Setting up LDAP security

Use Lightweight Directory Access Protocol (LDAP) authentication if you already have an LDAP server.

  1. Open the Tools dashboard and click System Settings. The System Configuration Assistant is displayed.
  2. Select LDAP as the authentication provider. A set of LDAP property fields is displayed.
  3. Specify this information
    Context factory (ldapContextFactory)
    Specify com.sun.jndi.ldap.LdapCtxFactory.
    Provider URL (ldapProviderUrl)
    Specify the LDAP provider URL. See the LDAP server documentation for information.
    Search Base (ldapSearchBase)
    Specify the search base used in LDAP queries. During queries, the search base is used to specify the search organization or the root level of the search.
    Directory Manager User (ldapDirMgrUser)
    Specify the directory manager user ID for the LDAP server. Use a full distinguished name (DN). For Netscape Directory Server, this is Directory Manager or any of the members of the group Directory Administrators. For example, uid=kvaughan, ou=People, dc=com.
    Directory Manager Password (ldapDirMgrPass)
    Specify the directory manager password for the ldapDirMgrUser user.
    Administrative Role (ldapAdministratorRole)
    Specify the administrator rights for all of the users in the specified user group.
    Power Designer Role (PowerDesignerRole)
    Optionally, specify the designer rights for all of the users in the specified user group.
    Role Class (ldapGroupClass)
    Defaults to groupOfUniqueNames. If your LDAP schema uses group for this value, override the default. This value requires ldapUseridAttr, ldapGroupClass, and ldapGroupMemberAttr values.
    Userid Attribute (ldapUseridAttr)

    This property defaults to uid. If your LDAP schema does not use uid, override the default with the attribute that contains the user id. In most other cases this is CN. This value requires ldapGroupMemberAttr, ldapGroupClass, and ldapUserDNMask values.

    Role Member Attribute (ldapGroup/MemberAttr)
    Defaults to uniqueMember. If your LDAP schema uses member for this value, override the default. This value requires ldapUseridAttr, ldapGroupClass, and ldapUserDNMask values.
    LDAP Mask Type (ldapMaskType)
    Specify the search performed by ldapUserDNMask. The only valid value is search.
    User DN Mask (ldapUserDNMask)
    You can search for users based on this property and the ldapMaskType property:
    • To locate users using default settings, which is useful for an LDAP provider such as iPlanet, and the users that are all at the same level of the LDAP schema, do not use the ldapUserDNMask parameter or ldapMaskType parameter. If none is used, the authentication provider combines the ldapUseridAttr value with the ldapSearchBase value to construct a Distinguished Name (DN). This is the form of the DN: ldapUseridAttr=userid, ldapSearchBase, where you replace the italicized words with the values of those parameters.
    • To search for users based on a fully qualified DN, ldapMaskType must be null and ldapUserDNMask must provide a fully qualified DN with a placeholder for the user ID of {0}. For example, the form might be: CN={0}, DC=Users, DC=Lawson, DC=Com, or UID={0}, OU=Users, o=Lawson, c=US. A sub tree search is not performed.
    • To search the LDAP schema sub-tree, the ldapMaskType must be set to search and ldapUserDNMask must be set to the minimum required partial-DN to locate the user. For example, the form could be simply CN={0}, or for another LDAP provider it might be: UID={0}, OU=Users.
      Note: The last option is the most common search scenario because users are rarely at only one level in the LDAP schema.
  4. Click Save Changes.
  5. In Websphere, stop and start your Framework Services application server.