Configure Active Directory Application Mode for realm support

Portal Express, Version 6.0
Operating systems: i5/OS, Linux, Windows

Configure Active Directory Application Mode for realm support

Choose this option to configure the WebSphere Application Server to access the LDAP server through the database user registry. In this configuration, one or more user registries and, therefore one or more "realms", can be created. A "realm" is a concept that denotes a specific body of users accessing a specific configuration. Refer to Multiple virtual portals for information about creating separate, customizable portals for different groups of users within an organization.
Follow these steps to edit the wpconfig.properties file and run the appropriate configuration tasks so that IBM^® WebSphere^® Portal Express can work with the LDAP server.Note the following:

These instructions apply to either a single server installation or a cluster environment. When setting up a cluster to use an LDAP server, it is only necessary to perform these steps on the primary node in the cluster. For detailed instructions on creating the cluster, refer to Clustering and WebSphere Portal Express.
A configuration template might exist to support these instructions. Refer to the portal_server_root/config/helpers directory for available configuration templates. Use the configuration template to update the wpconfig.properties file, as described in Configuration program, according to the property descriptions and recommended values provided below. If you do not want to use a configuration template, simply follow the instructions below as written.
These steps allow you to configure your LDAP server to use virtual portal and realm support. See Multiple virtual portals for information about virtual portals.

Password considerations: For security reasons, you should not store passwords in the wpconfig.properties file. IBM recommends that you edit the wpconfig.properties prior to running a configuration task, inserting the passwords needed for that task. Then, after the task has run, you should delete all passwords from the wpconfig.properties file. For more information, see Deleting passwords from configuration scripts.
Alternatively, you can specify the password on the command line using the following syntax:
	WPSconfig.{sh|bat} task_name -Dpassword_property_key=password_value
As with other properties, each password property must have the -D prefix and be set equal to (=) a value. If you have multiple properties in a single command, use a space character between each -Dproperty=value setting.
Ensure that the LDAP software is installed and any setup has been performed.
Locate the wpconfig.properties and wpconfig_dbdomain.properties files in the following directory and create a back up copy before changing any values:

Linux:
portal_server_root/config/
Windows:
portal_server_root\config\
i5/OS:
portal_server_root_user/config/

Use a text editor to open the wpconfig.properties and wpconfig_dbdomain.properties files and enter the values appropriate for your environment. Note the following:

Do not change any settings other than those specified in these steps. For instructions on working with these files, see Configuration properties reference for a complete properties reference, including default values.
Use / instead of \ for all platforms.
Some values, shown in italics below, might need to be modified to your specific environment.

Section of the wpconfig.properties file: IBM WebSphere Application Server properties

Property Value
WasUserid The user ID for WebSphere Application Server security authentication. For an LDAP configuration this should be the fully qualified distinguished name (DN) of a current administrative user for the WebSphere Application Server. For a configuration using Member Manager User Registry database the short version of the distinguished name must be used.
Make sure to type the value in lower case, regardless of the case used in the distinguished name (DN). If a value is specified for WasUserid, a value must also be specified for WasPassword. If WasUserid is left blank, WasPassword must also be left blank.
For LDAP configuration this value should not contain spaces.
Type: Alphanumeric text string

Example: When using LDAP security:

Tivoli Directory Server: uid=wpsbind,cn=users,dc=example,dc=com
Lotus Domino: cn=wpsbind,o=example.com
Active Directory: cn=wpsbind,cn=users,dc=example,dc=com
Active Directory Application Mode: cn=wpsbind,cn=users,dc=example,dc=com
Sun Java System Directory Server: uid=wpsbind,ou=people,o=example.com
Novell eDirectory: uid=wpsbind,ou=people,o=example.com
Example: When using Custom User Registry (CUR):

CUR: wpsbind

Default: ReplaceWithYourWASUserID

WasPassword The password for WebSphere Application Server security authentication.

If a value is specified for WasPassword, a value must also be specified for WasUserid. If WasPassword is left blank, WasUserid must also be left blank.
Type: Alphanumeric text string

Recommended: Set this value according to a environment.

Default: ReplaceWithYourWASUserPwd

Section of the wpconfig.properties file: WebSphere Portal Express configuration properties
WpsContentAdministrators, WpsDocReviewer, and PortalAdminGroupId should be different groups.

