This article provides important information about the directory servers that are supported as Lightweight Directory Access Protocol (LDAP) servers in WebSphere Application Server.
For a list of supported LDAP servers, refer to the Supported hardware and software Web site.
It is expected that other LDAP servers follow the LDAP specification. Support is limited to these specific directory servers only. You can use any other directory server by using the custom directory type in the list and by filling in the filters that are required for that directory.
To improve performance for LDAP searches, the default filters for IBM Tivoli Directory Server, Sun ONE, and Active Directory are defined such that when you search for a user, the result contains all the relevant information about the user (user ID, groups, and so on). As a result, the product does not call the LDAP server multiple times. This definition is possible only in these directory types, which support searches where the complete user information is obtained.
If you use the IBM Directory Server, select the Ignore case for authorization option. This option is required because, when the group information is obtained from the user object attributes, the case is not the same as when you get the group information directly. For authorization to work in this case, a case-insensitive check must be performed, so verify that the Ignore case for authorization option is selected.
The LDAP Security Server for the z/OS platform is supported when the DB2 Technical Database Management (TDBM) back-end is used. Use the SecureWay Directory Server filters to connect to the LDAP Security Server for the z/OS platform.
Directory Services is provided with i5/OS Version 5 Release 3 and is a member of the IBM Tivoli Directory Server family of products and services. For i5/OS Version 5 Release 3 and later, specify IBM Tivoli Directory Server as the directory type when configuring the user registry to use Directory Services.
Support for groups that contain other groups or nested groups depends upon the specific versions of WebSphere Application Server and LDAP. For more information, see Dynamic groups and nested group support.
To use IBM Tivoli Directory Server, formerly IBM Directory Server, select IBM Tivoli Directory Server as the directory type.
You can select either the IBM Tivoli Directory Server or SecureWay directory type for the IBM Directory Server.
The difference between these two types is group membership lookup. It is recommended that you choose the IBM Tivoli Directory Server for optimum performance during runtime. In the IBM Tivoli Directory Server, the group membership is an operational attribute. With this attribute, a group membership lookup is done by enumerating the ibm-allGroups attribute for the entry. All group memberships, including the static groups, dynamic groups, and nested groups, can be returned with the ibm-allGroups attribute.
WebSphere Application Server supports dynamic groups, nested groups, and static groups in IBM Tivoli Directory Server using the ibm-allGroups attribute. To use this attribute in a security authorization application, use a case-insensitive match, because the attribute values that the ibm-allGroups attribute returns are all in uppercase.
If you must install IBM Tivoli Directory Server Version 6.0 and WebSphere Application Server Version 6.1 on the same machine, consider the following information:
User ID Map : person:shortname
To use Microsoft Active Directory as the LDAP server for authentication with WebSphere Application Server, you must take specific steps. By default, Microsoft Active Directory does not permit anonymous LDAP queries. To create LDAP queries or to browse the directory, an LDAP client must bind to the LDAP server using the distinguished name (DN) of an account that has the authority to search and read the values of LDAP attributes, such as user and group information, needed by the Application Server. A group membership search in the Active Directory is done by enumerating the memberof attribute for a given user entry, rather than browsing through the member list in each group. To change this default behavior so that each group is browsed instead, change the Group Member ID Map field from memberof:member to group:member.
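The following is an added example, not part of the WebSphere documentation, that models the two group-membership lookup strategies described above (the memberof:member map versus the group:member map) and the reason the Ignore case for authorization option is needed when ibm-allGroups returns uppercase values. The directory entries, DNs and attribute values are constructed for illustration only.

```python
# Constructed in-memory directory standing in for an LDAP server (example only).
from typing import Dict, List, Tuple

DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=alice,ou=people,o=example": {
        "objectclass": ["person"],
        "memberof": ["cn=admins,ou=groups,o=example"],
        # Operational attribute as IBM Tivoli Directory Server returns it:
        # every membership (static, dynamic and nested), values in uppercase.
        "ibm-allgroups": ["CN=ADMINS,OU=GROUPS,O=EXAMPLE",
                          "CN=STAFF,OU=GROUPS,O=EXAMPLE"],
    },
    "cn=admins,ou=groups,o=example": {"objectclass": ["groupOfNames"],
                                      "member": ["uid=alice,ou=people,o=example"]},
    # Nested group: staff contains the admins group, not alice directly.
    "cn=staff,ou=groups,o=example": {"objectclass": ["groupOfNames"],
                                     "member": ["cn=admins,ou=groups,o=example"]},
    "cn=guests,ou=groups,o=example": {"objectclass": ["groupOfNames"], "member": []},
}


def ldap_lookup(dn: str) -> Dict[str, List[str]]:
    """Stand-in for a single LDAP search of one entry in the constructed directory."""
    return DIRECTORY[dn]


def groups_via_memberof(user_dn: str) -> Tuple[List[str], int]:
    """memberof:member map: read the user's memberof attribute.
    Returns (direct group DNs, number of LDAP searches issued) -> one search."""
    return ldap_lookup(user_dn).get("memberof", []), 1


def groups_via_member(user_dn: str) -> Tuple[List[str], int]:
    """group:member map: browse every group and inspect its member list.
    Returns (direct group DNs, number of LDAP searches issued) -> one per group."""
    groups = [dn for dn, e in DIRECTORY.items() if "groupOfNames" in e["objectclass"]]
    hits = [g for g in groups if user_dn in ldap_lookup(g).get("member", [])]
    return hits, len(groups)


def is_authorized(user_dn: str, required_group: str, ignore_case: bool) -> bool:
    """Authorization check against ibm-allGroups, with or without case folding.
    Without ignore_case the uppercase values never match a lowercase role DN."""
    values = ldap_lookup(user_dn).get("ibm-allgroups", [])
    if ignore_case:
        return required_group.lower() in (v.lower() for v in values)
    return required_group in values
```

The nested membership in staff is visible only through ibm-allGroups, and only when the comparison ignores case.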
The following steps describe how to set up Microsoft Active Directory as your LDAP server.