December 2024
M T W T F S S
 1
2345678
9101112131415
16171819202122
23242526272829
3031  

Categories

December 2024
M T W T F S S
 1
2345678
9101112131415
16171819202122
23242526272829
3031  

Setting LDAP parameters for Microsoft Active Directory

Define configuration parameters for Microsoft Active Directory to provide extra security options for your environment.

Before you begin

Before setting configuration parameters, perform authentication tests to confirm that user, group, and membership search filters work properly. For more information, see the Related tasks section.

You must be assigned the Security administration role with permission to Manage security (Full permission) to perform these steps.

About this task

You might need to modify the example search parameters in the following steps to match your LDAP server schema.

You can use the system console, the command line interface, or the REST API to complete this task. For the command line and REST API information, see the Related information section.

Procedure

  1. Click System > Security.
  2. Set the following configuration parameters.
    LDAP provider URL
    The LDAP server host name, port number, and LDAP or LDAPS protocol. The host name must be either the fully qualified domain name or IP address of your LDAP server. The host name must begin with either ldap:// for standard LDAP or ldaps:// when connecting to the LDAP server through a Secure Sockets Layer (SSL) tunnel.The LDAPS protocol is recommended for protecting sensitive user credential information. When selecting LDAPS, you must verify and accept the LDAP server X.509 certificate.
    LDAP security authentication
    The distinguished name (DN) of an LDAP user who is allowed to search the LDAP directory if the LDAP server does not allow anonymous access.
    Password
    The password of the LDAP security authentication user.
    LDAP base DN (users)
    The base DN subtree that is used when searching for user entries on the LDAP server. Use LDAP Data Interchange Format (LDIF) syntax for the entries.
    LDAP base DN (groups)
    The base DN subtree that is used when searching for group entries on the LDAP server.
    Search filter (users)
    Note: Confirm that the user search filter is effective by performing an LDAP authentication test. For more information, click Testing LDAP authentication settings in the Related tasks section below.

    Filter for finding entries in the LDAP base DN (users) subtree that match the user name. For example, see the following example LDAP user entry:

    dn: CN=testuser,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    cn: testuser
    givenName: testuser
    distinguishedName: CN=testuser,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
    instanceType: 4
    whenCreated: 20121016115033.0Z
    whenChanged: 20121128154238.0Z
    displayName: testuser
    uSNCreated: 12880
    uSNChanged: 30679
    name: testuser
    objectGUID:: FHdAtR/CQEyxvINHhsGnLw==
    userAccountControl: 2687488
    badPwdCount: 1
    codePage: 0
    countryCode: 0
    badPasswordTime: 129954117792502335
    lastLogoff: 0
    lastLogon: 129949649905545787
    pwdLastSet: 129948648233962943
    primaryGroupID: 513
    objectSid:: AQUAAAAAAAUVAAAABP7bJiQPVlNtcWUsVAQAAA==
    accountExpires: 9223372036854775807
    logonCount: 0
    sAMAccountName: testuser
    sAMAccountType: 805306368
    userPrincipalName: testuser@secfvt2.austin.ibm.com
    objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=secfvt2,DC=austin,DC=i
     bm,DC=com
    dSCorePropagationData: 16010101000000.0Z
    lastLogonTimestamp: 129985909582341952

    The following filter searches for entries with a user ID attribute sAMAccountName matches the user ID that was used to log in to the system. This filter only looks for entries within the organizationalPerson and person object classes.

    "(&(sAMAccountName={0})(ObjectClass=organizationalPerson)(ObjectClass=person))" 

    When the match occurs, the {0} placeholder is replaced by the user ID from the login screen.

    Search filter (groups)
    Note: Confirm that the group search filter is effective by performing an LDAP authentication test. For more information, click Testing LDAP authentication settings in the Related tasks section below.

    Filter for finding entries in the LDAP base DN (groups) subtree that match the group name. For example, see the following example LDAP group entry:

    dn: CN=group1,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
    objectClass: top
    objectClass: group
    cn: group1
    member: CN=WIMUser3,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
    member: CN=WIMUser1,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
    member: CN=user3,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
    member: CN=user1,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
    member: CN=KRBUser3,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
    member: CN=KRBUser1,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
    member: CN=LDAPUser3,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
    member: CN=LDAPUser1,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
    distinguishedName: CN=group1,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
    instanceType: 4
    whenCreated: 20121016162937.0Z
    whenChanged: 20121016214016.0Z
    uSNCreated: 12972
    uSNChanged: 22942
    name: group1
    objectGUID:: RyfdOC8kXEyOk7Q+qjtjSg==
    objectSid:: AQUAAAAAAAUVAAAABP7bJiQPVlNtcWUsXwQAAA==
    sAMAccountName: group1
    sAMAccountType: 268435456
    groupType: -2147483646
    objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=secfvt2,DC=austin,DC=ib
     m,DC=com
    dSCorePropagationData: 16010101000000.0Z

    The following filter searches for entries with a group ID attribute sAMAccountName that match the group name. This filter only searches for entries that are within the Group object class.

    "(&(sAMAccountName={0})(ObjectClass=Group))" 

    When the match occurs, the {0} placeholder is replaced by the group name.

    LDAP membership search filter pattern
    Note: Confirm that the member search filter is effective by performing an LDAP authentication test. For more information, click Testing LDAP authentication settings in the Related tasks section below.

    Filter used for returning a list of group member entries that are in the LDAP base DN (groups) subtree. For example, the following filter searches for entries in the group object class that contain a particular group as a member.

    "(&(member={0}) (objectclass=group))" 
    LDAP user search attribute
    The name of the attribute that represents the unique ID of the user. Typically, the LDAP user search attribute matches the user ID attribute (sAMAccountName) that is used in the user search filter.

    Note: The value of the LDAP user search attribute must match the value that was used when adding the user to system.
    LDAP group search attribute
    The name of the attribute in the group search filter that represents the group name. Typically, the LDAP group search attribute matches the group ID attribute that is used in the group search filter. For example, if the attribute name is sAMAccountName in the group search filter, the LDAP group search attribute should also be sAMAccountName. The sAMAccountName value is the default value if none is specified.
    LDAP membership search attribute
    The member user attribute in a group. If this attribute is not provided, the membership search uses the full distinguished name (DN) of the user, for example member: cn=Test User1, ou=WebSphere, o=IBM, c=US. Only specify a different value when you want to use a particular attribute of the DN instead of the full DN in the search query.
    LDAP JNDI connect pool
    JNDI connection pooling is enabled when the value is set to Yes, which is the default value. Consult an IBM service engineer before changing this setting.
    LDAP JNDI read timeout (in milliseconds)
    The amount of time to wait for the LDAP server to respond. The default value is five minutes. Specify a value of 0 to disable the timeout option.
    LDAP server type
    The type of LDAP server. When using Microsoft Active Directory, select Microsoft Active Directory.

Leave a Reply

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>