6.6.18.8: Using Microsoft Active Directory as an LDAP Server
To use Microsoft Active Directory as the LDAP server for authentication with WebSphere Application Server, there are some specific steps you must take. By default, Microsoft Active Directory does not allow anonymous LDAP queries. To make LDAP queries or browse the directory, an LDAP client must bind to the LDAP server using the distinguished name (DN) of an account that belongs to the Administrators group of the Windows system.
To set up Microsoft Active Directory as your LDAP server, follow this procedure:
1. Determine the full DN and password of an account in the Administrators group. For example, if the Active Directory administrator creates an account in the Users folder of the Active Directory Users and Computers Windows NT/2000 control panel and the DNS domain is ibm.com, the resulting DN has the following structure:
   cn=<adminUsername>, cn=users, dc=ibm, dc=com
2. Determine the short name and password of any account in the Microsoft Active Directory. This does not have to be the same account as the one used in the previous step.
3. Use the WebSphere Application Server administrative console to set up the information needed to use Microsoft Active Directory:
   - Start the administrative server for the domain, if necessary.
   - Start the administrative console, if necessary.
   - On the administrative console, click Console -> Security Center on the console menu bar.
   - Select the Authentication tabbed page. On it, select Lightweight Third Party Authentication (LTPA) as the authentication mechanism.
   - Enter the following information in the LDAP settings fields:
     - Security Server ID: the short name of the account chosen in step 2
     - Security Server Password: the password of the account chosen in step 2
     - Directory Type: Active Directory
     - Host: the DNS name of the machine running Microsoft Active Directory
     - Base Distinguished Name: the domain components of the DN of the account chosen in step 1. For example: dc=ibm, dc=com
     - Bind Distinguished Name: the full DN of the account chosen in step 1. For example: cn=<adminUsername>, cn=users, dc=ibm, dc=com
     - Bind Password: the password of the account chosen in step 1
   - Click the OK button to save the changes.
   - Stop and restart the administrative server for the changes to take effect.
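As an added check (example code, not part of this InfoCenter page or of WebSphere itself), the following Python script validates the Bind Distinguished Name, Base Distinguished Name, Host and Security Server ID values for consistency before they are entered in the Security Center; the account and host names used are constructed examples.

```python
def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an RFC 4514 DN into (attribute, value) pairs, honouring backslash
    escapes so a value such as 'Smith\\, John' is not split at its comma."""
    rdns, buf, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # escaped character: keep as-is
            buf += dn[i:i + 2]
            i += 2
            continue
        if dn[i] == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += dn[i]
        i += 1
    rdns.append(buf)
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs

def dns_domain_to_base_dn(domain: str) -> str:
    """ibm.com -> dc=ibm,dc=com: the value for the Base Distinguished Name field."""
    return ",".join(f"dc={label}" for label in domain.lower().split("."))

def check_settings(bind_dn: str, base_dn: str, host: str,
                   server_id: str, bind_pw: str, server_pw: str) -> list[str]:
    """Return the inconsistencies found in the planned LDAP settings
    (an empty list means the values agree with each other)."""
    problems = []
    bind, base = parse_dn(bind_dn), parse_dn(base_dn)
    if any(attr != "dc" for attr, _ in base):
        problems.append("Base DN should contain only dc= components")
    if bind[-len(base):] != base:
        problems.append("Bind DN is not under the Base DN")
    # The AD host's DNS name should end in the domain that the dc= components name.
    host_labels = host.lower().split(".")[1:]
    base_labels = [value.lower() for _, value in base]
    if host_labels[-len(base_labels):] != base_labels:
        problems.append("Host DNS domain does not match the Base DN")
    if "=" in server_id or "," in server_id:
        problems.append("Security Server ID must be the short name, not a DN")
    if not bind_pw or not server_pw:
        problems.append("Bind Password and Security Server Password must not be empty")
    return problems
```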