Example configurations of LDAP servers for Microsoft Active Directory

Refer to this template if you are using Microsoft Active Directory. This file describes a default configuration. For more advanced and specific configurations, refer to the relevant WebSphere Application Server Liberty documentation at Configuring LDAP user registries in Liberty or to your LDAP administrator.
<server description="federated_basicLDAP">
	<!-- This variable specifies the group whose members are the primary DWC Administrator users.
	     It can be a group defined in the file-based user registry (the <basicRegistry> section below)
	     or in your LDAP directory service. -->
	<variable name="admin.group.name" value="Admins"/>
	<!-- The base distinguished name (DN) of the directory service: the starting point for LDAP
	     searches in the directory.
	     Sample: <variable name="ldap.base.DN" value="o=domain,c=us"/> -->
	<variable name="ldap.base.DN" value="DC=TWS,DC=COM"/>
	<!-- The port number of the LDAP server (389 for plain LDAP, 636 for LDAPS).
	     Sample: <variable name="ldap.port" value="389"/> -->
	<variable name="ldap.port" value="389"/>
	<!-- The address of the LDAP server, as an IP address or a domain name service (DNS) name.
	     Sample: <variable name="ldap.host" value="host.domain.com"/> -->
	<variable name="ldap.host" value="<your_host_name>"/>
	<!-- The distinguished name (DN) used by the application server to bind to the directory service.
	     Specify a user defined in Microsoft Active Directory with look-up rights: a read-only account
	     is sufficient, it needs no write or administrative permissions.
	     Sample: <variable name="ldap.adminDN" value="cn=testuser,o=domain,c=us"/> -->
	<variable name="ldap.adminDN" value="CN=Operators,DC=TWS,DC=COM"/>
	<!-- The password of the bind DN above.
	     Use the Liberty tool <wlp_dir>/bin/securityUtility to obtain an encoded value for your password:
		1. run: <wlp_dir>/bin/securityUtility encode mypassword
		2. output: {xor}MiYvPiwsKDAtOw==
		3. fill the value field with the printed output value
	     The default {xor} encoding only obfuscates the password; anyone who can read this file can
	     reverse it. Restrict the file permissions of server.xml, or use the aes encoding option of
	     securityUtility encode with a key you supply, which encrypts the value instead.
	     Sample: <variable name="ldap.password" value="{xor}MiYvPiwsKDAtOw=="/> -->
	<variable name="ldap.password" value=""/>
	<jndiEntry value="${admin.group.name}" jndiName="admin.group.name" />
	<!-- Assign 'admin' to Administrator -->
	<!-- Details about how to configure the LDAP registry and federate it with the basic registry can be found following this link: -->
	<!-- To troubleshoot any LDAP authentication issue, copy trace.xml into overrides with the following traceSpecification: -->
	<!-- allowOpIfRepoDown="true" keeps logins working against the remaining repository (the file-based
	     one) when the LDAP server is unreachable. -->
	<federatedRepository searchTimeout="20m">
		<primaryRealm name="TWSRealm" allowOpIfRepoDown="true">
			<participatingBaseEntry name="o=BasicRealm"/>
			<participatingBaseEntry name="${ldap.base.DN}"/>
			<uniqueGroupIdMapping inputProperty="uniqueName" outputProperty="uniqueName"/>
			<groupSecurityNameMapping inputProperty="cn" outputProperty="cn"/>
			<groupDisplayNameMapping inputProperty="cn" outputProperty="cn"/>
			<userDisplayNameMapping inputProperty="principalName" outputProperty="principalName"/>
			<userSecurityNameMapping inputProperty="principalName" outputProperty="principalName"/>
			<uniqueUserIdMapping inputProperty="uniqueName" outputProperty="uniqueName"/>
		</primaryRealm>
	</federatedRepository>
	<!-- Note for an LDAP directory service configured with SSL:
		1. set sslEnabled to "true" on the ldapRegistry element below (without it, the bind password
		   and every user lookup travel in clear text on port 389; LDAPS normally uses port 636)
		2. import the LDAP certificate into the trustStore used by the server
		   (it is defined in the configDropins/defaults/ssl_config.xml file; the default one is 
		   To import the exported LDAP certificate your_ldap.cert, run
			$JAVA_HOME/bin/keytool -import -file ./your_ldap.cert -alias ldapCA -keystore 
	-->
	<ldapRegistry id="AD"
		host="${ldap.host}" port="${ldap.port}" ignoreCase="true"
		ldapType="Microsoft Active Directory"
		groupMemberIdMap="memberOf:member">
	</ldapRegistry>
	<basicRegistry id="basic" realm="BasicRealm">
		<!--  DO NOT DELETE -->
		<user name="${user.twsuser.id}" password="${user.twsuser.password}"/>
		<!--  END DO NOT DELETE -->
		<group name="${admin.group.name}">
			<member name="${user.twsuser.id}"/>
		</group>
		<!-- Sample for adding other users or groups in the file-based user registry, shown commented
		     out. These sample accounts use the user name as password: do not enable them on a
		     production server.
			<user name="nonadmin" password="nonadmin"/>
			<user name="analyst" password="analyst"/>
			<user name="developer" password="developer"/>
			<user name="configurator" password="configurator"/>
			<user name="operator" password="operator"/>
			<group name="Admins">
				<member name="${user.twsuser.id}"/>
			</group>
		-->
	</basicRegistry>
</server>
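The {xor} value printed in step 2 of the password instructions above is obfuscation, not encryption. The following Python script is an added example, not code from the original page or from Liberty: it reproduces the encoding (each byte XORed with 0x5F, then base64, prefixed with {xor}) and shows that the page's own sample value decodes straight back to mypassword. The classify_password_value helper and its wording are this editor's, and the script assumes ASCII passwords.

```python
"""Round-trip WebSphere Liberty's {xor} password encoding (added example).

securityUtility encode, with its default encoding, XORs every byte of the
password with 0x5F, base64-encodes the result and prefixes it with "{xor}".
The key is fixed and public, so the value is reversible by anyone who can
read server.xml: it protects against shoulder surfing, not against disclosure.
Assumes ASCII passwords (Liberty's handling of non-ASCII is not reproduced).
"""
import base64

XOR_KEY = 0x5F
XOR_PREFIX = "{xor}"


def encode_xor(password: str) -> str:
    """Return the {xor} form of password, as 'securityUtility encode' prints it."""
    if not password.isascii():
        raise ValueError("this reimplementation only handles ASCII passwords")
    xored = bytes(b ^ XOR_KEY for b in password.encode("ascii"))
    return XOR_PREFIX + base64.b64encode(xored).decode("ascii")


def decode_xor(value: str) -> str:
    """Recover the cleartext from a {xor} value; refuse anything else."""
    if not value.startswith(XOR_PREFIX):
        raise ValueError("not a {xor} value")
    raw = base64.b64decode(value[len(XOR_PREFIX):], validate=True)
    return bytes(b ^ XOR_KEY for b in raw).decode("ascii")


def classify_password_value(value: str) -> str:
    """Triage an ldap.password value the way a config review would (editor's wording)."""
    if value == "":
        return "empty: no bind credential is configured"
    if value.startswith("{aes}"):
        return "aes: encrypted; protect the key and the file permissions of server.xml"
    if value.startswith(XOR_PREFIX):
        return "xor: reversible obfuscation only; treat server.xml as a secret"
    if value.startswith("{hash}"):
        return "hash: one-way, usable for basicRegistry users but not as a bind password"
    return "cleartext: encode it with securityUtility before saving the file"


if __name__ == "__main__":
    sample = "{xor}MiYvPiwsKDAtOw=="  # the value printed in step 2 of the page
    print(sample, "decodes to", decode_xor(sample))
    print(classify_password_value(sample))
```

Run it as-is to see the sample value recovered; the practical consequence is that a {xor} bind password is only as safe as the read permissions on server.xml and on any backup or repository copy of it.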
If you have nested groups in your Microsoft Active Directory, ensure you set the recursiveSearch property in the ldapRegistry id="AD" section to true, as follows; without it, a user who belongs to the administrator group only through a nested group is not recognized as a member:
<ldapRegistry id="AD"
		host="${ldap.host}" port="${ldap.port}" ignoreCase="true"
		ldapType="Microsoft Active Directory"
		groupMemberIdMap="memberOf:member"
		recursiveSearch="true">
</ldapRegistry>
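The settings discussed on this page (the bind password encoding, sslEnabled from the SSL note, recursiveSearch for nested groups, and the sample accounts in the basic registry) can be checked mechanically before a server.xml is deployed. The following Python script is an added example by this editor, not part of the product or the page. SERVER_XML is a constructed, trimmed copy of the template above with a made-up host name, a literal twsuser account and the closing tags restored so it parses; bindDN and bindPassword are the Liberty ldapRegistry attributes assumed here to consume ldap.adminDN and ldap.password, which the page defines but does not show being used. HARDENED_XML is the same file with the weak settings corrected, so the two audits can be compared.

```python
"""Audit the LDAP-related settings of a Liberty server.xml (added example)."""
import re
import xml.etree.ElementTree as ET

VAR_RE = re.compile(r"\$\{([^}]+)\}")

# Constructed from the page's template; host name and twsuser are made up.
SERVER_XML = """<server description="federated_basicLDAP">
  <variable name="ldap.host" value="ad.tws.com"/>
  <variable name="ldap.port" value="389"/>
  <variable name="ldap.adminDN" value="CN=Operators,DC=TWS,DC=COM"/>
  <variable name="ldap.password" value=""/>
  <ldapRegistry id="AD" host="${ldap.host}" port="${ldap.port}" ignoreCase="true"
      ldapType="Microsoft Active Directory" groupMemberIdMap="memberOf:member"
      bindDN="${ldap.adminDN}" bindPassword="${ldap.password}"/>
  <basicRegistry id="basic" realm="BasicRealm">
    <user name="twsuser" password="{xor}MiYvPiwsKDAtOw=="/>
    <user name="nonadmin" password="nonadmin"/>
    <user name="operator" password="operator"/>
    <group name="Admins"><member name="twsuser"/></group>
  </basicRegistry>
</server>"""

# The same file after applying the page's SSL note and the findings below.
# The {aes} value is a placeholder: only its prefix is inspected.
HARDENED_XML = (SERVER_XML
    .replace('value="389"', 'value="636"')
    .replace('value=""', 'value="{aes}placeholder"')
    .replace('ignoreCase="true"', 'ignoreCase="true" sslEnabled="true" recursiveSearch="true"')
    .replace('<user name="nonadmin" password="nonadmin"/>', "")
    .replace('<user name="operator" password="operator"/>', ""))


def resolve(value, variables):
    """Expand ${name} from the file's <variable> elements; keep unknown references as-is."""
    return VAR_RE.sub(lambda m: variables.get(m.group(1), m.group(0)), value or "")


def audit(server_xml):
    """Return (code, message) findings for the LDAP and basic registries."""
    root = ET.fromstring(server_xml)
    variables = {v.get("name"): v.get("value", "") for v in root.iter("variable")}
    findings = []
    for reg in root.iter("ldapRegistry"):
        rid = reg.get("id", "?")
        port = resolve(reg.get("port", "389"), variables)
        if resolve(reg.get("sslEnabled", "false"), variables).lower() != "true":
            findings.append(("NO_SSL", f"{rid}: sslEnabled is not true; bind password and "
                             f"lookups cross the network in clear text on port {port}"))
        elif port == "389":
            findings.append(("SSL_PORT", f"{rid}: sslEnabled with port 389; LDAPS normally uses 636"))
        pw = resolve(reg.get("bindPassword", ""), variables)
        if reg.get("bindDN") and pw == "":
            findings.append(("EMPTY_BIND_PASSWORD", f"{rid}: bindDN is set but bindPassword is empty"))
        elif pw.startswith("{xor}"):
            findings.append(("XOR_BIND_PASSWORD", f"{rid}: bindPassword is only obfuscated; "
                             "restrict read access to server.xml"))
        elif pw and not pw.startswith("{aes}"):
            findings.append(("CLEARTEXT_BIND_PASSWORD", f"{rid}: bindPassword stored in clear text"))
        if resolve(reg.get("recursiveSearch", "false"), variables).lower() != "true":
            findings.append(("NO_RECURSIVE_SEARCH", f"{rid}: nested AD group membership "
                             "will not be expanded"))
    for user in root.iter("user"):
        name = resolve(user.get("name"), variables)
        pw = resolve(user.get("password"), variables)
        if pw == name:
            findings.append(("SAMPLE_CREDENTIAL", f"basicRegistry user {name}: password equals "
                             "the user name; remove sample accounts before going live"))
        elif not pw.startswith(("{xor}", "{aes}", "{hash}")):
            findings.append(("CLEARTEXT_BASIC_PASSWORD", f"basicRegistry user {name}: "
                             "password stored in clear text"))
    return findings


if __name__ == "__main__":
    for label, xml in (("template", SERVER_XML), ("hardened", HARDENED_XML)):
        print(f"{label}: {len(audit(xml))} finding(s)")
        for code, msg in audit(xml):
            print(" ", code, msg)
```

On the template as shipped the audit reports the missing sslEnabled, the empty bind password, the missing recursiveSearch and the two sample accounts whose password equals their name; on the hardened copy it reports nothing. The script only reads `<variable>` elements from the file itself, so values supplied through bootstrap.properties or the command line show up as unresolved `${...}` references rather than as findings.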