Standalone LDAP registry settings
Use this page to configure Lightweight Directory Access Protocol (LDAP) settings when users and groups reside in an external LDAP directory.
- Click .
- Under User account repository, click the Available realm definitions drop-down list, select Standalone LDAP registry, and click Configure.
When security is enabled and any of these properties change, go to the Global security panel and click Apply to validate the changes.
WebSphere® Application Server Version 7.0 distinguishes between the user identities for administrators who manage the environment and server identities for authenticating server to server communications. In most cases, server identities are automatically generated and are not stored in a repository.
However, if you are adding a previous version node to the latest version cell and the previous version node used a server identity and password, you must ensure that the server identity and password for the previous version are defined in the repository for this cell. Enter the server user identity and password on this panel.
- Go to the panel for SAF by clicking .
- Select System Authorization Facility (SAF) from the drop-down list under the Authorization provider option.
- Click Configure.
It is recommended that you migrate from stand-alone LDAP registries to federated repositories. If you move to WebSphere Portal 6.1 and later, or WebSphere Process Server 6.1 and later, you should migrate to federated repositories before these upgrades. For more information about federated repositories and their capabilities, read the Federated repositories topic. For more information about how to migrate to federated repositories, read the Migrating a stand-alone LDAP repository to a federated repositories LDAP repository configuration topic.
Primary administrative user name
Specifies the name of a user with administrative privileges that is defined in your user registry.
Automatically generated server identity
Enables the application server to generate the server identity, which is recommended for environments that contain only Version 6.1 or later nodes. Automatically generated server identities are not stored in a user repository.
Select this field or the Server identity that is stored in the repository field. Only one of the two fields can be selected at a time.
Information | Value |
---|---|
Default: | Enabled |
Server identity that is stored in the repository
Specifies a user identity in the repository that is used for internal process communication.
Select this field or the Automatically generated server identity field. Only one of the two fields can be selected at a time.
Information | Value |
---|---|
Default: | None |
Server user ID or administrative user on a Version 6.0.x node
Specifies the user ID that is used to run the application server for security purposes.
Password
Specifies the password that corresponds to the server ID.
Type of LDAP server
Specifies the type of LDAP server to which you connect.
IBM® SecureWay Directory Server is not supported.
IBM SecureWay Directory Server is supported by the application server for z/OS® as well as many other LDAP servers.
Host
Specifies the host ID (IP address or domain name service (DNS) name) of the LDAP server.
Port
Specifies the host port of the LDAP server.
If the LDAP port is explicitly specified as 389 in a Version 6.1 and later configuration, and a WebSphere Application Server at Version 8.x is going to interoperate with the Version 6.1 and later server, verify that port 389 is specified explicitly for the Version 8.x server.
Information | Value |
---|---|
Default: | 389 |
Type: | Integer |
Base distinguished name (DN)
Specifies the base distinguished name (DN) of the directory service, which indicates the starting point for LDAP searches of the directory service. In most cases, bind DN and bind password are needed. However, when anonymous bind can satisfy all of the required functions, bind DN and bind password are not needed.
For example, for a user with a DN of cn=John Doe, ou=Rochester, o=IBM, c=US, specify the base DN as any of the following: ou=Rochester, o=IBM, c=US; o=IBM, c=US; or c=US. For authorization purposes, this field is case sensitive. Consequently, if a token is received, for example, from another cell or Lotus® Domino®, the base DN in the server must match the base DN from the other cell or Lotus Domino server exactly. If case sensitivity is not a consideration for authorization, enable the Ignore case for authorization option. This field is required for all Lightweight Directory Access Protocol (LDAP) directories, except for the Lotus Domino Directory, IBM Tivoli® Directory Server V6.0, and Novell eDirectory, where this field is optional.
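The base DN rule above (a user DN is in scope when the base DN is its suffix, compared case-sensitively unless Ignore case for authorization is enabled) can be checked offline. The following is an added example, not WebSphere code; it assumes the simple comma-separated DN syntax shown on this page, with backslash-escaped commas allowed inside values.

```python
"""Check whether an LDAP user DN lies under a configured base DN (added example)."""
from typing import List, Tuple

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) RDNs from most to least specific.
    Backslash-escaped commas stay inside the value; whitespace around the
    separators is dropped. Attribute types are lowercased because LDAP
    treats them case-insensitively; values are returned unchanged."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    parsed = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        parsed.append((attr.strip().lower(), value.strip()))
    return parsed

def dn_under_base(user_dn: str, base_dn: str, ignore_case: bool = False) -> bool:
    """True when base_dn is a suffix of user_dn. Values are compared exactly,
    matching the case-sensitive base DN field, unless ignore_case mirrors the
    Ignore case for authorization option. An empty base DN means the root."""
    if not base_dn.strip():
        return True
    user, base = parse_dn(user_dn), parse_dn(base_dn)
    if len(base) > len(user):
        return False
    tail = user[len(user) - len(base):]
    for (ua, uv), (ba, bv) in zip(tail, base):
        if ua != ba:
            return False
        if ignore_case:
            uv, bv = uv.lower(), bv.lower()
        if uv != bv:
            return False
    return True
```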
Bind authentication mechanism
Specifies which bind authentication mechanism that the application server uses to bind to the LDAP directory service.
Before fix pack 8.5.5.19, only simple bind authentication is supported. Otherwise, both Kerberos bind authentication with Generic Security Services API (GSSAPI) and simple bind authentication are supported.
Simple bind authentication
Bind distinguished name (DN)
Specifies the distinguished name for the application server to use when it binds to the LDAP directory service. If no name is specified, the application server binds anonymously. The following is an example of a distinguished name: ou=Rochester, o=IBM, c=US
Bind password
Specifies the password for the application server to use when it binds to the LDAP directory service.
Kerberos bind authentication with GSSAPI
Kerberos principal name
Specifies the Kerberos principal name or Kerberos service principal name that the application server uses to authenticate with the Key Distribution Center (KDC).
Optional: Kerberos credential cache (Kerberos ticket cache)
Specifies the file location where Kerberos credentials for the Kerberos principal name or Kerberos service principal name are stored. This file is also known as the Kerberos ticket cache, or ccache.
If the Kerberos ticket cache and the Kerberos keytab are both specified, only the Kerberos ticket cache is used. If both the Kerberos ticket cache and the Kerberos keytab files are unspecified, the application server uses the default keytab file that is at the default system location.
Optional: Kerberos configuration
Specifies the Kerberos configuration file name with its full path. Alternatively, click Browse to locate it. The Kerberos configuration file contains client configuration information, including the location of each Key Distribution Center (KDC) for the realm of interest. The default file name and location for the Kerberos configuration file is:
- /etc/krb5.conf
- C:\Windows\krb5.ini
Optional: Kerberos keytab
Specifies a Kerberos keytab file name with its full path. The Kerberos keytab file contains one or more Kerberos principal or service principal names and a list of keys that are analogous to user passwords. The Kerberos keytab file is global for all Kerberos configurations, including SPNEGO and Kerberos Authentication. Protect Kerberos keytab files by storing them on a local disk so that they are readable only by authorized users. The default keytab file name is krb5.keytab.
If the Kerberos ticket cache and the Kerberos keytab are both specified, only the Kerberos ticket cache is used. If both the Kerberos ticket cache and the Kerberos keytab files are unspecified, the application server uses the default keytab file that is at the default system location.
Search timeout
Specifies the timeout value in seconds for a Lightweight Directory Access Protocol (LDAP) server to respond before stopping a request.
Information | Value |
---|---|
Default: | 120 |
Reuse connection
Specifies whether the server reuses the LDAP connection. Clear this option only in rare situations where a router is used to distribute requests to multiple LDAP servers and when the router does not support affinity.
Information | Value |
---|---|
Default: | Enabled |
Range: | Enabled or Disabled |
If you are using WebSphere Edge Server for LDAP failover, you must enable TCP resets with the Edge server. A TCP reset causes the connection to be closed immediately and a backup server to take over.
Ignore case for authorization
Specifies that a case-insensitive authorization check is performed when using the default authorization.
This option is required when IBM Tivoli Directory Server is selected as the LDAP directory server.
This option is required when Sun ONE Directory Server is selected as the LDAP directory server. See information about using specific directory servers as the LDAP server in the documentation.
This option is optional and can be enabled when a case-insensitive authorization check is required. For example, use this option when the certificates and the certificate contents do not match the case that is used for the entry in the LDAP server. You can enable the Ignore case for authorization option when using single sign-on (SSO) between the application server and Lotus Domino.
Information | Value |
---|---|
Default: | Enabled |
Range: | Enabled or Disabled |
SSL enabled
Specifies whether secure socket communication is enabled to the Lightweight Directory Access Protocol (LDAP) server.
When enabled, the LDAP Secure Sockets Layer (SSL) settings are used, if specified.
Centrally managed
Specifies that the selection of an SSL configuration is based upon the outbound topology view for the Java™ Naming and Directory Interface (JNDI) platform.
Centrally managed configurations support one location to maintain SSL configurations rather than spreading them across the configuration documents.
Information | Value |
---|---|
Default: | Enabled |
Use specific SSL alias
Specifies the SSL configuration alias to use for LDAP outbound SSL communications.
This option overrides the centrally managed configuration for the JNDI platform.