Property Value
PortalAdminId The user ID for the WebSphere Portal Express administrator, which should be the fully qualified distinguished name (DN).

Notes:

For LDAP configuration this value should not contain spaces.
Make sure to type the value in lower case, regardless of the case used in the distinguished name (DN).

Type: Alphanumeric text string, conforming to the LDAP distinguished name format

Examples for LDAP:

Tivoli Directory Server: uid=portaladminid,cn=users,dc=example,dc=com
Lotus Domino: cn=portaladminid,o=example.com
Active Directory and Active Directory Application Mode: cn=portaladminid,cn=users,dc=example,dc=com
Sun Java System Directory Server: uid=portaladminid,ou=people,o=example.com
Novell eDirectory: uid=portaladminid,ou=people,o=example.com
Custom User Registry example: uid=portaladminid
Windows and Linux default: none
i5/OS default: uid=portaladminid,o=default organization

PortalAdminPwd The password for the WebSphere Portal Express administrator, as defined in the PortalAdminId property.

Type: Alphanumeric text string
Example: yourportaladminpwd

Default: none

PortalAdminGroupId The group ID for the group to which the WebSphere Portal Express administrator belongs.

Make sure to type the value in lower case, regardless of the case used in the distinguished name (DN).
Type: Alphanumeric text string, conforming to the LDAP distinguished name format

Examples for LDAP:

Tivoli Directory Server: cn=wpsadmins,cn=groups,dc=example,dc=com
Lotus Domino: cn=wpsadmins
Active Directory: cn=wpsadmins,cn=groups,dc=example,dc=com
Active Directory Application Mode: cn=wpsadmins,cn=groups,dc=example,dc=com
Sun Java System Directory Server: cn=wpsadmins,ou=groups,o=example.com
Novell eDirectory: cn=wpsadmins,ou=groups,o=example.com
Custom User Registry example: cn=wpsadmins,o=default organization

Default: cn=wpsadmins,o=default organization

WpsContentAdministrators The group ID for the WebSphere Content Administrator group.

Type: Alphanumeric text string

Example values:

DEV (No security): WpsContentAdministrators=cn=wpsContentAdministrators,o=default organization
Member Manager User Repository database: WpsContentAdministrators=cn=wpsContentAdministrators,o=default organization

LDAP example values:

Tivoli Directory Server: cn=wpsContentAdministrators,cn=groups,dc=example,dc=com
Lotus Domino: cn=wpsContentAdministrators
Active Directory: cn=wpsContentAdministrators,cn=groups,dc=example,dc=com
Active Directory Application Mode: cn=wpsContentAdministrators,cn=groups,dc=example,dc=com
Sun Java System Directory Server: cn=wpsContentAdministrators,ou=groups,o=example.com
Novell eDirectory: cn=wpsContentAdministrators,ou=groups,o=example.com

Default: cn=wpsContentAdministrators,o=default organization

WpsContentAdministratorsShort The WebSphere Content Administrators group ID.

Type: Alphanumeric text string

Default: wpsContentAdministrators

WpsDocReviewer The group ID for the WebSphere Document Reviewer group

Type: Alphanumeric text string

Example values:

DEV (No security): WpsDocReviewer=cn=wpsDocReviewer,o=default organization
Database user registry: WpsDocReviewer=cn=wpsDocReviewer,o=default organization

LDAP example values:

Tivoli Directory Server: cn=wpsDocReviewer,cn=groups,dc=example,dc=com
Lotus Domino: cn=wpsDocReviewer
Active Directory: cn=wpsDocReviewer,cn=groups,dc=example,dc=com
Active Directory Application Mode: cn=wpsDocReviewer,cn=groups,dc=example,dc=com
Sun Java System Directory Server: cn=wpsDocReviewer,ou=groups,o=example.com
Novell eDirectory: cn=wpsDocReviewer,ou=groups,o=example.com

Default: cn=wpsDocReviewer,o=default organization

WpsDocReviewerShort The WebSphere Document Reviewer group ID.

Type: Alphanumeric text string

Default: wpsDocReviewer

Section of the wpconfig.properties file: WebSphere Portal Express Security LTPA and SSO configuration

Property Value
LTPAPassword The password for the LTPA bind.

Type: Alphanumeric text string

Default: none

LTPATimeout The number of minutes after which an LTPA token will expire.

