Configuring your system to authenticate users with an LDAP directory

You can use a Lightweight Directory Access Protocol (LDAP) directory to authenticate users in the system. Use the system console to complete this task.

Before you begin

You must be assigned the Security administration role with permission to Manage security (Full permission) to perform these steps.

About this task

Using an LDAP server to authenticate users is optional. The user name attribute is used to authenticate system users with the LDAP directory. Users that are not in the LDAP directory cannot be authenticated with LDAP.

You can set up your LDAP connection to use the secure port. The secure sockets layer (SSL) certificate of the LDAP server must be issued by a publicly trusted certificate authority (CA), and the CA certificate must already be in the <JAVA_HOME>/jre/lib/security/cacerts file.

You can use the console, the command line interface, or the REST API to complete this task. For the command line and REST API information, see the Related information section.

Procedure

  1. Click System > System Security.
  2. Configure your system to authenticate users with an LDAP directory.
    1. Complete the LDAP provider URL field.
      If the field displays the message None provided, click None provided and type the LDAP provider URL in the field. To modify the field, click the value that is entered in the field and modify the content.
      The following examples are for non-SSL LDAP:
      ldap://mycompany.com:389/
      or
      ldap://mycompany.com/
      If the port number is not explicitly specified, the default port number is 389.
      The following examples are for SSL LDAP:
      ldaps://mycompany.com:636/
      or
      ldaps://mycompany.com/
      If the port number is not explicitly specified, the default port number is 636.
      If the SSL certificate is self-signed or is not trusted, a window shows the certificate information. You must accept the certificate for LDAP authentication to work.
    2. Complete the LDAP base DN (users) field.
      If the field displays the message None provided, click None provided and type the LDAP base DN in the field. To modify the field, click the value that is entered in the field and modify the content as shown in the following example:
      CN=users,DC=mycompany,DC=com
    3. Complete the LDAP base DN (groups) field.
      If the field displays the message None provided, click None provided and type the LDAP base DN in the field. To modify the field, click the value that is entered in the field and modify the content as shown in the following example:
      DC=mycompany,DC=com
      Note: LDAP groups are not displayed in the User groups field in the user details pane. Also, LDAP users that belong to an LDAP group are not displayed in the Group members field in the group details pane.
    4. Complete the Search filter (users) field.
      To modify the field, click the value that is entered in the field and modify the content as shown in the following example:
      (&(uid={0})(objectclass=inetOrgPerson))
      Note: A user ID is embedded in the {0} placeholder. The {0} placeholder is replaced by the login user ID that you entered in the login screen.
    5. Complete the Search filter (groups) field.
      To modify the field, click the value that is entered in the field and modify the content as shown in the following example:
      (&(member={0})(objectclass=groupOfNames))
    6. Complete the LDAP security authentication field.
      If the field displays the message None provided, click None provided and type the LDAP security authentication in the field. To modify the field, click the value that is entered in the field and modify the content.
      This field is optional unless your LDAP server does not permit anonymous LDAP queries. A sample LDAP security authentication entry is shown in the following example:
      CN=Administrator,CN=users,DC=mycompany,DC=com
  3. Test the LDAP authentication settings you configured.
    You can test the settings that you configured for authentication with an LDAP server. This section lets you run LDAP queries that look for specified users and groups.
    1. Click Test LDAP authentication settings to expand this section.
    2. Test a user name.
      Enter a user name, for example janesmith@mycompany.com, in the LDAP user name field. Click the associated Test LDAP query button.

      If the query is successful, then a message is displayed as follows: Found LDAP User DN: <user information>. If the query is not successful, then an error message is displayed.

    3. Test a group name.
      Enter a group name, for example WebSphere Clouds, in the LDAP group name field. Click the associated Test LDAP query button.

      If the query is successful, then a message is displayed as follows: Found LDAP Group DN: <user information>. If the query is not successful, then an error message is displayed.
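As an added example (not part of the product documentation), the following Python models the settings entered in step 2 and exercised in step 3: how the provider URL's port defaults to 389 or 636 by scheme, how the {0} placeholder in the two search filters is filled in with the login ID and then with the found user DN, with the substituted value escaped as RFC 4515 requires, and a constructed in-memory directory under the page's example base DNs so both lookups run offline. The chaining of the user search into the group search, and the directory entries, are assumptions for illustration, not something the page states.

```python
import re
from urllib.parse import urlsplit

# Default ports named in the procedure: 389 for ldap://, 636 for ldaps://.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
# RFC 4515 escapes for the characters that carry filter syntax meaning.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
USER_FILTER = "(&(uid={0})(objectclass=inetOrgPerson))"
GROUP_FILTER = "(&(member={0})(objectclass=groupOfNames))"

# Constructed in-memory directory under the page's example base DNs (not real data).
DIRECTORY = {
    "uid=janesmith,CN=users,DC=mycompany,DC=com": {"uid": "janesmith", "objectclass": "inetOrgPerson"},
    "CN=WebSphere Clouds,DC=mycompany,DC=com": {
        "objectclass": "groupOfNames",
        "member": "uid=janesmith,CN=users,DC=mycompany,DC=com"},
}

def escape_filter_value(value):
    """Escape a value so it cannot change the structure of the filter it is placed in."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def resolve_provider_url(url):
    """Return (host, port, uses_tls); an omitted port defaults by scheme to 389 or 636."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    return parts.hostname, port, parts.scheme == "ldaps"

def fill_filter(template, value):
    """Substitute the {0} placeholder with the escaped login ID (or user DN)."""
    return template.replace("{0}", escape_filter_value(value))

def search(base_dn, ldap_filter):
    """Evaluate an AND-of-equalities filter such as (&(uid=x)(objectclass=y)) under base_dn."""
    terms = re.fullmatch(r"\(&((?:\([^()=]+=[^()]*\))+)\)", ldap_filter)
    if not terms:
        raise ValueError("only (&(attr=value)...) filters are modelled here")
    wanted = dict(re.findall(r"\(([^()=]+)=([^()]*)\)", terms.group(1)))
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith(base_dn) and all(attrs.get(a) == v for a, v in wanted.items())]

def authenticate_lookup(login_id):
    """Assumed two-step lookup: resolve the user DN first, then the groups listing that DN."""
    users = search("CN=users,DC=mycompany,DC=com", fill_filter(USER_FILTER, login_id))
    if len(users) != 1:  # no match, or an ambiguous match: do not authenticate
        return None, []
    groups = search("DC=mycompany,DC=com", fill_filter(GROUP_FILTER, users[0]))
    return users[0], groups
```

Calling authenticate_lookup("janesmith") returns the user DN and its group DNs, the same information the Found LDAP User DN and Found LDAP Group DN messages report; a login ID of "*" is escaped to \2a and matches nothing.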