Configuring LDAP Directories

General Configuration

A filter that uses an LDAP directory to authenticate a user or retrieve attributes for a user must have an LDAP directory associated with it. The Configure LDAP Server screen is used to configure connection details of the LDAP directory.

When a filter that uses an LDAP directory runs for the first time after a server refresh or restart, the server binds to the LDAP directory using the connection details configured on the Configure LDAP Server dialog. Usually these details are the username and password of a service account with read access to every user entry for which the filter must retrieve attributes or authenticate. Give this account read access only: it never needs to modify the directory, and a read-only bind limits the damage if its credentials are exposed.

To configure LDAP connection information:

  1. Select or enter a name for the LDAP filter in the Filter Name dropdown list.
  2. Enter the location of the LDAP directory in the URL field. The URL combines the protocol (ldap), the host name or IP address of the directory server, and the port number of the LDAP service. The standard LDAP port is 389. If the directory will be contacted over SSL, prefer the host name that appears in the server's certificate over a bare IP address. The following is an example of a valid LDAP directory URL:
    ldap://192.168.0.45:389

Authentication Configuration

If the configured LDAP directory requires clients to authenticate, select the appropriate method in the Authentication Type field; the Enterprise Gateway authenticates to the directory with that method whenever it connects. Note that whichever method is chosen, if the connection to the LDAP server is made over SSL, that server's SSL certificate must first be imported into the Oracle Trusted Certificate Store. The Enterprise Gateway can authenticate to an LDAP directory using the following methods:

None:
No authentication credentials are submitted to the LDAP server with this method; the client binds anonymously. An anonymous client is typically permitted read operations only, and many directories restrict even those, so confirm that the attributes the filter needs are readable anonymously. No further details need to be entered for this method.

Simple:
Simple authentication sends the bind user name (DN) and its password to the LDAP server in clear text. Because the password crosses the network unprotected, connect to the server over an encrypted channel, for example SSL, whenever this method is used.

A Realm is not needed for Simple authentication; the realm only takes part in the Digest-MD5 exchange, where it is hashed together with the user name and password. If the LDAP server contains multiple realms and the specified user name exists in more than one of them, which entry actually binds is at the discretion of that LDAP server.

Click the SSL Enabled checkbox to force the Enterprise Gateway to connect to the LDAP directory over SSL. In order to successfully establish SSL connections with the LDAP directory, the directory's certificate must be imported into the Enterprise Gateway's certificate store.
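The URL and authentication settings above can be checked mechanically before a filter is deployed. The following is an added example, not Enterprise Gateway code: it parses an LDAP URL of the form shown in the General Configuration steps and flags the weak combinations described in this section (Simple bind without SSL, credentials configured for an anonymous bind, Digest-MD5, an SSL target addressed by IP). The configuration keys `url`, `auth_type`, `ssl_enabled`, `username`, `password` and `realm` are assumed names modelled on the dialog's fields; the product's real export format is not shown on this page.

```python
"""Sanity-check an LDAP connection configuration (added example, not product code).

Keys are assumed names modelled on the Configure LDAP Server fields:
url, auth_type ("None" | "Simple" | "Digest-MD5"), ssl_enabled, username,
password, realm.
"""
import ipaddress
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}   # standard LDAP / LDAP-over-SSL ports


def _looks_like_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_ldap_url(url: str) -> dict:
    """Split an LDAP URL into scheme, host and port, filling in the default port."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"not an LDAP URL: {url!r}")
    if not parts.hostname:
        raise ValueError(f"missing host in LDAP URL: {url!r}")
    return {"scheme": parts.scheme,
            "host": parts.hostname,
            "port": parts.port or DEFAULT_PORTS[parts.scheme]}


def check_ldap_config(cfg: dict) -> list:
    """Return a list of findings; an empty list means nothing to complain about."""
    try:
        target = parse_ldap_url(cfg["url"])
    except ValueError as exc:
        return [str(exc)]

    findings = []
    # The channel is encrypted if the SSL Enabled box is ticked or an ldaps URL is used.
    encrypted = bool(cfg.get("ssl_enabled", False)) or target["scheme"] == "ldaps"
    auth = cfg.get("auth_type", "None")

    if auth == "Simple" and not encrypted:
        findings.append("Simple bind sends the password in clear text: "
                        "enable SSL or the credential crosses the wire unprotected")
    if auth == "Digest-MD5":
        findings.append("Digest-MD5 (RFC 2831) is historic per RFC 6331; "
                        "prefer Simple bind over SSL where the directory allows it")
    if auth == "None" and (cfg.get("username") or cfg.get("password")):
        findings.append("auth_type None binds anonymously; the configured "
                        "username/password are never sent")
    if auth not in ("None", "Simple", "Digest-MD5"):
        findings.append(f"unknown auth_type {auth!r}")
    if encrypted and _looks_like_ip(target["host"]):
        findings.append("SSL target addressed by IP: the server certificate must "
                        "name that IP, most directory certificates name a host instead")
    return findings


if __name__ == "__main__":
    # Constructed sample configs: the weak setting beside the corrected one.
    weak = {"url": "ldap://192.168.0.45:389", "auth_type": "Simple",
            "username": "cn=gateway-svc,dc=example,dc=com", "password": "hunter2"}
    fixed = dict(weak, url="ldap://ldap.example.com", ssl_enabled=True)
    for name, cfg in (("weak", weak), ("fixed", fixed)):
        print(name, check_ldap_config(cfg) or "OK")
```

Run it over an exported filter configuration before deployment; an empty result for the corrected configuration and a clear-text finding for the original is the expected outcome.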

Digest-MD5:
Digest-MD5 is a challenge-response method. The server sends the client a random nonce, and the client replies with an MD5 digest computed over that nonce, a client nonce, the realm, the user name and the password, so the password itself never crosses the wire. The server recomputes the same digest from the credential it has stored for the user and authenticates the client if the two values match. Two caveats apply: the server must hold the password, or the unsalted MD5 hash of user name, realm and password, in a form it can use for this computation, and DIGEST-MD5 has been moved to historic status by RFC 6331. Where the directory supports it, Simple authentication over SSL is the recommended choice.

The Realm field is optional, but may be needed when the LDAP server contains multiple realms. If a realm is specified, the client includes it in its Digest-MD5 response and the LDAP server validates the user against that realm only.
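To make the exchange concrete, the following added example works through a DIGEST-MD5 bind as specified in RFC 2831 (algorithm md5-sess): the server's challenge, the client's digest response, and the server-side check against its stored per-user secret. It is an illustration of the mechanism, not code from the Enterprise Gateway or any LDAP server; the user name, realm, password and digest-uri are constructed for the demo. It also shows why the Realm setting matters (the realm selects which stored secret the server uses) and why a replayed response fails (the nonce is fresh per challenge).

```python
"""DIGEST-MD5 (RFC 2831) challenge/response, worked end to end.

Added illustration, not Enterprise Gateway or LDAP server code.
All user names, realms, passwords and URIs below are made up.
"""
import hashlib
import hmac
import secrets


def _h(data: bytes) -> bytes:          # H() in RFC 2831: raw 16-byte MD5
    return hashlib.md5(data).digest()


def _hex_h(data: bytes) -> str:        # HEX(H()) in RFC 2831
    return hashlib.md5(data).hexdigest()


def stored_secret(username: str, realm: str, password: str) -> bytes:
    """The per-user value a DIGEST-MD5 server must keep: H(username:realm:password).

    This is unsalted and password-equivalent: anyone who reads it can bind
    as that user, which is the cost of never sending the password itself."""
    return _h(f"{username}:{realm}:{password}".encode("utf-8"))


def digest_response(secret: bytes, nonce: str, cnonce: str, nc: str,
                    qop: str, digest_uri: str) -> str:
    """response-value from RFC 2831 section 2.1.2.1 for algorithm=md5-sess."""
    a1 = secret + f":{nonce}:{cnonce}".encode("utf-8")
    a2 = f"AUTHENTICATE:{digest_uri}".encode("utf-8")
    if qop in ("auth-int", "auth-conf"):
        a2 += b":00000000000000000000000000000000"
    kd_input = f"{_hex_h(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_hex_h(a2)}"
    return _hex_h(kd_input.encode("utf-8"))


def server_challenge(realm: str) -> dict:
    """Step 1: the server sends a fresh nonce (the 'data' the text refers to)."""
    return {"realm": realm, "nonce": secrets.token_hex(16), "qop": "auth",
            "algorithm": "md5-sess", "charset": "utf-8"}


def client_response(challenge: dict, username: str, password: str,
                    digest_uri: str) -> dict:
    """Step 2: the client proves knowledge of the password without sending it."""
    secret = stored_secret(username, challenge["realm"], password)
    msg = {"username": username, "realm": challenge["realm"],
           "nonce": challenge["nonce"], "cnonce": secrets.token_hex(16),
           "nc": "00000001", "qop": challenge["qop"], "digest-uri": digest_uri}
    msg["response"] = digest_response(secret, msg["nonce"], msg["cnonce"],
                                      msg["nc"], msg["qop"], msg["digest-uri"])
    return msg


def server_verify(challenge: dict, msg: dict, user_db: dict) -> bool:
    """Step 3: the server recomputes the digest from its stored secret and compares.

    user_db maps (username, realm) -> stored_secret(). The realm in the
    client's reply selects the entry, which is why the Realm setting matters
    on a multi-realm server."""
    if msg.get("nonce") != challenge["nonce"]:        # stale or replayed response
        return False
    secret = user_db.get((msg.get("username"), msg.get("realm")))
    if secret is None:                                # unknown user or wrong realm
        return False
    expected = digest_response(secret, msg["nonce"], msg["cnonce"], msg["nc"],
                               msg["qop"], msg["digest-uri"])
    return hmac.compare_digest(expected, msg.get("response", ""))


def demo() -> bool:
    """Full exchange with constructed values; returns True on a successful bind."""
    user_db = {("gateway-svc", "corp.example"):
               stored_secret("gateway-svc", "corp.example", "correct horse")}
    challenge = server_challenge("corp.example")
    reply = client_response(challenge, "gateway-svc", "correct horse",
                            "ldap/ldap.corp.example")
    return server_verify(challenge, reply, user_db)


if __name__ == "__main__":
    print("bind accepted" if demo() else "bind rejected")
```

Note what the server needs in `user_db`: not the password, but `H(username:realm:password)`, which is just as sensitive. That stored value, plus MD5's age, is the reason RFC 6331 retired the mechanism.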