You can configure a Sun JMS IQ Manager to use an LDAP server for user management.
A realm is a collection of users, groups, and roles that are used in enforcing security policies. The JMS IQ Manager supports multiple LDAP realms running at the same time.
When you perform the following steps, access to the JMS IQ Manager is granted only when the connection has a valid user name and password.
The following LDAP servers are supported:
Sun Java System Directory Server versions 5.1, 5.2, and 6.x
Microsoft's Active Directory (the version delivered with Windows Server 2003)
OpenLDAP Directory Server 2.x
Managing Java CAPS Users provides basic information about Sun JMS IQ Manager user management.
In the following procedure, you create users and roles in the LDAP server.
Create one or more JMS IQ Manager users.
Create one or more of the following roles:
| Role | Description |
|---|---|
| application | Enables clients to access the JMS IQ Manager. |
| asadmin | Enables use of the JMS control utility (stcmsctrlutil) or Enterprise Manager, and enables clients to access the JMS IQ Manager. |
Assign the roles to your users as needed.
You must configure the JMS IQ Manager so that it can locate the LDAP server and find the appropriate information.
You can enable more than one LDAP server. In addition, you can specify the default realm.
If the application server is not running, then start the application server.
Log in to the Configuration Agent. The format of the URL is http://hostname:port-number/configagent. Set the hostname to the TCP/IP host name of the computer where the application server is installed. Set the port number to the administration port number of the application server. For example:
http://localhost:4848/configagent
In the left pane, click the JMS IQ Manager node (for example, IQ_Manager_18007).
Click the Access Control tab.
Ensure that the check box to the right of the Require Authentication label is selected.
If you want to enable Sun Java System Directory Server, then select the check box to the right of the Enable Sun Java System Directory Server label and click Show Properties.
The following table describes the properties that appear. The default values are intended to match the standard schema of Sun Java System Directory Server. Review the default value for each property. If necessary, modify the default value.
| Property | Description |
|---|---|
| Naming Provider URL | The URL of the Java Naming and Directory Interface (JNDI) service provider. The default value is ldap://IP_address:589. |
| Naming Initial Factory | The fully qualified name of the factory class that creates the initial context. The initial context is the starting point for JNDI naming operations. The default value is com.sun.jndi.ldap.LdapCtxFactory. |
| Naming Security Authentication | The security level to use in JNDI naming operations. The default value is simple. |
| Naming Security Principal | The security principal used for connecting to the LDAP server. |
| Naming Security Credentials | The password of the naming security principal. The default value is STC. The value is encrypted when you save and then view it again. |
| Group DN Attribute Name in Group | The name of the Distinguished Name attribute in group entries. The default value is entrydn. |
| Group Name Field in Group DN | The name of the group name field in group Distinguished Names. The default value is cn. |
| Groups of User Filter Under Groups Parent DN | The LDAP search filter used to retrieve all of a user's groups. This property follows the syntax supported by the java.text.MessageFormat class, with {1} indicating where the user's Distinguished Name should be inserted. The default value is uniquemember={1}. |
| Groups Parent DN | The parent Distinguished Name of the group entries. In other words, this property specifies the root entry of the groups portion of the LDAP directory. |
| Role Name Attribute Name in User | The name of the role name attribute in user entries. The default value is nsroledn. |
| Role Name Field in Role DN | The name of the role name field in role Distinguished Names. The default value is cn. |
| Roles Parent DN | The parent Distinguished Name of the role entries. In other words, this property specifies the root entry of the roles portion of the LDAP directory. |
| Search Groups Sub Tree | By default, the groups portion of the LDAP directory is searched only one level below the root entry. To enable searches of the entire subtree, set the value to true. The default value is false. |
| Search Roles Sub Tree | By default, the roles portion of the LDAP directory is searched only one level below the root entry. To enable searches of the entire subtree, set the value to true. The default value is false. |
| Search Users Sub Tree | By default, the users portion of the LDAP directory is searched only one level below the root entry. To enable searches of the entire subtree, set the value to true. The default value is false. |
| User DN Attribute Name in User | The name of the Distinguished Name attribute in user entries. The default value is entrydn. |
| User ID Attribute Name in User | The name of the user ID attribute in user entries. The default value is uid. |
| Users Parent DN | The parent Distinguished Name of the user entries. In other words, this property specifies the root entry of the users portion of the LDAP directory. |
If you want to enable Active Directory, then select the check box to the right of the Enable Microsoft Active Directory Server label and click Show Properties.
The following table describes the properties that appear. The default values are intended to match the standard schema of Active Directory. Review the default value for each property. If necessary, modify the default value.
| Property | Description |
|---|---|
| Naming Provider URL | The URL of the Java Naming and Directory Interface (JNDI) service provider. The default value is ldap://IP_address:389. |
| Naming Initial Factory | The fully qualified name of the factory class that creates the initial context. The initial context is the starting point for JNDI naming operations. The default value is com.sun.jndi.ldap.LdapCtxFactory. |
| Naming Security Authentication | The security level to use in JNDI naming operations. The default value is simple. |
| Naming Security Principal | The security principal used for connecting to the LDAP server. |
| Naming Security Credentials | The password of the naming security principal. The default value is STC. The value is encrypted when you save and then view it again. |
| Users Parent DN | The parent Distinguished Name of the user entries. In other words, this property specifies the root entry of the users portion of the LDAP directory. |
| User DN Attribute Name in User | The name of the Distinguished Name attribute in user entries. The default value is distinguishedName. |
| User ID Attribute Name in User | The name of the user ID (that is, the login ID) attribute in user entries. The default value is sAMAccountName. |
| Roles Parent DN | The parent Distinguished Name of the role entries. In other words, this property specifies the root entry of the roles portion of the LDAP directory. |
| Role DN Attribute Name in Role | The name of the Distinguished Name attribute in role entries. The default value is cn. |
| Roles of User Filter Under Roles Parent DN | The LDAP search filter used to retrieve all of a user's roles. This property follows the syntax supported by the java.text.MessageFormat class, with {1} indicating where the user's Distinguished Name should be inserted. The default value is (&(member={1})(objectclass=group)). |
| Groups Parent DN | The parent Distinguished Name of the group entries. In other words, this property specifies the root entry of the groups portion of the LDAP directory. |
| Group DN Attribute Name in Group | The name of the Distinguished Name attribute in group entries. The default value is distinguishedName. |
| Group Name Field in Group DN | The name of the group name field in group Distinguished Names. The default value is cn. |
| Groups of User Filter Under Groups Parent DN | The LDAP search filter used to retrieve all of a user's groups. This property follows the syntax supported by the java.text.MessageFormat class, with {1} indicating where the user's Distinguished Name should be inserted. The default value is (&(member={1})(objectclass=group)). |
| Search Groups Sub Tree | By default, the groups portion of the LDAP directory is searched only one level below the root entry. To enable searches of the entire subtree, set the value to true. The default value is false. |
| Search Users Sub Tree | By default, the users portion of the LDAP directory is searched only one level below the root entry. To enable searches of the entire subtree, set the value to true. The default value is false. |
| Search Roles Sub Tree | By default, the roles portion of the LDAP directory is searched only one level below the root entry. To enable searches of the entire subtree, set the value to true. The default value is false. |
If you want to enable OpenLDAP Directory Server, then select the check box to the right of the Enable Generic LDAP Server label and click Show Properties.
The following table describes the properties that appear. Review the default value for each property. If necessary, modify the default value.
| Property | Description |
|---|---|
| Naming Provider URL | The URL of the Java Naming and Directory Interface (JNDI) service provider. The default value is ldap://IP_address:489. |
| Naming Initial Factory | The fully qualified name of the factory class that creates the initial context. The initial context is the starting point for JNDI naming operations. The default value is com.sun.jndi.ldap.LdapCtxFactory. |
| Naming Security Authentication | The security level to use in JNDI naming operations. The default value is simple. |
| Users Parent DN | The parent Distinguished Name of the user entries. In other words, this property specifies the root entry of the users portion of the LDAP directory. |
| User ID Attribute Name in User | The name of the user ID attribute in user entries. The default value is uid. |
| Roles Parent DN | The parent Distinguished Name of the role entries. In other words, this property specifies the root entry of the roles portion of the LDAP directory. |
| Role Name Attribute Name in Role | The name of the role name attribute in user entries. The default value is cn. |
| Roles of User Filter Under Roles Parent DN | The LDAP search filter used to retrieve all of a user's roles. This property follows the syntax supported by the java.text.MessageFormat class, with {1} indicating where the user's Distinguished Name should be inserted. The default value is uniquemember={1}. |
| Group Name Field in Group DN | The name of the group name field in group Distinguished Names. The default value is cn. |
| Groups Parent DN | The parent Distinguished Name of the group entries. In other words, this property specifies the root entry of the groups portion of the LDAP directory. |
| Groups of User Filter Under Groups Parent DN | The LDAP search filter used to retrieve all of a user's groups. This property follows the syntax supported by the java.text.MessageFormat class, with {1} indicating where the user's Distinguished Name should be inserted. The default value is uniquemember={1}. |
| Search Groups Sub Tree | By default, the groups portion of the LDAP directory is searched only one level below the root entry. To enable searches of the entire subtree, set the value to true. The default value is false. |
| Search Users Sub Tree | By default, the users portion of the LDAP directory is searched only one level below the root entry. To enable searches of the entire subtree, set the value to true. The default value is false. |
| Search Roles Sub Tree | By default, the roles portion of the LDAP directory is searched only one level below the root entry. To enable searches of the entire subtree, set the value to true. The default value is false. |
If you want to change the default realm, then select the realm from the Default Realm drop-down list.
Click Save.
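As an added example (not code from this page or from the Java CAPS product), the following Java class shows how the Active Directory property values in the table above turn into JNDI operations: the bind environment built from the Naming properties, the user lookup under Users Parent DN with the scope chosen by Search Users Sub Tree, the {1} substitution in Roles of User Filter through java.text.MessageFormat, and RFC 4515 escaping of the login ID and Distinguished Name before either is placed in a filter. The host name, base DNs, service account and the JMSIQ_LDAP_PASSWORD environment variable are assumptions made for the example.

```java
import java.text.MessageFormat;
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;
public class LdapRoleLookup {
    // Attribute names and filter are the Active Directory defaults from the table; host, DNs and service account are placeholders.
    static final String USERS_PARENT_DN = "ou=Users,dc=example,dc=test";      // Users Parent DN
    static final String USER_ID_ATTR = "sAMAccountName";                      // User ID Attribute Name in User
    static final String USER_DN_ATTR = "distinguishedName";                   // User DN Attribute Name in User
    static final String ROLES_PARENT_DN = "ou=Roles,dc=example,dc=test";      // Roles Parent DN
    static final String ROLE_DN_ATTR = "cn";                                  // Role DN Attribute Name in Role
    static final String ROLES_OF_USER_FILTER = "(&(member={1})(objectclass=group))";
    static final boolean SEARCH_USERS_SUB_TREE = false;                       // Search Users Sub Tree
    static final boolean SEARCH_ROLES_SUB_TREE = false;                       // Search Roles Sub Tree
    /** RFC 4515 escaping: a login ID or DN must never change the shape of a filter. */
    static String escape(String v) {
        return v.replace("\\", "\\5c").replace("*", "\\2a").replace("(", "\\28")
                .replace(")", "\\29").replace("\0", "\\00");
    }
    /** false searches one level below the parent DN (the default); true searches the whole subtree. */
    static SearchControls controls(boolean subTree, String attr) {
        int scope = subTree ? SearchControls.SUBTREE_SCOPE : SearchControls.ONELEVEL_SCOPE;
        return new SearchControls(scope, 0, 0, new String[] {attr}, false, false);
    }
    /** Returns the role names of loginId, or an empty list when the user is not found. */
    static List<String> rolesOf(DirContext ctx, String loginId) throws NamingException {
        List<String> roles = new ArrayList<>();
        String userFilter = "(" + USER_ID_ATTR + "=" + escape(loginId) + ")";
        NamingEnumeration<SearchResult> users =
            ctx.search(USERS_PARENT_DN, userFilter, controls(SEARCH_USERS_SUB_TREE, USER_DN_ATTR));
        if (!users.hasMore()) return roles;
        String userDn = (String) users.next().getAttributes().get(USER_DN_ATTR).get();
        // {1} receives the user's DN, as the property description states; argument {0} is unused.
        String roleFilter = MessageFormat.format(ROLES_OF_USER_FILTER, loginId, escape(userDn));
        NamingEnumeration<SearchResult> found =
            ctx.search(ROLES_PARENT_DN, roleFilter, controls(SEARCH_ROLES_SUB_TREE, ROLE_DN_ATTR));
        while (found.hasMore()) roles.add((String) found.next().getAttributes().get(ROLE_DN_ATTR).get());
        return roles;
    }
    public static void main(String[] args) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); // Naming Initial Factory
        env.put(Context.PROVIDER_URL, "ldap://ldap.example.test:389");               // Naming Provider URL
        env.put(Context.SECURITY_AUTHENTICATION, "simple");                            // Naming Security Authentication
        env.put(Context.SECURITY_PRINCIPAL, "cn=svc-jmsiq,ou=Service,dc=example,dc=test"); // Naming Security Principal
        env.put(Context.SECURITY_CREDENTIALS, Objects.requireNonNull(System.getenv("JMSIQ_LDAP_PASSWORD"), "JMSIQ_LDAP_PASSWORD is not set"));
        DirContext ctx = new InitialDirContext(env);
        try { System.out.println(rolesOf(ctx, args[0])); } finally { ctx.close(); }
    }
}
```

The bind password is read from the environment instead of the STC default listed in the table, and the login ID to resolve is passed as the first command-line argument; a user whose roles are searched one level below Roles Parent DN will show no roles if they live deeper, which is what Search Roles Sub Tree controls.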