How to configure an LDAP user registry
Configure a Lightweight Directory Access Protocol (LDAP) user registry in an IBM® z/OS® Connect server.
Before you begin
- You should be familiar with:
  - API provider authentication and identification when IBM z/OS Connect is acting as an API provider.
  - API requester authentication and identification when IBM z/OS Connect is acting as an API requester.
- You need the following information about the LDAP server:
  - The type of LDAP server. For example, IBM Secure Directory Server or Microsoft Active Directory Server.
  - Connection details such as host, port and whether the connection to the LDAP server is secured with TLS.
  - For Microsoft Active Directory Server, the distinguished name (DN) for the application server, which is used to bind to the directory service, and the bind password.
  - The base distinguished name (DN), which indicates the starting point for LDAP searches in the directory service.
- You must have write access to the server.xml configuration file.
- You need to know the users and groups that are to be granted access to IBM z/OS Connect.
You configure a Lightweight Directory Access Protocol (LDAP) user registry that references an existing LDAP server, so that its users and groups can be used for authentication and authorization.
About this task
- Follow the instructions in Configuring LDAP user registries in Liberty in the WebSphere Application Server for z/OS Liberty documentation. References to Liberty refer to the IBM z/OS Connect server.
  For more information about the ldapRegistry element and its attributes, see LDAP User Registry (ldapRegistry) in the WebSphere Application Server for z/OS Liberty documentation. The following example shows an LDAP registry for an IBM Secure Directory Server. Note that the ldapType attribute must be set to "IBM Tivoli Directory Server" rather than "IBM Secure Directory Server".

    <ldapRegistry id="ldap" realm="SampleLdapIDSRealm"
                  host="ourLDAP.ibm.com" port="389" ignoreCase="true"
                  baseDN="o=mop,c=fr" ldapType="IBM Tivoli Directory Server">
        <!-- server.xml is XML: the '&' that starts an LDAP AND filter must be written as &amp; -->
        <idsFilters userFilter="(&amp;(uid=%v)(objectclass=ePerson))"
                    groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))"
                    userIdMap="*:uid"
                    groupIdMap="*:cn"
                    groupMemberIdMap="ibm-allGroups:member;ibm-allGroups:uniqueMember;groupOfNames:member;groupOfUniqueNames:uniqueMember">
        </idsFilters>
    </ldapRegistry>
- After you have configured your server.xml configuration file with ldapRegistry elements, restart your IBM z/OS Connect server. Check the messages.log file to ensure that the LDAP registry feature has been installed and that there are no error messages resulting from a misconfigured ldapRegistry entry. The following information messages in the messages.log file show that the ldapRegistry feature has been installed:

    CWIMK0009I: The user registry federation service is ready.
    CWWKS0008I: The security service is ready.
    CWWKF0012I: The server installed the following features: [... ldapRegistry-3.0 ...]
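The two steps above (write the ldapRegistry element, then restart and read messages.log) can both be checked mechanically. The following script is an added example, not IBM's code: it parses a server.xml fragment with the Python standard library and reports the findings a reviewer would want before a restart (a raw `&` in a filter, an ldapType spelled as "IBM Secure Directory Server", a filter without `%v`, a missing bindDN for Active Directory, and sslEnabled not set, which means the bind password and every search cross the network in clear), then scans messages.log lines for the three message IDs the page names and for any E-level message. The server.xml fragments and log lines are constructed for this example; CWXXX0000E is a placeholder, not a real Liberty message ID, and the KNOWN_LDAP_TYPES set is an assumed subset of the values listed in the ldapRegistry reference.

```python
"""Audit an ldapRegistry element before restart and verify messages.log after it.

Added example (not IBM's code), standard library only. Every server.xml
fragment and log line below is constructed; CWXXX0000E is a placeholder id.
"""
import re
import xml.etree.ElementTree as ET

# Assumed subset of Liberty ldapType values. The page notes that an IBM Secure
# Directory Server must be declared as "IBM Tivoli Directory Server".
KNOWN_LDAP_TYPES = {"IBM Tivoli Directory Server", "Microsoft Active Directory", "Custom"}
REQUIRED_ATTRS = ("host", "baseDN", "ldapType")


def audit_ldap_registry(xml_text):
    """Return a list of findings for the ldapRegistry elements in a server.xml fragment."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as err:
        # server.xml is read by an XML parser, so a raw '&' inside a filter
        # attribute breaks the whole file; it must be written as &amp;.
        return [f"not well-formed XML: {err} (write '&' in filters as &amp;)"]
    registries = list(root.iter("ldapRegistry"))
    if not registries:
        return ["no ldapRegistry element found"]
    findings = []
    for reg in registries:
        rid = reg.get("id", "<no id>")
        for attr in REQUIRED_ATTRS:
            if not reg.get(attr):
                findings.append(f"{rid}: missing attribute {attr}")
        ldap_type = reg.get("ldapType")
        if ldap_type and ldap_type not in KNOWN_LDAP_TYPES:
            findings.append(f"{rid}: unexpected ldapType {ldap_type!r}")
        # Without sslEnabled="true" the bind password and every search cross
        # the network in clear, whatever port number is configured.
        if reg.get("sslEnabled", "false").lower() != "true":
            findings.append(f"{rid}: sslEnabled is not true; traffic on port "
                            f"{reg.get('port', '389')} is not TLS-protected")
        # Active Directory needs a bind identity (see "Before you begin").
        if ldap_type == "Microsoft Active Directory" and not (
                reg.get("bindDN") and reg.get("bindPassword")):
            findings.append(f"{rid}: Active Directory needs bindDN and bindPassword")
        # Each filter must contain %v, which the server replaces with the name looked up.
        for flt in reg:
            for name in ("userFilter", "groupFilter"):
                value = flt.get(name)
                if value is not None and "%v" not in value:
                    findings.append(f"{rid}: {flt.tag}/{name} lacks %v")
    return findings


MSG_ID = re.compile(r"\b(CW[A-Z]{3}\d{4}[IWEA])\b")   # Liberty message id, e.g. CWWKS0008I
REQUIRED_MESSAGES = ("CWIMK0009I", "CWWKS0008I", "CWWKF0012I")  # the three ids the page names


def verify_ldap_startup(log_lines):
    """Summarise messages.log after a restart: required messages, feature list, E-level errors."""
    seen, errors = {}, []
    for line in log_lines:
        m = MSG_ID.search(line)
        if not m:
            continue
        msg_id = m.group(1)
        text = line[m.end():].lstrip(": ").strip()
        seen[msg_id] = text
        if msg_id.endswith("E"):
            errors.append(f"{msg_id}: {text}")
    feature_ok = "ldapRegistry-" in seen.get("CWWKF0012I", "")
    missing = [mid for mid in REQUIRED_MESSAGES if mid not in seen]
    return {"ldap_feature_installed": feature_ok, "missing_messages": missing,
            "errors": errors, "ok": feature_ok and not missing and not errors}


# Constructed server.xml fragment: the page's IDS example with '&' escaped as XML requires.
IDS_SAMPLE = """<server>
  <ldapRegistry id="ldap" realm="SampleLdapIDSRealm" host="ourLDAP.ibm.com" port="389"
                ignoreCase="true" baseDN="o=mop,c=fr" ldapType="IBM Tivoli Directory Server">
    <idsFilters userFilter="(&amp;(uid=%v)(objectclass=ePerson))"
                groupFilter="(&amp;(cn=%v)(objectclass=groupOfNames))"
                userIdMap="*:uid" groupIdMap="*:cn" groupMemberIdMap="groupOfNames:member"/>
  </ldapRegistry>
</server>"""
RAW_AMPERSAND_SAMPLE = IDS_SAMPLE.replace("&amp;", "&")   # filter typed with a raw '&'
WRONG_TYPE_SAMPLE = IDS_SAMPLE.replace("IBM Tivoli Directory Server", "IBM Secure Directory Server")

# Constructed messages.log lines in Liberty's layout; only the message ids and text matter here.
GOOD_LOG = [
    "[3/15/22, 14:02:09:410 GMT] 00000021 com.ibm.ws.security.registry I CWIMK0009I: The user registry federation service is ready.",
    "[3/15/22, 14:02:09:512 GMT] 00000021 com.ibm.ws.security.ready I CWWKS0008I: The security service is ready.",
    "[3/15/22, 14:02:10:003 GMT] 00000021 com.ibm.ws.kernel.feature A CWWKF0012I: The server installed the following features: [appSecurity-2.0, ldapRegistry-3.0, ssl-1.0].",
]
BAD_LOG = [
    "[3/15/22, 14:05:01:100 GMT] 00000021 com.ibm.ws.security.ready I CWWKS0008I: The security service is ready.",
    "[3/15/22, 14:05:01:207 GMT] 00000021 com.ibm.ws.kernel.feature A CWWKF0012I: The server installed the following features: [appSecurity-2.0, ssl-1.0].",
    "[3/15/22, 14:05:02:440 GMT] 00000021 com.ibm.ws.security.registry E CWXXX0000E: (constructed placeholder) LDAP server ourLDAP.ibm.com:389 is unreachable.",
]

if __name__ == "__main__":
    for label, sample in (("escaped", IDS_SAMPLE), ("raw &", RAW_AMPERSAND_SAMPLE),
                          ("wrong type", WRONG_TYPE_SAMPLE)):
        print(label, audit_ldap_registry(sample))
    print("good log", verify_ldap_startup(GOOD_LOG))
    print("bad log", verify_ldap_startup(BAD_LOG))
```

Run it against a real server.xml by passing the file contents to audit_ldap_registry, and against the server's messages.log by passing its lines to verify_ldap_startup; a non-empty errors list or a non-empty missing_messages list means the registry is not usable yet, even when the server itself has started.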
The LDAP users and groups that match the defined filters are now defined in the user registry and can be used by the IBM z/OS Connect server for authentication and authorization.