Using specific directory servers as the LDAP server

Important information about the directory servers that are supported as Lightweight Directory Access Protocol (LDAP) servers in WebSphere® Application Server are provided.

Before you begin

Microsoft Active Directory forests are not supported with the stand-alone LDAP Registry. The Federated Repository Registry, when configured to use an Active Directory LDAP does support the use of forests.

About this task

It is expected that other LDAP servers follow the LDAP specification. Support is limited to these specific directory servers only. You can use any other directory server by using the custom directory type in the list and by filling in the filters that are required for that directory.

To improve performance for LDAP searches, the default filters for IBM® Tivoli® Directory Server, Sun ONE, and Active Directory are defined such that when you search for a user, the result contains all the relevant information about the user (user ID, groups, and so on). As a result, the product does not call the LDAP server multiple times. This definition is possible only in these directory types, which support searches where the complete user information is obtained.

If you use the IBM Directory Server, select the Ignore case for authorization option. This option is required because when the group information is obtained from the user object attributes, the case is not the same as when you get the group information directly. For the authorization to work in this case, perform a case insensitive check and verify the requirement for the Ignore case for authorization option.

[z/OS]The LDAP Security Server for the z/OS® platform is supported when the DB2® Technical Database Management (TDBM) back-end is used. Use the SecureWay Directory Server filters to connect to the LDAP Security Server for the z/OS platform.

  • [IBM i]Using Directory Services as the LDAP server

    Support for groups that contain other groups or nested groups depends upon the specific versions of WebSphere Application Server and LDAP. For more information, see Dynamic groups and nested group support for LDAP.

  • Using IBM Tivoli Directory Server as the LDAP server

    [AIX Solaris HP-UX Linux Windows][IBM i] To use IBM Tivoli Directory Server, formerly IBM Directory Server, select IBM Tivoli Directory Server as the directory type.

    [z/OS]You can select either the IBM Tivoli Directory Server or SecureWay directory type for the IBM Directory Server.

    The difference between these two types is group membership lookup. It is recommended that you choose the IBM Tivoli Directory Server for optimum performance during runtime. In the IBM Tivoli Directory Server, the group membership is an operational attribute. With this attribute, a group membership lookup is done by enumerating the ibm-allGroups attribute for the entry. All group memberships, including the static groups, dynamic groups, and nested groups, can be returned with the ibm-allGroups attribute.

    WebSphere Application Server supports dynamic groups, nested groups, and static groups in IBM Tivoli Directory Server using the ibm-allGroups attribute. To utilize this attribute in a security authorization application, use a case-insensitive match so that attribute values returned by the ibm-allGroups attribute are all in uppercase.

    Important: It is recommended that you do not install IBM Tivoli Directory Server Version 6.0 on the same machine that you install Version 8.5. IBM Tivoli Directory Server Version 6.0 includes WebSphere Application Server Express® Version 5.1.1, which the directory server uses for its administrative console. Install the Web Administration tool Version 6.0 and WebSphere Application Server ExpressVersion 5.1.1, which are both bundled with IBM Tivoli Directory Server Version 6.0, on a different machine from Version 8.5. You cannot use Version 8.5 as the administrative console for IBM Tivoli Directory Server. If IBM Tivoli Directory Server Version 6.0 and Version 8.5 are installed on the same machine, you might encounter port conflicts.

    If you must install IBM Tivoli Directory Server Version 6.0 and Version 8.5 on the same machine, consider the following information:

    • During the IBM Tivoli Directory Server installation process, you must select both the Web Administration tool and WebSphere Application Server Express Version 5.1.1.
    • Install Version 8.5.
    • When you install Version 8.5, change the port number for the application server.
    • You might need to adjust the WebSphere Application Server environment variables on Version 8.5 for WAS_HOME and WAS_INSTALL_ROOT (or APP_SERVER_ROOT for IBM i). To change the variables using the administrative console, click Environment > WebSphere Variables.
  • Using a Lotus® Domino® Enterprise Server as the LDAP server
    If you select the Lotus Domino Enterprise Server Version 6.5.4 or Version 7.0 and the attribute short name is not defined in the schema, you can take either of the following actions:
    • Change the schema to add the short name attribute.
    • Change the user ID map filter to replace the short name with any other defined attribute (preferably to UID). For example, change person:shortname to person:uid.

