Portal Express, Version 6.0
Operating systems: i5/OS, Linux, Windows

---

 

Create required LDAP users and groups

Before you can configure IBM^® WebSphere^® Portal Express to work with the LDAP server, the LDAP user registry must have some minimal user and group information already populated. This section describes the procedures necessary to set up the LDAP server to work with WebSphere Portal Express.

 

Required users and groups

A minimum of one group and one user is required for WebSphere Portal Express. Depending on what software you already have deployed and configured, you may need additional user accounts. These can either be existing user accounts that you want to use in WebSphere Portal Express, or you can create new user accounts to use.

The required group is wpsadmins or an equivalent (the group that is specified with the PortalAdminGroupId attribute in the wpconfig.properties file. This is the first administrator group for WebSphere Portal Express. Members of this group have administrative authority within WebSphere Portal Express. It is expected that the first administrator account, WebSphere Portal Express administrative user, be a member of the wpsadmins group in the directory, but WebSphere Portal Express does not actually enforce that.

If content management functions are configured, it is recommended to also create the following groups in the LDAP:

wpsContentAdministrators wpsDocReviewer

These groups should be created in the LDAP with the same authority as granted to the wpsadmins group. The following describes the required user accounts:

You can use the same user ID for more than one purpose.

• WebSphere Portal Express administrative user. This is the first administrator account for WebSphere Portal Express. This account is also a member of the wpsadmins group.

• You must specify a Security Server ID account name and password for IBM WebSphere Application Server security. This account is configured into WebSphere Application Server. It becomes the ID that is used to administer WebSphere Application Server. If this account is different from the following LDAP access accounts, then this account needs no special privileges in the LDAP user registry.

• An LDAP access account for WebSphere Application Server. This identity is used by WebSphere Application Server to access the LDAP user registry. If you keep the default values for the Bind Distinguished Name of WebSphere Application Server in the wpconfig.properties file, wpsbind will be used as the Bind Distinguished Name. The required privileges for this account in the user registry are as follows:

  • Write: If you want to allow users or portal administrators to create and modify directory attributes through self-registration and self-care screens or the Manage Users and Groups portlet, the Bind DN (LDAPBindID) user must have permission to write and search the LDAP user registry that WebSphere Portal Express uses or the subtree of that directory rooted at the LDAP suffix.

  • Read: If you will not use any WebSphere Portal Express facilities to write to the user registry, but your user registry security policies do not allow anonymous searches of the directory, the Bind DN (LDAPBindID) user must have permission to read and search the LDAP user registry that WebSphere Portal Express uses or the subtree of that directory rooted at the LDAP suffix.

• An LDAP access account that Member Manager uses to access the LDAP directory.

  This ID is not required when using LDAP with realm support. This does not have to be the root administrative ID for the directory, simply an ID that has sufficient privileges to the directory to allow the operations that WebSphere Portal Express will perform.

  If WebSphere Portal Express only reads from the directory and does not make updates, an ID with read privileges to the directory is sufficient. If WebSphere Portal Express updates the directory (creates users or makes user profile updates to the directory) then an ID with write privileges is required.

 

Portal administrator users

You can select an existing LDAP user to act as the portal administrator.

If you want to create a new user to administer the portal, you should create the user before continuing. To create a new user as the portal administrator, use your directory administration tools. Refer to the section appropriate to the directory server you are using for documentation on creating a new portal administrative user.

LDAP Relative Distinguished Name (RDN) prefixes, such as cn=, uid=, or ou=, should be entered in lowercase. Uppercase or mixed case can cause problems with subsequent case-sensitive queries of the database user registry and WebSphere Portal Express databases.

 

Parent topic:

Sun Java System Directory Server

 

Previous topic

Installing Sun Java System Directory Server

 

Next topic

Setting up Sun Java System Directory Server

---