Configure WebSphere Portal for Novell eDirectory without realm support

 

+
Search Tips   |   Advanced Search

 


Procedure

  1. Ensure that the LDAP software is installed and any setup required by WebSphere Portal has been performed.

  2. Create a backup copy of...

  3. Edit wpconfig.properties file and enter the values appropriate for your environment.

    Property Value
    WasUserid Description: The user ID for WebSphere Application Server security authentication. This should be the fully qualified distinguished name (DN). For LDAP configuration this value should not contain spaces.

    Note: If a value is specified for WasUserid, a value must also be specified for WasPassword. If WasUserid is left blank, WasPassword must also be left blank.

    Recommended value: uid=wpsbind,ou=people,o=yourco.com

    Default LDAP value: ReplaceWithYourWASUserId

    WasPassword

    Description: The password for WebSphere Application Server security authentication.

    Note: If a value is specified for WasPassword, a value must also be specified for WasUserid. If WasPassword is left blank, WasUserid must also be left blank.

    Recommended value: <none>

    Default value: ReplaceWithYourWASUserPwd

    Section of properties file: Portal configuration properties

    Property Value
    PortalAdminId

    Description: The user ID for the WebSphere Portal the administrator. This should be the fully qualified distinguished name (DN). For LDAP configuration this value should not contain spaces.

    Recommended value: uid=portaladminid,ou=people,o=yourco.com

    Default value: uid=<portaladminid>,o=default organization

    PortalAdminIdShort

    Description: The short form of the user ID for the WebSphere Portal administrator, as defined in the PortalAdminId property.

    Recommended value: <none>

    Default value: <portaladminid>

    PortalAdminPwd

    Description: The password for the WebSphere Portal administrator, as defined in the PortalAdminId property.

    Recommended value: <none>

    Default value: <none>

    PortalAdminGroupId

    Description: The group ID for the group to which the WebSphere Portal administrator belongs.

    Recommended value: cn=wpsadmins,ou=groups,o=yourco.com

    Default value: cn=wpsadmins,o=default organization

    PortalAdminGroupIdShort

    Description: The short form of the group ID for the WebSphere Portal administrator, as defined in the PortalAdminGroupId property.

    Recommended value: <none>

    Default value: wpsadmins

    WpsContentAdministrators

    Description: The group ID for the WebSphere Content Administrator group.

    Recommended value: cn=wpsContentAdministrators,ou=groups,o=yourco.com

    Default value: cn=wpsContentAdministrators,o=default organization

    WpsContentAdministratorsShort

    Description: The WebSphere Content Administrators group ID.

    Recommended value: <none>

    Default value: wpsContentAdministrators

    WpsDocReviewer

    Description: The group ID for the WebSphere Document Reviewer group.

    Recommended value: cn=wpsDocReviewer,ou=groups,o=yourco.com

    Default value: cn=wpsDocReviewer,o=default organization

    WpsDocReviewerShort

    Description: The WebSphere Document Reviewer group ID.

    Recommended value: wpsDocReviewer

    Default value: wpsDocReviewer

    Section of properties file: Database properties

    Property Value
    DbUser

    Description: The user ID for the database administrator.

    Recommended value: <none>

    Default value: db2admin

    DbPassword

    Description: The password for the database administrator.

    Recommended value: <none>

    Default value: ReplaceWithYourDbAdminPwd

    Section of properties file: WebSphere Portal Security LTPA and SSO configuration

    Property Value
    LTPAPassword

    Description: The password for the LTPA bind.

    Recommended value: <none>

    Default value: <none>

    LTPATimeout

    Description: Specifies the number of minutes after which an LTPA token will expire.

    Recommended value: 120

    Default value: 120

    SSODomainName

    Description: Specifies the domain name for all allowable single signon host domains.

    • Enter the part of the domain that is common to all servers that participate in single signon. For example, if WebSphere Portal has the domain portal.us.ibm.com and another server has the domain another_server.ibm.com, enter ibm.com.

    • To specify multiple domains, use a semicolon ; to separate each domain name. For example, your_co.com;ibm.com.

    Single signon (SSO) is achieved via a cookie that is sent to the browser during authentication. When connecting to other servers in the TCP/IP domain specified in the cookie, the browser sends the cookie. If no domain is set in the cookie, the browser will only send the cookie to the issuing server. See the WebSphere Application Server documentation for further details about this setting.

