Configure an LDAP or an LDAP/SDBM connection with the WebSphere Liberty
server.
About this task
LDAP registries contain records of users and groups. When you configure a WebSphere server
(either Liberty or full WAS) for LDAP authentication, you must specify queries that identify the records
that represent users and groups. Use the userFilter and
groupFilter attributes for this purpose: the userFilter attribute identifies only user records, and the
groupFilter attribute identifies only group records. For example:
- userFilter="(&(uid=%v)(objectclass=inetOrgPerson))"
- groupFilter="(&(cn=%v)(|(objectclass=groupOfNames)(objectclass=posixGroup)))"
If you use LDAP for user management and you enable the option for user management that is not
case sensitive, make sure that Jazz® Team Server
is also configured to allow user management that is not case sensitive. To configure the Jazz Team Server
login property, on the Advanced Properties page of the Administrative web interface, modify the
Use case insensitive user ID matching property.
Procedure
- Run the setup wizard and advance through the pages until you reach the Setup User
Registry page. For more information about the setup wizard, see Running the setup by using Custom setup in the setup wizard.
- In Step 1, under User Registry Type, select LDAP or LDAP/SDBM.
- In Step 2, complete the fields. See LDAP and LDAP/SDBM configuration parameters for
details.
- Click Save LDAP Config Files.
Tip: This operation modifies two files: ldapUserRegistry.xml and application.xml. You can
see the name and location of the generated XML files by clicking show details
in the message box.
- Go to JazzInstallDir/server/liberty/servers/clm and open the server.xml file for
editing. For LDAP/SDBM, replace the basicUserRegistry.xml file with the
generated ldapUserRegistry.xml file. Change the value of ignoreCase from false to true.
- Comment out <include location="conf/basicUserRegistry.xml"/> and
uncomment <!--include location="conf/ldapUserRegistry.xml"/--> to use the
LDAP user registry.
- Open JazzInstallDir/server/liberty/servers/clm/conf/ldapUserRegistry.xml for editing and examine the
ldapRegistry values to ensure that they match your organization's particular LDAP
configuration. By default, the ldapUserRegistry.xml file uses IBM Tivoli
Directory Server as the ldapType, with idsFilters:
<!-- Inside server.xml, the '&' that starts an LDAP AND filter is written as '&amp;' so that the file stays well-formed XML -->
<ldapRegistry
    id="sample_ldap" realm="SampleLdapIDSRealm" ignoreCase="true"
    host="localhost" port="389"
    baseDN="ou=people,dc=jazz,dc=net"
    ldapType="IBM Tivoli Directory Server">
    <idsFilters
        userFilter="(&amp;(uid=%v)(objectclass=inetOrgPerson))"
        groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfNames)(objectclass=posixGroup)))"
        userIdMap="*:uid"
        groupIdMap="*:cn"
        groupMemberIdMap="ibm-allGroups:member;ibm-allGroups:uniqueMember">
    </idsFilters>
    <ldapEntityType name="PersonAccount">
        <searchBase>DC=company,DC=com</searchBase>
    </ldapEntityType>
    <ldapEntityType name="Group">
        <searchBase>OU=Groups,OU=America,DC=company,DC=com</searchBase>
    </ldapEntityType>
</ldapRegistry>
You can also use the Microsoft Active Directory type. Here is an example of the Microsoft Active
Directory type with its default values (again with '&' escaped as '&amp;' for XML):
ldapType="Microsoft Active Directory"
<activedFilters userFilter="(&amp;(sAMAccountName=%v)(objectcategory=user))"
    groupFilter="(&amp;(cn=%v)(objectcategory=group))" userIdMap="user:sAMAccountName"
    groupIdMap="*:cn" groupMemberIdMap="memberof:member">
</activedFilters>
In this example, the userFilter query returns only users, and the
groupFilter query returns only groups.
- Save and close ldapUserRegistry.xml.
- Open JazzInstallDir/server/liberty/servers/clm/conf/application.xml and examine each WAR file's group name
to ensure that it matches your organization's group names. The applications that rely on container
authentication are jts.war, ccm.war,
qm.war, and am.war. Other applications delegate
authentication to Jazz Team Server.
- Restart the WebSphere Liberty server.
- Open a web browser window and go to
https://host.example.com:9443/jts/setup, where
host.example.com is the fully qualified host name for your
server.
- Test the connection by logging on to your server with a user ID that is in your external LDAP
registry.
Note: For the LDAP/SDBM settings, it is recommended that you select the check box next to
Compute and save additional LDAP queries based on these configuration values.
You can view and modify the computed settings at any time from the Admin
Configuration UI.
- Optional: Under the LDAP/SDBM configuration, continue with the following steps:
- Ignore the Test Connection warning. Click Save LDAP Config Files.
- Follow the message and click Next to save the LDAP settings.
- Restart the WebSphere Liberty server, as the message explains that you must restart
the server to connect it to the LDAP RACF user registry.
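As an added check before the restart (example code written for this page, not part of the product or of this procedure), the following Python validates a generated ldapUserRegistry.xml against the points above: the file is well-formed XML (the '&' of an AND filter must be written '&amp;'), ignoreCase is "true", and both filters carry the %v placeholder. It also renders the userFilter for a login ID with RFC 4515 escaping so the result can be pasted into an ldapsearch to confirm that it matches exactly one record; SAMPLE_REGISTRY is a constructed sample modelled on the IDS defaults.

```python
"""Check a generated ldapUserRegistry.xml before restarting Liberty: well-formed
XML ('&' in a filter must be '&amp;'), ignoreCase="true", %v in both filters,
plus an RFC 4515-escaped rendering of userFilter for pasting into ldapsearch."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the IDS defaults above; not the product's own file.
SAMPLE_REGISTRY = """<server>
<ldapRegistry id="sample_ldap" realm="SampleLdapIDSRealm" ignoreCase="true"
    host="localhost" port="389" baseDN="ou=people,dc=jazz,dc=net"
    ldapType="IBM Tivoli Directory Server">
  <idsFilters
    userFilter="(&amp;(uid=%v)(objectclass=inetOrgPerson))"
    groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfNames)(objectclass=posixGroup)))"
    userIdMap="*:uid" groupIdMap="*:cn"/>
</ldapRegistry>
</server>"""

# RFC 4515: characters that are special inside a search filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def load_filters(xml_text):
    """Return (ignoreCase is true, userFilter, groupFilter); raises ET.ParseError."""
    root = ET.fromstring(xml_text)
    reg = root if root.tag == "ldapRegistry" else root.find("ldapRegistry")
    # Liberty names the filter element after the directory type (idsFilters,
    # activedFilters, ...); any child whose tag ends in "Filters" is accepted here.
    filters = next((e for e in reg if e.tag.endswith("Filters")), None)
    get = filters.get if filters is not None else (lambda _k: None)
    return reg.get("ignoreCase") == "true", get("userFilter"), get("groupFilter")

def check_registry(xml_text):
    """Return a list of problems; an empty list means the checks pass."""
    try:
        ignore_case, user_filter, group_filter = load_filters(xml_text)
    except ET.ParseError as err:
        return [f"not well-formed XML ({err}); an unescaped '&' in a filter is the usual cause"]
    problems = [] if ignore_case else ['ignoreCase must be "true"']
    for name, flt in (("userFilter", user_filter), ("groupFilter", group_filter)):
        if not flt or "%v" not in flt:
            problems.append(f"{name} is missing or has no %v placeholder")
    return problems

def render_user_filter(xml_text, login_id):
    """userFilter with %v replaced by login_id, escaped per RFC 4515."""
    return load_filters(xml_text)[1].replace("%v", escape_filter_value(login_id))
```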
What to do next
Note: In a distributed environment, carry out steps 5 through 10 to configure the WebSphere Liberty
files on other servers.