81 lines
8.4 KiB
HTML
81 lines
8.4 KiB
HTML
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||
|
<html>
|
||
|
<head>
|
||
|
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
|
||
|
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">
|
||
|
|
||
|
<title>Configure LDAP search filters</title>
|
||
|
</head>
|
||
|
|
||
|
<BODY>
|
||
|
<!-- Java sync-link -->
|
||
|
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>
|
||
|
|
||
|
<h6><a name="seccldfi"></a>Configure LDAP search filters</h6>
|
||
|
|
||
|
<p>Lightweight Directory Access Protocol (LDAP) filters are used by the WebSphere Application Server - Express to search and obtain information about users and groups from a LDAP directory server. A default set of filters are provided for each LDAP server that the product supports. These filters can be modified to fit your LDAP configuration. Once the filters are modified (and OK or Apply is clicked) the directory type in the LDAP registry panel changes to custom, which indicates that custom filters are being used. Also, you can develop filters to support any additional type of LDAP server. The effort to support additional LDAP directories is optional, and IBM does not provide support for other LDAP directory types.</p>
|
||
|
|
||
|
<p>To configure search filters for LDAP, perform these steps in the administrative console:</p>
|
||
|
|
||
|
<ol>
|
||
|
<li><p>Click <strong>Security --> User Registries --> LDAP</strong>. Under <strong>Additional Properties</strong>, click <strong>Advanced LDAP Settings</strong>.</p></li>
|
||
|
|
||
|
<li><p>Modify the <strong>user filter</strong>, if necessary.</p>
|
||
|
<p>The user filter is used for searching the registry for users. It is typically used for Security Role to User assignment. It is also used to authenticate a user using the attribute specified in the filter. It specifies the property for which to look up users in the directory service. For example, to look up users based on their user IDs (uid) and using the object class inetOrgPerson, specify this property:</p>
|
||
|
<pre> (&(uid=%v)(objectclass=inetOrgPerson)</pre>
|
||
|
<p>At run time, <tt>%v</tt> is replaced with the uid attribute of the user. The user's uid attribute must be a unique key. This means that two LDAP entries with the same object class cannot have the same uid.</p>
|
||
|
<p>For more information about this syntax, see your LDAP directory service documentation.</p></li>
|
||
|
|
||
|
<li><p>Modify the <strong>group filter</strong> if necessary.</p>
|
||
|
<p>The group filter is used for searching the registry for groups. It is typically used for Security Role to Group assignment. It specifies the property by which to look up groups in the directory service. For example, to look up groups based on their common names (CN) and using the object class of either groupOfNames or groupOfUniqueNames, specify this property:</p>
|
||
|
<pre> (&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))</pre>
|
||
|
<p>For more information about this syntax, see your LDAP directory service documentation.</p></li>
|
||
|
|
||
|
<li><p>Modify the <strong>User ID Map filter</strong> if necessary.</p>
|
||
|
<p>This filter maps the short name of a user to an LDAP entry. This specifies the piece of information that should represent users when users are displayed using their short names. For example, to display entries of the type object class <tt>inetOrgPerson</tt> by their IDs, specify <tt>inetOrgPerson:uid</tt>.</p>
|
||
|
<p>This field takes multiple objectclass:property pairs delimited by a semicolon (;). To provide a consistent value for methods like getCallerPrincipal() and getUserPrincipal(), the short name that is obtained by using this filter is used. For example the user <tt>CN=Bob Smith, ou=austin.ibm.com, o=IBM, c=US</tt> can log in using any attributes that were defined for him (for example, e-mail address, social security number, and so on) but when the above methods are called, the user ID <tt>bob</tt> is returned no matter how he logs in.</p></li>
|
||
|
|
||
|
<li><p>Modify the <strong>Group ID Map filter</strong>, if necessary.</p>
|
||
|
<p>This filter maps the short name of a group to an LDAP entry. This specifies the piece of information that should represent groups when groups are displayed. For example, to display groups by their names, specify <tt>*:cn</tt>. The asterisk (*) is a wildcard character that searches on any object class in this case. This field takes multiple <tt>objectclass:property</tt> pairs delimited by a semicolon (;).</p></li>
