Network Deployment (Distributed operating systems), v8.0 > Secure applications and their environment > Authenticate users > Use Microsoft Active Directory for authentication


Options for finding group membership within a Microsoft Active Directory forest


Overview

Example of group membership with the Microsoft Active Directory forest...


Option 1 - Do not use nested groups

To locate group membership using a hypothetical organizational structure...

  1. Create a global group of NA employees

  2. Create a global group of EU employees

  3. Map the Java EE role to...

      NA employees + EU employees

    This mapping can become unmanageable if there are too many sub-domains.

  4. Enable referrals.

    In WAS v6.1, use federated repositories, specifically:

    • Use a federated realm.

    • Add the Microsoft Active Directory top-level domain controller to the repository. Do not add sub-domain controllers: doing so results in multiple matches when searches for user IDs occur, and the multiple matches cause user logins to fail.

    • Select...

        Support referrals to other LDAP servers = follow


Option 2 - Use universal groups

  1. Put individual users into the universal group, Employees.

    Requirements:

    • The Windows 2003 Native domain functional level is required.

    • User IDs must be directly contained within universal groups.

  2. Map Java EE role to Employees.

  3. Connect to any global catalog in the forest.

    Tip: This option reduces the amount of directory lookup traffic. WAS does not have to follow all the referrals across the directory tree. That is, each domain controller can fully resolve the group information locally.


Option 3 - Use nested groups

  1. Create the universal group, Employees.

  2. Create NA Employees and EU Employees as global groups and make them members in the Employees universal group.

    Requirements: Windows Native domain functional level.

  3. Map the Java EE role to Employees.

  4. Enable referrals.

    For WAS v6.1, use federated repositories, specifically:

    • Use a federated realm.

    • Add the Active Directory top-level domain controller to the repository. Do not add sub-domain controllers, as this results in multiple matches when searches for user IDs occur, and logins fail.

    • Select...

        Support referrals to other LDAP servers = follow

  5. Enable nested groups.

This option is the optimal approach for WAS Version 6.1 or later. Before WAS Version 6.1, referrals were not officially supported.

Group Membership                  | Map Java EE Roles To        | Bind to Which LDAP                       | Enable             | Supported in WAS Version      | Comments
----------------------------------|-----------------------------|------------------------------------------|--------------------|-------------------------------|------------------------------------------------
Global groups                     | Collection of global groups | Top domain controller using port 389/636 | Referrals          | Federated repositories in WAS |
Universal groups                  | Universal groups            | Any global catalog, using port 3268      |                    | All                           |
Global groups in universal groups | Universal groups            | Top domain controller using port 389/636 | Referrals, nesting | Federated repositories in WAS | Cannot use Windows mixed domain functional level
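The following Python model is an added example, not part of the IBM documentation: it shows why Option 3 needs nested groups enabled. In a constructed mini-forest where the per-domain global groups are members of the universal group Employees, a Java EE role mapped to Employees matches a user only when group-in-group membership is resolved transitively. All group and user DNs are made up.

```python
from dataclasses import dataclass, field

@dataclass
class Group:
    scope: str                                  # "global" or "universal"
    members: set = field(default_factory=set)   # DNs of users and/or groups

# Constructed mini-forest (not a real directory): one global group per
# sub-domain, plus the universal group Employees from Options 2 and 3.
NA_EMP = "CN=NA Employees,DC=na,DC=example,DC=com"
EU_EMP = "CN=EU Employees,DC=eu,DC=example,DC=com"
EMPLOYEES = "CN=Employees,DC=example,DC=com"
ALICE = "CN=alice,DC=na,DC=example,DC=com"
BOB = "CN=bob,DC=eu,DC=example,DC=com"

FOREST = {
    NA_EMP: Group("global", {ALICE}),
    EU_EMP: Group("global", {BOB}),
    # Option 3 layout: the global groups are members of the universal
    # group, so users reach Employees only through one level of nesting.
    EMPLOYEES: Group("universal", {NA_EMP, EU_EMP}),
}

def direct_groups(dn, forest):
    """Groups whose member attribute lists this DN (user or group) directly."""
    return {g for g, grp in forest.items() if dn in grp.members}

def effective_groups(user_dn, forest, nested):
    """Groups the user belongs to. With nested=False only direct membership
    counts (what Option 2 relies on). With nested=True, group-in-group
    membership is followed transitively, which is what 'Enable nested
    groups' turns on for Option 3."""
    found = direct_groups(user_dn, forest)
    if not nested:
        return found
    frontier = list(found)
    while frontier:
        parents = direct_groups(frontier.pop(), forest) - found
        found |= parents
        frontier.extend(parents)
    return found

def has_role(user_dn, role_groups, forest, nested):
    """Java EE role check: the role is mapped to a set of group DNs."""
    return bool(role_groups & effective_groups(user_dn, forest, nested))

# Option 1 maps the role to the union of the per-domain global groups;
# Options 2 and 3 map it to the single universal group.
ROLE_OPTION1 = {NA_EMP, EU_EMP}
ROLE_UNIVERSAL = {EMPLOYEES}
```

With the role mapped to Employees and nested resolution off, every user is denied even though the directory data is correct; this is the symptom to check first when Option 3 is configured.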


Configure to use objectCategory attribute

A federated repository uses the objectCategory attribute by default for Active Directory user search filters. The federated repositories configuration file, wimconfig.xml, should be as shown below...

Configure the user filter and group filter (advanced properties) like the following example:

To complete the search filter with the objectCategory attribute.

In a multiple security domain environment, click...

Fill in the search filter.
