Use this page to configure Lightweight Directory Access Protocol (LDAP) settings when users and groups reside in an external LDAP directory.
When security is enabled and any of these properties change, go to the Global security panel and click Apply to validate the changes.
Specifies the user ID that is used to run WebSphere Application Server for security purposes.
This ID need not be the LDAP administrator user ID, but it must be a valid entry in the LDAP directory that is located under the base distinguished name.
Specifies the password that corresponds to the security server ID.
Specifies the type of LDAP server to which you connect.
IBM SecureWay Directory Server is not supported.
Specifies the host ID (IP address or domain name service (DNS) name) of the LDAP server.
Specifies the host port of the LDAP server.
Default: 389
Specifies the base distinguished name of the directory service, which indicates the starting point for LDAP searches of the directory service.
For example, for a user with a distinguished name (DN) of cn=John Doe, ou=Rochester, o=IBM, c=US, you can specify the base DN as ou=Rochester, o=IBM, c=us (this assumes a suffix of c=us). For authorization purposes, this field is case sensitive: if a token is received from another cell or from a Lotus Domino server, the base DN configured in this server must exactly match the base DN in the other cell or Domino server. If case sensitivity is not a consideration for authorization, enable the Ignore case option. A base DN is required for all Lightweight Directory Access Protocol (LDAP) directories except the Lotus Domino Directory, where it is optional.
If WebSphere Application Server Version 5 must interoperate with a Version 5.0.1 or later server, enter a normalized base distinguished name. A normalized base DN contains no spaces before or after its commas and equal signs: o = ibm, c = us and o=ibm, c=us are not normalized, while o=ibm,c=us is. In WebSphere Application Server Version 5.0.1 or later, normalization occurs automatically at run time.
Specifies the distinguished name for the application server to use when binding to the directory service.
If no name is specified, the application server binds anonymously, so the directory must permit anonymous searches of the user and group entries under the base distinguished name. See the Base Distinguished Name field description for examples of distinguished names.
Specifies the password for the application server to use when binding to the directory service.
Specifies the timeout value in seconds that the application server waits for a Lightweight Directory Access Protocol (LDAP) server to respond before it abandons the request.
Default: 120
Specifies whether the server reuses the Lightweight Directory Access Protocol (LDAP) connection. Clear this option only in the rare case where a router distributes requests across multiple LDAP servers and that router does not support affinity.
Default: Enabled
Range: Enabled or Disabled
If you are using WebSphere Edge Server for LDAP failover, you must enable TCP resets on the Edge server. A TCP reset causes the connection to be closed immediately, so the application server fails over to the backup LDAP server instead of waiting for the search timeout. For more information, see "Sending TCP resets when server is down" at http://www-3.ibm.com/software/webservers/appserv/doc/v50/ec/infocenter/edge/LBguide.htm#HDRRESETSERVER and the Edge Server V2 - TCP Reset feature in PTF #2 described in ftp://ftp.software.ibm.com/software/websphere/edgeserver/info/doc/v20/en/updates.pdf.
Specifies that a case-insensitive authorization check is performed when the default authorization is used.
This option is required when IBM Tivoli Directory Server is selected as the LDAP directory server.
This option is required when Sun ONE Directory Server is selected as the LDAP directory server. For more information, see "Using specific directory servers as the LDAP server" in the documentation.
Otherwise, this option is optional; enable it when a case-insensitive authorization check is required, for example when the contents of client certificates do not match the case used for the corresponding entry in the LDAP server. You can also enable the Ignore case option when using single sign-on (SSO) between WebSphere Application Server and Lotus Domino.
Default: Enabled
Range: Enabled or Disabled
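The two comparison rules described above, base DN normalization (no spaces around commas and equal signs) and the case-sensitive versus Ignore case match, are easy to get wrong when tokens arrive from another cell or a Domino server. The following is an added illustration, not code from WebSphere Application Server or IBM: it implements the normalization the page describes, compares two DNs with or without case sensitivity, and checks that an entry (such as the server user ID) sits under the configured base DN. The function names and the sample DNs are the editor's own; the splitter is deliberately simplified and is not a full RFC 4514 parser.

```python
import re

# Split a DN on the commas that separate RDNs, leaving a comma escaped as
# "\," inside a value alone.  Simplified: a value that ends in an escaped
# backslash followed by a comma is not handled (a full RFC 4514 parser would
# be needed for that).
_RDN_SPLIT = re.compile(r'(?<!\\),')


def normalize_dn(dn: str, ignore_case: bool = False) -> str:
    """Return dn with no spaces before or after the commas and equal signs
    that delimit its RDNs, e.g. 'o = ibm, c = us' -> 'o=ibm,c=us'.

    Attribute types are always lowercased (they are case-insensitive in
    LDAP).  Attribute values are lowercased only when ignore_case is True,
    which mirrors enabling the Ignore case option for the authorization
    check.
    """
    rdns = []
    for rdn in _RDN_SPLIT.split(dn):
        attr, sep, value = rdn.partition('=')
        if not sep:
            raise ValueError(f'RDN without an "=": {rdn!r}')
        attr = attr.strip().lower()
        value = value.strip()
        if ignore_case:
            value = value.lower()
        rdns.append(f'{attr}={value}')
    return ','.join(rdns)


def dns_match(received_dn: str, configured_dn: str, ignore_case: bool = False) -> bool:
    """Compare a base DN carried in a received token with the configured one
    after normalizing both.  The match is case-sensitive unless ignore_case
    is set, exactly the distinction the Ignore case option controls."""
    return normalize_dn(received_dn, ignore_case) == normalize_dn(configured_dn, ignore_case)


def under_base_dn(entry_dn: str, base_dn: str, ignore_case: bool = False) -> bool:
    """True if entry_dn is at or below base_dn, i.e. the base DN's RDNs are a
    suffix of the entry's RDNs.  Use it to confirm that the server user ID
    really is located under the base DN before relying on it."""
    entry = _RDN_SPLIT.split(normalize_dn(entry_dn, ignore_case))
    base = _RDN_SPLIT.split(normalize_dn(base_dn, ignore_case))
    return len(entry) >= len(base) and entry[-len(base):] == base


if __name__ == '__main__':
    # Constructed sample DNs; they do not come from any real directory.
    print(normalize_dn('o = ibm, c = us'))
    token_dn = 'ou=Rochester, o=IBM, c=US'     # as it might arrive in a token
    configured = 'ou=rochester,o=ibm,c=us'     # as configured on this server
    print(dns_match(token_dn, configured))                    # case differs
    print(dns_match(token_dn, configured, ignore_case=True))  # case ignored
    print(under_base_dn('cn=John Doe, ou=Rochester, o=IBM, c=US', configured, ignore_case=True))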
Specifies whether secure socket communication is enabled to the Lightweight Directory Access Protocol (LDAP) server. When enabled, the LDAP Secure Sockets Layer (SSL) settings are used, if specified.
Specifies the Secure Sockets Layer configuration to use for the Lightweight Directory Access Protocol (LDAP) connection. This configuration is used only when SSL is enabled for LDAP.
Default: DefaultSSLSettings