

Manually configure an LDAP repository in a federated repository configuration

As a prerequisite, add an LDAP repository to the WebSphere Application Server configuration, where we define the following information:

See LDAP repository configuration settings for the specific steps we must perform to establish this LDAP repository.

At this point, we have a valid LDAP repository ready to be manually configured in a federated repository configuration.


Tasks

  1. Map the federated repository entity types to the LDAP object classes.

    1. Configure the LDAP repository to match the used LDAP object class for users.

      1. In the administrative console, click...

          Security > Global security > User account repository > Available realm definitions > Federated repositories > Configure

        To configure for a specific domain in a multiple security domain environment, click...

          Security domains > domain_name > Security Attributes > User Realm > Customize for this domain > Realm type > Federated repositories > Configure

      2. Under Related items, click Manage repositories.

      3. Select the repository (for example, ldaprepo1).

      4. Click LDAP entity types.

      5. Click PersonAccount.
      6. Insert the objectclass name used in our LDAP server, for example, inetOrgPerson.

      7. Click Apply.

      8. Click Save.

      See LDAP for a description of the LDAP default mappings.

    2. Configure the LDAP repository to match the used LDAP objectclass for groups

      1. In the administrative console, click...

          Security > Global security > User account repository > Available realm definitions > Federated repositories > Configure

        To configure for a specific domain in a multiple security domain environment, click...

          Security domains > domain_name > Security Attributes > User Realm > Customize for this domain > Realm type > Federated repositories > Configure

      2. Under Related items, click Manage repositories.

      3. Select ldaprepo1.

      4. Click LDAP entity types.

      5. Click Group.
      6. Insert the objectclass name used for our LDAP server, for example, groupOfUniqueNames.

      7. Click Apply.

      8. Click Save.

      See Group attribute definition settings for an explanation of group attribute definitions.

  2. Map the federated repository property names to the LDAP attribute names.

    1. Configure the supported LDAP repository attributes.

      1. In the administrative console, click...

          Security > Global security > User account repository > Available realm definitions > Federated repositories > Configure

        To configure for a specific domain in a multiple security domain environment, click...

          Security domains > domain_name > Security Attributes > User Realm > Customize for this domain > Realm type > Federated repositories > Configure

      2. Under Related items, click Manage repositories > repository_ID, and then, under Additional properties, click the LDAP attributes link.

      3. If a mapping for the LDAP attribute already exists, delete it first: select the checkbox next to the LDAP attribute name and click Delete. Then add the new mapping for the attribute.

      4. To add an attribute mapping, click Add, and select Supported.

      5. Enter the LDAP attribute name in the Name field, the federated repositories property name in the Property name field, and the entity type which applies the attribute mapping in the Entity types field.

      For every federated repository property, a one-to-one mapping is assumed. If no explicit mapping is defined for a property, for example the federated repository property departmentNumber, the LDAP attribute of the same name, departmentNumber, is assumed. See Configure LDAP attributes in a federated repository configuration for more information.

    2. Configure the unsupported properties of the federated repository. To indicate that a given federated repository property, such as departmentNumber, is not backed by any LDAP attribute, define an unsupported property.

      1. On the LDAP attributes panel, click Add, and select Unsupported from the drop-down menu.

      2. Enter the federated repositories property name in the Property name field, and the entity type in the Entity types field.

      3. Click Apply and then Save.

    3. Configure the LDAP repository to match the used LDAP attributes for a user.

      1. Edit the file...

          {WAS_HOME}\profiles\{profileName}\config\cells\{cellName}\wim\config\wimconfig.xml

      2. Look for the section of this file that contains the LDAP repository configuration. For example:

          <config:repositories xsi:type="config:LdapRepositoryType" adapterClassName="com.ibm.ws.wim.adapter.ldap.LdapAdapter" id="ldaprepo1" ...>
          <config:attributeConfiguration>
          ...
          <config:attributes name="anLDAPattribute" propertyName="aVMMattribute"/>
          ...
          </config:attributeConfiguration>

      3. Add an element of type config:attributes to define the mapping from a given federated repository property name, such as departmentNumber, to the desired LDAP attribute name, such as warehouseSection.

        For every federated repository property, a one-to-one mapping is assumed. If no explicit mapping is defined for a property, for example the federated repository property departmentNumber, the LDAP attribute of the same name, departmentNumber, is assumed.

    4. Configure the unsupported properties of the federated repository.

      To indicate that a given federated repository property, such as departmentNumber, is not backed by any LDAP attribute, define the following type of element:

        <config:repositories xsi:type="config:LdapRepositoryType" adapterClassName="com.ibm.ws.wim.adapter.ldap.LdapAdapter" id="ldaprepo1" ...>
        <config:attributeConfiguration>
        ...
        <config:propertiesNotSupported name="departmentNumber"/>
        ...
        </config:attributeConfiguration>

    5. Configure the LDAP repository to match the used LDAP user membership attribute in the groups.

      1. In the administrative console, click Security > Global security.

      2. Under User account repository, select Federated repositories from the Available realm definitions field and click Configure.

        To configure for a specific domain in a multiple security domain environment, click Security domains > domain_name. Under Security Attributes, expand User Realm, and click Customize for this domain. Select the Realm type as Federated repositories and then click Configure.

      3. Under Related items, click Manage repositories.

      4. Select ldaprepo1

      5. Click Group attribute definitions.

      6. Click Member attributes.

      7. Check whether the LDAP member attribute (for example, uniqueMember) is specified for the LDAP object class of our groups (for example, groupOfUniqueNames).

        • If it is not specified, click New and add the pair (object class / member attribute name) that applies to the LDAP schema (for example, groupOfUniqueNames / uniqueMember).

        • If specified, proceed.

      8. Click Apply.

      9. Click Save.

  3. Map other LDAP settings by configuring a new base entry for the new LDAP repository.

    1. In the administrative console, click...

        Security > Global security > User account repository > Available realm definitions > Federated repositories > Configure

      To configure for a specific domain in a multiple security domain environment, click...

        Security domains > domain_name > Security Attributes > User Realm > Customize for this domain > Realm type > Federated repositories > Configure

    2. Click Add Base Entry to Realm.

    3. Select ldaprepo1.

    4. Specify:

      • The base entry within the federated repository realm, for example, o=Default Organization
      • The base entry within the LDAP repository, for example, o=Default Organization

    5. Click Apply.

    6. Click Save.

    For an explanation of base entries, see the Configuring supported entity types in a federated repository configuration topic.

After completing these steps, the federated repository matches the LDAP server settings.
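The following script is an added example for steps 2.3 and 2.4 above (editing wimconfig.xml by hand); it is not IBM code and is not part of this topic. It applies the same rules the administrative console enforces: one LDAP attribute per federated repository property, delete any existing mapping before adding a new one, and never mark a property as unsupported while it is also explicitly mapped. It also rejects names with stray whitespace, because a value such as " departmentNumber" is stored literally and never matches the intended attribute. The element and attribute names config:repositories, config:attributeConfiguration, config:attributes (name, propertyName) and config:propertiesNotSupported (name) are those shown in this topic; the root element, the namespace URIs, the config:entityTypes child element and the sample file content are assumptions about a typical file and must be checked against your own wimconfig.xml before use.

```python
"""Add or replace attribute mappings in the LDAP repository section of wimconfig.xml.

Added example, not IBM code. The root element, the namespace URIs and the
config:entityTypes child element are assumptions about a typical file.
"""
import xml.etree.ElementTree as ET

CONFIG_NS = "http://www.ibm.com/websphere/wim/config"  # assumed namespace URI
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
NS = {"config": CONFIG_NS, "xsi": XSI_NS}
ET.register_namespace("config", CONFIG_NS)  # keep the config: prefix on output
ET.register_namespace("xsi", XSI_NS)

# Constructed stand-in for the relevant part of a wimconfig.xml file (not a real file).
SAMPLE_WIMCONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<config:configurationProvider xmlns:config="http://www.ibm.com/websphere/wim/config"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <config:repositories xsi:type="config:LdapRepositoryType"
      adapterClassName="com.ibm.ws.wim.adapter.ldap.LdapAdapter" id="ldaprepo1">
    <config:attributeConfiguration>
      <config:attributes name="departmentNumber" propertyName="departmentNumber"/>
    </config:attributeConfiguration>
  </config:repositories>
</config:configurationProvider>
"""


def _q(local):
    """Clark-notation tag for an element in the config namespace."""
    return "{%s}%s" % (CONFIG_NS, local)


def _validate_name(value, what):
    # A name with surrounding or embedded whitespace (for example " departmentNumber")
    # is stored literally and will never match the intended attribute or property.
    if not value or value != value.strip() or any(c.isspace() for c in value):
        raise ValueError("%s %r must be non-empty and contain no whitespace" % (what, value))


def _attr_config(root, repo_id):
    """Return the attributeConfiguration element of the repository with the given id."""
    for repo in root.iter(_q("repositories")):
        if repo.get("id") == repo_id:
            cfg = repo.find("config:attributeConfiguration", NS)
            if cfg is None:
                cfg = ET.SubElement(repo, _q("attributeConfiguration"))
            return cfg
    raise KeyError("no repository with id %r in wimconfig.xml" % repo_id)


def list_mappings(xml_text, repo_id):
    """Explicit mappings as {federated repository property: LDAP attribute}."""
    cfg = _attr_config(ET.fromstring(xml_text), repo_id)
    return {a.get("propertyName"): a.get("name") for a in cfg.findall("config:attributes", NS)}


def unsupported_properties(xml_text, repo_id):
    """Properties declared as not backed by any LDAP attribute."""
    cfg = _attr_config(ET.fromstring(xml_text), repo_id)
    return sorted(p.get("name") for p in cfg.findall("config:propertiesNotSupported", NS))


def set_attribute_mapping(xml_text, repo_id, ldap_attr, property_name, entity_types=()):
    """Map property_name to ldap_attr (step 2.3). As in the console procedure, any
    existing mapping for the same property or the same LDAP attribute is removed
    first, so the one-to-one assumption holds. Returns the new document text."""
    _validate_name(ldap_attr, "LDAP attribute name")
    _validate_name(property_name, "property name")
    root = ET.fromstring(xml_text)
    cfg = _attr_config(root, repo_id)
    if any(p.get("name") == property_name for p in cfg.findall("config:propertiesNotSupported", NS)):
        raise ValueError("%r is declared unsupported; remove that declaration first" % property_name)
    for old in list(cfg.findall("config:attributes", NS)):
        if old.get("propertyName") == property_name or old.get("name") == ldap_attr:
            cfg.remove(old)
    mapping = ET.SubElement(cfg, _q("attributes"), name=ldap_attr, propertyName=property_name)
    for entity_type in entity_types:  # assumed child element carrying the entity type
        ET.SubElement(mapping, _q("entityTypes")).text = entity_type
    return ET.tostring(root, encoding="unicode")


def mark_unsupported(xml_text, repo_id, property_name):
    """Declare that no LDAP attribute backs property_name (step 2.4). Refuses if the
    property is also explicitly mapped, since both at once is contradictory."""
    _validate_name(property_name, "property name")
    if property_name in list_mappings(xml_text, repo_id):
        raise ValueError("%r is explicitly mapped; delete the mapping first" % property_name)
    root = ET.fromstring(xml_text)
    cfg = _attr_config(root, repo_id)
    if not any(p.get("name") == property_name for p in cfg.findall("config:propertiesNotSupported", NS)):
        ET.SubElement(cfg, _q("propertiesNotSupported"), name=property_name)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    updated = set_attribute_mapping(SAMPLE_WIMCONFIG, "ldaprepo1",
                                    "warehouseSection", "departmentNumber", ["PersonAccount"])
    updated = mark_unsupported(updated, "ldaprepo1", "employeeType")
    print(updated)
```

Run it against a copy of the file, diff the result against the original, and only then replace {WAS_HOME}\profiles\{profileName}\config\cells\{cellName}\wim\config\wimconfig.xml; the server must be restarted for a hand edit to take effect, and in a network deployment the edited cell configuration must also be synchronized to the nodes.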



Related

  • Configure supported entity types in a federated repository configuration
  • LDAP repository configuration settings
  • http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/topic/com.ibm.websphere.wim.doc.en/ldap.html