
6.6.18.1.4a.4: User Registry settings
of the Configure Global Settings task

The content of the User Registry tabbed page changes depending on the selections on the Authentication Mechanism tabbed page:

  • If the administrator selected Local Operating System on the Authentication Mechanism tabbed page, only the Security Server ID and Security Server Password properties will be displayed on the User Registry page.

  • If the administrator selected LTPA on the Authentication Mechanism tabbed page, several additional properties described in this file will be available on the User Registry tabbed page.

Security Server ID
Specifies the user ID the Application Server Version 3 security server component will run under.

The ID corresponds either to an operating system ID or an LDAP directory ID, depending on the selection on the Authentication Mechanism tabbed page.

Security Server Password
Specifies the password for the user ID under which the Application Server Version 3 security server will run.

Directory Type
Specifies the directory service product to use to locate information against which to authenticate users and groups.


All of the supported directory service choices have predefined filters and ID maps the administrator can view by clicking the Advanced button. If the administrator changes the filters or ID maps, the Directory Type will automatically change to Custom.

"Custom" can refer to any of the supported directory types, with customized filters and ID maps.

Advanced
Specifies optional properties the administrator can use to define search filters and ID maps for the selected directory service. The administrator can also specify how certificates will be used to locate entries in the LDAP directory service.

  • Initial JNDI Context Factory: Specifies the JNDI Context Factory to use. If the field is blank, Application Server uses the Context Factory provided by IBM.

  • Directory Type: Specifies the brand of the directory service. Only directory services compatible with Application Server Version 3 are listed.

    If the administrator changes the filter and ID map values on the Advanced dialog box, the Directory Type will change to Custom, even if the filters and ID maps the administrator is defining apply to a supported directory service.

  • User Filter: Specifies the property by which to look up users in the directory service. For example, to look up users based on their user IDs, specify (&(uid=%v)(objectclass=inetOrgPerson)), where %v is replaced by the user ID being looked up.

    For more information about this syntax, see the LDAP directory service documentation.

  • Group Filter: Specifies the property by which to look up groups in the directory service.

  • User ID Map: Specifies the piece of information that should represent users when users are displayed. For example, to display entries of the type object class = inetOrgPerson by their IDs, specify inetOrgPerson:uid.

    This field takes multiple objectclass:property pairs delimited by a semicolon (";").

  • Group ID Map: Specifies the piece of information that should represent groups when groups are displayed. For example, to display groups by their names, specify *:cn.

    The * is a wildcard character that searches on any object class in this case. This field takes multiple objectclass:property pairs delimited by a semicolon (";").

  • Group Member ID Map: Specifies which property of an objectclass stores the list of members belonging to the group represented by the objectclass.

    This field takes multiple objectclass:property pairs delimited by a semicolon (";"). For more information about this syntax, see the LDAP directory service documentation.
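The user filter, its %v placeholder and the objectclass:property ID-map syntax described above, worked through in code. This is an added example and not WebSphere code; the filter and ID-map strings are constructed samples in the format this topic documents. The one point the page leaves implicit is that whatever replaces %v must be escaped as an LDAP filter value, otherwise a login name containing parentheses or an asterisk rewrites the filter instead of being matched by it.

```python
"""Added example: apply a WebSphere-style user filter (with %v substitution)
and resolve display attributes from objectclass:property ID maps."""
from typing import List, Optional, Tuple

# RFC 4515 escaping for values substituted into an LDAP search filter.
# Without it, a login name such as "*)(uid=*" would turn the exact-match
# user filter into a wildcard match.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def apply_user_filter(user_filter: str, login_name: str) -> str:
    """Substitute the (escaped) login name for every %v in the configured filter."""
    return user_filter.replace("%v", escape_filter_value(login_name))


def parse_id_map(id_map: str) -> List[Tuple[str, str]]:
    """Parse 'objectclass:property;objectclass:property' into ordered pairs.
    An object class of '*' is the wildcard that matches any entry."""
    pairs = []
    for item in id_map.split(";"):
        item = item.strip()
        if not item:
            continue  # tolerate a trailing semicolon
        objectclass, sep, prop = item.partition(":")
        if not sep or not objectclass.strip() or not prop.strip():
            raise ValueError(f"bad ID map entry: {item!r}")
        pairs.append((objectclass.strip().lower(), prop.strip()))
    return pairs


def display_attribute(id_map: str, entry_objectclasses: List[str]) -> Optional[str]:
    """Return the property that should represent an entry: the first ID-map
    pair whose object class is '*' or is among the entry's object classes."""
    classes = {oc.lower() for oc in entry_objectclasses}
    for objectclass, prop in parse_id_map(id_map):
        if objectclass == "*" or objectclass in classes:
            return prop
    return None


# Constructed sample settings in the syntax this topic describes.
USER_FILTER = "(&(uid=%v)(objectclass=inetOrgPerson))"
USER_ID_MAP = "inetOrgPerson:uid;organizationalPerson:cn"
GROUP_ID_MAP = "*:cn"

if __name__ == "__main__":
    print(apply_user_filter(USER_FILTER, "jdoe"))
    print(apply_user_filter(USER_FILTER, "*)(uid=*"))  # escaped, stays an exact match
    print(display_attribute(USER_ID_MAP, ["top", "person", "inetOrgPerson"]))
    print(display_attribute(GROUP_ID_MAP, ["groupOfNames"]))
```

The escaping table is the standard one from RFC 4515; the ID-map matching is case-insensitive on object class names because LDAP attribute and class names are case-insensitive.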

  • Certificate Mapping: Specifies the certificate field(s) against which to check certificate validity.

    • Exact Distinguished Name: Checks certificate validity against the exact distinguished name held by the LDAP directory service. It locates the subject DN of the certificate in the directory.

    • Unique Key: Checks certificate validity using a hash function on two predetermined attributes.

    • Certificate Filter: Enables the Filter field for specifying a property of your choice.

      Create an LDAP search filter with the contents of the certificate that will attempt to match a single Directory entry. An example of a search filter is:

       (&(cn=${Subject:cn})(version=${Version}))

      The list of possible variable substitutions referring to portions of the certificate is given here (in the format "variable = meaning"):

      • PublicKey = Public Key of the certificate

      • Issuer:attribute = The issuer distinguished name of the certificate. An attribute value must be specified that allows the administrator to select a specific attribute of the Distinguished Name. To retrieve the entire Distinguished Name, use the "DN" attribute.

      • NotAfter = The date at which the certificate is no longer valid

      • NotBefore = The date before which the certificate is not valid

      • SerialNumber = The serial number of the certificate

      • SigAlgName = The signature algorithm name

      • SigAlgOID = The OID of the signature algorithm

      • SigAlgParams = The DER encoded signature algorithm parameters

      • Subject:attribute = The subject distinguished name of the certificate. An attribute value must be specified that allows the administrator to select a specific attribute of the Distinguished Name. To retrieve the entire Distinguished Name, use the attribute DN.

      • Version = The version number

  • Certificate Filter: If you selected Certificate Filter as the Certificate Mapping, this property holds the search filter, built from the certificate variables listed above, against which to check certificate validity.
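The Certificate Filter substitution described above, worked through in code. This is an added example and not WebSphere code: it expands a template such as (&(cn=${Subject:cn})(version=${Version})) from the fields of a client certificate, supporting the Subject:attribute, Issuer:attribute and DN forms the list documents. The certificate itself is a constructed stand-in dictionary rather than a parsed X.509 object, and the substituted values are filter-escaped so that a subject name containing parentheses cannot alter the structure of the search.

```python
"""Added example: expand a Certificate Filter template from certificate
fields, escaping each value as an LDAP filter value."""
import re
from typing import Dict, List, Optional, Tuple

# RFC 4515 escaping for values substituted into an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


# Constructed stand-in for a parsed client certificate. Subject and Issuer are
# ordered (attribute, value) lists, the way an RDN sequence is read; the other
# keys are the variable names this topic lists.
SAMPLE_CERT: Dict[str, object] = {
    "Subject": [("cn", "Jane Doe (contractor)"), ("ou", "people"), ("o", "example")],
    "Issuer": [("cn", "Example CA"), ("o", "example")],
    "Version": "3",
    "SerialNumber": "1234",
    "NotBefore": "2024-01-01T00:00:00Z",
    "NotAfter": "2025-01-01T00:00:00Z",
    "SigAlgName": "SHA256withRSA",
    "SigAlgOID": "1.2.840.113549.1.1.11",
    "SigAlgParams": "",
    "PublicKey": "<constructed public key bytes>",
}

# Matches ${Name} and ${Name:attribute}.
_VARIABLE = re.compile(r"\$\{(\w+)(?::(\w+))?\}")


def dn_string(rdns: List[Tuple[str, str]]) -> str:
    """Render an RDN sequence as a comma-separated DN string."""
    return ",".join(f"{attr}={value}" for attr, value in rdns)


def lookup(cert: Dict[str, object], name: str, attribute: Optional[str]) -> str:
    """Resolve one template variable against the certificate."""
    if name in ("Subject", "Issuer"):
        rdns: List[Tuple[str, str]] = cert[name]  # type: ignore[assignment]
        if attribute is None:
            raise ValueError(f"${{{name}}} needs an attribute, e.g. ${{{name}:cn}} or ${{{name}:DN}}")
        if attribute.upper() == "DN":
            return dn_string(rdns)
        for attr, value in rdns:
            if attr.lower() == attribute.lower():
                return value
        raise KeyError(f"{name} has no attribute {attribute!r}")
    if attribute is not None:
        raise ValueError("only Subject and Issuer take an attribute")
    if name not in cert:
        raise KeyError(f"unknown certificate variable {name!r}")
    return str(cert[name])


def expand_certificate_filter(template: str, cert: Dict[str, object]) -> str:
    """Replace every ${...} variable in the template with its escaped value."""
    return _VARIABLE.sub(lambda m: escape_filter_value(lookup(cert, m.group(1), m.group(2))), template)


if __name__ == "__main__":
    print(expand_certificate_filter("(&(cn=${Subject:cn})(version=${Version}))", SAMPLE_CERT))
    print(expand_certificate_filter("(&(issuerdn=${Issuer:DN})(serial=${SerialNumber}))", SAMPLE_CERT))
```

A filter that matches more than one directory entry should be treated as a failed mapping rather than a successful one, which is why the page stresses that the filter must match a single entry; a mapping to an ambiguous set of users is a privilege boundary defect.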

Host
Specifies the host name of the machine on which the directory service resides.

Port
Specifies a port number for the directory service. Port 389 is the LDAP default.

Base Distinguished Name
Specifies the base distinguished name of the directory service, indicating the starting point for LDAP searches of the directory service. (See RFC 1779 for a discussion of this technique).

Some examples include:

  • uid=anyusername
  • ou=people
  • o=ibm

This field is required unless the product will be using a Domino directory service, in which case the administrator can leave the field blank to bind anonymously.

The host name, port, and base DN you specify in the Host, Port, and Base Distinguished Name fields are combined to form an LDAP URL, such as

ldap://myserver:1234/o=ibm
where myserver:1234 is the host name and optional port number for the directory service, and o=ibm is the base distinguished name.

Bind Distinguished Name
Specifies the distinguished name for Application Server to use to bind to the directory service. If left blank, the Application Server binds anonymously.

See the previous Base Distinguished Name field description for examples of distinguished names.

Bind Password
Specifies the password for the Application Server to use to bind to the directory service.

Use SSL to connect to directory
Specifies whether to use an SSL connection between the security server and your LDAP directory service.

If the administrator selects this option, the SSL connection will use the same SSL keyring as the one defined for SSL connections between application servers.
