WAS v8.5 > Secure applications > Authenticate users > Select a registry or repository > Manage the realm in a federated repository configuration

Migrating a stand-alone LDAP repository to a federated repositories LDAP repository configuration

When configuring the security for the application server, we might need to migrate a stand-alone LDAP registry to a federated repositories LDAP repository configuration.

Note the specifications of your stand-alone LDAP repository to migrate, for reference when configuring the LDAP repository in federated repositories. To access these fields, on the dmgr console, click Security > Global security, and then under User account repository, select Standalone LDAP registry or Federated repositories from the Available realm definitions field and click Configure. To access these fields in a multiple security domain environment, click Security > Global Security > Security domains > domain_name, and then, under Security Attributes, expand User Realm, and click Customize for this domain. Select the Realm type as Standalone LDAP registry or Federated repositories, and then click Configure.

The following table shows the dmgr console panels and fields of the stand-alone LDAP repository configuration and their corresponding fields in a federated repositories LDAP repository configuration for mapping.

Mapping between a stand-alone LDAP repository configuration and a federated repositories LDAP repository configuration. This table illustrates the mapping between a stand-alone LDAP repository configuration and a federated repositories LDAP repository configuration.

Stand-alone LDAP repository configuration LDAP repository in a federated repositories configuration
Global security > Standalone LDAP registry

General properties – Primary administrative user name

Global security > Federated repositories

General properties – Primary administrative user name

Global security > Standalone LDAP registry

LDAP server – Type of LDAP server

Global security > Federated repositories > Manage repositories > repository_ID

LDAP server – Directory Type

Global security > Standalone LDAP registry

LDAP server – Host

Global security > Federated repositories > Manage repositories > repository_ID

LDAP server – Primary host name

Global security > Standalone LDAP registry

LDAP server – Port

Global security > Federated repositories > Manage repositories > repository_ID

LDAP server – Port

Global security > Standalone LDAP registry

LDAP server – Failover hosts

Global security > Federated repositories > Manage repositories > repository_ID

LDAP server – Failover server used when primary is not available

Global security > Standalone LDAP registry

LDAP server – Base distinguished name (DN)

Global security > Federated repositories > Repository reference (Click Add Base entry to realm)

General properties – Distinguished name of a base entry that uniquely identifies this set of entries in the realm

and

General properties – Distinguished name of a base entry in this repository

Global security > Standalone LDAP registry

LDAP server – Search timeout

Global security > Federated repositories > Manage repositories > repository_ID > Performance

General properties - Limit search time

Global security > Standalone LDAP registry

LDAP server – Custom properties

Global security > Federated repositories > Custom properties
Global security > Standalone LDAP registry

LDAP server – Server user identity

Global security > Federated repositories

General properties – Server user identity

Global security > Standalone LDAP registry

Security – Bind distinguished name (DN)

Global security > Federated repositories > Manage repositories > repository_ID

Security – Bind distinguished name

Global security > Standalone LDAP registry

Security – Bind password

Global security > Federated repositories > Manage repositories > repository_ID

Security – Bind password

Global security > Standalone LDAP registry > Advanced LDAP user registry settings

General properties – Kerberos user filter

Global security > Federated repositories > Manage repositories > repository_ID

Security – LDAP attribute used for Kerberos principal name

Global security > Standalone LDAP registry > Advanced LDAP user registry settings

General properties – Certificate map mode

Global security > Federated repositories > Manage repositories > repository_ID

Security – Certificate mapping

Global security > Standalone LDAP registry > Advanced LDAP user registry settings

General properties – Certificate filter

Global security > Federated repositories > Manage repositories > repository_ID

Security – Certificate filter

The Realm name field under General Properties on the federated repositories LDAP configuration panel is not listed in the previous table because it does not have a one-to-one correspondence with a field in the stand-alone LDAP configuration panel. The host name and the port number represent the realm name for the standalone LDAP server in the WAS cell. For information on changing the realm name, see the topic Realm configuration settings.

The User Filter, Group Filter, User ID map, Group ID map, and Group member ID map fields also are not listed in the previous table as they do not have a one-to-one correspondence with fields in the federated repositories LDAP repository configuration panel. These LDAP attributes are set differently in the federated repositories LDAP repository configuration and involve multiple steps. These settings are explained in detail in the following sections and procedure. Migrating from a stand-alone LDAP repository configuration to a federated repositories LDAP repository configuration involves migrating the configuration parameters, most of which are straight forward as shown in Table 1 in the previous section. Migrating the search filters is an important part of migrating a stand-alone LDAP repository configuration to a federated repository LDAP configuration; therefore, the concept and migration of LDAP search filters is described here in detail.