Type: Numeric text string

Default: 120

SSODomainName The domain name for all allowable single signon host domains.

Enter the part of the domain that is common to all servers that participate in single signon. For example, if WebSphere Portal Express has the domain portal.us.ibm.com and another server has the domain another_server.ibm.com, enter ibm.com.
To specify multiple domains, use a semicolon ; to separate each domain name. For example, your_co.com;ibm.com.

Single signon (SSO) is achieved using a cookie that is sent to the browser during authentication. When connecting to other servers in the TCP/IP domain specified in the cookie, the browser sends the cookie. If no domain is set in the cookie, the browser will only send the cookie to the issuing server. See the WebSphere Application Server documentation for further details about this setting.

Type: Fully-qualified domain name

Default: none

Section of the wpconfig.properties file: LDAP Properties Configuration

Property Value
LookAside You can either install with LDAP only or with LDAP using a Lookaside database. The purpose of a Lookaside database is to store attributes which cannot be stored in your LDAP server; this combination of LDAP plus a Lookaside database is needed to support the Database user registry.
To enable a Lookaside database, set this property to true. If you intend to use a Lookaside database, set this value before configuring security, as it cannot be configured after security is enabled.
Set Lookaside to true if you are using IBM Workplace Web Content Management™.
Using a Lookaside database can slow down performance.
Type:

true - LDAP + Lookaside database
false - LDAP only

Default: false

WmmDefaultRealm The default realm of the Member Manager user registry (UR) configuration. Set this property before enabling security with enable-security-wmmur-ldap or enable-security-wmmur-db.

Type: Alphanumeric text string

Default: portal

LDAPHostName The host information for the LDAP server that WebSphere Portal Express will use.

Type: Fully qualified host name of the LDAP server

Default: yourldapserver.com

LDAPPort The server port of the LDAP directory.

Type: Alphanumeric text string
Example: 389 for non-SSL or 636 for SSL

Default: 389

Configuration tasks only work against a non-SSL port. After configuring security, you will need to manually configure security over SSL and change this value to the SSL value.
LDAPAdminUId The user ID for the administrator of the LDAP directory. Member Manager uses this ID to bind to the LDAP to retrieve users attributes, create new users and groups in the LDAP and update user attributes. This ID is not required to be the LDAP admin DN, but rather an ID with sufficient authority for the use cases just cited. If this property is omitted, the LDAP is accessed anonymously and read-only.

Make sure to type the value in lower case, regardless of the case used in the distinguished name (DN).
Type: Alphanumeric text string, conforming to the LDAP distinguished name format. For example, cn=userid.

Default: cn=root

LDAPAdminPwd The password for the LDAP directory administrator, as defined in the LDAPAdminUId property. If the LDAPAdminUId is blank, this property must be blank as well.

Type: Alphanumeric text string

Default: none

LDAPServerType The type of LDAP Server to be used.

Example values:

Tivoli Directory Server: IBM_DIRECTORY_SERVER
Lotus Domino: DOMINO502
Active Directory: ACTIVE_DIRECTORY
Active Directory Application Mode: ACTIVE_DIRECTORY
Sun Java System Directory Server: IPLANET
Novell eDirectory: NDS

Default: IBM_DIRECTORY_SERVER

LDAPBindID The user ID for LDAP Bind authentication. This user ID is used by WebSphere Application Server to bind to the LDAP to retrieve user attributes required for authentication. If this property is omitted, the LDAP is access anonymously and is then read-only.

Make sure to type the value in lower case, regardless of the case used in the distinguished name (DN).

Example values:

Tivoli Directory Server: uid=wpsbind,cn=users,dc=example,dc=com
Lotus Domino: cn=wpsbind,o=example.com
Active Directory: cn=wpsbind,cn=users,dc=example,dc=com
Active Directory Application Mode: cn=wpsbind,cn=users,dc=example,dc=com
Sun Java System Directory Server: uid=wpsbind,ou=people,o=example.com
Novell eDirectory: uid=wpsbind,ou=people,o=example.com

Default: uid=wpsbind,cn=users,dc=example,dc=com

LDAPBindPassword The password for LDAP Bind authentication. If the LDAPBindID is blank, this property must be blank as well.

