Before you begin
WebSphere Application Server uses Lightweight Directory Access Protocol (LDAP) filters to search and obtain information about users and groups from an LDAP directory server. A default set of filters is provided for each LDAP server that the product supports. You can modify these filters to fit your LDAP configuration. After the filters are modified (and you click OK or Apply), the directory type in the LDAP Registry panel changes to custom, which indicates that custom filters are used. You can also develop filters to support any additional type of LDAP server. Developing filters for additional directories is optional, and other LDAP directory types are not supported.
Steps for this task
In the following example, the property that is assigned to %v, which is the short name of the user, must be a unique key. Two LDAP entries with the same object class cannot have the same short name. To look up users based on their user IDs (uid) and to use the inetOrgPerson object class, specify the following syntax:
(&(uid=%v)(objectclass=inetOrgPerson))
For more information about this syntax, see the LDAP directory service documentation.
In the following example, the property that is assigned to %v, which is the short name of the group, must be a unique key. Two LDAP entries with the same object class cannot have the same short name. To look up groups based on their common names (CN) and to use either the groupOfNames or the groupOfUniqueNames object class, specify the following syntax:
(&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))
For more information about this syntax, see the LDAP directory service documentation.
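The two filter templates above substitute a caller-supplied short name for %v, so two things are worth checking before a template is deployed: that the result is still a syntactically complete filter (every opening parenthesis closed), and that the substituted value is escaped per RFC 4515 so it is matched literally and the short name really does select exactly one entry. The following is an added example, not WebSphere's own code; it expands a template against a small constructed in-memory directory with a minimal filter evaluator (AND, OR, NOT and equality only; substring matching is not implemented). The entries and the helper names are assumptions made for the illustration.

```python
"""Added example: expand WebSphere-style LDAP filter templates and test them
against a constructed directory. Hypothetical helper code, not WebSphere's own."""
import re

# RFC 4515 section 3: these characters change filter structure unless escaped.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def expand_filter(template: str, short_name: str) -> str:
    """Substitute the escaped short name for %v in a filter template."""
    if "%v" not in template:
        raise ValueError("template has no %v placeholder")
    return template.replace("%v", escape_filter_value(short_name))

def _parse(text: str, i: int):
    """Parse one parenthesised filter starting at text[i]; return (node, next_i)."""
    if i >= len(text) or text[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    op = text[i] if i < len(text) else ""
    if op in ("&", "|"):
        i += 1
        children = []
        while i < len(text) and text[i] == "(":
            child, i = _parse(text, i)
            children.append(child)
        node = (op, children)
    elif op == "!":
        child, i = _parse(text, i + 1)
        node = ("!", [child])
    else:
        end = text.find(")", i)
        if end < 0:
            raise ValueError("unterminated filter item")
        attr, _, value = text[i:end].partition("=")
        node = ("=", (attr.lower(), value))
        i = end
    if i >= len(text) or text[i] != ")":
        raise ValueError(f"expected ')' at offset {i}: unbalanced filter")
    return node, i + 1

def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def _matches(node, entry: dict) -> bool:
    op, payload = node
    if op == "&":
        return all(_matches(c, entry) for c in payload)
    if op == "|":
        return any(_matches(c, entry) for c in payload)
    if op == "!":
        return not _matches(payload[0], entry)
    attr, value = payload
    present = [v.lower() for v in entry.get(attr, [])]
    if value == "*":  # a bare, unescaped '*' is a presence filter
        return bool(present)
    return _unescape(value).lower() in present  # exact, case-insensitive match

# Constructed sample entries (attribute names lowercased), not a real directory.
DIRECTORY = [
    {"uid": ["jdoe"], "cn": ["Jane Doe"], "objectclass": ["inetOrgPerson", "top"]},
    {"uid": ["asmith"], "cn": ["Al Smith"], "objectclass": ["inetOrgPerson", "top"]},
    {"cn": ["admins"], "objectclass": ["groupOfNames", "top"], "member": ["uid=jdoe"]},
]

USER_FILTER = "(&(uid=%v)(objectclass=inetOrgPerson))"
GROUP_FILTER = "(&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))"

def search(filter_text: str, entries=DIRECTORY) -> list:
    """Parse the filter (rejecting unbalanced ones) and return matching entries."""
    node, end = _parse(filter_text, 0)
    if end != len(filter_text):
        raise ValueError("trailing characters after filter")
    return [e for e in entries if _matches(node, e)]

def lookup_unique(template: str, short_name: str, entries=DIRECTORY) -> dict:
    """Expand the template and require exactly one hit, as the text demands."""
    hits = search(expand_filter(template, short_name), entries)
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} entries match short name {short_name!r}")
    return hits[0]

if __name__ == "__main__":
    print(lookup_unique(USER_FILTER, "jdoe")["cn"])
    print(lookup_unique(GROUP_FILTER, "admins")["member"])
```

Running `lookup_unique` with each template is a quick way to confirm that the attribute chosen for %v is a unique key in your directory; `search` raises ValueError on an unbalanced filter, which is what a template missing its final parenthesis produces.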
For the IBM Directory Server, iPlanet Directory Server, and Active Directory, this field is used to query all the users in a group by using the information that is stored in the user object (instead of querying all the groups individually to find whether the user exists in that group). For example, the memberof:member filter (for Active Directory) uses the memberof attribute of the user object to obtain all the groups to which the user belongs, and the member attribute of the group object to obtain all the users in a group. Using the user object to obtain the group information improves performance.
Use the Ignore Case field in the LDAP settings to make the authorization case insensitive. If you select CERTIFICATE_FILTER, fill in the appropriate certificate filter (in the next field) to use for mapping the certificate to a user in LDAP.
The left side of the filter specification is an LDAP attribute that depends on the schema that your LDAP server is configured to use. The right side of the filter specification is one of the public attributes in your client certificate. Note that the right side must begin with a dollar sign ($) and an open brace ({), and end with a close brace (}). Use the following certificate attribute values on the right side of the filter specification. The case of the strings is important.
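As an added example (not WebSphere's own code), the function below validates a certificate filter of the form described above, `ldapAttribute=${CertificateAttribute}`, and builds the LDAP filter used to find the matching user. The certificate attribute names and values are constructed samples standing in for a parsed client certificate, and the lookup is case-sensitive on the attribute name, as the text requires; the certificate value is escaped per RFC 4515 so that characters such as parentheses in a subject name cannot alter the filter structure.

```python
"""Added example: turn a certificate filter template into an LDAP search filter.
Hypothetical helper code, not WebSphere's own implementation."""
import re

# Template: an LDAP attribute name, '=', then exactly one ${Name} reference.
_TEMPLATE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)=\$\{([A-Za-z]+)\}$")

# RFC 4515 escaping so the certificate value is matched literally.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def certificate_filter(template: str, cert_attrs: dict) -> str:
    """Validate the template and return the LDAP filter for this certificate.

    cert_attrs maps public certificate attribute names (case-sensitive) to
    their string values, as extracted from the presented client certificate.
    """
    m = _TEMPLATE.match(template)
    if not m:
        raise ValueError(f"malformed certificate filter: {template!r}")
    ldap_attr, cert_attr = m.groups()
    if cert_attr not in cert_attrs:  # exact-case lookup: SubjectCN != subjectcn
        raise KeyError(f"unknown certificate attribute {cert_attr!r} (case matters)")
    return f"({ldap_attr}={escape_filter_value(cert_attrs[cert_attr])})"

# Constructed sample certificate attributes (names assumed for illustration).
SAMPLE_CERT = {
    "SubjectCN": "jdoe",
    "SubjectDN": "CN=jdoe,OU=Staff,O=Example Corp",
    "IssuerCN": "Example Corp Internal CA",
}

if __name__ == "__main__":
    print(certificate_filter("uid=${SubjectCN}", SAMPLE_CERT))
```

Pairing the generated filter with the uniqueness requirement stated for the user filter is the practical check: a certificate attribute that maps to more than one LDAP entry cannot be used to identify a user unambiguously.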
When any LDAP user or group filter is modified in the Advanced LDAP Settings panel, click Apply. Clicking OK navigates you to the LDAP User Registry panel, which contains the previous LDAP directory type rather than the custom LDAP directory type. Clicking OK or Apply in the LDAP User Registry panel saves the back-level LDAP directory type and the default filters of that directory. This action overwrites any changes to the filters that you made. To avoid overwriting changes, you can take either of the following actions:
Results
Setting the LDAP search filters.
Example
What to do next