Connecting to the LDAP server

Before users can be imported from and authenticated against an LDAP or LDAP-supported authentication system, you must connect the application stack to the LDAP server.

Before you begin

Your IBM® StoredIQ® application stack must be at version 7.6.0.6 or later.

Procedure

  1. Using an SSH tool, log in to the application stack as the siqadmin user.
  2. Enter the following command: ldapcfg.
  3. Enter these configuration details.
    1. To enable LDAP, select Allow External LDAP User.
    2. Provide the following information:
      Parameter      Value
      LDAP URL       The host name or IP address of your directory server:
                     • For non-SSL connections:
                       ldap://ldap-server-hostname
                       ldap://ip-address
                     • For SSL connections:
                       ldaps://ldap-server-hostname
                       ldaps://ip-address
      LDAP User      The user account for accessing the directory server, for example, cn=user,dc=example,dc=com
      LDAP Password  The LDAP user's password
      Base DN        The base distinguished name, for example, dc=siqdomain,dc=com

      The LDAP Configuration window also contains the following attribute-mapping details.

      Attribute   Predefined mapping
      First Name  givenName
      Last Name   sn
      Email       mail
      Username    cn

      The Username attribute value cannot contain spaces or special characters. Additionally, it must be a component of the user's DN for users to import successfully.

      Important: Do not modify these predefined attribute mappings unless your schema is different. If you have questions about the schema or these changes, contact your company's LDAP administrator.
    3. Select Test connection to test whether you are connected to the LDAP server.
      The LDAP Status information shows whether the connection test passed or failed.
  4. Save and exit the configuration.
  5. Restart the application stack by using this command: systemctl restart appstack-uwsgi.service
  6. Check the status by using this command: systemctl list-dependencies appstack.target

Results

The list of LDAP users is now available for import.

To prevent the information in the application stack database from becoming stale, user details are synchronized with the directory server daily. A recurring background service performs this synchronization so that the LDAP server is not overloaded with synchronization requests. However, you can trigger an immediate synchronization by running the sync_ldap script as the siqadmin user.

Note: During synchronization, only active LDAP users' details are updated. If LDAP users are deleted from the LDAP server, those users' details are marked as inactive in the application stack database.
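The following added example (not StoredIQ code) models the two rules described on this page: the Username attribute must be free of spaces and special characters and must appear as a component of the user's DN, and a synchronization updates active LDAP users while marking users no longer present on the server as inactive. The directory entries are constructed sample data, the local user store is a plain dictionary standing in for the application stack database, and the permitted-character set for a username is an assumption because the page does not define "special characters".

```python
import re

# Predefined attribute mapping from the LDAP Configuration window.
ATTRIBUTE_MAPPING = {"first_name": "givenName", "last_name": "sn",
                     "email": "mail", "username": "cn"}

# Constructed sample directory entries (not taken from a real server).
LDAP_ENTRIES = [
    {"dn": "cn=asmith,ou=people,dc=siqdomain,dc=com",
     "givenName": "Alice", "sn": "Smith",
     "mail": "asmith@example.com", "cn": "asmith"},
    {"dn": "cn=bad user,ou=people,dc=siqdomain,dc=com",
     "givenName": "Bad", "sn": "User",
     "mail": "bad@example.com", "cn": "bad user"},
]

# Assumed character set for a valid username; the page only says
# "no spaces or special characters".
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]+")


def username_ok(entry, base_dn, attr="cn"):
    """Return True if the mapped username value has no spaces or special
    characters and appears as an RDN of the entry's DN under base_dn."""
    value = entry.get(attr, "")
    if not USERNAME_RE.fullmatch(value):
        return False
    dn_lower = entry["dn"].lower()
    rdns = dn_lower.split(",")
    return dn_lower.endswith(base_dn.lower()) and f"{attr}={value}".lower() in rdns


def sync_users(local_users, ldap_entries, base_dn):
    """Apply the synchronization rules: active LDAP users are updated,
    users missing from the directory are marked inactive (not deleted)."""
    seen = set()
    for entry in ldap_entries:
        if not username_ok(entry, base_dn):
            continue  # would not import successfully, so it is skipped
        uname = entry[ATTRIBUTE_MAPPING["username"]]
        seen.add(uname)
        record = local_users.setdefault(uname, {})
        record.update({k: entry.get(v) for k, v in ATTRIBUTE_MAPPING.items()})
        record["active"] = True
    for uname, record in local_users.items():
        if uname not in seen:
            record["active"] = False
    return local_users
```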