Enabling LDAP on WebSphere Application Server

You can set up the Lightweight Directory Access Protocol (LDAP) on WebSphere Application Server.

About this task

LDAP registries contain record of users and groups. When configuring a WebSphere server (either Liberty or full WAS) for LDAP authentication, you must specify queries to identify records that represent users and groups. Use the userFilter and groupFilter attributes to identify user records and group records. The userFilter attribute identifies only user records. The groupFilter attribute identifies only group records.
For example:
  • userFilter="(&(uid=%v)(objectclass=inetOrgPerson))"
  • groupFilter="(&(cn=%v)(|(objectclass=groupOfNames)(objectclass=posixGroup)))"
If you use LDAP (including LDAP and LDAP/SDBM) for user management and you enable the option to not use case-sensitive user management, make sure that Jazz® Team Server is also configured to allow user management that is not case sensitive. To configure the Jazz Team Server login property, on the Advanced Properties page of the Administrative web interface, modify the Use case insensitive user ID matching property.

Procedure

  1. From the WebSphere Application Server Integrated Solutions Console, click Security > Global security.
  2. Apply the following security settings, and then click Apply and save the changes.
    • Enable administrative security: on
    • Enable application security: on
    • User account repository/Available realm definitions: standalone LDAP registry
    • In the User account repository section, click Configure, and enter information about the general properties:
      • Primary administrative user name: Your user ID
      • Server user identity: Automatically generated server identity
      • Host: Name of the LDAP server
      • Port: Port of the LDAP server. Default is 389.
      • Type of LDAP server: Custom
      • Search timeout: 120 seconds
      • Base distinguished name (DN): The base distinguished name of the directory service
  3. Click Test connection to make sure you can successfully connect to your LDAP server.
  4. In the Additional Properties section, click Advanced Lightweight Directory Access Protocol (LDAP) user registry settings and provide the information in the General Properties fields as follows:
    Remember: Replace the objectclass values and use the values that your LDAP administrator provided for configuring WebSphere Application Server.
    • User filter:
      (&(uid=%v)(objectclass=inetOrgPerson))
    • Group filter:
      (&(cn=%v)(|(objectclass=groupOfNames)(objectclass=posixGroup)))
    • User ID map:
       *:uid
    • Group ID map:
      *:cn
    • Group member ID map, where ibm is replaced with your ID:
      ibm-allGroups:member;ibm-allGroups:uniqueMember 
  5. Click Apply and save the changes. Confirm each setting by clicking Apply and Save on each screen.
  6. Click OK to go back to the Global Security page.
  7. Set Standalone LDAP registry as the current realm definition by clicking Set as Current.
  8. Stop and restart WebSphere Application Server.
  9. After WebSphere Application Server restarts, validate the changes by logging on to the Integrated Solutions Console.