LDAP authentication

You can use a directory server that implements the Lightweight Directory Access Protocol (LDAP) for authentication and for storing user and group information.

When LDAP-based authentication is used, user and security group information is stored in LDAP and managed by default at the LDAP level. If IBM® WebSphere® is used as the supporting application server, the data is synchronized with the Maximo® database using IBM WebSphere VMM and VMMSYNC cron task instances.

The synchronization is one way from the directory server to the Maximo database and permits create and update actions only. Deleting a user from LDAP does not delete the user from the Maximo database.

Setting up LDAP authentication

Complete the following steps to set up LDAP authentication and synchronize the data between the directory server and the Maximo database:

  1. Enable application server security.
  2. Configure the base framework to use application server security:
    • In the maximo.properties file, set the value of the mxe.useAppServerSecurity property to 1 (one).
    • Modify the web.xml file to allow login page redirection.
    • Map the Maximousers J2EE role to All Authenticated.
  3. Set federated repository (VMM) configured as the current realm for the application server.
  4. Federate LDAPs (IBM Security Directory Server or Microsoft Active Directory) under the application server realm.
  5. Configure and activate crontask instances.

Override default behavior

LDAP-based authentication affects the availability of some product features. When LDAP-based authentication is used, the LDAP server, by default, manages user and group creation. As a result, the following features are disabled:
  • Create users
  • Change passwords
  • Self registration
  • Create security groups
  • Associate users and security groups
You can override the default behavior by setting the mxe.LDAPUserMgmt property to 0 (zero). This property cannot be changed in the System Properties application, instead, issue the following SQL commands in your database:
  • To check whether the property is in database, run the following command:
     
SELECT PROPNAME, PROPVALUE
FROM MAXPROPVALUE
WHERE PROPNAME = 'mxe.LDAPUserMgmt'
  • To set value to 0, run the following command:
     
UPDATE MAXPROPVALUE
SET PROPVALUE = '0'
WHERE PROPNAME = 'mxe.LDAPUserMgmt'

Setting these properties has the following results:

Feature Available?
Add and delete security groups Yes
Modify security groups Yes
Manager user and group relationships Yes
Add and delete users Yes
Modify user information (other than password) Yes
User self registration No
Change password No
Parent topic: Security

Feedback