Managing DSM user authentication with LDAP

Use an LDAP server to manage your Data Server Manager (DSM) user authentication.

About this task

You can use an external LDAP server to authenticate DSM users, while maintaining your DSM Administrator accounts and privileges with DSM. There are three ways to manage your DSM user credentials:
Simple mode
Use simple mode to authenticate if the DSM user exists in a centralized location on the LDAP side, and all entries under this centralized location are assumed to be the DSM user. All entries should be accessed anonymously or with a bind account with the proper privileges in LDAP.
Advanced mode
Users can use this mode if the DSM users exist in multiple locations on the LDAP managed side. All entries that meet the customized search conditions for those locations are recognized as DSM user.
DSM locates specific users in an LDAP directory and retrieve all users from the LDAP server by doing LDAP searches with customized search filters from several base distinguished names. Therefore, it must be possible for the related locations to be accessed anonymously; otherwise, the search can be done by a bind account with a proper privilege in LDAP.

The selected attribute for DSM login for each user must be unique on the LDAP side.

Manual mode

Users are added manually by a DSM super administrator. Use this mode only if you are unable to access the LDAP server anonymously, and when you can not acquire a bind account to perform search operations on the LDAP server. Do not enable this mode if you have an appropriate bind account. This mode is based on the function of 'Simple mode'. Therefore, if this mode is enabled, the configuration would leverage the same parameters required by 'Simple mode'.

Procedure

  1. If you haven't already installed IBM Data Server Manager, run the setup shell script to complete your installation.
  2. Stop the DSM service or application you are running.
  3. Navigate to the location where you installed DSM and open the /Config folder.
  4. Open the dswebserver_override.properties file and enable the LDAP authentication option: 
    dsweb.customauth.ldap=true
    If you do not have an LDAP bind account and want to enable the Manual mode, also add the following line:
    dsweb.customauth.enableAddLDAPUser=true
  5. From the same directory, open the customldap.properties file and set the following LDAP properties:
    Table 1. Basic LDAP configuration information (all modes)
    Parameter name Description Example or format
    ldap.host Host name or IP address of LDAP server. localhost
    ldap.port Port number of LDAP server. 389
    ldap.bind.dn Distinguished name (DN) of a bind account for DSM. CN=dsmadmin,CN=DSMdata,DC=DataServerManager,DC=COM
    ldap.bind.password Encrypted password of a bind account for DSM. wtiv2_xxxxxxxx...
    Note: To generate an encrypted password, use the script at <dsm install location>/dsutil/bin/crypt.sh(.bat)
    Table 2. LDAP user information (simple mode and manual mode)
    Parameter name Description Example or format
    ldap.user.parent.dn The DN that uniquely identifies the LDAP parent node. ou=DBAUnit,dc=example,dc=com

