Configuring authorization by using LDAP groups
Authorize roles in IBM® Integration Bus against a Lightweight Directory Access Protocol (LDAP) or Secure LDAP (LDAPS) server.
Before you begin
LDAP authorization can be applied only to LDAP authenticated users. If LDAP authentication is not already enabled, enable it now as described in Enabling an integration node to use LDAP for authentication.
About this task
You can grant and revoke administration authority for an integration node or integration server by mapping specified groups or attributes in LDAP to specified roles in IBM Integration Bus. You configure the authorization by setting properties in the web administration server security YAML configuration file, ldap.auth.yaml. An example file that shows the layout of this configuration file is provided in the directory \server\sample\configuration. To apply the configuration that you specify in ldap.auth.yaml, you must use the appropriate IBM Integration Bus commands.
LDAP users must belong to one or more LDAP groups, or have one or more LDAP attributes that map to roles in IBM Integration Bus, with appropriate access to the admin REST API. Roles in IBM Integration Bus have read, write, or execute permissions for objects in integration nodes or integration servers. For more information, see Role-based security. An LDAP user can belong to a single LDAP group that is mapped to a single role in IBM Integration Bus, or to multiple LDAP groups that are mapped to multiple roles in IBM Integration Bus. An LDAP authenticated user's LDAP attributes can also be used to map to roles in IBM Integration Bus.
Configure LDAP authorization by completing the following steps. The values that are used in these steps are for illustrative purposes; provide your own values as appropriate to your environment.
Procedure
What to do next
- Authorize a single LDAP group to have a role in IBM Integration Bus. See Authorizing a single LDAP group to have a role in IBM Integration Bus.
- Authorize multiple LDAP groups to have roles in IBM Integration Bus. See Authorizing multiple LDAP groups to have roles in IBM Integration Bus.
- Authorize an LDAP authenticated user's LDAP attributes to have a role in IBM Integration Bus. See Authorizing an LDAP-authenticated user's LDAP attributes to have a role in IBM Integration Bus.