WebSphere Application Server - Express, Version 6.0.x     Operating Systems: AIX, HP-UX, Linux, Solaris, Windows

Configuring Lightweight Directory Access Protocol user registries

Before you begin

Review the article on Lightweight Directory Access Protocol (LDAP) before beginning this task.

Steps for this task

  1. In the administrative console, click Security > Global security.
  2. Under User registries, click LDAP.
  3. Enter a valid user name in the Server user ID field. You can enter either the complete distinguished name (DN) of the user or the short name of the user, as defined by the user filter in the Advanced LDAP settings panel. For example, enter the user ID for Netscape browsers.
  4. Enter the password of the user in the Server user password field.
  5. Select the type of LDAP server that is used from the Type list. The type of LDAP server determines the default filters that are used by WebSphere Application Server. If you modify these default filters, the Type field changes to Custom, which indicates that custom filters are used. This change occurs after you click OK or Apply in the Advanced LDAP settings panel. To use other LDAP servers, choose the Custom type from the list and modify the user and group filters, if required. If either the IBM Directory Server or the iPlanet Directory Server is selected, also select the Ignore Case field.
  6. Enter the fully qualified host name of the LDAP server in the Host field.
  7. Enter the LDAP server port number in the Port field. The host name and the port number represent the realm for this LDAP server in the WebSphere Application Server cell. So, if servers in different cells are communicating with each other using Lightweight Third Party Authentication (LTPA) tokens, these realms must match exactly in all the cells.
  8. Enter the base distinguished name (DN) in the Base distinguished name field. The base DN indicates the starting point for searches in this LDAP directory server. For example, for a user with a DN of cn=John Doe, ou=Rochester, o=IBM, c=US, specify the base DN as any of the following options (assuming a suffix of c=us): ou=Rochester, o=IBM, c=us or o=IBM, c=us or c=us. This field can be case sensitive. Match the case in your directory server. This field is required for all LDAP directories except the Domino Directory. The Base DN field is optional for the Domino server.
  9. Enter the bind DN name in the Bind distinguished name field, if necessary. The bind DN is required if anonymous binds are not possible on the LDAP server to obtain user and group information. If the LDAP server is set up to use anonymous binds, leave this field blank.
  10. Enter the password corresponding to the bind DN in the Bind password field, if necessary.
  11. Modify the Search time out value, if required. This timeout value is the maximum amount of time that the LDAP server waits to send a response to the product client before stopping the request. The default is 120 seconds.
  12. Clear the Reuse connection option only if you use routers to send requests to multiple LDAP servers, and if the routers do not support affinity. Leave this field enabled for all other situations.
  13. Select the Ignore case for authorization option, if required. When this flag is enabled, the authorization check is case insensitive. Normally, an authorization check involves checking the complete DN of a user, which is unique in the LDAP server and is case sensitive. However, when using either the IBM Directory Server or the iPlanet Directory Server, this flag must be enabled because the group information that is obtained from these LDAP servers is not consistent in case. This inconsistency affects only the authorization check.
  14. Enable Secure Sockets Layer (SSL) if the communication to the LDAP server is through SSL. For more information on setting up LDAP for SSL, refer to Configuring Secure Sockets Layer for the Lightweight Directory Access Protocol client.
  15. Optional: Select the SSL enabled option if you want to use Secure Sockets Layer communications with the LDAP server. If you select the SSL enabled option, select the appropriate SSL alias configuration from the list in the SSL configuration field.
  16. Click OK. The validation of the user, password, and the setup do not take place in this panel. Validation is only done when you click OK or Apply in the Global Security panel. If you are enabling security for the first time, complete the remaining steps and go to the Global Security panel. Select LDAP as the active user registry. If security is already enabled, but information on this panel changes, go to the Global Security panel and click OK or Apply to validate your changes. If your changes are not validated, the server might not start.
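The following is an added example, not code from the IBM documentation or from WebSphere Application Server. It models two of the checks behind steps 8 and 13: whether a search rooted at the configured base DN can reach a user's entry, and whether a group-membership (authorization) check succeeds when the directory returns member DNs with inconsistent letter case, which is the situation the Ignore case for authorization option addresses. The DN parser is deliberately simple (no escaped commas, single-valued RDNs), and every DN, group and member list is constructed sample data.

```python
"""
Added example (not part of the IBM documentation): models two checks that a
WebSphere LDAP user registry configuration depends on.

  * is_under_base_dn: a user entry is only reachable by a search that starts
    at the configured base DN if the user's DN ends with that base DN.
  * is_authorized: membership is decided by comparing the user's complete DN
    with the member DNs the directory returns for a group. When a directory
    returns those member DNs with inconsistent case, a case-sensitive compare
    fails and 'Ignore case for authorization' is needed.

All DNs and membership data below are constructed sample values.
"""


def parse_dn(dn):
    """Split a DN string into a list of (attribute, value) RDN tuples.

    Whitespace around the commas and the '=' is dropped so that
    'o=IBM, c=US' and 'o=IBM,c=US' compare equal. Only the simple,
    single-valued RDN form used on the page is handled; escaped commas in
    values are not.
    """
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.partition("=")
        attr = attr.strip()
        value = value.strip()
        if not attr or not value:
            raise ValueError("malformed RDN in DN: %r" % dn)
        rdns.append((attr, value))
    return rdns


def normalize_dn(dn, ignore_case):
    """Return a canonical string form of the DN for comparison.

    Attribute types are case-insensitive in LDAP, so they are always
    lower-cased. Values are lower-cased only when ignore_case is set, which
    mirrors the 'Ignore case for authorization' flag.
    """
    parts = []
    for attr, value in parse_dn(dn):
        if ignore_case:
            value = value.lower()
        parts.append("%s=%s" % (attr.lower(), value))
    return ",".join(parts)


def is_under_base_dn(user_dn, base_dn, case_sensitive=True):
    """True if a search rooted at base_dn can reach user_dn.

    The base DN is the starting point for searches, and the page notes the
    field can be case sensitive. With case_sensitive=True the RDN values
    must match the directory exactly (attribute types are always compared
    case-insensitively).
    """
    user = parse_dn(user_dn)
    base = parse_dn(base_dn)
    if len(base) > len(user):
        return False
    tail = user[len(user) - len(base):]

    def key(rdn):
        attr, value = rdn
        return (attr.lower(), value if case_sensitive else value.lower())

    return [key(r) for r in tail] == [key(r) for r in base]


def is_authorized(user_dn, group_members, ignore_case):
    """Decide whether user_dn appears among the member DNs of a group.

    group_members is the list of member DN strings exactly as the directory
    returned them. With ignore_case=False the comparison is on the complete
    DN and is case-sensitive, the normal behaviour described on the page.
    """
    wanted = normalize_dn(user_dn, ignore_case)
    return any(normalize_dn(m, ignore_case) == wanted for m in group_members)


# Constructed sample: the user's DN as stored in the directory, and a group's
# member list as two different directories might return it.
USER_DN = "cn=John Doe, ou=Rochester, o=IBM, c=US"

# A directory that returns member DNs exactly as stored.
CONSISTENT_MEMBERS = ["cn=Jane Roe,ou=Rochester,o=IBM,c=US",
                      "cn=John Doe,ou=Rochester,o=IBM,c=US"]

# A directory that returns member DNs with altered case (constructed to show
# the inconsistency the page attributes to some directory servers).
INCONSISTENT_MEMBERS = ["cn=jane roe,ou=rochester,o=ibm,c=us",
                        "CN=JOHN DOE,OU=ROCHESTER,O=IBM,C=US"]


def demo():
    """Return the outcome of each check for the sample data."""
    return {
        "base_ou_reaches_user": is_under_base_dn(USER_DN, "ou=Rochester, o=IBM, c=US"),
        "base_suffix_reaches_user": is_under_base_dn(USER_DN, "c=US"),
        "wrong_case_base_reaches_user": is_under_base_dn(USER_DN, "c=us"),
        "other_ou_reaches_user": is_under_base_dn(USER_DN, "ou=Austin, o=IBM, c=US"),
        "strict_check_consistent_dir": is_authorized(USER_DN, CONSISTENT_MEMBERS, False),
        "strict_check_inconsistent_dir": is_authorized(USER_DN, INCONSISTENT_MEMBERS, False),
        "ignore_case_inconsistent_dir": is_authorized(USER_DN, INCONSISTENT_MEMBERS, True),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-32s %s" % (name, outcome))
```

Running the script shows the two failure modes the steps warn about: a base DN whose case does not match the directory (c=us against a stored c=US) does not reach the user when the directory compares case-sensitively, and a strict authorization check against a directory that returns member DNs in altered case fails until the ignore-case flag is set. Note that the flag only relaxes the comparison of group member DNs; it does not change which entries a base DN search reaches.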

Result

These steps set up the LDAP user registry, which is required as part of enabling security in WebSphere Application Server.

What to do next

  1. If you are enabling security, complete the remaining steps as specified in Configuring global security. As the final step, validate this setup by clicking OK or Apply in the Global Security panel.
  2. Save, stop, and restart all the product servers (deployment managers, nodes, and Application Servers) for changes in this panel to take effect. If the server comes up without any problems, the setup is correct.



Sub-topics
Lightweight Directory Access Protocol settings
Advanced Lightweight Directory Access Protocol user registry settings

Related concepts
Local operating system user registries

Related tasks
Configuring Lightweight Directory Access Protocol search filters
Configuring Secure Sockets Layer for the Lightweight Directory Access Protocol client
Configuring global security

Related reference
Custom user registries



Last updated: Jun 8, 2005 12:45:23 PM EDT
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/tsec_ldap.html

© Copyright IBM Corporation 2002, 2005. All Rights Reserved.
This information center is powered by Eclipse technology. (http://www.eclipse.org)