Configuring LDAP - Advanced method

You can configure LDAP in the GUI with the Advanced method by updating the LDAP registry file.

Before you begin

You can configure LDAP in two ways:
  • On the Basic tab, you complete fields that Copy Services Manager uses to set up the configuration. For the Basic method, go to Configuring LDAP - Basic method.
  • On the Advanced tab, you can directly edit the raw data in the LDAP registry file for a more customized approach. Or, if you already have a custom LDAP configuration, you must use the Advanced tab to make changes. This topic covers the Advanced method.
Notes:
  • Copy Services Manager only tests the configuration on the current tab that you are viewing, whether Basic or Advanced. Changes that you make in one tab are not synchronized immediately with the other tab. After saving the configuration, changes can be seen by clicking Modify again and viewing the tabs.

About this task

Follow these steps if you select the Advanced tab for configuring LDAP:

Procedure

  1. Edit the ldapRegistry.xml file. The wizard displays the file with syntax highlighting to assist you. See the WebSphere Application Server Liberty documentation for a full listing of the tags and attributes available for the LDAP registry file.
    The ldapRegistry.xml file must be enclosed in server tags as shown:
    <server>
        <ldapRegistry>
        </ldapRegistry>
    </server>

    Note: The password in the Advanced tab view is encrypted when you save it. To change the password, starting with V6.2.7, you can use the Bind Password field on the Advanced tab instead of modifying the ldapRegistry.xml file in clear text.

    If you update the password in the ldapRegistry.xml file in plain text and save the file, Copy Services Manager encrypts the password so that it does not appear in plain text the next time the wizard is opened. However, the clear-text value still passes through the editor and through anything that captures it (clipboard, screen sharing, a copy of the file). To avoid entering a password in plain text at all, use the Bind Password field on the Advanced tab instead.

  2. Optional: Select the Enable SSL check box to load the SSL certificate for the LDAP server that you are connecting to, so that the connection is made over SSL and the server can be verified. Then, click Load Certificate and select the file name.
    Notes:
    • This action adds the attributes sslEnabled="true" and sslRef="ldapsslref" to the configuration. These attributes need to be removed from the text to disable SSL.
    • When you modify an existing LDAP server configuration, the Enable SSL check box is already selected, and the associated SSL attributes are already set to sslEnabled="true" and sslRef="ldapsslref". You can use the existing certificate file that is displayed, or click Load Certificate again if you need to load a new one. Or, remove these attributes from the ldapRegistry.xml file to disable SSL.
    • You can load a certificate file that contains multiple certificates in a single file, if needed. For more information, see Creating a file with multiple certificates for LDAP configuration.
  3. Optional: If you plan to use a configuration with nested groups, add the following parameter to the ldapRegistry element in the ldapRegistry.xml file:
    recursiveSearch="true"
    See Configuring nested groups in LDAP for more information.
  4. Click Test to test the connection. If the system cannot connect, an error message appears.
    Note: If you get a message that no users or groups were found, the connection and bind succeeded but the base DN or filters did not match anything; you can modify your inputs and click Test again. Alternatively, you can save the configuration without making more changes.
  5. Click Save to complete the LDAP configuration, or click Cancel to exit.
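
The following is an added example of what a completed ldapRegistry.xml might look like after steps 1 to 3; it is not taken from the Copy Services Manager or WebSphere Liberty documentation. The host name, port, realm, base DN, bind DN, id and ldapType values are placeholders, and the ssl configuration referenced by sslRef="ldapsslref" is assumed to be supplied by the wizard when you click Load Certificate, so it is not defined here. The weak form is left in a comment only for contrast with the hardened form below it.

```xml
<!-- Added example, not part of the product documentation.
     All host names, DNs, ids and the realm are placeholder assumptions. -->
<server>

    <!-- Weak form (do not save this):
         plain LDAP on 389, no SSL attributes, no recursiveSearch,
         and a clear-text bindPassword typed straight into the file.
    <ldapRegistry id="ldap" realm="ExampleRealm"
        host="ldap.example.com" port="389"
        baseDN="dc=example,dc=com"
        bindDN="cn=csm-bind,ou=service,dc=example,dc=com"
        bindPassword="ClearTextSecret"
        ldapType="Microsoft Active Directory" />
    -->

    <!-- Hardened form:
         * port 636 with sslEnabled/sslRef, as added by Enable SSL + Load Certificate
         * recursiveSearch="true" so nested group membership is resolved (step 3)
         * bindPassword deliberately omitted from the file: enter it in the
           Bind Password field on the Advanced tab, which stores it encrypted
           (assumption: the field supplies the value the registry needs) -->
    <ldapRegistry id="ldap" realm="ExampleRealm"
        host="ldap.example.com" port="636"
        ignoreCase="true"
        baseDN="dc=example,dc=com"
        bindDN="cn=csm-bind,ou=service,dc=example,dc=com"
        ldapType="Microsoft Active Directory"
        sslEnabled="true"
        sslRef="ldapsslref"
        recursiveSearch="true" />

</server>
```

Two checks before you click Save: confirm the whole content is still enclosed in a single pair of server tags (the wizard rejects a bare ldapRegistry element), and confirm that both sslEnabled="true" and sslRef="ldapsslref" are present or both absent, since removing only one of them leaves the configuration inconsistent. Note that the bind account used here needs only read access to the users and groups subtree; do not reuse an administrative directory account as the bind identity.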

Results

When all the fields are correctly completed, and the test connection is successful, one or more servers are configured for LDAP authentication.