Configuring LDAP ACL management (Liberty profile)
Use LDAP to define the users and groups who can install mobile applications through the Application Center. The means of defining these users and groups is the Access Control List (ACL).
Purpose
To enable ACL management with LDAP. You enable ACL management after you configure LDAP and map users and groups to Application Center roles. Only the simple type of LDAP authentication is supported.
Properties
To be able to define JNDI entries, make sure that the following feature is defined in the server.xml file:
<feature>jndi-1.0</feature>
Add an entry for each property in the <server> section of the server.xml file. This entry should have the following syntax:
<jndiEntry jndiName="JNDI_property_name" value="property_value"/>
Where:
The JNDI_property_name argument is the name of the property that you are adding.
The property_value argument is the value of the property that you are adding.
Property | Description |
---|---|
ibm.appcenter.ldap.active | Set it to true to enable LDAP or to false to disable LDAP. |
ibm.appcenter.ldap.federated.active | Since WebSphere® Application Server Liberty profile V8.5.5: set it to true to enable use of the federated registry; set it to false to disable use of the federated registry, which is the default setting. |
ibm.appcenter.ldap.connectionURL | LDAP connection URL. |
ibm.appcenter.ldap.user.base | Search base of users. |
ibm.appcenter.ldap.user.loginName | LDAP login attribute. |
ibm.appcenter.ldap.user.displayName | LDAP attribute for the user name to be displayed, for example, a person's full name. |
ibm.appcenter.ldap.group.base | Search base of groups. |
ibm.appcenter.ldap.group.name | LDAP attribute for the group name. |
ibm.appcenter.ldap.group.uniquemember | LDAP attribute that identifies the members of a group. |
ibm.appcenter.ldap.user.groupmembership | LDAP attribute that identifies the groups to which a user belongs. |
ibm.appcenter.ldap.group.nesting | Management of nested groups: if nested groups are not managed, set the value to false. |
ibm.appcenter.ldap.user.filter | LDAP user search filter for the user login name attribute. Use %v as the placeholder for the login name attribute. This property is required only when LDAP users and groups are defined in the same subtree; that is, when the properties ibm.appcenter.ldap.user.base and ibm.appcenter.ldap.group.base have the same value. |
ibm.appcenter.ldap.displayName.filter | LDAP user search filter for the user display name attribute. Use %v as the placeholder for the display name attribute. This property is required only when LDAP users and groups are defined in the same subtree; that is, when the properties ibm.appcenter.ldap.user.base and ibm.appcenter.ldap.group.base have the same value. |
ibm.appcenter.ldap.group.filter | LDAP group search filter. Use %v as the placeholder for the group attribute. This property is required only when LDAP users and groups are defined in the same subtree; that is, when the properties ibm.appcenter.ldap.user.base and ibm.appcenter.ldap.group.base have the same value. |
ibm.appcenter.ldap.security.sasl | The value of the security authentication mechanism when the LDAP external SASL authentication mechanism is required to bind to the LDAP server. The value depends on the LDAP server; usually, it is set to EXTERNAL. |
ibm.appcenter.ldap.security.binddn | This property identifies the distinguished name of the user who is allowed to search the LDAP directory. Use this property only if security binding is required. |
ibm.appcenter.ldap.security.bindpwd | This property identifies the password of the user who is allowed to search the LDAP directory. Use this property only if security binding is required. The password can be encoded with the Liberty profile securityUtility tool: run the tool and then set the value of this property to the encoded password that it generates. The supported encoding types are xor and aes (only with the default key). Edit the Liberty profile server.xml file to check whether the classloader is enabled to load the JAR file that decodes the password. |
ibm.appcenter.ldap.cache.expiration.seconds | Delay in seconds before the LDAP cache expires. If no value is entered, the default value is 86400, which is equal to 24 hours. The Application Center maintains a cache of LDAP data, so changes to users and groups on the LDAP server become visible to the Application Center only after the cache expires, that is, after the delay specified by this property. If you do not want to wait for the cache to expire after changes to users or groups, you can clear the cache of LDAP data with the stand-alone tool; see Using the stand-alone tool to clear the LDAP cache for details. |
ibm.appcenter.ldap.referral | This property indicates whether referrals are supported by the JNDI API. If no value is passed, the JNDI API handles no LDAP referrals. Valid values: |
See List of JNDI properties for the Application Center for a complete list of LDAP properties that you can set.
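The three filter properties in the table are templates in which %v stands for the value being looked up (a login name, a display name or a group name). The following Python example is added here and is not part of the IBM documentation or of the Application Center code: it shows how such a template is expanded and why the substituted value has to be escaped according to RFC 4515 before it goes into the filter, so that a name containing parentheses or an asterisk stays a literal value rather than changing the shape of the search. The page does not state how the Application Center itself performs the substitution, so the escaping function is the behaviour any consumer of these templates must have, not a description of the product. The filter strings are taken from the page's example; the input names are constructed; the subtree check implements the "same value" rule for user.base and group.base from the table.

```python
# Added example, not from the IBM documentation: expanding the %v placeholder of the
# ibm.appcenter.ldap.*.filter properties with a properly escaped assertion value.

# Filter templates as given in the page's example server.xml.
USER_FILTER = "(&(uid=%v)(objectclass=inetOrgPerson))"
DISPLAY_NAME_FILTER = "(&(cn=%v)(objectclass=inetOrgPerson))"
GROUP_FILTER = "(&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))"

# RFC 4515 section 3: these characters must be hex-escaped inside an assertion value.
_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string so it is read as a literal assertion value in an LDAP filter."""
    out = []
    for ch in value:
        if ch in _ESCAPES:
            out.append(_ESCAPES[ch])
        elif ord(ch) > 0x7F:
            # Non-ASCII characters are escaped byte by byte from their UTF-8 encoding.
            out.append("".join("\\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def render_filter(template: str, value: str) -> str:
    """Replace every %v in the template with the escaped value."""
    if "%v" not in template:
        raise ValueError("filter template has no %v placeholder: " + template)
    return template.replace("%v", escape_filter_value(value))


def _normalize_dn(dn: str) -> str:
    """Case- and whitespace-insensitive DN comparison, enough for the subtree check."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def filters_required(user_base: str, group_base: str) -> bool:
    """The table's rule: the filter properties are required only when users and
    groups are defined in the same subtree (user.base equals group.base)."""
    return _normalize_dn(user_base) == _normalize_dn(group_base)


if __name__ == "__main__":
    # Constructed inputs: a plain login name and a display name with parentheses.
    print(render_filter(USER_FILTER, "jdoe"))
    print(render_filter(DISPLAY_NAME_FILTER, "O'Brien (Sales)"))
    print(filters_required("dc=ibm,dc=com", "DC=IBM, DC=COM"))
```

Because the escaped display name still matches the same directory entry (the server decodes the hex escapes), escaping costs nothing functionally; what it buys is that the filter's structure is fixed by the template alone.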
Example of setting properties for ACL management with LDAP
This example shows the settings of the properties in the server.xml file that are required for ACL management with LDAP. Because server.xml is parsed as XML, the & character inside an attribute value must be written as &amp;, as in the filter entries below.
<jndiEntry jndiName="ibm.appcenter.ldap.active" value="true"/>
<jndiEntry jndiName="ibm.appcenter.ldap.connectionURL" value="ldap://employees.com:636"/>
<jndiEntry jndiName="ibm.appcenter.ldap.user.loginName" value="uid"/>
<jndiEntry jndiName="ibm.appcenter.ldap.user.base" value="dc=ibm,dc=com"/>
<jndiEntry jndiName="ibm.appcenter.ldap.group.base" value="dc=ibm,dc=com"/>
<jndiEntry jndiName="ibm.appcenter.ldap.user.displayName" value="sn"/>
<jndiEntry jndiName="ibm.appcenter.ldap.group.name" value="cn"/>
<jndiEntry jndiName="ibm.appcenter.ldap.group.uniquemember" value="uniqueMember"/>
<jndiEntry jndiName="ibm.appcenter.ldap.user.groupmembership" value="ibm-allGroups"/>
<jndiEntry jndiName="ibm.appcenter.ldap.cache.expiration.seconds" value="43200"/>
<jndiEntry jndiName="ibm.appcenter.ldap.security.sasl" value='"EXTERNAL"'/>
<jndiEntry jndiName="ibm.appcenter.ldap.referral" value='"follow"'/>
<jndiEntry jndiName="ibm.appcenter.ldap.user.filter" value='"(&amp;(uid=%v)(objectclass=inetOrgPerson))"'/>
<jndiEntry jndiName="ibm.appcenter.ldap.user.displayName.filter" value='"(&amp;(cn=%v)(objectclass=inetOrgPerson))"'/>
<jndiEntry jndiName="ibm.appcenter.ldap.group.filter" value='"(&amp;(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))"'/>
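The following Python checker is an added example, not part of the IBM documentation or of the Application Center: it reads the <feature> and <jndiEntry> elements of a server.xml, strips the Java-literal quoting that Liberty accepts in value='"..."', and reports the configuration problems that the table above describes (jndi-1.0 missing, LDAP not enabled, filters missing when users and groups share a search base, a filter without %v, a bind password left in clear text). The sample server.xml embedded in the block is constructed for this example; the property names come from the page, the {xor} and {aes} prefixes are the form in which the Liberty securityUtility tool writes encoded passwords, and the list of properties treated as required is an assumption to adapt to your deployment.

```python
# Added example, not from the IBM documentation: sanity checks for the Application
# Center LDAP JNDI entries in a Liberty server.xml.
import xml.etree.ElementTree as ET

PREFIX = "ibm.appcenter.ldap."

# Assumption for this example: the properties a working setup needs; adjust as required.
REQUIRED = [
    "active", "connectionURL", "user.base", "user.loginName", "user.displayName",
    "group.base", "group.name", "group.uniquemember", "user.groupmembership",
]
FILTERS = ["user.filter", "displayName.filter", "group.filter"]

# Constructed sample server.xml (not the page's example): users and groups share a
# search base, one filter is missing, and the bind password is not encoded.
SAMPLE_SERVER_XML = """<server>
  <featureManager><feature>jndi-1.0</feature></featureManager>
  <jndiEntry jndiName="ibm.appcenter.ldap.active" value="true"/>
  <jndiEntry jndiName="ibm.appcenter.ldap.connectionURL" value='"ldaps://ldap.example.test:636"'/>
  <jndiEntry jndiName="ibm.appcenter.ldap.user.loginName" value="uid"/>
  <jndiEntry jndiName="ibm.appcenter.ldap.user.base" value="dc=example,dc=test"/>
  <jndiEntry jndiName="ibm.appcenter.ldap.group.base" value="dc=example,dc=test"/>
  <jndiEntry jndiName="ibm.appcenter.ldap.user.displayName" value="cn"/>
  <jndiEntry jndiName="ibm.appcenter.ldap.group.name" value="cn"/>
  <jndiEntry jndiName="ibm.appcenter.ldap.group.uniquemember" value="uniqueMember"/>
  <jndiEntry jndiName="ibm.appcenter.ldap.user.groupmembership" value="memberOf"/>
  <jndiEntry jndiName="ibm.appcenter.ldap.security.binddn" value='"cn=appcenter,ou=svc,dc=example,dc=test"'/>
  <jndiEntry jndiName="ibm.appcenter.ldap.security.bindpwd" value="secret"/>
  <jndiEntry jndiName="ibm.appcenter.ldap.user.filter" value='"(&amp;(uid=%v)(objectclass=inetOrgPerson))"'/>
  <jndiEntry jndiName="ibm.appcenter.ldap.group.filter" value='"(&amp;(cn=%v)(objectclass=groupOfUniqueNames))"'/>
</server>"""


def is_well_formed(server_xml: str) -> bool:
    """False when the file is not XML, e.g. an unescaped '&' inside a filter value."""
    try:
        ET.fromstring(server_xml)
        return True
    except ET.ParseError:
        return False


def load_jndi(server_xml: str):
    """Return (set of enabled features, {jndiName: value}) from a server.xml string."""
    root = ET.fromstring(server_xml)
    features = {f.text.strip() for f in root.iter("feature") if f.text}
    entries = {}
    for e in root.iter("jndiEntry"):
        value = e.get("value", "")
        # Liberty parses value as a Java literal: a string may be written as '"text"'.
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        entries[e.get("jndiName")] = value
    return features, entries


def _norm_dn(dn: str) -> str:
    return ",".join(p.strip().lower() for p in dn.split(","))


def check_appcenter_ldap(server_xml: str):
    """Return a list of problem descriptions; an empty list means all checks passed."""
    features, entries = load_jndi(server_xml)
    problems = []

    def get(key):
        return entries.get(PREFIX + key)

    if "jndi-1.0" not in features:
        problems.append("feature jndi-1.0 is not enabled; JNDI entries cannot be defined without it")
    if get("active") != "true":
        problems.append(PREFIX + "active is not true; LDAP ACL management is disabled")
        return problems
    for key in REQUIRED:
        if not get(key):
            problems.append(PREFIX + key + " is missing")
    user_base, group_base = get("user.base"), get("group.base")
    if user_base and group_base and _norm_dn(user_base) == _norm_dn(group_base):
        for key in FILTERS:
            if not get(key):
                problems.append(PREFIX + key + " is required because users and groups share a search base")
    for key in FILTERS:
        value = get(key)
        if value is not None and "%v" not in value:
            problems.append(PREFIX + key + " has no %v placeholder")
    url = get("connectionURL") or ""
    if not url.startswith(("ldap://", "ldaps://")):
        problems.append(PREFIX + "connectionURL must start with ldap:// or ldaps://")
    # securityUtility writes encoded passwords with a {xor} or {aes} prefix.
    pwd = get("security.bindpwd")
    if pwd is not None and not pwd.startswith(("{xor}", "{aes}")):
        problems.append(PREFIX + "security.bindpwd is stored in clear text; encode it with securityUtility")
    exp = get("cache.expiration.seconds")
    if exp is not None and not exp.isdigit():
        problems.append(PREFIX + "cache.expiration.seconds must be a whole number of seconds")
    return problems


if __name__ == "__main__":
    for problem in check_appcenter_ldap(SAMPLE_SERVER_XML):
        print("-", problem)
```

Run against the constructed sample, the checker reports the missing ibm.appcenter.ldap.displayName.filter (required because user.base and group.base are equal) and the clear-text bind password; an unescaped & in a filter value is caught earlier, by the XML parser itself.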