Configuring user authentication against an LDAP directory
You can configure the Web GUI to authenticate users and groups against an LDAP directory. The configuration steps involve adding the LDAP directory to the Virtual Member Manager (VMM) realm and configuring VMM to write new users to the LDAP directory. You then assign Web GUI roles to the LDAP users and synchronize those users with the ObjectServer. The synchronization enables the users to write to the ObjectServer, so that they can use Web GUI functions that require ObjectServer write permissions.
Before you begin
- Familiarize yourself with the concept of the VMM realm. See Web GUI user authentication.
- Ensure that the LDAP directory is running and that it can be accessed from the Web GUI host computer.
- If an ObjectServer was previously added to the realm as a user repository, it needs to be removed. See Removing user repositories.
- If the previous user repository was the default file-based repository, remove any default users that were created when the file-based repository was added. You need to remove these users to avoid duplicate users across repositories in the realm.
- Obtain the following information about the LDAP directory. You need this information to configure the LDAP directory in the realm.
- Host name and port number of the primary server that hosts the LDAP directory and the backup server, if applicable. The host names must contain no spaces.
- Type and version of LDAP directory that is used, for example IBM Tivoli Directory Server V6.2, or Microsoft Active Directory.
- User ID and password that are used to bind to the LDAP server. This user ID must be unique. For example, cn=root. Important: To create users and groups through the Web GUI, the LDAP bind ID must have the appropriate permissions in the LDAP directory. The bind ID must contain no spaces.
- Subtree of the LDAP directory that you want to be used for authenticating users.
Sample LDAP data
The following configuration tasks use sample data from a subtree in an LDAP directory. When you perform the configuration tasks, replace the sample data with your own. The LDAP directory is identified as TIVIDS. TIVIDS contains the subtree ou=NetworkManagement,dc=myco,dc=com, which contains the users and groups that will be authenticated by the Web GUI. In this subtree, the LDAP objects are defined as follows:
- The user prefix is uid
- The user suffix is cn=users
- The group prefix is cn
- The group suffix is cn=groups
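As an added example that is not part of the original documentation, the following Python shows how the sample prefixes and suffixes combine with the subtree into the user and group DNs that VMM looks up, escaping the user-supplied part per RFC 4514 so a crafted name cannot alter the DN, and checks the no-spaces prerequisites listed above. The function names and the jsmith and admin-group values are assumptions.

```python
import re

# Sample LDAP layout from this page (TIVIDS subtree); these are the values
# the VMM realm configuration asks for. Replace them with your own.
SUBTREE = "ou=NetworkManagement,dc=myco,dc=com"
USER_PREFIX, USER_SUFFIX = "uid", "cn=users"
GROUP_PREFIX, GROUP_SUFFIX = "cn", "cn=groups"

# Characters that must be escaped inside a DN attribute value (RFC 4514).
_DN_SPECIAL = ',+"\\<>;='


def escape_dn_value(value: str) -> str:
    """Escape an attribute value so it stays inside its own RDN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))  # control characters as hex pairs
        else:
            out.append(ch)
    return "".join(out)


def user_dn(uid: str, subtree: str = SUBTREE) -> str:
    """DN of a Web GUI user entry: <user prefix>=<uid>,<user suffix>,<subtree>."""
    return f"{USER_PREFIX}={escape_dn_value(uid)},{USER_SUFFIX},{subtree}"


def group_dn(name: str, subtree: str = SUBTREE) -> str:
    """DN of a group entry: <group prefix>=<name>,<group suffix>,<subtree>."""
    return f"{GROUP_PREFIX}={escape_dn_value(name)},{GROUP_SUFFIX},{subtree}"


def validate_ldap_settings(settings: dict) -> list:
    """Return the prerequisite violations from this page: host names and the
    bind ID must contain no spaces (hypothetical dict keys)."""
    problems = []
    for key in ("primary_host", "backup_host", "bind_id"):
        value = settings.get(key)
        if value and re.search(r"\s", value):
            problems.append(f"{key} must contain no spaces: {value!r}")
    return problems


if __name__ == "__main__":
    print(user_dn("jsmith"))
    print(group_dn("Netcool_OMNIbus_Admin"))
    print(validate_ldap_settings({"primary_host": "ldap host", "bind_id": "cn=root"}))
```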