LDAP configuration

A server that runs the Lightweight Directory Access Protocol (LDAP) can be used as the user registry that authenticates users of an Operational Decision Manager release.

See Use case 2 in Configuring user access without OpenID for an example of a configuration file. Modify the file to match your existing LDAP server, then follow the instructions in that topic to apply the modified configuration file to your deployment. The table below describes each setting and gives example values for a generic directory (the openldap example), Active Directory, and IBM Security Directory Server.

Table 1. LDAP configuration

Each entry lists the XML element of the configuration file, its description, and example values.

Directory service server hostname
    Description: The host name of the LDAP server, given either as its fully qualified domain name or as its IP address.
    Example: openldap

Directory service server port number
    Description: The port on which the LDAP server listens.
    Example: 389

Directory service server bind user name
    Description: Maps to Name in the LDAP provider; it is the account that the server uses to bind to the directory. The CN component is mandatory.
    Example: cn=root

Directory service server bind user password
    Description: The password of the bind user. To keep the clear-text password out of the configuration file, Liberty also accepts a value produced by securityUtility encode.
    Example: admin

Base entry distinguished name (repository)
    Description: Two values belong to this entry. The first is the DN of an LDAP user who is allowed to search the LDAP directory; it is required when the LDAP server does not allow anonymous searches. The second is the base DN of the subtree that is searched for user entries on the LDAP server.
    Examples:
        Search user: CN=John Smith,OU=Rochester,DC=cp,DC=com
        User base DN: ou=Rochester,o=IBM

Directory service server user filter
    Description: Filter that finds, in the user base DN subtree, the entry that matches the user name typed at login. The generic example matches entries whose user ID attribute (uid) equals the login user ID and restricts the search to the Person object class. When a match occurs, the placeholder is replaced by the login user ID. Liberty ldapRegistry filters write the placeholder as %v, as in the Active Directory and IBM Security Directory Server examples; use that form in the configuration file.
    Examples:
        Generic: (&(uid={0})(objectclass=Person))
        Active Directory: (&(samAccountName=%v)(objectClass=user))
        IBM Security Directory Server: (&(cn=%v)(objectclass=person))

Base group entry distinguished name (repository)
    Description: The base DN of the subtree that is searched for group entries on the LDAP server.
    Example: ou=Rochester,o=IBM

Directory service server group filter
    Description: Filter that finds, in the group base DN subtree, the entry that matches the group name. The generic example matches entries of the groupOfNames object class whose cn equals the group name. When a match occurs, the placeholder is replaced by the group name; as for the user filter, Liberty writes the placeholder as %v.
    Examples:
        Generic: (&(cn={0})(objectclass=groupOfNames))
        Active Directory: (&(samAccountName=%v)(objectClass=group))
        IBM Security Directory Server: (&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))

Directory service server user id map
    Description: A map of the form objectclass:attribute that selects the LDAP attribute displayed as the user's name (the Full Name, FN). An asterisk (*) matches any object class.
    Examples:
        Active Directory: userIdMap="user:sAMAccountName"
        IBM Security Directory Server: userIdMap="*:uid"

Directory service server group id map
    Description: A map of the form objectclass:attribute that selects the LDAP attribute used as the group name.
    Examples:
        Active Directory: groupIdMap="*:cn"
        IBM Security Directory Server: groupIdMap="*:cn"

Directory service server groupMember id map
    Description: A map of the form objectclass:attribute that identifies the attribute recording group membership (the groupMember).
    Examples:
        Active Directory: groupMemberIdMap="memberOf:member"
        IBM Security Directory Server: groupMemberIdMap="groupOfNames:member"

For more information, see Configuring LDAP user registries in Liberty.
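The following script is an added example, not a file from the ODM documentation or product. It assembles the values of Table 1 into the Liberty ldapRegistry element that the Use case 2 configuration file is assumed to carry, XML-escapes the filters (a bare & in an attribute value makes the file unparseable), RFC 4515-escapes a login ID before expanding the %v placeholder, and offers an ldapsearch pre-check of the bind account and user filter against the real directory. The host, port, bind DN and password, base DNs, filters and maps are the table's sample values; the id and realm attributes, the ldapEntityType mapping of the group base DN, and the login ID jsmith are assumptions.

```shell
#!/bin/sh
# Added example (not ODM documentation or product code): build the Liberty
# <ldapRegistry> fragment from the Table 1 values and pre-check the bind
# account and user filter with ldapsearch before the file is deployed.
# id/realm, the ldapEntityType mapping of the group base DN and the login
# IDs used below are assumptions; the other values are the table's samples.

LDAP_HOST="openldap"
LDAP_PORT="389"
BIND_DN="cn=root"                   # "Directory service server bind user name"
BIND_PW="admin"                     # in the file prefer: securityUtility encode --encoding=aes
USER_BASE_DN="ou=Rochester,o=IBM"   # subtree searched for user entries
GROUP_BASE_DN="ou=Rochester,o=IBM"  # subtree searched for group entries
USER_FILTER='(&(uid=%v)(objectclass=Person))'
GROUP_FILTER='(&(cn=%v)(objectclass=groupOfNames))'

# RFC 4515 escaping of a value spliced into a search filter. Without it a
# login ID such as  *)(uid=*  rewrites the filter (LDAP filter injection)
# when the filter is expanded by hand for an ldapsearch check.
ldap_filter_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Replace the %v placeholder of a Liberty filter with the escaped value.
expand_filter() {
  filter=$1
  case $filter in *%v*) ;; *) printf '%s' "$filter"; return 0 ;; esac
  value=$(ldap_filter_escape "$2")
  head=${filter%%"%v"*}
  tail=${filter#*"%v"}
  printf '%s%s%s' "$head" "$value" "$tail"
}

# Filters are XML attribute values in server.xml, so the "&" of an AND filter
# must be written as &amp; ("<" and the quote character likewise).
xml_attr() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/"/\&quot;/g'
}

# ldapRegistry element for a generic (OpenLDAP-style) directory, with the
# table's user/group maps. A separate group search base is expressed through
# an ldapEntityType child (assumed mapping of the "Base group entry DN" row).
ldap_registry_xml() {
  cat <<EOF
<ldapRegistry id="ldap" realm="defaultRealm" ldapType="Custom" ignoreCase="true"
    host="${LDAP_HOST}" port="${LDAP_PORT}"
    baseDN="$(xml_attr "$USER_BASE_DN")"
    bindDN="$(xml_attr "$BIND_DN")" bindPassword="$(xml_attr "$BIND_PW")"
    userFilter="$(xml_attr "$USER_FILTER")"
    groupFilter="$(xml_attr "$GROUP_FILTER")"
    userIdMap="*:uid" groupIdMap="*:cn"
    groupMemberIdMap="groupOfNames:member">
  <ldapEntityType name="Group">
    <objectClass>groupOfNames</objectClass>
    <searchBase>$(xml_attr "$GROUP_BASE_DN")</searchBase>
  </ldapEntityType>
</ldapRegistry>
EOF
}

# Live pre-check (needs the OpenLDAP ldapsearch client): bind with the table's
# account and run the expanded user filter under the user base DN. A wrong
# bind DN or password surfaces here as "Invalid credentials" instead of as a
# silent login failure in the deployed console.
check_user() {
  command -v ldapsearch >/dev/null 2>&1 || { echo "ldapsearch not installed" >&2; return 2; }
  ldapsearch -x -LLL -H "ldap://${LDAP_HOST}:${LDAP_PORT}" \
    -D "$BIND_DN" -w "$BIND_PW" -b "$USER_BASE_DN" -s sub \
    "$(expand_filter "$USER_FILTER" "$1")" dn
}

# Stand-alone run: print the fragment and two expanded filters. The live
# check is left to the operator, e.g.:  check_user jsmith
ldap_registry_xml
expand_filter "$USER_FILTER" jsmith; echo
expand_filter "$GROUP_FILTER" rtsAdministrators; echo
```

Run it with sh on a host that can reach the directory; check_user jsmith must print the user's DN, otherwise the same filter will fail at console login. Paste the printed element into the configuration file from Use case 2 and replace the clear-text bindPassword with a securityUtility-encoded value before applying it.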