Customizing the user registry for Java Platform, Enterprise Edition
The Liberty user registry is used as the default registry for the Java™ Platform, Enterprise Edition components. This registry can be customized to use the LDAP user registries.
To customize the user registry, complete the following steps.
- Import the LDAP certificate to the Liberty truststore. For more information, see Add an LDAP certificate to the FTM keystore.
- Copy the server configuration snippet to the ConfigMap.
The custom server XML snippet must include the <ldapRegistry> and the <administrator-role> elements. The user that is named in the <administrator-role> element is assigned the administrator role, which grants access to the Liberty admin center.
Note: The users that are defined in the configured LDAP must also be created in the FTM database, with appropriate permissions, to gain access to the FTM user interface.
Example LDAP configuration XML snippets
The LDAP configuration snippet for the Control Center pod is shown in the following example.
<server>
    <ldapRegistry id="ldap" host="ldap-hostname/ip" port="ldap-port"
        ignoreCase="true"
        baseDN="o=mycompany,c=us"
        ldapType="IBM Tivoli Directory Server"
        sslEnabled="true"
        sslRef="defaultSSLConfig"
        recursiveSearch="true">
        <!-- The LDAP AND operator '&' must be escaped as '&amp;' inside XML attribute values -->
        <idsFilters
            groupFilter="(&amp;(cn=%v)(objectclass=groupOfUniqueNames))"
            groupMemberIdMap="groupOfUniqueNames:uniquemember"
            userFilter="(&amp;(emailAddress=%v)(objectclass=ePerson))"
            userIdMap="*:emailAddress"
            groupIdMap="*:cn"/>
    </ldapRegistry>
    <administrator-role>
        <user>LDAP-User</user>
    </administrator-role>
</server>
The LDAP configuration snippet for the OAC pod must include <ldapRegistry>, <administrator-role>, and <run-as> entries, as shown in the following example.
<server>
    <ldapRegistry id="ldap" host="ldap-hostname/ip" port="ldap-port"
        ignoreCase="true"
        baseDN="o=mycompany,c=us"
        ldapType="IBM Tivoli Directory Server"
        sslEnabled="true"
        sslRef="defaultSSLConfig"
        recursiveSearch="true">
        <!-- The LDAP AND operator '&' must be escaped as '&amp;' inside XML attribute values -->
        <idsFilters
            groupFilter="(&amp;(cn=%v)(objectclass=groupOfUniqueNames))"
            groupMemberIdMap="groupOfUniqueNames:uniquemember"
            userFilter="(&amp;(emailAddress=%v)(objectclass=ePerson))"
            userIdMap="*:emailAddress"
            groupIdMap="*:cn"/>
    </ldapRegistry>
    <administrator-role>
        <user>LDAP-User</user>
    </administrator-role>
    <application id="OAC">
        <application-bnd id="OAC-BND">
            <security-role id="OAC-SR">
                <run-as userid="LDAP-User"/>
            </security-role>
        </application-bnd>
    </application>
</server>
Note: In the LDAP configuration snippet for the OAC, the IDs for <application>, <application-bnd>, and <security-role> must match the IDs that are in the server.xml.
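Before a snippet is copied into the ConfigMap, it is worth checking that it is well-formed XML, that LDAP over TLS is enabled with a truststore reference, that an administrator user is named, and, for the OAC pod, that the <run-as> entry is present. The following pre-flight check is an added example, not part of the FTM documentation or product; the embedded snippet is a constructed copy of the OAC example above with the '&' in the filters escaped, and the check names are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the OAC snippet from this page, with '&' escaped as '&amp;'.
SAMPLE_SNIPPET = """<server>
  <ldapRegistry id="ldap" host="ldap-hostname/ip" port="ldap-port" ignoreCase="true"
      baseDN="o=mycompany,c=us" ldapType="IBM Tivoli Directory Server"
      sslEnabled="true" sslRef="defaultSSLConfig" recursiveSearch="true">
    <idsFilters groupFilter="(&amp;(cn=%v)(objectclass=groupOfUniqueNames))"
        groupMemberIdMap="groupOfUniqueNames:uniquemember"
        userFilter="(&amp;(emailAddress=%v)(objectclass=ePerson))"
        userIdMap="*:emailAddress" groupIdMap="*:cn"/>
  </ldapRegistry>
  <administrator-role><user>LDAP-User</user></administrator-role>
  <application id="OAC"><application-bnd id="OAC-BND">
    <security-role id="OAC-SR"><run-as userid="LDAP-User"/></security-role>
  </application-bnd></application>
</server>"""


def check_snippet(xml_text, require_run_as=False):
    """Return a list of problems found in an LDAP server.xml snippet (empty list = OK)."""
    problems = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # An unescaped '&' inside a filter attribute ends up here.
        return [f"not well-formed XML: {exc}"]
    reg = root.find("ldapRegistry")
    if reg is None:
        return ["missing <ldapRegistry> element"]
    if reg.get("sslEnabled", "false").lower() != "true":
        problems.append("ldapRegistry: sslEnabled must be true (LDAP over TLS)")
    if not reg.get("sslRef"):
        problems.append("ldapRegistry: sslRef missing, no truststore configuration referenced")
    for attr in ("host", "port", "baseDN"):
        val = reg.get(attr, "")
        if not val or val != val.strip():
            problems.append(f"ldapRegistry: attribute {attr!r} is empty or has stray whitespace")
    admins = [u.text.strip() for u in root.findall("administrator-role/user") if u.text]
    if not admins:
        problems.append("administrator-role: no <user> defined")
    if require_run_as:
        run_as = root.find("application/application-bnd/security-role/run-as")
        if run_as is None or not run_as.get("userid"):
            problems.append("OAC: <run-as userid=...> entry missing")
        for tag in ("application", "application/application-bnd",
                    "application/application-bnd/security-role"):
            node = root.find(tag)
            if node is None or not node.get("id"):
                problems.append(f"OAC: <{tag.rsplit('/', 1)[-1]}> needs an id matching server.xml")
    return problems
```

Run check_snippet on the Control Center snippet without require_run_as, and on the OAC snippet with require_run_as=True; an empty list means the snippet passed every check.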