6.6.18.1.4a.4: User Registry settings of the Configure Global Settings task
The content of the User Registry
tabbed page changes depending on the selections on the Authentication
Mechanism tabbed page:
- If the administrator selected Local Operating System on the Authentication Mechanism tabbed page,
only the Security Server ID and Security Server Password properties will be displayed
on the User Registry page.
- If the administrator selected LTPA on the Authentication Mechanism tabbed page, several additional
properties described in this file will be available on the User Registry
tabbed page.
- Security Server ID
- Specifies the user ID the Application Server Version 3 security server component will
run under.
The ID corresponds either to an operating system ID or an LDAP directory ID, depending
on the selection on the Authentication Mechanism tabbed page.
- Security Server Password
- Specifies the password the Application Server Version 3 security server will run under.
- Directory Type
- Specifies the directory service product to use to locate information against
which to authenticate users and groups.
All of the supported directory service choices have predefined filters and
ID maps the administrator can view by clicking the Advanced button. If
the administrator changes the filters or ID maps, the
Directory Type will automatically change to Custom.
"Custom" can refer to any of the
supported directory types, with customized filters and ID maps.
- Advanced
- Specifies optional properties the administrator can use to define search filters and ID
maps for the selected directory service. The administrator can also specify how certificates
will be used to locate entries in the LDAP directory service.
- Initial JNDI Context Factory: Specifies the JNDI Context Factory
to use. If the field is blank, Application Server uses the Context
Factory provided by IBM.
- Directory Type: Specifies the brand of the directory
service. Only directory services compatible with Application Server Version 3
are listed.
If the administrator changes the filter and ID map values on the Advanced dialog box,
the Directory Type will change to Custom, even if the filters and ID maps
the administrator is defining apply to a supported directory service.
- User Filter: Specifies the property by which to look up users
in the directory service. For example, to look up users based on their
user IDs, specify (&(uid=%v)(objectclass=inetOrgPerson)),
where %v is replaced with the user ID being looked up.
For more information about this syntax, see the LDAP directory service
documentation.
- Group Filter: Specifies the property by which to look up
groups in the directory service.
- User ID Map: Specifies the piece of information that should represent
users when users are displayed. For example, to display entries of the
type object class = inetOrgPerson by their IDs, specify
inetOrgPerson:uid.
This field takes multiple objectclass:property
pairs delimited by a semicolon (";").
- Group ID Map: Specifies the piece of information that should
represent groups when groups are displayed. For example, to display groups
by their names, specify *:cn.
The * is a wildcard character that searches on any object class in
this case. This field takes multiple objectclass:property
pairs delimited by a semicolon (";").
- Group Member ID Map: Specifies which property of an objectclass
stores the list of members belonging to the group represented by the objectclass.
This field takes multiple objectclass:property pairs delimited
by a semicolon (";"). For more information about this syntax, see the
LDAP directory service documentation.
- Certificate Mapping: Specifies the certificate field(s) against
which to check certificate validity.
- Exact Distinguished Name: Checks certificate validity against
the exact distinguished name held by the LDAP directory service. It locates
the subject DN of the certificate in the directory.
- Unique Key: Checks certificate validity using a hash function
on two predetermined attributes.
- Certificate Filter: Enables the Filter field for
specifying a property of your choice.
Create an LDAP search filter from the contents of the certificate that will
attempt to match a single directory entry. An example of a search filter is:
(&(cn=${Subject:cn})(version=${Version}))
The list of possible variable substitutions referring to portions of the certificate
is given here (in the format "variable = meaning"):
- PublicKey = Public Key of the certificate
- Issuer:attribute = The issuer distinguished name of the certificate. An attribute
value must be specified that allows the administrator to select a specific attribute of the
Distinguished Name. To retrieve the entire Distinguished Name, use
the "DN" attribute.
- NotAfter = The date at which the certificate is no longer valid
- NotBefore = The date before which the certificate is not valid
- SerialNumber = The serial number of the certificate
- SigAlgName = The signature algorithm name
- SigAlgOID = The OID of the signature algorithm
- SigAlgParams = The DER encoded signature algorithm parameters
- Subject:attribute = The subject distinguished name of the certificate. An
attribute value must be specified that allows the administrator to select a specific attribute
of the Distinguished Name. To retrieve the entire Distinguished Name,
use the attribute DN.
- Version = The version number
- Certificate Filter: If you specified the Filter Certificate Mapping, this
property specifies the certificate property against which to check certificate
validity.
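The following is an added example, not code from the InfoCenter page or from Application Server itself. It shows how the User Filter, the objectclass:property ID maps and the Certificate Filter described above are expanded before a directory search, and why each substituted value must be escaped: an unescaped login name such as "*)(uid=*" would otherwise change the meaning of the filter rather than be matched as a literal. The filter and ID map syntaxes follow the page; the function names, the certificate dictionary and the sample entries are assumptions constructed for this example.

```python
# Added example (not from the InfoCenter page or from Application Server):
# expansion of the User Filter, ID maps and Certificate Filter syntaxes.
# Helper names and sample data are assumptions constructed for this example.
import re

# RFC 4515 escaping for values substituted into a search filter.  Without it
# a login name such as "*)(uid=*" would rewrite the filter instead of being
# matched as a literal value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_user_filter(user_filter: str, login_name: str) -> str:
    """Replace every %v in the configured User (or Group) Filter with the
    escaped name being looked up."""
    return user_filter.replace("%v", escape_filter_value(login_name))

def parse_id_map(id_map: str) -> list:
    """Parse 'objectclass:property;objectclass:property' into ordered pairs."""
    pairs = []
    for item in id_map.split(";"):
        item = item.strip()
        if not item:
            continue
        objectclass, sep, prop = item.partition(":")
        if not sep or not objectclass.strip() or not prop.strip():
            raise ValueError("malformed ID map entry: %r" % item)
        pairs.append((objectclass.strip().lower(), prop.strip().lower()))
    return pairs

def display_name(entry: dict, id_map: str) -> str:
    """Choose the attribute that represents an entry according to an ID map.
    `entry` is shaped like an LDAP client result: {attribute: [values]}.
    '*' matches any object class; the first pair that applies wins."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    attrs = {k.lower(): v for k, v in entry.items()}
    for objectclass, prop in parse_id_map(id_map):
        if (objectclass == "*" or objectclass in classes) and attrs.get(prop):
            return attrs[prop][0]
    raise LookupError("no ID map entry applies to this entry")

# ${Variable} or ${Subject:attr} / ${Issuer:attr} references in a Certificate Filter.
_VAR = re.compile(r"\$\{([A-Za-z]+)(?::([A-Za-z]+))?\}")

def parse_dn(dn: str) -> dict:
    """Split 'cn=...,ou=...,o=...' into {attribute: value}.  Commas inside a
    value are assumed to be backslash-escaped as in RFC 2253."""
    attrs = {}
    for rdn in re.split(r"(?<!\\),", dn):
        name, _, value = rdn.strip().partition("=")
        attrs[name.strip().lower()] = value.replace("\\,", ",")
    return attrs

def expand_certificate_filter(cert_filter: str, cert: dict) -> str:
    """Substitute the variables listed on the page with values taken from
    `cert` (a dict keyed by the page's variable names), escaping each value."""
    def lookup(match):
        field, attr = match.group(1), match.group(2)
        if field in ("Subject", "Issuer"):
            if attr is None:
                raise ValueError("${%s} needs an attribute, e.g. ${%s:cn} or ${%s:DN}"
                                 % (field, field, field))
            value = cert[field] if attr.upper() == "DN" else parse_dn(cert[field])[attr.lower()]
        elif attr is not None:
            raise ValueError("${%s} does not take an attribute" % field)
        else:
            value = cert[field]
        return escape_filter_value(str(value))
    return _VAR.sub(lookup, cert_filter)

# Constructed sample data (not real directory or certificate contents).
SAMPLE_USER_FILTER = "(&(uid=%v)(objectclass=inetOrgPerson))"
SAMPLE_ENTRY = {"objectclass": ["top", "person", "inetOrgPerson"],
                "uid": ["jdoe"], "cn": ["Jane Doe"]}
SAMPLE_GROUP = {"objectclass": ["groupOfNames"], "cn": ["admins"]}
SAMPLE_CERT = {"Subject": "cn=Jane Doe,ou=people,o=ibm",
               "Issuer": "cn=Example CA,o=ibm",
               "SerialNumber": "4660", "Version": "3"}

if __name__ == "__main__":
    print(build_user_filter(SAMPLE_USER_FILTER, "jdoe"))
    print(build_user_filter(SAMPLE_USER_FILTER, "*)(uid=*"))  # special characters escaped
    print(display_name(SAMPLE_ENTRY, "inetOrgPerson:uid"))
    print(display_name(SAMPLE_GROUP, "*:cn"))
    print(expand_certificate_filter("(&(cn=${Subject:cn})(version=${Version}))", SAMPLE_CERT))
```

The escaping step is the part worth keeping in mind when writing a custom User Filter or Certificate Filter: the product substitutes values from the login request or the presented certificate into the filter text, so a filter should be written so that the substituted value can only ever be compared against one attribute, and the Certificate Filter should be specific enough that it matches a single directory entry, as the page requires.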
- Host
- Specifies the host name of the machine on which the directory service resides.
- Port
- Specifies a port number for the directory service. Port 389 is the LDAP default.
- Base Distinguished Name
- Specifies the base distinguished name of the directory service, indicating
the starting point for LDAP searches of the directory service. (See RFC 1779
for a discussion of this technique).
Some examples include:
- uid=anyusername
- ou=people
- o=ibm
This field is required unless the product will be using a Domino
directory service, in which case the administrator can leave the
field blank to bind anonymously.
The host name, port, and base DN you
specify in the Host, Port, and Base Distinguished Name fields are combined
to form an LDAP URL, such as
ldap://myserver:1234/o=ibm
where myserver:1234 is the host name and optional port number for the directory
service, and o=ibm is the base distinguished name.
- Bind Distinguished Name
- Specifies the distinguished name for Application Server to use to bind to
the directory service. If left blank, the Application Server binds anonymously.
See the previous Base Distinguished Name field description for examples
of distinguished names.
- Bind Password
- Specifies the password for the Application Server to use to bind to the
directory service.
- Use SSL to connect to directory
- Specifies whether to use an SSL connection between the security server and
your LDAP directory service.
If the administrator selects this option, the SSL connection will use the same SSL keyring
as the one defined for SSL connections between application servers.