Preparing the directory servers
Install and set up the directory server so that IBM® Security Access Manager for Enterprise Single Sign-On can communicate with it. You can use a Microsoft Active Directory, Security Directory Server, or an LDAP-compatible host as a directory server.
A directory service or user registry provides user authentication and access control. IBM Security Access Manager for Enterprise Single Sign-On can work with your existing supported directory server if you are already using a directory service to authenticate and manage user accounts in a repository.
Integration with a directory server is not an installation prerequisite. IBM Security Access Manager for Enterprise Single Sign-On also operates in enterprise environments that choose not to use a directory service. For additional deployment considerations with a directory server, see the IBM Security Access Manager for Enterprise Single Sign-On Planning and Deployment Guide.
You can work in configurations with a single directory server or a federated repository. IBM Security Access Manager for Enterprise Single Sign-On uses the virtual member manager component in WebSphere® Application Server to support authentication on directory servers. A federated repository must meet the following requirements:
- Distinguished names must be unique for a collection of users or groups over all directory servers. For example: If cn=imsadmin,dc=ibm exists in AD-LDAP1, it must not exist in AD-LDAP2 or AD-LDAP3.
- For LDAP only: The short name, for example imsadmin, must be unique for a realm over all registries.
- The base distinguished names for all registries that are used within a realm must not overlap. For example: If AD-LDAP1 is cn=users,dc=ibm, AD-LDAP2 must not be dc=ibm.
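As an added example (not IBM's code), the following Python script checks constructed registry data against the three federation requirements above: unique distinguished names, unique short names, and non-overlapping base distinguished names. The registry names, base DNs and entries are assumed sample values; the short-name check is applied to every entry passed in, so supply only the LDAP entries if the realm mixes registry types.

```python
import re
from itertools import combinations

# Added example, not IBM's code: validates constructed registry data against
# the virtual member manager federation requirements listed above.

def parse_dn(dn):
    """Normalize a DN into a tuple of (attr, value) RDNs: lower-case, strip
    whitespace, and do not split on backslash-escaped commas."""
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return tuple(rdns)

def dn_within(base, dn):
    """True when dn equals base or lies below it (base is a suffix of dn)."""
    return len(dn) >= len(base) and dn[-len(base):] == base

def check_federation(registries, entries):
    """registries: {name: base_dn}; entries: [(registry, dn, short_name)].
    Returns a list of violations; an empty list means the layout is valid."""
    problems = []
    bases = {name: parse_dn(base) for name, base in registries.items()}
    # Base DNs within a realm must not overlap (neither may contain the other).
    for a, b in combinations(sorted(bases), 2):
        if dn_within(bases[a], bases[b]) or dn_within(bases[b], bases[a]):
            problems.append(f"base DN overlap: {a} ({registries[a]}) vs {b} ({registries[b]})")
    seen_dn, seen_short = {}, {}
    for reg, dn, short in entries:
        # A distinguished name may exist in only one registry.
        key = parse_dn(dn)
        if key in seen_dn and seen_dn[key] != reg:
            problems.append(f"DN {dn} exists in both {seen_dn[key]} and {reg}")
        seen_dn.setdefault(key, reg)
        # The short name must be unique for the realm over all registries.
        s = short.lower()
        if s in seen_short and seen_short[s] != reg:
            problems.append(f"short name {short} exists in both {seen_short[s]} and {reg}")
        seen_short.setdefault(s, reg)
    return problems

# Constructed sample: AD-LDAP2's base contains AD-LDAP1's, and imsadmin is defined twice.
REGISTRIES = {"AD-LDAP1": "cn=users,dc=ibm", "AD-LDAP2": "dc=ibm", "AD-LDAP3": "dc=example"}
ENTRIES = [
    ("AD-LDAP1", "cn=imsadmin,cn=users,dc=ibm", "imsadmin"),
    ("AD-LDAP2", "CN=imsadmin, CN=users, DC=ibm", "imsadmin"),
    ("AD-LDAP3", "cn=auditor,dc=example", "auditor"),
]
```

Running `check_federation(REGISTRIES, ENTRIES)` on the sample reports the base DN overlap plus the duplicated DN and short name; a clean layout returns an empty list.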
For more information about the virtual member manager component in WebSphere Application Server, see the WebSphere Application Server Version 8.5.5 product documentation.
You can choose an enterprise directory before installing IBM Security Access Manager for Enterprise Single Sign-On.
For complete instructions on preparing and setting up an existing directory server, see the vendor-supplied documentation for the directory server.
- Prepare to provide the required directory server host name, domain name, port number, required lookup user, bind distinguished names, and base distinguished names.
You must provide the values when you choose to configure the IMS Server with a directory server. You can update the values that you need in the Planning worksheet. See Planning worksheet.
- IBM Security Access Manager for Enterprise Single Sign-On works with LDAP directory servers like IBM Tivoli® Directory Server or an Active Directory.
- To support password resets with AccessAssistant:
  - On an Active Directory with non-SSL connections, you must install the Tivoli Identity Manager Active Directory Adapter on the same domain.
  - On an Active Directory with an SSL connection, no further directory server configurations are required.
- Prepare a directory user with administrative privileges. You can also prepare a designated directory user account with password reset privileges on the directory server.
Directory server resources
The following resources can help you prepare a supported directory server and enable security.
IBM Security Directory Server:
- Overview and installation instructions
- Enabling SSL security instructions: http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?toc=/com.ibm.IBMDS.doc/toc.xml Note: Enter "Configuring IBM Security Directory Server for SSL access" in the search field.
Active Directory:
- Overview and installation instructions: Go to the Microsoft website at www.microsoft.com and search for "Active Directory installation overview".
- Enabling SSL security instructions: Go to the Microsoft website at www.microsoft.com and search for "Active Directory SSL enabling".