IBM Integration Bus, Version 9.0.0.8 Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS

See information about the latest product version

Authenticating incoming requests with LDAP

Configure a message flow to perform identity authentication using Lightweight Directory Access Protocol (LDAP).

Before you start:

Before you can configure a message flow to perform identity authentication using LDAP, you need to check that an appropriate security profile exists, or create a new security profile. See Creating a security profile for LDAP.

To authenticate the identity of a user or system, the broker attempts to connect to the LDAP server using the username and password associated with the identity. To do this, the broker needs the following information:
  • To resolve the username to an LDAP entry, the broker needs to know the base distinguished name (base DN) of the accepted login IDs. This is required to enable the broker to differentiate between different entries with the same name.
  • If the identities do not all have a common base DN, but can be uniquely resolved from a subtree, the DN can be specified in the broker configuration. When a subtree search has been specified, the broker must first connect to the LDAP server and search for the given username in order to obtain the full username distinguished name (DN) to be used for authentication. If your LDAP directory does not permit login of unrecognized IDs, and does not grant search access rights on the subtree, you must set up a separate authorized login ID that the broker can use for the search. Use the mqsisetdbparms command to specify a username and password. For example:
    mqsisetdbparms -n ldap::LDAP -u username -p password
    or
    mqsisetdbparms -n ldap::<servername> -u username -p password

    where <servername> is your base LDAP server name, for example, ldap.mydomain.com.

    If you specify ldap::LDAP, it creates a default setting for the broker, which the broker attempts to use if you have not explicitly used the mqsisetdbparms command to create a login ID for a specific <servername>. All servers that do not have an explicit ldap::servername entry then start using the credentials in the ldap::LDAP entry. This means that any servers that were previously using anonymous bind by default will start using the details in ldap::LDAP.

    The username that you specify in the -u parameter must be recognized by the LDAP server as a complete user name. In most cases this means that you need to specify the full DN of the user. Alternatively, by specifying a username to be anonymous, you can force the broker to bind anonymously to this LDAP server. This might be useful if you have specified a non-anonymous bind as your default (ldap::LDAP). For example: 
    mqsisetdbparms -n ldap::<servername> -u anonymous -p password
    In this case, the value specified for password is ignored.

Steps for enabling LDAP authentication:

To enable an existing message flow to perform identity authentication, use the Broker Archive editor to select a security profile that uses LDAP for authentication. You can set a security profile on a message flow or on individual input nodes. If no security profile is set for the input nodes, the setting is inherited from the setting on the message flow.
  1. Switch to the Integration Development perspective.
  2. In the Application Development view, right-click the BAR file and then click Open with > Broker Archive Editor.
  3. Click the Manage and Configure tab.
  4. Click the flow or node on which you want to set the security profile. The properties that you can configure for the message flow or for the node are displayed in the Properties view.
  5. In the Security Profile Name field, select a security profile that uses LDAP for authentication.
  6. Save the BAR file.

For a SOAPInput node to use the identity in the WS-Security header (rather than an underlying transport identity) an appropriate policy set and bindings must also be defined and specified. For more information, see Policy sets.

If the message identity does not contain enough information for authentication, the information must be taken from the message body. For example, if a password is required for authentication but the message came from WebSphere® MQ with only a username, the password information must be taken from the message body. For more information, see Configuring the extraction of an identity or security token.

Parent topic: Configuring identity authentication and security token validation
Related concepts:
Identity
Authentication and validation
Identity mapping
Authorization
Identity and security token propagation
Security profiles
Security exception processing
Related tasks:
Configuring the extraction of an identity or security token
Configuring identity mapping
Creating a security profile
Configuring authorization
Configuring identity authentication and security token validation
Configuring a message flow for identity propagation
Setting up message flow security
Related reference:
mqsicreateconfigurableservice command
mqsideleteconfigurableservice command
mqsichangeproperties command
mqsireportproperties command
MQInput node
HTTPInput node
SOAPInput node
SOAPAsyncRequest node
HTTPRequest node
MQOutput node
ap04121_.htm | Last updated Friday, 21 July 2017