    The userID map filter is changed to use the uid attribute instead of the shortname attribute as the current version of Lotus Domino does not create the shortname attribute by default. If you want to use the shortname attribute, define the attribute in the schema and change the userID map filter.

    User ID Map :    person:shortname

  • Using Sun ONE Directory Server as the LDAP server
    You can select Sun ONE Directory Server for your Sun ONE Directory Server system. In Sun ONE Directory Server, the object class is the default groupOfUniqueName when you create a group. For better performance, WebSphere Application Server uses the User object to locate the user group membership from the nsRole attribute. Create the group from the role. If you want to use the groupOfUniqueName attribute to search groups, specify your own filter setting. Roles unify entries. Roles are designed to be more efficient and easier to use for applications. For example, an application can locate the role of an entry by enumerating all the roles that are possessed by a given entry, rather than selecting a group and browsing through the members list. When using roles, you can create a group using a:
    • Managed role
    • Filtered role
    • Nested role
    All of these roles are computable by the nsRole attribute.
  • Using Microsoft Active Directory server as the LDAP server

    To use Microsoft Active Directory as the LDAP server for authentication with WebSphere Application Server you must take specific steps. By default, Microsoft Active Directory does not permit anonymous LDAP queries. To create LDAP queries or to browse the directory, an LDAP client must bind to the LDAP server using the distinguished name (DN) of an account that has the authority to search and read the values of LDAP attributes, such as user and group information, needed by the Application Server. A group membership search in the Active Directory is done by enumerating the memberof attribute for a given user entry, rather than browsing through the member list in each group. If you change the default behavior to browse each group, you can change the Group Member ID Map field from memberof:member to group:member.

The following steps describe how to set up Microsoft Active Directory as your LDAP server.

Procedure

  1. Determine the full distinguished name (DN) and password of an account in the administrators group.
    [AIX Solaris HP-UX Linux Windows][IBM i]For example, if the Active Directory administrator creates an account in the Users folder of the Active Directory Users and Computers Windows control panel and the DNS domain is ibm.com, the resulting DN has the following structure: 
    cn=<adminUsername>, cn=users, dc=ibm, 
dc=com
  2. Determine the short name and password of any account in the Microsoft Active Directory.
  3. Use the WebSphere Application Server administrative console to set up the information that is needed to use Microsoft Active Directory.
    1. Click Security > Global security.
    2. Under User account repository, select Standalone LDAP registry and click Configure.
    3. Set up LDAP with Active Directory as the type of LDAP server.
      Based on the information that is determined in the previous steps, you can specify the following values on the LDAP settings panel:
      Primary administrative user name
      Specify the name of a user with administrative privileges that is defined in the registry. This user name is used to access the administrative console or used by wsadmin.
      Type
      Specify Active Directory
      Host
      Specify the domain name service (DNS) name of the machine that is running Microsoft Active Directory.
      Base distinguished name (DN)
      Specify the domain components of the DN of the account that is chosen in the first step. For example: dc=ibm, dc=com
      Bind distinguished name (DN)
      Specify the full distinguished name of the account that is chosen in the first step. For example: cn=adminUsername, cn=users, dc=ibm, dc=com
      Bind password
      Specify the password of the account that is chosen in the first step.
    4. Click OK and Save to save the changes to the master configuration.
  4. Click Security > Global security.
  5. Under User account repository, click the Available realm definitions drop-down list, select Standalone LDAP registry, and click Configure.
  6. Select either the Automatically generated server identity or Server identity that is stored in the repository option.
    If you select the Server identity that is stored in the repository option, enter the following information:
    Server user ID or administrative user on a Version 6.0.x node
    Specify the short name of the account that is chosen in the second step.
    Server user password
    Specify the password of the account that is chosen in the second step.
  7. Optional: Set ObjectCategory as the filter in the Group member ID map field to improve LDAP performance.
    1. Under Additional properties, click Advanced Lightweight Directory Access Protocol (LDAP) user registry settings .
    2. Add ;objectCategory:group to the end of the Group member ID map field.
  8. Click OK and Save to save the changes to the master configuration.
  9. Stop and restart the administrative server so that the changes take effect.