Integration Server 10.11 | Integration Server Administrator's Guide | Configuring a Central User Directory or LDAP | Configuring the Server to Use LDAP
 
Configuring the Server to Use LDAP
 
Defining an LDAP Directory to Integration Server
Mapping an LDAP User's Access to ACLs
Stopping Use of an LDAP as an External Directory
To configure the server to use LDAP, you need to:
*Instruct Integration Server to use the LDAP protocol
*Define one or more configured LDAP servers that the Integration Server is to use for these users
*If an LDAP provider is SSL-enabled, you can set the JVM Truststore Alias field on the Security > Certificates page to point to the trusstore alias that contains the certificates required to establish a secure connection with the LDAP server.
Note:
The value of the JVM Truststore Alias field is used as the value of the watt.server.ssl.trustStoreAlias parameter. As an alternative to using the JVM Truststore Alias, you can set the watt.server.ssl.trustStoreAlias parameter.
Software AG recommends that you use central user management instead of configuring Integration Server to use one more LDAP directories for external user management. For more information about central user management, see Configuring Central User Management and Administering My webMethods Server.
*To specify LDAP as the external provider
1. Open the Integration Server Administrator if it is not already open.
2. Go to Security > User management.
3. Click LDAP Configuration.
4. Click Edit LDAP Configuration.
5. Next to Provider, select LDAP.
Integration Server issues a prompt to verify that you want to change the setting. Click OK. If your Integration Server is configured to central user management, you must disable it before you can configure LDAP. For information about disabling central user management, see Configuring Central User Management.
6. Enter the following information:
For this field...
Specify...
Cache Size (Number of Users)
The maximum number of LDAP users Integration Server can keep in memory in the user cache. The default is 10.
Once the limit is reached, Integration Server selects users for removal from the cache based on how long they have been idle. As a result, activity can extend the time a user remains in the cache.
As a general rule, specify a cache size equivalent to 5-10% of the number of users in your LDAP system. However, if only a few sessions are ever logged on simultaneously, set the cache size to be the same as the number of simultaneous sessions.
Credential Time-to-Live (Minutes)
The number of minutes an LDAP user's credentials (userid and password) can remain in the credential cache before being purged. The default is 60 minutes.
When a user first attempts to log in, Integration Server creates a user object and checks the user's credentials against the LDAP directory. Integration Server stores the credentials so that subsequent requests to authenticate will be made against the cached credentials, not the LDAP directory.
For security reasons, you can control the length of time these cached credentials are valid. The credentials are secure because they are stored using a one-way hashing function, and cannot be recovered from the cache. If a user attempts to log in with credentials that do not match the cached version, Integration Server flushes the cache and checks the credentials against the LDAP directory. If the credentials are valid, the Integration Server caches them; otherwise, the cache remains empty.
For normal secure environments, a time-to-live value between one hour and one day is adequate. For higher security environments, a time-to-live of between one and five minutes may be more appropriate.
The Time-to-Live is absolute; therefore, activity will not cause the credentials to remain in cache longer.
7. Click Save Configuration.
To finish configuring Integration Server to use an LDAP directory, continue to the procedure Defining an LDAP Directory to Integration Server .