    where ou is the organizational unit (group) the user belongs to; dc represents each component of the domain dataservermanager.com. Entries under this node are treated as DSM users.
    ldap.user.rdn.attribute.type The Relative distinguished name (RDN) for user entries in LDAP. cn, uid, etc
    Table 3. LDAP configuration and user information (advanced mode)
    Parameter name Description Example or format
    ldap.use.advanced.mode Change this value to enable or disable LDAP advanced mode. true or false
    ldap.user.base.dn Base DNs for searching DSM users in LDAP. BaseDN1;BaseDN2;...;BaseDNn
    ldap.user.search.filter Search filter for searching DSM users in LDAP. 
    (|
(objectClass=person) 
(objectClass=organizationalPerson) 
(objectClass=inetOrgPerson) 
)
    ldap.user.login.attribute.type Attribute for DSM users to input as the User ID (UID) when logging in to DSM. mail
  6. Save your changes and close the customldap.properties file.
  7. Restart your Data Server Manager service or application.
  8. Log in to Data Server Manager.
    For simple mode and manual mode, the value of the attribute set in ldap.user.rdn.attribute.type is treated as the DSM user name. The value should be the RDN value of user entries.
    For advanced mode, the value of the attribute set in ldap.user.login.attribute.type is treated as the DSM user name. It must be a unique value in the LDAP directory.
  9. Manage privileges.
    Console privileges are still managed from the DSM console, where DSM administrators can assign new roles to other users, and change roles of other users, on the Users and Privileges page (under Settings).
    • In simple mode, all users that are listed in ldap.user.parent.dn have a DSM user role, at minimum.
    • In advanced mode, all users that are listed in the search results have a DSM user role, at minimum.
    • in manual mode, users can successfully log in only if they are added, assigned a role, and a listed in ldap.user.parent.dn. Only super administrator can add users.
  10. Configure parameters of LDAP connection pooling in customldap.properties file. If the value is not configured, a default value will be used.
    The parameters are as follows:
    • ldap.connection.timeOutMill - Specifies the timeout value in millisecond of a single connection. Default is 15 minutes.
    • ldap.connection.pool.lifo- Determines whether or not the pool returns idle objects in last-in-first-out order. The default setting for this parameter is true.
    • ldap.connection.pool.maxActive - Controls the maximum number of objects that can be allocated by the pool (checked out to clients, or idle awaiting checkout) at a given time. When non-positive, there is no limit to the number of objects that can be managed by the pool at one time. When maxActive is reached, the pool is said to be exhausted. The default setting for this parameter is 8.
    • ldap.connection.pool.maxIdle- Controls the maximum number of objects that can sit idle in the pool at any time. When negative, there is no limit to the number of objects that may be idle at one time. The default setting for this parameter is 8.
    • ldap.connection.pool.max- Specifies the maximum amount of time to wait for an idle object when the pool is exhausted and whenExhaustedAction setting is WHEN_EXHAUSTED_BLOCK.
    • ldap.connection.pool.minEvictableIdleTimeMill- Specifies the minimum amount of time that an object may sit idle in the pool before it is eligible for eviction due to idle time. When non-positive, no object will be dropped from the pool due to idle time alone. This setting has no effect unless timeBetweenEvictionRunsMill is > 0. The default setting for this parameter is 30 minutes.
    • ldap.connection.pool.minIdle - Specifies the minimum number of idle objects in my pool.
    • ldap.connection.pool.numTestsPerEvictionRun- Determines the number of objects examined in each run of the idle object evictor. This setting has no effect unless timeBetweenEvictionRunsMill is > 0. The default setting for this parameter is 3.
    • ldap.connection.pool.softMinEvictableIdleTimeMill- Specifies the minimum amount of time an object may sit idle in the pool before it is eligible for eviction by the idle object evictor (if any), with the extra condition that at least "minIdle" object instances remain in the pool. When non-positive, no objects will be evicted from the pool due to idle time alone. This setting has no effect unless timeBetweenEvictionRunsMill is > 0. and it is superseded by minEvictableIdleTimeMill is (that is, if minEvictableIdleTimeMill is positive, then softMinEvictableIdleTimeMill is ignored). The default setting for this parameter is -1 (disabled).
    • ldap.connection.pool.testOnBorrow- When testOnBorrow is set, the pool will attempt to validate each object before it is returned from the borrowObject() method. Objects that fail to validate will be dropped from the pool, and a different object will be borrowed. The default setting for this parameter is false.
    • ldap.connection.pool.testOnReturn- When testOnReturn is set, the pool will attempt to validate each object before it is returned to the pool in the returnObject(T) method. Objects that fail to validate will be dropped from the pool. The default setting for this parameter is false.
    • ldap.connection.pool.testWhileIdle- Indicates whether or not idle objects should be validated using the factory's PoolableObjectFactory.validateObject(T) method. Objects that fail to validate will be dropped from the pool. This setting has no effect unless timeBetweenEvictionRunsMill is > 0. The default setting for this parameter is false.
    • ldap.connection.pool.timeBetweenEvictionRunsMill- Indicates how long the eviction thread should sleep before "runs" of examining idle objects. When non-positive, no eviction thread will be launched. The default setting for this parameter is -1 ( that is, idle object eviction is disabled by default).
    • ldap.connection.pool.whenExhaustedAction- Specifies the behavior of the borrowObject() method when the pool is exhausted. WHEN_EXHAUSTED_FAIL, WHEN_EXHAUSTED_GROW, WHEN_EXHAUSTED_BLOCK. The default whenExhaustedAction setting is WHEN_EXHAUSTED_BLOCK and the default maxWait setting is -1. By default, therefore, borrowObject will block indefinitely until an idle instance becomes available.
    For more information, refer to Apache common pool.
    Note: The following configuration is recommended to prevent connection timeout issues:
    ldap.connection.pool.testOnBorrow=true
ldap.connection.pool.minEvictableIdleTimeMillis=60000
ldap.connection.pool.timeBetweenEvictionRunsMillis=120000