Authenticating users with LDAP registries in a Microsoft Active Directory forest

Authenticating a user across multiple repositories, or across a distributed Lightweight Directory Access Protocol (LDAP) repository, such as a Microsoft® Active Directory forest can be challenging. In any search of the whole user registry, if there is more than one match at run time, authentication fails because of ambiguous match results.

Before you begin

In any multiple Microsoft Active Directory domain environment, the WebSphere® Application Server administrator must consider that the default unique ID in the Microsoft Active Directory is the sAMAccountName attribute of a user.

About this task

User IDs are guaranteed to be unique within a single domain. However they are not guaranteed across a tree or a forest. For example, suppose the user ID, smith, is added in the forest and in each subdomain. The search for sAMAccountName=smith returns three matches. WebSphere Application Server does not authenticate this user when there is more than one possible match in the registry.
Figure 1. Forest search strategy. Search illustration of a non-unique sAMAccountName across the entire forest.

You can mitigate this condition by changing the user filter to be based on the userPrincipalName attribute of the user, which is unique across the forest, instead of being based on their sAMAccountName attribute. However, users must then know to log in using their userPrincipalName, which they might not know.

The specific procedure to establish a user filter on a LDAP user registry depends on the type of LDAP registry. The following examples illustrate a procedure for a stand-alone LDAP registry and a procedure for a federated repository registry.

Procedure

  1. Establish a user filter on a stand-alone LDAP registry: You can set the user filter on the Advance Lightweight Access Protocol (LDAP) user registry settings page to search for userPrincipalName instead of sAMAccountName value.
    For example:
    (&(objectClass=user)(userPrincipalName=%w))
  2. Establish a user filter on a federated repositories registry: You can change the log-in property in the LDAP repository to uid;cn, for example, by using the administrative console.
    1. Click Security.
    2. Select Global security.
    3. Under Available realm definitions, use the drop-down list to select Federated repositories.
    4. Click Configure.
    5. Under Related items, click Manage repositories.
    6. Under General Properties, add the following information:
      Repository identifier
      forest
      Directory type
      Microsoft WIndows Server 2003 Active Directory
      Primary host name
      forest.acme.net
      Port
      389
      Failover server used when primary is not available
      Delete
      Bind distinguished name
      cn=wasbind, CN=Users, DC=ib
      Bind password
      ********
      Login properties
      uid;cn
  3. Click OK and Save to save the changes to the master configuration.
  4. Locate the {WAS_HOME}\profiles\{profileName}\config\cells\{cellName}\wim\config\wimconfig.xml or profile_root/conf/cells/<cell>/wim/config/wimconfig.xml file in the deployment manager configuration.
  5. Edit the wimconfig.xml file.
    1. Find the <config:attributeConfiguration> attribute in the file.
    2. Add the following lines:
      <config:attributes name="userPrincipalName" propertyName="cn">
      <config:entityTypes>PersonAccount</config:entityTypes>
      </config:attributes>
  6. Save the wimconfig.xml file.
  7. Run the profile_root/bin/syncNode.bat or profile_root/syncNode.bar/sh script on all of the nodes in the configuration.

Results

Avoid trouble: When you select any of these scenarios, consult appropriate Microsoft Active Directory information to completely understand any implications the scenarios might have on your configuation planning.gotcha



In this information ...


IBM Redbooks, demos, education, and more

(Index)

Use IBM Suggests to retrieve related content from ibm.com and beyond, identified for your convenience.

This feature requires Internet access.

Task topic    

Terms of Use | Feedback

Last updated: Oct 22, 2010 12:21:29 AM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=compass&product=was-nd-zos&topic=tsec_was_ad_filter
File name: tsec_was_ad_filter.html