You can configure one or more Lightweight Directory Access Protocol (LDAP) servers with the Liberty profile for authentication.
You can use an existing LDAP server for application authentication on the Liberty profile. To do this, enable the appSecurity-2.0 and ldapRegistry-3.0 features in the server.xml file and add an <ldapRegistry> element to server.xml that holds the configuration information for connecting to the LDAP server.
For SSL communication with an LDAP server to succeed, the signer certificate for the LDAP server (the CA certificate that issued the LDAP server's certificate, or the server certificate itself if it is self-signed) must be added to the truststore of the SSL configuration that is referenced by the sslRef attribute of the <ldapRegistry> element. In the following examples, the signer certificate must be added to LdapSSLTrustStore.jks; without it, certificate validation fails and the registry cannot connect.
If you do not want SSL for the LDAP server, remove all SSL and keystore-related lines from the following examples. Be aware that without SSL the bind password and the user credentials that Liberty sends to the directory for authentication cross the network in clear text, so SSL should be used for any deployment outside a test environment.
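<!-- IBM Tivoli Directory Server registry over SSL.
     sslEnabled="true" makes the registry use the SSL configuration named by
     sslRef; the LDAP server's signer (CA) certificate must be present in that
     configuration's truststore (LdapSSLTrustStore.jks below) or the
     connection fails. NOTE(review): 389 is the conventional plaintext LDAP
     port and an LDAPS listener is usually on 636; confirm the port against
     the directory server. No bindDN/bindPassword is given, so directory
     searches are presumably made as an anonymous bind; confirm the server
     permits that. -->
<ldapRegistry id="ldap" realm="SampleLdapIDSRealm"
    host="ldapserver.mycity.mycompany.com" port="389" ignoreCase="true"
    baseDN="o=mycompany,c=us"
    ldapType="IBM Tivoli Directory Server"
    sslEnabled="true"
    sslRef="LDAPSSLSettings">
    <!-- The filters are XML attribute values: the LDAP "&" operator must be
         written as &amp; or server.xml is not well-formed. Each filter is
         kept on a single line because a line break inside an attribute value
         becomes a space in the filter string. %v is replaced with the name
         being looked up. -->
    <idsFilters
        userFilter="(&amp;(uid=%v)(objectclass=ePerson))"
        groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))"
        userIdMap="*:uid"
        groupIdMap="*:cn"
        groupMemberIdMap="mycompany-allGroups:member;mycompany-allGroups:uniqueMember;groupOfNames:member;groupOfUniqueNames:uniqueMember" />
</ldapRegistry>
<!-- NOTE(review): sslDefault appears to make LDAPSSLSettings the server-wide
     default SSL configuration, which would also make LDAPKeyStore the default
     keystore for any other SSL endpoint that does not name its own. If only
     the LDAP registry should use these stores, omit this line; confirm
     against the Liberty reference. -->
<sslDefault sslRef="LDAPSSLSettings" />
<ssl id="LDAPSSLSettings" keyStoreRef="LDAPKeyStore" trustStoreRef="LDAPTrustStore" />
<!-- The {xor} keystore passwords are reversible obfuscation, not encryption:
     restrict read access to server.xml and to the .jks files themselves. -->
<keyStore id="LDAPKeyStore" location="${server.config.dir}/LdapSSLKeyStore.jks"
    type="JKS" password="{xor}CDo9Hgw=" />
<keyStore id="LDAPTrustStore" location="${server.config.dir}/LdapSSLTrustStore.jks"
    type="JKS" password="{xor}CDo9Hgw=" />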
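<!-- Microsoft Active Directory registry over SSL. A bind identity is supplied
     for the directory search; use a least-privilege, read-only account for
     it, never a domain administrator.
     bindPassword is shown in clear text for illustration only: encode it with
     securityUtility encode (described below the example) and remember that
     the resulting {xor} value is reversible obfuscation, not encryption, so
     server.xml itself must be protected.
     NOTE(review): 389 is the conventional plaintext LDAP port; LDAPS is
     usually on 636, confirm. If this example and the IDS example above are
     placed in one server.xml, both use id="ldap" and the same ssl/keyStore
     ids; give them distinct ids (same-id elements are presumably merged). -->
<ldapRegistry id="ldap" realm="SampleLdapADRealm"
    host="ldapserver.mycity.mycompany.com" port="389" ignoreCase="true"
    baseDN="cn=users,dc=adtest,dc=mycity,dc=mycompany,dc=com"
    bindDN="cn=testuser,cn=users,dc=adtest,dc=mycity,dc=mycompany,dc=com"
    bindPassword="testuserpwd"
    ldapType="Microsoft Active Directory"
    sslEnabled="true"
    sslRef="LDAPSSLSettings">
    <!-- Each attribute appears exactly once (an XML element may not carry
         duplicate attributes) and "&" is written as &amp;. %v is replaced
         with the name being looked up. -->
    <activedFilters
        userFilter="(&amp;(sAMAccountName=%v)(objectcategory=user))"
        groupFilter="(&amp;(cn=%v)(objectcategory=group))"
        userIdMap="user:sAMAccountName"
        groupIdMap="*:cn"
        groupMemberIdMap="memberOf:member" />
</ldapRegistry>
<!-- NOTE(review): sslDefault appears to make LDAPSSLSettings the server-wide
     default SSL configuration (and LDAPKeyStore the default keystore); omit it
     if only the LDAP registry should use these stores. Confirm. -->
<sslDefault sslRef="LDAPSSLSettings" />
<ssl id="LDAPSSLSettings" keyStoreRef="LDAPKeyStore" trustStoreRef="LDAPTrustStore" />
<!-- {xor} keystore passwords are reversible obfuscation, not encryption. -->
<keyStore id="LDAPKeyStore" location="${server.config.dir}/LdapSSLKeyStore.jks"
    type="JKS" password="{xor}CDo9Hgw=" />
<keyStore id="LDAPTrustStore" location="${server.config.dir}/LdapSSLTrustStore.jks"
    type="JKS" password="{xor}CDo9Hgw=" />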
If you use the WebSphere Application Server Developer Tools for Eclipse, the bindPassword value is encoded for you automatically. If you edit the server.xml file directly, use the securityUtility encode command to encode the bindPassword value. The securityUtility command-line tool is in the $INSTALL_ROOT/bin directory. When you run securityUtility encode, you can either pass the password as a command-line argument or, if no argument is given, let the tool prompt you for it; prefer the prompt, because a password passed as an argument can be exposed in shell history and process listings. The tool prints the encoded value; copy that value into the bindPassword attribute. Note that the resulting {xor} value is reversible obfuscation, not encryption: it keeps the password out of casual view, but anyone who can read server.xml can recover it, so restrict the file permissions on server.xml accordingly.
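<!-- IBM Tivoli Directory Server registry using certificate map mode.
     certificateMapMode="CERTIFICATE_FILTER" identifies the user from the
     presented client certificate by substituting its Subject CN into
     certificateFilter, i.e. the entry whose uid equals the certificate CN.
     Security notes: any certificate that chains to a CA in the server's
     truststore and whose CN equals a uid authenticates as that user, so keep
     the truststore limited to the issuing CA(s) you control, and make sure
     the filter resolves to exactly one entry.
     No bindDN/bindPassword is given, so directory searches are presumably an
     anonymous bind; sslEnabled is not set, so traffic on 389 is presumably
     plaintext (confirm both). searchTimeout="8m" lets a slow or unresponsive
     directory hold a request thread for up to eight minutes; consider a
     shorter value. -->
<ldapRegistry id="LDAP" realm="SampleLdapIDSRealm"
    host="myldap.ibm.com" port="389" ignoreCase="true"
    baseDN="o=ibm,c=us"
    ldapType="IBM Tivoli Directory Server" searchTimeout="8m"
    certificateMapMode="CERTIFICATE_FILTER"
    certificateFilter="uid=${SubjectCN}">
    <!-- "&" in the LDAP filters must be written as &amp; in XML; each filter
         stays on one line so no whitespace is injected into it. -->
    <idsFilters
        userFilter="(&amp;(uid=%v)(objectclass=ePerson))"
        groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))"
        userIdMap="*:uid"
        groupIdMap="*:cn"
        groupMemberIdMap="ibm-allGroups:member;ibm-allGroups:uniqueMember;groupOfNames:member;groupOfUniqueNames:uniqueMember" />
</ldapRegistry>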
For more information about certificate
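map mode in the Liberty profile, see Liberty profile: LDAP certificate map mode.

<!-- Failover: host/port name the primary server; when it is unreachable the
     servers in the failoverServers groups are tried (presumably in group
     order, then server order; confirm). Every listed server must hold the
     same directory data, and if SSL were enabled each would need to be
     trusted by the same truststore. sslEnabled is not set here, so these 389
     connections are presumably plaintext, and with no bindDN the searches are
     presumably anonymous binds. The filters are shared through
     idsFilters="ibm_dir_server", which references the
     idsLdapFilterProperties element that follows. -->
<ldapRegistry id="LDAP" realm="SampleLdapIDSRealm"
    host="ldapserver1.mycity.mycompany.com" port="389" ignoreCase="true"
    baseDN="o=ibm,c=us" ldapType="IBM Tivoli Directory Server" idsFilters="ibm_dir_server">
    <failoverServers name="failoverLdapServersGroup1">
        <server host="ldapserver2.mycity.mycompany.com" port="389" />
        <server host="ldapserver3.mycity.mycompany.com" port="389" />
    </failoverServers>
    <failoverServers name="failoverLdapServersGroup2">
        <server host="ldapserver4.mycity.mycompany.com" port="389" />
    </failoverServers>
</ldapRegistry>
<!-- Shared filter definition. "&" must be written as &amp; in XML, and each
     filter is kept on one line so no whitespace is injected into it. -->
<idsLdapFilterProperties id="ibm_dir_server"
    userFilter="(&amp;(uid=%v)(objectclass=ePerson))"
    groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))"
    userIdMap="*:uid" groupIdMap="*:cn"
    groupMemberIdMap="ibm-allGroups:member;ibm-allGroups:uniqueMember;groupOfNames:member;groupOfUniqueNames:uniqueMember" />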
For more information about the ldapRegistry and failoverServers elements, see Liberty profile: Configuration elements in the server.xml file.
<!-- Two independent registries: an IBM Tivoli Directory Server and an
     Active Directory. Ports 123 and 456 are placeholders; substitute the
     real listener ports. Neither sets sslEnabled, so both connections are
     presumably plaintext (confirm). -->
<ldapRegistry
    host="ldapserver1.mycity1.mycompany.com"
    port="123"
    baseDN="o=mycompany,c=us"
    ldapType="IBM Tivoli Directory Server" />
<!-- The AD registry binds with an explicit identity. The password is in the
     securityUtility {xor} form, which is reversible obfuscation rather than
     encryption, so protect server.xml itself and use a least-privilege,
     read-only bind account. -->
<ldapRegistry
    host="ldapserver2.mycity2.mycompany.com"
    port="456"
    baseDN="cn=users,dc=secfvt2,dc=mycity2,dc=mycompany,dc=com"
    ldapType="Microsoft Active Directory"
    bindDN="cn=testuser,cn=users,dc=secfvt2,dc=mycity2,dc=mycompany,dc=com"
    bindPassword="{xor}KzosKyosOi0vKDs=" />
<!-- Federated repository: both registries are exposed as one realm. The first
     registry carries name="o=mybaseentry", the identifier that the first
     participatingBaseEntry below refers to; the second is referenced by its
     baseDN. Ports 123 and 456 are placeholders. Neither registry sets
     sslEnabled, so both connections are presumably plaintext (confirm). -->
<ldapRegistry
    host="ldapserver1.mycity1.mycompany.com"
    port="123"
    baseDN="o=mycompany,ou=myou,c=us"
    ldapType="IBM Tivoli Directory Server"
    name="o=mybaseentry" />
<!-- {xor} bind password: reversible obfuscation, not encryption. -->
<ldapRegistry
    host="ldapserver2.mycity2.mycompany.com"
    port="456"
    baseDN="cn=users,dc=secfvt2,dc=mycity2,dc=mycompany,dc=com"
    ldapType="Microsoft Active Directory"
    bindDN="cn=testuser,cn=users,dc=secfvt2,dc=mycity2,dc=mycompany,dc=com"
    bindPassword="{xor}KzosKyosOi0vKDs=" />
<federatedRepository>
    <!-- NOTE(review): allowOpIfRepoDown="true" presumably lets operations
         continue against the remaining repositories when one is unreachable
         instead of failing. A user homed in the unreachable repository cannot
         authenticate, but group lookups for other users may then silently miss
         memberships held there; choose "false" (fail closed) if authorization
         depends on groups from every repository. Behaviour inferred from the
         attribute name; confirm in the Liberty reference. -->
    <primaryRealm name="RealmName" delimiter="@" allowOpIfRepoDown="true">
        <participatingBaseEntry name="o=mybaseentry" />
        <participatingBaseEntry name="cn=users,dc=secfvt2,dc=mycity2,dc=mycompany,dc=com" />
        <!-- Property mappings: which repository property supplies each
             identity value (unique id, security name, display name) for
             users and groups. -->
        <uniqueUserIdMapping inputProperty="uniqueName" outputProperty="uniqueName" />
        <userSecurityNameMapping inputProperty="principalName" outputProperty="principalName" />
        <userDisplayNameMapping inputProperty="principalName" outputProperty="principalName" />
        <uniqueGroupIdMapping inputProperty="uniqueName" outputProperty="uniqueName" />
        <groupSecurityNameMapping inputProperty="cn" outputProperty="cn" />
        <groupDisplayNameMapping inputProperty="cn" outputProperty="cn" />
    </primaryRealm>
</federatedRepository>
For more information about the federated ldapRegistry elements, see Liberty profile: Configuration elements in the server.xml file.
<!-- IBM Tivoli Directory Server registry with connection pooling and caching.
     bindPassword is shown in clear text for illustration only; encode it with
     securityUtility encode and use a least-privilege, read-only bind account.
     sslEnabled is not set, so the 389 connection is presumably plaintext.
     searchTimeout="8m" lets an unresponsive directory hold a request thread
     for up to eight minutes. -->
<ldapRegistry
    id="IBMDirectoryServerLDAP"
    realm="SampleLdapIDSRealm"
    host="host.domain.com"
    port="389"
    ignoreCase="true"
    baseDN="o=domain,c=us"
    bindDN="cn=testuser,o=domain,c=us"
    bindPassword="mypassword"
    ldapType="IBM Tivoli Directory Server"
    searchTimeout="8m">
    <!-- Context pool: NOTE(review): maxSize="0" and timeout="0s" presumably
         mean "no upper bound" and "never expire"; confirm, since an unbounded
         pool can exhaust directory connections under load. -->
    <contextPool
        enabled="true"
        initialSize="1"
        maxSize="0"
        timeout="0s"
        waitTime="3000ms"
        preferredSize="3" />
    <!-- Caches: attributes are kept for up to 1200s and search results for
         up to 600s, so a user disabled or removed from a group in LDAP may
         still be seen with the old attributes or memberships until the
         entry expires. Shorten the timeouts if revocation must take effect
         faster than that. -->
    <ldapCache>
        <attributesCache
            enabled="true"
            size="4000"
            sizeLimit="2000"
            timeout="1200s" />
        <searchResultsCache
            enabled="true"
            size="2000"
            resultsSizeLimit="1000"
            timeout="600s" />
    </ldapCache>
</ldapRegistry>
com.ibm.ws.wim.*=all:com.ibm.websphere.wim.*=all