ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzatz_5.4.0.1/51/sec/seccldap.htm
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">
<title>Configure LDAP user registries</title>
</head>
<BODY>
<!-- Java sync-link -->
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>
<h5><a name="seccldap"></a>Configure LDAP user registries</h5>
<p>Before you configure a Lightweight Directory Access Protocol (LDAP) user registry for WebSphere security, see these topics:</p>
<ul>
<li><a href="secldap.htm">Lightweight Directory Access Protocol</a></li>
<li><a href="secldaps.htm">Supported directory services</a></li>
<li><a href="secldapu.htm">Use specific directory servers as the LDAP server</a></li>
<li><a href="secldapn.htm">Using nested groups in user registries</a></li>
<li><a href="seccltpa.htm">Add users to the LDAP user registry</a></li>
<li><a href="secldaploc.htm">Locating a user's group memberships in LDAP</a> (Version 5.1.1 or later)</li>
</ul>
<p>To configure WebSphere security to use an LDAP user registry, perform these steps in the administrative console:</p>
<ol>
<li><p>Click <strong>Security --&gt; User Registries --&gt; LDAP</strong>.</p></li>
<li><p>Enter a valid user name in the <strong>Server User ID</strong> field. You can enter either the complete distinguished name (DN) of the user or the short name of the user as defined by the <strong>User Filter</strong> in the <strong>Advanced LDAP settings</strong> panel.</p></li>
<li><p>Enter the password of the user in the <strong>Server User Password</strong> field.</p></li>
<li><p>Select the type of LDAP server that is used from the <strong>Type</strong> drop-down list.</p>
<p><strong>Note:</strong> If you are using the i5/OS Directory Services product, select <tt>SecureWay</tt> from the <strong>Type</strong> list.</p>
<p>The type of LDAP server determines the default filters that are used by the WebSphere Application Server - Express. When these default filters are changed, the <strong>Type</strong> field changes to <tt>Custom</tt>, which indicates that custom filters are used. This change occurs after <strong>OK</strong> or <strong>Apply</strong> is clicked in the LDAP advanced settings panel. For more information about LDAP filters, see <a href="seccldfi.htm">Configure LDAP search filters</a>.</p>
<p>To use other LDAP servers, choose the <tt>Custom</tt> type from the list and modify the user and group filters as required. However, it is the customer's responsibility to configure and validate the filters for other LDAP servers. Also, if either IBM_Directory_Server or iPlanet is selected, the <strong>Ignore Case</strong> field should also be selected.</p></li>
<li><p>Enter the fully qualified host name of the LDAP server in the <strong>Host</strong> field.</p></li>
<li><p>Enter the LDAP server port number in the <strong>Port</strong> field. The host name together with the port number represents the realm for this LDAP server in the WebSphere Application Server - Express cell. Therefore, if servers in different cells communicate with each other (using LTPA tokens), these realms should match exactly in all the cells.</p>
<p><strong>Note:</strong> If you are using single signon between a WebSphere Application Server - Express Version 5 server (either 5.0 or 5.1) and a WebSphere Application Server Version 4 application server, you must specify an LDAP server port number in the administrative console. The default LDAP port number for WebSphere Application Server - Express Version 5 is 0, but for WebSphere Application Server Version 4 it is not 0. Set the LDAP port numbers for both servers to the same value. In the Version 5 administrative console, set the LDAP port number on the LDAP settings page: click <strong>Security</strong> --&gt; <strong>User registries</strong> --&gt; <strong>LDAP</strong>.</p></li>
<li><p>Enter the Base distinguished name (DN) in the <strong>Base Distinguished Name</strong> field. The Base DN indicates the starting point for searches in this LDAP directory server. For example, for a user with a DN of <tt>cn=John Doe, ou=Rochester, o=IBM, c=US</tt>, the Base DN can be specified as any of the following (assuming a suffix of <tt>c=us</tt>): <tt>ou=Rochester, o=IBM, c=us</tt>, <tt>o=IBM, c=us</tt>, or <tt>c=us</tt>. This field can be case sensitive, and it is recommended that it match the case used in your directory server. This field is required for all LDAP directories except the Domino Directory. The Base DN field is optional for the Domino Server.</p></li>
<li><p>Enter the Bind DN name in the <strong>Bind Distinguished Name</strong> field, if necessary. The Bind DN is required if anonymous binds cannot be performed on the LDAP server to obtain user and group information. If the LDAP server is set up to use anonymous binds, leave this field blank.</p></li>
<li><p>Enter the password that corresponds to the Bind DN in the <strong>Bind password</strong> field, if necessary.</p></li>
<li><p>Modify the <strong>Search Time Out</strong> value if required. This timeout value is the maximum amount of time the LDAP server waits to send a response to the product client before aborting the request. The default is 120 seconds.</p></li>
<li><p>Disable the <strong>Reuse Connection</strong> field only if you are using routers to spray requests to multiple LDAP servers, and if the routers do not support affinity. Leave this field enabled for all other situations.</p></li>
<li><p>Enable the <strong>Ignore Case</strong> flag, if required. When this is enabled, the authorization check is case insensitive. Normally, an authorization check involves checking the complete DN of a user (which is unique in the LDAP server) and is case sensitive. However, when using either IBM Directory Server, i5/OS Directory Services, or the iPlanet LDAP servers, this flag needs to be enabled because the group information obtained from the LDAP servers is not consistent in terms of case. This inconsistency only affects the authorization check.</p></li>
<li><p>Enable Secure Sockets Layer (SSL) if the communication to the LDAP server is through SSL. Check <strong>SSL Enabled</strong> to enable SSL. For more information on setting up LDAP for SSL, refer to <a href="secsslen.htm">Configure SSL connections between WebSphere Application Server - Express and an LDAP server</a>.</p></li>
<li><p>If SSL is enabled, select the appropriate SSL alias configuration from the drop-down list in the <strong>SSL configuration</strong> field.</p></li>
<li><p>Click <strong>OK</strong>.</p>
<p>The validation of the user and password and the setup does not take place in this panel. Validation is only done when you click <strong>OK</strong> or <strong>Apply</strong> in the Global Security panel. If you are enabling security for the first time, complete the remaining steps and then go to the Global Security panel. Select <tt>LDAP</tt> as the <strong>Active User Registry</strong>. If security is already enabled but information on this panel is changed, make sure to go to the Global Security panel and click <strong>OK</strong> or <strong>Apply</strong> to validate your changes. If your changes are not validated, the server may not be able to start.</p></li>
<li><p>(Version 5.1.1 or later) Configure support for dynamic or nested groups. For more information, see <a href="secldapdyn.htm">Dynamic groups and nested group support</a> and <a href="secldapn.htm">Using nested groups in user registries</a>. See the following topics for information about configuring dynamic and nested group support in specific directory services products:</p>
<ul>
<li><a href="secldapibm.htm">For the IBM Directory Server</a></li>
<li><a href="secldapsun.htm">For the Sun ONE or iPlanet Directory Server</a></li>
</ul></li>
</ol>
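<p>The following is an added example; it is not code from this documentation or from WebSphere Application Server - Express. It models the Base DN rule from step 7 (the Base DN must be a suffix, by whole RDNs, of every user DN the registry searches) and the effect of the <strong>Ignore Case</strong> flag from step 12 on a distinguished-name comparison. The user DN and the three valid Base DN values are the ones quoted in step 7; the two deliberately wrong Base DN values, the function names (<tt>parse_dn</tt>, <tt>is_under_base_dn</tt>, <tt>check_candidates</tt>) and the treatment of an empty Base DN as "search the whole directory" are this example's own assumptions.</p>

```python
"""Added example (not from the IBM documentation or from WebSphere):
a Base DN suffix check for LDAP distinguished names.

A Base DN is the suffix of every user DN the registry may search, so the
check is "do the trailing RDNs of the user DN equal the Base DN?". The
Ignore Case flag is modelled by folding attribute values to lower case
before comparing. Function names are this example's own."""

from typing import Dict, List, Tuple

RDN = Tuple[str, str]


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN into (attribute, value) pairs, honouring backslash-escaped
    commas (RFC 4514 style) and trimming whitespace around separators.
    Raises ValueError for an RDN that has no '='."""
    rdns: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:                  # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":              # an unescaped comma ends the current RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))

    pairs: List[RDN] = []
    for rdn in rdns:
        rdn = rdn.strip()
        if not rdn:
            continue                 # tolerate an empty DN or a trailing comma
        if "=" not in rdn:
            raise ValueError(f"malformed RDN {rdn!r} in DN {dn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip(), value.strip()))
    return pairs


def normalize(pairs: List[RDN], ignore_case: bool) -> List[RDN]:
    """Attribute types (cn, ou, o, c) are always case-insensitive in LDAP;
    attribute values are folded only when Ignore Case is on."""
    if ignore_case:
        return [(a.lower(), v.lower()) for a, v in pairs]
    return [(a.lower(), v) for a, v in pairs]


def is_under_base_dn(user_dn: str, base_dn: str, ignore_case: bool = False) -> bool:
    """True if base_dn is a suffix (by whole RDNs) of user_dn.
    Assumption of this example: an empty Base DN means the whole directory,
    which is how the field being optional for Domino is modelled here."""
    user = normalize(parse_dn(user_dn), ignore_case)
    base = normalize(parse_dn(base_dn), ignore_case)
    if not base:
        return True
    if len(base) > len(user):
        return False
    return user[-len(base):] == base


def check_candidates(user_dn: str, candidates: List[str], ignore_case: bool) -> Dict[str, bool]:
    """Evaluate several Base DN candidates against one user DN."""
    return {c: is_under_base_dn(user_dn, c, ignore_case) for c in candidates}


# Constructed sample input: the user DN from the text, the three Base DN
# values the text offers, plus two deliberately wrong ones.
USER_DN = "cn=John Doe, ou=Rochester, o=IBM, c=US"
CANDIDATE_BASE_DNS = [
    "ou=Rochester, o=IBM, c=us",   # valid, but c=us differs in case from c=US
    "o=IBM, c=us",
    "c=us",
    "ou=Austin, o=IBM, c=us",      # different branch: never matches
    "o=IBM c=us",                  # missing comma: parses as one RDN o="IBM c=us"
]

if __name__ == "__main__":
    for flag in (False, True):
        print(f"Ignore Case = {flag}")
        for base, ok in check_candidates(USER_DN, CANDIDATE_BASE_DNS, flag).items():
            print(f"  {base!r:32} -> {'matches' if ok else 'no match'}")
```

<p>Run as a script, the block evaluates the candidates twice. With case folding off, none of the three documented Base DNs match, because the user DN ends in <tt>c=US</tt> while the Base DNs end in <tt>c=us</tt>; this is the situation the recommendation in step 7 to match the directory's case is meant to avoid. With case folding on, the three documented values match and the two wrong ones still do not, including the Base DN with a missing comma, which silently becomes a single RDN rather than raising an error.</p>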
</body>
</html>