Lightweight Directory Access Protocol repository configuration settings

Use this page to configure secure access to a Lightweight Directory Access Protocol (LDAP) repository with optional failover servers.

To view this administrative console page, complete the following steps:
  1. In the administrative console, click Security > Global security.
  2. Under User account repository, select Federated repositories from the Available realm definitions field and click Configure. To configure for a specific domain in a multiple security domain environment, click Security domains > domain_name. Under Security Attributes, expand User Realm, and click Customize for this domain. Select the Realm type as Federated repositories and then click Configure.
  3. Under Related items, click Manage repositories.
  4. Click Add to specify a new external repository or select an external repository that is preconfigured.

When you finish adding or updating your federated repository configuration, go to the Security > Global security panel and click Apply to validate the changes.

Repository identifier

Specifies a unique identifier for the LDAP repository. This identifier uniquely identifies the repository within the cell, for example: LDAP1.

Directory type

Specifies the type of LDAP server to which you connect.

Expand the drop-down list to display a list of LDAP directory types.

Primary host name

Specifies the host name of the primary LDAP server. This host name is either an IP address or a domain name service (DNS) name.

Port

Specifies the LDAP server port.

The default value is 389, which is not a Secure Sockets Layer (SSL) connection. Use port 636 for an SSL connection. For some LDAP servers, you can specify a different port for a non-SSL or SSL connection. If you do not know the port to use, contact your LDAP server administrator.

Information Value
Data type: Integer
Default: 389
Range: 389 (not an SSL connection) or 636 (an SSL connection)

Failover host name

Specifies the host name of the failover LDAP server.

You can specify a secondary directory server to be used in the event that your primary directory server becomes unavailable. After switching to a secondary directory server, the LDAP repository attempts to reconnect to the primary directory server every 15 minutes.

Port: failover

Specifies the port of the failover LDAP server.

The default value is 389, which is not a Secure Sockets Layer (SSL) connection. Use port 636 for an SSL connection. For some LDAP servers, you can specify a different port for a non-SSL or SSL connection. If you do not know the port to use, contact your LDAP server administrator.

Information Value
Data type: Integer
Range: 389 (not an SSL connection) or 636 (an SSL connection)

Support referrals to other LDAP servers

Specifies how referrals that are encountered by the LDAP server are handled.

A referral is an entity that is used to redirect a client request to another LDAP server. A referral contains the names and locations of other objects. It is sent by the server to indicate that the information that the client requested can be found at another location, possibly at another server or several servers. The default value is ignore.

Information Value
Default: ignore
Range:
  ignore: Referrals are ignored.
  follow: Referrals are followed automatically.

Support for repository change tracking

Specifies the type of support for repository change tracking. The profile manager refers to this value before passing on the request to the corresponding adapter. If the value is none, then that repository is not called to retrieve the changed entities.

none
Specifies there is no change tracking support for this repository.
native
Specifies that the repository's native change tracking mechanism is used by virtual member manager to return changed entities.

Custom properties

Specifies arbitrary name and value pairs of data. The name is a property key and the value is a string value that can be used to set internal system configuration properties.

Defining a new property enables you to configure a setting beyond that which is available in the administrative console.

Bind authentication mechanism

Specifies the bind authentication mechanism that the application server uses to bind to the LDAP directory service.

Before fix pack 9.0.5.7, only simple bind authentication is supported.

[9.0.5.7 or later] Kerberos bind authentication with Generic Security Services API (GSSAPI) and simple bind authentication are supported.

Simple bind authentication

The application server uses simple bind authentication by default.
Bind distinguished name (DN)
Specifies the distinguished name for the application server to use when it binds to the LDAP directory service. If no name is specified, the application server binds anonymously. The following example is for a distinguished name:
ou=Rochester, o=IBM, c=US
Bind password
Specifies the password for the application server to use when it binds to the LDAP directory service.

[9.0.5.7 or later] Kerberos bind authentication with GSSAPI

To use the Kerberos bind authentication with GSSAPI, specify a Kerberos principal name or Kerberos service principal name. Other fields are optional.
Kerberos principal name
Specifies the Kerberos principal name or Kerberos service principal name that the application server uses to authenticate with the Key Distribution Center (KDC).
Optional: Kerberos credential cache (Kerberos ticket cache)

Specifies the file location where Kerberos credentials for the Kerberos principal name or Kerberos service principal name are stored. This file is also known as the Kerberos ticket cache, or ccache.

If the Kerberos ticket cache and the Kerberos keytab are both specified, only the Kerberos ticket cache is used. If both the Kerberos ticket cache and the Kerberos keytab files are unspecified, the application server uses the default keytab file that is at the default system location.

Optional: Kerberos configuration
Specifies the Kerberos configuration file name with its full path. Alternatively, click Browse to locate it. The Kerberos configuration file contains client configuration information, including the location of each Key Distribution Center (KDC) for the realm of interest. The following information gives the default file name and location for the Kerberos configuration file:
  • [Linux][AIX][z/OS][HP-UX][IBM i][Solaris] /etc/krb5.conf
  • [Windows] C:\Windows\krb5.ini
If no Kerberos configuration file is specified, the application server uses this default Kerberos configuration file at its default system location. The Kerberos configuration file is global for all Kerberos configurations, including Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) and Kerberos authentication. For more information, see the topic about the Kerberos configuration file.
Optional: Kerberos keytab

Specifies a Kerberos keytab file name with its full path. The Kerberos keytab file contains one or more Kerberos principal or service principal names and a list of keys that are analogous to user passwords. The Kerberos keytab file is global for all Kerberos configurations, including SPNEGO and Kerberos Authentication. Protect Kerberos keytab files by storing them on a local disk to make them readable only by authorized users. The default keytab file name is krb5.keytab.

If the Kerberos ticket cache and the Kerberos keytab are both specified, only the Kerberos ticket cache is used. If both the Kerberos ticket cache and the Kerberos keytab files are unspecified, the application server uses the default keytab file that is at the default system location.

Important: Kerberos bind authentication in a mixed cell with node levels earlier than fix pack 9.0.5.7 is not supported.

Login properties

Specifies the property names to use to log into the application server.

This field takes multiple login properties, delimited by a semicolon (;). For example, uid;mail. All login properties are searched during login. If multiple entries or no entries are found, an exception is thrown. For example, if you specify the login properties as uid;mail and the login ID as Bob, the search filter searches for uid=Bob or mail=Bob. When the search returns a single entry, then authentication can proceed. Otherwise, an exception is thrown.

Supported configurations: If you define multiple login properties, the first login property is programmatically mapped to the federated repositories principalName property. For example, if you set uid;mail as the login properties, the LDAP attribute uid value is mapped to the federated repositories principalName property. If you define multiple login properties, after login, the first login property is returned as the value of the principalName property. For example, if you pass joe@yourco.com as the principalName value and the login properties are configured as uid;mail, the principalName is returned as joe.

LDAP attribute for Kerberos principal name

Specifies the LDAP attribute that holds the Kerberos principal name. This field can be modified when Kerberos is configured and is one of the active or preferred authentication mechanisms.

Certificate mapping

Specifies whether to map X.509 certificates into an LDAP directory by EXACT_DN or CERTIFICATE_FILTER. Specify CERTIFICATE_FILTER to use the specified certificate filter for the mapping.

Certificate filter

Specifies the certificate filter that is used as the LDAP filter for certificate mapping. The filter maps attributes in the client certificate to entries in the LDAP repository.

If more than one LDAP entry matches the filter specification at run time, authentication fails because the result is an ambiguous match. The syntax or structure of this filter is:

LDAP attribute=${Client certificate attribute}

An example of a simple certificate filter is: uid=${SubjectCN}.

You can also specify multiple properties and values as part of the certificate filter. Two examples of complex certificate filters are:

(&(cn=${IssuerCN})(employeeNumber=${SerialNumber}))

(& (issuer=${IssuerDN}) (serial=${SerialNumber}) (subjectdn=${SubjectDN}))

The part of the filter specification before the equals sign (=) is an LDAP attribute that depends on the schema that your LDAP server is configured to use. The part after the equals sign is one of the public attributes in your client certificate; it must begin with a dollar sign and opening brace (${) and end with a closing brace (}). You can also use the UniqueKey certificate variable, which consists of the base64 encoding of the MD5 hash of the subject DN and issuer DN. You can use the following certificate attribute values in the part of the filter specification after the equals sign. The case of the strings is important:
  • ${UniqueKey}
  • ${PublicKey}
  • ${IssuerDN}
  • ${Issuerxx} where xx is replaced by the characters that represent any valid component of the Issuer Distinguished Name. For example, you might use ${IssuerCN} for the Issuer Common Name.
  • ${NotAfter}
  • ${NotBefore}
  • ${SerialNumber}
  • ${SigAlgName}
  • ${SigAlgOID}
  • ${SigAlgParams}
  • ${SubjectDN}
  • ${Subjectxx} where xx is replaced by the characters that represent any valid component of the Subject Distinguished Name. For example, you might use ${SubjectCN} for the Subject Common Name.
  • ${Version}
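The following Python example is added here to illustrate the two lookups this topic describes, the login-properties search (uid;mail) and the CERTIFICATE_FILTER certificate mapping. It is not product code and is not part of this topic. The directory entries and the client-certificate values are constructed sample data; the filter evaluator supports only equality items combined with & and |, and it assumes that attribute names are case-insensitive and variable names such as ${SubjectCN} are case-sensitive. It goes beyond the topic in one respect: the login ID and certificate values are escaped per RFC 4515 before they are placed in the filter, so a value containing filter metacharacters cannot alter the filter's structure. As the topic requires, zero or several matches raise an exception, and the first login property's value is returned as principalName.

```python
import re

# Constructed sample directory; keys are lowercase (LDAP attribute names are case-insensitive).
# alice and alice2 deliberately share a mail value to show the ambiguous-match case.
DIRECTORY = [
    {"dn": "uid=bob,ou=people,o=example", "uid": "bob", "mail": "bob@example.com",
     "issuer": "CN=Example CA,O=Example", "serial": "1001", "subjectdn": "CN=bob,O=Example"},
    {"dn": "uid=alice,ou=people,o=example", "uid": "alice", "mail": "alice@example.com"},
    {"dn": "uid=alice2,ou=people,o=example", "uid": "alice2", "mail": "alice@example.com"},
    {"dn": "uid=joe,ou=people,o=example", "uid": "joe", "mail": "joe@yourco.com"},
]

# Constructed client-certificate values, keyed by the variable names the topic lists.
CLIENT_CERT = {
    "SubjectCN": "bob", "SubjectDN": "CN=bob,O=Example",
    "IssuerCN": "Example CA", "IssuerDN": "CN=Example CA,O=Example",
    "SerialNumber": "1001",
}


class AmbiguousOrMissingEntry(Exception):
    """Zero or several entries matched; the topic says authentication must fail."""


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping (this example's own safeguard, not described in the topic)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(s: str, pos: int = 0):
    """Parse (attr=value) items combined with (&...) and (|...); spaces are allowed."""
    while s[pos].isspace():
        pos += 1
    if s[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos} in {s!r}")
    pos += 1
    if s[pos] in "&|":
        op, pos, subs = s[pos], pos + 1, []
        while True:
            while s[pos].isspace():
                pos += 1
            if s[pos] == ")":
                return (op, subs), pos + 1
            node, pos = parse_filter(s, pos)
            subs.append(node)
    end = s.index(")", pos)  # escaped values never contain a literal ')'
    attr, sep, val = s[pos:end].partition("=")
    if not sep or not attr.strip():
        raise ValueError(f"malformed filter item {s[pos:end]!r}")
    return ("=", attr.strip().lower(), _unescape(val)), end + 1


def matches(node, entry: dict) -> bool:
    if node[0] == "=":
        return entry.get(node[1]) == node[2]
    results = [matches(sub, entry) for sub in node[1]]
    return all(results) if node[0] == "&" else any(results)


def find_one(filter_str: str) -> dict:
    """Run a filter over DIRECTORY and insist on exactly one matching entry."""
    if not filter_str.lstrip().startswith("("):
        filter_str = f"({filter_str})"  # bare uid=bob, as in the topic's simple example
    node, end = parse_filter(filter_str)
    if filter_str[end:].strip():
        raise ValueError("trailing data after filter")
    hits = [e for e in DIRECTORY if matches(node, e)]
    if len(hits) != 1:
        raise AmbiguousOrMissingEntry(f"{len(hits)} entries match {filter_str}")
    return hits[0]


def login_filter(login_properties: str, login_id: str) -> str:
    """'uid;mail' with ID Bob gives (|(uid=Bob)(mail=Bob)); the ID is escaped first."""
    props = [p.strip() for p in login_properties.split(";") if p.strip()]
    terms = "".join(f"({p}={escape_filter_value(login_id)})" for p in props)
    return f"(|{terms})" if len(props) > 1 else terms


def login(login_properties: str, login_id: str) -> str:
    """Return principalName: the first login property's value of the single match."""
    entry = find_one(login_filter(login_properties, login_id))
    return entry[login_properties.split(";")[0].strip().lower()]


_CERT_VAR = re.compile(r"\$\{([A-Za-z0-9]+)\}")


def certificate_filter(template: str, cert: dict) -> str:
    """Replace ${Name} with the escaped certificate value; names are case-sensitive."""
    def repl(m):
        if m.group(1) not in cert:
            raise KeyError(f"unknown certificate variable ${{{m.group(1)}}}")
        return escape_filter_value(cert[m.group(1)])
    return _CERT_VAR.sub(repl, template)


def map_certificate_by_filter(template: str, cert: dict) -> str:
    """CERTIFICATE_FILTER mapping: DN of the single entry the filled-in filter selects."""
    return find_one(certificate_filter(template, cert))["dn"]


def fails(exc, fn, *args) -> bool:
    try:
        fn(*args)
    except exc:
        return True
    return False
```

With this sample data, login("uid;mail", "joe@yourco.com") returns joe, as in the topic's principalName example, login("uid;mail", "alice@example.com") raises AmbiguousOrMissingEntry because two entries share that mail value, and map_certificate_by_filter("(& (issuer=${IssuerDN}) (serial=${SerialNumber}) (subjectdn=${SubjectDN}))", CLIENT_CERT) resolves to bob's DN. Escaping the substituted values is what keeps a login ID such as bob)(uid=* from turning the single-entry search into a wildcard search.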

Require SSL communications

Specifies whether secure socket communication is enabled to the LDAP server.

When enabled, the Secure Sockets Layer (SSL) settings for LDAP are used, if specified.

Centrally managed

Specifies that the selection of an SSL configuration is based upon the outbound topology view for the Java™ Naming and Directory Interface (JNDI) platform.

Centrally managed configurations support one location to maintain SSL configurations, rather than spreading them across the configuration documents.

Information Value
Default: Enabled
Range: Enabled or Disabled

Use specific SSL alias

Specifies the SSL configuration alias to use for LDAP outbound SSL communications.

This option overrides the centrally managed configuration for the JNDI platform.