Modifying the LDAP configuration file for LDAP over TLS

To authenticate users against the LDAP directory server that you use, you must modify the authentication configuration file.

The aurora_auth.config file contains three authentication modules:

  • Openpages - the default internal user directory
  • OpenpagesIP - a sample LDAP configuration for the Sun One Directory Server
  • OpenpagesAD - a sample LDAP configuration for the Microsoft Active Directory Server

IBM OpenPages® reads only the module that is named Openpages. Therefore, you must keep the existing Openpages module under a different name as a backup, rename OpenpagesIP or OpenpagesAD to Openpages, and then change its settings to match your LDAP server.

Procedure

  1. Stop all OpenPages services.
  2. Open and edit the <OP_HOME>/aurora/conf/aurora_auth.config file in a text editor.

    Where:

    <OP_HOME> is the installation location of the OpenPages application.

  3. Find the Openpages module and change its name to OpenpagesDefault.
  4. Modify either the OpenpagesIP or OpenpagesAD module name to Openpages.
    • If you are using a Microsoft Active Directory server, change the name of the OpenpagesAD module to Openpages.
    • If you are using a Sun One Directory Server, change the name of the OpenpagesIP module to Openpages.
    • If you are using a different LDAP server, you can use either of these modules. Choose a module to use as a template and change its name to Openpages.
  5. Specify the correct values for the following properties in the module that you named Openpages:
    provider.url
    Change the value to the host name and port number of the LDAP authentication server. For LDAP over TLS (LDAPS), the protocol is ldaps and the port is the LDAPS port number (by default, 636). Use the host name for which the server certificate was issued, not an IP address, so that the host name in the URL matches the certificate.
    base.dn
    The distinguished name (DN) of the top level of the LDAP directory tree on the LDAP server. If the users to be authenticated are located in multiple locations within your Active Directory structure, list all of the locations explicitly by using the distinguished names of the locations, each separated by a semicolon.
    For example:
    base.dn="DC=LDAPTesting,DC=local;CN=Users,DC=LDAPTesting,DC=local;OU=Auditors,OU=External Auditors,OU=Staff,DC=LDAPTesting,DC=local"
    user.attr.id
    The name of the attribute that holds the user identifier (for example, uid or cn).
    Additional custom parameters
    You can add custom parameters that are supported by the Java™ Naming and Directory Interface (JNDI). Prefix each JNDI property name with ctx.env.

    For example, if you want to use the JNDI property com.sun.jndi.ldap.connect.timeout, use ctx.env.com.sun.jndi.ldap.connect.timeout="<value>" in the aurora_auth.config file.

    For information about JNDI properties, see the Java SE documentation.

    For example:
    Openpages
    {
       com.openpages.aurora.service.security.namespace.LDAPLoginModule
              required debug=false
          provider.url="ldaps://myserver.company.com:636"
          security.authentication="simple"
          security.search.user.dn="cn=Directory Manager"
          security.search.user.credentials="openpages"
          base.dn="ou=people,o=IBM,c=US"
          user.attr.id="uid"
          ;
    };
    The password of the search account is stored in clear text in this file, so restrict read access to the account that runs the OpenPages services. Use a dedicated search account that has only read access to the locations listed in base.dn; cn=Directory Manager in the example is the directory superuser account.
  6. When you are finished editing the file, save your changes and exit.
  7. Import the root certificate and any intermediate signer certificates for your LDAP server into the truststore on each OpenPages application server. The server certificate is validated against this truststore, so the LDAPS connection fails if the chain is missing.
    For more information, see Importing signed CA certificates.
  8. Restart all OpenPages services.
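The edits in steps 3 to 6 are easy to get wrong (two modules still named Openpages, an ldap:// URL, a trailing semicolon in base.dn, an empty search password), and the only feedback is a failed login after the restart. The following script is an added example, not part of the OpenPages product or this page: it parses the JAAS-style aurora_auth.config format and checks the module named Openpages for the LDAPS settings the procedure describes. The two embedded configurations are constructed samples, the class name of the renamed backup module is a placeholder (the page does not show it), and the cn=Directory Manager warning assumes the Sun One default superuser account.

```python
# Pre-flight lint for aurora_auth.config (added example, not IBM code). It parses the
# JAAS-style login configuration and checks the module named Openpages for the LDAPS
# settings the procedure describes. Both sample configurations below are constructed.
import re
import sys

DN_RE = re.compile(r"^[A-Za-z][\w.-]*=[^,=]+(,[A-Za-z][\w.-]*=[^,=]+)*$")  # attr=value[,...]
TOKEN_RE = re.compile(r"""[{};]|(?:[^\s{};"']|"[^"]*"|'[^']*')+""")


def tokenize(text):
    """{}; punctuation and words; a quoted segment keeps ';' and spaces, quotes dropped."""
    return [re.sub(r"""(["'])(.*?)\1""", r"\2", t) for t in TOKEN_RE.findall(text)]


def parse_jaas(text):
    """Return [(module_name, [{'class', 'flag', 'options'}, ...]), ...]."""
    lines = [ln for ln in text.splitlines() if not ln.lstrip().startswith("//")]
    toks, modules, i = tokenize("\n".join(lines)), [], 0
    while i < len(toks):
        name, entries = toks[i], []
        if i + 1 >= len(toks) or toks[i + 1] != "{":
            raise ValueError(f"expected '{{' after module name {name!r}")
        i += 2
        while i + 1 < len(toks) and toks[i] != "}":
            entry = {"class": toks[i], "flag": toks[i + 1], "options": {}}
            i += 2
            while i < len(toks) and toks[i] not in ";}":
                key, _, value = toks[i].partition("=")  # first '=' splits key from value
                entry["options"][key] = value
                i += 1
            i += toks[i:i + 1] == [";"]  # the ';' that ends the entry
            entries.append(entry)
        i += 1 + (toks[i + 1:i + 2] == [";"])  # closing '}' and the optional ';' after it
        modules.append((name, entries))
    return modules


def lint_config(text):
    """Check the module named Openpages; return {'errors': [...], 'warnings': [...]}."""
    errors, warnings = [], []
    modules = parse_jaas(text)
    names = [n for n, _ in modules]
    ldap = [e for n, es in modules if n == "Openpages" for e in es
            if e["class"].endswith("LDAPLoginModule")]
    if names.count("Openpages") != 1 or len(ldap) != 1:
        errors.append("module: need exactly one module named Openpages holding one "
                      f"LDAPLoginModule entry (modules present: {', '.join(names)})")
        return {"errors": errors, "warnings": warnings}
    opts = ldap[0]["options"]

    url = opts.get("provider.url", "")
    m = re.fullmatch(r"ldaps://([^/:\s]+)(?::(\d+))?", url)  # scheme must be ldaps
    if not m:
        errors.append(f"provider.url: expected ldaps://hostname[:port], got {url!r}")
    elif m.group(2) is None:
        warnings.append("provider.url: no port given, LDAPS defaults to 636")

    for idx, dn in enumerate(opts.get("base.dn", "").split(";")):  # catches a trailing ';'
        if not DN_RE.match(dn.strip()):
            errors.append(f"base.dn: entry {idx} is not a distinguished name: {dn!r}")
    if not opts.get("user.attr.id"):
        errors.append("user.attr.id: missing (for example uid)")

    bind_dn = opts.get("security.search.user.dn", "")
    secret = opts.get("security.search.user.credentials", "")
    if opts.get("security.authentication", "simple") == "simple" and bind_dn and not secret:
        errors.append("security.search.user.credentials: empty; a simple bind with a DN and "
                      "no password is an unauthenticated bind (RFC 4513), not a service login")
    if bind_dn.strip().lower() == "cn=directory manager":  # Sun One default superuser (assumed)
        warnings.append("security.search.user.dn: directory superuser; a dedicated account "
                        "with search rights on base.dn is sufficient")
    return {"errors": errors, "warnings": warnings}


# Constructed samples. The backup module's class is a placeholder; the page does not name it.
GOOD_CONFIG = """
// Original internal module, backed up under its new name (step 3).
OpenpagesDefault { internal.placeholder.LoginModule required; };
Openpages {
    com.openpages.aurora.service.security.namespace.LDAPLoginModule required debug=false
        provider.url="ldaps://myserver.company.com:636" security.authentication="simple"
        security.search.user.dn="cn=Directory Manager" security.search.user.credentials="openpages"
        base.dn="DC=LDAPTesting,DC=local;OU=Auditors,OU=External Auditors,OU=Staff,DC=LDAPTesting,DC=local"
        user.attr.id="uid" ctx.env.com.sun.jndi.ldap.connect.timeout="5000";
};
"""
BAD_CONFIG = """
Openpages {
    com.openpages.aurora.service.security.namespace.LDAPLoginModule required debug=false
        provider.url="ldap://dc.example.com:389" security.authentication="simple"
        security.search.user.dn="cn=svc-openpages,ou=Service Accounts,dc=example,dc=com"
        security.search.user.credentials="" base.dn="DC=example,DC=com;";
};
"""

if __name__ == "__main__":  # python lint_aurora_auth.py /path/to/aurora_auth.config
    report = lint_config(open(sys.argv[1]).read() if len(sys.argv) > 1 else BAD_CONFIG)
    print(*(f"{k.upper()}: {msg}" for k in report for msg in report[k]), sep="\n")
    sys.exit(1 if report["errors"] else 0)
```

Run it against <OP_HOME>/aurora/conf/aurora_auth.config after step 6 and before the restart (the script name lint_aurora_auth.py is hypothetical); a non-zero exit means the module named Openpages is not in the state the procedure expects. The tokenizer treats a semicolon inside quotes as part of the value, which is what makes the multi-DN base.dn form parse correctly, but it does not handle backslash-escaped commas inside a DN.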

Results

You have configured the OpenPages system to use an external LDAP user authentication server over TLS.