Configuring LDAP for user authentication

You can configure messaging users and groups by using an LDAP server. You can configure the LDAP server either by using the Amlen WebUI, or by using REST Administration APIs.

Messaging users send and receive messages. Messaging users are used in connection policies, messaging policies, and security policies when you filter access by user ID. Messaging groups are collections of messaging users. Messaging groups are also used in connection policies, messaging policies, and security policies when you filter access by group name. For more information about messaging users and groups, see Messaging users and groups.

If you have an existing LDAP server of users and groups, you can use that server to provide the messaging user and group information. Only one LDAP server can be configured for your messaging users and groups.

You might need to add a DNS entry so that the IP address of the LDAP server can be resolved. Eclipse Amlen supports the following external LDAP servers: openLDAP, IBM Security Directory Server, and Microsoft Active Directory.

When you configure an LDAP server, you can specify the following components:
  • URL
    The URL to connect to the LDAP server.
    The URL must start with ldap:// or ldaps://.
    If you use ldaps://, and Check Server Certificate is set to Use messaging server trust store, you must upload a server certificate to allow verification of the LDAP server connection.
  • Maximum connections
    The maximum number of concurrent connections that can be made to the LDAP server.
    This value must be in the range 1-100.
    The default value is 10.
  • Base DN
    The base distinguished name of the directory service.
    The base DN is the root of the tree that is searched for users and groups. For example, for a user with a DN of cn=user, ou=location, o=company, c=country you can specify the base DN as one of the following strings:
    • ou=location, o=company, c=country
    • o=company, c=country
    • c=country
    The base DN is case-sensitive.
  • Bind DN
    The distinguished name to use when you bind to LDAP.
  • Bind password
    The password to use when you bind to LDAP.
    The password cannot contain a double quotation mark (").
  • Ignore case
    Whether to ignore case during an LDAP search.
  • User suffix
    The distinguished name that is the suffix of the user distinguished name.
    For example, for a user DN of cn=user, ou=users, ou=location, o=company, c=country, the user suffix is ou=users, ou=location, o=company, c=country.
    If the user suffix is not specified, Eclipse Amlen searches for the user DN. The user ID map is used as part of this search.
  • Group suffix
    The distinguished name that is the suffix of the group distinguished name.
    For example, for a group DN of cn=Developer, ou=groups, ou=location, o=company, c=country, the group suffix is ou=groups, ou=location, o=company, c=country.
  • User ID map
    The LDAP filter that maps the short name of a user to an LDAP entry.
    For example, to look up entries of object class inetOrgPerson by user ID, specify inetOrgPerson:uid.
  • Group ID map
    The LDAP filter that maps the short name of a group to an LDAP entry.
    For example, to show groups by name, specify *:cn. The asterisk (*) is a wildcard character that searches on any object class.
  • Group member ID map
    The LDAP filter that identifies user-to-group relationships.
    For example, for IBM® Directory, the value is ibm-allGroup:member.
  • Timeout
    The timeout for LDAP calls, in seconds.
    This value must be in the range 1-60.
    The default value is 10.
  • Enable cache
    Whether credentials are cached.
    The default value is True.
  • Cache Timeout
    The time to live of the authentication token, in seconds. After a user is authenticated, an authentication token is created for each user. This token is cached. If the cached token is not expired, then this token is used for authentication. If the cached token is expired, the user is authenticated against the configured LDAP server.
    This value must be in the range 1-60.
    The default value is 10.
  • Group Cache Timeout
    The group cache time to live, in seconds.
    This value must be in the range 1-86400.
    The default value is 300.
  • Nested Group Search
    Whether to use nested group searching to find the group membership of a user.
    The default value is False.
  • Certificate
    The certificate that is used to verify the LDAP server, if the LDAP URL uses TLS.
    When you create an LDAP server connection by using the Amlen WebUI, you can upload and specify the certificate in the Edit LDAP Connection pane.
    The certificate must be a pem format certificate. The certificate is renamed to ldap.pem after it is uploaded.
    If you change the LDAP certificate, the new LDAP settings will be used the next time a client or connection is authenticated or authorized.
    When you configure an LDAP server connection by using REST Administration APIs, you must import the certificate before you create the connection. For more information about importing the certificate, see Importing and applying a certificate for an LDAP connection by using REST Administration APIs.
  • Check Server Certificate
    Available in version 5.0.0.2 and later releases. Possible options are as follows:
    • Use messaging server trust store
      When connecting to the LDAP server, the certificate that is presented by the server is checked using the certificate that is uploaded to the product trust store.
    • Use public trust store
      The certificate that is presented by the LDAP server is checked against the public certificates that are installed as part of the operating system.
    • Disable certificate verification
      No certificate verification is performed when connecting to the LDAP server. This is an insecure option that is designed for testing purposes only.
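The following added example (not code from Eclipse Amlen or its REST API) checks a constructed LDAP configuration against the constraints listed above and shows how a `<objectClass>:<attribute>` ID map such as `inetOrgPerson:uid` or `*:cn` becomes an LDAP search filter for one short name. The configuration key names and all values are assumptions for illustration, not the product's own property names.

```python
from urllib.parse import urlsplit

# Constructed configuration with hypothetical key names and values (not a real deployment).
LDAP_CONFIG = {
    "URL": "ldaps://ldap.example.com:636",
    "MaxConnections": 10,
    "BaseDN": "o=company,c=country",
    "BindDN": "cn=amlen-bind,o=company,c=country",
    "BindPassword": "s3cret",
    "UserIdMap": "inetOrgPerson:uid",
    "GroupIdMap": "*:cn",
    "Timeout": 10,
    "CacheTimeout": 10,
    "GroupCacheTimeout": 300,
    "CheckServerCertificate": "Use messaging server trust store",
    "Certificate": "ldap.pem",
}

# Documented value ranges for the numeric components.
RANGES = {"MaxConnections": (1, 100), "Timeout": (1, 60),
          "CacheTimeout": (1, 60), "GroupCacheTimeout": (1, 86400)}

def validate(cfg):
    """Return a list of problems; an empty list means every documented constraint holds."""
    problems = []
    scheme = urlsplit(cfg.get("URL", "")).scheme
    if scheme not in ("ldap", "ldaps"):
        problems.append("URL must start with ldap:// or ldaps://")
    check = cfg.get("CheckServerCertificate")
    if scheme == "ldaps" and check == "Use messaging server trust store" and not cfg.get("Certificate"):
        problems.append("ldaps:// with the messaging server trust store needs an uploaded certificate")
    if check == "Disable certificate verification":
        problems.append("certificate verification disabled: insecure, testing only")
    if '"' in cfg.get("BindPassword", ""):
        problems.append("BindPassword cannot contain a double quotation mark")
    for key, (lo, hi) in RANGES.items():
        value = cfg.get(key)
        if value is not None and not lo <= value <= hi:
            problems.append(f"{key}={value} is outside the range {lo}-{hi}")
    return problems

def escape_filter(value):
    """RFC 4515 escaping so a short name taken from a client cannot alter the filter structure."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)

def id_map_filter(id_map, short_name):
    """Turn an '<objectClass>:<attribute>' ID map into a search filter for one short name."""
    object_class, attribute = id_map.split(":", 1)
    match = f"({attribute}={escape_filter(short_name)})"
    if object_class == "*":          # wildcard: any object class
        return match
    return f"(&(objectClass={object_class}){match})"
```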

If you are updating an LDAP certificate in a High Availability (HA) environment, you must upload the new certificate on the primary server and then replicate this certificate on the standby server.

For more information about how to update certificates in an HA environment, see Updating a certificate for an LDAP connection in a High Availability environment by using REST Administration APIs.

For more information about configuring an LDAP server connection by using the Amlen WebUI, see Configuring an LDAP server by using the Amlen WebUI.

For more information about configuring an LDAP server connection by using REST Administration APIs, see Configuring an LDAP server by using REST Administration APIs.