    Recommended value: your company's domain name

    Default value: <none>

    Section of properties file: LDAP Properties Configuration

    Property Value
    Lookaside

    Description: Specifies if a Lookaside database is to be used in combination with the LDAP server. A Lookaside database stores attributes which cannot be stored in your LDAP server. This combination of LDAP plus a Lookaside database is needed to support Member Manager, however, using a Lookaside database can slow down performance.To enable the LDAP + Lookaside database combination, set this property to true.

    This value cannot be configured after security is enabled. If you intend to use a Lookaside database, set this value before configuring security.

    Recommended value: false

    Default value: false

    LDAPHostName

    Description: The host information for the LDAP server that WebSphere Portal will use; for example, yourserver.yourcompany.com.

    Recommended value: <none>

    Default value: yourldapserver.com

    LDAPPort

    Description: The server port of the LDAP directory.

    Recommended value (non-SSL): 389

    Recommended value (SSL): 636

    Default value: 389

    LDAPAdminUId

    Description: The LDAP administrator id.

    Recommended value: <none>

    Default value: cn=root

    LDAPAdminPwd

    Description: The LDAP administrator password. If the LDAPAdminUId is blank, this property must be blank as well.

    Recommended value: <none>

    Default value: <none>

    LDAPServerType

    Description: Type of LDAP Server to be used.

    Recommended value: NDS

    Default value: IBM_DIRECTORY_SERVER

    LDAPBindID

    Description: The user ID for LDAP Bind authentication. This user ID is used by WebSphere Application Server to bind to the LDAP to retrieve user attributes required for authentication. If this property is omitted, the LDAP is access anonymously and is then read-only.

    Recommended value: bind_user

    Default value: uid=wpsbind,cn=users,dc=yourco,dc=com

    LDAPBindPassword

    Description: Password for LDAP Bind authentication. If the LDAPBindID is blank, this property must be blank as well.

    Recommended value: bind_password

    Default value: <none>

    WmmSystemId

    Description: The fully-qualified distinguished name (DN) of a user in the LDAP. This DN is stored in the credential vault for PUMA's use to access the Member Manager EJB. The Member Manager EJB is secured by WebSphere Application Server Security starting with WebSphere Portal 5.1. An authenticated security context is now established before WebSphere Portal can access Member Manager.

    This value should not contain spaces and must not contain any suffixes in the custom user registry case.

    Recommended value: uid=wmmsystemid,ou=people,o=yourco.com

    Default value: <none>

    WmmSystemIdPassword

    Description: Password for WmmSystemId.

    Recommended value: <none>

    Default value: <none>

    Section of properties file: Advanced LDAP Configuration

    Property Value
    LDAPSuffix

    Description: The LDAP Suffix. Choose a value appropriate for your LDAP server. This is the distinguished name (DN) of the node in the LDAP containing all user and group information for the Portal being configured. As such, it is the lowest container in the LDAP tree still containing all users that will log into the Portal and all Portal groups.

    If WebSphere Application Server configuration tasks (e.g., enable-security-ldap) are used to activate WebSphere Application Server Security, this value will be used as the single Base Distinguished Name for the Application Server LDAP configuration. This value will be qualified with the LDAPUserSuffix and LDAPGroupSuffix values in order to configure Member Manager.

    Recommended value: o=yourco.com

    Default value: dc=yourco,dc=com

    LdapUserPrefix

    Description: RDN prefix attribute name for user entries.

    Recommended value: uid

    Default value: uid

    LDAPUserSuffix

    Description: The DN suffix attribute name for user entries. Choose the value appropriate for your LDAP server. With the "LDAPSuffix" appended to this value, it is the DN of the common root node in the LDAP containing all user information for the Portal being configured. As such, it is the lowest container in the LDAP tree still containing all users that will log into the Portal including the Portal admin users (e.g., wpsadmin and wpsbind).

    Recommended value: ou=people

    Default value: cn=users

    LdapGroupPrefix

    Description: RDN prefix attribute name for user entries.

    Recommended value: cn

    Default value: cn

    LDAPGroupSuffix

    Description: The DN suffix attribute name for group entries. Choose a value appropriate for your LDAP server. With the "LDAPSuffix" appended to this value, it is the DN of the common root node in the LDAP containing all group information for the Portal being configured. As such, it is the lowest container in the LDAP tree still containing all group entries for the Portal including the Portal admin group (e.g., wpsadmins).

