Setting up MSAD security

Microsoft Active Directory (MSAD) authentication is normally used in Windows 2003 server environments so that you do not have to maintain two sets of user IDs and passwords: a user's ID and password for Framework Services or Smart Notification are the same ones used to log into the Windows environment. MSAD authentication setup is similar to LDAP authentication setup, but it uses some schema elements that are unique to MSAD. The MSAD authenticator uses the LDAP API to perform authentication.

  1. Open the Tools dashboard and click System Settings. The System Configuration Assistant is displayed.
  2. Select MSAD as the authentication provider. A set of MSAD property fields opens. These properties are described here:
    Context factory (ldapContextFactory)
    Specify com.sun.jndi.ldap.LdapCtxFactory unless the server being deployed to requires a different context factory.
    Provider URL (ldapProviderUrl)
    Specify the LDAP provider URL and port. An example URL is ldap://corpdc01.corporate.company.com:389. See your IS department to find out the port MSAD uses to listen for LDAP requests.
    Search Base (ldapSearchBase)
    Specify the search base used in LDAP queries. During queries, the MSADAuthenticationProvider and the MSADRoleProvider use the search base to specify the search organization or the root level of the search. For example, dc=mycompany, dc=com.
    Directory Manager User (ldapDirMgrUser)
    Specify the user ID that has the authority to do a directory search and to search the memberOf attribute in the schema.
    Directory Manager Password (ldapDirMgrPass)
    Specify the directory manager password for the ldapDirMgrUser user.
    Administrative Role (ldapAdministratorRole)
    Specify the name of a group that contains users who have permission to administer the LSN server.
    Power Designer Role (PowerDesignerRole)
    Optionally, specify the designer rights for all of the users in the specified user group.
    Role Class (ldapGroupClass)
    Defaults to groupOfUniqueNames. This is an invalid value for MSAD, so use group instead. When using this property, you must also supply the ldapUseridAttr, ldapGroupClass, and ldapGroupMemberAttr overrides.
    Userid Attribute (ldapUseridAttr)
    This value defaults to uid. Replace that default with the MS-specific schema element sAMAccountName. This element is always unique, and is used as the login name in Windows environments. When using this property, you must also specify the ldapGroupMemberAttr, ldapGroupClass, and ldapUserDNMask override values.
    Role Member Attribute (ldapGroupMemberAttr)
    Defaults to uniqueMember. This is not a valid value for MSAD, so use member instead. When using this property, you must also specify the ldapUseridAttr, ldapGroupClass, and ldapUserDNMask override values.
    LDAP Mask Type (ldapMaskType)
    This setting is not used in the MSAD authentication provider.
    User DN Mask (ldapUserDNMask)
    This value is not used in the MSAD authenticator. Instead, the schema is searched for a matching sAMAccountName.
  3. Click Save Changes.
  4. In WebSphere, stop and start your Framework Services application server.
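The lookup sequence these settings configure (bind as the directory manager, resolve the user's DN by sAMAccountName, verify the password with a bind as that DN, then check group membership through the `member` attribute of an object of class `group`), as an added Java example that is not the product's own code; the host, DNs and group name are placeholders, and it assumes the directory manager account can read the search base.

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;
// Added example; host, DN and group values below are constructed placeholders, not real directory data.
public class MsadAuthExample {
    static final String PROVIDER_URL = "ldap://corpdc01.corporate.company.com:389"; // ldapProviderUrl
    static final String SEARCH_BASE  = "dc=mycompany,dc=com";                        // ldapSearchBase
    static final String DIR_MGR_USER = "cn=svc-reader,cn=Users,dc=mycompany,dc=com"; // ldapDirMgrUser
    static final String DIR_MGR_PASS = "<directory manager password>";              // ldapDirMgrPass
    // Simple bind through the JNDI LDAP context factory (ldapContextFactory).
    static DirContext bind(String principal, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }
    // Escape RFC 4515 filter metacharacters so a typed login name cannot rewrite the query.
    static String escape(String s) {
        return s.replace("\\", "\\5c").replace("*", "\\2a").replace("(", "\\28")
                .replace(")", "\\29").replace("\0", "\\00");
    }
    static NamingEnumeration<SearchResult> search(DirContext ctx, String filter) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        return ctx.search(SEARCH_BASE, filter, sc);
    }
    // Resolve the DN by sAMAccountName (ldapUseridAttr); ldapUserDNMask is not used for MSAD.
    static String findUserDn(DirContext mgr, String login) throws NamingException {
        NamingEnumeration<SearchResult> r = search(mgr, "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" + escape(login) + "))");
        return r.hasMore() ? r.next().getNameInNamespace() : null;
    }
    // Role check with ldapGroupClass=group and ldapGroupMemberAttr=member, e.g. for the ldapAdministratorRole group.
    static boolean isMember(DirContext mgr, String userDn, String groupCn) throws NamingException {
        return search(mgr, "(&(objectClass=group)(cn=" + escape(groupCn) + ")(member=" + escape(userDn) + "))").hasMore();
    }
    // Verify the password by binding as the resolved DN; AD treats an empty password as an anonymous bind, so reject it first.
    static boolean authenticate(String login, String password) throws NamingException {
        if (password == null || password.isEmpty()) return false;
        DirContext mgr = bind(DIR_MGR_USER, DIR_MGR_PASS);
        try {
            String dn = findUserDn(mgr, login);
            if (dn == null) return false;
            bind(dn, password).close();   // throws AuthenticationException on a wrong password
            return true;
        } catch (AuthenticationException e) { return false; } finally { mgr.close(); }
    }
}
```

Call `authenticate(login, password)` and then `isMember(mgr, dn, "<ldapAdministratorRole group>")` to decide whether the authenticated user holds the administrative role.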