Configuring LDAP on WebSphere Application Server
You can configure LDAP when IBM® Rational® Quality Manager is configured to run on WebSphere® Application Server.
About this task
To configure LDAP:
Procedure
1. From the WebSphere Admin console, click Security > Secure administration, applications, and infrastructure. (On WebSphere Application Server 7.0.0.7, click Security > Global security.)
2. Update the security settings as follows:
o Enable administrative security: on
o Enable application security: on
o User account repository/Available realm definitions: Standalone LDAP registry
o In the User account repository section, click Configure, and supply the General Properties:
§ Primary administrative user name - Your user ID
§ Server user identity - Automatically generated server identity
§ Host - Name of the LDAP server
§ Port - Port of the LDAP server
§ Type of LDAP server - Custom
§ Search timeout - 120 seconds
§ Base distinguished name (DN) - The base distinguished name of the directory service
3. Click Apply, and save the changes.
4. In the Configuration section, click Test connection.
5. In the Additional Properties section, click Advanced Lightweight Directory Access Protocol (LDAP).
6. Specify the General Properties fields as follows:
o User filter: (&(emailaddress=%v)(objectclass=ePerson))
o Group filter: (&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))
o User ID map: *:emailaddress
o Group member ID map (replace ibm with your own ID): ibm-allGroups:member;ibm-allGroups:uniqueMember
o Certificate map mode: EXACT_DN
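To see what the user and group filters above actually do, here is an added example (not IBM's or the product's code) that renders the %v templates with RFC 4515 escaping and evaluates them, together with the member/uniqueMember lookup that the group member ID map refers to, against a constructed in-memory directory; the parser covers only the &, | and equality operators that these two filters use.

```python
import re
# Filter templates from the settings above; WebSphere substitutes the login
# name (user filter) or the group name (group filter) for %v.
USER_FILTER = "(&(emailaddress=%v)(objectclass=ePerson))"
GROUP_FILTER = "(&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))"
# Constructed sample directory: dn -> {attribute (lower-cased): [values]}
DIRECTORY = {
    "cn=alice,ou=people,o=example": {"objectclass": ["ePerson"], "emailaddress": ["alice@example.com"]},
    "cn=printer7,ou=devices,o=example": {"objectclass": ["device"], "emailaddress": ["alice@example.com"]},
    "cn=JazzAdmins,ou=groups,o=example": {"objectclass": ["groupOfNames"], "cn": ["JazzAdmins"], "member": ["cn=alice,ou=people,o=example"]},
    "cn=JazzUsers,ou=groups,o=example": {"objectclass": ["groupOfUniqueNames"], "cn": ["JazzUsers"], "uniquemember": ["cn=alice,ou=people,o=example"]},
}

def escape_value(value):
    """Escape the characters RFC 4515 reserves in assertion values: \\ * ( ) NUL."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)
def render(template, value):
    """Substitute %v with the escaped value so it is always matched as a literal."""
    return template.replace("%v", escape_value(value))
def unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
def parse(s, i=0):
    """Parse a filter built from &, | and equality items; returns (node, next index)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    if s[i + 1] in "&|":
        op, i, kids = s[i + 1], i + 2, []
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        return (op, kids), i + 1  # step past the closing ')'
    j = s.index(")", i)
    attr, val = s[i + 1:j].split("=", 1)
    return ("=", attr.lower(), unescape(val)), j + 1
def matches(node, entry):
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    _, attr, val = node  # attribute values are compared case-insensitively
    return any(v.lower() == val.lower() for v in entry.get(attr, []))
def search(filter_str):
    """DNs of entries matching the filter, as a search under the base DN would return."""
    tree, _ = parse(filter_str)
    return sorted(dn for dn, e in DIRECTORY.items() if matches(tree, e))
def groups_of(user_dn):
    """Groups that list user_dn in member or uniqueMember (the group member ID map)."""
    return sorted(dn for dn, e in DIRECTORY.items()
                  if user_dn in e.get("member", []) + e.get("uniquemember", []))
```

The printer entry shares alice's e-mail address but is not an ePerson, so the objectclass clause keeps it out of the user lookup; because the substituted value is escaped, a login value such as * is matched as a literal rather than as a wildcard.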
7. Click Apply when done and save the changes.
8. Click Apply and Save for each of the screens to confirm each setting.
Note: On the last page, make sure the Current realm definition is set to Standalone LDAP registry.
9. Stop and restart the WebSphere Application Server.
10. After the WebSphere Application Server restarts, validate the changes by logging in to the Admin Console.
11. To map user groups to the specific applications, click Applications > Enterprise Applications. (On WebSphere Application Server 7.0.0.7 and newer, click Applications > Application Types > WebSphere enterprise applications.)
12. In the Enterprise Applications list, select the jazz_war application and click Stop.
13. When the application stops, click the jazz_war application to open it for editing.
14. In the Detail properties section, click Security role to user/group mapping.
15. Select a specific group, such as JazzAdmins and JazzUsers, and click Look up groups. (On WebSphere Application Server 7.0.0.7 and newer, click Map groups.)
These groups are associated with every Jazz™ implementation and must be mapped to a particular LDAP group that contains the authorized users. These groups must be set up on the LDAP server prior to performing this mapping.
16. Enter a search string to return your group names from the LDAP server. Click Search to run the query.
17. From the list of available groups returned, select the particular group and move it to the Selected column.
18. Click OK to map the LDAP groups to the Jazz groups.
19. Map the appropriate LDAP group for all Jazz groups:
o JazzAdmins
o JazzProjectAdmins
o JazzDWAdmins
o JazzUsers
o JazzGuests
Note: Do not enable the All authenticated? option.
20. Save the changes, and restart the jazz_war application.
21. Log out of the Admin Console, and close the browser window.
Configuring WebSphere Application Server to use LDAP
To switch from an internal user registry to an LDAP user registry, you must first update the WebSphere® Application Server security settings and configure WebSphere Application Server to use the LDAP user registry.
About this task
To configure WebSphere Application Server to use LDAP:
1. Log in to the WebSphere Application Server Administrator console. The URL for the console takes the following form: http://[hostname:WSadminport]/IBM/console.
2. Click Security > Global Security.
3. Ensure that the Use domain-qualified user IDs option is not selected.
4. In the User registries section, click the LDAP link.
5. Enter the information for connecting to your LDAP server, including the following fields. The server user ID and password must be valid for connecting to the LDAP server. If you provide a base distinguished name or bind distinguished name, the distinguished names must use LDAP syntax, for example, CN=John Doe,OU=Rochester,O=IBM,C=US.
Server user ID
Type the WebSphere Application Server user name. You can enter either the complete distinguished name (DN) of the user or the short name of the user, as defined by the user filter in the Advanced LDAP settings panel.
Server user password
Type the WebSphere Application Server password.
Type
Select the type of LDAP server from the list. The type of LDAP server determines the default filters that are used by WebSphere Application Server.
Host
Enter the fully qualified host name of the LDAP server. You can enter either the IP address or the domain name system (DNS) name.
Port
Enter the LDAP server port number. The default value is 389.
Base distinguished name (DN)
Enter the base distinguished name (DN) of the directory service, which indicates the starting point for LDAP searches of the directory service. For example, for a user with a DN of cn=John Doe, ou=Rochester, o=IBM, c=US, specify the Base DN as any of the following options: ou=Rochester, o=IBM, c=US or o=IBM, c=US or c=US. For authorization purposes, this field is case sensitive. This field is used to limit search scope.
Optional: Bind distinguished name (DN)
Enter the bind DN. The bind DN is required only if anonymous access to the LDAP server is not allowed.
Optional: Bind password
Enter the password that corresponds to the bind DN.
Reuse connection
Ensure that this option is selected. This option specifies that the server should reuse the LDAP connection. Clear this option only in rare situations where a router is used to send requests to multiple LDAP servers and the router does not support affinity. Leave this option selected for all other situations.
Optional: SSL enabled
Select this option if you want to use Secure Sockets Layer communications with the LDAP server.
Optional: SSL configuration
Select the Secure Sockets Layer configuration to use for the LDAP connection. This configuration is used only when SSL is enabled for LDAP. The default is DefaultSSLSettings. To modify or create a new SSL configuration, click Security > SSL.
Note: The DN that you provide in this screen must be carefully typed and checked. It must match the default casing that the LDAP server uses.
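To see how the base DN limits search scope, here is an added example (not IBM's code) that splits DNs into their RDNs per RFC 4514 and checks whether the sample user DN from the Base DN field description falls under each of the base DNs listed there. The comparison is exact, including case, in line with the note above; a real directory server applies its own matching rules, so treat this as an illustration of the scoping idea rather than of any particular server's behaviour.

```python
import re

def split_dn(dn):
    """Split a DN into its RDN strings per RFC 4514: commas separate RDNs unless
    escaped with a backslash, and whitespace around the separators is ignored."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError("RDN without '=': %r" % part)
        rdns.append("%s=%s" % (attr.strip(), value.strip()))
    return rdns

def in_search_scope(entry_dn, base_dn):
    """True when entry_dn is at or below base_dn, so a search rooted at base_dn
    can reach it. The comparison is exact, including case, which is why the
    note above asks you to check the casing the LDAP server uses."""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    return len(base) <= len(entry) and entry[len(entry) - len(base):] == base

# The sample user from the Base DN description and the three base DNs listed for it.
SAMPLE_USER = "cn=John Doe , ou=Rochester, o=IBM, c=US"
SAMPLE_BASES = ["ou=Rochester, o=IBM, c=US", "o=IBM, c=US", "c=US"]

def bases_that_find(entry_dn, candidates):
    """The candidate base DNs under which a search would locate entry_dn."""
    return [b for b in candidates if in_search_scope(entry_dn, b)]
```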
6. Click Apply.
7. To modify advanced settings, such as which ID the user can use to authenticate, click Advanced Lightweight Directory Access Protocol (LDAP) user registry settings in the Additional Properties section. For more information, refer to publib.boulder.ibm.com/infocenter/wasinfo/v6r0/topic/com.ibm.websphere.base.doc/info/aes/ae/usec_advldap.html.
8. Click OK and, on the next page, click the Save link.
9. On the Global Security panel, select Lightweight Directory Access Protocol (LDAP) user registry from the Active User Registry field. Validation is done only when you click OK or Apply in the Global Security panel.
10. Click Apply. After you click Apply, WebSphere Application Server attempts to authenticate the user against the LDAP registry. This authentication tests the information that you entered and, if any information is incorrect, the authentication fails. If the authentication fails, check the information in Step 5.
11. Click the Save button to confirm your changes to your configuration. The registry changes take effect when you restart IBM® WebSphere Application Server later in the procedure.
What to do next
For additional instructions on configuring WebSphere Application Server to use LDAP, refer to Configuring WebSphere Application Server for LDAP.
- Determining the LDAP distinguished name (DN)
If you are configuring IBM Information Server to use an LDAP user registry, the full LDAP distinguished name (DN) of the suite administrator is required. If you cannot get the LDAP DN from your LDAP administrator, you might be able to use the following procedures to determine the LDAP DN.
Parent topic: Switching to an LDAP user registry