Configuring LDAP Settings

Procedure

  1. Go to Administration > IMSS Configuration > Connections > LDAP tab.
  2. Next to LDAP server type, select the type of LDAP servers on your network:
    • Domino
    • Microsoft Active Directory
    • Sun iPlanet Directory
  3. Next to Enable LDAP 1, select the check box.
  4. Next to LDAP server, specify the server name or IP address.
  5. Next to Listening port number, specify the port number that the LDAP server uses to listen to access requests.
  6. Configure the settings under LDAP 2 if necessary.
  7. Under LDAP cache expiration for policy services and EUQ services, specify the Time to live in minutes.
    Time To Live: Determines how long IMSS retains LDAP query results in the cache. A longer duration improves LDAP query performance during policy execution, but the policy server becomes less responsive to changes on the LDAP server. A shorter duration means that IMSS has to perform the LDAP query more often, which reduces performance.
  8. Under LDAP admin, specify the administrator account, the corresponding password and the base distinguished name. Refer to the table below for assistance on what to specify under this section according to the LDAP server type:

    LDAP Server Types

    Active Directory
      LDAP Admin Account (examples): Without Kerberos: user1@domain.com (UPN) or domain\user1. With Kerberos: user1@domain.com
      Base Distinguished Name (examples): dc=domain, dc=com
      Authentication Method: Simple; Advanced (with Kerberos)

    IBM Domino
      LDAP Admin Account (examples): user1/domain
      Base Distinguished Name (examples): Not applicable
      Authentication Method: Simple

    Sun iPlanet Directory
      LDAP Admin Account (examples): uid=user1, ou=people, dc=domain, dc=com
      Base Distinguished Name (examples): dc=domain, dc=com
      Authentication Method: Simple
  9. Select an authentication method:
    • Simple
    • Advanced: Uses Kerberos authentication for Active Directory. Configure the following:
      • Kerberos authentication default realm: Default Kerberos realm for the client. For Active Directory use, the Windows domain name must be upper case (Kerberos is case-sensitive).
      • Default domain: The Internet domain name equivalent to the realm.
      • KDC and admin server: Hostname or IP address of the Key Distribution Center for this realm. For Active Directory, it is usually the domain controller.
      • KDC port number: The associated port number.
  10. Click Save.
    If you are using the Configuration Wizard, click Next.
    Note
    IBM Domino and Sun iPlanet only support the Simple authentication method.
    If the domain name in the LDAP administrator account can be resolved by DNS, Kerberos authentication succeeds regardless of the value you type in the default realm.
    If the domain name in the LDAP administrator account cannot be resolved, Kerberos uses the default realm instead.
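The following pre-flight check is an added example, not part of the IMSS product or this documentation. It applies the rules from the LDAP Server Types table, the authentication-method step and the note above to a settings dictionary before they are entered into the console, so that a misconfiguration (a lower-case Kerberos realm, Advanced authentication against Domino or iPlanet, an admin account in the wrong form for the server type) is caught ahead of time. The function name, the dictionary keys and the sample values are assumptions made for the example.

```python
import re

# Rules come from the LDAP Server Types table and the authentication-method step
# above; the function name, config keys and sample values are assumptions.
SUPPORTED_AUTH = {
    "Microsoft Active Directory": {"Simple", "Advanced"},
    "IBM Domino": {"Simple"},
    "Sun iPlanet Directory": {"Simple"},
}
UPN_RE = re.compile(r"^[^@\\/\s]+@[A-Za-z0-9.-]+$")          # user1@domain.com
DOMAIN_USER_RE = re.compile(r"^[A-Za-z0-9.-]+\\[^@\\/\s]+$")  # domain\user1
DOMINO_RE = re.compile(r"^[^@\\/\s]+/[A-Za-z0-9.-]+$")        # user1/domain
DN_RE = re.compile(r"^\w+=[^,=]+(,\s*\w+=[^,=]+)*$")          # dc=domain, dc=com

def check_ldap_settings(cfg):
    """Return a list of problems with the LDAP admin settings (empty list = OK)."""
    server = cfg.get("server_type")
    auth = cfg.get("auth_method", "Simple")
    account = cfg.get("admin_account", "")
    if server not in SUPPORTED_AUTH:
        return [f"unknown LDAP server type: {server!r}"]
    problems = []
    if auth not in SUPPORTED_AUTH[server]:
        problems.append(f"{server} only supports the Simple authentication method")
    # Admin account format depends on the server type (and, for AD, on Kerberos).
    if server == "Microsoft Active Directory":
        if not (UPN_RE.match(account) or (auth == "Simple" and DOMAIN_USER_RE.match(account))):
            problems.append("Active Directory admin account must be a UPN (user1@domain.com)"
                            + (" or domain\\user1" if auth == "Simple" else " when using Kerberos"))
    elif server == "IBM Domino":
        if not DOMINO_RE.match(account):
            problems.append("Domino admin account must be in the form user1/domain")
    elif not DN_RE.match(account):
        problems.append("iPlanet admin account must be a DN such as uid=user1, ou=people, dc=domain, dc=com")
    # Base DN is required for AD and iPlanet; it is not applicable to Domino.
    if server != "IBM Domino" and not DN_RE.match(cfg.get("base_dn", "")):
        problems.append("base distinguished name must look like dc=domain, dc=com")
    # Kerberos fields only matter for Advanced authentication against AD.
    if auth == "Advanced" and server == "Microsoft Active Directory":
        realm = cfg.get("kerberos_realm", "")
        if not realm or realm != realm.upper():
            problems.append("Kerberos default realm must be the Windows domain name in upper case")
        if cfg.get("default_domain", "").lower() != realm.lower():
            problems.append("default domain must be the Internet domain name equivalent to the realm")
        if not cfg.get("kdc"):
            problems.append("KDC and admin server (usually a domain controller) is required")
    return problems
```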