
Configure LDAP ACL management with VMM (WebSphere Application Server V7)

Use LDAP to define the users and groups who can install mobile applications with the Application Center with the Virtual Member Manager (VMM) API.

Since IBM Worklight v6.0, two configuration approaches are available: the JNDI API or the VMM API. This procedure shows you how to use the VMM API to configure LDAP based on the federated repository configuration.

We must configure LDAP based on the federated repository configuration. The stand-alone LDAP registry is not supported. Several different repositories, LDAP and non-LDAP, can be configured in the federated repository.

  1. Configure the attribute mapping. For users, the Application Center refers to these VMM attributes:

    • uid: represents the user login name.

    • sn: represents the full name of the user.

    For groups, the Application Center refers only to the VMM attribute cn.

    If VMM attributes are not identical to LDAP attributes, map the VMM attributes to the corresponding LDAP attributes.

    In WebSphere Application Server V7, we cannot configure this mapping with the WebSphere Application Server console.

    1. Find in the file {WAS_HOME}/profiles/{profileName}/config/cells/{cellName}/wim/config/wimconfig.xml the section containing the LDAP repository configuration with id="your LDAP id":
      <config:repositories xsi:type="config:LdapRepositoryType" adapterClassName="com.ibm.ws.wim.adapter.ldap.LdapAdapter"
                           id="your LDAP id"....

      Where your LDAP id is the user ID configured for you in the LDAP repository.

    2. In this section, after the element <config:attributeConfiguration>, add these entries:
      <config:attributes name="your LDAP attribute for the user full name" propertyName="sn">
          <config:entityTypes>PersonAccount</config:entityTypes>
      </config:attributes>
      <config:attributes name="your LDAP attribute for the user login name" propertyName="uid">
          <config:entityTypes>PersonAccount</config:entityTypes>
      </config:attributes>

    3. Save the file and restart the server.

  2. Configure the Application Center for ACL management with LDAP. In WebSphere Application Server V7, only a WebSphere administrator user can run VMM access. (VMM roles are only supported by WebSphere Application Server V8.)

    You must define these properties:

    • ibm.appcenter.ldap.active = true.

    • ibm.appcenter.ldap.vmm.active = true.

    • ibm.appcenter.ldap.vmm.adminuser = WebSphere administrator user.

    • ibm.appcenter.ldap.vmm.adminpwd = WebSphere administrator password. The password can be encoded or not.

    • ibm.appcenter.ldap.cache.expiration.seconds = the delay in seconds before the LDAP cache expires. If no value is entered, the default value is 86400, which is equal to 24 hours.

      See List of JNDI properties for the Application Center for a complete list of properties we can set.

      Changes to users and groups on the LDAP server become visible to the Application Center after a delay, which is specified by ibm.appcenter.ldap.cache.expiration.seconds. The Application Center maintains a cache of LDAP data and the changes only become visible after the cache expires. By default, the delay is 24 hours. If we do not want to wait for this delay to expire after changes to users or groups, we can call this command to clear the cache of LDAP data:

        acdeploytool.sh -clearLdapCache -s serverurl -c context -u user -p password

      See Using the stand-alone tool to clear the LDAP cache for details.


    1. Log in to the WebSphere Application Server console.

    2. Select Applications > Application Types > WebSphere enterprise applications.

    3. In the "Web Module Properties" section, select IBM_Application_Center_Services and then select Environment entries for Web modules.

    4. Set the values for the properties.

    5. Click OK and save the configuration. The application is automatically restarted.

  3. Optional: Encode the password with the PropFilePasswordEncoder utility.

    1. Create a file pwd.txt containing the entry adminpwd=your clear password, where your clear password is the unencoded administrator password.

    2. Run this command:

        {WAS_HOME}/profiles/profile name/bin/PropFilePasswordEncoder "file path/pwd.txt" adminpwd

    3. Open the pwd.txt file and copy the encoded password into the value of the ibm.appcenter.ldap.vmm.adminpwd property.
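The attribute mapping of step 1 is easy to get subtly wrong by hand (a mapping missing, or sn and uid bound to the wrong LDAP attribute silently changes which users the ACL matches). The following added example, which is not IBM's code, inserts the two PersonAccount mappings into the LDAP repository section of wimconfig.xml only when they are missing and reports what is mapped. The SAMPLE document, its namespace URI and the LDAP attribute names in LDAP_NAMES are constructed stand-ins; the code reads the real namespace from the element tags, so it works on an actual wimconfig.xml.

```python
import xml.etree.ElementTree as ET
REQUIRED = ("sn", "uid")            # VMM user properties the Application Center reads
REPO_ID = "your LDAP id"            # id="..." of the LDAP repository section
LDAP_NAMES = {"sn": "displayName", "uid": "sAMAccountName"}   # constructed example mapping

# Constructed stand-in for the repository section of wimconfig.xml; the namespace URI is a
# placeholder. The code reads the real URI from the tags, so it runs unchanged on a real file.
SAMPLE = """<config:configurationProvider xmlns:config="urn:placeholder:wimconfig"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <config:repositories xsi:type="config:LdapRepositoryType" id="your LDAP id">
    <config:attributeConfiguration/>
  </config:repositories>
</config:configurationProvider>"""

def _ns(tag):
    """'{uri}' part of a namespaced tag, '' if the tag has none."""
    return tag[:tag.index("}") + 1] if tag.startswith("{") else ""

def find_repository(root, repo_id):
    """Locate <config:repositories id=repo_id>, whatever prefix the file uses."""
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "repositories" and el.get("id") == repo_id:
            return el
    raise KeyError(f"no repository section with id={repo_id!r}")

def person_mappings(repo):
    """{VMM propertyName: LDAP attribute} already mapped for PersonAccount."""
    ns, out = _ns(repo.tag), {}
    for attr in repo.iter(ns + "attributes"):
        if "PersonAccount" in [t.text for t in attr.iter(ns + "entityTypes")]:
            out[attr.get("propertyName")] = attr.get("name")
    return out

def add_mappings(xml_text, repo_id, ldap_names):
    """Insert missing sn/uid mappings right after <config:attributeConfiguration>.
    Returns (new xml text, set of VMM properties added); a second run adds nothing."""
    root = ET.fromstring(xml_text)
    repo = find_repository(root, repo_id)
    ns = _ns(repo.tag)
    if ns:
        ET.register_namespace("config", ns[1:-1])   # keep the config: prefix on output
    cfg = repo.find(ns + "attributeConfiguration")
    if cfg is None:
        raise ValueError("repository section has no attributeConfiguration element")
    present, added = person_mappings(repo), set()
    for pos, prop in enumerate(p for p in REQUIRED if p not in present):
        attr = ET.Element(ns + "attributes", name=ldap_names[prop], propertyName=prop)
        ET.SubElement(attr, ns + "entityTypes").text = "PersonAccount"
        cfg.insert(pos, attr)
        added.add(prop)
    return ET.tostring(root, encoding="unicode"), added
```

Run it against a copy of wimconfig.xml, diff the result against the original, and only then replace the file and restart the server as step 1 requires.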


Parent topic: LDAP with WebSphere Application Server V7