Network Deployment (Distributed operating systems), v8.0 > Secure applications and their environment > Authenticate users > Use Microsoft Active Directory for authentication
Authentication using Microsoft Active Directory
Overview
WAS integration with Microsoft Active Directory requires handling data spread across domain controllers in forests...
A tree in a forest contains domains made up of the primary components of the distinguished name (DN), for example...
dc=acme, dc=com
A forest can leverage Kerberos to extend trust to other forests.
Simple configuration
Stand-alone LDAP registry representing a single domain, with Microsoft AD accessed using either...
- WAS stand-alone LDAP user registry
- WAS federated repositories registry containing a single LDAP repository
Typical configuration
Single tree in a forest where each branch of the tree is a domain. For example, a single tree of four domains (A, B, C, D)...
Configurations frequently have domains organized by either...
- geography
- organizational unit
Configure using the WAS federated repositories.
Map entries from multiple individual user repositories into a single virtual repository.
These configurations create...
- Federated user repository with a single named realm
- LDAP subtree within the single repository
The root of the repository is mapped to a base entry within the federated repository, which is the starting point within the hierarchical namespace of the virtual realm.
LDAP searches in this configuration proceed with...
- binding to the top domain object
- LDAP referrals
The stand-alone LDAP registry in WAS does not support LDAP referrals.
Less typical configurations
For multiple trees, use the federated repositories registry with separate LDAP repositories mapped to the top of each tree.
If a Microsoft AD tree exists under the top-level domain, enable LDAP referrals.
Rare configurations
Rare configurations consist of Microsoft AD domains configured with a combination of a user forest and a group forest. Users are imported as ForeignSecurityPrincipals objects in the group forest. The groups contain the DNs of the ForeignSecurityPrincipals objects as members.
In this form of configuration, direct group lookups do not occur. Lookups are relegated to a static group query across multiple registries.
This configuration requires a custom user registry. WAS registries do not support this type of configuration.
Forests and user filters
The default unique ID in Microsoft AD is the sAMAccountName attribute of a user. User IDs are guaranteed to be unique within a single domain, but not across a tree or a forest. In any search of the whole registry, authentication fails if there is more than one match at run time.
Microsoft AD Global Catalog
Options for finding group membership within a Microsoft AD forest
Groups spanning domains with Microsoft AD
Locate user group memberships in a LDAP registry
Authenticate users with LDAP registries in a Microsoft AD forest
Use Microsoft AD for authentication
http://www.ibm.com/developerworks/websphere/services/
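The "Forests and user filters" point above can be checked before a federated realm goes live: export the user entries of each domain in the tree and look for sAMAccountName values that occur in more than one domain, since a whole-realm search for such an id returns several matches and authentication fails. This is an added example, not IBM code; the LDIF export, the domain names under dc=acme,dc=com and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample export (not from the page): four domains, "bjones" used in both B and D.
SAMPLE_LDIF = """\
dn: CN=Alice Smith,OU=Users,DC=a,DC=acme,DC=com
sAMAccountName: asmith

dn: CN=Bob Jones,OU=Users,DC=b,DC=acme,DC=com
sAMAccountName: bjones

dn: CN=Carol White,OU=Users,DC=c,DC=acme,DC=com
sAMAccountName: cwhite

dn: CN=Bob Jonsson,OU=Users,DC=d,DC=acme,DC=com
sAMAccountName: bjones
"""

def parse_ldif(text):
    """Return (dn, sAMAccountName) pairs from a minimal, blank-line separated LDIF export.
    Attribute names compare case-insensitively; base64 (::) values and folded lines are not handled."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():          # a blank line ends the current entry
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        current[name.strip().lower()] = value.strip()
    if current:
        entries.append(current)
    return [(e["dn"], e["samaccountname"]) for e in entries if "dn" in e and "samaccountname" in e]

def domain_of(dn):
    """Domain part of a DN, e.g. 'dc=b,dc=acme,dc=com' (assumes no escaped commas in RDNs)."""
    parts = [p.strip().lower() for p in dn.split(",")]
    return ",".join(p for p in parts if p.startswith("dc="))

def realm_search(entries, uid):
    """Emulate a whole-realm lookup on sAMAccountName and return the matching DNs.
    WAS fails the authentication when more than one DN comes back."""
    return [dn for dn, sam in entries if sam.lower() == uid.lower()]

def find_collisions(entries):
    """sAMAccountNames present in more than one domain, mapped to the sorted list of those domains."""
    seen = defaultdict(set)
    for dn, sam in entries:
        seen[sam.lower()].add(domain_of(dn))
    return {sam: sorted(doms) for sam, doms in seen.items() if len(doms) > 1}
```

Run find_collisions over a real export of each domain mapped into the realm; any non-empty result is an id that will fail to authenticate until the duplicate is resolved or the realm is narrowed to a single domain base entry.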