Before you begin
Before you can configure a message flow to perform identity
authentication using LDAP, you need to check that an appropriate security
profile exists, or create a new security profile. See Creating a security profile for LDAP.
About this task
To authenticate the identity of a user or system, the
integration node attempts to connect to the LDAP server using the
username and password associated with the identity. To do this, the
integration node needs the following information:
- To resolve the username to an LDAP entry, the integration node
needs to know the base distinguished name (base DN) of the accepted
login IDs. This is required to enable the integration node to differentiate
between different entries with the same name.
- If the identities do not all have a common base DN,
but can be uniquely resolved from a subtree, the DN can be specified
in the integration node configuration. When a subtree search has been
specified, the integration node must first connect to the LDAP server
and search for the given username in order to obtain the full username
distinguished name (DN) to be used for authentication. If your LDAP
directory does not permit login of unrecognized IDs, and does not
grant search access rights on the subtree, you must set up a separate
authorized login ID that the integration node can use for the search.
Use the mqsisetdbparms command
to specify a username and password. For example:
mqsisetdbparms -n ldap::LDAP -u username -p password
or
mqsisetdbparms -n ldap::<servername> -u username -p password
where <servername> is your base LDAP server name, for example, ldap.mydomain.com.
If you specify ldap::LDAP, it creates a default setting for the integration node, which the integration node attempts to use if you have not explicitly used the mqsisetdbparms command to create a login ID for a specific <servername>. All servers that do not have an explicit ldap::servername entry then start using the credentials in the ldap::LDAP entry. This means that any servers that were previously using anonymous bind by default will start using the details in ldap::LDAP.
The username that you specify in the -u parameter must be recognized by the LDAP server as a complete user name. In most cases, this means that you need to specify the full DN of the user. Alternatively, by specifying the username anonymous, you can force the integration node to bind anonymously to this LDAP server. This might be useful if you have specified a non-anonymous bind as your default (ldap::LDAP). For example:
mqsisetdbparms -n ldap::<servername> -u anonymous -p password
In this case, the value specified for password is ignored.
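The two mechanisms described above, the credential fallback from ldap::<servername> to ldap::LDAP to anonymous bind, and the search-then-bind sequence used when identities must be resolved from a subtree, are modelled in the following added example. It is not IBM Integration Bus code: the credential store, the in-memory directory, the DNs and the passwords are all constructed for illustration, and the directory deliberately refuses anonymous subtree searches so that the effect of a missing or anonymous search login ID is visible.

```python
"""Model of the LDAP bind choices described on this page (added example).

Constructed stand-ins, not the integration node's real behaviour or data:
- DBPARMS imitates the entries written by mqsisetdbparms -n ldap::...
- ToyDirectory imitates an LDAP server that rejects unknown IDs and does
  not grant search rights to anonymous binds.
"""
from typing import Dict, Optional, Tuple

# Constructed credential store keyed like the -n resource names on the page.
DBPARMS: Dict[str, Tuple[str, str]] = {
    "ldap::LDAP": ("cn=ibsearch,ou=service,dc=example,dc=com", "s3cret"),
    "ldap::ldap2.example.com": ("anonymous", "ignored"),
}

ANONYMOUS = ("", "")  # empty DN and password: anonymous bind


def resolve_bind_credentials(server: str, dbparms: Dict[str, Tuple[str, str]] = DBPARMS) -> Tuple[str, str]:
    """Pick the credentials used for the subtree search against `server`.

    Precedence as the page describes it: an explicit ldap::<servername>
    entry wins; otherwise the ldap::LDAP default applies; with neither the
    node binds anonymously. The username 'anonymous' forces an anonymous
    bind and the stored password is ignored.
    """
    entry = dbparms.get(f"ldap::{server}") or dbparms.get("ldap::LDAP")
    if entry is None or entry[0].lower() == "anonymous":
        return ANONYMOUS
    return entry


class ToyDirectory:
    """In-memory directory (constructed): maps full DN -> password."""

    def __init__(self, entries: Dict[str, str], allow_anonymous_search: bool = False):
        self.entries = entries
        self.allow_anonymous_search = allow_anonymous_search

    def bind(self, dn: str, password: str) -> bool:
        if dn == "":
            return True  # anonymous bind is always accepted by this directory
        if password == "":
            return False  # never treat an unauthenticated (empty-password) bind as success
        return self.entries.get(dn) == password

    def search_subtree(self, bound_dn: str, base_dn: str, uid: str) -> Optional[str]:
        """Return the DN whose uid matches anywhere under base_dn, or None."""
        if bound_dn == "" and not self.allow_anonymous_search:
            raise PermissionError("anonymous search not permitted on this subtree")
        for dn in self.entries:
            if dn.endswith("," + base_dn) and dn.lower().startswith(f"uid={uid.lower()},"):
                return dn
        return None


def authenticate(server: str, directory: ToyDirectory, base_dn: str,
                 username: str, password: str, subtree: bool = False) -> Optional[str]:
    """Return the DN that authenticated, or None on any failure.

    subtree=False: the identity is resolved by prefixing the base DN, no search.
    subtree=True:  bind with the resolved search credentials, search for the
                   user's DN, then bind as that DN with the identity's password.
    """
    if not subtree:
        user_dn = f"uid={username},{base_dn}"
    else:
        search_dn, search_pw = resolve_bind_credentials(server)
        if not directory.bind(search_dn, search_pw):
            return None  # search login ID itself is wrong
        try:
            user_dn = directory.search_subtree(search_dn, base_dn, username)
        except PermissionError:
            return None  # anonymous search refused: a separate login ID is needed
        if user_dn is None:
            return None
    return user_dn if directory.bind(user_dn, password) else None


# Constructed sample directory: alice lives one level below the base DN.
DIRECTORY = ToyDirectory({
    "uid=alice,ou=eng,ou=people,dc=example,dc=com": "alice-pw",
    "uid=bob,ou=people,dc=example,dc=com": "bob-pw",
    "cn=ibsearch,ou=service,dc=example,dc=com": "s3cret",
})
BASE_DN = "ou=people,dc=example,dc=com"

if __name__ == "__main__":
    print(authenticate("ldap1.example.com", DIRECTORY, BASE_DN, "alice", "alice-pw", subtree=True))
    print(authenticate("ldap2.example.com", DIRECTORY, BASE_DN, "alice", "alice-pw", subtree=True))
```

ldap1.example.com has no explicit entry, so it inherits the ldap::LDAP search account and alice is found under the subtree; ldap2.example.com is pinned to anonymous bind, so the subtree search is refused and authentication fails even with the right password, which is the situation the page's "separate authorized login ID" advice addresses.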
Steps for enabling LDAP authentication:
Procedure
To enable an existing message flow to perform identity authentication, use the BAR editor to select a security profile that uses LDAP for authentication. You can set a security profile on a message flow or on individual input nodes. If no security profile is set for the input nodes, the setting is inherited from the setting on the message flow.
- Switch to the Integration Development perspective.
- In the Application Development view, right-click the BAR file and then click Open with > BAR Editor.
- Click the Manage and Configure tab.
- Click the flow or node on which you want to set the security profile. The properties that you can configure for the message flow or for the node are displayed in the Properties view.
- In the Security Profile Name field, select a security profile that uses LDAP for authentication.
- Save the BAR file.
What to do next
For a SOAPInput node to use the identity in the WS-Security header (rather than an underlying transport identity), an appropriate policy set and bindings must also be defined and specified. For more information, see Policy sets.
If the message identity does not contain enough information for authentication, the information must be taken from the message body. For example, if a password is required for authentication but the message came from WebSphere® MQ with only a username, the password information must be taken from the message body. For more information, see Configuring the extraction of an identity or security token.