LDAP

Authentication against an LDAP server is provided by IBM HTTP Server for i. Configuration is done in 3 steps:

  1. Create an LDAP configuration file

  2. Configure Profound UI HTTP server instance for LDAP authentication

  3. (Optional) Configure Profound UI for Enterprise Identity Mapping (EIM)

Creating an LDAP Configuration File

LDAP-related configuration is stored in a separate file, stored at /www/INSTANCE_NAME/conf/ldap.prop. For example:

/www/profoundui/conf/ldap.prop
  LDAP.URL "ldap://my_ldap_server:389/dc=mycompany,dc=mydomain,dc=com"
  LDAP.Application.DN cn=Administrator
  LDAP.Application.Password.StashFile /QIBM/UserData/HTTPSVR/LDAP/PROFOUNDUI/1509465782112.stash
  LDAP.User.Name.Filter (&(objectclass=person)(uid=%v1))

See the IBM Knowledge Center documentation for details about each configuration directive.
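The following is an added example (not part of this documentation and not IBM's or Profound Logic's code) that reads an ldap.prop in the format shown above and models the one directive a reviewer should look at most closely: LDAP.User.Name.Filter, where the name typed into the browser's Basic-auth prompt replaces %v1. Any LDAP client has to apply the RFC 4515 escapes before placing a user-supplied value in a filter, so the block shows what a correct substitution must produce; how IBM HTTP Server performs the substitution internally is not shown on this page. The sample content is the example file above, embedded as a string; the review findings are my own checks, derived only from what the directives say.

```python
# Constructed sample: the ldap.prop content shown above, as one string.
SAMPLE_LDAP_PROP = """\
LDAP.URL "ldap://my_ldap_server:389/dc=mycompany,dc=mydomain,dc=com"
LDAP.Application.DN cn=Administrator
LDAP.Application.Password.StashFile /QIBM/UserData/HTTPSVR/LDAP/PROFOUNDUI/1509465782112.stash
LDAP.User.Name.Filter (&(objectclass=person)(uid=%v1))
"""


def parse_ldap_prop(text):
    """Parse 'Directive value' lines into a dict.

    Reader for the format shown on this page, not IBM's own parser: one
    directive per line, the value is everything after the first space, and a
    value wrapped in double quotes (as LDAP.URL is) has the quotes removed.
    Blank lines and lines starting with '#' are skipped.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        directives[name] = value
    return directives


# RFC 4515 escape sequences for the characters that are significant inside a
# search filter.  Any LDAP client must apply these before placing untrusted
# text (here, the user name typed into the browser) into a filter.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value):
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(directives, username):
    """Model the user lookup: substitute the escaped user name for %v1.

    This is what a correct substitution must produce; the page does not show
    how IBM HTTP Server does it internally.
    """
    template = directives["LDAP.User.Name.Filter"]
    return template.replace("%v1", escape_filter_value(username))


def review_config(directives):
    """Return review findings for an ldap.prop, based only on its directives."""
    findings = []
    url = directives.get("LDAP.URL", "")
    if url.startswith("ldap://"):
        findings.append("LDAP.URL is plain ldap://: the URL scheme itself "
                        "provides no encryption for the bind and search traffic")
    if "%v1" not in directives.get("LDAP.User.Name.Filter", ""):
        findings.append("LDAP.User.Name.Filter has no %v1 placeholder, so the "
                        "user name cannot be substituted")
    if ("LDAP.Application.DN" in directives
            and "LDAP.Application.Password.StashFile" not in directives):
        findings.append("LDAP.Application.DN is set but no password stash file "
                        "is referenced; the application password lives in the "
                        "stash file")
    return findings


if __name__ == "__main__":
    conf = parse_ldap_prop(SAMPLE_LDAP_PROP)
    print(build_user_filter(conf, "jsmith"))
    for finding in review_config(conf):
        print("finding:", finding)
```

Run it against your own ldap.prop by reading the file into `parse_ldap_prop`; a name containing `*` or parentheses should come back escaped in the filter, and the review list should be empty once the URL uses ldaps:// and a stash file is referenced for the application DN.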

If your LDAP server requires a logon before queries can be run, then the ldap.prop file must be created with the IBM Web Administration for i GUI. This is because the LDAP password is stored in a separate, encrypted 'stash file' that must be generated using the GUI. To create the 'ldap.prop' file and password stash using IBM Web Administration for i, open your web browser to http://ibmi:2001/HTTPAdmin, and then follow these steps:

Configuring the Profound UI HTTP Server Instance for LDAP Authentication

The necessary configuration directives are provided in comments in the default configuration file, /www/INSTANCE_NAME/conf/httpd.conf. To enable LDAP authentication, comment out the section of directives for IBM i user profile authentication, and uncomment the section for LDAP authentication: 

LDAP configuration directives in /www/profoundui/conf/httpd.conf
  <DirectoryMatch "^/QSYS\.LIB/PROFOUNDUI\.LIB/PUI000(3.{3}|2130)\.PGM">
      LDAPConfigFile /www/profoundui/conf/ldap.prop
      PasswdFile %%LDAP%%
      AuthType Basic
      AuthName "Profound UI"
      Require valid-user
  </DirectoryMatch>

  <LocationMatch "^/profoundui/auth/(.*)">
      LDAPConfigFile /www/profoundui/conf/ldap.prop
      PasswdFile %%LDAP%%
      AuthType Basic
      AuthName "Profound UI"
      Require valid-user
  </LocationMatch>
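Because the two sections above only protect what their regular expressions match, a practitioner enabling LDAP authentication will want to confirm which paths fall inside them. The following added example (not part of this documentation, and not code from IBM or Profound Logic) compiles the two patterns exactly as written and reports, for a set of constructed sample paths, which section applies. It assumes the request path is compared as-is, the way Apache feeds the URL path to LocationMatch and, on IBM i, the /QSYS.LIB/... path to DirectoryMatch; the PUI000... program names in the sample are placeholders chosen only to exercise both alternatives of the pattern.

```python
import re

# Regular expressions copied from the DirectoryMatch and LocationMatch
# sections of the httpd.conf excerpt above.  Apache evaluates them as PCRE;
# Python's re engine gives the same result for these two patterns.
PROTECTED_SECTIONS = {
    "DirectoryMatch": re.compile(r"^/QSYS\.LIB/PROFOUNDUI\.LIB/PUI000(3.{3}|2130)\.PGM"),
    "LocationMatch": re.compile(r"^/profoundui/auth/(.*)"),
}


def matching_section(path):
    """Return the name of the section whose pattern matches path, else None.

    Assumption: the path is compared as-is.  Both patterns are anchored at
    the start only and are case-sensitive as written, so a differently cased
    path is reported as unprotected by these two sections; check how your
    server normalises case before relying on that either way.
    """
    for name, pattern in PROTECTED_SECTIONS.items():
        if pattern.search(path):
            return name
    return None


def coverage_report(paths):
    """Map each path to the protecting section, or None if neither applies."""
    return {path: matching_section(path) for path in paths}


# Constructed sample paths; the PUI000... names are placeholders, not real
# Profound UI program names.
SAMPLE_PATHS = [
    "/QSYS.LIB/PROFOUNDUI.LIB/PUI0003000.PGM",   # '3' followed by any three characters
    "/QSYS.LIB/PROFOUNDUI.LIB/PUI0002130.PGM",   # the literal '2130' alternative
    "/QSYS.LIB/PROFOUNDUI.LIB/PUI0001234.PGM",   # matches neither alternative
    "/qsys.lib/profoundui.lib/pui0003000.pgm",   # lower case: not matched as written
    "/profoundui/auth/start",                    # under the LocationMatch prefix
    "/profoundui/start",                         # outside both sections
]

if __name__ == "__main__":
    for path, section in coverage_report(SAMPLE_PATHS).items():
        print(f"{path:48} -> {section or 'no LDAP requirement'}")
```

Feed it the paths your users actually request; anything reported without a section is served without the LDAP requirement from these two blocks, which is consistent with the note at the end of this page that /profoundui/start, /profoundui/genie and /profoundui/atrium cannot be used to start sessions under LDAP authentication.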

(Optional) Configuring Profound UI for Enterprise Identity Mapping (EIM)

This is an optional step.

With the configuration described above, Profound UI Rich Display File application sessions and Atrium will authenticate against the LDAP server, and the IBM i job will run as user profile QTMHHTP1. The environment variable REMOTE_USER will be set to the LDAP user name.

This step allows you to configure Profound UI so that the LDAP user name is mapped to an IBM i user profile, via IBM's Enterprise Identity Mapping (EIM) system. Once configured, the user's Rich Display File session jobs and also Atrium will run as the mapped IBM i user. This step also enables Genie to work with LDAP authentication – i.e. the user signs into the HTTP server using LDAP credentials and then Genie starts a 5250 session as the mapped IBM i user, bypassing the 5250 sign on display. 

See the IBM documentation at the Knowledge Center for more information about EIM.

To configure Profound UI for EIM, create a configuration file /www/INSTANCE_NAME/conf/eim-config.xml. 

/www/profoundui/conf/eim-config.xml
  <?xml version="1.0" encoding="UTF-8" ?>
  <profoundui-eim>
    <source-registry>MY_EIM_SOURCE_REGISTRY</source-registry>
    <target-registry>MY_EIM_LOCAL_REGISTRY</target-registry>
    <!-- The EIM domain controller URL is required only if you wish to connect to an EIM domain controller
         which is different than the default EIM domain controller that is configured for this server.
    <domain-url>ldap://my_ldap_server:389/ibm-eimdomainname=MY_EIM_DOMAIN_NAME</domain-url>
    -->
  </profoundui-eim>

The following line also needs to be uncommented in the Profound UI HTTP server instance configuration file: 

/www/profoundui/conf/httpd.conf


URLs for LDAP Authentication

Once the configuration is complete and the Profound UI HTTP server instance is restarted, users can access Profound UI with the following URLs:

Note: When using LDAP authentication, sessions cannot be started with http://ibmi:8080/profoundui/start, http://ibmi:8080/profoundui/genie, or http://ibmi:8080/profoundui/atrium