Stand-alone LDAP registry search filters follow the LDAP filter syntax, where we specify the attribute on which the search is based and its value.

The user filter is used for searching the registry for users. It is used to authenticate a user using the attribute specified in the filter.

The group filter is used for searching the registry for groups. It specifies the property by which to look up groups.

Examples of commonly used LDAP user filters: In the following examples of search filters, %v is replaced with the corresponding search pattern of the user or group at run time.

(&(uid=%v)(objectclass=ePerson))

Searches for users where the uid attribute matches the specified search pattern of the ePerson object class.

(&(cn=%v)(objectclass=user))

Searches for users where the cn attribute matches the specified search pattern of the user object class.

(&(sAMAccountName=%v)(objectcategory=user))

Searches for users where the sAMAccountName attribute matches the specified search pattern of the user object category.

(&(userPrincipalName=%v)(objectcategory=user))

Searches for users where the userPrinciplalName attribute matches the specified search pattern of the user object category.

(&(mail=%v)(objectcategory=user))

Searches for users where the mail attribute matches the specified search pattern of the user object category.

(&(|(sAMAccountName=%v)(userPrincipalName=%v))(objectcategory=user))

Searches for users where the sAMAccountName or the userPrincipalName matches the specified search pattern of the user object category.

Examples of commonly used group filters:

(&cn=%v)(objectCategory=group)

Looks up groups based on their common names (cn).

(&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))

Looks up groups based on their common names (cn) and using the object class of either groupOfNames or groupOfUniqueNames.

As shown in these examples, a stand-alone LDAP registry search filter consists of LDAP attributes and object classes, based on which the search or login is performed.

We can also specify the LDAP attributes and object classes in the LDAP adapter configuration of federated repositories, but they are configured differently and provide more flexibility. In federated repositories the user is represented as PersonAccount entity type and group as Group entity type. Each entity type can have its own RDN (Relative Distinguished Name) property (rdnProperties) and object class. For example, the default RDN property of PersonAccount is uid, and the default RDN property of Group is cn. The default object class mapping depends on the LDAP server type. For example, for Tivoli Directory Server, the object class for PersonAccount is inetOrgPerson and object class for Group is groupOfNames. PersonAccount can also have login properties. When a user logs in or a search is performed for a user in a user registry, these login properties are matched with the pattern. For example, if the login properties are uid and mail, then for the search pattern, a*, all the users who match uid=a* or mail=a* are returned.

We can specify the value of User ID Map property (userIdMap) of the stand-alone LDAP repository as the RDN property (rdnProperties) or the first login property (loginProperties) in federated repositories. Though we can set both the RDN property and the login property in federated repositories, it is sufficient if you set only the RDN property. The login property is optional and you need to set it only if the login property is different from RDN property or if there are more than one login properties. If both the RDN property and login property are set, the login property takes precedence over RDN property.

Migrating search filters involves one or more of the following steps: setting the correct login properties, mapping the attributes of the back-end repository to the federated repositories properties, setting the object class, setting the search filter using object class or object category, and setting the member or membership attribute. This mapping and configuration for federated repositories is maintained in the wimconfig.xml file.

The stand-alone LDAP registry search filter can be split into two parts:

For example, in the search filter, (&(cn=%v)(objectclass=user)):

These two filters are mapped separately in a federated repositories configuration:

The default attribute and object class mapping is set based on the LDAP server type but additional steps might be required to migrate these two filters:

Some of the steps in the following procedure include two examples. In these steps:

  1. Add the LDAP repository to migrate to the federated repositories configuration.

    See Table 1 in the Before beginning section of this topic, and follow the steps described in the topic Configure a single, LDAP repository in a new configuration under Federated repositories. These steps include links to other procedures that you must complete such as:

    • Adding an external repository in a federated repository configuration.
    • Configuring supported entity types in a federated repository configuration.
    • Configuring LDAP in a federated repository configuration.

    After completing these steps, the LDAP repository to migrate will be successfully configured in the federated repository configuration.

