Steps for selecting an LDAP registry

Before you begin

To use LDAP as the user registry, you need to know a valid user name (ID), the user password, the server host and port, the base distinguished name (DN) and, if necessary, the bind DN and the bind password. You can choose any valid user in the registry that is searchable. In some LDAP servers, the administrative users are not searchable and cannot be used (for example, cn=root in SecureWay). This user is referred to as the WebSphere Application Server security server ID, server ID, or server user ID in the documentation. Being a server ID means a user has special privileges when calling some protected internal methods. Normally, this ID and password are used to log into the administrative console once security is turned on. You can use other users to log in if those users are part of the administrative roles.

Perform the following steps to select LDAP as the user registry.

Why and when to perform this task

You need to start the administrative console by specifying the URL: http://server_hostname:9090/admin

Steps for this task

  1. Click Security > User Registry > LDAP in the Navigation tree on the left.
  2. On the LDAP user registry panel in the General Properties section of the Configuration tab, enter the Server user ID and password.
    This ID is the security server ID, which is only used for WebSphere Application Server security and is not associated with the system process that runs the server. The server calls the Local OS registry to authenticate and obtain privilege information about users by calling the native APIs in that particular registry.
  3. In the type menu, select the type of LDAP server to which you connect.
    The type is used to preload default LDAP properties. IBM Directory Server users can choose either IBM_Directory_Server or SecureWay as the directory type. Use the IBM_Directory_Server directory type for better performance. Users of the iPlanet Directory Server can choose either iPlanet Directory Server or NetScape as the directory type. Use the iPlanet Directory Server directory type for better performance after configuring the iPlanet to use role (nsRole) as the grouping method. For a list of supported LDAP servers, see Supported directory services.
  4. In the Host box, enter the host ID (IP address or domain name system (DNS) name) of the LDAP server.
  5. In the Port box, enter the host port of the LDAP server. The default value is 389.
    If multiple WebSphere Application Servers are installed and configured to run in the same single signon domain, or if the WebSphere Application Server interoperates with a previous version of the WebSphere Application Server, then it is important that the port number match all configurations. For example, if the LDAP port is explicitly specified as 389 in a Version 4.0.x configuration, and a WebSphere Application Server at Version 5 is going to interoperate with the Version 4.0.x server, then verify that port 389 is specified explicitly for the Version 5 server.
  6. In the Base Distinguished Name field, enter the base distinguished name of the directory service, indicating the starting point for LDAP searches of the directory service.
    For example, for a user with a distinguished name (DN) of cn=John Doe, ou=Rochester, o=IBM, c=US, you can specify the base DN as (assuming a suffix of c=us): ou=Rochester,o=IBM,c=us or o=IBM,c=us. For authorization purposes, this field is case sensitive. This implies that if a token is received (for example, from another cell or Domino), the base DN in the server must match exactly the base DN from the other cell or Domino. If case sensitivity is not a consideration for authorization, enable the Ignore Case field.

    [Version 5.0.1 and later] In WebSphere Application Server, Version 5.0.1 or later, the distinguished name is normalized according to the Lightweight Directory Access Protocol (LDAP) specification. In WebSphere Application Server, Version 5, the distinguished name is not normalized. Normalization consists of removing spaces in the base distinguished name before or after commas and equal symbols. If you do not enter a normalized base distinguished name for this field and WebSphere Application Server Version 5.0.1 or later sends a security token to a Version 5 server, the request is rejected during authorization because the distinguished names do not match. An example of a non-normalized base distinguished name is o = ibm, c = us or o=ibm, c=us. An example of a normalized base distinguished name is o=ibm,c=us. To interoperate between WebSphere Application Server Version 5 and later versions, you must enter a normalized base distinguished name in the Base Distinguished Name field. In WebSphere Application Server, Version 5.0.1 or later, the normalization occurs automatically during run time.

    This field is required for all LDAP directories except for the Domino Directory, where it is optional.

  7. In the Bind Distinguished Name field, enter the distinguished name for the application server to use when binding to the directory service.
    If no name is specified, the application server binds anonymously. See the Base Distinguished Name field description for examples of distinguished names.
  8. In the Bind Password field, enter the password for the application server to use when binding to the directory service.
  9. In the Search Timeout field, enter the timeout value in seconds for an LDAP server to respond before aborting a request. The default value is 300.
  10. Ensure that the Reuse Connection option is checked.
    Enabled (or checked) is the default and specifies that the server should reuse the LDAP connection. Clear this option only in rare situations where a router is used to spray requests to multiple LDAP servers and when the router does not support affinity.
  11. The Ignore Case option allows you to enable or disable a case-insensitive authorization check.
    This field is required when IBM Directory Server is selected as the LDAP directory server. Otherwise, this field is optional and can be enabled when a case-insensitive authorization check is required, for example, when you use certificates and the certificate contents do not match the case of the entry in the LDAP server. You can also enable the Ignore Case field when using single signon (SSO) between the product and Domino. The default is Disabled.
  12. The SSL Enabled option allows you to enable or disable secure socket communication to the LDAP server.
    When enabled, the LDAP Secure Sockets Layer (SSL) settings are used, if specified.
  13. In the SSL Configuration menu, select the Secure Sockets Layer configuration to use for the LDAP connection.
    This configuration is used only when SSL is enabled for LDAP. The default is DefaultSSLSettings.
  14. Click OK.
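The base DN normalization described in step 6 and the Ignore Case comparison from step 11 can be checked before the value is entered in the console. The following is an added example, not IBM code: it implements the space-stripping normalization the page describes (spaces before or after commas and equal signs) and the exact versus case-insensitive match, and adds a suffix check that a user DN lies under the configured base DN; the function names and sample DNs are constructed for illustration.

```python
# Added example (not from the IBM documentation): normalize a base DN the way
# Version 5.0.1 and later does (drop spaces before/after commas and equal
# signs) and compare DNs as the authorization check does: exact match, or
# case-insensitive when the Ignore Case option is enabled.
import re


def normalize_dn(dn: str) -> str:
    """Remove whitespace around ',' and '=' and trim the ends.
    Assumption: values contain no escaped commas or equal signs."""
    dn = dn.strip()
    dn = re.sub(r"\s*,\s*", ",", dn)
    dn = re.sub(r"\s*=\s*", "=", dn)
    return dn


def is_normalized(dn: str) -> bool:
    """True when the DN is already in the form a Version 5 server expects."""
    return dn == normalize_dn(dn)


def dns_match(configured: str, received: str, ignore_case: bool = False) -> bool:
    """Compare the configured base DN with the base DN carried in a token
    from another cell: exact after normalization, or case-insensitive when
    Ignore Case is enabled."""
    a, b = normalize_dn(configured), normalize_dn(received)
    if ignore_case:
        return a.lower() == b.lower()
    return a == b


def dn_under_base(entry_dn: str, base_dn: str, ignore_case: bool = False) -> bool:
    """Check that a user DN lies under the base DN (the starting point for
    LDAP searches), so the server user ID can actually be found."""
    e, b = normalize_dn(entry_dn), normalize_dn(base_dn)
    if ignore_case:
        e, b = e.lower(), b.lower()
    return e == b or e.endswith("," + b)


if __name__ == "__main__":
    # Constructed samples: the non-normalized forms from the page and a clean one.
    for raw in ("o = ibm, c = us", "o=ibm, c=us", "o=ibm,c=us"):
        print(f"{raw!r:20} normalized={is_normalized(raw)} -> {normalize_dn(raw)!r}")
    print(dn_under_base("cn=John Doe, ou=Rochester, o=IBM, c=US", "o=IBM,c=US"))
```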

Related concepts
Steps for selecting a user registry
Related reference
Supported directory services

Searchable topic ID:   tsecselectldapreg
Last updated: Jun 21, 2007 9:56:50 PM CDT    WebSphere Application Server for z/OS, Version 5.0.2
http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.websphere.zseries.doc/info/zseries/ae/tsec_selectldapreg.html