Use this page to configure Lightweight Directory Access Protocol (LDAP) settings when users and groups reside in an external LDAP directory.
To view this administrative console page, click Security > User Registries > LDAP.
When security is enabled and any of these properties change, go to the Global Security panel and click Apply to validate the changes.
Note: Save, stop, and restart all the product servers (deployment manager, nodes and Application Servers) for changes in this panel to take effect.
Configuration tab
This ID is not the LDAP administrator user ID, but it must be a valid entry in the LDAP directory, located under the Base Distinguished Name.
The type is used to preload default LDAP properties. IBM Directory Server users can choose either IBM_Directory_Server or SecureWay as the directory type. Use the IBM_Directory_Server directory type for better performance. Users of the iPlanet Directory Server can choose either iPlanet Directory Server or NetScape as the directory type. Use the iPlanet Directory Server directory type for better performance after configuring iPlanet to use role (nsRole) as the grouping method.
For a list of supported LDAP servers, see "Supported directory services" in the documentation.
If multiple WebSphere Application Servers are installed and configured to run in the same single signon domain, or if the WebSphere Application Server interoperates with a previous version of the WebSphere Application Server, then it is important that the port number matches across all configurations. For example, if the LDAP port is explicitly specified as 389 in a Version 4.0.x configuration, and a WebSphere Application Server at Version 5 is going to interoperate with the Version 4.0.x server, then verify that port 389 is specified explicitly for the Version 5 server.
Default: 389
For example, for a user with a distinguished name (DN) of cn=John Doe, ou=Rochester, o=IBM, c=US, you can specify the base DN as (assuming a suffix of c=us): ou=Rochester,o=IBM,c=us or o=IBM,c=us. For authorization purposes, this field is case sensitive. This specification implies that if a token is received (for example, from another cell or Domino) the base DN in the server must match the base DN from the other cell or Domino server exactly. If case sensitivity is not a consideration for authorization, enable the Ignore Case field.
If you need to interoperate between WebSphere Application Server Version 5 and a Version 5.0.1 or later server, you must enter a normalized base distinguished name. A normalized base distinguished name does not contain spaces before or after commas and equal symbols. Examples of a non-normalized base distinguished name are o = ibm, c = us and o=ibm, c=us. An example of a normalized base distinguished name is o=ibm,c=us. In WebSphere Application Server, Version 5.0.1 or later, the normalization occurs automatically at run time.
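The following is an added example, not code from the WebSphere documentation or product. It normalizes a distinguished name the way the text describes (no spaces before or after the commas and equal signs that separate RDNs and attribute/value pairs) and then checks whether a user's DN sits under a configured base DN, once with the case-sensitive rule the page states for authorization and once with the Ignore Case option. It also preserves escaped or quoted separators inside values (for example cn=Doe\, John), which goes beyond the page's own examples. The function names and the sample DNs are this example's own.

```python
# Added example (not from the WebSphere documentation): base DN normalization
# and a base-DN suffix check with and without Ignore Case. Function names and
# inputs are constructed for this illustration.
from typing import List


def _find_unescaped(s: str, target: str) -> int:
    """Index of the first `target` character that is neither backslash-escaped
    nor inside double quotes, or -1 if there is none."""
    escaped = quoted = False
    for i, ch in enumerate(s):
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == target and not quoted:
            return i
    return -1


def split_dn(dn: str) -> List[str]:
    """Split a DN string into its RDN strings on unescaped, unquoted commas."""
    rdns = []
    rest = dn
    while True:
        i = _find_unescaped(rest, ",")
        if i < 0:
            rdns.append(rest)
            return rdns
        rdns.append(rest[:i])
        rest = rest[i + 1:]


def normalize_rdn(rdn: str) -> str:
    """Strip the whitespace around the attribute type and value of one RDN."""
    i = _find_unescaped(rdn, "=")
    if i < 0:
        raise ValueError(f"RDN without '=': {rdn!r}")
    attr = rdn[:i].strip()
    value = rdn[i + 1:].lstrip()
    # Drop trailing formatting spaces, but keep a backslash-escaped trailing
    # space: that one is part of the value, not layout.
    while value.endswith(" ") and not value.endswith("\\ "):
        value = value[:-1]
    return f"{attr}={value}"


def normalize_dn(dn: str) -> str:
    """'o = ibm, c = us' -> 'o=ibm,c=us' (the page's normalized form)."""
    return ",".join(normalize_rdn(r) for r in split_dn(dn))


def dn_under_base(user_dn: str, base_dn: str, ignore_case: bool = False) -> bool:
    """True if base_dn is the trailing RDN sequence of user_dn.

    The comparison is RDN by RDN after normalization, so a base of
    'o=IBM,c=US' does not match a user under 'o=BigIBM,c=US'. By default it is
    case sensitive, as the page says the base DN is for authorization; the
    ignore_case flag models the Ignore Case option.
    """
    user = split_dn(normalize_dn(user_dn))
    base = split_dn(normalize_dn(base_dn))
    if len(base) > len(user):
        return False
    tail = user[len(user) - len(base):]
    if ignore_case:
        tail = [r.lower() for r in tail]
        base = [r.lower() for r in base]
    return tail == base


if __name__ == "__main__":
    # Constructed inputs, taken from the page's own DN examples.
    print(normalize_dn("o = ibm, c = us"))                       # o=ibm,c=us
    user = "cn=John Doe, ou=Rochester, o=IBM, c=US"
    print(dn_under_base(user, "ou=Rochester,o=IBM,c=US"))        # True
    print(dn_under_base(user, "o=IBM,c=us"))                     # False
    print(dn_under_base(user, "o=IBM,c=us", ignore_case=True))   # True
```

Note that the page's own example pairs a user DN ending in c=US with a base DN ending in c=us; under the case-sensitive rule that pair does not match, which is exactly the situation the Ignore Case option exists for.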
This field is required for all Lightweight Directory Access Protocol (LDAP) directories except for the Domino Directory, where this field is optional.
If no name is specified, the application server binds anonymously. See the Base Distinguished Name field description for examples of distinguished names.
Default: 120
Default: Enabled
Range: Enabled or Disabled
This field is required when IBM Directory Server is selected as the LDAP directory server.
Otherwise, this field is optional and can be enabled when a case-insensitive authorization check is required, that is, when a case-sensitive comparison of the distinguished names would fail. For example, use this field when the certificates and the certificate contents do not match the case used for the entry in the LDAP server. You can enable the Ignore Case field when using single signon (SSO) between WebSphere Application Server and Lotus Domino.
Default: Disabled
Range: Enabled or Disabled
Default: DefaultSSLSettings