Software AG Products 10.11 | Administering Integration Server | Configuring a Central User Directory or LDAP | Configuring the Server to Use LDAP | Defining an LDAP Directory to Integration Server
 
Defining an LDAP Directory to Integration Server
To define an LDAP directory to Integration Server:
1. Open the Integration Server Administrator if it is not already open.
2. Go to Security > User management.
3. Click LDAP Configuration.
4. Click Add LDAP Directory.
Note:
You can add an LDAP directory only after you select LDAP as the provider.
5. On the Settings > LDAP Directory > Add page, enter the following information:
For this parameter
Specify...
Directory URL
The complete URL of the LDAP server. The URL has the format protocol://hostname:portnumber where
*The protocol is LDAP for standard connections or LDAPS for secure connections.
*The host is the host name or IP address of the LDAP server. The port is the port on which the server is running. The port is optional. If omitted, the port defaults to 389 for LDAP, or 636 for LDAPS.
For example, specifying the URL ldaps://ldapserv1:700 would create a secure connection to the LDAP server running on the non-standard port 700 on the host called ldapserv1.
If you specify ldaps, Integration Server attempts to make a secure connection to the directory server using an SSL socket. If the directory server is configured to use SSL, it will have a server certificate in place to identify itself to clients. This certificate must be signed by an authority to prove its validity (i.e. the server certificate is signed by a CA). By default, the Integration Server will only trust certificates signed by a signing authority whose CA certificate is in the Integration Server's trusted CAs directory. Refer to Configuring Integration Server for Secure Communications for instructions on configuring the trusted CAs directory and finding the CA certificate.
Principal
The user ID the Integration Server should supply to connect to the LDAP server, for example, o=webm.com or dc=webm,dc=com.
This user should not be the Administrator account, but a user that has permission to query groups and group membership. If your LDAP server allows anonymous access, leave this field blank.
Credentials
The password the Integration Server should supply to connect to the LDAP server, that is, the Principal's password. The Integration Server encrypts this password according to the settings specified on the Outbound Passwords page. For more information, see Configuring Integration Server for Secure Communications.
Connection Timeout (seconds)
The number of seconds the Integration Server will wait while trying to connect to the LDAP server. After this time has passed, the Integration Server will try the next configured LDAP server on the list. The default is 5 seconds. Increase this number if your network has latency problems. If most requests will be from batch processes, you can increase this number to be 30 seconds or more.
Minimum Connection Pool Size
The minimum number of connections allowed in the pool that the Integration Server maintains for connecting to the LDAP server. When the Integration Server starts, the connection pool initially contains this minimum number of connections. The Integration Server adds connections to the pool as needed until it reaches the maximum allowed, which is specified in the Maximum Connection Pool field. The default is 0.
Maximum Connection Pool Size
The maximum number of connections allowed in the pool that the Integration Server maintains for connecting to the LDAP server. When the Integration Server starts, the connection pool initially contains a minimum number of connections, which are specified in the Minimum Connection Pool field. The Integration Server adds connections to the pool as needed until it reaches the maximum allowed. The default is 10.
Synthesize DN
Builds a distinguished name by adding a prefix and suffix to the user name.
The Synthesize DN method can be faster than the Query DN method (see below) because it does not perform a query against the LDAP directory. However, if your LDAP system does not contain all users in a single flat structure, use the Query DN method instead.
DN Prefix
A string that specifies the beginning of a DN you want to pass to the LDAP server.
DN Suffix
A string that specifies the end of a DN you want to pass to the LDAP server.
For example, if the prefix is "cn=" and the suffix is ",ou=Users" and a user logs in specifying "bob", the Integration Server builds the DN cn=bob,ou=Users and sends it to the LDAP server for authentication.
Note:
Be sure to specify all the characters required to form a proper DN. For instance, if you omit the comma from the suffix above, that is, you specify "ou=Users" instead of ",ou=Users", the Integration Server will build the invalid DN (cn=bobou=Users).
Query DN
Builds a query that searches a specified root directory for the user.
Use this method instead of the Synthesize DN method (see above) if your LDAP directory has a complex structure.
UID Property
A property that identifies an LDAP userid, such as "cn" or "uid".
User Root DN
Enter the full distinguished name. For example, if you specify ou=users,dc=webMethods,dc=com, the Integration Server will issue a query that starts searching in the root directory ou=users for a common name that matches the name the user logged in with.
User Email
Specifies the name of the attribute that is used to store users' email addresses. For example, "mail".
Default Group
An Integration Server group with which the user is associated. The user is allowed to access services that members of this Integration Server group can access. This access is controlled by the ACLs with which the group is associated.
If you also specify a value in the Group Member Attribute field, the user has the same access as members of the Integration Server group and members of LDAP groups that have been mapped to an Integration Server ACL.
Important:
Do not specify Anonymous as the default group if any user in this group needs to have administrator privileges. The default ACL denies the Anonymous group and will not allow access to the root page. Choose the appropriate group in the Default Group field to ensure that the required ACLs get assigned to your group.
Important:
You must specify a value in the Group Member Attribute field, the Default Group field, or both.
Group Member Attribute
The name of the attribute in a group's directory entry that identifies each member of the group. This value is usually "member" or "uniqueMember", but can vary depending on the schema of the LDAP directory.
Integration Server uses this information during ACL checking to see if the user attempting to log in belongs to an LDAP group that has been mapped to an ACL.
If no value is specified here, Integration Server does not check for membership in an LDAP group. As a result, the user's ability to access Integration Server services is controlled by the Integration Server group specified in the Default Group field.
Note:
You must specify a value in the Group Member Attribute field, the Default Group field, or both.
Group ID Property
A property that identifies an LDAP group, such as CN.
Group Root DN
The full distinguished name.
For example, if you specify ou=groups,dc=webMethods,dc=com, Integration Server will issue a query that returns all the LDAP groups under that root.
Note:
You must specify values in the Group ID Property and Group Root DN fields.
6. Click Save Changes.
The LDAP Directory List displays the added LDAP directory.
7. Click Move Up/Move Down to order the directories in the list based on their priority.
Note: 
*If you define multiple LDAP servers, Integration Server will search the LDAP directories in the order in which they are displayed on the Security > User management > LDAP configuration page. If Integration Server does not find the user in the first LDAP directory, it will search in order through the list.
*If the connection between Integration Server and the LDAP server drops intermittently and you notice the following exception in the trace logs, connect to the Global Catalog port (3268/3269) on the LDAP server instead of the standard LDAP port (389), for example ldap://<hostname>:3268
PartialResultException in the trace logs : [ISS.0002.0000T]
[LDAPv2] javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException:
[Root exception is java.net.SocketTimeoutException: connect timed out]]
*If the connection issues continue despite using the Global Catalog port (3268/3269), it may be due to the following errors:
*Connection timeout error
*Communication error
*Resource shortage error
*An orphaned domain acts as the Global Catalog
Set appropriate values for the watt.server.ldap.retryCount and watt.server.ldap.retryWait parameters to restore the connection in case of transient errors.
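As an added illustration (not part of this product documentation and not Integration Server code), the Python below models three of the step 5 settings: it applies the 389/636 port defaults to a Directory URL, checks that a DN Prefix and DN Suffix can form a proper DN before the Synthesize DN method concatenates them (the ",ou=Users" versus "ou=Users" mistake in the note), and builds the Query DN search from the UID Property and User Root DN. The escaping of the login name follows RFC 4514 and RFC 4515 and is an assumption about sound practice, not a description of how Integration Server itself processes the value.

```python
import re
from urllib.parse import urlsplit

# Defaults taken from the Directory URL description: 389 for ldap, 636 for ldaps.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

def parse_directory_url(url):
    """Split a Directory URL (protocol://hostname:port) into
    (protocol, host, port, secure), applying the default port when omitted."""
    parts = urlsplit(url)
    proto = parts.scheme.lower()
    if proto not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unsupported Directory URL: {url}")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[proto]
    return proto, parts.hostname, port, proto == "ldaps"

# A usable DN Prefix ends in 'type=' and a DN Suffix is empty or starts with ','
# (the documentation's example: ',ou=Users' is right, 'ou=Users' is not).
PREFIX_RE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*=[^,]*,)*[A-Za-z][A-Za-z0-9-]*=$")
SUFFIX_RE = re.compile(r"^(?:,[A-Za-z][A-Za-z0-9-]*=[^,]+)*$")

def dn_config_is_valid(prefix, suffix):
    """True when prefix + user + suffix can form a proper DN."""
    return bool(PREFIX_RE.match(prefix) and SUFFIX_RE.match(suffix))

def escape_dn_value(value):
    """Escape the characters RFC 4514 makes special inside a DN value, so a
    login name such as 'bob,admin' cannot change the structure of the DN."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;':
        out = out.replace(ch, "\\" + ch)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def synthesize_dn(prefix, suffix, user):
    """The DN the Synthesize DN method would send for a login name."""
    if not dn_config_is_valid(prefix, suffix):
        raise ValueError(f"DN Prefix/Suffix would not form a proper DN: {prefix!r} {suffix!r}")
    return f"{prefix}{escape_dn_value(user)}{suffix}"

def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\0" else c for c in value)

def query_dn_search(uid_property, user_root_dn, user):
    """The (search base, filter) pair the Query DN method would issue."""
    return user_root_dn, f"({uid_property}={escape_filter_value(user)})"
```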