Type: Alphanumeric text string

Default: none

Section of the wpconfig.properties file: Advanced LDAP Configuration

Property Value
LDAPSuffix The LDAP Suffix. Choose a value appropriate for your LDAP server. This is the distinguished name (DN) of the node in the LDAP containing all user and group information for the configuration. As such, it is the lowest container in the LDAP tree still containing all users that will log into WebSphere Portal Express and all groups.

If WebSphere Application Server configuration tasks (for example, enable-security-ldap) are used to activate WebSphere Application Server Security, this value will be used as the single Base Distinguished Name for the Application Server LDAP configuration. This value will be qualified with the LDAPUserSuffix and LDAPGroupSuffix values in order to configure Member Manager.
Make sure to set the value of the suffix to the exact case of the suffix as set in the LDAP directory. For example, if a users' DN in LDAP is returned as uid=tuser,CN=Users,DC=example,DC=com, set this value to DC=example,DC=com. Using dc=example,dc=com will cause awareness problems. For more information on this see technical note 1174297.

Example values:

Tivoli Directory Server: dc=example,dc=com
Lotus Domino: this value is null
Active Directory: dc=example,dc=com
Active Directory Application Mode: dc=example,dc=com
Sun Java System Directory Server: o=example.com
Novell eDirectory: o=example.com

Default: dc=example,dc=com

LdapUserPrefix The RDN prefix attribute name for user entries. Choose a value appropriate for your LDAP server.

Example values:

Tivoli Directory Server: uid
Lotus Domino: cn
Active Directory: cn
Active Directory Application Mode: cn
Sun Java System Directory Server: uid
Novell eDirectory: uid

Default: uid

LDAPUserSuffix The DN suffix attribute name for user entries. Choose a value appropriate for your LDAP server. With LDAPSuffix appended to this value, it is the DN of the common root node in the LDAP containing all user information for the configuration. As such, it is the lowest container in the LDAP tree still containing all users that will log into WebSphere Portal Express including the administrative users (for example, wpsadmin and wpsbind)

Make sure to type the value in lower case, regardless of the case used in the distinguished name (DN).

Example values:

Tivoli Directory Server: cn=users
Lotus Domino: o=example.com
Active Directory: cn=users
Active Directory Application Mode: cn=users
Sun Java System Directory Server: ou=people
Novell eDirectory: ou=people

Default: cn=users

LdapGroupPrefix The RDN prefix attribute name for group entries.
Type: cn

Default: cn

LDAPGroupSuffix The DN suffix attribute name for group entries. Choose a value appropriate for your LDAP server. With LDAPSuffix appended to this value, it is the DN of the common root node in the LDAP containing all group information for the configuration. As such, it is the lowest container in the LDAP tree still containing all group entries for WebSphere Portal Express including the administrative group (., wpsadmins).
Make sure to type the value in lower case, regardless of the case used in the distinguished name (DN).

Example values:

Tivoli Directory Server: cn=groups
Lotus Domino: this value is null
Active Directory: cn=groups
Active Directory Application Mode: cn=groups
Sun Java System Directory Server: ou=groups
Novell eDirectory: ou=groups

Default: cn=groups

LDAPUserObjectClass The LDAP object class of the users in your LDAP directory that will log into WebSphere Portal Express.Example values:

Tivoli Directory Server: inetOrgPerson
Lotus Domino: dominoPerson
Active Directory: user
Active Directory Application Mode: user
Sun Java System Directory Server: inetOrgPerson
Novell eDirectory: inetOrgPerson

Default: inetOrgPerson

LDAPGroupObjectClass The LDAP object class of all the groups in your LDAP directory that WebSphere Portal Express will access.Example values:

Tivoli Directory Server: groupOfUniqueNames
Lotus Domino: dominoGroup
Active Directory: group
Active Directory Application Mode: group
Sun Java System Directory Server: groupOfUniqueNames
Novell eDirectory: groupOfNames
Shared UserRegistry with WebSeal/IBM Tivoli^® Access Manager for e-business Version 5.1: accessGroup
Shared UserRegistry with WebSeal/IBM Tivoli Access Manager for e-business Version 6: groupOfNames

Default: groupOfUniqueNames

LDAPGroupMember The attribute name in the LDAP group object of the "membership" attribute. Choose a value appropriate for your LDAP server.Example values:

Tivoli Directory Server: uniqueMember
Lotus Domino: member
Active Directory: member
Active Directory Application Mode: member
Sun Java System Directory Server: uniqueMember
Novell eDirectory: uniqueMember
Shared UserRegistry with WebSeal/Tivoli Access Manager: member

Default: uniqueMember

LDAPUserFilter The filter used by WebSphere Application Server for finding users in the LDAP.

