Synchronizing with LDAP server

To synchronize Access Control with the LDAP server, synchronize the user IDs in Access Control with the LDAP server so that the users on the LDAP server also exist in Access Control. This is the first step in involving the LDAP server in authentication.

To enable the synchronizing function, first perform the following procedure.

  1. Configure connection to the LDAP server on the server side.

    In the following sample code, SecurityUserLDAPImpl is the engine that retrieves user information from the LDAP server. All the LDAP connection information is held in the LDAPConfig class, which is provided as sample code in Access Control. The attributes of the LDAPConfig class are explained in the table below. Note that rootUser and rootPassword are stored in clear text in this definition file, so restrict read access to the file and keep secureConnection enabled so that the bind credentials are not sent unprotected.

    <com.ibm.btt.bc.ac.dao.ldap.sample.SecurityUserLDAPImpl id="ldapUser"
            Instantiate="constructor">
        <arguments CreateParent="constructor">
            <com.ibm.btt.bc.ac.dao.ldap.sample.LDAPConfig
                    ldapProvider="com.sun.jndi.ldap.LdapCtxFactory" uidAttribute="uid"
                    referralsIgnore="ignore" rootUser="userName" rootPassword="password"
                    ldapUrl="ldap://ipAddress:port" secureConnection="true"
                    baseSearch="ou=people,dc=ibm,dc=com" searchSecurityLevel="none"
                    updateSecurityLevel="simple" urlContextPrefix="com.sun.jndi.url"
                    ArgumentType="com.ibm.btt.bc.ac.dao.ldap.sample.LDAPConfig">
                <list>
                    <string value="attributeName"/>
                </list>
            </com.ibm.btt.bc.ac.dao.ldap.sample.LDAPConfig>
        </arguments>
    </com.ibm.btt.bc.ac.dao.ldap.sample.SecurityUserLDAPImpl>
    Table 1. Attributes in the LDAPConfig class

    Attribute name        Description
    ldapProvider          The initial context factory class name used for LDAP
    uidAttribute          The name of the attribute that stores the information used to identify users
    referralsIgnore       How referrals returned by the server are processed
    rootUser              The name of the LDAP server root user
    rootPassword          The password of the LDAP server root user
    ldapUrl               The URL of the LDAP server
    secureConnection      Whether the secure connection is enabled
    baseSearch            The default base search value
    searchSecurityLevel   The security level used for LDAP search connections
    updateSecurityLevel   The security level used for updates
    urlContextPrefix      The package prefix used for loading URL context factories

  2. Add the corresponding configuration on the client side.

    In the following code, ISecurityUserDAO is the service connector definition that invokes the LDAP server query function on the server side. SynchronizeUser is passed into the admin UI and contains the Access Control persistence definition and the LDAP server definition. The diagram that follows the code illustrates the synchronizing process.

    <com.ibm.btt.rcp.workshop.synchronizeuser.SynchronizeUser id="synchronizeUser">
        <ref Injection="securityObject" refId="securityObjectManager" />
        <ref Injection="ldapUser" refId="ldapUser" />
    </com.ibm.btt.rcp.workshop.synchronizeuser.SynchronizeUser>

    <com.ibm.btt.rcp.workshop.synchronizeuser.ISecurityUserDAO
            id="ldapUser" Instantiate="factoryElement"
            FactoryClass="com.ibm.btt.remote.ServiceProxyFactory"
            serviceUrl="http://localhost:9080/BCAccessControlTestWeb/BTTRemoteConnector"
            serviceId="ldapUser">
    </com.ibm.btt.rcp.workshop.synchronizeuser.ISecurityUserDAO>

    Figure: The synchronizing process.

Now, you can perform this function by clicking a button in the admin UI. The following figure illustrates how to synchronize the user information with the Synchronize User Information window.

Figure: The Synchronize User Information window.

Provide the required information in the Search Info group, such as the attribute name and attribute value. Specify where the search starts in the Base Search field. Select one condition from the condition list: >, ~=, >=, <=, or !=.

Click Quick Search; the LDAP entries that match the search conditions are listed in the table. The attribute value specified by the user is displayed in the uid field, and the corresponding attribute information is displayed in the Description field.

Select the user or users that you want to import into the Access Control persistence, and click Synchronize to perform the synchronization with the Access Control persistence.
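The attribute name, condition and value from the Search Info group end up in an LDAP search filter on the server side. The following is an added example, not the toolkit's own code, of how such a filter can be built so that a typed value cannot change the structure of the query; the class name SearchFilterBuilder is assumed, and plain "=" is included alongside the conditions listed above.

```java
import java.util.Set;

// Added example, not the toolkit's own code: builds the LDAP search filter for
// the attribute name, condition and value entered in the Search Info group so
// that a typed value cannot change the structure of the query sent to the server.
public class SearchFilterBuilder {

    // Conditions offered by the Synchronize User Information window, plus "=".
    private static final Set<String> CONDITIONS = Set.of("=", ">", "~=", ">=", "<=", "!=");

    // Escape a value for use inside a filter (RFC 4515 section 3).
    public static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // LDAP filters have no ">" or "!=" operator, so those are expressed with
    // ">=" / "=" and the NOT filter. The attribute name is accepted only if it
    // is a plain attribute description such as uid or mail.
    public static String buildFilter(String attribute, String condition, String value) {
        if (!attribute.matches("[A-Za-z][A-Za-z0-9-]*")) {
            throw new IllegalArgumentException("bad attribute name: " + attribute);
        }
        if (!CONDITIONS.contains(condition)) {
            throw new IllegalArgumentException("unsupported condition: " + condition);
        }
        String v = escapeFilterValue(value);
        switch (condition) {
            case "!=": return "(!(" + attribute + "=" + v + "))";
            case ">":  return "(&(" + attribute + ">=" + v + ")(!(" + attribute + "=" + v + ")))";
            default:   return "(" + attribute + condition + v + ")";
        }
    }

    public static void main(String[] args) {
        // Metacharacters in the typed value are escaped rather than interpreted.
        System.out.println(buildFilter("uid", "=", "j*doe(1)"));
        System.out.println(buildFilter("uid", ">=", "m"));
    }
}
```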