    Recommended value: ou=groups

    Default value: cn=groups

    LDAPUserObjectClass

    Description: The LDAP object class of the Portal users in your LDAP directory that will log into the Portal being configured.

    Recommended value: inetOrgPerson

    Default value: inetOrgPerson

    LDAPGroupObjectClass

    Description: The LDAP object class of all the groups in your LDAP directory that the Portal will access.

    Recommended value: groupOfNames

    Default value: groupOfUniqueNames

    LDAPGroupMember

    Description: The attribute name in the LDAP group object of the "membership" attribute. Choose a value appropriate for your LDAP server.

    Recommended value: uniqueMember

    Default value: uniqueMember

    LDAPUserFilter

    Description: The filter used by WebSphere Application Server for finding users in the LDAP.

    Recommended value: (&(uid=%v)(objectclass=inetOrgPerson))

    Default value: (&(uid=%v)(objectclass=inetOrgPerson))

    LDAPGroupFilter

    Description: The filter used by WebSphere Application Server for finding groups in the LDAP.

    Recommended value: (&(cn=%v)(objectclass=groupOfUniqueNames))

    Default value: (&(cn=%v)(objectclass=groupOfUniqueNames))

    LDAPsslEnabled

    Description: Specifies whether secure socket communications is enabled to the LDAP server.

    Recommended value (non-SSL): false

    Recommended value (SSL): true

    Default value: false

  4. Optional: If you installed WebSphere Application Server as part of the WebSphere Portal installation and you plan to use WebSphere Application Server single signon, ensure that the following property in the wpconfig.properties file has the recommended value and not the default value. WebSphere Portal uses Form-based login for authentication, which requires SSO to be enabled; otherwise, you will be no longer able to login to WebSphere Portal.

    If you installed WebSphere Portal onto a pre-existing instance of WebSphere Application Server, skip this step. Any pre-existing settings for WebSphere Application Server SSO are automatically detected and preserved when you run the appropriate task to configure security.

    Section of properties file: WebSphere Portal Security LTPA and SSO Configuration

    Property Value
    SSORequiresSSL

    Description: Specifies that single signon is enabled only when requests are over HTTPS Secure Sockets Layer (SSL) connections. Choose False unless SSL is already enabled for WebSphere Portal. In most cases, SSL for WebSphere Portal will not yet be in place. After SSL for WebSphere Portal is set up, change this value using the WebSphere Application Server administrative console.

    Recommended value (non-SSL): false

    Recommended value (SSL): true

    Default value: false

  5. Save the file.

  6. In a command prompt, change to the WebSphere Application Server /bin directory.

      was_root/bin

  7. Enter the following commands:

    1. startServer server1

    2. stopServer WebSphere_Portal

  8. Change to the WebSphere Portal configuration directory.

      wp_root/config

  9. Enter the following command to run the appropriate configuration task for your specific operating system:

    If the configuration task fails, validate the values in the wpconfig.properties file.

  10. If you installed WebSphere Portal on a pre-existing instance of WebSphere Application Server which had Global Security enabled or if you followed the steps in Manually configure WebSphere Application Server Global Security.

    1. If you disabled WebSphere Application Server Global Security before installing WebSphere Portal, enable it now.

    2. Run the following configuration task.

      Note: This task configures WebSphere Portal for security but does not modify your WebSphere Application Server existing security settings. Enter the appropriate command to run the configuration task:

      Check the output for any error messages before proceeding with any additional tasks. If any the configuration task fails, verify the values in the wpconfig.properties file.

  11. If you meet either of the following criteria:

    • You installed WebSphere Portal on a pre-existing instance of WebSphere Application Server which did not have Global Security enabled

    • You installed WebSphere Application Server as part of the WebSphere Portal installation

    Enter the appropriate command to run the configuration task for your specific operating system:

    If this is a cluster environment, stop all cluster members before enabling security using the enable-security-ldap task.

  12. Check the output for any error messages before proceeding with any additional tasks. If the configuration task fails, verify the values in the wpconfig.properties file. Before running the task again, be sure to stop the WebSphere Portal appserver. Follow these steps to stop the server:

    1. In a command prompt, change to the WebSphere Application Server /bin directory.

        was_root/bin

    2. Enter the following command and specify the WebSphere Application Server user ID and password (as defined by the WasUserid and WasPassword properties):

      stopServer WebSphere_Portal -user was_admin_userid -password was_admin_password

  13. If you are using LDAP over SSL, refer to Set up LDAP over SSL and be sure your LDAP is properly configured.

  14. Stop and start the servers.

    1. In a command prompt, change to the WebSphere Application Server /bin directory.

        was_root/bin

    2. Enter the following commands. If you are running with security enabled on WebSphere Application Server, specify a user ID and password for security authentication when entering the commands.

