The application server is configured to authenticate against a Lightweight Directory Access Protocol (LDAP) server user registry. The system supports integration with Microsoft Active Directory or IBM Tivoli Directory Server as the LDAP server. LDAP server data can be synchronized into the product database tables. The application server that you use determines which directory servers are supported.
Users and groups are added to and deleted from the LDAP server, but the system itself provides the authorization. By default, the property mxe.LDAPGroupMgmt is set so that group creation and group membership are managed by the directory server.
You configure all application-specific authorization rules for users and groups in the security module applications. Because the directory server owns passwords, password management is disabled in the Start Center, the Change Password application, self-registration, and the Users application.
LDAP server users and groups are synchronized into product database tables so that they can be identified as system users and so that user details are available in system applications.
Users and groups that are deleted from the LDAP server are not deleted from the database tables, because audits might need to be conducted for those users or groups.
If a user account is disabled on the LDAP server, the application server must expire that user's cached information for the change to take effect.
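The synchronization rules above (directory entries copied into local tables, deleted entries retained and flagged rather than removed, group membership taken only from the directory, and a disabled account's cached data expired) can be modelled in a few dozen lines. The following is an added example, not product code: the table names, the in-memory session cache and the two directory snapshots are constructed for illustration, and the Active Directory attribute names (sAMAccountName, userAccountControl, member) are used only because the page names Active Directory as a supported directory.

```python
"""Reconcile directory (LDAP) snapshots into local user/group tables.

Added example, not product code. Table names, the session cache and the
sample snapshots are assumptions chosen to illustrate the documented rules.
"""
import sqlite3
from typing import Any, Dict, Iterable, Set

# Bit in Active Directory's userAccountControl that marks a disabled account.
ACCOUNTDISABLE = 0x2

SCHEMA = """
CREATE TABLE IF NOT EXISTS app_user (userid TEXT PRIMARY KEY, dn TEXT,
                                     displayname TEXT, status TEXT);
CREATE TABLE IF NOT EXISTS app_group (groupname TEXT PRIMARY KEY, status TEXT);
CREATE TABLE IF NOT EXISTS app_group_member (groupname TEXT, userid TEXT,
                                             PRIMARY KEY (groupname, userid));
"""


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def sync_directory(conn: sqlite3.Connection, ldap_users: Iterable[Dict[str, Any]],
                   ldap_groups: Iterable[Dict[str, Any]],
                   session_cache: Dict[str, Any]) -> Dict[str, Any]:
    """Apply one directory snapshot to the local tables and the session cache."""
    summary: Dict[str, Any] = {"retained_users": [], "expired_sessions": []}
    seen_users: Set[str] = set()
    dn_to_userid: Dict[str, str] = {}
    for entry in ldap_users:
        userid = entry["sAMAccountName"].lower()
        seen_users.add(userid)
        dn_to_userid[entry["dn"].lower()] = userid
        uac = int(entry.get("userAccountControl", 0))  # AD returns it as a string
        status = "DISABLED" if uac & ACCOUNTDISABLE else "ACTIVE"
        conn.execute("INSERT OR REPLACE INTO app_user VALUES (?, ?, ?, ?)",
                     (userid, entry["dn"], entry.get("displayName", ""), status))
        if status == "DISABLED" and userid in session_cache:
            # The directory says "disabled", but cached data would keep
            # working until the application server expires it here.
            del session_cache[userid]
            summary["expired_sessions"].append(userid)
    # Users no longer present in the directory are kept for audit, only flagged.
    for (userid,) in conn.execute(
            "SELECT userid FROM app_user WHERE status <> 'DELETED_IN_DIRECTORY'").fetchall():
        if userid not in seen_users:
            conn.execute("UPDATE app_user SET status = 'DELETED_IN_DIRECTORY' "
                         "WHERE userid = ?", (userid,))
            session_cache.pop(userid, None)  # same precaution as for disabled accounts
            summary["retained_users"].append(userid)
    # Group membership is owned by the directory: local rows are replaced
    # wholesale, so a membership added locally does not survive the sync.
    seen_groups: Set[str] = set()
    for group in ldap_groups:
        name = group["cn"].lower()
        seen_groups.add(name)
        conn.execute("INSERT OR REPLACE INTO app_group VALUES (?, 'ACTIVE')", (name,))
        conn.execute("DELETE FROM app_group_member WHERE groupname = ?", (name,))
        for member_dn in group.get("member", []):
            uid = dn_to_userid.get(member_dn.lower())
            if uid is not None:  # members that are not synced users are ignored
                conn.execute("INSERT INTO app_group_member VALUES (?, ?)", (name, uid))
    for (name,) in conn.execute("SELECT groupname FROM app_group").fetchall():
        if name not in seen_groups:
            conn.execute("UPDATE app_group SET status = 'DELETED_IN_DIRECTORY' "
                         "WHERE groupname = ?", (name,))
    conn.commit()
    return summary


def user_status(conn: sqlite3.Connection, userid: str):
    row = conn.execute("SELECT status FROM app_user WHERE userid = ?",
                       (userid.lower(),)).fetchone()
    return row[0] if row else None


def group_members(conn: sqlite3.Connection, groupname: str) -> Set[str]:
    return {r[0] for r in conn.execute(
        "SELECT userid FROM app_group_member WHERE groupname = ?", (groupname.lower(),))}


# Constructed sample data: two directory snapshots, AD-style attributes.
BASE = "ou=people,dc=example,dc=com"
SNAPSHOT_1_USERS = [
    {"dn": f"cn={u},{BASE}", "sAMAccountName": u, "displayName": u.title(),
     "userAccountControl": "512"} for u in ("alice", "bob", "carol")]
SNAPSHOT_1_GROUPS = [
    {"cn": "app-admins", "member": [f"cn=alice,{BASE}", f"cn=bob,{BASE}"]},
    {"cn": "app-users", "member": [f"cn={u},{BASE}" for u in ("alice", "bob", "carol")]}]
# Later: carol deleted, bob disabled (512 | 2 = 514) and dropped from app-admins.
SNAPSHOT_2_USERS = [SNAPSHOT_1_USERS[0], dict(SNAPSHOT_1_USERS[1], userAccountControl="514")]
SNAPSHOT_2_GROUPS = [
    {"cn": "app-admins", "member": [f"cn=alice,{BASE}"]},
    {"cn": "app-users", "member": [f"cn=alice,{BASE}", f"cn=bob,{BASE}"]}]


def run_demo():
    conn = open_db()
    cache = {"alice": {"token": "a1"}, "bob": {"token": "b1"}}  # constructed sessions
    sync_directory(conn, SNAPSHOT_1_USERS, SNAPSHOT_1_GROUPS, cache)
    # A membership granted locally, bypassing the directory; the next sync removes it.
    conn.execute("INSERT INTO app_group_member VALUES ('app-admins', 'carol')")
    summary = sync_directory(conn, SNAPSHOT_2_USERS, SNAPSHOT_2_GROUPS, cache)
    return conn, cache, summary


if __name__ == "__main__":
    conn, cache, summary = run_demo()
    for uid in ("alice", "bob", "carol"):
        print(uid, user_status(conn, uid))
    print("app-admins:", sorted(group_members(conn, "app-admins")), summary)
```

Two points from the run are worth noting: carol's row survives the second sync with a status that records the deletion, which is what keeps audit trails usable, and bob's cached session is dropped in the same pass that marks him disabled; a sync that only rewrote the table row would leave his existing session valid until it timed out.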
Before users can access the system, they must pass application server authentication. Application servers use role records to identify the users and groups that have access to the system. All roles that were configured in an application are mapped to users or groups by using application server-specific deployment descriptors or the administrative tools that the application server provides.