Enable only global security with an LDAP user registry
You can enable only WebSphere global security using LDAP as the WAS user registry.
- Federate to a WebSphere Application Server Deployment Manager
- Log on:
- AIX|Linux|Solaris|as wasuser
- I5/OS|Windows:
as a user with administrative authority.
- Start the WAS administration server.
- Launch the WAS Administration Console.
- In the WAS Administration Console, modify the global security settings as follows:
- Expand Security and click Global security.
- On the Global security page that is displayed, under User registries, click LDAP.
- On the LDAP User Registry page that is displayed...
- Fill in the fields under General Properties, depending on the type of directory server you are using:
- IBM Tivoli Directory Server or IBM Directory Server for iSeries
- Sun Java System Directory Server
- IBM Lotus Domino Directory Server
- Active Directory
Field Name Definition Sample Values Notes Server User ID User ID user_ID
- This must not be the LDAP administrator.
- Do not use a user that has been specified as cn=xxx.
- Ensure that the object class of this user is compatible with the object class specified in the User Filter field of the LDAP Advanced Properties window.
- Use the short form of the user name (without the "uid=" or "cn=") of the user defined in the LDAP.
Server User password User Password password Type Type of LDAP server IBM Tivoli Directory Server Host Host name of the LDAP server hostname.domain.com Port Port that the LDAP server is using Default value 389 This field is not required Base Distinguished Name DN under which searching occurs o=ibm,c=us Bind Distinguished Name DN for binding to the directory when searching CN=root Bind Password Password for the Bind DN bind_password
Field Name | Definition | Sample Values | Notes |
---|---|---|---|
Server User ID | User ID | wasadmin |
|
Server User Password | User Password | password | |
Type | Type of LDAP server | iPlanet | |
Host | Host name of the LDAP server | hostname.domain.com | |
Port | Port that the LDAP server is using | This field is not required | |
Base Distinguished Name | DN under which searching occurs | o=ibm | |
Bind Distinguished Name | DN for binding to the directory when searching | cn=root | This field is not required |
Bind Password | Password for the Bind DN | This field is not required |
AIX|Windows:
Field Name | Definition | Sample Values | Notes |
---|---|---|---|
Server User ID | Short Name/User ID | user_ID |
|
Server User Password | User Password | password | |
Type | Type of LDAP server | Domino 5.0 | |
Host | Host name of the LDAP server | hostname.domain.com | |
Port | Port that the LDAP server is using | This field is not required | |
Base Distinguished Name | DN under which searching occurs | This field is not required | |
Bind Distinguished Name | DN for binding to the directory when searching | This field is not required | |
Bind Password | Password for the Bind DN | This field is not required |
Windows:
Field Name | Definition | Sample Values | Notes |
---|---|---|---|
Server User ID | sAMAccountName | user_ID |
|
Server User Password | User Password | password | |
Type | Type of LDAP server | Active Directory | |
Host | Host name of the LDAP server | hostname.domain.com | |
Port | Port that the LDAP server is using | This field is not required | |
Base Distinguished Name | DN under which searching occurs | CN=users,DC=domain1,DC=domain2,DC=com | |
Bind Distinguished Name | DN for binding to the directory when searching | CN=user_ID,CN=users,DC=domain1,DC=domain2,DC=com | The user_ID value is the Display Name. This is not necessarily the same as the User Logon Name. |
Bind Password | Password for the Bind DN | bind_password | This should be the same as the Security Server Password. |
(&(uid=%v)(objectclass=<user parent class defined in LDAP>)
Where, objectclass is equal to the user parent class name defined in LDAP (for example, inetOrgPerson). The user parent class is specific to the LDAP server. To find the objectclass search for the value of the objectClassesForRead attribute in the following section of WC_profiledir /config/wmm/wmm.xml file:
<supportedLdapEntryType name="Person" rdnAttrTypes="uid" objectClassesForRead="inetOrgPerson" ... />
If the value of the objectclass is not equal to the user parent class name defined in LDAP, the security role-to-user assignment step will fail to look up the needed user id. For more information, see WebSphere Application Server documentation.
Remember to look at the top of the WAS page for any error message. Sometimes, an error message appear at the top when a verification with the LDAP user id fails. But the global security can still be saved and eventually you will not be able to logon to WebSphere Commerce Server.