Setting LDAP parameters for Microsoft Active Directory

Define configuration parameters for Microsoft Active Directory to provide extra security options for your environment.

Before you begin

Before setting configuration parameters, perform authentication tests to confirm that user, group, and membership search filters work properly. For more information, see the Related tasks section.

You must be assigned the Security administration role with permission to Manage security (Full permission) to perform these steps.

About this task

You might need to modify the example search parameters in the following steps to match your LDAP server schema.

You can use the console, the command line interface, or the REST API to complete this task. For the command line and REST API information, see the Related information section.

Procedure

  1. Click System > System Security.
  2. Expand the LDAP Settings section, and set the following configuration parameters.
    LDAP provider URL
    The LDAP server host name, port number, and LDAP or LDAPS protocol. The host name must be either the fully qualified domain name or the IP address of your LDAP server. The URL must begin with either ldap:// for standard LDAP or ldaps:// when connecting to the LDAP server through a Secure Sockets Layer (SSL) tunnel.

    The LDAPS protocol is recommended for protecting sensitive user credential information. When selecting LDAPS, you must verify and accept the LDAP server X.509 certificate.

    Security certificate
    The security certificate is used only when PureApplication® System is configured with LDAP over an SSL connection, for example using ldaps:// in the address. The security certificate must be an X.509 certificate and stored locally on PureApplication System. The system uses the security certificate to determine whether to trust the LDAP server or servers.

    Use the Certificate number to store field to allow the system to trust a clustered LDAP environment in which each LDAP server has a unique X.509 certificate that is issued by a common certificate authority. When PureApplication System is configured to trust the common certificate authority, by default it trusts all certificates that are issued by that certificate authority.

    LDAP security authentication
    The distinguished name (DN) of an LDAP user who is allowed to search the LDAP directory if the LDAP server does not allow anonymous access.
    Password
    The password of the user.
    LDAP base DN (users)
    The base DN subtree that is used when searching for user entries on the LDAP server. Use LDAP Data Interchange Format (LDIF) syntax for the entries.
    LDAP base DN (groups)
    The base DN subtree that is used when searching for group entries on the LDAP server.
    Search filter (users)
    Note: Confirm that the user search filter is effective by performing an LDAP authentication test. For more information, click Testing LDAP authentication settings in the Related tasks section below.
    Filter for finding entries in the LDAP base DN (users) subtree that match the user name. For example, see the following entry:
    dn: CN=testuser,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    cn: testuser
    givenName: testuser
    distinguishedName: CN=testuser,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
    instanceType: 4
    whenCreated: 20121016115033.0Z
    whenChanged: 20121128154238.0Z
    displayName: testuser
    uSNCreated: 12880
    uSNChanged: 30679
    name: testuser
    objectGUID:: FHdAtR/CQEyxvINHhsGnLw==
    userAccountControl: 2687488
    badPwdCount: 1
    codePage: 0
    countryCode: 0
    badPasswordTime: 129954117792502335
    lastLogoff: 0
    lastLogon: 129949649905545787
    pwdLastSet: 129948648233962943
    primaryGroupID: 513
    objectSid:: AQUAAAAAAAUVAAAABP7bJiQPVlNtcWUsVAQAAA==
    accountExpires: 9223372036854775807
    logonCount: 0
    sAMAccountName: testuser
    sAMAccountType: 805306368
    userPrincipalName: testuser@secfvt2.austin.ibm.com
    objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=secfvt2,DC=austin,DC=i
     bm,DC=com
    dSCorePropagationData: 16010101000000.0Z
    lastLogonTimestamp: 129985909582341952
    The following filter searches for entries whose user ID attribute, sAMAccountName, matches the user ID that was used to log in to the system. The filter only matches entries that belong to both the organizationalPerson and person object classes.
    "(&(sAMAccountName={0})(ObjectClass=organizationalPerson)(ObjectClass=person))" 

    When the match occurs, the {0} placeholder is replaced by the user ID from the login screen.

    Search filter (groups)
    Note: Confirm that the group search filter is effective by performing an LDAP authentication test. For more information, click Testing LDAP authentication settings in the Related tasks section below.
    Filter for finding entries in the LDAP base DN (groups) subtree that match the group name. For example, see the following entry:
    dn: CN=group1,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
    objectClass: top
    objectClass: group
    cn: group1
    member: CN=WIMUser3,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
    member: CN=WIMUser1,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
    member: CN=user3,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
    member: CN=user1,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
    member: CN=KRBUser3,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
    member: CN=KRBUser1,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
    member: CN=LDAPUser3,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
    member: CN=LDAPUser1,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
    distinguishedName: CN=group1,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
    instanceType: 4
    whenCreated: 20121016162937.0Z
    whenChanged: 20121016214016.0Z
    uSNCreated: 12972
    uSNChanged: 22942
    name: group1
    objectGUID:: RyfdOC8kXEyOk7Q+qjtjSg==
    objectSid:: AQUAAAAAAAUVAAAABP7bJiQPVlNtcWUsXwQAAA==
    sAMAccountName: group1
    sAMAccountType: 268435456
    groupType: -2147483646
    objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=secfvt2,DC=austin,DC=ib
     m,DC=com
    dSCorePropagationData: 16010101000000.0Z
    The following filter searches for entries whose group ID attribute, sAMAccountName, matches the group name. The filter only matches entries that belong to the Group object class.
    "(&(sAMAccountName={0})(ObjectClass=Group))" 

    When the match occurs, the {0} placeholder is replaced by the group name.

    LDAP membership search filter pattern
    Note: Confirm that the member search filter is effective by performing an LDAP authentication test. For more information, click Testing LDAP authentication settings in the Related tasks section below.
    Filter used for returning a list of group member entries that are in the LDAP base DN (groups) subtree. For example, the following filter searches for entries in the group object class that contain a particular group as a member.
    "(&(member={0}) (objectclass=group))" 
    LDAP user search attribute
    The name of the attribute that represents the unique ID of the user. Typically, the value for LDAP user search attribute matches the user ID attribute (sAMAccountName) that is used in the user search filter.
    Note: The value of LDAP user search attribute must match the value that was used when adding the user to the system.
    LDAP group search attribute
    The name of the attribute in the group search filter that represents the group name. Typically, the value for LDAP group search attribute matches the group ID attribute that is used in the group search filter. For example, if the attribute name is sAMAccountName in the group search filter, the value for LDAP group search attribute should also be sAMAccountName. The sAMAccountName value is the default value if none is specified.
    LDAP membership search attribute
    The member user attribute in a group. If this attribute is not provided, the membership search uses the full distinguished name (DN) of the user, for example member: cn=Test User1, ou=WebSphere, o=IBM, c=US. Only specify a different value when you want to use a particular attribute of the DN instead of the full DN in the search query.
    LDAP JNDI connect pool
    JNDI connection pooling is enabled when the value is set to Yes, which is the default value. Consult an IBM service engineer before changing this setting.
    LDAP JNDI read timeout (in milliseconds)
    The amount of time to wait for the LDAP server to respond. The default value is five minutes. Specify a value of 0 to disable the timeout option.
    LDAP server type
    The type of LDAP server. When using Microsoft Active Directory, select Microsoft Active Directory.
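    The three filter templates above all work the same way: the system fills the {0} placeholder with text taken from the login screen (user ID, group name, or the user's DN) and sends the result to Active Directory. The practical point a configurator should check is that the substituted text is escaped as RFC 4515 requires, so a login name cannot change the shape of the filter; otherwise a value such as "*" turns "(sAMAccountName={0})" into a match for every account. The following script is an added example, not PureApplication System code or IBM's implementation. It parses a constructed LDIF excerpt taken from the page's sample user and group entries (with testuser added to group1's member list so the membership filter has a hit), applies the page's user, group, and membership filters with RFC 4515 escaping, and contrasts that with unescaped substitution. The filter parser handles only the subset of syntax the page uses; the page's membership filter has a space between its two components, and the parser tolerates that rather than assuming how any particular server treats it.

```python
"""Added example (not PureApplication System code): apply this page's search
filters to the page's sample Active Directory entries, filling {0} with
RFC 4515 escaping so a login value cannot alter the filter's structure.
Standard library only; no LDAP server is contacted."""
import re

# Constructed LDIF, trimmed from the page's sample entries. testuser was
# added to group1's member list so the membership filter returns a group.
SAMPLE_LDIF = """\
dn: CN=testuser,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: testuser
sAMAccountName: testuser
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=secfvt2,DC=austin,DC=i
 bm,DC=com

dn: CN=group1,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
objectClass: top
objectClass: group
cn: group1
member: CN=testuser,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
member: CN=user1,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
sAMAccountName: group1
"""

# Filter templates exactly as given on the page.
USER_FILTER = "(&(sAMAccountName={0})(ObjectClass=organizationalPerson)(ObjectClass=person))"
GROUP_FILTER = "(&(sAMAccountName={0})(ObjectClass=Group))"
MEMBER_FILTER = "(&(member={0}) (objectclass=group))"


def parse_ldif(text):
    """Parse LDIF records into dicts of lower-cased attribute -> [values].
    A line starting with one space continues the previous line (LDIF folding),
    which is how the page's long objectCategory values are wrapped."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:          # trailing "" flushes the last record
        if not line:
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):      # '::' marks a base64 value; kept verbatim
            value = value[1:]
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def escape_filter_value(value):
    """RFC 4515 escaping: characters that carry filter syntax become \\XX."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def _unescape(text):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)


def parse_filter(text):
    """Parse the subset of RFC 4515 used on this page: (&..), (|..), (!..) and
    (attr=value), where an unescaped '*' in value is a wildcard. Matching is
    case-insensitive, as it is for the AD string attributes used here."""
    def skip_spaces(i):
        while i < len(text) and text[i] == " ":   # tolerate "(..) (..)"
            i += 1
        return i

    def node(i):
        i = skip_spaces(i)
        if text[i] != "(":
            raise ValueError("expected '(' at offset %d" % i)
        i += 1
        if text[i] in "&|":
            op, children = text[i], []
            i = skip_spaces(i + 1)
            while text[i] != ")":
                child, i = node(i)
                children.append(child)
                i = skip_spaces(i)
            return (op, children), i + 1
        if text[i] == "!":
            child, i = node(i + 1)
            i = skip_spaces(i)
            if text[i] != ")":
                raise ValueError("unbalanced '(!' at offset %d" % i)
            return ("!", [child]), i + 1
        end = text.index(")", i)       # escaped parens are \28 / \29, never literal
        attr, _, value = text[i:end].partition("=")
        pattern = ".*".join(re.escape(_unescape(p)) for p in value.split("*"))
        return ("=", attr.strip().lower(), re.compile("^%s$" % pattern, re.I)), end + 1

    tree, pos = node(0)
    if skip_spaces(pos) != len(text):
        raise ValueError("trailing data after filter")
    return tree


def matches(tree, entry):
    kind = tree[0]
    if kind == "&":
        return all(matches(c, entry) for c in tree[1])
    if kind == "|":
        return any(matches(c, entry) for c in tree[1])
    if kind == "!":
        return not matches(tree[1][0], entry)
    _, attr, pattern = tree
    return any(pattern.match(v) for v in entry.get(attr, []))


def search(entries, template, value, escape=True):
    """Fill {0} with the login value (or the user's DN) and return matching DNs.
    escape=False exists only to show the difference escaping makes."""
    filled = template.replace("{0}", escape_filter_value(value) if escape else value)
    return [e["dn"][0] for e in entries if matches(parse_filter(filled), e)]


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    user_dn = search(entries, USER_FILTER, "testuser")[0]
    print("user:", user_dn)
    print("group:", search(entries, GROUP_FILTER, "group1"))
    print("groups containing user:", search(entries, MEMBER_FILTER, user_dn))
    print("escaped '*':", search(entries, USER_FILTER, "*"))
    print("unescaped '*':", search(entries, USER_FILTER, "*", escape=False))
```

The membership step mirrors the page's default behaviour for LDAP membership search attribute: with no attribute configured, the full DN returned by the user search is what gets substituted into the member filter. Run the script to see the user, group and membership lookups succeed for testuser and group1, and to see that an escaped "*" matches nothing while the unescaped form matches every person entry.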
