You can optionally use a Lightweight Directory Access Protocol (LDAP) directory to authenticate users with your IBM® WebSphere® DataPower® XC10 Appliance.
You must be assigned the Appliance administration permission to perform these steps.
Using an LDAP server to authenticate users is optional. If you choose to use an external LDAP server, then you must match all of your IBM WebSphere DataPower XC10 Appliance users with the users in the specified LDAP directory. The user name attribute is used to authenticate the IBM WebSphere DataPower XC10 Appliance users with the LDAP directory. Users that are not in the LDAP directory cannot be authenticated except for the primary appliance administrator.
You can set up your LDAP to use the secure port. The secure sockets layer (SSL) certificate of the LDAP server must be issued by a publicly trusted certificate authority (CA), which is already in the <JAVA_HOME>/jre/lib/security/cacerts file. WebSphere DataPower XC10 Appliance does not support using self-signed certificates.
When LDAP authentication is configured, you can only add LDAP groups to the collective. Access and permissions can be granted to specified groups.
When LDAP authentication is configured, you cannot use the administrative console for the appliance or appliance programming interfaces to add or delete members of a group. Group membership is managed with your LDAP directory administration tools.
For IBM WebSphere DataPower XC10 Appliance releases before V2.5, only those users specifically added to the collective are granted permissions and accesses. Support for generalized LDAP access is added in V2.5. For releases before V2.5, the appliance imports group memberships from LDAP when the group is added to the collective. The group is then maintained on the appliance, and the membership might diverge from what was stored in LDAP. Beginning with V2.5, if LDAP authentication is configured, group memberships are always resolved by querying the LDAP server.
Migration considerations: In a collective that includes V2.5 along with appliances that run earlier firmware versions, users that are in LDAP but not stored on the appliance collective cannot access restricted resources on the devices with the older firmware. Therefore, clients can only use the user IDs that are added to the appliance collective until all devices are upgraded.
When a collective includes members that are running firmware versions older than V2.5, it is possible that the group memberships stored on the older appliances have diverged from what is stored in LDAP. These inconsistencies might cause problems. For example, if a user ID is in a group that is stored on an older appliance and permissions and access are associated with that group, but the group does not exist in LDAP or the group membership stored on the appliance differs from what is in LDAP, then that user ID might not be able to access restricted resources on the new appliance. This behavior occurs because the V2.5 appliance checks LDAP directly, not any local copy of the group membership. When you migrate, ensure that any user IDs that are used to access appliance data have the necessary permissions and access associated with the individual user ID. Also verify that those user IDs represent members of the LDAP groups that have the required authorizations.
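The following is an added example, not IBM code, of the pre-upgrade check this section recommends: it compares the group membership cached on a pre-V2.5 appliance with the membership the LDAP directory resolves today and lists the user IDs that would lose access once a V2.5 appliance queries LDAP directly. The group, user and permission names are constructed sample data, not exported from an appliance or a directory.

```python
# Compare permissions a user ID holds through group membership cached on a
# pre-V2.5 appliance with what a V2.5 appliance derives by querying LDAP
# directly. All data below is constructed sample data.

# Group memberships as cached on an older appliance when each group was added
APPLIANCE_GROUPS = {
    "cn=grid-admins": {"alice", "bob"},
    "cn=grid-readers": {"carol", "dave"},
    "cn=legacy-ops": {"erin"},  # group has since been deleted from LDAP
}

# The same groups as the LDAP directory resolves them today (constructed)
LDAP_GROUPS = {
    "cn=grid-admins": {"alice"},  # bob was removed in LDAP, not on the appliance
    "cn=grid-readers": {"carol", "dave", "frank"},
}

# Permissions granted to each group in the collective (constructed names)
GROUP_PERMISSIONS = {
    "cn=grid-admins": {"appliance-admin", "data-cache-access"},
    "cn=grid-readers": {"data-cache-access"},
    "cn=legacy-ops": {"data-cache-access"},
}

# Permissions granted directly to individual user IDs (constructed)
USER_PERMISSIONS = {"carol": {"monitoring"}}


def effective_permissions(groups, group_perms, user_perms):
    """Map each user ID to the union of its direct and group permissions."""
    result = {u: set(p) for u, p in user_perms.items()}
    for group, members in groups.items():
        for user in members:
            result.setdefault(user, set()).update(group_perms.get(group, set()))
    return result


def migration_gaps(appliance_groups, ldap_groups, group_perms, user_perms):
    """Return {user_id: permissions} held only through the cached appliance
    groups, i.e. access that disappears once LDAP is queried directly."""
    before = effective_permissions(appliance_groups, group_perms, user_perms)
    after = effective_permissions(ldap_groups, group_perms, user_perms)
    return {u: lost for u, p in before.items()
            if (lost := p - after.get(u, set()))}


if __name__ == "__main__":
    gaps = migration_gaps(APPLIANCE_GROUPS, LDAP_GROUPS, GROUP_PERMISSIONS, USER_PERMISSIONS)
    for user, lost in sorted(gaps.items()):
        print(f"{user}: loses {sorted(lost)}; grant directly or repair the LDAP group")
```

A user ID reported here needs either a direct permission grant or a corrected LDAP group membership before the collective is upgraded.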