How to configure LDAP in WebSphere

Home > Search > How-to
  by

There are two ways to configure WebSphere to authenticate against LDAP. You can either configure WebSphere to authenticate against a standalone LDAP repository, or you can configure WebSphere to authenticate against a federated repository, and then add LDAP to the federated repository. Adding LDAP to a federated repository is usually preferred over a standalone LDAP repository, because a federated repository includes the ability to authenticate against LDAP, as well as other authentication systems, so there is an alternate authentication resource if authentication against LDAP fails.

 


Let's take an example of a LDAP server with the following structure.

 

In the left panel of the WebSphere admin console, expand Security > Global Security. If you are going to configure a standalone LDAP repository, select Standalone LDAP repository and select Configure. If you are going to add LDAP to a federated repository, select Federated repository and select Configure.

In primary administrative username, enter one of your LDAP users.

 

Select the type of LDAP server you are using. If your LDAP server is not listed, select Custom.

 

Enter the hostname and port of your primary LDAP server.

 

In Base distinguished name, enter only your LDAP domain.

 

In Bind distinguished name, enter your main LDAP user, the organization unit (OU) the user is in (usually People), and the domain name. Some LDAP servers will use common name (cn) and some will use user id (uid). For example, these two entries are completely different records in LDAP.

 cn=johndoe,ou=people,dc=example,dc=com
uid=johndoe,ou=people,dc=example,dc=com

 

Use cn or uid based on how your LDAP server is configured.

 

Select OK. Select Save.

If you selected a custom LDAP server type, check to see if your LDAP server is using "ePerson" or "inetOrgPerson".

~]# ldapsearch -x -b dc=example,dc=com
dn: uid=JohnDoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson

 

If your LDAP server is using inetOrgPerson, select Advanced Lightweight Directory Access Protocol (LDAP) user registry settings. By default, the User filter field will have (&(uid=%v)(objectclass=ePerson)). Update the User filter field to mirror how your LDAP server is configured. For example, OpenLDAP uses "uid" and "inetOrgPerson". 

In this example, the User filter field would be updated to be (&(uid=%v)(objectclass=inetOrgPerson)). If User filter is updated to have cn=%v, you should also updated the User ID map to be *:cn.

 

Making a change to the advanced LDAP user registry settings will create this event in was_home/profiles/your_profile/logs/dmgr/SystemOut.log.

ADMR0016I: User defaultWIMFileBasedRealm/your_username modified document cells/your_cell/security.xml

Test LDAP connection

If you are setting up a standalone LDAP repository, at Security > Global security > Configure, select Test connection. There is no LDAP test connection option in a federated repository. The result of the test connection must be successful. If the test connection is not successful, you either provided an invalid ldap hostname or port, or there is some issue between WebSphere and LDAP (eg. LDAP is down, firewall refusing connection, et cetera).

 


Test LDAP Query

At Security > Global security > Configure, select LDAP Test Query. Enter the bind password, and then enter a search string. In this example, we are searching LDAP for a user with ID JohnDoe.

 

If LdapSearc Result produces a result, this verifies that LDAP is working as expected.

 


Configure WebSphere to authenticate against LDAP

If you are setting up a standalone LDAP repository, select Standalone LDAP repository and select Set as current. The Realm name and Current realm definition should update to display LDAP. Select Apply, and then select Save.

 

If you are adding LDAP to a federated repository, select Federated repository and select Set as current. The Realm name and Current realm definition should update to display Federated Repository. Select Apply, and then select Save.

 

The following event should be recorded in ${was_install_root}/profiles/your_profile/logs/dmgr/SystemOut.log. Restart the dmgr for this change to take effect. 

SECJ0419I: The user registry is currently connected to LDAP server ldap://ldap.example.com:389

 

Sign out of the WebSphere admin console, and you should now be able to sign in using your primary administrative LDAP user account.



Add a Comment




We will never share your name or email with anyone. Enter your email if you would like to be notified when we respond to your comment.




Please enter in the box below so that we can be sure you are a human.




Comments