Using Microsoft Active Directory for authentication

WebSphere® Application Server supports Microsoft® Active Directory. Many installations use Microsoft Active Directory as their primary component for managing user authentication and user data. Authenticating a user across multiple repositories, or across a distributed Lightweight Directory Access Protocol (LDAP) registry such as a Microsoft Active Directory forest, can be challenging. In any search of the whole registry, if there is more than one match at run time, authentication fails because the match is ambiguous.

About this task

User IDs are guaranteed to be unique within a single domain, but there is no automatic guarantee that a given user ID is unique across a tree or a forest. The following figure exemplifies the condition of a given user ID not being unique across a tree or forest.
Figure 1. Forest search strategy. Search illustration of a non-unique sAMAccountName across the entire forest
Authenticating users across trees or forests can be difficult. Perform the following steps.

Procedure

  1. Analyze the Microsoft Active Directory construct that defines your installation. Your analysis can conclude with the following forms:
    • Single LDAP registry - Simple configuration
    • Federated repository (a forest) - Typical configuration
    • Merger of federated repositories (a merger of trees into a forest) - Less typical configuration
    • Combination of user and group forests - Rare configuration
  2. Develop strategies for user look up that match your Microsoft Active Directory installation. Remember that user IDs are guaranteed to be unique within a single domain, but there is no automatic guarantee that a given user ID is unique across a tree or a forest.
  3. Evaluate with testing to ensure that your authentication search strategies successfully authenticate users in your Microsoft Active Directory installation.
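
One way to test a lookup strategy before relying on it is to check an export of user entries for IDs that would match more than once in a forest-wide search. The following Python sketch is an added example, not IBM or WebSphere code; the input format (pairs of distinguished name and sAMAccountName), the function names, and the sample entries are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: (distinguishedName, sAMAccountName) pairs as they might
# be exported from each domain in a forest. All names are made up.
SAMPLE_ENTRIES = [
    ("CN=Sam Smith,CN=Users,DC=emea,DC=example,DC=com", "ssmith"),
    ("CN=Sue Smith,OU=Staff,DC=apac,DC=example,DC=com", "SSmith"),
    ("CN=Ann Lee,CN=Users,DC=emea,DC=example,DC=com", "alee"),
    ("CN=Smith\\, Stan,CN=Users,DC=example,DC=com", "ssmith"),
]

def split_dn(dn):
    """Split a DN on unescaped commas (a backslash escapes the next char)."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])   # keep the escaped pair together
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).strip())
    return parts

def domain_of(dn):
    """Return the DNS-style domain built from the DN's DC= components."""
    dcs = [p[3:] for p in split_dn(dn) if p.upper().startswith("DC=")]
    return ".".join(dcs).lower()

def ambiguous_ids(entries):
    """Map each user ID that matches more than one entry to its domains."""
    by_id = defaultdict(list)
    for dn, sam in entries:
        # Compare IDs case-insensitively, as Active Directory does.
        by_id[sam.lower()].append(domain_of(dn))
    return {uid: sorted(doms) for uid, doms in by_id.items() if len(doms) > 1}

def would_authenticate(entries, user_id):
    """A whole-registry search succeeds only when exactly one entry matches."""
    return sum(1 for _, sam in entries if sam.lower() == user_id.lower()) == 1

if __name__ == "__main__":
    for uid, domains in ambiguous_ids(SAMPLE_ENTRIES).items():
        print(f"{uid}: ambiguous across {', '.join(domains)}")
```

Any ID that this check reports needs a lookup strategy that narrows the search, because a search of the whole registry for that ID returns more than one match.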

Results

You will be in the position to authenticate users with LDAP registries in a Microsoft Active Directory forest.

What to do next

Avoid trouble: When you select any of these scenarios, consult appropriate Microsoft Active Directory information to completely understand any implications the scenarios might have on your configuration planning.


Last updated: Aug 30, 2013 10:47:11 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=pix&product=was-nd-iseries&topic=tsec_was_ad
File name: tsec_was_ad.html