Configuring authorization with LDAP
This topic describes how to configure a message flow to perform authorization on an identity using Lightweight Directory Access Protocol (LDAP).
Before you begin
Before you can configure a message flow to perform authorization, you need to check that an appropriate security profile exists, or create a new security profile. See Creating a security profile for LDAP.
About this task
- To resolve the username to an LDAP entry, the integration node needs to know the base distinguished name (Base DN) of the accepted login IDs. This is required to enable the integration node to differentiate between different entries with the same name.
- To get an entry list from a group name, the group name must be the distinguished name of the group, not just a common name. An LDAP search is made for the group, and the username is checked by finding an entry matching the distinguished name of the user.
- If your LDAP directory does not permit login by unrecognized IDs, and does not grant search access rights on the subtree, you must set up a separate authorized login ID that the integration node can use for the search. Use the mqsisetdbparms command to specify a username and password:
mqsisetdbparms <INodeName> -n ldap::<servername> -u username -p password
or
mqsisetdbparms <INodeName> -n ldap::LDAP -u username -p password
where <servername> is your base LDAP server name, for example ldap.mydomain.com.
If you specify ldap::LDAP, it creates a default setting for the integration node, which the integration node attempts to use if you have not explicitly used the mqsisetdbparms command to create a login ID for a specific <servername>. All servers that do not have an explicit ldap::servername entry then start using the credentials in the ldap::LDAP entry. This means that any servers that were previously using anonymous bind by default will start using the details in ldap::LDAP.
The username that you specify in the -u parameter must be recognized by the LDAP server as a complete user name. In most cases this means that you need to specify the full DN of the user. Alternatively, by specifying a username of anonymous, you can force the integration node to bind anonymously to this LDAP server. This might be useful if you have specified a non-anonymous bind as your default (ldap::LDAP). For example:
mqsisetdbparms <INodeName> -n ldap::<servername> -u anonymous -p password
In this case, the value specified for password is ignored.
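The two lookups described in the notes above (resolving a login ID to exactly one entry under the Base DN, then checking that entry's DN against a group that is named by its full DN) are illustrated here with an added, constructed in-memory directory; this is example code, not the integration node's own implementation, and the Base DN, group DN and entries are assumptions.

```python
from typing import Optional

BASE_DN = "ou=people,dc=example,dc=com"                 # assumed Base DN of accepted login IDs
GROUP_DN = "cn=flow-users,ou=groups,dc=example,dc=com"  # assumed group, given as a full DN

# Constructed stand-in for the LDAP server: DN -> attributes.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"uid": "alice"},
    "uid=alice,ou=contractors,dc=example,dc=com": {"uid": "alice"},  # same name, other subtree
    "uid=bob,ou=people,dc=example,dc=com": {"uid": "bob"},
    GROUP_DN: {"member": ["UID=Alice, OU=People, DC=example, DC=com"]},
}

def build_user_filter(username: str) -> str:
    """Build the (uid=...) search filter with the login ID escaped per RFC 4515,
    so metacharacters in the ID cannot widen the search."""
    escaped = "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in username)
    return "(uid=%s)" % escaped

def normalize_dn(dn: str) -> str:
    """Case-fold and trim each RDN so textual variants of one DN compare equal
    (simplified: does not handle escaped commas inside RDN values)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def resolve_user_dn(username: str, base_dn: str) -> Optional[str]:
    """Return the single entry under base_dn whose uid equals username; None if
    there is no match or the match is ambiguous (the Base DN is what disambiguates)."""
    base = normalize_dn(base_dn)
    hits = [dn for dn, attrs in DIRECTORY.items()
            if normalize_dn(dn).endswith("," + base) and attrs.get("uid") == username]
    return hits[0] if len(hits) == 1 else None

def is_member(user_dn: str, group_dn: str) -> bool:
    """True only if group_dn names an existing group whose member list contains
    user_dn; a bare common name is not a DN and therefore finds no group."""
    group = DIRECTORY.get(group_dn)
    if group is None:
        return False
    members = {normalize_dn(m) for m in group.get("member", [])}
    return normalize_dn(user_dn) in members

def authorize(username: str) -> bool:
    """Resolve the login ID under BASE_DN, then check membership of GROUP_DN."""
    user_dn = resolve_user_dn(username, BASE_DN)
    return user_dn is not None and is_member(user_dn, GROUP_DN)
```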
Steps for enabling LDAP authorization:
Procedure
- Switch to the Integration Development perspective.
- In the Application Development view, right-click the BAR file and then click Open with > BAR Editor.
- Click the Manage and Configure tab.
- Click the flow or node on which you want to set the security profile. The properties that you can configure for the message flow or for the node are displayed in the Properties view.
- In the Security Profile Name field, select a security profile that uses LDAP for authorization.
- Save the BAR file.
What to do next
For a SOAPInput node to use the identity in the WS-Security header (rather than an underlying transport identity) an appropriate policy set and bindings must also be defined and specified. For more information, see Policy sets.