Before you begin
Before following the "Using Microsoft Active Directory server as the LDAP server" section below, note that using Microsoft Active Directory as the LDAP server for authentication with WebSphere Application Server requires specific steps. By default, Microsoft Active Directory does not permit anonymous LDAP queries. To create LDAP queries or to browse the directory, an LDAP client must bind to the LDAP server using the distinguished name (DN) of an account that belongs to the administrator group of the Windows system. A group membership search in Active Directory is done by enumerating the memberof attribute of a given user entry, rather than browsing through the member list in each group. If you want to change this default behavior so that each group is browsed instead, change the Group Member ID Map field from memberof:member to group:member. A Microsoft Active Directory forest is not supported in the user registry in this product.
Why and when to perform this task
Using IBM Directory Server as the LDAP server
You can choose the directory type of either IBM Directory Server or SecureWay for the IBM Directory Server. For supported directory servers, refer to the Supported directory services article. The difference between these two types is group membership lookup. Choose the IBM Tivoli Directory Server for optimum performance during run time. In the IBM Tivoli Directory Server, group membership is an operational attribute: a group membership lookup is done by reading the ibm-allGroups attribute of the user entry. To use this attribute in a security authorization application, compare with a case-insensitive match, because the values returned by the ibm-allGroups attribute are all in uppercase.
Using a Lotus Domino Server as the LDAP server
If you choose the Lotus Domino LDAP server Version 6 and the attribute short name is not defined in the schema, you can take either of the following actions:
Using iPlanet Directory Server as the LDAP server
You can choose the iPlanet Directory Server or Netscape for your iPlanet Directory Server system. For supported directory servers, refer to the article, Supported directory services. The difference between the two directory server types is group membership lookup. Select the iPlanet Directory Server type only when you use the new iPlanet Directory Server grouping mechanism. That mechanism is called roles in the iPlanet Directory Server, and the attribute is nsRole.
Roles unify entries. Roles are designed to be more efficient and easier to use for applications. For example, an application can locate the role of an entry by enumerating all the roles that are possessed by a given entry, rather than selecting a group and browsing through the members list.
When using roles, you can create a group using a:
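The three sections above describe the same choice from three directories' points of view: resolve a user's groups by reading a membership attribute held on the user entry (memberof in Active Directory, ibm-allGroups in IBM Tivoli Directory Server, nsRole in iPlanet), or scan every group's member attribute. The following example is added here to make that difference concrete; it is not WebSphere code. It models a directory as an in-memory dictionary with constructed DNs, treats "memberof" on the left of a Group Member ID Map as the keyword for the user-attribute strategy (this example's own modelling choice), and shows why the uppercase values of ibm-allGroups need a case-insensitive comparison.

```python
# Constructed in-memory directory standing in for an LDAP server. DNs and
# attribute values are made up for this example; the attribute *names* are the
# ones the page discusses (memberOf / member for Active Directory,
# ibm-allGroups for IBM Tivoli Directory Server, nsRole for iPlanet roles).
DIRECTORY = {
    "cn=alice,cn=users,dc=example,dc=com": {
        "objectClass": ["user"],
        "memberOf": ["cn=admins,cn=groups,dc=example,dc=com",
                     "cn=staff,cn=groups,dc=example,dc=com"],
        # IBM Tivoli Directory Server returns this operational attribute in uppercase
        "ibm-allGroups": ["CN=ADMINS,CN=GROUPS,DC=EXAMPLE,DC=COM",
                          "CN=STAFF,CN=GROUPS,DC=EXAMPLE,DC=COM"],
        "nsRole": ["cn=operators,dc=example,dc=com"],
    },
    "cn=bob,cn=users,dc=example,dc=com": {
        "objectClass": ["user"],
        "memberOf": ["cn=staff,cn=groups,dc=example,dc=com"],
        "ibm-allGroups": ["CN=STAFF,CN=GROUPS,DC=EXAMPLE,DC=COM"],
        "nsRole": [],
    },
    "cn=admins,cn=groups,dc=example,dc=com": {
        "objectClass": ["group"],
        "member": ["cn=alice,cn=users,dc=example,dc=com"],
    },
    "cn=staff,cn=groups,dc=example,dc=com": {
        "objectClass": ["group"],
        "member": ["cn=alice,cn=users,dc=example,dc=com",
                   "cn=bob,cn=users,dc=example,dc=com"],
    },
}


def parse_member_id_map(spec):
    """Split a Group Member ID Map value such as 'memberof:member' or
    'group:member' into its two halves. The left half is either the keyword
    'memberof' (enumerate the user's own attribute) or a group object class to
    scan; the right half is the attribute on the group that lists members.
    Treating 'memberof' as a keyword is this example's modelling choice."""
    left, sep, right = spec.partition(":")
    left, right = left.strip(), right.strip()
    if not sep or not left or not right:
        raise ValueError("Group Member ID Map must look like '<class-or-memberof>:<attribute>'")
    return left, right


def normalize_dn(dn):
    """DN comparison used throughout: case-insensitive, whitespace around RDNs ignored."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def groups_via_user_attribute(user_dn, attribute):
    """Strategy 1: read the membership attribute held by the user entry itself
    (memberOf, ibm-allGroups, nsRole). One read, no scan of the groups."""
    entry = DIRECTORY.get(user_dn)
    if entry is None:
        raise KeyError(f"no entry for {user_dn}")
    return {normalize_dn(g) for g in entry.get(attribute, [])}


def groups_via_group_scan(user_dn, object_class, member_attribute):
    """Strategy 2: visit every entry of the group object class and check its
    member attribute. Cost grows with the number of groups in the directory."""
    wanted = normalize_dn(user_dn)
    return {
        normalize_dn(dn)
        for dn, entry in DIRECTORY.items()
        if object_class in entry.get("objectClass", [])
        and any(normalize_dn(m) == wanted for m in entry.get(member_attribute, []))
    }


def groups_for(user_dn, member_id_map):
    """Resolve a user's groups according to the configured Group Member ID Map."""
    left, right = parse_member_id_map(member_id_map)
    if left.lower() == "memberof":
        return groups_via_user_attribute(user_dn, "memberOf")
    return groups_via_group_scan(user_dn, left, right)


def is_member_ibm_allgroups(user_dn, group_dn, case_insensitive=True):
    """Authorization check against ibm-allGroups. The server returns the values
    in uppercase, so an exact comparison against a lowercase configured group
    DN misses; a case-insensitive match is what the page recommends."""
    values = DIRECTORY[user_dn].get("ibm-allGroups", [])
    if case_insensitive:
        return normalize_dn(group_dn) in {normalize_dn(v) for v in values}
    return group_dn in values


if __name__ == "__main__":
    alice = "cn=alice,cn=users,dc=example,dc=com"
    print("memberof:member ->", sorted(groups_for(alice, "memberof:member")))
    print("group:member    ->", sorted(groups_for(alice, "group:member")))
    print("ibm-allGroups   ->", sorted(groups_via_user_attribute(alice, "ibm-allGroups")))
    print("nsRole          ->", sorted(groups_via_user_attribute(alice, "nsRole")))
    admins = "cn=admins,cn=groups,dc=example,dc=com"
    print("case-sensitive match:  ", is_member_ibm_allgroups(alice, admins, case_insensitive=False))
    print("case-insensitive match:", is_member_ibm_allgroups(alice, admins))
```

Both strategies return the same set for a consistent directory; what differs is cost (one attribute read versus a scan of every group) and which side of the data has to be trustworthy. The last two lines of the usage show the failure mode the IBM Tivoli section warns about: the same group DN is rejected by an exact comparison and accepted by the case-insensitive one.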
Using Microsoft Active Directory server as the LDAP server
To set up Microsoft Active Directory as your LDAP server, complete the following steps.
Steps for this task
cn=<adminUsername>, cn=users, dc=ibm, dc=com