Configure a Lightweight Directory Access Protocol (LDAP) user registry in an IBM® z/OS® Connect server.
Before you begin
- You should be familiar with
- You need the following information about the LDAP server:
  - The type of LDAP server. For example, IBM Secure Directory Server or Microsoft Active Directory Server.
  - Connection details such as host, port and whether the connection to the LDAP server is secured with TLS.
  - For Microsoft Active Directory Server, the distinguished name (DN) for the application server, which is used to bind to the directory service, and the bind password.
  - The base distinguished name (DN), which indicates the starting point for LDAP searches in the directory service.
- You must have write access to the server.xml configuration file.
- You need to know the users and groups that are to be granted access to IBM z/OS Connect.
About this task
You configure a Lightweight Directory Access Protocol (LDAP) user registry that references an existing LDAP server, so that its users and groups can be used for authentication and authorization.
Procedure
- Follow the instructions in Configuring LDAP user registries in Liberty in the WebSphere Application Server for z/OS Liberty documentation. References to Liberty refer to the IBM z/OS Connect server. For more information about the ldapRegistry element and its attributes, see LDAP User Registry (ldapRegistry) in the WebSphere Application Server for z/OS Liberty documentation.
The following example shows an LDAP registry for an IBM Secure Directory Server. Note that the ldapType attribute must be set to "IBM Tivoli Directory Server" rather than "IBM Secure Directory Server".
<ldapRegistry id="ldap" realm="SampleLdapIDSRealm"
    host="ourLDAP.ibm.com" port="389" ignoreCase="true"
    baseDN="o=mop,c=fr"
    ldapType="IBM Tivoli Directory Server">
    <idsFilters
        userFilter="(&amp;(uid=%v)(objectclass=ePerson))"
        groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))"
        userIdMap="*:uid"
        groupIdMap="*:cn"
        groupMemberIdMap="ibm-allGroups:member;ibm-allGroups:uniqueMember;groupOfNames:member;groupOfUniqueNames:uniqueMember">
    </idsFilters>
</ldapRegistry>
- After you have configured your server.xml configuration file with the features and ldapRegistry elements, restart your IBM z/OS Connect server. Check the messages.log file to ensure the LDAP registry feature has been installed and that there are no error messages resulting from a misconfigured ldapRegistry entry. The following information messages in the messages.log file show that the ldapRegistry feature has been installed:
CWIMK0009I: The user registry federation service is ready.
CWWKS0008I: The security service is ready.
CWWKF0012I: The server installed the following features: [... ldapRegistry-3.0 ...]
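The two checks in this procedure, reviewing the ldapRegistry configuration before the restart and confirming the messages.log output after it, can be scripted. The following Python is an added example, not code from the IBM documentation: the server.xml fragments and the abbreviated messages.log excerpt are constructed samples, the sslEnabled, sslRef, bindDN and bindPassword attributes are standard ldapRegistry attributes, and the SSL configuration id "LDAPSSLSettings" is an assumed name. The weak fragment uses the "IBM Secure Directory Server" spelling that the note above warns against and talks to port 389 without TLS; the hardened fragment corrects both.

```python
"""Pre-restart and post-restart checks for an ldapRegistry configuration.

Added example, not code from the IBM documentation. The server.xml fragments
and the messages.log excerpt are constructed samples; the SSL configuration
id "LDAPSSLSettings" is an assumed name for an ssl element defined elsewhere.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: wrong ldapType value and no TLS on the LDAP connection.
WEAK_SERVER_XML = """<server>
  <featureManager>
    <feature>ldapRegistry-3.0</feature>
  </featureManager>
  <ldapRegistry id="ldap" realm="SampleLdapIDSRealm"
      host="ourLDAP.ibm.com" port="389" ignoreCase="true"
      baseDN="o=mop,c=fr" ldapType="IBM Secure Directory Server"/>
</server>"""

# Constructed sample: corrected ldapType, LDAPS port, TLS enabled via an
# assumed ssl element with id "LDAPSSLSettings".
HARDENED_SERVER_XML = """<server>
  <featureManager>
    <feature>ldapRegistry-3.0</feature>
  </featureManager>
  <ldapRegistry id="ldap" realm="SampleLdapIDSRealm"
      host="ourLDAP.ibm.com" port="636" ignoreCase="true"
      baseDN="o=mop,c=fr" ldapType="IBM Tivoli Directory Server"
      sslEnabled="true" sslRef="LDAPSSLSettings"/>
</server>"""

REQUIRED_ATTRS = ("host", "port", "baseDN", "ldapType")


def check_ldap_registry(server_xml: str) -> list:
    """Return a list of findings for the ldapRegistry elements in a server.xml document."""
    root = ET.fromstring(server_xml)
    registries = root.findall(".//ldapRegistry")
    if not registries:
        return ["no ldapRegistry element found"]
    findings = []
    features = [f.text.strip() for f in root.findall(".//featureManager/feature") if f.text]
    if not any(f.startswith("ldapRegistry-") for f in features):
        findings.append("ldapRegistry feature is not listed in featureManager")
    for reg in registries:
        rid = reg.get("id", "<no id>")
        for attr in REQUIRED_ATTRS:
            if not reg.get(attr):
                findings.append(f"{rid}: missing attribute {attr}")
        ldap_type = reg.get("ldapType", "")
        if ldap_type == "IBM Secure Directory Server":
            findings.append(f'{rid}: ldapType must be "IBM Tivoli Directory Server"')
        # Without sslEnabled="true" the bind credentials and every search cross
        # the network in clear text.
        if reg.get("sslEnabled", "false").lower() != "true":
            findings.append(f"{rid}: sslEnabled is not true; connection to port "
                            f"{reg.get('port')} is not secured with TLS")
        # Active Directory needs a bind DN and password to search the directory.
        if ldap_type == "Microsoft Active Directory" and not (reg.get("bindDN") and reg.get("bindPassword")):
            findings.append(f"{rid}: Microsoft Active Directory needs bindDN and bindPassword")
    return findings


# Constructed, abbreviated messages.log excerpt (real lines also carry the
# logging class name before the message id).
SAMPLE_MESSAGES_LOG = """\
[4/2/24 10:15:01:234 GMT] 00000001 A CWWKF0012I: The server installed the following features: [ldapRegistry-3.0, ssl-1.0].
[4/2/24 10:15:02:001 GMT] 00000002 I CWIMK0009I: The user registry federation service is ready.
[4/2/24 10:15:02:010 GMT] 00000003 I CWWKS0008I: The security service is ready.
"""

EXPECTED_IDS = ("CWIMK0009I", "CWWKS0008I", "CWWKF0012I")
MSG_ID = re.compile(r"\b(CW[A-Z]{3}\d{4}[IWE])\b")


def check_messages_log(log_text: str) -> dict:
    """Confirm the three readiness messages, the installed feature and that no error was logged."""
    seen = {mid: False for mid in EXPECTED_IDS}
    feature_installed = False
    errors = []
    for line in log_text.splitlines():
        match = MSG_ID.search(line)
        if not match:
            continue
        msg_id = match.group(1)
        if msg_id in seen:
            seen[msg_id] = True
        if msg_id == "CWWKF0012I" and re.search(r"\bldapRegistry-\d+\.\d+\b", line):
            feature_installed = True
        if msg_id.endswith("E"):  # Liberty error message ids end in E
            errors.append(line.strip())
    return {"ready": all(seen.values()) and feature_installed and not errors,
            "seen": seen, "feature_installed": feature_installed, "errors": errors}


if __name__ == "__main__":
    for name, xml_text in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(name, check_ldap_registry(xml_text) or ["no findings"])
    print(check_messages_log(SAMPLE_MESSAGES_LOG))
```

Run the configuration check against server.xml before restarting the server, and feed the post-restart messages.log to check_messages_log; a "ready" result of False together with the collected error lines points at the misconfigured ldapRegistry entry.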
Results
The LDAP users and groups matching the defined filters are now defined in the user registry and can be used by the IBM z/OS Connect server for authentication and authorization.