Enable only global security with an LDAP user registry

You can enable WebSphere global security only (without server-level security), using LDAP as the WebSphere Application Server (WAS) user registry.

  1. Federate to a WebSphere Application Server Deployment Manager

  2. Log on:

    • AIX, Linux, Solaris: as wasuser

    • i5/OS, Windows: as a user with administrative authority.

  3. Start the WAS administration server.

  4. Launch the WAS Administration Console.

  5. In the WAS Administration Console, modify the global security settings as follows:

    1. Expand Security and click Global security.

    2. On the Global security page that is displayed, under User registries, click LDAP.

    3. On the LDAP User Registry page that is displayed...

      1. Fill in the fields under General Properties, depending on the type of directory server you are using:

        i5/OS:

        Server User ID (user ID): user_ID
          • This must not be the LDAP administrator.
          • Do not use a user that has been specified as cn=xxx.
          • Ensure that the object class of this user is compatible with the object class specified in the User Filter field of the LDAP Advanced Properties window.
          • Use the short form of the user name (without the "uid=" or "cn=") of the user defined in the LDAP.
        Server User Password (user password): password
        Type (type of LDAP server): IBM Tivoli Directory Server
        Host (host name of the LDAP server): hostname.domain.com
        Port (port that the LDAP server is using): 389 by default. This field is not required.
        Base Distinguished Name (DN under which searching occurs): o=ibm,c=us
        Bind Distinguished Name (DN for binding to the directory when searching): CN=root
        Bind Password (password for the Bind DN): bind_password

        Solaris:

        Server User ID (user ID): wasadmin
          • This must not be the LDAP administrator.
          • Do not use a user that has been specified as cn=xxx.
          • Ensure that the object class of this user is compatible with the object class specified in the User Filter field of the LDAP Advanced Properties window.
          • Use the short form of the user name (without the "uid=" or "cn=") of the user defined in the LDAP.
        Server User Password (user password): password
        Type (type of LDAP server): iPlanet
        Host (host name of the LDAP server): hostname.domain.com
        Port (port that the LDAP server is using): not required.
        Base Distinguished Name (DN under which searching occurs): o=ibm
        Bind Distinguished Name (DN for binding to the directory when searching): cn=root. This field is not required.
        Bind Password (password for the Bind DN): not required.

        AIX or Windows:

        Server User ID (short name/user ID): user_ID
          • Ensure that the object class of this user is compatible with the object class specified in the User Filter field of the LDAP Advanced Properties window.
          • Use the short form of the user name (without the "uid=" or "cn=") of the user defined in the LDAP.
        Server User Password (user password): password
        Type (type of LDAP server): Domino 5.0
        Host (host name of the LDAP server): hostname.domain.com
        Port (port that the LDAP server is using): not required.
        Base Distinguished Name (DN under which searching occurs): not required.
        Bind Distinguished Name (DN for binding to the directory when searching): not required.
        Bind Password (password for the Bind DN): not required.

        Windows:

        Server User ID (sAMAccountName): user_ID
          • User Logon Name of any ordinary user.
          • Do not use a user that has been specified as cn=xxx.
          • Ensure that the object class of this user is compatible with the object class specified in the User Filter field of the LDAP Advanced Properties window.
          • Use the short form of the user name (without the "uid=" or "cn=") of the user defined in the LDAP.
        Server User Password (user password): password
        Type (type of LDAP server): Active Directory
        Host (host name of the LDAP server): hostname.domain.com
        Port (port that the LDAP server is using): not required.
        Base Distinguished Name (DN under which searching occurs): CN=users,DC=domain1,DC=domain2,DC=com
        Bind Distinguished Name (DN for binding to the directory when searching): CN=user_ID,CN=users,DC=domain1,DC=domain2,DC=com. The user_ID value is the Display Name, which is not necessarily the same as the User Logon Name.
        Bind Password (password for the Bind DN): bind_password. This should be the same as the Server User Password.

  • Click Apply.

  • Click Advanced Lightweight Directory Access Protocol (LDAP) user registry settings. Ensure that the User filter field contains this value:

    (&(uid=%v)(objectclass=<user parent class defined in LDAP>))

    where objectclass is the user parent class name defined in LDAP (for example, inetOrgPerson). The user parent class is specific to the LDAP server. To find it, search for the value of the objectClassesForRead attribute in the following section of the WC_profiledir/config/wmm/wmm.xml file:

    <supportedLdapEntryType name="Person"
        rdnAttrTypes="uid"
        objectClassesForRead="inetOrgPerson" ... />

    If the objectclass value in the filter is not the user parent class name defined in LDAP, the security role-to-user assignment step fails to look up the required user ID. For more information, see the WebSphere Application Server documentation.

  • Click Global Security.

  • On the Global security page that is displayed again, under Authentication, expand Authentication mechanisms and click LTPA.

  • On the LTPA page that is displayed...

    1. Under General Properties, fill in the LTPA settings as required and click Apply.

    2. Under Additional Properties, click Single Signon (SSO) and clear the Enabled check box if you do not want to use this functionality.

    3. Click Apply.

  • Click Global Security.

    1. Under General Properties, select Enable global security.

    2. Clear the Enforce Java 2 Security check box, which is selected by default, if you do not want to enforce Java 2 security.

    3. From the Active authentication mechanism list, select Lightweight Third Party Authentication (LTPA).

    4. From the Active user registry list, select LDAP.

    5. Click Apply.

      Check the top of the WAS page for any error message. An error message sometimes appears there when verification of the LDAP user ID fails, but the global security settings can still be saved; if you save them anyway, you will eventually be unable to log on to WebSphere Commerce Server.

  • Disable application security (server level security):

    1. For each server that is running your WebSphere Commerce application:

      1. Expand Servers and click Application Servers.

      2. Click the server name.

      3. Under Security, select Server security.

      4. Under Additional Properties, select Server-level security.

      5. Clear the Enable global security check box.

      6. Clear the Enforce Java 2 Security check box, which is selected by default.

      7. Click OK.

    2. Ensure that all users can read and write to the JNDI namespace:

      1. Expand Environment.

      2. Expand Naming and click on CORBA Naming Service Groups

      3. Click on EVERYONE

      4. Select all roles by holding down the CTRL key and clicking on each role

      5. Click OK

    3. Save and synchronize the configuration.

  • Restart all WebSphere Commerce Servers (Deployment Manager, Node Agents, Application Servers) in your cell. From now on, when you open the WAS Administration Console, you will be prompted for the Server User ID and password.

  • Open the WebSphere Commerce Configuration Manager.

    1. Select WebSphere Commerce > node > Commerce > Instance List > instance > Instance Properties > Security.

    2. Ensure that the Enable Server Level Security check box is not checked.

    3. Select the Enable Global Security check box.

    4. Enter the Server User ID and password that you use to login to the WAS Administrative Console.

    5. Click Apply.

    6. Close the Configuration Manager.

  • Your WebSphere Commerce instance will be started automatically.
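A pre-flight check for the two settings in this procedure that most often cause the later log-on failure: the Server User ID rules in the field tables (short form only, never the LDAP administrator) and the user filter whose objectclass must match objectClassesForRead in wmm.xml. This is an added example, not code from the IBM documentation or the product; the wmm.xml fragment and the directory entries are constructed, and the filter evaluator stands in for a real LDAP search.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragment shaped like the wmm.xml element the page points at (not a real file).
WMM_XML = """<wmm>
  <supportedLdapEntryType name="Person" rdnAttrTypes="uid"
      objectClassesForRead="inetOrgPerson" objectClassesForWrite="inetOrgPerson"/>
</wmm>"""

# Constructed sample directory entries; cn=root stands in for the LDAP administrator.
ENTRIES = [
    {"uid": "", "objectClass": ["top", "person"]},                 # the administrator
    {"uid": "wasadmin", "objectClass": ["top", "inetOrgPerson"]},  # a valid Server User ID
    {"uid": "legacy", "objectClass": ["top", "ePerson"]},          # wrong object class
]

def objectclass_from_wmm(xml_text):
    """Read objectClassesForRead of the Person entry type, as the procedure instructs."""
    for el in ET.fromstring(xml_text).iter("supportedLdapEntryType"):
        if el.get("name") == "Person":
            return el.get("objectClassesForRead")
    raise ValueError('no supportedLdapEntryType name="Person" found')

def user_filter(objectclass):
    """Build the Advanced LDAP user filter with balanced parentheses."""
    return "(&(uid=%v)(objectclass=" + objectclass + "))"

def check_server_user_id(user_id, bind_dn):
    """Apply the table rules: short form only, and not the LDAP administrator (Bind DN user)."""
    problems = []
    if re.match(r"(uid|cn)=", user_id, re.IGNORECASE):
        problems.append("use the short form, without 'uid=' or 'cn='")
    admin_name = bind_dn.split(",")[0].split("=", 1)[1]
    if user_id.lower() == admin_name.lower():
        problems.append("must not be the LDAP administrator (the Bind DN user)")
    return problems

def lookup(entries, flt, user_id):
    """Evaluate the user filter for one %v value against the constructed entries."""
    m = re.fullmatch(r"\(&\(uid=%v\)\(objectclass=([^()]+)\)\)", flt)
    if not m:
        raise ValueError("user filter is malformed or unbalanced: " + flt)
    wanted = m.group(1).lower()
    return [e for e in entries
            if e["uid"].lower() == user_id.lower()
            and wanted in (c.lower() for c in e["objectClass"])]

if __name__ == "__main__":
    flt = user_filter(objectclass_from_wmm(WMM_XML))
    print(flt, {u: bool(lookup(ENTRIES, flt, u)) for u in ("wasadmin", "legacy")})
```

An empty result for a user that exists in the directory is exactly the objectclass mismatch the procedure warns about: the role-to-user assignment would fail for that ID.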