Example values:

Tivoli Directory Server: (&(uid=%v)(objectclass=inetOrgPerson))
Lotus Domino: (&(|(cn=%v)(uid=%v))(|(objectclass=dominoPerson)(objectclass=inetOrgPerson)))
Active Directory: (&(|(cn=%v)(samAccountName=%v))(objectclass=user))
Active Directory Application Mode: { (&(cn=%v)(objectclass=user)) }
Sun Java System Directory Server: (&(uid=%v)(objectclass=inetOrgPerson))
Novell eDirectory: (&(uid=%v)(objectclass=inetOrgPerson))

Default: (&(uid=%v)(objectclass=inetOrgPerson))

LDAPGroupFilter The filter used by WebSphere Application Server for finding groups in the LDAP.

Example values:

Tivoli Directory Server: (&(cn=%v)(objectclass=groupOfUniqueNames))
Lotus Domino: (&(cn=%v)(|(objectclass=dominoGroup)(objectclass=groupOfNames) (objectclass=groupOfUniqueNames)))
Active Directory: (&(cn=%v)(objectclass=group))
Active Directory Application Mode: (&(cn=%v)(objectclass=group))
Sun Java System Directory Server: (&(cn=%v)(objectclass=groupOfUniqueNames))
Novell eDirectory: (&(cn=%v)(objectclass=groupOfNames))

Default: (&(cn=%v)(objectclass=groupOfUniqueNames))

Section of the wpconfig.properties file:

IBM Workplace Web Content Management Properties

Property Value
WcmAdminGroupId The group ID for the Web Content Management Administrators group. This should be the fully qualified distinguished name (DN) of a current administrative user for the WebSphere Application Server. For LDAP configuration this value should not contain spaces.

Type: Alphanumeric text string

Example values:

DEV (No security): WcmAdminGroupId=cn=wcmadmins,o=default organization
Database user registry: WcmAdminGroupId=cn=wcmadmins,o=default organization

LDAP example values:

Tivoli Directory Server: cn=wcmadmins,cn=groups,dc=example,dc=com
Lotus Domino: cn=wcmadmins
Active Directory: cn=wcmadmins,cn=groups,dc=example,dc=com
Active Directory Application Mode: cn=wcmadmins,cn=groups,dc=example,dc=com
Sun Java System Directory Server: cn=wcmadmins,ou=groups,o=example.com
Novell eDirectory: cn=wcmadmins,ou=groups,o=example.com

Default: cn=wcmadmins,o=default organization

WcmAdminGroupIdShort The Web Content Management Administrators group ID.

Type: Alphanumeric text string

Default: wcmadmins

Section of the wpconfig_dbdomain.properties file: Database properties in wpconfig_dbdomain.properties
The following two properties are required when using a Lookaside database and/or federation.

Property Value
wmm.DbUser
The user ID for the database administrator.

Notes:

For SQL Server and non-wmm databases only, unless you are the system administrator, the values for dbdomain.DbUser and dbdomain.DbSchema must be the same.
For Oracle and SQL Server, if the user you are using is an administrative user that has authority over the FEEDBACK schema, the administrative user should be entered for the dbdomain.DbUser property.
For Oracle only: For non-feedback domains, DbSchema and DbUser MUST be the same. For Feeback domains, the default schema name is FEEDBACK. If the value is set to something besides FEEDBACK, you also have to set the schemaName property in <wps_home>/shared/app/config/services/FeedbackService.properties to the new schema.

Type: Alphanumeric text string

Default for all domains: wpdb2ins ReplacewithyourDBAdminUser
Recommended:

Release: releaseusr
Community: communityusr
Customization: customizationusr
JCR: icmadmin
WMM: wmmdbusr
Feedback: feedback
LikeMinds: lmdbusr

wmm.DbPassword
The password for the database administrator.

A value must be set for this property; it cannot be empty.
Type: Alphanumeric text string

Default for all domains: ReplaceWithYourDbAdminPwd

Save the file.
Stop the WebSphere Portal Express server:
If this is a clustered environment, ensure the deployment manager and all node agents are active.

