Parameters Requiring Conversion

ldap_conn_type

The connection type is indirectly supported by the JAAS modules through the protocol portion of the LDAP URL.

  • ldap:// creates a TCP connection.
  • ldaps:// creates a TLS connection.

If the startTLS LDAP extension is required, additional JNDI parameters may be specified through the JAAS configuration. Alternatively, you can customize the JAAS module. See Custom JAAS Modules for more information.

ldap_tls Parameters

The JAAS modules can pass any parameters to JNDI. It is up to the user to determine which Java TLS parameters to pass to JNDI through the JAAS configuration.

In most cases, only a certificate key store is required. For convenience, the tibems.ldap.truststore parameter can be used to specify the store. Refer to Java documentation for additional information regarding the use of TLS.

Filters

Filters perform the same function in the JAAS modules as they do when LDAP authentication is configured within the EMS server, but the specification of the filter parameters is slightly different.

Be sure to replace each %s placeholder from the EMS server's filters with the appropriate {n} placeholder in the JAAS module filter.

ldap_user_class and ldap_static_group_class

The ldap_user_class and ldap_static_group_class parameters are not necessary in the JAAS modules.

LDAP class names are specified in the filters, as in the following examples:

tibems.ldap.user_filter="(&({0}={1})(objectClass=uniqueMember))"

and

tibems.ldap.group_filter="(&({0}={1})(objectClass=groupofUniqueNames))"

Refer to the filter documentation to map the various identifiers. For example, when converting the user filter, the %s placeholder from the former EMS server LDAP parameter maps to {1} in the JAAS filter. Many group searches should work with a filter similar to:

(&({0}={1})(objectClass=<group class>))

However, dynamic groups do allow you to specify the class in order to mirror the search algorithm used by the former EMS server native LDAP functionality.
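
The following added example (not TIBCO code) sketches a migration helper for the user filter conversion described above: it rewrites %s to {1} and rejects filters whose structure is broken, since a malformed filter in an authentication module tends to fail only at login time. The function names and the sample filters are constructed for illustration; only the %s to {1} mapping comes from this page.

```python
import re

JAAS_PLACEHOLDER = re.compile(r"\{\d+\}")


def check_filter(flt):
    """Return a list of structural problems found in an LDAP filter template."""
    problems = []
    if "%s" in flt:
        problems.append("unconverted %s placeholder")
    # An operator (&, |, !) must be followed by a parenthesised sub-filter.
    for m in re.finditer(r"\([&|!](?!\()", flt):
        problems.append(f"operator at offset {m.start() + 1} is not followed by '('")
    depth = 0
    for pos, ch in enumerate(flt):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                problems.append(f"unmatched ')' at offset {pos}")
                break
            if depth == 0 and pos != len(flt) - 1:
                problems.append(f"filter closes at offset {pos} with text left over")
                break
    if depth > 0:
        problems.append(f"{depth} unclosed '('")
    if not flt.startswith("("):
        problems.append("filter must start with '('")
    return problems


def convert_user_filter(legacy):
    """Rewrite a legacy EMS user filter so that %s becomes {1}, then validate it."""
    if JAAS_PLACEHOLDER.search(legacy):
        raise ValueError("filter already contains JAAS-style {n} placeholders")
    converted = legacy.replace("%s", "{1}")
    problems = check_filter(converted)
    if problems:
        raise ValueError("; ".join(problems))
    return converted


if __name__ == "__main__":
    # Constructed sample of a legacy EMS server user filter.
    print(convert_user_filter("(&(uid=%s)(objectClass=person))"))
    # Constructed sample of a group filter with misplaced parentheses.
    print(check_filter("(&{0}={1})(objectClass=groupofUniqueNames)"))
```
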