HCL Workload Automation, Version 9.4

LDAP Panel

Complete this panel if configuring for an LDAP user registry.

################################################################
LDAP Panel
################################################################
LDAPServerType=IDS
LDAPHostName=
LDAPPort=389
LDAPBaseDN=
LDAPBaseDNEntry=
LDAPBindDN=
LDAPBindPassword=
LDAPloginProperties=
LDAPsearchTimeout=120
LDAPsslEnabled=false
LDAPsslConfig=
LDAPCertificateFilter=
LDAPCertificateMapMode=EXACT_DN

Note to users of previous versions of HCL Workload Automation: This is not a new panel, but is significantly different from previous versions.

LDAPServerType=<name>
Specifies the type of LDAP server to which you connect. If you use the IBM® Tivoli® Directory Server for z/OS®, you must specify IDS. Allowed values are:
IDS
IBM Tivoli Directory Server (the default LDAP value)
AD
Microsoft Windows Active Directory
ZOSDS
z/OS Integrated Security Services LDAP Server
LDAPHostName=<IP_address_or_hostname>
Specifies the host name of the primary LDAP server. This host name is either an IP address or a domain name service (DNS) name.
LDAPPort=<number>
Specifies the LDAP server port. The default value is 389, the standard port for a plain (non-SSL) connection. Use port 636 for an SSL connection. Some LDAP servers listen on different ports for non-SSL and SSL connections, so check the server configuration. Note that setting the port to 636 does not by itself enable SSL: you must also set LDAPsslEnabled=true, otherwise the connection is still attempted in clear text.
LDAPBaseDN=<distinguished_name_list>
Specifies the LDAP distinguished name (DN) of the base entry within the repository, which indicates the starting point for LDAP searches of the directory service. The entry and its descendants are mapped to the subtree that is identified by the "twaLDAP" base entry. If this field is left blank, then the subtree defaults to the root of the LDAP repository.
For example, for a user with a DN of cn=John Doe , ou=Rochester, o=IBM, c=US, specify that the LDAPBaseDN has any of the following options:
  • ou=Rochester, o=IBM, c=US
  • o=IBM, c=US
  • c=US
For authorization purposes, this field is case sensitive. This specification implies that if a token is received, for example, from another cell or Lotus® Domino®, the base DN in the server must match the base DN from the other cell or Lotus Domino server exactly. If case sensitivity is not a consideration for authorization, enable the Ignore case for authorization option.
LDAPBaseDNEntry=<distinguished_name_list>
Specifies the LDAP distinguished name (DN) of a base entry that uniquely identifies the external repository in the realm. If multiple repositories are included in the realm, use this field to define an additional distinguished name (DN) that uniquely identifies this set of entries within the realm. If this field is left blank, the default is:
  • For the first customization: the value of LDAPBaseDN.
  • For succeeding customizations: the previous value.
The default value is o=twaLDAP.

For example, repositories LDAP1 and LDAP2 might both use o=ibm, c=us as the base entry in the repository. Use the DN in this field to uniquely identify this set of entries in the realm. For example: o=ibm,c=us for LDAP1 and o=ibm2,c=us for LDAP2. The specified DN in this field maps to the LDAP DN of the base entry within the repository.

LDAPBindDN=<name>
Specifies the distinguished name (DN) for the application server to use when binding to the LDAP repository. If no name is specified, the application server binds anonymously. In most cases, LDAPBindDN and LDAPBindPassword are needed; they can be omitted only when an anonymous bind can satisfy all of the required functions (for example, searching the base DN for the login properties). Use a dedicated directory account with read-only rights for the bind DN rather than an administrative account.
LDAPBindPassword=<password>
Specifies the password for the application server to use when binding to the LDAP repository. Because the password is written into this file as entered, restrict read access to the file.
LDAPloginProperties=<login_token_list>
Specifies the login tokens (LDAP attributes) to use to log into the application server. This field takes multiple login tokens, delimited by a semicolon (;), for example uid;mail. All login properties are searched during login, and the search must return exactly one entry: if multiple entries or no entries are found, an error is given. For example, if you specify the login properties as uid;mail and the login ID as Bob, the search filter searches for uid=Bob or mail=Bob, that is, (|(uid=Bob)(mail=Bob)). When the search returns a single entry, authentication can proceed. Otherwise, an error is given.

If you supply more than one login token, the order of the tokens is important: regardless of the token by which the user is authenticated, VMM sets the first property as the principal name, and this principal name is then passed to HCL Workload Automation. For example, if you set the login properties to cn;mail, even if the user logs in with the mail value, the principal name returned is the cn value, and the HCL Workload Automation security checks (in the security file, for example) are performed using the cn value for that user. Choose as first property an attribute whose values are unique within the base DN, because that value is what the security file authorizes.
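The following Python is an added example, not code from HCL Workload Automation or from VMM. It models the behaviour described above for LDAPloginProperties: every listed attribute is searched for the login ID, the search must return exactly one entry, and the first property (not the one that matched) becomes the principal name. The directory contents, the function names and the simulated server evaluation are assumptions made for illustration; the filter-escaping step follows RFC 4515 so that a hostile login ID cannot change the structure of the search filter.

```python
# Added example, not code from HCL Workload Automation or VMM.
# It models the LDAPloginProperties behaviour:
#  1. every property in the semicolon list is searched for the login ID,
#  2. exactly one entry must come back, otherwise login fails,
#  3. the FIRST property (not the one that matched) becomes the principal name.
# The directory below is constructed sample data; the LDAP server is simulated.
from typing import Dict, List, Tuple

SAMPLE_DIRECTORY: Dict[str, Dict[str, str]] = {
    "cn=Bob Smith,ou=Rochester,o=IBM,c=US": {"cn": "Bob Smith", "uid": "bob", "mail": "bob@example.com"},
    "cn=Bob Jones,ou=Rochester,o=IBM,c=US": {"cn": "Bob Jones", "uid": "bjones", "mail": "bob"},
    "cn=Alice Doe,ou=Rochester,o=IBM,c=US": {"cn": "Alice Doe", "uid": "alice", "mail": "alice@example.com"},
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a login ID such as '*)(uid=*' must not alter the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def parse_login_properties(login_properties: str) -> List[str]:
    """'uid;mail' -> ['uid', 'mail']; an empty list is a configuration error."""
    props = [p.strip() for p in login_properties.split(";") if p.strip()]
    if not props:
        raise ValueError("LDAPloginProperties must name at least one attribute")
    return props


def build_login_filter(login_properties: str, login_id: str) -> str:
    """'uid;mail' + 'Bob' -> '(|(uid=Bob)(mail=Bob))'; a single property -> '(uid=Bob)'."""
    props = parse_login_properties(login_properties)
    value = escape_filter_value(login_id)
    terms = "".join(f"({p}={value})" for p in props)
    return terms if len(props) == 1 else f"(|{terms})"


def find_login_entries(login_properties: str, login_id: str,
                       directory: Dict[str, Dict[str, str]] = SAMPLE_DIRECTORY) -> List[str]:
    """Simulates the server evaluating build_login_filter(): DNs whose attributes match."""
    props = parse_login_properties(login_properties)
    # uid and mail use case-insensitive matching rules on typical servers; mirror that here
    return [dn for dn, attrs in directory.items()
            if any(attrs.get(p, "").lower() == login_id.lower() for p in props)]


def authenticate_lookup(login_properties: str, login_id: str,
                        directory: Dict[str, Dict[str, str]] = SAMPLE_DIRECTORY) -> Tuple[str, str]:
    """Returns (entry DN, principal name); raises LookupError on 0 or more than 1 matches."""
    hits = find_login_entries(login_properties, login_id, directory)
    if len(hits) != 1:
        raise LookupError(f"login ID {login_id!r} matched {len(hits)} entries via {login_properties!r}")
    first_property = parse_login_properties(login_properties)[0]
    principal = directory[hits[0]][first_property]  # this value is what the security file sees
    return hits[0], principal


if __name__ == "__main__":
    print(build_login_filter("uid;mail", "Bob"))
    print(authenticate_lookup("uid;mail", "alice@example.com"))  # principal is the uid
    print(authenticate_lookup("cn;mail", "alice@example.com"))   # principal is the cn
    try:
        authenticate_lookup("uid;mail", "bob")  # uid=bob on one entry, mail=bob on another: ambiguous
    except LookupError as err:
        print("login refused:", err)
```

The ambiguous case is the one to watch for in a real directory: with uid;mail, a user whose mail attribute happens to equal another user's uid cannot log in at all, and the error gives no hint which entry is at fault.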

LDAPsearchTimeout=<value>
Specifies the timeout value in milliseconds for an LDAP server to respond before the request is aborted. A value of 0 specifies that no search time limit exists, which lets a slow or unresponsive directory hold the login attempt indefinitely; prefer a finite value.
LDAPsslEnabled=true|false
Specifies whether secure socket communication is enabled to the LDAP server.
  • If true, SSL is enabled, and the Secure Sockets Layer (SSL) settings for LDAP are used, if specified.
  • If false, SSL is not enabled.
LDAPsslConfig=<alias>
Specifies the SSL configuration alias to use for LDAP outbound SSL communications. This option overrides the centrally managed configuration for the JNDI platform. The default value is "DefaultNode/DefaultSSLSettings".
LDAPCertificateFilter=<filter_specification>
Specifies the filter certificate mapping property for the LDAP filter. The filter is used to map attributes in the client certificate to entries in the LDAP repository. If more than one LDAP entry matches the filter specification at run time, authentication fails because the result is an ambiguous match. The syntax or structure of this filter is:
<LDAP_attribute>=${<Client_certificate_attribute>}

For example, uid=${SubjectCN}.

The left side of the filter specification is an LDAP attribute that depends on the schema that your LDAP server is configured to use. The right side of the filter specification is one of the public attributes in your client certificate. The right side must begin with a dollar sign ($) and open brace ({) and end with a close brace (}). You can use any of the following certificate attribute values on the right side of the filter specification (the case of the strings is important):
  • ${UniqueKey}
  • ${PublicKey}
  • ${Issuer}
  • ${NotAfter}
  • ${NotBefore}
  • ${SerialNumber}
  • ${SigAlgName}
  • ${SigAlgOID}
  • ${SigAlgParams}
  • ${SubjectCN}
  • ${Version}
LDAPCertificateMapMode=<value>
Specifies how X.509 client certificates are mapped to entries in the LDAP directory. Allowed values are:
EXACT_DN
The subject DN of the certificate must exactly match the DN of an entry in the LDAP directory.
CERTIFICATE_FILTER
The entry is located with the search filter defined in LDAPCertificateFilter.
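The following Python is an added example, not code from HCL Workload Automation or from VMM. It shows what the two LDAPCertificateMapMode values do with the public attributes of a client certificate and why an LDAPCertificateFilter that matches more than one entry makes authentication fail. The certificate fields, the directory and the function names are constructed for illustration; the certificate is reduced to a dictionary of the attributes the filter syntax above can reference, plus the full subject DN that EXACT_DN compares.

```python
# Added example, not code from HCL Workload Automation or VMM.
# It shows what the two LDAPCertificateMapMode values do with the public
# attributes of a client certificate, and why an LDAPCertificateFilter that
# matches more than one entry makes authentication fail.
# The certificate attributes and the directory are constructed sample data.
import re
from typing import Dict, List, Tuple

# Public certificate attributes allowed on the right side of the filter (case matters)
ALLOWED_TOKENS = {"UniqueKey", "PublicKey", "Issuer", "NotAfter", "NotBefore", "SerialNumber",
                  "SigAlgName", "SigAlgOID", "SigAlgParams", "SubjectCN", "Version"}
TOKEN = re.compile(r"\$\{([A-Za-z]+)\}")

# Constructed client certificate, reduced to the fields this example needs.
# SubjectDN is the full subject, which EXACT_DN compares against the entry DN.
CERT_BOB = {"SubjectDN": "CN=bob,OU=Rochester,O=IBM,C=US", "SubjectCN": "bob",
            "Issuer": "CN=Example Issuing CA,O=Example", "SerialNumber": "4096"}

SAMPLE_DIRECTORY: Dict[str, Dict[str, str]] = {
    "cn=bob,ou=Rochester,o=IBM,c=US": {"cn": "bob", "uid": "bob"},
    "cn=bob,ou=Austin,o=IBM,c=US": {"cn": "bob", "uid": "bob.austin"},  # same CN, other branch
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of a value copied out of the certificate."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def parse_certificate_filter(filter_spec: str) -> Tuple[str, str]:
    """Validates '<LDAP_attribute>=${<Client_certificate_attribute>}'; returns both names."""
    lhs, sep, rhs = filter_spec.partition("=")
    match = TOKEN.fullmatch(rhs.strip())
    if not sep or not lhs.strip() or match is None:
        raise ValueError(f"malformed LDAPCertificateFilter: {filter_spec!r}")
    token = match.group(1)
    if token not in ALLOWED_TOKENS:  # ${subjectcn} is rejected: the case of the strings is important
        raise ValueError(f"unknown certificate attribute ${{{token}}}")
    return lhs.strip(), token


def expand_certificate_filter(filter_spec: str, cert: Dict[str, str]) -> str:
    """'uid=${SubjectCN}' with CERT_BOB -> '(uid=bob)', the filter that would be sent to LDAP."""
    attr, token = parse_certificate_filter(filter_spec)
    return f"({attr}={escape_filter_value(cert[token])})"


def normalize_dn(dn: str) -> str:
    # Minimal DN normalisation (whitespace and case only); real servers apply full RFC 4517 rules
    return ",".join(part.strip() for part in dn.split(",")).lower()


def find_certificate_entries(map_mode: str, cert: Dict[str, str],
                             directory: Dict[str, Dict[str, str]] = SAMPLE_DIRECTORY,
                             filter_spec: str = "") -> List[str]:
    """DNs the certificate maps to under the given LDAPCertificateMapMode."""
    if map_mode == "EXACT_DN":
        wanted = normalize_dn(cert["SubjectDN"])
        return [dn for dn in directory if normalize_dn(dn) == wanted]
    if map_mode == "CERTIFICATE_FILTER":
        attr, token = parse_certificate_filter(filter_spec)
        # server-side evaluation of expand_certificate_filter(filter_spec, cert)
        return [dn for dn, attrs in directory.items() if attrs.get(attr) == cert[token]]
    raise ValueError(f"LDAPCertificateMapMode must be EXACT_DN or CERTIFICATE_FILTER, got {map_mode!r}")


def map_certificate(map_mode: str, cert: Dict[str, str],
                    directory: Dict[str, Dict[str, str]] = SAMPLE_DIRECTORY,
                    filter_spec: str = "") -> str:
    """Returns the single mapped DN; zero or more than one match makes authentication fail."""
    hits = find_certificate_entries(map_mode, cert, directory, filter_spec)
    if len(hits) != 1:
        raise LookupError(f"{map_mode}: {len(hits)} entries matched, authentication fails")
    return hits[0]


if __name__ == "__main__":
    print(map_certificate("EXACT_DN", CERT_BOB))
    print(expand_certificate_filter("uid=${SubjectCN}", CERT_BOB))
    print(map_certificate("CERTIFICATE_FILTER", CERT_BOB, filter_spec="uid=${SubjectCN}"))
    try:
        map_certificate("CERTIFICATE_FILTER", CERT_BOB, filter_spec="cn=${SubjectCN}")
    except LookupError as err:
        print("refused:", err)  # two entries have cn=bob
```

The cn=${SubjectCN} case illustrates the practical point: a filter is only as selective as the certificate attribute it keys on, so pick an LDAP attribute that is unique under the base DN and that the issuing CA actually guarantees to be unique in the certificates it signs.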