  2. Set the login properties (if applicable).

    Login properties are the property names used to log on to the WAS. We can specify multiple login properties using the semicolon (;) as a delimiter. The federated repositories properties commonly used as login properties are uid, cn, sn, givenName, mail, and so on.

    To set login properties on the dmgr console, follow the steps in the topic LDAP repository configuration settings, and apply the settings under the section, Login properties.

    Example 1: In the Login properties field, enter cn.

    Example 2: In the Login properties field, enter uid;cn.

    Complete Step 3 to map these properties to LDAP attributes.

  3. Map the federated repository property to the LDAP attribute (if applicable).

    If the LDAP attribute is not a federated repository property, then the login property definedd must be mapped to the LDAP attribute.

    1. In the dmgr console, click Security > Global security.

    2. Under User account repository, select Federated repositories from the Available realm definitions field and click Configure. To configure for a specific domain in a multiple security domain environment, click Security domains > domain_name. Under Security Attributes, expand User Realm, and click Customize for this domain. Select the Realm type as Federated repositories and then click Configure.

    3. Under Related items, click Manage repositories > repository_ID, and then, under Additional properties, click the LDAP attributes link.

    4. If the attribute mapping exists, first delete the existing mapping for the LDAP attribute, and then add a new mapping for the attribute. Select the checkbox next to the LDAP attribute name and click Delete.
    5. To add an attribute mapping, click Add, and select Supported from the drop-down menu. Enter the LDAP attribute name in the Name field, the federated repositories property name in the Property name field, and the entity type which applies the attribute mapping in the Entity types field.

    Example 1: Because the federated repository property cn is implicitly mapped to the cn LDAP attribute, no additional mapping is required.

    Example 2: Here the search filter includes two LDAP attributes, sAMAccountName and userPrincipalName.

    • For the LDAP server type, Active Directory, the LDAP attribute sAMAccountName is mapped by default to the federated repositories property, uid, as shown in the list of attributes on LDAP attributes panel. Therefore, we do not have to execute the addIdMgrLDAPAttr command to add an attribute configuration for sAMAccountName.

    • If an attribute mapping for the LDAP attribute userPrincipalName exists, then delete the existing attribute mapping before adding a new configuration.

      1. Select the checkbox next to userPrincalName and click Delete.

      2. Click Add, and select Supported from the drop-down menu.
      3. In the Name field, enter userPrincipalName.
      4. In the Property name field, enter cn.
      5. In the Entity types field, enter PersonAccount.

  4. Set the object class for an entity type (if applicable).

    Before executing this step, check the current mapping . If the object class mapping is already set, skip this step.

    To set the object class for an entity type on the dmgr console, follow the steps in the topic Lightweight Directory Access Protocol entity types settings, and apply the following settings under the section, Object classes:

    • Specify PersonAccount as the entity type name for user filters

    • Specify Group as the entity type name for group filters.

    Example 1: In the Entity type field, enter PersonAccount.

    In the Object classes field, enter ePerson.

    Example 2: In the Entity type field, enter PersonAccount.

    In the Object classes field, enter user.

  5. Set the search filter for the entity type (if applicable).

    Federated repositories performs the search based on the object class setting. To change this default setting and use object category as the filter, follow the steps in topic Lightweight Directory Access Protocol entity types settings, and apply the settings under the section, Search Filter.

    Example 1: Because the search is based on object class, no additional configuration is required.

    Example 2: In the Search filter field, enter (objectcategory=user).

  6. To migrate group filters, you must also configure the group attribute definition settings.

    The steps to configure the group attribute definition settings through the dmgr console are specified in the topic Locating user group memberships in a LDAP registry, under the section, LDAP Registry within a Federated Repositories Registry. We can also use wsadmins addIdMgrLDAPGroupDynamicMemberAttr or addIdMgrLDAPGroupMemberAttr that are described in the topic IdMgrRepositoryConfig command group for AdminTask.

  7. Save your configuration changes

  8. Restart the application server.


Results

After completing these steps, the LDAP repository is configured for use within the federated repositories configuration.


Related


Manually configuring an LDAP repository in a federated repository configuration
Configure LDAP search filters
Configure LDAP in a federated repository configuration
Configure group attribute definition settings in a federated repository configuration


Reference:

IdMgrRepositoryConfig command group for AdminTask
LDAP repository configuration settings
Standalone LDAP registry settings
Group attribute definition settings
Realm configuration settings


+

Search Tips   |   Advanced Search