Setting LDAP parameters for Oracle LDAP Server

Define configuration parameters for IBM® Directory Server to provide extra security options for your environment.

Before you begin

Before setting configuration parameters, perform authentication tests to confirm that user, group, and membership search filters work properly. For more information, see the Related tasks section.

You must be assigned the Security administration role with permission to Manage security (Full permission) to perform these steps.

About this task

You might need to modify the example search parameters in the following steps to match your LDAP server schema.

You can use the console, the command line interface, or the REST API to complete this task. For the command line and REST API information, see the Related information section.

Procedure

  1. Click System > System Security.
  2. Expand the LDAP Settings section, and set the following configuration parameters.
    LDAP provider URL
    The LDAP server host name, port number, and LDAP or LDAPS protocol. The host name must be either the fully qualified domain name or the IP address of your LDAP server. The URL must begin with ldap:// for standard LDAP or with ldaps:// when connecting to the LDAP server through a Secure Sockets Layer (SSL) tunnel.

    The LDAPS protocol is recommended for protecting sensitive user credential information. When selecting LDAPS, you must verify and accept the LDAP server X.509 certificate.

    Security certificate
    The security certificate is used only when PureApplication® Software is configured with LDAP over an SSL connection, for example using ldaps:// in the address. The security certificate must be an X.509 certificate and stored locally on PureApplication Software. The system uses the security certificate to determine whether to trust the LDAP server or servers.

    Use the Certificate number to store field to allow the system to trust a clustered LDAP environment in which each LDAP server has a unique X.509 certificate that is issued by a common certificate authority. When PureApplication Software is configured to trust the common certificate authority, the system by default trusts all certificates that are issued by that authority.

    LDAP security authentication
    The distinguished name (DN) of an LDAP user who is allowed to search the LDAP directory if the LDAP server does not allow anonymous access.
    Password
    The password for the LDAP user.
    LDAP base DN (users)
    The base DN subtree that is used when searching for user entries on the LDAP server. Use LDAP Data Interchange Format (LDIF) syntax for the entries.
    LDAP base DN (groups)
    The base DN subtree that is used when searching for group entries on the LDAP server.
    Search filter (users)
    Note: Confirm that the user search filter is effective by performing an LDAP authentication test. For more information, click Testing LDAP authentication settings in the Related tasks section below.
    Filter for finding entries in the LDAP base DN (users) subtree that match the user name. For example, see the following entry:
    dn: uid=User1,ou=People,dc=example,dc=com
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: top
    street: The Street Crt
    roomNumber: A1
    employeeType: regular
    homePostalAddress: 123456
    carLicense: carLicense
    homePhone: 123456789
    uid: user1
    registeredAddress: Address fake
    preferredDeliveryMethod: mail
    employeeNumber: 1
    title: Test User
    postalCode: 123456
    sn: user1
    businessCategory: businessCategory
    mobile: 123456789
    givenName: User
    postalAddress: 123456
    cn: Test User1
    displayName: Test user for LDAP testing
    telephoneNumber: 123456789
    initials: T.U.
    postOfficeBox: 123
    photo: c://eugen/photo.bmp
    mail: user1@us.ibm.com
    preferredLanguage: English
    facsimileTelephoneNumber: 123456789
    departmentNumber: 123456
    description: Description
    The following filter searches for entries whose user ID attribute (uid) matches the user ID that was used to log in to the system. This filter only looks for entries within the inetOrgPerson object class.
    "(&(uid={0})(objectclass=inetOrgPerson))"

    When the match occurs, the {0} placeholder is replaced by the user ID from the login screen.

    Search filter (groups)
    Note: Confirm that the group search filter is effective by performing an LDAP authentication test. For more information, click Testing LDAP authentication settings in the Related tasks section below.
    Filter for finding entries in the LDAP base DN (groups) subtree that match the group name. For example, see the following entry:
    dn: cn=Everyone,ou=Groups,dc=example,dc=com
    objectClass: groupOfUniqueNames
    objectClass: top
    cn: Everyone
    ou: Groups
    description: LDAP group of all LDAP test users
    uniqueMember: uid=User1, ou=People,dc=example,dc=com
    uniqueMember: uid=User2, ou=People,dc=example,dc=com
    The following filter searches for entries whose group ID attribute (cn) matches the group name. This filter only searches for entries that are within the groupOfUniqueNames object class.
    "(&(cn={0})(objectclass=groupOfUniqueNames))"

    When the match occurs, the {0} placeholder is replaced by the group name.

    LDAP membership search filter pattern
    Note: Confirm that the member search filter is effective by performing an LDAP authentication test. For more information, click Testing LDAP authentication settings in the Related tasks section below.
    Filter used for returning a list of group member entries that are in the LDAP base DN (groups) subtree. For example, the following filter searches for entries in the groupOfUniqueNames object class that contain a particular group as a member.
    "(&(uniqueMember={0})(objectclass=groupOfUniqueNames))" 

    When the match occurs, the {0} placeholder is replaced by the member name.

    LDAP user search attribute
    The name of the attribute that represents the unique ID of the user. Typically, the value for LDAP user search attribute matches the user ID attribute (uid) that is used in the user search filter.
    Note: The value for LDAP user search attribute must match the value that was used when adding the user to the system.
    LDAP group search attribute
    The name of the attribute in the group search filter that represents the group name. Typically, the value for LDAP group search attribute matches the group ID attribute that is used in the group search filter. For example, if the attribute name is cn in the group search filter, the value for LDAP group search attribute should also be cn. The cn value is the default value if none is specified.
    LDAP membership search attribute
    The member user attribute in a group. If this attribute is not provided, the membership search uses the full distinguished name (DN) of the user, for example member: cn=Test User1, ou=WebSphere, o=IBM, c=US. Only specify a different value when you want to use a particular attribute of the DN instead of the full DN in the search query.
    LDAP JNDI connect pool
    JNDI connection pooling is enabled when the value is set to Yes, which is the default value. Consult an IBM service engineer before changing this setting.
    LDAP JNDI read timeout (in milliseconds)
    The amount of time to wait for the LDAP server to respond. The default value is five minutes. Specify a value of 0 to disable the timeout option.
    LDAP server type
    The type of LDAP server. When using Oracle LDAP Server, select Generic LDAP.
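The three filter patterns above (users, groups, membership) are applied in sequence at login: the user filter resolves the login ID to one entry, that entry's DN is substituted into the membership filter, and the matching groups are returned. The following Python is an added example, not part of this page or of PureApplication Software; it replays that chain against trimmed copies of the LDIF entries shown above, escapes the value substituted for {0} per RFC 4515 so that what is typed on the login screen can never change the shape of the filter, and shows why DN comparison must tolerate the space after the comma in the group's uniqueMember values:

```python
import re
# Constructed sample entries, trimmed from the LDIF examples shown on this page.
USER_LDIF = """dn: uid=User1,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: user1
cn: Test User1"""
GROUP_LDIF = """dn: cn=Everyone,ou=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: Everyone
uniqueMember: uid=User1, ou=People,dc=example,dc=com
uniqueMember: uid=User2, ou=People,dc=example,dc=com"""
# The filter patterns exactly as given in the procedure.
USER_FILTER = "(&(uid={0})(objectclass=inetOrgPerson))"
GROUP_FILTER = "(&(cn={0})(objectclass=groupOfUniqueNames))"
MEMBER_FILTER = "(&(uniqueMember={0})(objectclass=groupOfUniqueNames))"

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a value typed on the login screen cannot add or close filter clauses."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)
def unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
def expand(pattern: str, value: str) -> str:
    """Replace the {0} placeholder as the page describes, escaping the substituted value."""
    return pattern.replace("{0}", escape_filter_value(value))
def parse_ldif(text: str) -> dict:
    """One LDIF entry -> {lowercased attribute: [values]}; attribute names are case-insensitive."""
    entry = {}
    for line in text.splitlines():
        attr, _, val = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(val.strip())
    return entry
def normalize(value: str) -> str:
    """caseIgnore comparison that also folds 'uid=User1, ou=People' onto 'uid=User1,ou=People'."""
    return re.sub(r",\s+", ",", value).lower()
def matches(filter_str: str, entry: dict) -> bool:
    """Evaluate an AND-of-equalities filter (the only shape this page uses); malformed filters fail closed."""
    inner = re.fullmatch(r"\(&((?:\([^()]+\))+)\)", filter_str)
    return bool(inner) and all(
        normalize(unescape_filter_value(val)) in map(normalize, entry.get(attr.lower(), []))
        for attr, val in re.findall(r"\(([^=()]+)=([^()]*)\)", inner.group(1)))
def lookup_groups(login_id: str, users: list, groups: list) -> list:
    """The page's chain: user filter -> exactly one user DN -> membership filter over the groups."""
    hits = [u for u in users if matches(expand(USER_FILTER, login_id), u)]
    if len(hits) != 1:  # no such user, or an ambiguous match: deny rather than guess
        return []
    return [g["cn"][0] for g in groups if matches(expand(MEMBER_FILTER, hits[0]["dn"][0]), g)]

USERS, GROUPS = [parse_ldif(USER_LDIF)], [parse_ldif(GROUP_LDIF)]
```

Calling lookup_groups("User1", USERS, GROUPS) returns ["Everyone"]; a login ID containing filter metacharacters is escaped to a literal value and matches nothing.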