Configuring an external LDAP server for system user authentication

The system administrator uses the ap_external_ldap utility on the system to configure an external LDAP server for user authentication. For information on all command options, see the ap_external_ldap command reference.

Before you begin

Note:
  • When authentication is enabled with external Windows AD or LDAP, the same username cannot be used on both local and external LDAP servers.
  • You must manually delete the /home/<user directory> for any user removed from the local server or Windows AD.
  • Anonymous user binding with LDAP is not supported; the LDAP bind user must provide a password when enabling the LDAP configuration.
Before configuring external LDAP in the system, gather the following information:
  • Host of the LDAP server and port. For example: myserver.com and 389
  • Distinguished Name/Domain Name (dn) of the LDAP directory. For example: myldaporg.com
  • Bind user information: the user ID and password of the LDAP domain user who has access to query all user and group information. For example: myuseradmin and myadminpasswd
In addition, decide whether to use SSL or TLS to connect to the LDAP server.

Procedure

  1. Log in to the system control node as apadmin or as another member of the ibmapsysadmins group.
  2. Run the ap_external_ldap command with the following arguments:
    • When not using SSL:
      ap_external_ldap enable --server ldap://ADserverHostname --port 389 --search-base-dn "dc=myldaporg,dc=com" --search_user_dn "cn=usernamewithoutspace, dc=domain,dc=com" --search_user_password "SearchuserPassword" --searchfield sAMAccountName
    • When using SSL:
      To use SSL, specify ldaps:// in the hostname of the --server option and the SSL port of your LDAP server in the --port option, as in the following example:
      ap_external_ldap enable --server ldaps://ADserverHostname --port 636 --search-base-dn "dc=myldaporg,dc=com" --search_user_dn "cn=usernamewithoutspace, dc=domain,dc=com" --search_user_password "SearchuserPassword" --searchfield sAMAccountName
    Note:
    • In the --server option, the hostname must be prefixed with:
      • ldap:// (as in ldap://adhostname) for configuration without SSL
      • ldaps:// (as in ldaps://adhostname) for configuration with SSL
    • In the --search_user_dn option, the cn or uid value must not contain spaces, and all dn components must be supplied for the user (for example, "cn=userwithoutspace, dc=domain,dc=com").
    • In the --searchfield option, the value must be:
      • for Windows Active Directory integration: sAMAccountName
      • for an OpenLDAP server: either uid or cn
  3. Once the command runs successfully, verify your setting by using the id command.
    For example, if user1 is a user ID from your LDAP database, then the following command returns the ID and group info of this user successfully:
    id user1
  4. To allow system operations for users from the external directory, add these users with the ap_external_ldap useradd command. Its options are shown by the following command:
     ap_external_ldap useradd -h
    usage: ap_external_ldap useradd [-h] -u USERNAME -d DISPLAYNAME -g {2001,2002}
                                    -e EMAIL
    
    optional arguments:
      -h, --help            show this help message and exit
      -u USERNAME, --user USERNAME
                            username from LDAP or Active Directory server
      -d DISPLAYNAME, --displayname DISPLAYNAME
                            displayName of user from LDAP or Active Directory
                            server
      -g {2001,2002}, --groupid {2001,2002}
                            platform groupid: 2001 for ibmapsysadmins, 2002 for
                            ibmapsysusers
      -e EMAIL, --email EMAIL
                            email of user from LDAP or Active Directory server
    
    For example, to add a user named myaduser to the group ibmapsysadmins, run the following command:
    ap_external_ldap useradd -u myaduser -g 2001 -d myaduserdisplayname -e myaduser@mail.com
    Successfully added LDAP user:myaduser to system operation
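The following shell script is an added example, not part of the product or this page: it encodes the constraints from the notes in step 2 (scheme prefix on --server, numeric --port, no spaces in the cn/uid of --search_user_dn, a dc= suffix, and an allowed --searchfield value) as a pre-flight check to run before ap_external_ldap enable, and it checks the id output from step 3 for membership in one of the platform group IDs used by useradd (2001 or 2002). The function names check_ldap_enable_args and check_id_output, and the sample id line, are assumptions constructed for the example; nothing here calls the real ap_external_ldap command.

```shell
#!/bin/sh
# Added example: pre-flight checks for the ap_external_ldap procedure.
# Function names are assumptions; this is not product code.

# check_ldap_enable_args SERVER PORT SEARCH_USER_DN SEARCHFIELD
# Returns 0 when the arguments satisfy the notes in step 2, 1 otherwise.
check_ldap_enable_args() {
    server=$1; port=$2; search_user_dn=$3; searchfield=$4

    # --server must carry the ldap:// or ldaps:// scheme prefix.
    case "$server" in
        ldap://*|ldaps://*) ;;
        *) echo "server must start with ldap:// or ldaps://" >&2; return 1 ;;
    esac

    # --port must be a plain number (389 or 636 in the page's examples).
    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
    esac

    # The first RDN of --search_user_dn must be cn= or uid= with no spaces in its value.
    rdn=${search_user_dn%%,*}                 # text before the first comma, e.g. cn=svcuser
    case "$rdn" in
        cn=*|uid=*) ;;
        *) echo "search_user_dn must start with cn= or uid=" >&2; return 1 ;;
    esac
    case "${rdn#*=}" in
        '')    echo "cn/uid value is empty" >&2; return 1 ;;
        *' '*) echo "cn/uid value must not contain spaces" >&2; return 1 ;;
    esac

    # All dn components must be supplied: require at least one dc= after the RDN.
    case "$search_user_dn" in
        *,*dc=*) ;;
        *) echo "search_user_dn must include the dc= components" >&2; return 1 ;;
    esac

    # --searchfield is sAMAccountName for AD, uid or cn for OpenLDAP.
    case "$searchfield" in
        sAMAccountName|uid|cn) ;;
        *) echo "searchfield must be sAMAccountName, uid or cn" >&2; return 1 ;;
    esac
    return 0
}

# check_id_output ID_OUTPUT GID
# Returns 0 when one line of `id` output lists GID as the primary or a
# supplementary group, 1 otherwise. Used to confirm step 3 resolved the
# user into a platform group (2001 ibmapsysadmins, 2002 ibmapsysusers).
check_id_output() {
    out=$1; gid=$2
    primary=$(printf '%s\n' "$out" | sed -n 's/.*gid=\([0-9]*\)(.*/\1/p')
    [ "$primary" = "$gid" ] && return 0
    # Keep only the groups= list and make every entry comma-delimited.
    groups=$(printf '%s\n' "$out" | sed 's/.*groups=//; s/ /,/g')
    case ",$groups," in
        *",$gid("*) return 0 ;;
    esac
    return 1
}

# Constructed sample of `id` output; not taken from a real system.
SAMPLE_ID='uid=1001(user1) gid=2001(ibmapsysadmins) groups=2001(ibmapsysadmins),100(users)'

# Stand-alone demonstration with assumed sample values.
if check_ldap_enable_args "ldaps://adhost" 636 "cn=svcuser, dc=domain,dc=com" sAMAccountName \
   && check_id_output "$SAMPLE_ID" 2001; then
    echo "pre-flight checks passed"
fi
```

The validator deliberately takes no --search_user_password argument, so the bind password never appears in its diagnostics; only the arguments whose format the page constrains are checked.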