Installing and configuring LDAP
About this task
A Lightweight Directory Access Protocol (LDAP) server is available as part of IBM® i in the product Directory Services for IBM i. The server provides a network directory which can be accessed by network clients using the LDAP protocol. LDAP defines the transport and format of messages used by a client to access data in an X.500-like directory. Although LDAP does not define the directory service itself, a directory accessed using LDAP is typically called an LDAP directory.
The directory server allows access to a type of database that stores information in a hierarchical structure similar to the way that the IBM i integrated file system is organized. The LDAP directory server model is based on entries which consist of one or more attributes, such as a name or address, and a type. These attributes typically consist of mnemonic strings, such as cn for common name or mail for e-mail address. Refer to the example below to see how entries are stored in LDAP.
LDAP must be configured on an IBM i system to configure EIM. EIM configuration information is stored in an LDAP directory. These are the basic steps for installing and configuring LDAP. See "Networking > TCP/IP applications, protocols and services > Directory Services (LDAP)" in the IBM i Information Center for more details on working with LDAP. Note that although you can use LDAP on other operating systems, these steps describe configuration for IBM i systems only.
Note: Although a valid LDAP ID will allow you to use protected pages when securing your application, to use single signon an EIM user identity must be associated with that LDAP ID (as the source ID), and a target IBM i profile (as the target ID).
The directory server is installed with IBM i using a default configuration. To reconfigure the directory server, you must have *ALLOBJ and *IOSYSCFG authorities. To configure LDAP:
Procedure
- Using the IBM i Navigator, expand Network > Servers > TCP/IP.
- Right-click Directory Server and select Stop.
- Right-click Directory and select Configure. If you have previously configured the directory server, select Reconfigure.
- Use the Configure Directory Server wizard to configure the directory server.
Note the settings you use, such as distinguished names (or suffixes), during configuration. Some of these values are required when you enable security for your applications.
When the wizard completes, your directory server is set up with a basic configuration. For more detailed information on configuring LDAP, see the "Networking > TCP/IP applications, protocols and services > Directory Services (LDAP)" in the IBM i Information Center.
What to do next
After you have configured your directory server, you can add entries to your LDAP directory using one of the following methods:
- Using the IBM i Navigator, right-click Directory Server and select Tools > Import. This will allow you to import the directory entries from a previously created LDIF (LDAP Data Interchange Format) file.
- In IBM i, use the ldapadd command from Qshell.
- Use the Directory Management Tool to add entries. The Directory Management Tool is in the IFS at \QIBM\ProdData\OS400\DirSrv\User Tools\Windows\setup.exe.
The following is an example of a simple LDIF file containing two entries (entries are separated by a blank line, and a line beginning with a space continues the previous line):
dn: cn=John S. Day, ou=Rochester, o=Big Company, c=US
objectclass: top
objectclass: person
objectclass: organizationalPerson
cn: John Day
sn: Day
uid: johnday
telephonenumber: +1 408 555 1212
description: A big sailing fan.

dn: cn=Bjorn Jensen, ou=Rochester, o=Big Company, c=US
objectclass: top
objectclass: person
objectclass: organizationalPerson
cn: Bjorn Jensen
sn: Jensen
uid: bjenson
telephonenumber: +1 408 555 1212
description: Babs is a big sailing fan, and travels extensively in
  search of perfect sailing conditions.
title: Product Manager, Rod and Reel Division
For more information on adding LDAP entries, see "Networking > TCP/IP applications, protocols and services > Directory Services (LDAP)" in the IBM i Information Center.
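Before handing an LDIF file to ldapadd it is worth parsing it locally and checking the things a directory server rejects at add time: missing objectclass values, a person entry without sn or cn, and an RDN whose value does not appear among the entry's attributes. The following Python script is an added example, not IBM i code; it embeds a constructed copy of the two-entry LDIF above as sample input (including the folded description line, where the continuation line carries the fold space plus the original space so that "in" and "search" stay separate words). Running it reports that the first entry's dn names cn=John S. Day while the entry's cn attribute holds John Day, the kind of mismatch that otherwise only surfaces as a server error.

```python
"""Minimal LDIF parser and pre-add sanity checker (added example, not IBM's code)."""
import base64

# Constructed sample input: the two entries from the text above, in RFC 2849 LDIF.
SAMPLE_LDIF = """\
dn: cn=John S. Day, ou=Rochester, o=Big Company, c=US
objectclass: top
objectclass: person
objectclass: organizationalPerson
cn: John Day
sn: Day
uid: johnday
telephonenumber: +1 408 555 1212
description: A big sailing fan.

dn: cn=Bjorn Jensen, ou=Rochester, o=Big Company, c=US
objectclass: top
objectclass: person
objectclass: organizationalPerson
cn: Bjorn Jensen
sn: Jensen
uid: bjenson
telephonenumber: +1 408 555 1212
description: Babs is a big sailing fan, and travels extensively in
  search of perfect sailing conditions.
title: Product Manager, Rod and Reel Division
"""


def unfold(text):
    """Join continuation lines (a leading space continues the previous line)
    and drop '#' comment lines, returning the logical lines."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]      # strip only the single fold space
        else:
            logical.append(raw)
    return logical


def parse_ldif(text):
    """Return a list of entries, each {'dn': str, 'attrs': {name: [values]}}.
    Attribute names are lower-cased so objectclass/objectClass collapse together;
    '::' marks a base64 value, ':<' (URL-valued) is rejected."""
    entries, current = [], None
    for line in unfold(text) + [""]:    # trailing "" flushes the last entry
        if line.strip() == "":
            if current is not None:
                entries.append(current)
                current = None
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        elif rest.startswith("<"):
            raise ValueError("URL-valued attribute not supported: %r" % line)
        else:
            value = rest.lstrip(" ")    # zero or more spaces may follow the colon
        name = name.strip().lower()
        if name == "dn":
            if current is not None:
                raise ValueError("dn without a blank-line separator: %r" % line)
            current = {"dn": value, "attrs": {}}
        else:
            if current is None:
                raise ValueError("attribute before any dn: %r" % line)
            current["attrs"].setdefault(name, []).append(value)
    return entries


def parse_rdn(dn):
    """Split the first RDN of a simple, unescaped DN into (attr, value)."""
    rdn = dn.split(",", 1)[0].strip()
    attr, _, value = rdn.partition("=")
    return attr.strip().lower(), value.strip()


def check_entries(entries):
    """Return (dn, problem) pairs for conditions a server typically rejects."""
    problems = []
    for e in entries:
        attrs = e["attrs"]
        classes = [c.lower() for c in attrs.get("objectclass", [])]
        if not classes:
            problems.append((e["dn"], "no objectclass"))
        attr, value = parse_rdn(e["dn"])
        if value not in attrs.get(attr, []):
            problems.append((e["dn"], "naming attribute %s=%s not present in entry" % (attr, value)))
        if "person" in classes:             # person MUST contain sn and cn (RFC 4519)
            for must in ("sn", "cn"):
                if must not in attrs:
                    problems.append((e["dn"], "person entry missing %s" % must))
    return problems


if __name__ == "__main__":
    for dn, problem in check_entries(parse_ldif(SAMPLE_LDIF)):
        print("%s: %s" % (dn, problem))
```

The checker deliberately stops short of full schema validation (for example, uid is defined by inetOrgPerson rather than organizationalPerson, and whether the server enforces that depends on its schema configuration); those checks need the server's own schema, so run ldapsearch against the live directory for them.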
Parent topic: Securing your Web applications with single signon