Open a command prompt and change to the following directory:

Linux:
was_profile_root/bin
Windows:
was_profile_root\bin
i5/OS:
app_server_root/bin

Enter the following command:

Linux:
./stopServer.sh WebSphere_Portal -user admin_userid -password admin_password
Windows:
stopServer.bat WebSphere_Portal -user admin_userid -password admin_password
i5/OS:
stopServer.sh WebSphere_Portal -profileName profile_root -user admin_userid -password admin_password
where profile_root is the name of the WebSphere Application Server profile where WebSphere Portal Express is installed; for example, wp_profile.

Change to the following directory:

Linux:
portal_server_root/config/
Windows:
portal_server_root\config\
i5/OS:
portal_server_root_user/config/
Enter the following command to run the appropriate configuration task for your specific operating system:
Linux:
./WPSconfig.sh validate-wmmur-ldap -DWasPassword=password -DPortalAdminPwd=password -DLTPAPassword=password -DLDAPAdminPwd=password -DLDAPBindPassword=password
Windows:
WPSconfig.bat validate-wmmur-ldap -DWasPassword=password -DPortalAdminPwd=password -DLTPAPassword=password -DLDAPAdminPwd=password -DLDAPBindPassword=password
i5/OS:
WPSconfig.sh  -profileName profile_root validate-wmmur-ldap -DWasPassword=password -DPortalAdminPwd=password -DLTPAPassword=password -DLDAPAdminPwd=password -DLDAPBindPassword=password
where profile_root is the name given to the WebSphere Application Server profile in use.
Perform this step only if you are in a clustered environment and use the LookAside feature: If you enabled security using the LDAP user registry with realm support, the Member Manager Datasource definitions will automatically be created on the Deployment Manager cell. All nodes need to define a WebSphereEnvironment Variable for the JdbcClassPath.
The nodes which have WebSphere Portal Express installed will already have this WebSphereEnvironment Variable defined. Refer to the Creating a WebSphereEnvironment Variable section in the WebSphere Application Server information center for information on how to manually create the WebSphereEnvironment Variable definitions. When defining the WebSphereEnvironment Variable, please ensure that the name matches the DBTYPE_JDBC_DRIVER_CLASSPATH.
Remove the following parts from the wmmLDAPAttributes_AD.xml file in the following directory:

Windows and Linux:
portal_server_root/wmm/wmmLDAPAttributes_AD.xml
i5/OS:
portal_server_root_user/wmm/wmmLDAPAttributes_AD.xml
<attributeMap wmmAttributeName="samAccountName"
		pluginAttributeName="samAccountName"
		applicableMemberTypes="Group"
		requiredMemberTypes="Group"
		dataType="String"
		valueLength="32"
		multiValued="false"
		defaultAttribute="cn"/>
AND
<attributeMap wmmAttributeName="userAccountControl"
		pluginAttributeName="userAccountControl"
		applicableMemberType="Person"
		dataType="String"
		valueLength="32"
		multiValued="false"
		defaultValue="66048"
		readOnly="true"/>
Change the following parts in wmmLDAPAttributes_AD.xml in the following directory:

