Configuring lookup authentication with LDAP by using the web UI

Configure the appliance to look up user details on the LDAP server. To look up users, the appliance binds to the LDAP server by using credentials.

Before you begin

CAUTION:
Read the topic Important: avoiding user lock out when configuring role based management before you attempt to set up authentication with LDAP.

About this task

You can use the IBM® MQ Appliance web UI to configure role-based management so that the appliance looks up user details in the LDAP server by using defined search parameters. To look up users, the appliance binds to the LDAP server by using credentials that you define as part of the RBM configuration, or it can use an anonymous bind to access the LDAP server. See User authentication with LDAP for a description of this method of authentication.

Procedure

  1. Start the IBM MQ Appliance web UI and click the Administration icon.
  2. Select Access > RBM Settings.
  3. Ensure that Administrative state is set to On and click Authentication to view the authentication tab.
  4. Select an Authentication method of LDAP.
  5. Specify the Server host and the Server port for connecting to the LDAP server (server port is usually 389, or 636 for an SSL connection), and select the LDAP version (the version is usually v3).
  6. If you have configured a load balancer group for LDAP access and created a profile, specify it in the Load balancer group field. Alternatively, click the plus icon to open the Load Balancer Group dialog and specify a profile for your load balancer group (see Creating a load balancer group profile by using the web UI). You can leave this field blank if you are using a single LDAP server.
  7. Set Search LDAP for DN to On.
  8. In the LDAP bind DN field, specify the DN that the appliance uses to bind to the LDAP server to perform the search. Specify the password alias in the LDAP bind password alias field. Click the plus icon to create a password alias if you have not already created one. (Leave these fields blank if you are using an anonymous bind to access the LDAP server.)
  9. Specify the LDAP search parameters. You can enter these parameters directly, or you can click the plus icon to open the LDAP Search Parameters tab.
  10. Specify an LDAP read timeout. The timeout is how long the appliance attempts to connect to the LDAP server before it closes the connection. The default is 60 seconds. Specify 0 to never time out.
  11. If you want to use an SSL (TLS) connection to the LDAP server, select an SSL client type of Client profile. If you have already defined a profile, select the profile name from the SSL client profile list. Alternatively, click the plus icon to open the SSL Client Profile dialog and create a new SSL client profile (see Creating a TLS client profile by using the web UI).
  12. To define one or more fallback users, choose All users from the Local accounts for fallback list to have all local users able to log in to the appliance if LDAP is unavailable. Alternatively, select Specific users and select one or more local users.
  13. Optionally, change the default cache settings. Cache settings determine how long user details are held on the appliance before authentication is referred to the LDAP server again. By default, the appliance retains details for an absolute period of 600 seconds. You can change the cache mode or the cache lifetime, or both. You can also disable caching altogether.
  14. Click Apply to apply your changes.
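The search-then-bind flow that steps 7 to 13 configure (bind with the appliance's own credentials or anonymously, search for the user's DN, bind as that user, cache the result for an absolute period, fall back to local accounts only when the server is unreachable), as an added example that is not IBM's code and does not describe the appliance's internal implementation. The DIRECTORY dict is a constructed in-memory stand-in for the LDAP server, and FakeLdap, RbmLookupAuth and LdapUnavailable are names assumed for this example.

```python
import hashlib, time

# Constructed stand-in for the LDAP server: DN -> (attributes, password). Exists only so the example runs offline.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": ({"uid": "alice"}, "alice-pw"),
    "uid=bob,ou=people,dc=example,dc=com": ({"uid": "bob"}, "bob-pw"),
    "uid=bob,ou=contractors,dc=example,dc=com": ({"uid": "bob"}, "other-pw"),
    "cn=appliance-bind,ou=svc,dc=example,dc=com": ({}, "bind-pw"),
}

class LdapUnavailable(Exception): pass   # connection failure or read timeout

class FakeLdap:
    def __init__(self, available=True): self.available = available
    def bind(self, dn, password):           # simple bind; True only if DN and password match
        if not self.available:
            raise LdapUnavailable()
        entry = DIRECTORY.get(dn)
        return entry is not None and entry[1] == password
    def search(self, base, attr, value):    # every DN under base whose attr equals value
        if not self.available:
            raise LdapUnavailable()
        return [dn for dn, (attrs, _) in DIRECTORY.items()
                if dn.endswith(base) and attrs.get(attr) == value]

class RbmLookupAuth:
    def __init__(self, ldap, search_base, bind_dn=None, bind_pw=None,
                 fallback_users=None, local_pw=None, cache_lifetime=600):
        self.ldap, self.base = ldap, search_base
        self.bind_dn, self.bind_pw = bind_dn, bind_pw       # None => anonymous bind (step 8)
        self.fallback_users, self.local_pw = fallback_users or set(), local_pw or {}   # step 12
        self.cache_lifetime = cache_lifetime                 # absolute period in seconds (step 13)
        self._cache = {}                                     # user -> (time, password digest)

    def authenticate(self, user, password, now=None):
        now = time.time() if now is None else now
        digest = hashlib.sha256(password.encode()).hexdigest()   # never cache the raw password
        hit = self._cache.get(user)
        if hit and now - hit[0] < self.cache_lifetime and hit[1] == digest:
            return True                                      # answered from cache, LDAP not contacted
        try:
            if self.bind_dn and not self.ldap.bind(self.bind_dn, self.bind_pw):
                return False                                 # bad service credentials: deny, no fallback
            dns = self.ldap.search(self.base, "uid", user)   # "Search LDAP for DN" (step 7)
            if len(dns) != 1:
                return False                                 # no match or ambiguous match
            ok = self.ldap.bind(dns[0], password)            # bind as the user to verify the password
        except LdapUnavailable:
            # local fallback users apply only when the server cannot be reached, never on a bad password
            return user in self.fallback_users and self.local_pw.get(user) == password
        if ok:
            self._cache[user] = (now, digest)
        return ok
```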

What to do next

After you specify the user authentication method, you must next configure credential mapping.