You can optionally use a Lightweight Directory Access Protocol
(LDAP) directory to authenticate users with your IBM® WebSphere® DataPower® XC10 Appliance.
Before you begin
You must be assigned the Appliance administration permission
to perform these steps.
About this task
Using an LDAP server to authenticate users is optional.
If you choose to use an external LDAP server, then you must match
all of your IBM WebSphere DataPower XC10 Appliance users
with the users in the specified LDAP directory. The user name attribute
is used to authenticate the IBM WebSphere DataPower XC10 Appliance users
with the LDAP directory. Users that are not in the LDAP directory
cannot be authenticated.
You can set up your LDAP to use the
secure port. The secure sockets layer (SSL) certificate of the LDAP
server must be issued by a publicly trusted certificate authority
(CA), which is already in the <JAVA_HOME>/jre/lib/security/cacerts file. WebSphere DataPower XC10 Appliance does
not support using self-signed certificates.
Procedure
- Navigate to the Settings panel. Use one of the following methods:
- From the menu bar at the top of the WebSphere DataPower XC10 Appliance user
interface, navigate to .
- From the Welcome page, click the Customize
settings link in the Step 1: Set up the appliance section.
- Expand Security.
- Configure your appliance to authenticate users with an
LDAP directory.
- To enable LDAP authentication, select the check box
next to Enable LDAP authentication. The Enable
LDAP authentication check box is not selected by default.
Selecting this check box enables WebSphere DataPower XC10 Appliance to
use the specified LDAP server to authenticate users at login.
- Enter the JNDI provider URL. Example for non-SSL LDAP:
ldap://mycompany.com:389/
or
ldap://mycompany.com/
If a port is not explicitly specified, the default port number is 389.
Example for SSL LDAP:
ldaps://mycompany.com:636/
or
ldaps://mycompany.com/
If a port is not explicitly specified, the default port number is 636.
- Enter the JNDI base DN (users). Example:
CN=users,DC=mycompany,DC=com
- Enter the JNDI base DN (groups). Example:
DC=mycompany,DC=com
- Enter the Search filter (users). Example:
(&(sAMAccountName={0})(objectcategory=user)) or uid={0}
Note: The placeholder "{0}" stands for the user ID. "{0}" is replaced
by the login user ID that you entered in the login screen.
- Enter the JNDI security authentication. This
field is optional unless your LDAP server does not permit anonymous
LDAP queries. Example:
CN=Administrator,CN=users,DC=mycompany,DC=com
- Enter the password. This field is the JNDI
security credentials, and is optional unless your LDAP server does
not permit anonymous LDAP queries.
- Test the LDAP authentication settings that you configured. You can test the settings you used to configure authentication
with an LDAP server. This section allows you to perform LDAP queries
to look for specified users and groups.
- Click Test LDAP authentication settings to expand
this section.
- To test a user name, enter a user name in the LDAP user
name field, and click the associated Test LDAP query button. Example:
test_user@us.ibm.com
If the query is successful, then a message is displayed as
follows: Found LDAP User DN: <user information>. If the
query is not successful, then an error message is displayed.
- To test a group name, enter a group name in the LDAP
group name field, and click the associated Test LDAP query button. Example:
Test Group
If the query is successful, then a message is displayed as
follows: Found LDAP Group DN: <user information>. If the
query is not successful, then an error message is displayed.
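The following is an added illustration (example code, not part of the appliance or of the IBM documentation) of how the JNDI provider URL and the Search filter (users) from the steps above are interpreted: the default port is applied when the URL omits one, and the login user ID is substituted for the "{0}" placeholder. The RFC 4515 escaping shown is standard practice for values placed into a filter and is an assumption of this example, not a statement about the appliance's internal behaviour.

```python
from typing import Tuple
from urllib.parse import urlsplit

# Default ports stated on the page for the JNDI provider URL.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

# RFC 4515 escapes for characters that would otherwise change filter structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def resolve_provider_url(url: str) -> Tuple[str, str, int]:
    """Return (scheme, host, port) for a JNDI provider URL such as
    ldap://mycompany.com/ or ldaps://mycompany.com:636/, applying the
    default port (389 or 636) when the URL does not specify one."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an ldap:// or ldaps:// URL: {url!r}")
    return parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme]


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it is treated as data inside a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_user_filter(template: str, login_user_id: str) -> str:
    """Substitute the login user ID for the {0} placeholder in the configured
    Search filter (users); the ID is escaped first so that a login name cannot
    alter the structure of the query sent to the LDAP server."""
    if "{0}" not in template:
        raise ValueError("search filter template has no {0} placeholder")
    return template.replace("{0}", escape_filter_value(login_user_id))


if __name__ == "__main__":
    # Constructed sample values in the style of the page's examples.
    print(resolve_provider_url("ldaps://mycompany.com/"))
    print(render_user_filter("(&(sAMAccountName={0})(objectcategory=user))", "test_user"))
```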
Results
You have specified an LDAP directory for external authentication
when accessing the
user interface.
What to do next
Understanding how to control user access to different areas
of your environment is an important part of your security solution.
See
Managing users and groups for
more information about how you can manage users and groups and their
permissions.