Configuring LDAP ACL management (Liberty profile)

Use LDAP to define the users and groups who can install mobile applications through the Application Center. The means of defining these users and groups is the Access Control List (ACL).

Purpose

To enable ACL management with LDAP. You enable ACL management after you configure LDAP and map users and groups to Application Center roles. Only the simple type of LDAP authentication is supported.

Properties

To be able to define JNDI entries, make sure that the following feature is defined in the server.xml file:

<feature>jndi-1.0</feature>

Add an entry for each property in the <server> section of the server.xml file. This entry should have the following syntax:

<jndiEntry jndiName="JNDI_property_name" value="property_value"/>

Where:

The JNDI_property_name argument is the name of the property that you are adding.

The property_value argument is the value of the property that you are adding.

Table 1. JNDI properties for configuring ACL management with LDAP in the server.xml file

ibm.appcenter.ldap.active
    Set it to true to enable LDAP or to false to disable LDAP.

ibm.appcenter.ldap.federated.active
    Since WebSphere® Application Server Liberty profile V8.5.5: set it to true to enable use of the federated registry; set it to false to disable use of the federated registry, which is the default setting.

ibm.appcenter.ldap.connectionURL
    LDAP connection URL.

ibm.appcenter.ldap.user.base
    Search base of users.

ibm.appcenter.ldap.user.loginName
    LDAP login attribute.

ibm.appcenter.ldap.user.displayName
    LDAP attribute for the user name to be displayed, for example, a person's full name.

ibm.appcenter.ldap.group.base
    Search base of groups.

ibm.appcenter.ldap.group.name
    LDAP attribute for the group name.

ibm.appcenter.ldap.group.uniquemember
    LDAP attribute that identifies the members of a group.

ibm.appcenter.ldap.user.groupmembership
    LDAP attribute that identifies the groups to which a user belongs.

ibm.appcenter.ldap.group.nesting
    Management of nested groups: if nested groups are not managed, set the value to false.

ibm.appcenter.ldap.user.filter
    LDAP user search filter for the attribute of user login name. Use %v as the placeholder for the login name attribute.
    This property is required only when LDAP users and groups are defined in the same subtree; that is, when the properties ibm.appcenter.ldap.user.base and ibm.appcenter.ldap.group.base have the same value.

ibm.appcenter.ldap.displayName.filter
    LDAP user search filter for the attribute of user display name. Use %v as the placeholder for the display name attribute.
    This property is required only when LDAP users and groups are defined in the same subtree; that is, when the properties ibm.appcenter.ldap.user.base and ibm.appcenter.ldap.group.base have the same value.

ibm.appcenter.ldap.group.filter
    LDAP group search filter. Use %v as the placeholder for the group attribute.
    This property is required only when LDAP users and groups are defined in the same subtree; that is, when the properties ibm.appcenter.ldap.user.base and ibm.appcenter.ldap.group.base have the same value.

ibm.appcenter.ldap.security.sasl
    The value of the security authentication mechanism when the LDAP external SASL authentication mechanism is required to bind to the LDAP server. The value depends on the LDAP server; usually, it is set to EXTERNAL.

ibm.appcenter.ldap.security.binddn
    This property identifies the distinguished name of the user who is allowed to search the LDAP directory. Use this property only if security binding is required.

ibm.appcenter.ldap.security.bindpwd
    This property identifies the password of the user who is allowed to search the LDAP directory. Use this property only if security binding is required. The password can be encoded with the Liberty profile securityUtility tool. Run the tool and then set the value of this property to the encoded password that is generated by the tool. The supported encoding types are xor and aes (only with the default key).
    Edit the Liberty profile server.xml file to check whether the classloader is enabled to load the JAR file that decodes the password.

ibm.appcenter.ldap.cache.expiration.seconds
    Delay in seconds before the LDAP cache expires. If no value is entered, the default value is 86400, which is equal to 24 hours.
    Changes to users and groups on the LDAP server become visible to the Application Center after a delay, which is specified by ibm.appcenter.ldap.cache.expiration.seconds. The Application Center maintains a cache of LDAP data and the changes become visible only after the cache expires. By default, the delay is 24 hours. If you do not want to wait for this delay to expire after changes to users or groups, you can call this command to clear the cache of LDAP data:

    acdeploytool.sh -clearLdapCache -s serverurl -c context -u user -p password

    See Using the stand-alone tool to clear the LDAP cache for details.

ibm.appcenter.ldap.referral
    This property indicates whether referrals are supported by the JNDI API. If no value is passed, the JNDI API handles no LDAP referrals. Valid values:
      • ignore: ignores referrals found in the LDAP server.
      • follow: automatically follows any referrals found in the LDAP server.
      • throw: causes an exception to occur for each referral found in the LDAP server.

See List of JNDI properties for the Application Center for a complete list of LDAP properties that you can set.

Example of setting properties for ACL management with LDAP

This example shows the settings of the properties in the server.xml file required for ACL management with LDAP.

<jndiEntry jndiName="ibm.appcenter.ldap.active" value="true"/>
<jndiEntry jndiName="ibm.appcenter.ldap.connectionURL" value="ldap://employees.com:636"/>
<jndiEntry jndiName="ibm.appcenter.ldap.user.loginName" value="uid"/>
<jndiEntry jndiName="ibm.appcenter.ldap.user.base" value="dc=ibm,dc=com"/>
<jndiEntry jndiName="ibm.appcenter.ldap.group.base" value="dc=ibm,dc=com"/>
<jndiEntry jndiName="ibm.appcenter.ldap.user.displayName" value="sn"/>
<jndiEntry jndiName="ibm.appcenter.ldap.group.name" value="cn"/>
<jndiEntry jndiName="ibm.appcenter.ldap.group.uniquemember" value="uniqueMember"/>
<jndiEntry jndiName="ibm.appcenter.ldap.user.groupmembership" value="ibm-allGroups"/>
<jndiEntry jndiName="ibm.appcenter.ldap.cache.expiration.seconds" value="43200"/>
<jndiEntry jndiName="ibm.appcenter.ldap.security.sasl" value='"EXTERNAL"'/>
<jndiEntry jndiName="ibm.appcenter.ldap.referral" value='"follow"'/>
<jndiEntry jndiName="ibm.appcenter.ldap.user.filter" value='"(&amp;(uid=%v)(objectclass=inetOrgPerson))"'/>
<jndiEntry jndiName="ibm.appcenter.ldap.user.displayName.filter" value='"(&amp;(cn=%v)(objectclass=inetOrgPerson))"'/>
<jndiEntry jndiName="ibm.appcenter.ldap.group.filter" value='"(&amp;(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))"'/>
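The following checker is an added example and is not part of the IBM documentation or the Application Center product. It reads a Liberty server.xml and verifies the rules stated in the property table above: the jndi-1.0 feature must be enabled, the user, display-name and group filters are required when ibm.appcenter.ldap.user.base and ibm.appcenter.ldap.group.base point at the same subtree, every filter must carry the %v placeholder, ibm.appcenter.ldap.referral must be one of ignore, follow or throw, and ibm.appcenter.ldap.security.bindpwd should be a securityUtility-encoded value ({xor} or {aes} prefix) rather than clear text. The list of entries it treats as mandatory, the cleartext ldap:// warning, and the embedded sample server.xml (hostnames, DNs and the password are constructed) are this example's own assumptions; the documentation itself only describes what each property means.

```python
"""Check the Application Center LDAP ACL jndiEntry settings in a Liberty server.xml.

Added example, not IBM code. Usage: python check_ldap_acl.py [server.xml]
Without an argument it checks the constructed SAMPLE_SERVER_XML below.
"""
import sys
import xml.etree.ElementTree as ET

PREFIX = "ibm.appcenter.ldap."

# Entries this checker treats as mandatory once LDAP is active. Which
# properties are strictly required is this example's assumption; the
# documentation table only describes what each property means.
REQUIRED = ("connectionURL", "user.base", "user.loginName", "user.displayName",
            "group.base", "group.name", "group.uniquemember")

# The documentation spells the display-name filter property both ways
# (table vs. example), so the checker accepts either name.
DISPLAY_FILTER_KEYS = ("displayName.filter", "user.displayName.filter")
FILTER_KEYS = ("user.filter",) + DISPLAY_FILTER_KEYS + ("group.filter",)

# Constructed sample server.xml (not from the documentation): same subtree for
# users and groups, cleartext ldap:// URL, cleartext bind password, no
# display-name filter, so the checker reports three findings.
SAMPLE_SERVER_XML = """<server>
  <featureManager>
    <feature>jndi-1.0</feature>
  </featureManager>
  <jndiEntry jndiName="ibm.appcenter.ldap.active" value="true"/>
  <jndiEntry jndiName="ibm.appcenter.ldap.connectionURL" value="ldap://ldap.example.test:389"/>
  <jndiEntry jndiName="ibm.appcenter.ldap.user.loginName" value="uid"/>
  <jndiEntry jndiName="ibm.appcenter.ldap.user.base" value="dc=example,dc=test"/>
  <jndiEntry jndiName="ibm.appcenter.ldap.group.base" value="dc=example,dc=test"/>
  <jndiEntry jndiName="ibm.appcenter.ldap.user.displayName" value="cn"/>
  <jndiEntry jndiName="ibm.appcenter.ldap.group.name" value="cn"/>
  <jndiEntry jndiName="ibm.appcenter.ldap.group.uniquemember" value="uniqueMember"/>
  <jndiEntry jndiName="ibm.appcenter.ldap.security.binddn" value='"cn=appcenter,dc=example,dc=test"'/>
  <jndiEntry jndiName="ibm.appcenter.ldap.security.bindpwd" value='"hunter2"'/>
  <jndiEntry jndiName="ibm.appcenter.ldap.user.filter" value='"(&amp;(uid=%v)(objectclass=inetOrgPerson))"'/>
  <jndiEntry jndiName="ibm.appcenter.ldap.group.filter" value='"(cn=%v)"'/>
  <jndiEntry jndiName="ibm.appcenter.ldap.referral" value='"follow"'/>
</server>
"""


def strip_literal(value):
    """Liberty string entries are written as '"EXTERNAL"'; drop the inner quotes."""
    if value is None:
        return None
    v = value.strip()
    if len(v) >= 2 and v[0] == v[-1] == '"':
        v = v[1:-1]
    return v


def load_entries(xml_text):
    """Return (set of enabled feature names, {short ldap key: value})."""
    root = ET.fromstring(xml_text)
    features = {(f.text or "").strip() for f in root.iter("feature")}
    ldap = {}
    for entry in root.iter("jndiEntry"):
        name = entry.get("jndiName") or ""
        if name.startswith(PREFIX):
            ldap[name[len(PREFIX):]] = strip_literal(entry.get("value"))
    return features, ldap


def check_ldap_acl_config(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    features, ldap = load_entries(xml_text)
    if "jndi-1.0" not in features:
        findings.append("feature jndi-1.0 is not enabled, so jndiEntry elements will not be registered")
    if (ldap.get("active") or "false").lower() != "true":
        findings.append("ibm.appcenter.ldap.active is not true; LDAP ACL management is disabled")
        return findings
    for key in REQUIRED:
        if not ldap.get(key):
            findings.append(f"missing entry {PREFIX}{key}")
    if (ldap.get("connectionURL") or "").startswith("ldap://"):
        findings.append("connectionURL uses ldap:// (cleartext); bind credentials and directory data "
                        "cross the network unencrypted, prefer ldaps:// where the server supports it")
    # Same-subtree rule from the property table: all three filters become required.
    if ldap.get("user.base") and ldap.get("user.base") == ldap.get("group.base"):
        needed = {"user.filter": ("user.filter",), "displayName.filter": DISPLAY_FILTER_KEYS,
                  "group.filter": ("group.filter",)}
        for label, keys in needed.items():
            if not any(ldap.get(k) for k in keys):
                findings.append(f"{PREFIX}{label} is required because user.base and group.base "
                                "are the same subtree")
    for key in FILTER_KEYS:
        value = ldap.get(key)
        if value is not None and "%v" not in value:
            findings.append(f"{PREFIX}{key} lacks the %v placeholder")
    pwd = ldap.get("security.bindpwd")
    if pwd is not None and not pwd.startswith(("{xor}", "{aes}")):
        findings.append("ibm.appcenter.ldap.security.bindpwd is stored in clear text; "
                        "encode it with securityUtility encode")
    ref = ldap.get("referral")
    if ref is not None and ref not in ("ignore", "follow", "throw"):
        findings.append(f"ibm.appcenter.ldap.referral has invalid value {ref!r}")
    ttl = ldap.get("cache.expiration.seconds")
    if ttl is not None and not ttl.isdigit():
        findings.append("ibm.appcenter.ldap.cache.expiration.seconds must be a whole number of seconds")
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    for finding in check_ldap_acl_config(text):
        print("-", finding)
```

Run it against the real server.xml before starting the server; a clean run returns no findings. The bind password check only inspects the {xor}/{aes} prefix that securityUtility produces, so it catches a forgotten encoding step, not a weak password, and the ldap:// warning is a heuristic that you should suppress only where the connection is otherwise protected.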