Configuring LDAP ACL management (Apache Tomcat)
Use LDAP to define the users and groups who can install mobile applications with the Application Center by defining the Application Center LDAP properties through JNDI.
Purpose
To configure LDAP ACL management of the Application Center, add an entry for each property in the <Context> section of the IBM® Application Center Services application in the server.xml file. This entry must have the following syntax:
<Environment name="JNDI_property_name" value="property_value" type="java.lang.String" override="false"/>
Where:
- JNDI_property_name is the name of the property that you are adding.
- property_value is the value of the property that you are adding.
Property | Description
--- | ---
ibm.appcenter.ldap.active | Set to true to enable LDAP; set to false to disable LDAP.
ibm.appcenter.ldap.connectionURL | LDAP connection URL.
ibm.appcenter.ldap.user.base | Search base of users.
ibm.appcenter.ldap.user.loginName | LDAP login attribute.
ibm.appcenter.ldap.user.displayName | LDAP attribute for the user name to be displayed, for example, a person's full name.
ibm.appcenter.ldap.group.base | Search base of groups.
ibm.appcenter.ldap.group.name | LDAP attribute for the group name.
ibm.appcenter.ldap.group.uniquemember | LDAP attribute that identifies the members of a group.
ibm.appcenter.ldap.user.groupmembership | LDAP attribute that identifies the groups to which a user belongs.
ibm.appcenter.ldap.group.nesting | Management of nested groups: if nested groups are not managed, set the value to false.
ibm.appcenter.ldap.user.filter | LDAP user search filter for the login name attribute. Use %v as the placeholder for the login name attribute. This property is only required when LDAP users and groups are defined in the same subtree; that is, when the properties ibm.appcenter.ldap.user.base and ibm.appcenter.ldap.group.base have the same value.
ibm.appcenter.ldap.displayName.filter | LDAP user search filter for the display name attribute. Use %v as the placeholder for the display name attribute. This property is only required when LDAP users and groups are defined in the same subtree; that is, when the properties ibm.appcenter.ldap.user.base and ibm.appcenter.ldap.group.base have the same value.
ibm.appcenter.ldap.group.filter | LDAP group search filter. Use %v as the placeholder for the group attribute. This property is only required when LDAP users and groups are defined in the same subtree; that is, when the properties ibm.appcenter.ldap.user.base and ibm.appcenter.ldap.group.base have the same value.
ibm.appcenter.ldap.security.sasl | The security authentication mechanism to use when the LDAP external SASL authentication mechanism is required to bind to the LDAP server. The value depends on the LDAP server; usually, it is set to "EXTERNAL".
ibm.appcenter.ldap.security.binddn | Distinguished name of the user permitted to search the LDAP directory. Use this property only if security binding is required.
ibm.appcenter.ldap.security.bindpwd | Password of the user permitted to search the LDAP directory. Use this property only if security binding is required.
ibm.appcenter.ldap.cache.expiration.seconds | Delay in seconds before the LDAP cache expires. If no value is entered, the default value is 86400, which is equal to 24 hours. The Application Center maintains a cache of LDAP data, so changes to users and groups on the LDAP server become visible to the Application Center only after the cache expires, that is, after the delay specified by this property. If you do not want to wait for this delay to expire after changes to users or groups, you can clear the cache of LDAP data with the stand-alone tool. See Using the stand-alone tool to clear the LDAP cache for details.
ibm.appcenter.ldap.referral | Indicates whether referrals are supported by the JNDI API. If no value is given, the JNDI API does not handle LDAP referrals. Possible values are:
See List of JNDI properties for the Application Center for a complete list of LDAP properties that you can set.
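The three filter properties above substitute a name for the %v placeholder at search time. The following Python example, added here and not part of IBM's Application Center code, shows what that substitution must do for the lookup to stay safe: the value is escaped according to RFC 4515 before it replaces %v, so a login name that contains filter metacharacters such as `*` or `(` can only match as a literal. The filter templates are the ones from the page's server.xml example; the login names are constructed.

```python
# RFC 4515 escape sequences for the characters that would otherwise change the
# structure or matching behaviour of a search filter. Applying them to the
# login name before it replaces %v means the name can only match literally.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, value: str) -> str:
    """Replace every %v in a configured filter template with the escaped value."""
    if "%v" not in template:
        raise ValueError("filter template has no %v placeholder")
    return template.replace("%v", escape_filter_value(value))


def parens_balanced(ldap_filter: str) -> bool:
    """Structural sanity check: escaped input can never open or close a filter group."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


# Filter templates taken from the page's server.xml example.
USER_FILTER = "(&(uid=%v)(objectclass=inetOrgPerson))"
GROUP_FILTER = "(&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))"

if __name__ == "__main__":
    # Constructed login names: a plain one and two containing filter metacharacters.
    for login in ("jdoe", "j*", "a(b"):
        rendered = render_filter(USER_FILTER, login)
        print(f"{login!r:8} -> {rendered}  balanced={parens_balanced(rendered)}")
```

`parens_balanced` is only a smoke test; the real protection is that `escape_filter_value` runs before the replacement, so a wildcard in a login name cannot turn a single-user lookup into a directory-wide match.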
Example
The example shows LDAP properties that are defined in the server.xml file.
<Environment name="ibm.appcenter.ldap.active" value="true" type="java.lang.String" override="false"/>
<Environment name="ibm.appcenter.ldap.connectionURL" value="ldaps://employees.com:636" type="java.lang.String" override="false"/>
<Environment name="ibm.appcenter.ldap.user.base" value="dc=ibm,dc=com" type="java.lang.String" override="false"/>
<Environment name="ibm.appcenter.ldap.user.loginName" value="uid" type="java.lang.String" override="false"/>
<Environment name="ibm.appcenter.ldap.user.displayName" value="cn" type="java.lang.String" override="false"/>
<Environment name="ibm.appcenter.ldap.user.groupmembership" value="ibm-allGroups" type="java.lang.String" override="false"/>
<Environment name="ibm.appcenter.ldap.group.base" value="dc=ibm,dc=com" type="java.lang.String" override="false"/>
<Environment name="ibm.appcenter.ldap.group.name" value="cn" type="java.lang.String" override="false"/>
<Environment name="ibm.appcenter.ldap.group.uniquemember" value="uniquemember" type="java.lang.String" override="false"/>
<Environment name="ibm.appcenter.ldap.cache.expiration.seconds" value="43200" type="java.lang.String" override="false"/>
<Environment name="ibm.appcenter.ldap.security.sasl" value="EXTERNAL" type="java.lang.String" override="false"/>
<Environment name="ibm.appcenter.ldap.security.referral" value="follow" type="java.lang.String" override="false"/>
<!-- Inside an XML attribute value the filter's "&" must be written as "&amp;"; a bare "&" is not well-formed XML and Tomcat rejects the file. -->
<Environment name="ibm.appcenter.ldap.user.filter" value="(&amp;(uid=%v)(objectclass=inetOrgPerson))" type="java.lang.String" override="false"/>
<Environment name="ibm.appcenter.ldap.user.displayName.filter" value="(&amp;(cn=%v)(objectclass=inetOrgPerson))" type="java.lang.String" override="false"/>
<Environment name="ibm.appcenter.ldap.group.filter" value="(&amp;(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))" type="java.lang.String" override="false"/>
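To review a configuration like the one above before deployment, the following Python script (an added example, not IBM's code) parses the `<Environment>` entries of a `<Context>` fragment into a dictionary and applies the checks the property table implies: LDAP is active, the connection URL uses ldaps://, the user and group filters are present when user.base and group.base are equal, every filter carries a %v placeholder, and the cache expiration is an integer no longer than the 86400-second default. The list of properties treated as mandatory and the check that each entry carries override="false" are this example's own assumptions; the sample fragment is constructed from the page's example, and the displayName filter is accepted under both spellings the page uses.

```python
import xml.etree.ElementTree as ET

# Constructed <Context> fragment modelled on the page's example. The filters use
# &amp; because the values sit inside XML attributes.
SAMPLE_CONTEXT = """<Context>
  <Environment name="ibm.appcenter.ldap.active" value="true" type="java.lang.String" override="false"/>
  <Environment name="ibm.appcenter.ldap.connectionURL" value="ldaps://employees.com:636" type="java.lang.String" override="false"/>
  <Environment name="ibm.appcenter.ldap.user.base" value="dc=ibm,dc=com" type="java.lang.String" override="false"/>
  <Environment name="ibm.appcenter.ldap.user.loginName" value="uid" type="java.lang.String" override="false"/>
  <Environment name="ibm.appcenter.ldap.group.base" value="dc=ibm,dc=com" type="java.lang.String" override="false"/>
  <Environment name="ibm.appcenter.ldap.group.name" value="cn" type="java.lang.String" override="false"/>
  <Environment name="ibm.appcenter.ldap.cache.expiration.seconds" value="43200" type="java.lang.String" override="false"/>
  <Environment name="ibm.appcenter.ldap.user.filter" value="(&amp;(uid=%v)(objectclass=inetOrgPerson))" type="java.lang.String" override="false"/>
  <Environment name="ibm.appcenter.ldap.group.filter" value="(&amp;(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))" type="java.lang.String" override="false"/>
</Context>"""

# Constructed weak variant: plain ldap:// and a week-long cache.
WEAK_CONTEXT = SAMPLE_CONTEXT.replace("ldaps://employees.com:636", "ldap://employees.com:389").replace(
    'value="43200"', 'value="604800"')

PREFIX = "ibm.appcenter.ldap."

# Properties this review treats as mandatory once LDAP is active. This is an
# assumption of the example; the page does not publish a required/optional split.
ASSUMED_REQUIRED = ("connectionURL", "user.base", "user.loginName", "group.base", "group.name")

FILTER_KEYS = ("user.filter", "displayName.filter", "user.displayName.filter", "group.filter")


def load_ldap_entries(xml_text):
    """Return {property_name: attribute_dict} for every ibm.appcenter.ldap.* Environment entry."""
    root = ET.fromstring(xml_text)
    entries = {}
    for env in root.iter("Environment"):
        name = env.get("name", "")
        if name.startswith(PREFIX):
            entries[name] = dict(env.attrib)
    return entries


def review_ldap_entries(entries):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []

    def val(key):
        return entries.get(PREFIX + key, {}).get("value")

    if val("active") != "true":
        return [PREFIX + "active is not 'true': LDAP ACL management is disabled"]
    for key in ASSUMED_REQUIRED:
        if not val(key):
            findings.append("missing " + PREFIX + key)
    url = val("connectionURL") or ""
    if not url.startswith("ldaps://"):
        findings.append("connectionURL does not use ldaps://: bind credentials and directory data travel unencrypted")
    if val("user.base") and val("user.base") == val("group.base"):
        for key in ("user.filter", "group.filter"):
            if not val(key):
                findings.append("user.base equals group.base, so " + PREFIX + key + " is required")
    for key in FILTER_KEYS:
        template = val(key)
        if template is not None and "%v" not in template:
            findings.append(PREFIX + key + " has no %v placeholder")
    cache = val("cache.expiration.seconds")
    if cache is not None:
        try:
            seconds = int(cache)
        except ValueError:
            findings.append("cache.expiration.seconds is not an integer")
        else:
            if seconds > 86400:
                findings.append("cache.expiration.seconds exceeds the 86400 default: group removals take more than a day to take effect")
    # Tomcat allows a web.xml env-entry to override an Environment unless override="false".
    for name, attrs in entries.items():
        if attrs.get("override", "true").lower() != "false":
            findings.append(name + ' lacks override="false"; a web.xml env-entry could replace it')
    return findings


if __name__ == "__main__":
    for label, text in (("example", SAMPLE_CONTEXT), ("weak", WEAK_CONTEXT)):
        print(label, review_ldap_entries(load_ldap_entries(text)) or "OK")
```

Run it against the real server.xml by reading the file instead of `SAMPLE_CONTEXT`; the `%v` check is the one most worth keeping, because a filter without the placeholder silently matches every entry rather than the one user or group being looked up.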