
Add users to the Lightweight Directory Access Protocol user registry

We can use the LDAP user registry with any of the authentication mechanisms supported by WebSphere Application Server. Users must therefore be added to the LDAP directory before they can be authorized to access Application Server resources.

This information is specific to the iSeries Directory Services product.

A variety of methods are available to add users. However, the easiest way is to create an LDAP Data Interchange Format (LDIF) file. The file contains the set of users to add into the directory. The file is used by the LDAP utilities, such as idsldapmodify. We can run these utilities from either the operating system or from a workstation. If we run these LDAP utilities from the operating system, the LDIF file must reside in the integrated file system.

Complete the following steps to add users to the LDAP user registry:

  1. Create an LDIF file and save it in the integrated file system. Use either the Edit File (EDTF) utility or your workstation text editor to create the file. Save the file in the integrated file system either by mapping a drive or using the file transfer protocol (FTP).

    For WebSphere Application Server and LDAP directory services, create entries in the directory that correspond to the ePerson schema definition.

    A simple ePerson LDIF entry resembles the following example:

    dn: cn=John Doe, ou=Rochester, o=IBM, c=US
    objectclass: person
    objectclass: inetOrgPerson
    objectclass: top
    objectclass: organizationalPerson
    objectclass: ePerson
    cn: John Doe
    sn: Doe
    uid: jdoe
    userpassword: secretpass

    This LDIF entry defines an ePerson for user John Doe. The user identification (uid) for John is set to jdoe and his password is set to secretpass. This entry resides within the Rochester organizational unit, which is within the IBM organization in the United States. Each of the containing entries (the ou, o, and c entries) must be defined before this ePerson entry is defined. We can define a series of LDIF entries in the same file to define LTPA users for WebSphere Application Server.

    If we do not specify a value for the userpassword attribute, the LDAP server attempts to authenticate LTPA users with the user profile for the local operating system that is identified by the uid attribute value. This action might be desirable if users have user profiles for the operating system and do not want to manage passwords in both the operating system user registry and the LDAP directory.

    When creating an ePerson entry, verify that the cn and uid attributes each have a unique value. Do not create two entries that have the same value for the cn or uid attribute.

    Important: If we have a large user registry, login performance might be severely impacted if the Group Member ID Map property is left at its default value, which is both groupOfNames:member and groupOfUniqueNames:uniqueMember.

    To address this performance problem, specify one of these object classes and not both. We must then exclusively use the selected object class to implement groups in the user registry.

  2. Import the LDIF file entries into the directory on the server. Use the LDAP ldapadd utility in Qshell Interpreter (QSH) or from a workstation.
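As an added example (not part of this documentation or of Directory Services), the following Python script builds such an LDIF file for the two steps above: it writes the c, o and ou container entries before the ePerson entries, rejects duplicate cn or uid values, reports users that carry no userpassword (and will therefore be authenticated against their operating system profile), base64-encodes values that LDIF cannot carry in clear text, and escapes DN components so that a comma in a name cannot change where the entry lands. The container object classes (country, organization, organizationalUnit) and the sample users are assumptions.

```python
import base64
import re

# RFC 2849: a value is written in clear text only if it starts with a SAFE-INIT-CHAR, contains
# only SAFE-CHARs and does not end in a space; anything else is base64-encoded after "::".
SAFE_INIT = re.compile(r"[\x01-\x09\x0b\x0c\x0e-\x1f\x21-\x39\x3b\x3d-\x7f]")
SAFE = re.compile(r"[\x01-\x09\x0b\x0c\x0e-\x7f]*")
CLASSES = ("top", "person", "organizationalPerson", "inetOrgPerson", "ePerson")

def ldif_line(attr, value):
    """One 'attr: value' line, or 'attr:: base64' when the value is not LDIF-safe."""
    if value and SAFE_INIT.match(value) and SAFE.fullmatch(value) and not value.endswith(" "):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def dn_escape(value):
    """Escape an RDN value per RFC 4514 so a cn such as 'Doe, John' cannot alter the DN."""
    out = re.sub(r'([,+"\\<>;])', r"\\\1", value)
    out = "\\" + out if out[:1] in ("#", " ") else out
    return out[:-1] + "\\ " if out.endswith(" ") else out

def build_ldif(users, ou, o, c):
    """Return (ldif_text, uids_without_password): c, o, ou containers first, then one ePerson each."""
    base = f"ou={dn_escape(ou)}, o={dn_escape(o)}, c={dn_escape(c)}"
    entries = [  # standard container object classes (assumed; adjust to your directory)
        [("dn", f"c={dn_escape(c)}"), ("objectclass", "country"), ("c", c)],
        [("dn", f"o={dn_escape(o)}, c={dn_escape(c)}"), ("objectclass", "organization"), ("o", o)],
        [("dn", base), ("objectclass", "organizationalUnit"), ("ou", ou)],
    ]
    seen_cn, seen_uid, no_password = set(), set(), []
    for u in users:
        cn, uid = u["cn"], u["uid"]
        if cn.lower() in seen_cn or uid.lower() in seen_uid:  # LDAP matching is case-insensitive
            raise ValueError(f"duplicate cn or uid: {cn} / {uid}")  # both must be unique
        seen_cn.add(cn.lower()); seen_uid.add(uid.lower())
        entry = [("dn", f"cn={dn_escape(cn)}, {base}")] + [("objectclass", oc) for oc in CLASSES]
        entry += [("cn", cn), ("sn", u["sn"]), ("uid", uid)]
        if u.get("userpassword"):
            entry.append(("userpassword", u["userpassword"]))
        else:  # no userpassword: the server falls back to the OS profile named by uid
            no_password.append(uid)
        entries.append(entry)
    text = "\n\n".join("\n".join(ldif_line(a, v) for a, v in e) for e in entries) + "\n"
    return text, no_password

# Constructed sample input; write the output to the integrated file system and load it with ldapadd.
SAMPLE_USERS = [
    {"cn": "John Doe", "sn": "Doe", "uid": "jdoe", "userpassword": "secretpass"},
    {"cn": "Müller, Anna", "sn": "Müller", "uid": "amueller"},
]
```

Review the returned uid list before loading the file: every uid in it will authenticate against an operating system profile of that name, which is only acceptable if that profile exists and is meant to be used.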


What to do next

For more information on importing LDIF entries, see the Directory Services documentation in the Information Centers for IBM i 6.1 and 7.1.


Related concepts

  • Standalone Lightweight Directory Access Protocol registries


Related tasks

  • Configure Lightweight Directory Access Protocol user registries
  • Select a registry or repository


Related information

  • IBM Tivoli Directory Server for IBM i (LDAP) 6.1
  • IBM Tivoli Directory Server for IBM i (LDAP) 7.1