
trusts the signer of the LDAP server certificate; otherwise the connection to the
directory fails.
- Centrally managed:
Enables you to specify an SSL configuration for a particular scope, such
as the cell, node, server, or cluster, in one location. To use the Centrally
managed option, specify the SSL configuration for the particular
set of endpoints. The Manage endpoint security configurations and trust zones
panel displays all of the inbound and outbound endpoints that use the SSL
protocol. If you expand the Inbound or Outbound section of the panel and click
the name of a node, you can specify an SSL configuration that is used for
every endpoint on that node. For an LDAP registry, you can override the inherited
SSL configuration by specifying an SSL configuration for LDAP. To specify
an SSL configuration for LDAP, complete the following steps:
- Click Security > SSL certificate and key management > Manage endpoint
security configurations and trust zones.
- Expand Outbound > cell_name > Nodes > node_name >
Servers > server_name > LDAP.
- Use specific SSL alias:
Select the Use specific SSL alias option if you intend to select
one of the SSL configurations in the menu that follows the option. This
configuration is used only when SSL is enabled for LDAP. The default is DefaultSSLSettings.
To modify or create a new SSL configuration, complete the following steps:
- Click Security > SSL certificate and key management.
- Under Configuration settings, click Manage endpoint security configurations
and trust zones > configuration_name.
- Under Related items, click SSL configurations.
- Click OK.