WebSphere Enterprise Service Bus, Version 6.2.0 Operating Systems: AIX, HP-UX, i5/OS, Linux, Solaris, Windows


Configuring Lightweight Directory Access Protocol (LDAP) as the user registry

By default, the user registry is the local operating system registry. If you prefer, you can use an external directory that is accessed through the Lightweight Directory Access Protocol (LDAP) as the user registry.

Before you begin

This task assumes that you have administrative security turned on.

To access a user registry using LDAP, you must know a valid user name (ID) and password, the server host and port of the registry server, the base distinguished name (DN) and, if necessary, the bind DN and the bind password.

In a network deployment environment, you must use LDAP.

You can choose any valid user in the user registry that is searchable. You can use any user ID that has the administrative role to log in.

Procedure
  1. Start the administrative console.
    • If security is currently disabled, you are prompted for a user ID. Log in with any user ID.
    • If security is currently enabled, you are prompted for both a user ID and a password. Log in with a predefined administrative user ID and password.
  2. Expand Security and click Secure administration, applications, and infrastructure.
  3. From the Secure administration, applications, and infrastructure page, perform the following steps:
    1. Make sure Enable administrative security is selected.
    2. From the Available realm definitions list, select Standalone LDAP registry.
    3. Click Configure.
  4. On the Configuration tab of the Standalone LDAP registry page, perform the following steps:
    1. Enter a valid user name in the Primary administrative user name field.

      This value is the name of a user with administrative privileges that is defined in the registry. This user name is used to access the administrative console. It is also used by the wsadmin command.

      You can either enter the complete distinguished name (DN) of the user or the short name of the user, as defined by the user filter in the Advanced LDAP settings page.

    2. Optional: Select either the Automatically generated server identity or Server identity that is stored in the repository option.
      • If you select Automatically generated server identity, the application server generates the server identity that is used for internal process communication.

        You can change this server identity on the Authentication mechanisms and expiration page. To access the Authentication mechanisms and expiration page click Security > Secure administration, applications, and infrastructure > Authentication mechanisms and expiration. Change the value of the Internal server ID field.

      • If you select the Server identity that is stored in the repository option, enter the following information:
        • For Server user ID or administrative user on a Version 6.0.x node, specify a user ID that is used to run the application server for security purposes.
        • For Password, specify the password associated with this user.

      Although this ID is not the LDAP administrator user ID, the entry must exist in the LDAP directory.

    3. Optional: Select the LDAP server to use from the Type of LDAP server list.

      The type of LDAP server determines the default user and group filters that WebSphere® ESB uses. If you modify these default filters on the Advanced LDAP settings page and click OK or Apply, the Type of LDAP server field changes to Custom, which indicates that custom filters are in use. To use an LDAP server that is not in the list, select the Custom type and modify the user and group filters as required.

      IBM Tivoli Directory Server users can select IBM Tivoli Directory Server as the directory type. Use the IBM Tivoli Directory Server directory type for better performance.

    4. In the Host field, enter the fully qualified name of the computer where the LDAP resides.

      You can enter either the IP address or domain name system (DNS) name.

    5. Optional: In the Port field, enter the port number on which the LDAP server is listening.

      The host name and the port number represent the realm for this LDAP server in the WebSphere ESB cell. So, if servers in different cells are communicating with each other using Lightweight Third Party Authentication (LTPA) tokens, these realms must match exactly in all the cells.

      The default value is 389.

      If multiple WebSphere ESB installations are configured to run in the same single sign-on domain, or if WebSphere ESB interoperates with a previous version of WebSphere ESB, make sure that the host name and port number match in all configurations.

    6. Optional: Enter the base distinguished name in the Base Distinguished Name (DN) field.

      The base distinguished name indicates the starting point for LDAP searches in this LDAP directory server. For example, for a user with a DN of cn=John Doe, ou=Rochester, o=IBM, c=US, specify the base DN as any of the following options (assuming a suffix of c=us): ou=Rochester, o=IBM, c=us; o=IBM, c=us; or c=us.

      For authorization purposes, this field is case-sensitive. This specification implies that if a token is received (for example, from another cell or a Lotus Domino® server), the base distinguished name (DN) in the server must match exactly the base DN from the other cell or Domino server. If case sensitivity is not a consideration for authorization, enable Ignore case for authorization.

      In WebSphere ESB, the distinguished name is normalized according to the Lightweight Directory Access Protocol (LDAP) specification. Normalization consists of removing spaces in the base distinguished name before or after commas and equal symbols. An example of a non-normalized base distinguished name is o = ibm, c = us or o=ibm, c=us. An example of a normalized base distinguished name is o=ibm,c=us.

      This field is required for all LDAP directories except for the Domino Directory, where this field is optional.

    7. Optional: Enter the bind DN name in the Bind distinguished name field.

      The bind DN is required if anonymous binds are not possible on the LDAP server to obtain user and group information.

      If the LDAP server is set up to use anonymous binds, leave this field blank. If a name is not specified, the application server binds anonymously. See the Base Distinguished Name field description for examples of distinguished names.

    8. Optional: Enter the password corresponding to the bind DN in the Bind password field.
    9. Optional: Modify the Search time out value.

      This timeout value is the maximum amount of time, in seconds, that WebSphere ESB waits for the LDAP server to respond to a search request before abandoning the request. The default is 120 seconds.

    10. Ensure that Reuse connection is selected.

      This option specifies that the server should reuse the LDAP connection. Clear this option only in rare situations where a router is used to send requests to multiple LDAP servers and when the router does not support affinity. Leave this option selected for all other situations.

    11. Optional: Verify that Ignore case for authorization is enabled.

      When you enable this option, the authorization check is case insensitive.

      Normally, an authorization check compares the complete DN of a user, which is unique in the LDAP server and is case-sensitive. However, when you use either the IBM Directory Server or the Sun ONE (formerly iPlanet) Directory Server, you must enable this option because the group information that is obtained from these LDAP servers is not consistent in case. This inconsistency affects the authorization check only. Otherwise, this field is optional and can be enabled when a case-insensitive authorization check is required.

      For example, you might select this option when you use certificates and the certificate contents do not match the case of the entry in the LDAP server. You can also enable Ignore case for authorization when you are using single sign-on (SSO) between the product and Lotus Domino.

      The default is enabled.

    12. Optional: Select SSL enabled if you want to use Secure Sockets Layer communications with the LDAP server.

      If you select the SSL enabled option, you can select either Centrally managed or Use specific SSL alias.

      • Centrally managed

        This option enables you to specify an SSL configuration for a particular scope such as the cell, node, server, or cluster in one location. To use the Centrally managed option, you must specify the SSL configuration for the particular set of endpoints.

        The Manage endpoint security configurations page displays all the inbound and outbound endpoints that use the SSL protocol.

        Expand the Inbound or Outbound section of the Manage endpoint security configurations page and click the name of a node to specify an SSL configuration that is used for every endpoint on that node. For an LDAP registry, you can override the inherited SSL configuration by specifying an SSL configuration for LDAP.

      • Use specific SSL alias

        This option is used to select one of the SSL configurations in the list below the option.

        This configuration is used only when SSL is enabled for LDAP. The default is NodeDefaultSSLSettings.

    13. Click OK and either Apply or Save until you return to the Secure administration, applications, and infrastructure page.
  5. From the Secure administration, applications, and infrastructure page, click Set as current.
  6. Click OK and either Apply or Save.
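
The following Python script is an added example, not IBM code and not how WebSphere ESB implements these checks internally. It shows three things the steps above describe: the DN normalization of step 6 (whitespace around commas and equal signs dropped, spaces inside a value kept), the base-DN scoping of step 6 together with the effect of Ignore case for authorization from step 11, and the expansion of a %v-style user filter from a short name (steps 1 and 3) with RFC 4515 escaping so that an entered name cannot alter the filter's structure. The filter template, the sample DNs and the lower-casing of attribute type names are assumptions for illustration; take the real filter template from the Advanced LDAP settings page for your server type.

```python
# Added example (not IBM code): helpers that mirror the DN handling and user-filter
# expansion described for the standalone LDAP registry. The filter template, sample
# DNs and the lower-casing of attribute type names are assumptions for illustration.
import re


def split_rdns(dn):
    """Split a DN into its RDN strings at unescaped commas.

    RFC 4514 escapes a literal comma inside a value as '\\,', so the split must
    track backslash escapes; multi-valued RDNs joined with '+' are not handled.
    """
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    return rdns


def normalize_dn(dn):
    """Normalize a DN as the page describes: drop whitespace before and after
    commas and equal signs. Spaces inside a value ('cn=John Doe') are kept and
    value case is kept, because authorization compares values case-sensitively
    unless Ignore case for authorization is enabled. Attribute type names ('ou',
    'o') are lower-cased because LDAP treats them as case-insensitive (assumption
    beyond what the page states)."""
    out = []
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError("RDN without '=': %r" % rdn)
        out.append("%s=%s" % (attr.strip().lower(), value.strip()))
    return ",".join(out)


def dn_equal(a, b, ignore_case):
    """Compare two DNs after normalization; ignore_case models the console option."""
    na, nb = normalize_dn(a), normalize_dn(b)
    return na.casefold() == nb.casefold() if ignore_case else na == nb


def dn_under_base(user_dn, base_dn, ignore_case):
    """True when base_dn is a whole-RDN suffix of user_dn, i.e. the user lies under
    the search starting point: a base of c=us covers o=IBM,c=us but not o=IBM,c=uk."""
    u = split_rdns(normalize_dn(user_dn))
    b = split_rdns(normalize_dn(base_dn))
    if len(b) > len(u):
        return False
    tail = u[len(u) - len(b):]
    if ignore_case:
        tail, b = [r.casefold() for r in tail], [r.casefold() for r in b]
    return tail == b


# Assumed filter template in the %v placeholder style used on the Advanced LDAP
# settings page; the real template for your server type comes from that page.
USER_FILTER_TEMPLATE = "(&(uid=%v)(objectclass=ePerson))"


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter: backslash,
    '*', '(', ')', NUL and every non-ASCII byte become \\XX hex escapes, so a login
    name such as 'admin)(uid=*' cannot change the filter's structure."""
    out = []
    for ch in value:
        if ch in "\\*()\x00" or ord(ch) > 0x7F:
            out.extend("\\%02x" % byte for byte in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(template, short_name):
    """Expand the escaped short name into the user filter template."""
    return template.replace("%v", escape_filter_value(short_name))


def looks_like_dn(name):
    """Heuristic for 'full DN or short name' (step 1): a DN's first RDN starts
    with an attribute type (or OID) followed by '='."""
    first = split_rdns(name)[0]
    return re.match(r"^\s*([A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)*)\s*=", first) is not None


if __name__ == "__main__":
    user = "cn=John Doe, ou=Rochester, o=IBM, c=US"   # constructed sample DN
    print(normalize_dn("o = ibm, c = us"))            # o=ibm,c=us
    print(dn_under_base(user, "o=IBM,c=us", False))   # False: 'US' differs from 'us'
    print(dn_under_base(user, "o=IBM,c=us", True))    # True with Ignore case enabled
    print(build_user_filter(USER_FILTER_TEMPLATE, "admin)(uid=*"))
```

The case-sensitive mismatch in the main block is the situation the Base Distinguished Name and Ignore case for authorization descriptions warn about: a token from another cell or a Domino server carrying c=US will not match a base DN entered as c=us unless the option is enabled. The escaping function is where an LDAP filter injection would otherwise happen; any value that reaches the %v placeholder from a login form or console field should pass through it.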

What to do next

Save, stop, and restart all servers so that the updates can take effect.

If the server starts without any problems, the setup is correct.





Last updated: 21 June 2010


http://publib.boulder.ibm.com/infocenter/dmndhelp/v6r2mx/topic//com.ibm.websphere.wesb620.doc/doc/tsec_ldap.html
Copyright IBM Corporation 2005, 2010. All Rights Reserved.