Lightweight Directory Access Protocol

Lightweight Directory Access Protocol (LDAP) is a user registry in which authentication is performed using an LDAP binding.

WebSphere Application Server security provides and supports implementations for most major LDAP directory servers (LDAP servers), which can be used as the repository for user and group information. The product processes (servers) call these LDAP servers to authenticate users and to perform other security-related tasks (for example, retrieving user or group information).

This support is provided through different user and group filters that obtain the user and group information. These filters have default values that can be modified to fit your needs. In addition, the Custom LDAP feature enables you to use any other LDAP server (one not in the product's list of supported LDAP servers) as the user registry by supplying the appropriate filters. Supporting new LDAP servers with the Custom LDAP feature is left to the customer. To accomplish this, you need to understand how the product uses the filters to obtain the user and group information. See Configure LDAP search filters for more information. The customer is responsible for the validity of the filters and for testing the configuration, and should not depend on IBM for support of custom filters.
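Because the product substitutes the login name into the user and group filters, a custom filter is only as safe as the escaping applied to that substituted value. The following added example (not code from the product or this documentation) shows RFC 4515 escaping of the substituted value, a cheap syntax check for a custom filter, and a way to confirm that the built filter still asserts exactly the attributes the template intended. It assumes a `%v` placeholder convention for the login name; the templates and the name "Doe (Sales)" are constructed for illustration.

```python
import re

# Constructed filter templates in which %v marks where the login name is
# substituted (assumption: the page does not show the product's actual filter
# syntax; these templates are illustrative only).
USER_FILTER_TEMPLATE = "(&(uid=%v)(objectclass=inetOrgPerson))"
GROUP_FILTER_TEMPLATE = "(&(cn=%v)(objectclass=groupOfNames))"

# RFC 4515 requires these characters to be hex-escaped inside an assertion
# value; otherwise a name such as "Doe (Sales)" changes the filter's structure.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}

# Matches one equality assertion "(attr=value)" whose value contains no raw
# parentheses or backslashes (only RFC 4515 \xx escapes are allowed).
_ASSERTION = re.compile(r"\(([A-Za-z][\w-]*)=((?:[^()\\]|\\[0-9a-fA-F]{2})*)\)")


def escape_filter_value(value: str) -> str:
    """Escape a single assertion value for safe use in a search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, value: str) -> str:
    """Substitute the escaped value for every %v placeholder in the template."""
    if "%v" not in template:
        raise ValueError("filter template has no %v placeholder")
    return template.replace("%v", escape_filter_value(value))


def is_well_formed(filt: str) -> bool:
    """Cheap syntax check for a custom filter: parentheses are balanced and
    the whole filter is wrapped in a single outer pair."""
    depth = 0
    for i, ch in enumerate(filt):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0 or (depth == 0 and i != len(filt) - 1):
                return False
    return depth == 0 and filt.startswith("(")


def equality_assertions(filt: str) -> list:
    """Return the (attribute, value) pairs the filter actually asserts, so a
    built filter can be compared against what the template intended."""
    return _ASSERTION.findall(filt)
```

Note that a filter built by plain string substitution of "Doe (Sales)" still passes the parenthesis check but asserts only one attribute instead of two, which is why the assertion count, not just the syntax check, is worth verifying when testing a custom filter.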

To use LDAP as the user registry, you need to know this information about your LDAP server:

The user can be any valid user in the registry and must be searchable. In some LDAP servers, some administrative users are not searchable and therefore cannot be used (for example, cn=root in SecureWay). This user is referred to as the WebSphere Application Server security server ID, server ID, or server user ID in the documentation. The server ID has special privileges when calling some protected internal methods. Normally, this ID and password are used to log in to the administrative console when security is enabled (other users can log in if they are assigned administrative roles).

When security is enabled in the product, this server ID and password are authenticated against the registry during product startup. If authentication fails, the server does not start. It is important to choose an ID and password that do not expire or change often. If the product server user ID or password must be changed in the registry, make sure the changes are performed while all of the product servers are up and running. After the changes to the registry are completed, use the steps described in Configure LDAP user registries to change the ID, password, and any other configuration information. Save the configuration, stop all of the servers, and restart them so that the product uses the new ID or password.

If the product fails to start when security is enabled, you must disable security before the server can start (to avoid this situation, make sure that any changes in this panel are validated in the Global Security panel). After the server starts, you can correct the ID, password, and other configuration information, and then enable security again.