      1. Stop server 1.

        • stopServer server1

        • Security enabled: stopServer server1 -user was_admin_userid -password was_admin_password

      2. Start server 1.

      3. Start WebSphere Portal appserver

  15. Perform this step only if you installed WebSphere Portal on a pre-existing instance of WebSphere Application Server, do one of the following:

    • If you disabled Global Security before installing: Manually reactivate Global Security. From the WebSphere Application Server Administrative Console, select Security > Global Security. Make the appropriate selections and click OK. Restart WebSphere Portal.

    • If you installed WebSphere Portal without configuring it during installation: Use the procedure below to manually deploy portlets.

      Cluster note: If you are installing WebSphere Portal on a WebSphere Application Server node that is part of managed cell, this step is only required if you are installing on the primary node. It is not necessary to deploy portlets if you are installing on a secondary node.

      1. Ensure that WebSphere Portal is running.

      2. In a command prompt, change to the WebSphere Portal /config directory.

          wp_root/config

      3. Enter the appropriate command to run the configuration task for your specific operating system:

        • UNIX: ./WPSconfig.sh portlets -DPortalAdminPwd=password

        • Windows: WPSconfig.bat portlets -DPortalAdminPwd=password

  16. If you installed WebSphere Portal into a pre-existing SSO environment. Because you will not be given the option to import your existing token file, perform the following steps:

    • To import your SSO Token:

    • In the WebSphere Application Server Administrative Console, select Security>Authentication Mechanisms>LTPA.

    • Enter the LTPA token password in the Password field.

    • Enter the password again in the Confirm password field.

    • In the Key File Name field, enter the LTPA token file.

    • Click Import Keys.

    • Click Save.

    • To set your SSO Domain:

      1. In the WebSphere Application Server Administrative Console, select Security>Authentication Mechanisms>LTPA.

      2. Click Single Signon in Additional Properties.

      3. Enter the domain name in the Domain Name field.

      4. Click OK.

  17. If you want to allow users or portal administrators to create and modify directory attributes through self-registration and self-care screens or the user management portlet. Perform the following steps:

    1. Open PumaService.properties file. You can find this file in the wp_root/shared/app/config/services directory.

    2. Add user.sync.remove.attributes=cn,CN.

    3. Save the file.

    4. Restart the WebSphere_Portal appserver.

    5. Note: If you do not perform these steps WebSphere Portal will not be able to create or update a user by using portal functions because of a misconfiguration.

    WebSphere Portal can be configured to create the distinguished name (DN) for a user account created through WebSphere Portal interfaces (self-registration or the user management portlet create new user functions) by using the common name (cn) as the first Relative Distinguished Name (RDN) component. The default configuration of WebSphere Portal generates this attribute based on the surname and givenname attribute. The configuration is located in the puma.properties file

    The following entry defines the user common name pattern and can be used to customize common name. In the pattern, you can define which attribute is used. Therefore the maximum amount of attributes has to be provided by puma.commonname.parts. See the following example for more details:

    e.g.: firstname+" "+lastname
          puma.commonname = {0} {1}
          puma.commonname.parts = 2
          puma.commonname.0 = firstname
          puma.commonname.1 = lastname
    

 

Verifying configuration

Access WebSphere Portal via http://hostname.yourco.com:port_number/wps/portal and verify that you can log in.

Configuring WebSphere Portal to work with an LDAP directory automatically enables WebSphere Application Server Global Security. Once security is enabled, type the fully qualified host.name when accessing WebSphere Portal and the WebSphere Application Server Administrative Console.

 

Security is enabled

Once you have enabled security with your LDAP directory, provide the user ID and password required for security authentication on WebSphere Application Server when you perform certain administrative tasks with WebSphere Application Server. For example, to stop the WebSphere Portal appserver, you would issue the following command:

stopServer WebSphere_Portal -user was_admin_userid -password was_admin_password

 

Next steps

You have completed this step. Continue to the next step by choosing the following topic:

 

WebSphere is a trademark of the IBM Corporation in the United States, other countries, or both.

 

IBM is a trademark of the IBM Corporation in the United States, other countries, or both.