Problem

It is possible to configure WebSphere® Application Server V3.5.x and V4.0.x global security to use Microsoft® Active Directory as the LDAP server.

Cause

Microsoft Active Directory, by default, does not allow anonymous LDAP queries to see users. An LDAP client can browse Microsoft Active Directory only by binding with the distinguished name (DN) of an account that belongs to the Administrators group.

Solution

Assuming Microsoft Active Directory has not been changed from this default behavior, the following steps enable WebSphere Application Server security to work with Microsoft Active Directory as the LDAP server:

1. Acquire the full DN and password of an account in the Administrators group.
   Hint: If the Microsoft Active Directory administrator created the account in the Users folder of the Active Directory Users and Computers Windows® NT control panel, the DN looks something like this:
   cn=admin username,cn=users,dc=ibm,dc=com
2. Get the short logon name and password of any account in the Microsoft Active Directory server. It can be the short logon name of the account from Step 1, or it can be a different one. This account need not have any special privileges.
3. With the above information, configure the User Registry tab of the administrative console global security task with the following settings:
   Security Server ID: shortusername
   Security Server Password: shortusername password
   Directory Type: Active Directory
   Host: ldapserverhostname.ibm.com
   Base Distinguished Name: dc=ibm,dc=com
   Bind Distinguished Name: cn=admin username,cn=users,dc=ibm,dc=com
   Bind Password: admin username password

Note: Unlike most other LDAP servers, the default LDAP filter settings for Microsoft Active Directory get the shortusername from the sAMAccountName LDAP attribute rather than the uid attribute, which is the default for most of the other LDAP servers configured in WebSphere Application Server.
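As an added pre-flight check for the settings above (not part of the technote), the following Python builds the user-lookup filter the way the note describes (sAMAccountName for the Active Directory type, uid otherwise), escapes the short logon name per RFC 4515 so it cannot change the filter's meaning, and confirms the Bind DN lies under the Base DN. The directory-type table, function names and sample DNs are assumptions; the note does not give WebSphere's full filter string, so a bare attribute test is used.

```python
# Added pre-flight check for the settings above; not part of the technote.
# Directory-type table, function names and sample DNs are assumptions.
from __future__ import annotations

# Attribute holding the short logon name per directory type. The note gives
# only the Active Directory (sAMAccountName) and "other servers" (uid) cases.
LOGIN_ATTRIBUTE = {"Active Directory": "sAMAccountName"}
DEFAULT_LOGIN_ATTRIBUTE = "uid"


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 so '*', '(', ')', backslash and
    NUL in a supplied logon name stay literal instead of altering the filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def user_filter(directory_type: str, short_username: str) -> str:
    """Build the user-lookup filter for this registry type (bare attribute
    test; the note does not give WebSphere's full default filter string)."""
    attr = LOGIN_ATTRIBUTE.get(directory_type, DEFAULT_LOGIN_ATTRIBUTE)
    return f"({attr}={escape_filter_value(short_username)})"


def split_dn(dn: str) -> list[str]:
    """Split a DN into RDNs on unescaped commas; lower-case and trim each RDN
    because Active Directory compares DNs case-insensitively."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):  # keep an escaped pair intact
            current.append(dn[i : i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(dn[i])
        i += 1
    rdns.append("".join(current))
    return [r.strip().lower() for r in rdns]


def bind_dn_within_base(bind_dn: str, base_dn: str) -> bool:
    """True when the Bind DN is a strict descendant of the Base DN, e.g.
    cn=admin username,cn=users,dc=ibm,dc=com under dc=ibm,dc=com."""
    bind, base = split_dn(bind_dn), split_dn(base_dn)
    return len(bind) > len(base) and bind[-len(base):] == base
```

Run the two checks against the values you intend to enter in the User Registry tab before enabling global security; a Bind DN outside the Base DN or a logon name that needs escaping is worth resolving first.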