Prepare LDAP with WebSphere Commerce and WebSphere Portal

Before you begin, decide which Distinguished Name (DN) you want to use for the root organization and the default organization. These fundamental organizations are part of the WebSphere Commerce member subsystem. The WebSphere Commerce member subsystem can access only the root organization and the entries that are descendants of it. Because WebSphere Portal shares a user registry with WebSphere Commerce, both applications must be able to find the users, so every user must be created somewhere beneath the WebSphere Commerce root organization.

The WebSphere Commerce default organization (Default Organization) is a direct descendant of the WebSphere Commerce root organization (Root Organization) and is the parent of guest and B2C users. B2B users should not be created under the Default Organization; create them under their respective buyer and seller organizations instead.

If a user is created manually in the LDAP server, then when that user logs on to WebSphere Portal, which triggers a single sign-on to WebSphere Commerce, the user is automatically replicated into the WebSphere Commerce database. The attributes that are replicated are determined by the ldapentry.xml file. When the user is created in the WebSphere Commerce database, the user's profile type is set to 'C' (B2C user) if the parent organization of the user is the Default Organization, and to 'B' (B2B user) otherwise. This matters because only 'B' type users can be managed from the Organization Administration Console, whereas 'C' type users are managed from the Accelerator.

About this task

WebSphere Commerce uses a default DN for the root organization and the default organization as follows: "o=root organization" and "o=default organization,o=root organization". You can customize these names to your own settings. For example, use "dc=domain,dc=ibm,dc=com" to replace "o=root organization" and "cn=users,dc=domain,dc=ibm,dc=com" to replace "o=default organization,o=root organization". This customization can be done during the configuration of WebSphere Commerce and WebSphere Portal with basic authentication.

MemberRegistrationAttributes.xml can be used to assign WebSphere Commerce roles dynamically to authenticated users when they single sign on to WebSphere Commerce. A typical use: if the LDAPUserSuffix in WebSphere Portal does not refer to the same organization as the WebSphere Commerce default organization, modify the memberAncestor attribute in the MemberRegistrationAttributes.xml file in WebSphere Commerce so that it holds the full DN of the WebSphere Portal default DN suffix, LDAPUserSuffix. Users from that LDAPUserSuffix organization are then assigned the specified WebSphere Commerce roles for accessing the required WebSphere Commerce functions. The following example shows how, upon single sign-on to WebSphere Commerce from WebSphere Portal, to automatically assign WebSphere Commerce roles to B2C users that belong to a default organization named by the LDAPUserSuffix. In the file MemberRegistrationAttributes.xml, search for the following section:

<User registrationType="LDAPLogon" memberAncestor="o=Default Organization,o=Root Organization" storeAncestor="o=Root Organization"> 
 <Role name="Registered Customer" roleContext="storeOwner" DN="o=Reseller Organization,o=Root Organization"/> 
 <Role name="Registered Customer" roleContext="storeOwner" DN="o=Extended Sites Seller Organization,o=Root Organization"/> 
 <Role name="Registered Customer" roleContext="storeOwner" DN="o=Seller Organization,o=Root Organization"/> 
 <Role name="Registered Customer" roleContext="storeOwner" DN="o=Supplier Organization,o=Root Organization"/> 
</User> 

Replace "o=Default Organization,o=Root Organization" in the memberAncestor attribute with the full DN of the LDAPUserSuffix organization. The roles listed under that <User> element are granted to every LDAPLogon user whose DN lies beneath memberAncestor, so a memberAncestor that is set too high in the tree (for example, the root organization itself) also grants those roles to B2B users under the buyer and seller organizations; use the narrowest DN that covers the intended users. More information about this file can be found on the MemberRegistrationAttributes XML and DTD files page.
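The following Python script is an added example, not IBM code from this page or from WebSphere Commerce. It models the three rules described above so that you can check a planned DN layout before touching the directory: only entries under the root organization are visible to the member subsystem, a replicated user receives profile type 'C' if its parent is the Default Organization and 'B' otherwise, and a <User registrationType="LDAPLogon"> element in MemberRegistrationAttributes.xml grants its <Role> entries to users whose DN lies beneath memberAncestor. The customized DNs are the ones from the "About this task" example; the sample users and the outer <MemberRegistrationAttributes> wrapper element are constructed for illustration and are not taken from the product's DTD.

```python
"""Added example (not IBM's code): how a shared LDAP registry is interpreted by
the WebSphere Commerce member subsystem, as described on this page.
DNs, sample users and the wrapper element around <User> are constructed."""
import re
import xml.etree.ElementTree as ET

# Customized DNs from the page's "About this task" example (assumed deployment values).
ROOT_ORG = "dc=domain,dc=ibm,dc=com"
DEFAULT_ORG = "cn=users,dc=domain,dc=ibm,dc=com"


def split_rdns(dn):
    """Split a DN on unescaped commas; 'cn=Smith\\, John' stays a single RDN."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    return rdns


def normalize_dn(dn):
    """Canonical RDN tuple: case-folded, whitespace around ',' and '=' dropped.
    Directory servers compare o=/cn=/dc= values case-insensitively, so
    'o=default organization, o=root organization' must equal
    'o=Default Organization,o=Root Organization'."""
    return tuple(re.sub(r"\s*=\s*", "=", r.strip()).lower() for r in split_rdns(dn))


def is_descendant(dn, ancestor):
    """True when dn lies strictly below ancestor in the directory tree."""
    d, a = normalize_dn(dn), normalize_dn(ancestor)
    return len(d) > len(a) and d[-len(a):] == a


def profile_type(user_dn, root_org=ROOT_ORG, default_org=DEFAULT_ORG):
    """'C' (B2C) when the parent is the Default Organization, 'B' (B2B) otherwise.
    Users outside the root organization are invisible to the member subsystem,
    so they are never replicated and get no profile type (None)."""
    if not is_descendant(user_dn, root_org):
        return None
    parent = normalize_dn(user_dn)[1:]
    return "C" if parent == normalize_dn(default_org) else "B"


def registration_xml(member_ancestor):
    """Constructed MemberRegistrationAttributes.xml fragment. The outer element
    name is assumed; the <User>/<Role> shape follows the page."""
    return f"""<MemberRegistrationAttributes>
<User registrationType="LDAPLogon" memberAncestor="{member_ancestor}" storeAncestor="{ROOT_ORG}">
 <Role name="Registered Customer" roleContext="storeOwner" DN="o=Seller Organization,{ROOT_ORG}"/>
 <Role name="Registered Customer" roleContext="storeOwner" DN="o=Supplier Organization,{ROOT_ORG}"/>
</User>
</MemberRegistrationAttributes>"""


def roles_for(user_dn, xml_text):
    """Roles an LDAPLogon user receives on single sign-on: every <Role> under a
    <User> whose memberAncestor is an ancestor of the user's DN."""
    roles = []
    for user in ET.fromstring(xml_text).iter("User"):
        if user.get("registrationType") != "LDAPLogon":
            continue
        if is_descendant(user_dn, user.get("memberAncestor")):
            roles.extend((r.get("name"), r.get("roleContext"), r.get("DN"))
                         for r in user.findall("Role"))
    return roles


if __name__ == "__main__":
    users = [  # constructed sample entries
        "uid=alice,cn=users,dc=domain,dc=ibm,dc=com",                 # B2C under LDAPUserSuffix
        "UID=Bob, O=Buyer Organization, DC=Domain, DC=IBM, DC=COM",   # B2B, odd case/spacing
        "uid=eve,dc=other,dc=example",                                # outside the root organization
    ]
    narrow = registration_xml(DEFAULT_ORG)  # roles only for users under the default organization
    wide = registration_xml(ROOT_ORG)       # roles for every visible user, B2B users included
    for u in users:
        print(u, profile_type(u), len(roles_for(u, narrow)), len(roles_for(u, wide)))
```

Running the script shows the effect of the memberAncestor choice: with the narrow value only the B2C user under cn=users receives the two "Registered Customer" roles, while with memberAncestor set to the root organization the B2B buyer receives them as well, and the entry outside the root organization gets neither a profile type nor any roles.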

The relationship of the user to its parent organizations is defined in the MBRREL table and also mirrored in the DN for the user.

Basic authentication members

Enabling basic authentication requires that you create one member: the LDAP administrator (for example, "cn=root,cn=users,dc=domain,dc=ibm,dc=com"). Use the following criteria when creating the member:

After you decide on the DN for root organization and default organization, complete the following steps:

  1. Create these organizations on your directory server. For more information, see:

  2. Optional: Set up LDAP over SSL.

  3. If the site administrator user ID (for example, wcsadmin) exists on the LDAP server but is not directly under the root organization, and the WebSphere Commerce instance has not yet been configured to use LDAP, delete that user from the LDAP server. If the user already exists in LDAP directly under the root organization, it does not have to be deleted. Note that after WebSphere Commerce is configured to use LDAP, this user is authenticated against the password stored on the LDAP server, not the password in the WebSphere Commerce database. If the user exists only in the WebSphere Commerce database and not on the LDAP server, it is automatically synchronized to the LDAP server when the user first logs on to WebSphere Commerce.


Related concepts

Organization structure


Related tasks

Configure WebSphere Portal with WebSphere Commerce
Configure basic authentication for WebSphere Commerce
Configure simulated single sign-on for WebSphere Commerce