Lightweight Directory Access Protocol test query utility settings

Use this page to test Lightweight Directory Access Protocol (LDAP) server connections and search filters.

Important: These settings cannot be saved.

To view this administrative console page, complete the following steps:
  1. Click Security > Global Security.
  2. Under the User account repository section, select Federated repositories or Standalone LDAP registry from the Available realm definitions field and click Configure.
    If you selected Federated repositories, complete the following steps:
    1. If repositories are listed in the Repositories in the Realm table, complete the following steps:
      • Click the link for a repository under the Repository Identifier column.
      • Under Related Items on the repository detail page, click LDAP Test Query.
    2. If no repositories are listed in the Repositories in the Realm table, complete the following steps:
      • Click Add repositories (custom, LDAP, etc).
      • Click New repository, and then select LDAP repository.
      • On the New page for the LDAP configuration, click LDAP Test Query under Related Items.
    If you selected Standalone LDAP registry, click LDAP Test Query under Related Items.

Host

Specifies the LDAP server host name. This host name is either an IP address or a Domain Name System (DNS) name.

Port

Specifies the LDAP server port number.

Information   Value
Data type     Integer
Default       389
Range         • 389, which is not a Secure Sockets Layer (SSL) connection
              • 636, which is a Secure Sockets Layer (SSL) connection

Base distinguished name (DN)

Specifies the base distinguished name of the directory service. This name indicates the starting point for LDAP searches in the directory service. For example, ou=Rochester, o=IBM, c=us.

Bind authentication mechanism

Specifies which bind authentication mechanism the application server uses to bind to the LDAP directory service.

Before fix pack 8.5.5.19, only simple bind authentication is supported.

[8.5.5.19 or later] Kerberos bind authentication with Generic Security Services API (GSSAPI) and simple bind authentication are supported.

Simple bind authentication

The application server uses simple bind authentication by default.

Bind distinguished name (DN)

Specifies the distinguished name for the application server to use when it binds to the LDAP directory service. If no name is specified, the application server binds anonymously. The following example is for a distinguished name:
ou=Rochester, o=IBM, c=US

Bind password

Specifies the password for the application server to use when it binds to the LDAP directory service.

[8.5.5.19 or later] Kerberos bind authentication with GSSAPI

To use Kerberos bind authentication with GSSAPI, specify a Kerberos principal name or Kerberos service principal name. The other fields are optional.

Kerberos principal name

Specifies the Kerberos principal name or Kerberos service principal name that the application server uses to authenticate with the Key Distribution Center (KDC).

Optional: Kerberos credential cache (Kerberos ticket cache)

Specifies the file location where Kerberos credentials for the Kerberos principal name or Kerberos service principal name are stored. This file is also known as the Kerberos ticket cache, or ccache.

If the Kerberos ticket cache and the Kerberos keytab are both specified, only the Kerberos ticket cache is used. If both the Kerberos ticket cache and the Kerberos keytab files are unspecified, the application server uses the default keytab file that is at the default system location.

Optional: Kerberos configuration

Specifies the Kerberos configuration file name with its full path. Alternatively, click Browse to locate it. The Kerberos configuration file contains client configuration information, including the location of each Key Distribution Center (KDC) for the realm of interest. The default file name and location for the Kerberos configuration file are:
  • [Linux][AIX][z/OS][HP-UX][IBM i][Solaris] /etc/krb5.conf
  • [Windows] C:\Windows\krb5.ini

If no Kerberos configuration file is specified, the application server uses this default Kerberos configuration file at its default system location. The Kerberos configuration file is global for all Kerberos configurations, including Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) and Kerberos authentication. For more information, see the topic about the Kerberos configuration file.

Optional: Kerberos keytab

Specifies a Kerberos keytab file name with its full path. The Kerberos keytab file contains one or more Kerberos principal or service principal names and a list of keys that are analogous to user passwords. The Kerberos keytab file is global for all Kerberos configurations, including SPNEGO and Kerberos authentication. Protect Kerberos keytab files by storing them on a local disk and making them readable only by authorized users. The default keytab file name is krb5.keytab.

If the Kerberos ticket cache and the Kerberos keytab are both specified, only the Kerberos ticket cache is used. If both the Kerberos ticket cache and the Kerberos keytab files are unspecified, the application server uses the default keytab file that is at the default system location.

Important: Kerberos bind authentication in a mixed cell with node levels earlier than fix pack 8.5.5.19 is not supported.
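Outside the administrative console, the same credential selection can be expressed with the JDK's Krb5LoginModule. The following Java program is an added example and is not WebSphere's implementation of Kerberos bind: it applies the precedence stated above (a ticket cache wins over a keytab; neither means the default keytab), points the JVM at the configured Kerberos configuration file through the java.security.krb5.conf system property, and then uses the resulting Subject for a SASL GSSAPI bind through JNDI. The principal name, file paths and server URL are constructed placeholders.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map;
import javax.naming.Context;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Added example: Kerberos (GSSAPI) bind credentials chosen with the ticket-cache-over-keytab rule. */
public class KerberosLdapBind {

    static final String KRB5_LOGIN_MODULE = "com.sun.security.auth.module.Krb5LoginModule";

    /** Maps the console fields to Krb5LoginModule options: ticket cache wins, otherwise keytab, otherwise default keytab. */
    static Map<String, String> loginOptions(String principal, String ticketCache, String keytab) {
        Map<String, String> opts = new HashMap<>();
        opts.put("principal", principal);
        opts.put("doNotPrompt", "true"); // a server-side bind must never prompt for a password
        if (ticketCache != null && !ticketCache.isEmpty()) {
            opts.put("useTicketCache", "true");
            opts.put("ticketCache", ticketCache);
            opts.put("useKeyTab", "false"); // the keytab is ignored when a ticket cache is given
        } else {
            opts.put("useTicketCache", "false");
            opts.put("useKeyTab", "true");
            if (keytab != null && !keytab.isEmpty()) {
                opts.put("keyTab", keytab);
            }
            // No keyTab option: Krb5LoginModule falls back to its own default keytab location.
        }
        return opts;
    }

    /** Logs the principal in with JAAS and returns the Subject that carries the Kerberos credentials. */
    static Subject login(String principal, String ticketCache, String keytab, String krb5Conf)
            throws LoginException {
        if (krb5Conf != null && !krb5Conf.isEmpty()) {
            // "Kerberos configuration" field; when unset, the JVM uses the platform default location.
            System.setProperty("java.security.krb5.conf", krb5Conf);
        }
        final Map<String, String> opts = loginOptions(principal, ticketCache, keytab);
        Configuration jaas = new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(KRB5_LOGIN_MODULE, LoginModuleControlFlag.REQUIRED, opts)
                };
            }
        };
        LoginContext lc = new LoginContext("LdapTestQuery", null, null, jaas);
        lc.login();
        return lc.getSubject();
    }

    /** Binds to the LDAP server with SASL GSSAPI as the logged-in Subject; throws if the bind fails. */
    static void testGssapiBind(Subject subject, String providerUrl) throws PrivilegedActionException {
        Subject.doAs(subject, (PrivilegedExceptionAction<Void>) () -> {
            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, providerUrl);
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
            DirContext ctx = new InitialDirContext(env); // the GSSAPI bind happens here
            ctx.close();
            return null;
        });
    }

    public static void main(String[] args) throws Exception {
        // Constructed values: a service principal, an explicit ticket cache and a keytab that is therefore unused.
        String principal = "ldapclient/app1.example.com@EXAMPLE.COM";
        String ticketCache = "/var/run/app1/krb5cc_ldap";
        String keytab = "/etc/app1/ldapclient.keytab";
        Subject subject = login(principal, ticketCache, keytab, "/etc/krb5.conf");
        testGssapiBind(subject, "ldap://ldap.example.com:389");
        System.out.println("GSSAPI bind succeeded as " + subject.getPrincipals());
    }
}
```

Compile and run with `javac KerberosLdapBind.java && java KerberosLdapBind`. Two caveats when comparing this with the console behaviour: when no keyTab option is given, Krb5LoginModule looks for default_keytab_name in the Kerberos configuration file and otherwise falls back to krb5.keytab in the user's home directory, which is not necessarily the system location the page refers to; and on JDK 18 or later Subject.doAs is deprecated in favour of Subject.callAs, which takes the same Subject and a Callable.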

SSL enabled

Specifies whether secure socket communications are enabled with the LDAP server. When this option is selected, LDAP Secure Sockets Layer (SSL) settings are used, if specified.

Centrally managed

Specifies that the selection of an SSL configuration is based on the outbound topology view for Java™ Naming and Directory Interface (JNDI). Centrally managed configurations support one location to maintain SSL configurations instead of having multiple locations for the SSL configurations across the configuration documents.

Use specific SSL alias

Specifies the SSL configuration alias to use for LDAP outbound SSL communications. This option overrides the centrally managed configuration for JNDI.

Enable referral to other LDAP servers

Specifies whether the search follows referrals if the user is not on the current server. The default is ignore.

Search filter string

Specifies the LDAP search filter that the test query runs under the base distinguished name.
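The console fields on this page map one-to-one onto JNDI environment properties. The following Java program is an added example, not WebSphere code, that runs the same kind of test query with the JDK's LDAP provider: Host and Port become the provider URL (ldaps:// when SSL is enabled), the bind DN and password select a simple or anonymous bind, the referral switch sets Context.REFERRAL, and the base DN and filter drive the search. The host name, DNs and filter values are constructed placeholders. The escapeFilterValue helper is added to show how a value that comes from outside the program should be escaped before it is spliced into a filter, so that it cannot change the structure of the filter.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.SizeLimitExceededException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Added example: the console's LDAP test query expressed as a plain JNDI search. */
public class LdapTestQuery {

    /** Escapes one value for use inside a search filter (RFC 4515, section 3). */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Builds the JNDI environment from Host, Port, SSL enabled, Bind DN, Bind password and the referral switch. */
    static Hashtable<String, String> buildEnvironment(String host, int port, boolean sslEnabled,
                                                      String bindDn, String bindPassword,
                                                      boolean followReferrals) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        // Port 389 with ldap:// is clear text; port 636 with ldaps:// is LDAP over SSL.
        // The trust store for ldaps:// comes from the JVM (javax.net.ssl.trustStore); in WebSphere
        // that choice is what the centrally managed / specific SSL alias settings make.
        env.put(Context.PROVIDER_URL, (sslEnabled ? "ldaps" : "ldap") + "://" + host + ":" + port);
        if (bindDn == null || bindDn.isEmpty()) {
            env.put(Context.SECURITY_AUTHENTICATION, "none"); // no bind DN: anonymous bind, as the page states
        } else {
            // A simple bind sends the password to the server, so pair it with SSL.
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, bindDn);
            env.put(Context.SECURITY_CREDENTIALS, bindPassword);
        }
        // "Enable referral to other LDAP servers": the page's default is ignore.
        env.put(Context.REFERRAL, followReferrals ? "follow" : "ignore");
        return env;
    }

    /** Binds, runs the filter under the base DN and returns how many entries were returned (capped at maxResults). */
    static int runTestQuery(Hashtable<String, String> env, String baseDn, String filter, long maxResults)
            throws NamingException {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setCountLimit(maxResults);
        controls.setReturningAttributes(new String[0]); // DNs only; a connectivity test needs no attribute data
        DirContext ctx = new InitialDirContext(env);      // the bind happens here
        int count = 0;
        try {
            NamingEnumeration<SearchResult> results = ctx.search(baseDn, filter, controls);
            try {
                while (results.hasMore()) {
                    System.out.println(results.next().getNameInNamespace());
                    count++;
                }
            } catch (SizeLimitExceededException e) {
                // More entries matched than maxResults; the entries already counted are still valid.
            }
        } finally {
            ctx.close();
        }
        return count;
    }

    public static void main(String[] args) throws NamingException {
        // Constructed values; the base DN follows the page's own example. Port 636 + sslEnabled is the SSL pairing.
        String host = "ldap.example.com";
        String baseDn = "ou=Rochester, o=IBM, c=us";
        String bindDn = "cn=testquery, ou=Rochester, o=IBM, c=us";
        String bindPassword = System.getenv("LDAP_BIND_PASSWORD"); // never hard-code the bind password
        if (bindPassword == null) {
            throw new IllegalStateException("set LDAP_BIND_PASSWORD in the environment");
        }
        // The user id comes from outside the program, so it is escaped before being spliced into the filter.
        String requestedUid = "jsmith";
        String filter = "(&(objectClass=person)(uid=" + escapeFilterValue(requestedUid) + "))";

        Hashtable<String, String> env = buildEnvironment(host, 636, true, bindDn, bindPassword, false);
        int matched = runTestQuery(env, baseDn, filter, 10);
        System.out.println(matched + " entries returned for " + filter);
    }
}
```

Compile and run with `javac LdapTestQuery.java && LDAP_BIND_PASSWORD=... java LdapTestQuery`. A failed bind surfaces as an AuthenticationException, an unreachable host or port as a CommunicationException, and an ldaps:// connection to a server whose certificate is not in the JVM trust store fails inside the same CommunicationException, which is the quickest way to tell a trust-store problem from a credentials problem when a console test query fails.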