Enable security with an LDAP user registry

You can enable WebSphere global security using LDAP as the WAS user registry.

  1. Log on as:

    • AIX|Linux|Solaris: wasuser

    • i5/OS|Windows: a user with administrative authority

  2. Start the WAS administration server.

  3. Launch the WAS Administration Console.

  4. In the WAS Administration Console, modify the global security settings as follows:

    1. Expand Security and click Global security.

    2. On the Global security page that is displayed, under User registries, click LDAP.

    3. On the LDAP User Registry page that is displayed...

      1. Fill in the fields under General Properties, depending on the type of directory server you are using:


Table 1. IBM Directory Server for iSeries

| Field Name | Definition | Sample Values | Notes |
| --- | --- | --- | --- |
| Server User ID | User ID | user_ID | This must not be the LDAP administrator. Do not use a user that has been specified as cn=xxx. Ensure that the object class of this user is compatible with the object class specified in the User Filter field of the LDAP Advanced Properties window. Use the short form of the user name (without the "uid=" or "cn=") of the user defined in the LDAP. |
| Server User Password | User Password | password | |
| Type | Type of LDAP server | IBM Tivoli Directory Server | |
| Host | Host name of the LDAP server | hostname.domain.com | |
| Port | Port that the LDAP server is using | Default value 389 | This field is not required |
| Base Distinguished Name | DN under which searching occurs | o=ibm,c=us | |
| Bind Distinguished Name | DN for binding to the directory when searching | CN=root | |
| Bind Password | Password for the Bind DN | bind_password | |

Solaris:

Table 2. Sun Java System Directory Server

| Field Name | Definition | Sample Values | Notes |
| --- | --- | --- | --- |
| Server User ID | User ID | user_ID | This must not be the LDAP administrator. Do not use a user that has been specified as cn=xxx. Ensure that the object class of this user is compatible with the object class specified in the User Filter field of the LDAP Advanced Properties window. Use the short form of the user name (without the "uid=" or "cn=") of the user defined in the LDAP. |
| Server User Password | User Password | password | |
| Type | Type of LDAP server | iPlanet | |
| Host | Host name of the LDAP server | hostname.domain.com | |
| Port | Port that the LDAP server is using | | This field is not required |
| Base Distinguished Name | DN under which searching occurs | o=ibm | |
| Bind Distinguished Name | DN for binding to the directory when searching | | This field is not required |
| Bind Password | Password for the Bind DN | | This field is not required |

AIX|Windows:

Table 3. IBM Lotus Domino Directory Server

| Field Name | Definition | Sample Values | Notes |
| --- | --- | --- | --- |
| Server User ID | Short Name/User ID | user_ID | Ensure that the object class of this user is compatible with the object class specified in the User Filter field of the LDAP Advanced Properties window. Use the short form of the user name (without the "uid=" or "cn=") of the user defined in the LDAP. |
| Server User Password | User Password | password | |
| Type | Type of LDAP server | Domino 5.0 | |
| Host | Host name of the LDAP server | hostname.domain.com | |
| Port | Port that the LDAP server is using | | This field is not required |
| Base Distinguished Name | DN under which searching occurs | | This field is not required |
| Bind Distinguished Name | DN for binding to the directory when searching | | This field is not required |
| Bind Password | Password for the Bind DN | | This field is not required |

Windows:

Table 4. Active Directory

| Field Name | Definition | Sample Values | Notes |
| --- | --- | --- | --- |
| Server User ID | sAMAccountName | user_ID | User Logon Name of any ordinary user. Do not use a user that has been specified as cn=xxx. Ensure that the object class of this user is compatible with the object class specified in the User Filter field of the LDAP Advanced Properties window. Use the short form of the user name (without the "uid=" or "cn=") of the user defined in the LDAP. |
| Server User Password | User Password | password | |
| Type | Type of LDAP server | Active Directory | |
| Host | Host name of the LDAP server | hostname.domain.com | |
| Port | Port that the LDAP server is using | | This field is not required |
| Base Distinguished Name | DN under which searching occurs | CN=users,DC=domain1,DC=domain2,DC=com | |
| Bind Distinguished Name | DN for binding to the directory when searching | CN=user_ID,CN=users,DC=domain1,DC=domain2,DC=com | The user_ID value is the Display Name. This is not necessarily the same as the User Logon Name. |
| Bind Password | Password for the Bind DN | bind_password | This should be the same as the Security Server Password. |

  • Click Apply.

  • Click Advanced Lightweight Directory Access Protocol (LDAP) user registry settings. Ensure that the User filter field contains this value:

    (&(uid=%v)(objectclass=<user parent class defined in LDAP>))

    where objectclass is the user parent class name defined in LDAP (for example, inetOrgPerson). The user parent class is specific to the LDAP server. To find it, look up the value of the objectClassesForRead attribute in the following section of the WC_profiledir/config/wmm/wmm.xml file:

    <supportedLdapEntryType name="Person"
    rdnAttrTypes="uid"
    objectClassesForRead="inetOrgPerson" ... />

    If the value of objectclass is not equal to the user parent class name defined in LDAP, the security role-to-user assignment step will fail to look up the needed user ID. For more information, see the WebSphere Application Server documentation.
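As an added check (example code, not part of this page or the product), the following Python script applies two of the rules above before you click Apply: it reads objectClassesForRead for the Person entry type from a constructed wmm.xml fragment and confirms that the User filter names the same object class with balanced parentheses, and it applies the Server User ID rules from the tables (short form only, never the LDAP administrator). The wmm.xml content and the function names are my own assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of the supportedLdapEntryType section of wmm.xml (not a real file).
SAMPLE_WMM_XML = """<wmm>
  <supportedLdapEntryType name="Person" rdnAttrTypes="uid"
      objectClassesForRead="inetOrgPerson"/>
  <supportedLdapEntryType name="Group" rdnAttrTypes="cn"
      objectClassesForRead="groupOfUniqueNames"/>
</wmm>"""

# Expected shape of the User filter: (&(attr=%v)(objectclass=CLASS)), attribute names case-insensitive.
FILTER_RE = re.compile(r"^\(&\((?P<attr>[A-Za-z0-9-]+)=%v\)\(objectclass=(?P<cls>[^()]+)\)\)$",
                       re.IGNORECASE)


def person_object_class(wmm_xml):
    """Return objectClassesForRead of the entry type named "Person" in wmm.xml."""
    root = ET.fromstring(wmm_xml)
    for entry in root.iter("supportedLdapEntryType"):
        if entry.get("name") == "Person":
            return entry.get("objectClassesForRead", "")
    raise ValueError('no supportedLdapEntryType name="Person" in wmm.xml')


def build_user_filter(object_class, rdn_attr="uid"):
    """Build the User filter value for the given user parent class."""
    return f"(&({rdn_attr}=%v)(objectclass={object_class}))"


def check_user_filter(user_filter, wmm_xml):
    """Return the list of problems found; an empty list means the filter is consistent with wmm.xml."""
    problems = []
    if user_filter.count("(") != user_filter.count(")"):
        problems.append("unbalanced parentheses in user filter")
    match = FILTER_RE.match(user_filter)
    if not match:
        problems.append("filter is not of the form (&(attr=%v)(objectclass=CLASS))")
        return problems
    expected = person_object_class(wmm_xml)
    if match.group("cls").lower() != expected.lower():
        problems.append(f"objectclass {match.group('cls')!r} differs from wmm.xml objectClassesForRead {expected!r}")
    return problems


def check_server_user_id(user_id, ldap_admin_dn):
    """Apply the Server User ID rules from the tables: short form, and not the LDAP administrator."""
    problems = []
    if re.match(r"^(uid|cn)=", user_id, re.IGNORECASE):
        problems.append("use the short form of the user name, without uid= or cn=")
    admin_short = ldap_admin_dn.split(",", 1)[0].split("=", 1)[-1].strip()  # cn=root -> root
    if user_id.strip().lower() == admin_short.lower():
        problems.append("Server User ID must not be the LDAP administrator")
    return problems
```

Run check_user_filter against the filter you typed into the User filter field and check_server_user_id against the Server User ID and your directory's administrator DN; any non-empty list is a setting to correct before saving.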

  • Click Global Security.

  • On the Global security page that is displayed again, under Authentication, expand Authentication mechanisms and click LTPA.

  • On the LTPA page that is displayed...

    1. Under General Properties, fill in each of the fields including Key file name even though it is not marked as mandatory.

    2. Click Apply. LTPA keys will be generated automatically.

    3. Click Save.

    4. If you want to export keys, click Export Keys....

    5. Under Additional Properties, click Single Signon (SSO) and clear the Enabled check box if you do not want to use this functionality.

    6. Click Apply.

  • Click Global Security.

    1. Under General Properties, select Enable global security.

    2. Clear the Enforce Java 2 Security check box, which is selected by default, if you do not want to enforce Java 2 security.

    3. From the Active authentication mechanism list, select Lightweight Third Party Authentication (LTPA).

    4. From the Active user registry list, select LDAP.

    5. Click Apply.

      Remember to look at the top of the WAS page for any error message. An error message sometimes appears at the top when verification with the LDAP user ID fails, but global security can still be saved; if it is, you will eventually be unable to log on to WebSphere Commerce Server.

  • Restart WebSphere Commerce Server. From now on, when you open the WAS Administration Console, you will be prompted for the Server User ID and password.

    If you are running WAS ND, you must also stop and restart the node agents and the deployment manager.

  • In the navigation pane, expand Applications and click Enterprise Applications.

    1. In the Enterprise Applications window, click your Commerce application, WC_instance (for example, WC_demo).

    2. Under Additional Properties, click Map security roles to users/groups.

    3. Select WCSecurityRole using the check box on the left and click Look up users. Select any user to map to this role. The following are sample steps to look up an LDAP user and map the WCSecurityRole role to that user. These steps are specific to WAS ND for an LDAP user named "myuser". The steps on your system should be similar but could vary slightly:

      1. Use a search string of "*", click Search.

      2. In the Available panel, the myuser DN (for example, uid=myuser,cn=users,dc=ibm,dc=com) should be retrieved from the LDAP server. Select it and click the >> button to move it into the Selected panel.

      3. Click OK.

      4. Click OK again in the "Mapping Users to Roles" panel.

      5. If the Dynamic Cache Monitor is installed, repeat this process to also assign the Administrator role to the myuser user.

      6. Click Save.

      7. If you are using WAS ND, select the Synchronize changes with Nodes check box.

      8. Click Save again to apply the changes to the master configuration.

  • In the navigation pane, expand Applications and click Enterprise Applications.

    1. In the Enterprise Applications window, click your WebSphere Commerce application, WC_instance (for example, WC_demo).

    2. Under Additional Properties, click Map RunAs roles to users.

    3. Select WCSecurityRole using the check box on the left and enter the user name and password that you specified in step 4j.

    4. Click Apply.

    5. Click OK in the "Map RunAs Roles to users" panel.

    6. Click Save.

    7. If you are using WAS ND, select the Synchronize changes with Nodes check box.

    8. Click Save again to apply the changes to the master configuration.

  • Map security roles to users in the wmmApp. Select Applications -> Enterprise Applications -> wmmApp -> Map security roles to users/groups. For the role "Everyone", the check box "Everyone?" should be selected. For the role "All Authenticated", the check box "All Authenticated?" should be selected.

  • Open the WebSphere Commerce Configuration Manager.

    1. Select WebSphere Commerce > node > Commerce > Instance List > instance > Instance Properties > Security.

    2. Select the Enable Server Level Security check box.

    3. Select LDAP User Registry as the authentication mode.

    4. Enter the user name and password that you entered in step 4j.

    5. Select the Enable Global Security check box.

    6. Enter the Server User ID and password that you entered in step 4ci.

    7. Click Apply.

    8. Close the Configuration Manager.

  • Restart your WebSphere Commerce instance.
