

Set directory servers as the LDAP server - Standalone registries


Overview

We can use any LDAP server that follows the LDAP specification by setting the directory type to Custom and filling in the required filters.

The default filters for...

...define search results that contain all the relevant information about a user (user ID, groups, and so on), so that WAS does not need to make multiple requests to the LDAP server.

To use IBM Directory Server, select the option...

Microsoft Active Directory forests are not supported by the standalone LDAP registry; to authenticate against a forest, use the federated repositories registry.


Use IBM Tivoli Directory Server as the LDAP server

To use IBM Tivoli Directory Server set directory type to...

Group membership lookup, including...

...is done using the ibm-allGroups attribute. Match the returned values case-insensitively, because the attribute values that the server returns are all in uppercase.

IBM recommends not installing IBM TDS v6.0 on the same machine as WAS v8.0. IBM TDS v6.0 bundles WAS Express v5.1.1, which the directory server uses to host its administrative console. Install the Web Administration tool v6.0 and WAS Express v5.1.1 on a different machine from WAS v8.0; WAS v8.0 cannot serve as the administrative console for IBM TDS. If IBM TDS v6.0 and WAS v8.0 are installed on the same machine, you might encounter port conflicts. If you install IBM TDS v6.0 and WAS v8.0 on the same machine...


Use a Lotus Domino Enterprise Server as the LDAP server

If you select Lotus Domino Enterprise Server v6.5.4 or v7.0 and the shortname attribute is not defined in the schema, take either of the following actions:

• Keep the changed user ID map filter, which now uses the uid attribute instead of the shortname attribute, because the current version of Lotus Domino does not create the shortname attribute by default.
• To keep using the shortname attribute, define the attribute in the schema and change the user ID map filter back to it.


Use Sun ONE Directory Server as the LDAP server

Select Sun ONE Directory Server for a Sun ONE Directory Server system. In Sun ONE Directory Server, the default object class when you create a group is groupOfUniqueNames. For better performance, WAS locates a user's group memberships from the nsRole attribute of the user entry rather than by searching group entries, so create groups from roles. To search groups by the groupOfUniqueNames object class instead, specify your own filter settings. Roles unify the ways of grouping entries and are designed to be more efficient and easier for applications to use: an application can find the roles of an entry by enumerating the roles that the entry possesses, rather than selecting a group and browsing through its member list. When using roles, you can create a group using a:

All of these role types are exposed through the computed nsRole attribute.


Use Microsoft Active Directory as the LDAP server


  1. Determine the DN and password of an account in the administrators group. The bind account only needs to read user and group entries, so a dedicated read-only account is the safer choice for a credential that will be stored in the WAS configuration.

    For example, if the Active Directory administrator uses the control panel to create account adadmin in...

      Active Directory Users and Computers | Users

    ...and the DNS domain is...

      foo.com

    ...the resulting DN could be...

      cn=adadmin, cn=users, dc=foo, dc=com

  2. Determine the short name and password of any account in Active Directory; it is used as the server identity in step 4.

  3. In the WAS console, configure AD...

      Security | Global security | User account repository | Standalone LDAP registry | Configure

    ...setting values for...

      Primary administrative user name: user with administrative privileges defined in the registry, used to log in to the administrative console. Default: wsadmin
      Type: Active Directory
      Host: DNS name of the machine running AD
      Base DN: domain components of the DN of the account. Searches for users and groups start here, so it must contain both. For example:

        dc=foo, dc=com

      Bind DN: full DN of the administrative account determined in the first step, for example:

        cn=adadmin, cn=users, dc=foo, dc=com

      Bind password: password of the account chosen in the first step

  4. Click...

    ...and select either...

    • Automatically generated server identity
    • Server identity stored in the repository

    For the latter, enter...

      Server user ID or administrative user on a v6.0.x node: short name of the account chosen in the second step
      Server user password: password of the account chosen in the second step

  5. To improve performance, set ObjectCategory as the filter in the Group member ID map field. Go to...

      Additional properties | Advanced Lightweight Directory Access Protocol (LDAP) user registry settings

    ...and add...

      ;objectCategory:group

    ...to the end of the Group member ID map field.

  6. By default, Microsoft Active Directory does not permit anonymous LDAP queries: to run LDAP queries or browse the directory, an LDAP client must bind with the DN of an account that is authorized to search on the memberof attribute. If that default has been changed to allow anonymous browsing, change the field...

      Group Member ID Map

    ...from...

      memberof:member

    ..to...

      group:member

  7. Click OK and Save to save the changes to the master configuration.

  8. Stop and restart the administrative server.
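The following script shows, against a constructed in-memory directory, what the registry settings above actually do at search time: the login name is substituted into the user filter (escaped per RFC 4515, which is what keeps a login such as `*)(objectcategory=*` from matching every user), and group membership is resolved either by reading the user's memberof attribute (the Group member ID map `memberof:member`, and the same pattern as the ibm-allGroups attribute on IBM TDS and nsRole on Sun ONE) or by searching entries whose member attribute holds the user's DN (`group:member`), optionally narrowed with the `;objectCategory:group` term from step 5. This is an added example, not IBM code or the product's own implementation: the USER_FILTER string is the WAS default for the Active Directory type as I recall it (compare it with your own Advanced LDAP user registry settings), the filter parser handles only equality and AND, and every directory entry is invented.

```python
"""Resolve a user's group memberships the way a WAS standalone LDAP registry
does, against a constructed in-memory directory (no live server, no ldap3).

Added example, not IBM code.  USER_FILTER is the assumed WAS default for the
Active Directory type; every directory entry below is invented.
"""
import re

USER_FILTER = "(&(sAMAccountName=%v)(objectcategory=user))"  # assumed WAS default

# Constructed directory: DN -> attributes, attribute names lower-cased.
DIRECTORY = {
    "cn=adadmin,cn=users,dc=foo,dc=com": {
        "objectcategory": ["user"], "samaccountname": ["adadmin"]},
    "cn=alice,cn=users,dc=foo,dc=com": {
        "objectcategory": ["user"], "samaccountname": ["alice"],
        "memberof": ["cn=developers,ou=groups,dc=foo,dc=com",
                     "cn=vpn-users,ou=groups,dc=foo,dc=com"]},
    "cn=developers,ou=groups,dc=foo,dc=com": {
        "objectcategory": ["group"], "member": ["cn=alice,cn=users,dc=foo,dc=com"]},
    "cn=vpn-users,ou=groups,dc=foo,dc=com": {
        "objectcategory": ["group"], "member": ["cn=alice,cn=users,dc=foo,dc=com"]},
    # Invented non-group object that also lists alice in a member attribute.
    "cn=dev-list,ou=lists,dc=foo,dc=com": {
        "objectcategory": ["distributionlist"], "member": ["cn=alice,cn=users,dc=foo,dc=com"]},
}

def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def build_filter(template, value):
    """Substitute the login name into the %v placeholder, escaped."""
    return template.replace("%v", escape_filter_value(value))

def _matches(pattern, value):
    # RFC 4515 assertion value -> regex: '*' is a wildcard, '\xx' a literal.
    parts = []
    for piece in re.split(r"(\\[0-9a-fA-F]{2}|\*)", pattern):
        if piece == "*":
            parts.append(".*")
        elif len(piece) == 3 and piece.startswith("\\"):
            parts.append(re.escape(chr(int(piece[1:], 16))))
        else:
            parts.append(re.escape(piece))
    return re.fullmatch("".join(parts), value, re.IGNORECASE) is not None

def _parse(s, i=0):
    # Minimal filter parser: equality matches and AND, enough for the defaults.
    if s[i + 1] == "&":
        subs, i = [], i + 2
        while s[i] != ")":
            node, i = _parse(s, i)
            subs.append(node)
        return ("and", subs), i + 1
    end = s.index(")", i)
    attr, _, pattern = s[i + 1:end].partition("=")
    return ("eq", attr.lower(), pattern), end + 1

def _evaluate(node, attrs):
    if node[0] == "and":
        return all(_evaluate(n, attrs) for n in node[1])
    return any(_matches(node[2], v) for v in attrs.get(node[1], []))

def search(filter_str):
    """Return the DNs of all entries matching an LDAP filter string."""
    node, _ = _parse(filter_str)
    return sorted(dn for dn, attrs in DIRECTORY.items() if _evaluate(node, attrs))

def find_user(login):
    """Map a login name to exactly one DN; ambiguity or no hit means no login."""
    hits = search(build_filter(USER_FILTER, login))
    return hits[0] if len(hits) == 1 else None

def find_user_unescaped(login):
    """The same lookup without escaping: what an LDAP injection exploits."""
    return search(USER_FILTER.replace("%v", login))

def groups_via_memberof(user_dn):
    """Group member ID map 'memberof:member': read the user's memberOf values."""
    return sorted(DIRECTORY[user_dn].get("memberof", []))

def groups_via_member_search(user_dn, object_category=None):
    """Group member ID map 'group:member': search entries whose member attribute
    holds the user's DN; ';objectCategory:group' adds the AND term."""
    flt = "(member=%s)" % escape_filter_value(user_dn)
    if object_category:
        flt = "(&%s(objectcategory=%s))" % (flt, object_category)
    return search(flt)

if __name__ == "__main__":
    alice = find_user("alice")
    print(alice, groups_via_memberof(alice), groups_via_member_search(alice, "group"))
    print("unescaped injection matches", len(find_user_unescaped("*)(objectcategory=*")), "users")
```

Two things to carry over to a real configuration: the registry must reject a login that matches zero or more than one entry (a wildcard that matches every user is a bypass, not a convenience), and the member-attribute search returns anything that carries a member attribute unless it is restricted to group objects, which is why step 5 appends the objectCategory term.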


Related

Standalone LDAP registries
Locate user group memberships in a LDAP registry
Configure LDAP user registries
Advanced LDAP user registry settings
Standalone LDAP registry settings
