
6.6.18.8: Using Microsoft Active Directory as an LDAP Server

To use Microsoft Active Directory as the LDAP server for authentication with WebSphere Application Server, there are some specific steps you must take. By default, Microsoft Active Directory does not allow anonymous LDAP queries. To make LDAP queries or browse the directory, an LDAP client must bind to the LDAP server using the distinguished name (DN) of an account that belongs to the Administrators group of the Windows system.

To set up Microsoft Active Directory as your LDAP server, follow this procedure:

  1. Determine the full DN and password of an account in the Administrators group. For example, if the Active Directory administrator creates an account in the Users folder of the Active Directory Users and Computers Windows NT/2000 control panel and the DNS domain is ibm.com, the resulting DN has the following structure:
    cn=<adminUsername>, cn=users, dc=ibm, dc=com
  2. Determine the short name and password of any account in the Microsoft Active Directory. This does not have to be the same account as used in the previous step.
  3. Use the WebSphere Application Server administrative console to set up the information needed to use Microsoft Active Directory:
    1. Start the administrative server for the domain, if necessary.
    2. Start the administrative console, if necessary.
    3. On the administrative console, click Console -> Security Center on the console menu bar.
    4. Select the Authentication tabbed page. On it, select Lightweight Third Party Authentication (LTPA) as the authentication mechanism.
    5. Enter the following information in the LDAP settings fields:
      • Security Server ID: the short name of the account chosen in step 2
      • Security Server Password: the password of the account chosen in step 2
      • Directory Type: Active Directory
      • Host: The DNS name of the machine running Microsoft Active Directory
      • Base Distinguished Name: the domain components of the DN of the account chosen in step 1. For example:
        dc=ibm, dc=com
      • Bind Distinguished Name: the full DN of the account chosen in step 1. For example:
        cn=<adminUsername>, cn=users, dc=ibm, dc=com
      • Bind Password: the password of the account chosen in step 1
    6. Click the OK button to save the changes.
    7. Stop and restart the administrative server to make the changes take effect.
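As an added example (not part of the original InfoCenter page, and not a WebSphere API), the following Python builds the Base and Bind Distinguished Names from the account name and DNS domain exactly as the procedure describes, escapes DN values per RFC 4514 so an account name containing a comma or leading space does not produce a malformed Bind DN, and checks that the Bind DN really lies under the Base DN before the values are typed into the Security Center. Function and field names are my own; the sample account `wasadmin` and domain `ibm.com` are constructed inputs.

```python
import re

# Characters that RFC 4514 requires to be escaped anywhere inside a DN attribute value.
_SPECIAL = set(',+"\\<>;')

def escape_dn_value(value: str) -> str:
    """Escape one attribute value (e.g. a cn) for embedding in a DN (RFC 4514 2.4):
    special characters anywhere, plus a leading '#' or ' ' and a trailing ' '."""
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        needs = ch in _SPECIAL or (i == 0 and ch in ' #') or (i == last and ch == ' ')
        out.append('\\' + ch if needs else ch)
    return ''.join(out)

def base_dn_from_domain(dns_domain: str) -> str:
    """Map a DNS domain to its domain components: 'ibm.com' -> 'dc=ibm,dc=com'."""
    labels = [lbl for lbl in dns_domain.strip().strip('.').split('.') if lbl]
    if not labels:
        raise ValueError('DNS domain must contain at least one label')
    return ','.join('dc=' + escape_dn_value(lbl) for lbl in labels)

def bind_dn_for_user(admin_username: str, dns_domain: str, container: str = 'users') -> str:
    """Bind DN of an account created in the default Users folder of the domain."""
    return 'cn=%s,cn=%s,%s' % (escape_dn_value(admin_username),
                               escape_dn_value(container), base_dn_from_domain(dns_domain))

def base_is_suffix_of(bind_dn: str, base_dn: str) -> bool:
    """True when the Bind DN lies under the Base DN, as the procedure requires.
    Users are searched beneath the Base DN, so a base that does not cover the accounts
    leaves them unfindable even though the bind itself succeeds."""
    # Drop whitespace around separators and ignore case (AD compares cn/dc values
    # case-insensitively, and the page writes DNs with a space after each comma).
    norm = lambda dn: re.sub(r'\s*,\s*', ',', dn.strip()).lower()
    bind, base = norm(bind_dn), norm(base_dn)
    return bind == base or bind.endswith(',' + base)

def ldap_settings(server_id: str, admin_username: str, dns_domain: str, ad_host: str) -> dict:
    """Assemble the non-secret LDAP settings fields; passwords are typed into the console."""
    base_dn = base_dn_from_domain(dns_domain)
    bind_dn = bind_dn_for_user(admin_username, dns_domain)
    if not base_is_suffix_of(bind_dn, base_dn):
        raise ValueError('Bind DN %s is not under Base DN %s' % (bind_dn, base_dn))
    return {'Security Server ID': server_id, 'Directory Type': 'Active Directory',
            'Host': ad_host, 'Base Distinguished Name': base_dn,
            'Bind Distinguished Name': bind_dn}
```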