<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">
<title>Using specific directory servers as the LDAP server</title>
</head>
<BODY>
<!-- Java sync-link -->
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>
<h6><a name="secldapu"></a>Using specific directory servers as the LDAP server</h6>
<p>This topic describes considerations for using particular directory server products for WebSphere security.</p>
<p><strong>Using i5/OS Directory Services as the LDAP server</strong></p>
<p>i5/OS Directory Services is included in the base operating system beginning in V5R1, and option 32 is no longer available, beginning with V5R2. Directory Services is part of the IBM Directory Server family of products and services and is sometimes referred to as Directory Server (formerly SecureWay Directory) for iSeries.</p>
<p>For V5R2, select either <strong>SecureWay</strong> or <strong>IBM_Directory_Server</strong> as the directory type. For V5R3, select <strong>IBM_Directory_Server</strong> as the directory type. For V5R4, select <strong>IBM_Directory_Server</strong> as the directory type.</p>
<p><strong>Note:</strong> If you select <strong>IBM_Directory_Server</strong> as the LDAP directory type, you must also upgrade Directory Services to LDAP 4.1. With LDAP 4.1, Directory Services is programmed to use the new group membership attributes to improve the performance of group membership searches. For information regarding the PTFs that are required for LDAP 4.1, see <a href="http://www.ibm.com/servers/eserver/iseries/ldap/whatsnew41.htm" target="_blank">iSeries Directory Services (LDAP): New V5R2 Enhancements</a>. <img src="www.gif" width="18" height="15" alt="Link outside of Information Center"> (http://www.ibm.com/servers/eserver/iseries/ldap/whatsnew41.htm)</p>
<p>Note: Support for groups that contain other groups (nested groups) depends on specific versions of WebSphere Application Server and LDAP. For more information, see <a href="secldapn.htm">Using nested groups in user registries</a>.</p>
<p><strong>Using IBM Directory Server as the LDAP server</strong></p>
<p>You can choose the directory type of either <strong>IBM Directory Server</strong> or <strong>SecureWay</strong> for the IBM Directory Server product. The difference between these two types is how group membership is looked up. It is recommended that you choose <strong>IBM Directory Server</strong> for optimum performance at run time. In the IBM Directory Server product, group membership is an operational attribute. An entry can be a direct member of a group through the group's member attribute (<tt>uniqueMember</tt>). With the operational attribute, a group membership lookup is accomplished by enumerating the <tt>ibm-allGroups</tt> attribute of the entry, rather than by selecting a group and browsing through its member list. To use this attribute in a security authorization application, use a case-insensitive match: the attribute values returned by <tt>ibm-allGroups</tt> are all in upper case, whereas the values stored in the directory server are in lower case.</p>
<p><strong>Note:</strong> Support for groups that contain other groups (nested groups) depends on specific versions of WebSphere Application Server - Express and LDAP. For more information, see <a href="secldapn.htm">Using nested groups in user registries</a>.</p>
<p><strong>Using iPlanet Directory Server as the LDAP server</strong></p>
<p>You can choose the directory type of either iPlanet or NetScape for your iPlanet Directory Server. The difference between these two types is how group membership is looked up. Select the iPlanet directory type only if you use the new iPlanet grouping mechanism. The new grouping mechanism is called roles in iPlanet, and the attribute is <tt>nsRole</tt>. Roles are a new entry grouping mechanism in iPlanet that unifies entries. Roles are designed to be more efficient and easier to use for applications. For example, an application can locate the roles of an entry by enumerating all the roles possessed by that entry, rather than by selecting a group and browsing through its member list. With the iPlanet directory type, WebSphere Application Server - Express security supports only groups defined by <tt>nsRole</tt>. If you plan to use traditional grouping methods to group entries in the iPlanet server, select NetScape as the directory type.</p>
<p><strong>Using MS Active Directory server as the LDAP server</strong></p>
<p>To use Microsoft Active Directory as the LDAP server for authentication with WebSphere Application Server - Express, you must take specific steps. By default, Microsoft Active Directory does not permit anonymous LDAP queries. To create LDAP queries or browse the directory, an LDAP client must bind to the LDAP server using the distinguished name (DN) of an account that belongs to the administrator group of the Windows system. Group membership search in Active Directory is done by enumerating the <tt>memberof</tt> attribute possessed by a given user entry, rather than by browsing through the member list in each group. To change this default behavior so that each group is browsed instead, change the Group Member ID Map field from <tt>memberof:member</tt> to <tt>group:member</tt>.</p>
<p>To set up Microsoft Active Directory as your LDAP server, complete the following steps.</p>
<ol>
<li><p>Determine the full distinguished name and password of an account in the administrators group.</p>
<p>For example, if the Active Directory administrator creates an account in the Users folder of the Active Directory Users and Computers control panel on a Windows NT or Windows 2000 system, and the DNS domain is ibm.com, the resulting DN has the following structure:</p>
<pre>cn=<em>adminUsername</em>, cn=users, dc=ibm, dc=com</pre></li>
<li><p>Determine the short name and password of any account in the Microsoft Active Directory.</p>
<p>This does not have to be the same account as the one used in the previous step.</p></li>
<li>Use the WebSphere administrative console to set up the information needed to use Microsoft Active Directory:
<ol type="a">
<li>Start the administrative server for the domain, if necessary.</li>
<li>In the administrative console, click <strong>Security --&gt; User Registries --&gt; LDAP</strong>.</li>
<li>Enter the following information in the LDAP settings fields:
<ul>
<li><strong>Security Server ID:</strong> The short name of the account.</li>
<li><strong>Security Server Password:</strong> The password of the account.</li>
<li><strong>Directory Type:</strong> Active Directory.</li>
<li><strong>Host:</strong> The DNS name of the machine running Microsoft Active Directory.</li>
<li><strong>Base Distinguished Name:</strong> The domain components of the distinguished name of the account. For example: <tt>dc=ibm, dc=com</tt></li>
<li><strong>Bind Distinguished Name:</strong> The full distinguished name of the account. For example: <tt>cn=<em>adminUsername</em>, cn=users, dc=ibm, dc=com</tt></li>
<li><strong>Bind Password:</strong> the password of the account.</li>
</ul></li>
<li>Click <strong>OK</strong> to save the changes.</li>
<li>Stop and restart the administrative server so that changes take effect.</li>
</ol></li>
</ol>
<p><strong>Using a Lotus Domino Server as the LDAP server</strong></p>
<p>If you choose the Lotus Domino LDAP server Version 6 and the <tt>shortname</tt> attribute is not defined in the schema, you can do either of the following:</p>
<ul>
<li>Change the schema to add the <tt>shortname</tt> attribute.</li>
<li>Change the user ID map filter to replace <tt>shortname</tt> with any other defined attribute (preferably <tt>uid</tt>). For example, change <tt>person:shortname</tt> to <tt>person:uid</tt>.</li>
</ul>
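<p>The following is an added example, not code from IBM or from WebSphere Application Server. It models, against a small constructed in-memory directory, the two group membership lookup strategies that this topic contrasts for IBM Directory Server (<tt>ibm-allGroups</tt>), iPlanet (<tt>nsRole</tt>) and Active Directory (<tt>memberof:member</tt> versus <tt>group:member</tt>): reading a membership attribute on the user entry, or browsing every group's member list. It also shows the case-insensitive DN match the <tt>ibm-allGroups</tt> discussion calls for, the user lookup filter that a User ID Map such as <tt>person:uid</tt> implies, and how the Base Distinguished Name is the <tt>dc=</tt> part of the bind DN from the Active Directory procedure. The directory contents, the entry names and the interpretation of the ID-map strings as "object:attribute" pairs are assumptions made for illustration.</p>

```python
"""Added example (not IBM's or WebSphere's code): group-membership lookup
strategies and console ID-map strings, run against a constructed directory."""
import re

# Constructed sample directory: DN -> attributes (lists of values).
# Every DN and value here is made up for illustration only.
DIRECTORY = {
    "cn=alice,cn=users,dc=ibm,dc=com": {
        "objectclass": ["person"],
        "uid": ["alice"],
        "shortname": ["alice"],
        # Operational attribute as IBM Directory Server would return it:
        # upper case, while the stored group DN is lower case.
        "ibm-allGroups": ["CN=ADMINS, CN=GROUPS, DC=IBM, DC=COM"],
        # iPlanet role membership attribute (assumed value).
        "nsRole": ["cn=adminrole,dc=ibm,dc=com"],
        # Active Directory style back-link attribute.
        "memberof": ["cn=admins,cn=groups,dc=ibm,dc=com"],
    },
    "cn=bob,cn=users,dc=ibm,dc=com": {
        "objectclass": ["person"],
        "uid": ["bob"],
        "memberof": [],
    },
    "cn=admins,cn=groups,dc=ibm,dc=com": {
        "objectclass": ["groupOfUniqueNames"],
        "uniqueMember": ["cn=alice,cn=users,dc=ibm,dc=com"],
        "member": ["cn=alice,cn=users,dc=ibm,dc=com"],
    },
}


def normalize_dn(dn):
    """Lower-case a DN and drop spaces after commas so that the upper-case
    form returned by ibm-allGroups matches the lower-case stored form."""
    return re.sub(r",\s*", ",", dn.strip()).lower()


def parse_id_map(id_map):
    """Split an ID-map string such as 'memberof:member' or 'person:uid'
    into (object, attribute). Assumed interpretation of the console field."""
    obj, attr = id_map.split(":", 1)
    return obj.strip(), attr.strip()


def user_search_filter(user_id_map, short_name):
    """Build the user lookup filter implied by the User ID Map, e.g.
    'person:uid' with 'alice' -> '(&(uid=alice)(objectclass=person))'."""
    obj, attr = parse_id_map(user_id_map)
    return "(&(%s=%s)(objectclass=%s))" % (attr, short_name, obj)


def groups_by_user_attribute(directory, user_dn, attr):
    """Strategy 1: one read of a membership attribute on the user entry
    (ibm-allGroups, nsRole, memberof). Attribute names match case-insensitively."""
    entry = directory[user_dn]
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    return sorted(normalize_dn(v) for v in values)


def groups_by_browsing(directory, user_dn, member_attr):
    """Strategy 2: walk every entry that carries the member attribute
    (member, uniqueMember) and keep the groups that list the user."""
    target = normalize_dn(user_dn)
    found = []
    for dn, entry in directory.items():
        if any(normalize_dn(m) == target for m in entry.get(member_attr, [])):
            found.append(normalize_dn(dn))
    return sorted(found)


def groups_for_user(directory, user_dn, group_member_id_map):
    """Dispatch on the Group Member ID Map: 'group:member' browses groups,
    anything else ('memberof:member') reads that attribute on the user."""
    obj, attr = parse_id_map(group_member_id_map)
    if obj.lower() == "group":
        return groups_by_browsing(directory, user_dn, attr)
    return groups_by_user_attribute(directory, user_dn, obj)


def base_dn_from_bind_dn(bind_dn):
    """Keep only the dc= components of the bind DN; that is the value the
    Active Directory procedure enters as the Base Distinguished Name."""
    parts = [p.strip() for p in bind_dn.split(",")]
    return ", ".join(p for p in parts if p.lower().startswith("dc="))


if __name__ == "__main__":
    alice = "cn=alice,cn=users,dc=ibm,dc=com"
    print(groups_by_user_attribute(DIRECTORY, alice, "ibm-allGroups"))
    print(groups_by_user_attribute(DIRECTORY, alice, "nsRole"))
    print(groups_for_user(DIRECTORY, alice, "memberof:member"))
    print(groups_for_user(DIRECTORY, alice, "group:member"))
    print(user_search_filter("person:uid", "alice"))
    print(base_dn_from_bind_dn("cn=adminUsername, cn=users, dc=ibm, dc=com"))
```

<p>Both strategies return the same group set for the sample user; the difference the topic describes is cost, since the attribute read touches one entry while browsing touches every group. Without <tt>normalize_dn</tt>, the upper-case <tt>ibm-allGroups</tt> value would fail to match the stored lower-case group DN, which is exactly the mismatch the case-insensitive match guards against.</p>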
</body>
</html>