Setting LDAP parameters for Microsoft Active Directory

Define configuration parameters for Microsoft Active Directory to provide extra security options for your environment.

Before you begin

Before setting configuration parameters, perform authentication tests to confirm that user, group, and membership search filters work properly. For more information, see the Related tasks section.

You must be assigned the Security administration role with permission to Manage security (Full permission) to perform these steps.

About this task

You might need to modify the example search parameters in the following steps to match your LDAP server schema.

You can use the system console, the command line interface, or the REST API to complete this task. For the command line and REST API information, see the Related information section.

Procedure

  1. Click System > Security.
  2. Set the following configuration parameters.
    LDAP provider URL
    The LDAP server host name, port number, and protocol (LDAP or LDAPS). The host name must be either the fully qualified domain name or the IP address of your LDAP server. The URL must begin with ldap:// for standard LDAP or ldaps:// when connecting to the LDAP server through a Secure Sockets Layer (SSL) tunnel. The LDAPS protocol is recommended for protecting sensitive user credential information. When selecting LDAPS, you must verify and accept the LDAP server X.509 certificate.
    LDAP security authentication
    The distinguished name (DN) of an LDAP user who is allowed to search the LDAP directory if the LDAP server does not allow anonymous access.
    Password
    The password of the LDAP security authentication user.
    LDAP base DN (users)
    The base DN subtree that is used when searching for user entries on the LDAP server. Use LDAP Data Interchange Format (LDIF) syntax for the entries.
    LDAP base DN (groups)
    The base DN subtree that is used when searching for group entries on the LDAP server.
    Search filter (users)
    Note: Confirm that the user search filter is effective by performing an LDAP authentication test. For more information, click Testing LDAP authentication settings in the Related tasks section below.

    Filter for finding entries in the LDAP base DN (users) subtree that match the user name. For example, consider the following LDAP user entry:

    dn: CN=testuser,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    cn: testuser
    givenName: testuser
    distinguishedName: CN=testuser,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
    instanceType: 4
    whenCreated: 20121016115033.0Z
    whenChanged: 20121128154238.0Z
    displayName: testuser
    uSNCreated: 12880
    uSNChanged: 30679
    name: testuser
    objectGUID:: FHdAtR/CQEyxvINHhsGnLw==
    userAccountControl: 2687488
    badPwdCount: 1
    codePage: 0
    countryCode: 0
    badPasswordTime: 129954117792502335
    lastLogoff: 0
    lastLogon: 129949649905545787
    pwdLastSet: 129948648233962943
    primaryGroupID: 513
    objectSid:: AQUAAAAAAAUVAAAABP7bJiQPVlNtcWUsVAQAAA==
    accountExpires: 9223372036854775807
    logonCount: 0
    sAMAccountName: testuser
    sAMAccountType: 805306368
    userPrincipalName: testuser@secfvt2.austin.ibm.com
    objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=secfvt2,DC=austin,DC=i
     bm,DC=com
    dSCorePropagationData: 16010101000000.0Z
    lastLogonTimestamp: 129985909582341952

    The following filter searches for entries whose user ID attribute sAMAccountName matches the user ID that was used to log in to the system. The filter only matches entries that belong to both the organizationalPerson and person object classes.

    "(&(sAMAccountName={0})(ObjectClass=organizationalPerson)(ObjectClass=person))"

    When the match occurs, the {0} placeholder is replaced by the user ID from the login screen.

    Search filter (groups)
    Note: Confirm that the group search filter is effective by performing an LDAP authentication test. For more information, click Testing LDAP authentication settings in the Related tasks section below.

    Filter for finding entries in the LDAP base DN (groups) subtree that match the group name. For example, consider the following LDAP group entry:

    dn: CN=group1,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
    objectClass: top
    objectClass: group
    cn: group1
    member: CN=WIMUser3,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
    member: CN=WIMUser1,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
    member: CN=user3,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
    member: CN=user1,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
    member: CN=KRBUser3,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
    member: CN=KRBUser1,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
    member: CN=LDAPUser3,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
    member: CN=LDAPUser1,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
    distinguishedName: CN=group1,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
    instanceType: 4
    whenCreated: 20121016162937.0Z
    whenChanged: 20121016214016.0Z
    uSNCreated: 12972
    uSNChanged: 22942
    name: group1
    objectGUID:: RyfdOC8kXEyOk7Q+qjtjSg==
    objectSid:: AQUAAAAAAAUVAAAABP7bJiQPVlNtcWUsXwQAAA==
    sAMAccountName: group1
    sAMAccountType: 268435456
    groupType: -2147483646
    objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=secfvt2,DC=austin,DC=ib
     m,DC=com
    dSCorePropagationData: 16010101000000.0Z

    The following filter searches for entries whose group ID attribute sAMAccountName matches the group name. The filter only matches entries that belong to the Group object class.

    "(&(sAMAccountName={0})(ObjectClass=Group))"

    When the match occurs, the {0} placeholder is replaced by the group name.

    LDAP membership search filter pattern
    Note: Confirm that the member search filter is effective by performing an LDAP authentication test. For more information, click Testing LDAP authentication settings in the Related tasks section below.

    Filter used for returning a list of group member entries that are in the LDAP base DN (groups) subtree. For example, the following filter searches for entries in the group object class that contain a particular group as a member.

    "(&(member={0}) (objectclass=group))"

    LDAP user search attribute
    The name of the attribute that represents the unique ID of the user. Typically, the LDAP user search attribute matches the user ID attribute (sAMAccountName) that is used in the user search filter.

    Note: The value of the LDAP user search attribute must match the value that was used when adding the user to the system.
    LDAP group search attribute
    The name of the attribute in the group search filter that represents the group name. Typically, the LDAP group search attribute matches the group ID attribute that is used in the group search filter. For example, if the attribute name is sAMAccountName in the group search filter, the LDAP group search attribute should also be sAMAccountName. The sAMAccountName value is the default value if none is specified.
    LDAP membership search attribute
    The member user attribute in a group. If this attribute is not provided, the membership search uses the full distinguished name (DN) of the user, for example member: cn=Test User1, ou=WebSphere, o=IBM, c=US. Only specify a different value when you want to use a particular attribute of the DN instead of the full DN in the search query.
    LDAP JNDI connect pool
    JNDI connection pooling is enabled when the value is set to Yes, which is the default value. Consult an IBM service engineer before changing this setting.
    LDAP JNDI read timeout (in milliseconds)
    The amount of time to wait for the LDAP server to respond. The default value is five minutes. Specify a value of 0 to disable the timeout option.
    LDAP server type
    The type of LDAP server. When using Microsoft Active Directory, select Microsoft Active Directory.
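The following Python script is an added example and is not part of the original documentation or the product's code. It takes the three {0} filter templates given above for the user, group and membership searches, substitutes a login-supplied value with RFC 4515 escaping, and evaluates the expanded filter against a small directory constructed from the page's sample testuser and group1 LDIF entries. The LDIF parser, the minimal filter evaluator (only &, |, equality, presence and substring filters) and the sample directory are assumptions made for this illustration.

```python
"""Added example (not from the original documentation): expand the page's {0}
search-filter templates with RFC 4515 escaping and evaluate them against entries
modelled on the page's LDIF.  Assumption: a minimal evaluator is enough here."""
import re

USER_FILTER = "(&(sAMAccountName={0})(ObjectClass=organizationalPerson)(ObjectClass=person))"
GROUP_FILTER = "(&(sAMAccountName={0})(ObjectClass=Group))"
MEMBER_FILTER = "(&(member={0}) (objectclass=group))"

# Constructed sample directory, trimmed from the page's testuser and group1 entries
SAMPLE_LDIF = """\
dn: CN=testuser,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
objectClass: person
objectClass: organizationalPerson
objectClass: user
sAMAccountName: testuser
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=secfvt2,DC=austin,DC=i
 bm,DC=com

dn: CN=group1,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
objectClass: group
member: CN=user1,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
member: CN=LDAPUser1,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
sAMAccountName: group1
"""

# RFC 4515: characters that change a filter's meaning if substituted unescaped
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape a login-supplied value before it replaces the {0} placeholder."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def expand_filter(template, value, escape=True):
    """Substitute {0}; escape=False shows what an unescaped substitution does."""
    return template.replace("{0}", escape_filter_value(value) if escape else value)

def parse_ldif(text):
    """LDIF -> [{attr_lowercase: [values]}], folding continuation lines (leading space)."""
    entries, lines = [], []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded line continues the previous value
        else:
            lines.append(raw)
    for line in filter(None, lines):      # blank lines only separate entries
        attr, _, val = line.partition(":")
        if attr.lower() == "dn":          # every entry begins with its dn
            entries.append({})
        entries[-1].setdefault(attr.lower(), []).append(val.strip())
    return entries

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse_filter(text):
    """Parse a filter string into a tree of (op, arg, value) tuples."""
    pos = 0
    def node():
        nonlocal pos
        assert text[pos] == "(", "expected '(' at offset %d" % pos
        pos += 1
        if text[pos] in "&|":
            op, children = text[pos], []
            pos += 1
            while text[pos] != ")":
                children.append(node())
                while text[pos] == " ":   # tolerate the space in the page's member filter
                    pos += 1
            pos += 1
            return (op, children, None)
        end = text.index(")", pos)        # an escaped value never contains a raw ')'
        attr, _, val = text[pos:end].partition("=")
        pos = end + 1
        if val == "*":
            return ("present", attr.lower(), None)
        if "*" in val:                    # raw '*' is a wildcard; escaped \2a is a literal star
            return ("substr", attr.lower(), [_unescape(p).lower() for p in val.split("*")])
        return ("eq", attr.lower(), _unescape(val).lower())
    return node()

def matches(tree, entry):
    """Evaluate a parsed filter against one entry; AD attribute matching is case-insensitive."""
    op, arg, val = tree
    if op in ("&", "|"):
        return (all if op == "&" else any)(matches(c, entry) for c in arg)
    values = [v.lower() for v in entry.get(arg, [])]
    if op == "present":
        return bool(values)
    if op == "eq":
        return val in values
    return any(re.fullmatch(".*".join(map(re.escape, val)), v) for v in values)

ENTRIES = parse_ldif(SAMPLE_LDIF)

def search(template, value, escape=True, entries=ENTRIES):
    """DNs of the entries matching the template after {0} is replaced by value."""
    tree = parse_filter(expand_filter(template, value, escape))
    return [e["dn"][0] for e in entries if matches(tree, e)]
```

Calling search(USER_FILTER, "testuser") returns only the testuser DN, search(GROUP_FILTER, "group1") returns the group DN, and search(MEMBER_FILTER, "CN=user1,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com") returns group1 because that DN appears in its member attribute, which is the lookup the membership search attribute description above relies on. The escape flag illustrates why the value substituted for {0} must be escaped: search(USER_FILTER, "*") matches nothing, while the same call with escape=False turns the lookup into a presence test that matches every person entry, which is the behaviour an authentication test against a real server should never show.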
