Configuring an LDAP or an LDAP/SDBM connection

Configure an LDAP or an LDAP/SDBM connection with the WebSphere Liberty server.

About this task

LDAP registries contain records of users and groups. When you configure a WebSphere server (either Liberty or full WebSphere Application Server) for LDAP authentication, you must specify queries that identify the records that represent users and groups. Use the userFilter and groupFilter attributes for this purpose: the userFilter attribute must match only user records, and the groupFilter attribute must match only group records. In each filter, the %v placeholder is replaced with the value being looked up (the user ID or the group name).
For example:
  • userFilter="(&(uid=%v)(objectclass=inetOrgPerson))"
  • groupFilter="(&(cn=%v)(|(objectclass=groupOfNames)(objectclass=posixGroup)))"
If you use LDAP for user management and you enable the option to not use case-sensitive user management, make sure that Jazz® Team Server is also configured to allow user management that is not case sensitive. To configure the Jazz Team Server login property, on the Advanced Properties page of the Administrative web interface, modify the Use case insensitive user ID matching property.

Procedure

  1. Run the setup wizard and advance through the pages until you reach the Setup User Registry page. For more information about the setup wizard, see Running the setup by using Custom setup in the setup wizard.
  2. In Step 1, under User Registry Type, select LDAP or LDAP/SDBM.
  3. In Step 2, complete the fields. See LDAP and LDAP/SDBM configuration parameters for details.
  4. Click Save LDAP Config Files.
    Tip: This operation modifies two files: ldapUserRegistry.xml and application.xml. To see the name and location of the generated XML files, click show details in the message box.
  5. Go to JazzInstallDir/server/liberty/servers/clm and open the server.xml file for editing. For LDAP/SDBM, replace the basicUserRegistry.xml file with the generated ldapUserRegistry.xml file. Change the value of ignoreCase from false to true.
  6. Comment out <include location="conf/basicUserRegistry.xml"> and uncomment <!--include location="conf/ldapUserRegistry.xml"--> to use the LDAP user registry.
  7. Open JazzInstallDir/server/liberty/servers/clm/conf/ldapUserRegistry.xml for editing and examine the ldapRegistry values to ensure that they match your organization's LDAP configuration. By default, the ldapUserRegistry.xml file uses IBM Tivoli Directory Server as the ldapType, with idsFilters:
    <ldapRegistry
        id="sample_ldap" realm="SampleLdapIDSRealm" ignoreCase="true"
        host="localhost" port="389"
        baseDN="ou=people,dc=jazz,dc=net"
        ldapType="IBM Tivoli Directory Server">
        <idsFilters
            userFilter="(&amp;(uid=%v)(objectclass=inetOrgPerson))"
            groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfNames)(objectclass=posixGroup)))"
            userIdMap="*:uid"
            groupIdMap="*:cn"
            groupMemberIdMap="ibm-allGroups:member;ibm-allGroups:uniqueMember">
        </idsFilters>
        <ldapEntityType name="PersonAccount">
            <searchBase>DC=company,DC=com</searchBase>
        </ldapEntityType>
        <ldapEntityType name="Group">
            <searchBase>OU=Groups,OU=America,DC=company,DC=com</searchBase>
        </ldapEntityType>
    </ldapRegistry>
    You can also use the Microsoft Active Directory type. Here is an example of the Microsoft Active Directory type with its default values (because the file is XML, the & in each filter must be written as &amp;):
    ldapType="Microsoft Active Directory"
        <activedFilters
            userFilter="(&amp;(sAMAccountName=%v)(objectcategory=user))"
            groupFilter="(&amp;(cn=%v)(objectcategory=group))"
            userIdMap="user:sAMAccountName"
            groupIdMap="*:cn"
            groupMemberIdMap="memberof:member">
        </activedFilters>

    In both examples, the userFilter query returns only users, and the groupFilter query returns only groups.

  8. Save and close ldapUserRegistry.xml.
  9. Open JazzInstallDir/server/liberty/servers/clm/conf/application.xml and examine the group name configured for each WAR file to ensure that it matches your organization's group names. The applications that rely on container authentication are jts.war, ccm.war, qm.war, and am.war. Other applications delegate authentication to Jazz Team Server.
  10. Restart the WebSphere Liberty server.
  11. Open a web browser window and go to https://host.example.com:9443/jts/setup, where host.example.com is the fully qualified host name for your server.
  12. Test the connection by logging on to your server by using a user ID that is in your LDAP external registry.
    Note: For the LDAP/SDBM settings, it is recommended that you select the check box next to Compute and save additional LDAP queries based on these configuration values. You can view and modify the computed settings at any time from the Admin Configuration UI.
  13. Optional: Under the LDAP/SDBM configuration, continue the following steps:
    1. Ignore the Test Connection warning. Click Save LDAP Config Files.
    2. Follow the message and click Next to save the LDAP settings.
    3. Restart the WebSphere Liberty server as the message instructs; the restart is required to connect the server to the LDAP RACF user registry.
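The following Python script is an added example, not part of the Jazz documentation or of the Liberty product. It parses a constructed ldapUserRegistry.xml fragment shaped like the one in step 7, checks that each filter carries a %v placeholder, balanced parentheses and an objectclass/objectcategory constraint (so that the userFilter matches only users and the groupFilter only groups, as About this task requires), and shows how a looked-up value expands into the filter with RFC 4515 escaping. The escaping routine is the example's own assumption about what a registry must do before substitution, not a description of Liberty's internals.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the generated ldapUserRegistry.xml
# (not a file taken from a real installation). In XML the filter's & is &amp;.
SAMPLE_XML = """<server>
  <ldapRegistry id="sample_ldap" realm="SampleLdapIDSRealm" ignoreCase="true"
      host="localhost" port="389" baseDN="ou=people,dc=jazz,dc=net"
      ldapType="IBM Tivoli Directory Server">
    <idsFilters
        userFilter="(&amp;(uid=%v)(objectclass=inetOrgPerson))"
        groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfNames)(objectclass=posixGroup)))"
        userIdMap="*:uid" groupIdMap="*:cn"
        groupMemberIdMap="ibm-allGroups:member;ibm-allGroups:uniqueMember"/>
  </ldapRegistry>
</server>"""

# RFC 4515 escapes for characters that would otherwise change filter structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a value so it is matched literally when placed inside a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template, value):
    """Replace %v with the escaped value (assumed behaviour, see lead-in)."""
    return template.replace("%v", escape_filter_value(value))


def load_filters(xml_text):
    """Read ldapType, ignoreCase and the two filters from an ldapRegistry element."""
    reg = ET.fromstring(xml_text).find("ldapRegistry")
    filt = reg.find("idsFilters")
    if filt is None:  # Active Directory registries use activedFilters instead
        filt = reg.find("activedFilters")
    return {"ldapType": reg.get("ldapType"), "ignoreCase": reg.get("ignoreCase"),
            "userFilter": filt.get("userFilter"), "groupFilter": filt.get("groupFilter")}


def check_filter(template):
    """Return the problems found: missing %v, unbalanced parens, no entity-type constraint."""
    problems = []
    if "%v" not in template:
        problems.append("no %v placeholder")
    if template.count("(") != template.count(")"):
        problems.append("unbalanced parentheses")
    if not re.search(r"\(object(class|category)=", template, re.IGNORECASE):
        problems.append("no objectclass/objectcategory constraint")
    return problems
```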

What to do next

Note: In a distributed environment, carry out steps 5 through 10 to configure the WebSphere Liberty files on other servers.