Enabling an integration node to use LDAP for authentication
Web user accounts can be authenticated against a Lightweight Directory Access Protocol (LDAP) or Secure LDAP (LDAPS) server. LDAP authentication then applies to web users that connect by using the REST API, the web user interface, the IBM® Integration Toolkit, or custom integration applications that use the Integration API.
Before you begin
The following LDAP servers are supported:
- IBM Tivoli® Directory Server
- Microsoft Active Directory
About this task
If your LDAP directory does not permit anonymous (unauthenticated) binds, or does not grant search access on the subtree to such binds, you must set up a separate, authorized ID that the integration node uses for the search. For more information, see Configuring authorization with LDAP or Authenticating incoming requests with LDAP.
- Open a command window that is configured for your environment.
- Set the LDAP server that you want to use for authentication by entering the following command, where intNode is the name of your integration node and ldapURL is the URL of your LDAP server:
mqsichangeproperties intNode -b webadmin -o server -n ldapAuthenticationUri -v "ldapURL"
Enter the ldapURL by using the following syntax (the standard LDAP URL layout; the uid_att and base|sub parts are optional):
ldap[s]://server[:port]/baseDN[?[uid_att][?[base|sub]]]
- ldap:// or ldaps:// (Required) Fixed protocol string. Use ldaps to specify that SSL is used.
- server (Required) Name or IP address of the LDAP server.
- port (Optional) Port on the LDAP server. If SSL is not enabled, the default port is 389. If SSL is enabled, the default port is 636.
- baseDN (Required) String that defines the base distinguished name (DN) of all users in the directory. If users exist in different subtrees, specify a common subtree under which a search on the user name uniquely resolves to the required user entry, and set the sub attribute.
If users who need access to the integration node exist in multiple base DNs, you can specify more than one base DN in the ldapURL by enclosing each base DN in parentheses. The following syntax shows how to specify the ldapURL when users exist in 3 base DNs:
ldap[s]://server[:port]/(baseDN1)(baseDN2)(baseDN3)[?[uid_att][?[base|sub]]]
- uid_att (Optional) String that defines the attribute to which the incoming user name maps, typically uid, CN, or email address. The default is uid.
- base|sub (Optional) Defines whether to perform a base or subtree search. If base is selected, the authentication is faster because the DN of the user is constructed from the uid_att, username, and baseDN values. If sub is selected, a search must be performed before the DN can be resolved. The default is sub.
Put public server certificates in the integration node truststore for use with LDAPS connections; do not put them in the webadmin truststore.
- Configure a web user account for each user that you want to authenticate. Either create new web user accounts or modify existing web user accounts:
- Create a new web user account by using the mqsiwebuseradmin command. For example:
mqsiwebuseradmin intNode -c -u ldapusername -x -r sysrole
where ldapusername is the user name in the LDAP directory, and sysrole is the role to associate with the web user account. The -x parameter leaves the account without a local password, so it is authenticated by using LDAP. For more information about roles, see Role-based security.
Note: If you add a local password by using the -a parameter, the local password is used instead of LDAP authentication.
- Modify an existing web user account to remove any local password. For example:
mqsiwebuseradmin intNode -m -u ldapusername -x -r sysrole
Note: You can modify an existing web user account to be authenticated by using LDAP only if the existing user name matches the user name in the LDAP directory. If the user names do not match, you must create a new web user account.
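The whole procedure as one script, added here as a worked illustration and not taken from the IBM documentation or product: it assembles the ldapURL from its parts (applying the default ports and the default sub scope described above, and rejecting an unknown protocol or scope), then prints the mqsichangeproperties and mqsiwebuseradmin commands for review instead of running them unless RUN_MQSI=1 is set. The node name INODE, the host ldap.example.com, the base DNs, the user names alice and bob, and the role names are assumed placeholders.

```shell
#!/bin/sh
# Added example (not IBM's code). Builds and checks an ldapURL, then emits the
# commands from the procedure above. Dry-run by default; RUN_MQSI=1 executes.
# INODE, ldap.example.com, the base DNs, users and roles are hypothetical.

# build_ldap_url PROTO SERVER PORT BASEDN [UID_ATT] [SCOPE]
#   PROTO is ldap or ldaps; an empty PORT selects the default (389 or 636).
#   BASEDN may hold several DNs in parentheses: "(ou=a,o=x)(ou=b,o=x)".
#   UID_ATT defaults to uid and SCOPE to sub, as in the documentation.
build_ldap_url() {
    proto=$1; server=$2; port=$3; basedn=$4; uid_att=${5:-uid}; scope=${6:-sub}
    case "$proto" in
        ldap)  [ -n "$port" ] || port=389 ;;
        ldaps) [ -n "$port" ] || port=636 ;;
        *) echo "protocol must be ldap or ldaps, got '$proto'" >&2; return 1 ;;
    esac
    case "$scope" in
        base|sub) ;;
        *) echo "scope must be base or sub, got '$scope'" >&2; return 1 ;;
    esac
    [ -n "$server" ] && [ -n "$basedn" ] || {
        echo "server and base DN are required" >&2; return 1; }
    printf '%s://%s:%s/%s?%s?%s\n' "$proto" "$server" "$port" "$basedn" "$uid_att" "$scope"
}

# mqsi_cmd CMD ARGS...: print the command line, or run it when RUN_MQSI=1.
mqsi_cmd() {
    if [ "${RUN_MQSI:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# set_ldap_auth NODE LDAPURL: point the node's web admin at the LDAP server.
set_ldap_auth() {
    mqsi_cmd mqsichangeproperties "$1" -b webadmin -o server \
        -n ldapAuthenticationUri -v "$2"
}

# ldap_web_user NODE USER ROLE [MODE]: MODE is -c (create) or -m (modify).
# Always passes -x (no local password) and never -a, because a local
# password would be used instead of LDAP authentication.
ldap_web_user() {
    node=$1; user=$2; role=$3; mode=${4:--c}
    case "$mode" in
        -c|-m) ;;
        *) echo "mode must be -c or -m, got '$mode'" >&2; return 1 ;;
    esac
    mqsi_cmd mqsiwebuseradmin "$node" "$mode" -u "$user" -x -r "$role"
}

# Worked run: LDAPS on the default port 636, users matched on cn, subtree search.
NODE=${NODE:-INODE}
URL=$(build_ldap_url ldaps ldap.example.com "" "ou=users,o=example.com" cn sub) || exit 1
set_ldap_auth "$NODE" "$URL"
ldap_web_user "$NODE" alice adminRole        # new web user, LDAP-authenticated
ldap_web_user "$NODE" bob viewRole -m        # existing user: drop local password
```

Run it once without RUN_MQSI to review the exact command lines, then with RUN_MQSI=1 in a window configured for the integration node's environment. The ldapURL is passed as a single quoted argument so that the ? separators are not interpreted by the shell.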