Advanced Lightweight Directory Access Protocol user registry settings
Use this page to configure the advanced Lightweight Directory Access Protocol (LDAP) user registry settings when users and groups reside in an external LDAP directory.
- Click .
- Under User account repository, click the Available realm definitions drop-down list, select Standalone LDAP registry, and click Configure.
- Under Additional properties, click Advanced Lightweight Directory Access Protocol (LDAP) user registry settings.
Default values for all the user and group related filters are already completed in the appropriate fields. You can change these values depending on your requirements. These default values are based on the type of LDAP server that is selected in the Standalone LDAP registry settings panel. If this type changes, for example from Netscape to SecureWay, the default filters automatically change. When the default filter values change, the LDAP server type changes to Custom to indicate that custom filters are used. When security is enabled and any of these properties change, go to the Global security panel and click Apply or OK to validate the changes.
It is recommended that you migrate from stand-alone LDAP registries to federated repositories. If you move to WebSphere Portal 6.1 and later, or WebSphere Process Server 6.1 and later, you should migrate to federated repositories before these upgrades. For more information about federated repositories and their capabilities, read the Federated repositories topic. For more information about how to migrate to federated repositories, read the Migrating a stand-alone LDAP repository to a federated repositories LDAP repository configuration topic.
User filter
Specifies the LDAP user filter that searches the user registry for users. This option is typically used for security role-to-user assignments and specifies the property by which to look up users in the directory service. For example, to look up users based on their user IDs, specify `(&(uid=%v)(objectclass=inetOrgPerson))`. For more information about this syntax, see the LDAP directory service documentation.
Information | Value |
---|---|
Data type: | String |
Group filter
Specifies the LDAP group filter that searches the user registry for groups.
This option is typically used for security role-to-group assignments and specifies the property by which to look up groups in the directory service. For more information about this syntax, see the LDAP directory service documentation.
Information | Value |
---|---|
Data type: | String |
User ID map
Specifies the LDAP filter that maps the short name of a user to an LDAP entry. It also specifies the piece of information that represents users when users are displayed. For example, to display entries of the object class `inetOrgPerson` by their IDs, specify `inetOrgPerson:uid`. This field takes multiple `objectclass:property` pairs delimited by a semicolon (`;`).
Information | Value |
---|---|
Data type: | String |
Group ID map
Specifies the LDAP filter that maps the short name of a group to an LDAP entry. It also specifies the piece of information that represents groups when groups are displayed. For example, to display groups by their names, specify `*:cn`. The asterisk (`*`) is a wildcard character that in this case matches any object class. This field takes multiple `objectclass:property` pairs, delimited by a semicolon (`;`).
Information | Value |
---|---|
Data type: | String |
Group member ID map
Specifies the LDAP filter that identifies user-to-group relationships.
For directory types SecureWay and Domino®, this field takes multiple `objectclass:property` pairs, delimited by a semicolon (`;`). In an `objectclass:property` pair, the object class value is the same object class that is defined in the group filter, and the property is the member attribute. If the object class value does not match the object class in the group filter, authorization might fail if groups are mapped to security roles. For more information about this syntax, see your LDAP directory service documentation.
For IBM® Directory Server, Sun ONE, and Active Directory, this field takes multiple `group attribute:member attribute` pairs delimited by a semicolon (`;`). These pairs are used to find the group memberships of a user by enumerating all the group attributes that are possessed by a given user. For example, the attribute pair `memberof:member` is used by Active Directory, and `ibm-allGroup:member` is used by IBM Directory Server. This field also specifies which property of an object class stores the list of members belonging to the group represented by the object class. For supported LDAP directory servers, see Supported directory services.
Information | Value |
---|---|
Data type: | String |
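As an added example that is not part of the IBM documentation, the following Python parses the `objectclass:property` format shared by the User ID map, Group ID map and Group member ID map fields, resolves which attribute displays an entry (honouring the `*` wildcard), and performs the consistency check the text warns about: object classes named in the member map that the Group filter does not mention. All sample maps, filters and objectClass values are constructed.

```python
import re
from typing import List, Optional, Tuple


def parse_id_map(id_map: str) -> List[Tuple[str, str]]:
    """Split 'inetOrgPerson:uid;*:cn' into ordered (objectclass, property) pairs."""
    pairs = []
    for chunk in id_map.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue  # tolerate a trailing ';'
        if chunk.count(":") != 1:
            raise ValueError(f"malformed objectclass:property pair: {chunk!r}")
        oc, prop = (part.strip() for part in chunk.split(":"))
        if not oc or not prop:
            raise ValueError(f"empty objectclass or property in: {chunk!r}")
        pairs.append((oc, prop))
    return pairs


def display_attribute(id_map: str, entry_object_classes: List[str]) -> Optional[str]:
    """Property used to display an entry: the first pair whose object class is one of
    the entry's objectClass values, or '*' as a wildcard. LDAP names are
    case-insensitive, so compare lower-cased. None if no pair applies."""
    classes = {oc.lower() for oc in entry_object_classes}
    for oc, prop in parse_id_map(id_map):
        if oc == "*" or oc.lower() in classes:
            return prop
    return None


def member_map_classes_missing_from_group_filter(member_map: str, group_filter: str) -> List[str]:
    """Object classes in a Group member ID map that the Group filter never names in an
    'objectclass=<name>' term. The page warns that this mismatch can make
    role-to-group authorization fail. Purely textual; no LDAP server is contacted."""
    in_filter = {m.lower() for m in re.findall(r"objectclass=([^)]+)", group_filter, re.IGNORECASE)}
    return [oc for oc, _ in parse_id_map(member_map) if oc != "*" and oc.lower() not in in_filter]


if __name__ == "__main__":
    # Constructed sample values in the formats the panel accepts.
    print(display_attribute("inetOrgPerson:uid", ["top", "person", "inetOrgPerson"]))
    print(display_attribute("*:cn", ["groupOfNames"]))
    group_filter = "(&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))"
    print(member_map_classes_missing_from_group_filter(
        "groupOfNames:member;groupOfURLs:memberURL", group_filter))
```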
Perform a nested group search
Specifies a recursive nested group search.
- IBM Directory Server is preconfigured by the application server security to recursively calculate a user's group memberships using the `ibm-allGroup` attribute.
- SunONE directory server is preconfigured to calculate nested group memberships using the `nsRole` attribute.
Information | Value |
---|---|
Data type: | String |
Kerberos user filter
Specifies the Kerberos user filter value. This value can be modified when Kerberos is configured and is active as one of the preferred authentication mechanisms.
Information | Value |
---|---|
Data type: | String |
Certificate map mode
Specifies whether to map X.509 certificates into an LDAP directory by `EXACT_DN` or `CERTIFICATE_FILTER`. Specify `CERTIFICATE_FILTER` to use the specified certificate filter for the mapping.
Information | Value |
---|---|
Data type: | String |
Certificate filter
Specifies the filter certificate mapping property for the LDAP filter. The filter is used to map attributes in the client certificate to entries in the LDAP registry, for example `(&(uid=${SubjectCN})(objectclass=inetOrgPerson))`. The filter specification contains an LDAP attribute that depends on the schema that your LDAP server is configured to use. The filter specification also contains one of the public attributes in your client certificate. It must begin with a dollar sign (`$`) and open bracket (`{`) and end with a close bracket (`}`). You can use the following certificate attribute values; the case of the strings is important:
- `${UniqueKey}`
- `${PublicKey}`
- `${IssuerDN}`
- `${Issuer<xx>}`, where `<xx>` is replaced by the characters that represent any valid component of the Issuer Distinguished Name. For example, you might use `${IssuerCN}` for the Issuer Common Name.
- `${NotAfter}`
- `${NotBefore}`
- `${SerialNumber}`
- `${SigAlgName}`
- `${SigAlgOID}`
- `${SigAlgParams}`
- `${SubjectDN}`
- `${Subject<xx>}`, where `<xx>` is replaced by the characters that represent any valid component of the Subject Distinguished Name. For example, you might use `${SubjectCN}` for the Subject Common Name.
- `${Version}`
Information | Value |
---|---|
Data type: | String |
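Both the User filter (`%v`) and the Certificate filter (`${Attribute}`) substitute a caller-supplied value into an LDAP search filter. As an added example that is not part of the IBM documentation or of the application server's own code, the following Python expands both kinds of placeholder and escapes every substituted value per RFC 4515, so that a user ID or certificate field containing filter metacharacters cannot change the filter's structure. The templates are from the page; the user ID and certificate attribute values are constructed.

```python
import re
from typing import Dict

# RFC 4515 escapes for characters that would otherwise alter filter structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it can be embedded as an assertion value in an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_user_filter(template: str, user_id: str) -> str:
    """Fill the %v marker of a User filter such as (&(uid=%v)(objectclass=inetOrgPerson))."""
    return template.replace("%v", escape_filter_value(user_id))


# ${Name}: a dollar sign and open bracket, a case-sensitive name, a close bracket.
_PLACEHOLDER = re.compile(r"\$\{([A-Za-z][A-Za-z0-9]*)\}")


def expand_certificate_filter(template: str, cert_attrs: Dict[str, str]) -> str:
    """Fill ${...} markers of a Certificate filter from the certificate's public
    attributes. Names are matched case-sensitively, as the page states; an
    unknown name is an error rather than a silently empty match."""
    def substitute(match: "re.Match[str]") -> str:
        name = match.group(1)
        if name not in cert_attrs:
            raise KeyError(f"no certificate attribute for ${{{name}}}")
        return escape_filter_value(cert_attrs[name])
    return _PLACEHOLDER.sub(substitute, template)


if __name__ == "__main__":
    user_template = "(&(uid=%v)(objectclass=inetOrgPerson))"
    cert_template = "(&(uid=${SubjectCN})(objectclass=inetOrgPerson))"
    # Constructed inputs: a plain user ID, then one carrying filter metacharacters.
    print(expand_user_filter(user_template, "jdoe"))
    print(expand_user_filter(user_template, "jdoe*)(uid=*"))
    # Constructed certificate attributes keyed by the placeholder names from the page.
    print(expand_certificate_filter(cert_template, {"SubjectCN": "jdoe", "IssuerCN": "Example CA"}))
```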