Configure SSO between WebSphere Portal and Team Workplace when each uses a different LDAP directory

Overview

This document explains how to configure an environment when IBM WebSphere Portal 5.1.x authenticates against one LDAP directory, Novell eDirectory in this example, and IBM Lotus Team Workplace (QuickPlace) v6.5.1 authenticates against Domino LDAP.

In this setup the same person has two different names:

  1. When a user authenticates to WebSphere Portal, the user is known to Portal by the distinguished name stored in Novell eDirectory...

    uid=tuser,ou=user,o=acme

  2. When the same user authenticates to QuickPlace, the user is known to QuickPlace by the distinguished name stored in the Domino LDAP directory...

    CN=Test User,O=acme

The difficulty with this setup is configuring the Single Sign On (SSO) piece between the two products. When WebSphere Portal generates the LTPA token, it sets...

uid=tuser,ou=user,o=acme

...into the token as the user's identity. QuickPlace decodes the token successfully, but finds no user with that name, because the Domino LDAP directory knows the user only as...

CN=Test User,O=acme

QuickPlace therefore needs a way to map the eDirectory name carried in the token to the same user in the Domino LDAP directory. The two directories name the user as follows. Domino uses...

cn=Test User,o=acme

...and Novell eDirectory uses...

uid=tuser,ou=user,o=acme

 

SSO Configuration Procedure

  1. Import the WebSphere LTPA key into QuickPlace, so that QuickPlace can decrypt and validate the LTPA tokens WebSphere Portal issues.

  2. Verify that the WebSphere LTPA key was imported correctly into the QuickPlace server before going further; a wrong key makes every token invalid, regardless of the name mapping configured below.

  3. Configure the Domino LDAP server used by QuickPlace.

    • The server and design of the Domino Directory (public Name and Address Book) must be Domino release 6.5.2 or higher.

    • Sync the user names and passwords in the Domino Directory with the names Portal uses to authenticate a user.

      For example, if WebSphere Portal's user directory is Novell eDirectory, and a user's dn from eDirectory is:

      uid=tuser,ou=user,o=acme

      ...then add the following line to the User name (or Short name) field of the Person document for Test User in Domino, written in Domino's slash-separated form:

      uid=tuser/ou=user/o=acme

      This line must be added below the Domino canonical name, which must be the top line of the User name field, and the common name (CN), which must be the second line. The alias must match the eDirectory DN component for component (ou=user, not ou=users, and so on), because this is the string QuickPlace will look up. Therefore, in our example, the contents of the User name field of the Person document should be as follows:

      First name: Test
      Middle name:
      Last name: User
      User name: Test User/acme
      Test User
      uid=tuser/ou=user/o=acme

    • Update the Domino Server Configuration document to dereference alias names.

      • In the Domino Directory, go to the view...

        Configuration | Servers | Configurations

        ...and open the Configuration document for [All Servers].

      • Go to the LDAP tab of the Configuration document and at the bottom, set the...

        Allow Dereferencing of Aliases on Search Requests?

        ...option to "Yes".

    • Shut down the LDAP task and update the Domino Directory views for the settings to take effect.

      Run the following commands from the Domino server console:

      tell ldap q
      load updall names.nsf -r

      Once these tasks complete, run this command:

      load ldap

      At this point you should be able to run the following ldapsearch command and receive Test User's entry back:

      ldapsearch -h ldapserver.domain.com -D <bind user if necessary> -w <bind user's password> -b "uid=tuser,ou=user,o=acme" objectclass=*

      If the search returns nothing, the alias line in the Person document does not match the DN exactly, or alias dereferencing is not in effect; QuickPlace will fail to resolve the token identity for the same reason, so fix this before continuing.

  4. Configure the QuickPlace server to remap users' DNs when they arrive in an LTPA token.

    • For QuickPlace 6.5.1 users, you will need the latest consolidated hotfix for QuickPlace for the following Software Problem Reports (SPRs):

      SPR #CWIR65PTBE
      SPR #CWIR67MQUU
      SPR #CPRE646P6X
      SPR #CPRE645S6B

      If SSL is configured between QuickPlace and Domino LDAP you will need a fix for SPR #SSHD6BMKC6

      If the DN from WebSphere Portal contains special characters (for example an escaped comma in a value), you will need a fix for SPR #SSHD6ABSY4

    • Configuration changes for QuickPlace to remap users' Distinguished Names.

      Notes.ini setting:

      QuickPlaceRemapDN=uid=;ou=

      List whatever DN prefixes you need, separated by semicolons; QuickPlace remaps only token DNs that begin with one of them. In our example only uid= is necessary.

    • If you use the MyTeamWorkplace portlet you will need a fix for the cs.jar file on the QuickPlace server for SPR #SSHD68ZLSG.
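
The following Python block is an added example, not IBM code, that models the mapping the procedure above sets up: it derives the slash-form alias line a Portal DN needs in the Domino Person document, and resolves the DN carried in an LTPA token against a set of Person documents the way QuickPlace must once QuickPlaceRemapDN is set. The Person documents are constructed sample data held in memory rather than a live Domino directory, and two details are assumptions of the model rather than documented QuickPlace behaviour: that only token DNs starting with a configured prefix are looked up, and that names are compared case-insensitively. It also handles the escaped-comma case that the special-character SPR above refers to.

```python
"""Model of the token-identity mapping described above (added example, not IBM code).

It derives the slash-form alias line a Portal DN needs in the Domino Person
document and resolves an LTPA token DN against constructed, in-memory Person
documents, the way QuickPlace must once QuickPlaceRemapDN is set. The remap
rule (only DNs starting with a configured prefix are looked up) and the
case-insensitive comparison are assumptions of the model.
"""
import re

# RFC 4514 escape inside a DN value: backslash + special char, or backslash + 2 hex digits.
_ESCAPED = re.compile(r'\\([,+"\\<>;#= ]|[0-9a-fA-F]{2})')


def unescape(value):
    """Undo RFC 4514 escaping: 'Doe\\, John' and 'Doe\\2C John' both become 'Doe, John'."""
    return _ESCAPED.sub(lambda m: m.group(1) if len(m.group(1)) == 1 else chr(int(m.group(1), 16)), value)


def split_dn(dn):
    """Split an LDAP DN into (attribute, value) pairs without breaking on escaped commas."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == '\\' and i + 1 < len(dn):
            buf.append(dn[i:i + 2])           # keep the escape pair together
            i += 2
            continue
        if dn[i] == ',':
            rdns.append(''.join(buf))
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    rdns.append(''.join(buf))
    pairs = []
    for rdn in rdns:
        attr, sep, val = rdn.strip().partition('=')
        if not sep:
            raise ValueError('malformed RDN: %r' % rdn)
        pairs.append((attr.strip().lower(), unescape(val.strip())))
    return pairs


def split_canonical(name):
    """Split a Domino slash-form name, e.g. 'uid=tuser/ou=user/o=acme'."""
    pairs = []
    for comp in name.split('/'):
        attr, sep, val = comp.partition('=')
        if not sep:
            raise ValueError('component is not attr=value: %r' % comp)
        pairs.append((attr.strip(), val.strip()))
    return pairs


def to_domino_alias(dn):
    """Alias line for the Person document: uid=tuser,ou=user,o=acme -> uid=tuser/ou=user/o=acme."""
    parts = []
    for attr, val in split_dn(dn):
        if '/' in val:                         # Domino's separator cannot be carried in a value
            raise ValueError('%r contains "/"' % val)
        parts.append('%s=%s' % (attr, val))
    return '/'.join(parts)


def to_ldap_dn(canonical):
    """Domino canonical name -> LDAP DN, re-escaping RFC 4514 specials in values."""
    return ','.join('%s=%s' % (a, re.sub(r'([,+"\\<>;])', r'\\\1', v))
                    for a, v in split_canonical(canonical))


def _key(pairs):
    # Assumption of the model: both directories compare names case-insensitively.
    return tuple((a.lower(), v.lower()) for a, v in pairs)


def remap_token_identity(token_dn, person_documents, remap_prefixes=('uid=',)):
    """Resolve the DN carried in the LTPA token to the Domino user's LDAP DN, or None."""
    if not any(token_dn.lstrip().lower().startswith(p.lower()) for p in remap_prefixes):
        return None                            # not a DN shape QuickPlaceRemapDN lists
    wanted = _key(split_dn(token_dn))
    for doc in person_documents:
        lines = doc['user_name']               # top line: Domino canonical name
        for alias in lines[1:]:
            if '=' in alias and _key(split_canonical(alias)) == wanted:
                return to_ldap_dn(lines[0])
    return None                                # no alias line matches: the SSO failure above


# Constructed sample Person documents. Domino stores the top line as
# CN=Test User/O=acme and shows it abbreviated as Test User/acme, as in the field dump above.
PERSON_DOCUMENTS = [
    {'user_name': ['CN=Test User/O=acme', 'Test User', 'uid=tuser/ou=user/o=acme']},
    {'user_name': ['CN=Jane Doe/O=acme', 'Jane Doe', 'uid=jdoe/ou=user/o=acme']},
]
```

Calling remap_token_identity('uid=tuser,ou=user,o=acme', PERSON_DOCUMENTS) yields 'CN=Test User,O=acme', the name the document says QuickPlace knows the user by; changing the token to ou=users yields None, which is the one-character mismatch that the ldapsearch check in step 3 is meant to catch before users hit it.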

 

Troubleshooting

If SSO fails between WebSphere Portal and QuickPlace, enable the following debug settings and send the output to Lotus Software Technical Support.

  1. In the Notes.ini on the QuickPlace server add the following:

    QuickPlaceAuthenticationLogging=5
    debug_outfile=c:\qpoutfile.txt

  2. In the Notes.ini on Domino LDAP add the following:

    ldapdebug=7
    debug_outfile=c:\ldapoutfile.txt

  3. Restart both servers.

  4. Log on to WebSphere Portal.

  5. Change the browser address to http://quickplace.domain.com/quickplace .

  6. Send the two outfiles to Lotus Technical Support.

  7. Remove the debug parameters after creating your outfiles; leaving authentication and LDAP debug logging enabled writes unbounded output to disk on both servers.

Related Documents:

  • Dual Directory Env: My Team Workplaces Portlet Does not - Document 1177882
  • Dual Directory Env: Accessing a Team Workplace You Are - Document 1177881
  • Troubleshooting WebSphere Portal & Domino Extended Prod - Document 1158269
  • How To Configure SSO between Instant Msg and WebSphere - Document 1205909

 

WebSphere is a trademark of the IBM Corporation in the United States, other countries, or both.

 

IBM is a trademark of the IBM Corporation in the United States, other countries, or both.