By default, the user registry is the local operating system registry. If you prefer, you can use an external Lightweight Directory Access Protocol (LDAP) directory as the user registry.
To access a user registry using LDAP, you must know a valid user name (ID) and password, the server host and port of the registry server, the base distinguished name (DN) and, if necessary, the bind DN and the bind password.
In a network deployment environment, you must use LDAP.
You can choose any valid user in the user registry that the user filter can find. Any user ID that holds the administrative role can be used to log in.
This value is the name of a user with administrative privileges that is defined in the registry. This user name is used to access the administrative console. It is also used by the wsadmin command.
You can either enter the complete distinguished name (DN) of the user or the short name of the user, as defined by the user filter in the Advanced LDAP settings page.
You can change this server identity on the Authentication mechanisms and expiration page. To access the Authentication mechanisms and expiration page click Security > Secure administration, applications, and infrastructure > Authentication mechanisms and expiration. Change the value of the Internal server ID field.
Although this ID is not the LDAP administrator user ID, the entry must exist in the LDAP directory.
The type of LDAP server determines the default user and group filters that WebSphere® ESB uses. If you modify those filters on the Advanced LDAP settings page and click OK or Apply, the Type of LDAP server field changes to Custom, which indicates that custom filters are in use. To use an LDAP server that is not in the list, select the Custom type and modify the user and group filters as required.
If you use IBM Tivoli Directory Server, select IBM Tivoli Directory Server as the directory type; it gives better performance than the generic types.
You can enter either the IP address or domain name system (DNS) name.
The host name and the port number represent the realm for this LDAP server in the WebSphere ESB cell. So, if servers in different cells are communicating with each other using Lightweight Third Party Authentication (LTPA) tokens, these realms must match exactly in all the cells.
The default value is 389.
If multiple WebSphere ESB installations run in the same single sign-on domain, or if WebSphere ESB interoperates with a previous version of the product, make sure that the port number matches in all configurations.
The base distinguished name indicates the starting point for LDAP searches in this LDAP directory server. For example, for a user with a DN of cn=John Doe, ou=Rochester, o=IBM, c=US, specify the base DN as any of the following options (assuming a suffix of c=us): ou=Rochester, o=IBM, c=us; o=IBM, c=us; or c=us.
For authorization purposes, this field is case-sensitive. This specification implies that if a token is received (for example, from another cell or a Lotus Domino® server), the base distinguished name (DN) in the server must match exactly the base DN from the other cell or Domino server. If case sensitivity is not a consideration for authorization, enable Ignore case for authorization.
WebSphere ESB normalizes the distinguished name according to the Lightweight Directory Access Protocol (LDAP) specification. Normalization removes the spaces before and after commas and equal signs in the base distinguished name; spaces inside a value are kept. For example, o = ibm, c = us and o=ibm, c=us are non-normalized base distinguished names; the normalized form of both is o=ibm,c=us.
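The base DN scope, the exact-versus-case-insensitive comparison, and the space-stripping normalization described above, as an added Python example that is not product code. The user and base DNs are the ones used on this page; the handling of backslash-escaped commas is a simplification of LDAP DN syntax and is an assumption of this example, not the product's own normalizer.

```python
# Added example (not WebSphere ESB code): models how a base DN or user DN is
# normalized and compared for the realm and authorization checks described above.
# Only the rule the page states is implemented: strip spaces around ',' and '='.
# Backslash-escaped separators inside a value (cn=Doe\, John) are preserved;
# other RFC 4514 escaping (hex escapes, quoted values) is out of scope here.


def split_unescaped(s, sep):
    """Split s on sep, ignoring separators preceded by a backslash."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):   # keep the escape pair intact
            cur.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts


def normalize_dn(dn):
    """'o = ibm, c = us' -> 'o=ibm,c=us'. Spaces inside a value are kept."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        if "=" not in rdn:
            raise ValueError("malformed RDN: %r" % rdn)
        attr, _, value = rdn.partition("=")
        rdns.append(attr.strip() + "=" + value.strip())
    return ",".join(rdns)


def dn_matches(a, b, ignore_case=False):
    """Product-side comparison of two DNs (for example the base DN carried in an
    LTPA token from another cell against the configured one): exact after
    normalization, or case-insensitive when Ignore case for authorization is on."""
    na, nb = normalize_dn(a), normalize_dn(b)
    return na.lower() == nb.lower() if ignore_case else na == nb


def dn_under_base(dn, base_dn):
    """True when a search rooted at base_dn can reach dn, i.e. base_dn is a
    suffix of dn on an RDN boundary. Directory servers typically match DN
    components case-insensitively, so this compare ignores case; only the
    product's authorization compare in dn_matches() is case-sensitive."""
    parts = [p.lower() for p in split_unescaped(normalize_dn(dn), ",")]
    base = [p.lower() for p in split_unescaped(normalize_dn(base_dn), ",")]
    return len(base) <= len(parts) and parts[len(parts) - len(base):] == base


if __name__ == "__main__":
    user = "cn=John Doe, ou=Rochester, o=IBM, c=US"   # the page's example user
    for base in ("ou=Rochester, o=IBM, c=us", "o=IBM, c=us", "c=us",
                 "ou=Austin, o=IBM, c=us"):
        print("%-26s reachable: %s" % (normalize_dn(base), dn_under_base(user, base)))
    # The same base DN written in different case by two cells: the token check
    # fails unless Ignore case for authorization is enabled.
    print(dn_matches("o=IBM,c=US", "o=ibm,c=us"),
          dn_matches("o=IBM,c=US", "o=ibm,c=us", ignore_case=True))
```

The search (dn_under_base) finds the user from any of the three base DNs on the page, but the realm comparison (dn_matches) of o=IBM,c=US against o=ibm,c=us only succeeds with ignore_case, which is why cells that exchange LTPA tokens must agree on the exact spelling of the base DN or enable Ignore case for authorization.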
This field is required for all LDAP directories except for the Domino Directory, where this field is optional.
The bind DN is required if anonymous binds are not possible on the LDAP server to obtain user and group information.
If the LDAP server is set up to use anonymous binds, leave this field blank. If a name is not specified, the application server binds anonymously. See the Base Distinguished Name field description for examples of distinguished names.
This timeout value is the maximum amount of time, in seconds, that the product waits for the LDAP server to respond to a request before abandoning that request. The default is 120 seconds.
This option specifies that the server should reuse the LDAP connection. Clear this option only in rare situations where a router is used to send requests to multiple LDAP servers and when the router does not support affinity. Leave this option selected for all other situations.
When you enable this option, the authorization check is case insensitive.
Normally, an authorization check compares the complete DN of a user, which is unique in the LDAP server and is case-sensitive. However, when you use either the IBM Directory Server or the Sun ONE (formerly iPlanet) Directory Server, you must enable this option because the group information that these servers return is not consistent in case. This inconsistency affects only the authorization check. For other servers this option is optional, and you can enable it whenever a case-insensitive authorization check is required.
For example, you might select this option when you use certificates and the certificate contents do not match the case of the entry in the LDAP server. You can also enable Ignore case for authorization when you are using single sign-on (SSO) between the product and Lotus Domino.
The default is enabled.
If you select the SSL enabled option, you can select either Centrally managed or Use specific SSL alias.
This option enables you to specify an SSL configuration for a particular scope such as the cell, node, server, or cluster in one location. To use the Centrally managed option, you must specify the SSL configuration for the particular set of endpoints.
The Manage endpoint security configurations page displays all the inbound and outbound endpoints that use the SSL protocol.
Expand the Inbound or Outbound section of the Manage endpoint security configurations page and click the name of a node to specify an SSL configuration that is used for every endpoint on that node. For an LDAP registry, you can override the inherited SSL configuration by specifying an SSL configuration for LDAP.
This option is used to select one of the SSL configurations in the list below the option.
This configuration is used only when SSL is enabled for LDAP. The default is NodeDefaultSSLSettings.
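The fields described on this page can also be set from wsadmin instead of the administrative console. The following wsadmin Jython script is an added example, not part of the product documentation; the host, port, base DN, bind DN, password and administrative user are placeholder values, and the AdminTask command and parameter names are those of the product's SecurityConfigurationCommands group as this example assumes them, so confirm them for your release with AdminTask.help('configureAdminLDAPUserRegistry') before running it.

```jython
# Added example (not product code). Run offline against the configuration with:
#   wsadmin.sh -conntype NONE -lang jython -f configureLdapRegistry.py
# then restart the server. Placeholder values: replace with your own.

ldapHost       = 'ldap.example.com'        # DNS name or IP; with the port it forms the realm
ldapPort       = '389'                     # must match in every cell that shares LTPA tokens
baseDN         = 'o=ibm,c=us'              # normalized: no spaces around ',' or '='
bindDN         = 'cn=wasbind,o=ibm,c=us'   # empty string means anonymous bind
bindPassword   = 'change-me'
primaryAdminId = 'wasadmin'                # must exist under baseDN and pass the user filter

# The list form avoids shell-style quoting problems for values with spaces
# (for example a bind DN of cn=Bind User,o=ibm,c=us).
params = ['-ldapServerType', 'IBM_DIRECTORY_SERVER',   # sets the default filters
          '-ldapHost', ldapHost,
          '-ldapPort', ldapPort,
          '-baseDN', baseDN,
          '-searchTimeout', '120',                     # seconds, the page's default
          '-reuseConnection', 'true',                  # clear only behind a router without affinity
          '-ignoreCase', 'true',                       # required for IBM Directory Server
          '-primaryAdminId', primaryAdminId,
          '-sslEnabled', 'false']
# For LDAP over SSL, use instead:
#   '-sslEnabled', 'true', '-sslConfig', 'NodeDefaultSSLSettings'

if bindDN:
    params = params + ['-bindDN', bindDN, '-bindPassword', bindPassword]

AdminTask.configureAdminLDAPUserRegistry(params)

# Make LDAP the active registry for administrative security and persist the change.
AdminTask.setAdminActiveSecuritySettings(['-activeUserRegistry', 'LDAPUserRegistry'])
AdminConfig.save()
```

Keep the bind password out of the script in practice (prompt for it or read it from a file with restricted permissions), because a wsadmin script is often checked into source control.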
If the server starts without any problems, the registry settings are accepted. To confirm that the registry actually works, log in to the administrative console with the primary administrative user name.