Integrating Lightweight Directory Access Protocol (LDAP)

You can integrate LDAP into Product Master so that you can locate organizations, individuals, and other resources such as files and devices in a network.

LDAP integration enables your system to support over 1000 casual users, where each user requires authorization for various internal and external roles. For example, Category Manager is an internal role and Assistant Brand Manager is an external role. With LDAP integration, you can distribute your LDAP directory over several servers and improve your security infrastructure through:
  • Real-time LDAP user entitlement
  • User import from an LDAP server for immediate setup
  • User authentication against the same LDAP server that you import from

You can also integrate a separate LDAP server tool into your system for the authentication process. In this case, the system authorization infrastructure authorizes LDAP users, and the separate LDAP server tool authenticates each user. To differentiate LDAP users from local users in your system, you use LDAP flags. Entitlement of LDAP users and roles in your system happens at run time and is driven by either user-invoked or system-invoked script operations.

For more information, see your product documentation.

LDAP users and roles

The following list describes how LDAP users and roles function in Product Master:

  • If a user is authenticated in a session, the user remains authenticated until the end of the session, even if the user identity changes during that period. For example, a change in role or password does not invalidate the user's authentication.
  • If the user exists in Product Master and the LDAP flag is not set, authentication is run against Product Master.
  • If the user exists in Product Master and the LDAP flag is set, authentication is run against the LDAP server. Any Product Master roles that are set within the LDAP server must match the user-role mappings in Product Master.
  • If the user exists and holds a role on the LDAP server but does not exist in Product Master, the user is created in Product Master with the required entitlements and the LDAP flag set.
  • If you delete or remove an LDAP user from Active Directory, you must manually disable that user in Product Master through Admin UI > Security > User Console.
  • The script operations getLdapUserInfo and getAllLdapUsersInfo enable you to retrieve a list of users from the LDAP server.

Product Master works with LDAP v3-compliant LDAP servers.
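The dispatch rules in the list above, written out as a runnable model. This is an added example and not IBM Product Master code: the local user store, the LDAP directory and the role mapping are plain dictionaries constructed here, LDAP roles are represented as group DNs, and the function and field names (LocalUser, authenticate, orphaned_ldap_users, ldap_flag) are assumptions made for the example. The last function lists LDAP-flagged users that no longer exist in the directory, which the product leaves for an administrator to disable by hand.

```python
# Added example, not IBM Product Master code: a model of the authentication
# dispatch and entitlement rules for LDAP-flagged users. Assumed (hypothetical):
# the local store and the LDAP directory are dictionaries, LDAP roles are group
# DNs, and ROLE_MAPPING maps those DNs to Product Master roles.
from dataclasses import dataclass, field


@dataclass
class LocalUser:
    """A Product Master user record (constructed model, not the product's schema)."""
    username: str
    ldap_flag: bool
    password: str = ""              # only non-LDAP users keep a local password
    roles: set = field(default_factory=set)
    enabled: bool = True


# Constructed sample data.
LOCAL_USERS = {
    "alice": LocalUser("alice", ldap_flag=False, password="local-pw",
                       roles={"Category Manager"}),
    "bob": LocalUser("bob", ldap_flag=True, roles={"Assistant Brand Manager"}),
    "carol": LocalUser("carol", ldap_flag=True, roles={"Category Manager"}),  # gone from LDAP
}
LDAP_DIRECTORY = {  # username -> (password, group DNs)
    "bob": ("bob-pw", ["cn=brand-assist,ou=groups,dc=example,dc=com"]),
    "dave": ("dave-pw", ["cn=catmgr,ou=groups,dc=example,dc=com"]),
    "erin": ("erin-pw", ["cn=staff,ou=groups,dc=example,dc=com"]),  # no mapped role
}
ROLE_MAPPING = {
    "cn=catmgr,ou=groups,dc=example,dc=com": "Category Manager",
    "cn=brand-assist,ou=groups,dc=example,dc=com": "Assistant Brand Manager",
}


def ldap_bind(directory, username, password):
    """Simple bind against the constructed directory."""
    # An empty password must never reach a real LDAP bind: most servers treat it
    # as an anonymous bind, which succeeds without proving identity.
    if not password:
        return False
    entry = directory.get(username)
    return entry is not None and entry[0] == password


def mapped_roles(directory, role_mapping, username):
    """Product Master roles implied by the user's LDAP groups."""
    _, groups = directory[username]
    return {role_mapping[g] for g in groups if g in role_mapping}


def authenticate(username, password, local_users, directory, role_mapping):
    """Apply the dispatch rules; returns (success, reason)."""
    user = local_users.get(username)
    if user is not None and not user.enabled:
        return False, "user disabled in Product Master"
    if user is not None and not user.ldap_flag:
        # Exists locally, LDAP flag not set: authenticate against Product Master.
        return user.password == password, "local authentication"
    if user is not None:
        # Exists locally, LDAP flag set: bind against LDAP, and the roles implied
        # by LDAP must match the local user-role mapping.
        if not ldap_bind(directory, username, password):
            return False, "LDAP bind failed"
        if mapped_roles(directory, role_mapping, username) != user.roles:
            return False, "role mapping mismatch"
        return True, "LDAP authentication"
    # Unknown locally: if LDAP knows the user and a role maps, create the local
    # record with the LDAP flag set.
    if not ldap_bind(directory, username, password):
        return False, "unknown user"
    roles = mapped_roles(directory, role_mapping, username)
    if not roles:
        return False, "LDAP user has no mapped role"
    local_users[username] = LocalUser(username, ldap_flag=True, roles=roles)
    return True, "LDAP user created with LDAP flag set"


def orphaned_ldap_users(local_users, directory):
    """Enabled LDAP-flagged users that no longer exist in the directory.
    Product Master does not disable them automatically; an administrator must."""
    return sorted(u.username for u in local_users.values()
                  if u.ldap_flag and u.enabled and u.username not in directory)
```

Running orphaned_ldap_users periodically against an export from the directory gives the list of accounts to disable in Admin UI > Security > User Console; in this sample it reports carol, who still holds the Category Manager role locally.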

LDIF integration

You can use the ASCII file format Lightweight Directory Interchange Format (LDIF) to exchange and synchronize data between LDAP servers.

You can synchronize your LDAP directories by extracting either a full or partial directory and then formatting the contents into LDIF files. The LDIF format conveys either directory information or a description of a set of changes that are made to directory entries. An LDIF file consists of a series of records that are separated by blank lines. Each record consists of either a sequence of lines that describe a specific directory entry or a set of changes to a directory entry.

Product Master also includes an LDIF parser that reads and writes LDIF directly, mapping records to LDAP core objects, which include the following:
  • Distinguished name
  • Object classes
  • Associated attributes
  • Other core objects
You can write script functions to access the LDAP core objects that are based on your business logic requirements.
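A small LDIF reader and writer that maps records to the core objects listed above. This is an added example, not the Product Master LDIF parser: the sample LDIF text is constructed, and the function names (parse_ldif, write_entry) and the dictionary layout of the parsed records are assumptions made here. It handles the two record kinds the text describes (a directory entry and a set of changes), folded continuation lines and base64-encoded values, and refuses URL-valued attributes rather than reading files they point at.

```python
# Added example, not the Product Master LDIF parser: a minimal LDIF reader and
# writer mapping records to DN, object classes and attributes; changetype
# records are recognised too. Names and record layout are assumptions.
import base64

# Constructed sample. A continuation line starts with one space; the second
# space below is part of the value, so the join reads "category management".
SAMPLE_LDIF = """\
# comment lines are ignored
dn: cn=Category Manager,ou=roles,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: Category Manager
description: Internal role for category
  management staff
member:: Y249YWxpY2Usb3U9cGVvcGxlLGRjPWV4YW1wbGUsZGM9Y29t

dn: cn=alice,ou=people,dc=example,dc=com
changetype: modify
replace: mail
mail: alice@example.com
-
"""


def _logical_records(text):
    """Unfold continuation lines, drop comments, split records at blank lines."""
    records, lines = [], []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # continuation of the previous line
        elif raw.strip() == "":
            if lines:
                records.append(lines)
            lines = []
        else:
            lines.append(raw)
    if lines:
        records.append(lines)
    return records


def _parse_line(line):
    """Return (attribute, value). '::' marks base64; ':<' (a URL) is refused."""
    name, sep, rest = line.partition(":")
    if not sep:
        raise ValueError("malformed LDIF line: %r" % line)
    if rest.startswith(":"):
        return name, base64.b64decode(rest[1:].strip()).decode("utf-8")
    if rest.startswith("<"):
        # RFC 2849 allows 'attr:< file:///path'; following such URLs would let an
        # LDIF file pull arbitrary local files into the directory, so refuse them.
        raise ValueError("URL-valued attribute not supported: %r" % line)
    return name, rest.strip()


def _parse_changes(lines):
    """Group add/delete/replace blocks; a '-' line ends a block."""
    changes = []
    for line in lines:
        if line == "-":
            continue
        name, value = _parse_line(line)
        if name in ("add", "delete", "replace"):
            changes.append({"op": name, "attr": value, "values": []})
        elif not changes:
            raise ValueError("value outside a change block: %r" % line)
        else:
            changes[-1]["values"].append(value)
    return changes


def parse_ldif(text):
    """Entry records -> dn/objectClass/attributes; change records -> dn/changetype/changes."""
    out = []
    for rec in _logical_records(text):
        name, dn = _parse_line(rec[0])
        if name != "dn":
            raise ValueError("record must start with dn: %r" % rec[0])
        if len(rec) > 1 and rec[1].lower().startswith("changetype:"):
            out.append({"dn": dn, "changetype": _parse_line(rec[1])[1],
                        "changes": _parse_changes(rec[2:])})
            continue
        attrs = {}
        for n, v in map(_parse_line, rec[1:]):
            attrs.setdefault(n, []).append(v)
        out.append({"dn": dn, "objectClass": attrs.pop("objectClass", []), "attributes": attrs})
    return out


def write_entry(record):
    """Serialise an entry record; values that are not LDIF SAFE-STRINGs are base64-encoded."""
    def fmt(name, value):
        safe = (value and value.isascii() and value[0] not in " :<"
                and value[-1] != " " and "\n" not in value and "\r" not in value)
        return "%s: %s" % (name, value) if safe else \
            "%s:: %s" % (name, base64.b64encode(value.encode("utf-8")).decode())
    lines = [fmt("dn", record["dn"])] + [fmt("objectClass", o) for o in record["objectClass"]]
    for name, values in record["attributes"].items():
        lines += [fmt(name, v) for v in values]
    return "\n".join(lines) + "\n"
```

parse_ldif(SAMPLE_LDIF) yields two records: the role entry, with the folded description joined and the member DN decoded from base64, and the modify record for alice. write_entry reproduces an entry record in LDIF form, so an exported entry survives a read-and-write round trip unchanged.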

Configuring LDAP over Secure Socket Layer

If you must configure LDAP over Secure Socket Layer (SSL), perform the following extra steps to be able to log in to IBM® Product Master.
  1. Import the certificate that is exported from the LDAP server into the WebSphere® Application Server cell truststore. This configuration is required for an SSL connection between Active Directory and IBM WebSphere Application Server.
  2. Customize the LDAP script (WPCS file) that is provided by Product Master as follows. This configuration is required for IBM Product Master and Active Directory over SSL.

    Modify the LDAPLibrary.wpcs trigger script to replace the system property call from:

    runJavaMethod(null,setPropertyMethod,"javax.net.ssl.trustStore",keystore);

    to:

    runJavaMethod(null,setPropertyMethod,"com.ibm.ssl.trustStore", "$WAS_HOME/java/<version>/jre/lib/security/cacerts");

    where $WAS_HOME/java/<version>/jre/lib/security/cacerts is the truststore in which the certificates are stored.

    Example

    /opt/IBM/WebSphere/AppServer/java/8.0/jre/lib/security/cacerts

    Note: The directory path might differ across environments.

    You can point the keystore attribute in the LDAP Properties lookup table in Product Master to either the custom keystore path or the WebSphere Application Server truststore path.

  3. The LDAP URL must have the following form:
    ldaps://<hostname>:<ssl_port>
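A pre-flight check for the two settings the steps above end with: the LDAP URL, which must be of the form ldaps://<hostname>:<ssl_port>, and the truststore path that the keystore attribute points at. This is an added example, not part of Product Master; the function name check_ldaps_config, the findings it reports and the path_exists hook (provided so the check can be exercised without a real file system) are assumptions made here.

```python
# Added example, not part of Product Master: sanity checks for the LDAP URL and
# truststore settings used for LDAP over SSL. Names are assumptions.
import os
from urllib.parse import urlsplit


def check_ldaps_config(ldap_url, truststore_path, path_exists=os.path.isfile):
    """Return a list of findings; an empty list means the settings look sane."""
    findings = []
    try:
        parts = urlsplit(ldap_url)
        host, port = parts.hostname, parts.port   # .port raises on a non-numeric port
    except ValueError as exc:
        return ["unparseable LDAP URL (placeholders left in?): %s" % exc]
    if parts.scheme != "ldaps":
        findings.append("scheme is %r, not ldaps: binds would cross the network without TLS"
                        % parts.scheme)
    if not host or "<" in ldap_url or ">" in ldap_url:
        findings.append("hostname missing or placeholder still present")
    if port is None:
        findings.append("no explicit port; add the LDAP server's SSL port")
    elif port == 389:
        findings.append("port 389 is the cleartext LDAP port; the SSL port is usually 636")
    if not path_exists(truststore_path):
        findings.append("truststore not found: %s" % truststore_path)
    return findings


if __name__ == "__main__":
    # Constructed inputs: one sane configuration and one with the usual mistakes.
    for url, store in (("ldaps://ldap.example.com:636", "/opt/IBM/WebSphere/AppServer/java/8.0/jre/lib/security/cacerts"),
                       ("ldap://ldap.example.com:389", "/nonexistent/cacerts")):
        print(url, check_ldaps_config(url, store) or "ok")
```

The check is meant to run on the Product Master host before the LDAP Properties lookup table is changed, so that a URL with the angle-bracket placeholders still in it, a plain ldap:// scheme or a truststore path copied from another environment is caught before the first failed login.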

LDAP limitations

The LDAP integration has the following limitations.

Single sign-on capabilities

Product Master supports single sign-on with LDAP v3-compliant LDAP servers. LDAP support does not enable single sign-on automatically.

When Product Master and WebSphere Application Server are integrated with LDAP, the local users of Product Master and of WebSphere Application Server cannot log in to their application. Only LDAP users can log in to both applications, with the default company. By default, LDAP or single sign-on disables the local Admin and other local users, so users cannot log in both with and without single sign-on in the same application instance. For more information, see Configuring SSO.

Note: WebSphere Global Security is required for the Product Master application if you are enabling LDAP configuration over Secure Sockets Layer (SSL).

Locale-specific string extraction

LDAP entry searches are not certified.

SASL binding

Novell eDirectory server has a known issue with SASL bind (integrated with DIGEST-MD5) in the globalized environment. Contact Novell technical support to determine whether this problem applies to your environment.