|
||
|
|
||
|
<li><p>Modify the <strong>Group Member ID Map</strong> if necessary.</p>
|
||
|
<p>This filter identifies User to Group memberships. For SecureWay, Netscape, and Domino directory types, this field is used to query all the groups that match the specified object class or classes to find if the user is contained in the attribute specified. For example, to get all the users belonging to groups whose object class is <tt>groupOfNames</tt> and the users are contained in the member attributes, specify <tt>groupOfNames:member</tt>. This specifies which property of an objectclass stores the list of members belonging to the group represented by the objectclass.</p>
|
||
|
|
||
|
<p>This field takes multiple objectclass:property pairs delimited by a semicolon (;). For more information about this syntax, see your LDAP directory service documentation. For the IBM Directory Server, iPlanet, and Active Directory, this is used to query all users in a group by using the information stored in the user object (instead of querying all the groups individually to find if the user exists in that group). For example, the filter <tt>memberof:member</tt> (for Active Directory) is used to get the <tt>memberof</tt> attribute of the user object to get all the groups that the user belongs to. The member attribute is used to get all the users in a group using the group object. Using the user object to obtain the group information is expected to improve performance.</p></li>
|
||
|
|
||
|
<li><p>Modify the <strong>certificate Map Mode</strong>, if necessary.</p>
|
||
|
<p>The X.590 certificates can be used for user authentication when LDAP is selected as the user registry. This field is used to indicate whether to map the X.509 certificates into an LDAP directory user by EXACT_DN or CERTIFICATE_FILTER. If EXACT_DN is selected, the distinguished name in the certificate should exactly match the user entry in the LDAP server (including case and spaces). You can use the <strong>Ignore Case</strong> field in the LDAP settings to make the authorization case insensitive. If CERTIFICATE_FILTER is selected, fill in the appropriate certificate filter (in the next field) that should be used for mapping the certificate to a user in the LDAP.</p></li>
|
||
|
|
||
|
<li><p>If you specified the filter certificate mapping option, use this property to specify the LDAP filter to use to map attributes in the client certificate to entries in LDAP.</p>
|
||
|
|
||
|
<p>If more than one LDAP entry matches the filter specification at run time, then authentication fails because it results in an ambiguous match. The syntax or structure of this filter is:</p>
|
||
|
<pre> LDAP <em>attribute</em>=${<em>Client certificate attribute</em>}</pre>
|
||
|
<p>where <em>attribute</em> an LDAP attribute that depends on the schema that your LDAP server is configured to use, and <em>Client certificate attribute</em> is one of the public attributes in your client certificate. For example, <tt>uid=${SubjectCN})</tt>. Note that the client certificate attribute side must start with <tt>${</tt> and end with <tt>}</tt>.</p>
|
||
|
|
||
|
<p>Here is a list of client certificate attribute values. The case of the strings is important.</p>
|
||
|
|
||
|
<ul>
|
||
|
<li>${UniqueKey}</li>
|
||
|
<li>${PublicKey}</li>
|
||
|
<li>${Issuer}</li>
|
||
|
<li>${NotAfter}</li>
|
||
|
<li>${NotBefore}</li>
|
||
|
<li>${SerialNumber}</li>
|
||
|
<li>${SigAlgName}</li>
|
||
|
<li>${SigAlgOID}</li>
|
||
|
<li>${SigAlgParams}</li>
|
||
|
<li>${SubjectDN}</li>
|
||
|
<li>${Version}</li>
|
||
|
</ul>
|
||
|
|
||
|
<p>To enable this field, select CERTIFICATE_FILTER for the certificate mapping.</p></li>
|
||
|
|
||
|
<li><p>Click <strong>OK</strong>.</p>
|
||
|
|
||
|
<p>The validation of the changes (if any) does not take place in this panel. Validation is only done when the <strong>OK</strong> or <strong>Apply</strong> buttons are pressed in the Global Security panel. If you are in the process of enabling security for the first time, complete the remaining steps and go to the Global Security panel, select <tt>LDAP</tt> as the <strong>Active User Registry</strong>. If security was already enabled and any information on this panel is changed, make sure to go to the Global Security panel and click <strong>OK</strong> or <strong>Apply</strong> to validate your changes. If your changes are not validated the server may not be able to start.</p></li>
|
||
|
</ol>
|
||
|
|
||
|
</body>
|
||
|
</html>
|
||
|
|