Prepare Lightweight Directory Access Protocol with WebSphere Commerce and WebSphere Portal
Before you begin, decide which Distinguished Name (DN) to use for the root organization and the default organization. These fundamental organizations are part of the WebSphere Commerce member subsystem. The WebSphere Commerce Member Subsystem can access only the root organization and the entries that are descendants of it. Because WebSphere Portal shares a user registry with WebSphere Commerce, both applications must be able to find the users; therefore, users must be created somewhere beneath the WebSphere Commerce root organization. The WebSphere Commerce default organization (Default Organization) is a direct descendant of the WebSphere Commerce root organization (Root Organization) and is the parent of guest and B2C users. B2B users, however, should not be created under the Default Organization; they should be created under their respective buyer and seller organizations.

If a user is created manually in the LDAP server, then when that user logs on to WebSphere Portal, which triggers a single sign-on to WebSphere Commerce, the user is automatically replicated into the WebSphere Commerce database. The set of attributes that is replicated is determined by the ldapentry.xml file. When the user is created in the WebSphere Commerce database, the profile type of the user is set to 'C' (B2C user) if the parent organization of the user is the Default Organization, and to 'B' (B2B user) otherwise. This matters because only 'B' type users can be managed from the Organization Administration Console, whereas 'C' type users are managed from the Accelerator.
WebSphere Commerce uses default DNs for the root organization and the default organization: "o=root organization" and "o=default organization,o=root organization". You can customize these names to your own settings. For example, you can use "dc=domain,dc=ibm,dc=com" in place of "o=root organization" and "cn=users,dc=domain,dc=ibm,dc=com" in place of "o=default organization,o=root organization". This customization is done during the configuration of WebSphere Commerce and WebSphere Portal with basic authentication.
MemberRegistrationAttributes.xml can be used to assign WebSphere Commerce roles dynamically to authenticated users when they perform single sign-on to WebSphere Commerce. A typical use is when the LDAPUserSuffix in WebSphere Portal does not refer to the same organization as the WebSphere Commerce default organization: in that case, set the memberAncestor attribute in the WebSphere Commerce MemberRegistrationAttributes.xml file to the full DN of the WebSphere Portal default DN suffix, LDAPUserSuffix. Users from the LDAPUserSuffix organization are then assigned the specified WebSphere Commerce roles and can access the required WebSphere Commerce functions. The following example shows how, upon single sign-on to WebSphere Commerce from WebSphere Portal, WebSphere Commerce roles are automatically assigned to B2C users that belong to a default organization with the LDAPUserSuffix name. In the file named MemberRegistrationAttributes.xml, search for the following section:
    <User registrationType="LDAPLogon" memberAncestor="o=Default Organization,o=Root Organization" storeAncestor="o=Root Organization">
        <Role name="Registered Customer" roleContext="storeOwner" DN="o=Reseller Organization,o=Root Organization"/>
        <Role name="Registered Customer" roleContext="storeOwner" DN="o=Extended Sites Seller Organization,o=Root Organization"/>
        <Role name="Registered Customer" roleContext="storeOwner" DN="o=Seller Organization,o=Root Organization"/>
        <Role name="Registered Customer" roleContext="storeOwner" DN="o=Supplier Organization,o=Root Organization"/>
    </User>
Replace "o=default organization, o=root organization" with the full DN of the LDAPUserSuffix organization. More information about this file can be found on the MemberRegistrationAttributes XML and DTD files page.
The relationship of the user to its parent organizations is defined in the MBRREL table and also mirrored in the DN for the user.
Basic authentication members
Enabling basic authentication requires that you create one member. This member is the LDAP administrator (for example, "cn=root,cn=users,dc=domain,dc=ibm,dc=com"). Use the following criteria when creating the member:
- LDAP administrator:
  - This is an LDAP administrator.
  - It is recommended that this user be searchable under the WebSphere Commerce root organization. For more information, refer to Organization structure.
  - This user must have add/remove/update/search privileges in the WebSphere Commerce root organization and all child organizations.
  - The default administrator, such as cn=root in IBM Directory Server or Sun Java System Directory Server, is recommended.
Ensure that the root organization in WebSphere Commerce matches the root organization in LDAP, and also matches the VMM base DN in WebSphere Portal.
After you decide on the DN for root organization and default organization...
Procedure
- Create these organizations on the directory server. For more information, see:
  - Configure IBM Directory Server for use with WebSphere Commerce
  - Configure IBM Lotus Domino LDAP service for use with WebSphere Commerce
  - Configure IBM i5/OS Directory Services for use with WebSphere Commerce
  - Configure Microsoft Active Directory for use with WebSphere Commerce
  - Configure Sun Java System Directory Server for use with WebSphere Commerce
- Optional: Set up LDAP over SSL.
- If the site administrator user ID (for example, wcsadmin) exists on the LDAP server but is not directly under the root organization in the LDAP server, and the WCS instance has not yet been configured to use LDAP, delete the user from the LDAP server. If the user already exists in LDAP directly under the root organization, it does not have to be deleted. Note that once WebSphere Commerce is configured to use LDAP, this user is authenticated by checking against the password stored on the LDAP server for this user. If the user does not exist on the LDAP server but only in the WebSphere Commerce database, it is automatically synchronized to the LDAP server when the user first logs on to WebSphere Commerce.
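The DN rules above (users must sit beneath the root organization, profile type 'C' only when the parent is the default organization, memberAncestor pointed at the Portal LDAPUserSuffix, and the site administrator placed directly under the root organization) can be checked before touching the directory. The following is an added example, not IBM code; it assumes DNs with plain comma separators and no escaped commas or multi-valued RDNs, and the LDAPUserSuffix value "cn=users,o=Root Organization" is a constructed placeholder.

```python
# Added example (not IBM code): pre-flight checks for the DN rules on this page.
# Assumes plain ',' separators with no escaped commas or multi-valued RDNs.
import xml.etree.ElementTree as ET

def dn_rdns(dn):
    """Split a DN into RDNs, leaf first, normalized (trimmed, lower-case)."""
    return [r.strip().lower() for r in dn.split(",")]

def is_descendant(dn, ancestor):
    """True when dn lies strictly below ancestor (RDN suffix match)."""
    d, a = dn_rdns(dn), dn_rdns(ancestor)
    return len(d) > len(a) and d[-len(a):] == a

def is_direct_child(dn, parent):
    """True when parent is exactly the next RDN level above dn (site admin check)."""
    return dn_rdns(dn)[1:] == dn_rdns(parent)

def profile_type(user_dn, root_dn, default_dn):
    """Replication rule: 'C' (B2C) if the parent is the default organization,
    'B' (B2B) otherwise; None if the user is outside the root organization,
    where the Member Subsystem cannot see it at all."""
    if not is_descendant(user_dn, root_dn):
        return None
    return "C" if is_direct_child(user_dn, default_dn) else "B"

# Constructed copy of the <User> element quoted on this page (one Role kept).
MEMBER_REG_XML = (
    '<User registrationType="LDAPLogon" '
    'memberAncestor="o=Default Organization,o=Root Organization" '
    'storeAncestor="o=Root Organization">'
    '<Role name="Registered Customer" roleContext="storeOwner" '
    'DN="o=Seller Organization,o=Root Organization"/></User>'
)

def set_member_ancestor(xml_text, old_dn, new_dn):
    """Point memberAncestor at the Portal LDAPUserSuffix (case-insensitive DN
    match). Refuse a suffix that is neither the User's storeAncestor (the root
    organization in the page's example) nor beneath it, because users created
    there would be invisible to the Member Subsystem."""
    root = ET.fromstring(xml_text)
    changed = 0
    for user in root.iter("User"):
        if dn_rdns(user.get("memberAncestor", "")) != dn_rdns(old_dn):
            continue
        store = user.get("storeAncestor", "")
        if dn_rdns(new_dn) != dn_rdns(store) and not is_descendant(new_dn, store):
            raise ValueError("LDAPUserSuffix outside root organization: " + new_dn)
        user.set("memberAncestor", new_dn)
        changed += 1
    return changed, ET.tostring(root, encoding="unicode")
```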
Related tasks
- Configure WebSphere Portal with WebSphere Commerce
- Configure basic authentication for WebSphere Commerce
- Configure simulated single sign-on for WebSphere Commerce