Windows and Linux:
portal_server_root/wmm/wmmLDAPAttributes_AD.xml
i5/OS:
portal_server_root_user/wmm/wmmLDAPAttributes_AD.xml
	<attributeMap wmmAttributeName="uid"
		pluginAttributeName="samAccountName"
		applicableMemberTypes="Person"
		requiredMemberTypes="Person"
		dataType="String"
		valueLength="32"
		multiValued="false"/>
To
	<attributeMap wmmAttributeName="uid"
		pluginAttributeName="<aValidLdapAttribute>"
		applicableMemberTypes="Person"
		requiredMemberTypes="Person"
		dataType="String"
		valueLength="32"
		multiValued="false"/>
"<aValidLdapAttribute>" is a sample attribute. This step maps one of your LDAP attributes to the Member Manager attribute "uid". If your LDAP schema provides "samAccountName", you do not have to update wmmLDAPAttributes_AD.xml. Otherwise, choose one of your LDAP attributes to replace "samAccountName". For example, choose "uid". Ensure that the attribute you choose is not already assigned within the wmmLDAPAttributes_AD.xml file.
Enter the appropriate command to run the configuration task for your specific operating system:
If this is a cluster environment, stop all cluster members before enabling security using the enable-security-wmmur-ldap task.
Linux:
./WPSconfig.sh enable-security-wmmur-ldap -DWasPassword=password -DPortalAdminPwd=password -Dwmm.DbPassword=password -DLTPAPassword=password -DLDAPAdminPwd=password -DLDAPBindPassword=password
Windows:
WPSconfig.bat enable-security-wmmur-ldap -DWasPassword=password -DPortalAdminPwd=password -Dwmm.DbPassword=password -DLTPAPassword=password -DLDAPAdminPwd=password -DLDAPBindPassword=password
i5/OS:
WPSconfig.sh  -profileName profile_root enable-security-wmmur-ldap -DWasPassword=password -DPortalAdminPwd=password -Dwmm.DbPassword=password -DLTPAPassword=password -DLDAPAdminPwd=password -DLDAPBindPassword=password
where profile_root is the name given to the WebSphere Application Server profile in use.
Check the output for any error messages before proceeding with any additional tasks. If the configuration task fails, verify the values in the wpconfig.properties and wpconfig_dbdomain.properties files. Before running the task again, be sure to stop the WebSphere Portal Express server. To stop the server follow these steps:
If this is a clustered environment, ensure the deployment manager and all node agents are active.

Open a command prompt and change to the following directory:

Linux:
was_profile_root/bin
Windows:
was_profile_root\bin
i5/OS:
app_server_root/bin

Enter the following command:

Linux:
./stopServer.sh WebSphere_Portal -user admin_userid -password admin_password
Windows:
stopServer.bat WebSphere_Portal -user admin_userid -password admin_password
i5/OS:
stopServer.sh WebSphere_Portal -profileName profile_root -user admin_userid -password admin_password
where profile_root is the name of the WebSphere Application Server profile where WebSphere Portal Express is installed; for example, wp_profile.

Set the userRegistryRealm property in the WebSphere Application Server Administrative Console:
This step is required only if the site includes, and will include additional, Domino Directory servers in Single Signon (SSO).

In the WebSphere Application Server Administrative Console, select Security>Global Security>User Registry>Custom>Custom Properties.
See Starting and logging off the administrative console for information on how to log on to the WebSphere Application Server Administrative Console.
Add the userRegistryRealm key with the value yourname, where this is the name of the security realm used within the WebSphere Application Server cell to uniquely identify the user based on their origin source. For example, the LDAP implementation of WebSphere Application Server uses the LDAP server name and the used port as the origin source, such as ldap.nameofyourcompany.com:389.
Save your changes.

If you are not using LDAP over SSL, follow these steps to allow password changes without SSL:

Open an Active Directory Application Mode tools command prompt.
Type dsmgmt at the command prompt.
Type ds behavior at the dsmgmt prompt.
Type connections at the ds behavior prompt.
Type connect to server computername:portnumber at the connections prompt, where computername:portnumber represents the Active Directory Application Mode instance to which you want to connect.
Type q at the connections prompt.
Type allow passwd op on unsecured connection at the ds behavior prompt.
To exit, type q twice.

Enter the following commands to restart server1 and WebSphere_Portal server. If you are running with security enabled on WebSphere Application Server, specify a user ID and password for security authentication when entering the commands.
If this is a clustered environment, stop and start all node agents and the deployment manager.

Open a command prompt and change to the following directory:

Linux:
was_profile_root/bin
Windows:
was_profile_root\bin
i5/OS:
app_server_root/bin

Enter the following command:

Linux:
./stopServer.sh server1 -user admin_userid -password admin_password
Windows:
stopServer.bat server1 -user admin_userid -password admin_password
i5/OS:
stopServer.sh server1 -profileName profile_root -user admin_userid -password admin_password
where profile_root is the name of the WebSphere Application Server profile where WebSphere Portal Express is installed; for example, wp_profile.

server1 is the name of your WebSphere Application Server administrative server.
Enter the following command:

Linux:
./startServer.sh server1
Windows:
startServer.bat server1
i5/OS:
startServer.sh server1 -profileName profile_root
where profile_root is the name of the WebSphere Application Server profile where WebSphere Portal Express is installed; for example, wp_profile.

server1 is the name of your WebSphere Application Server administrative server.
Enter the following command:

Linux:
./startServer.sh WebSphere_Portal
Windows:
startServer.bat WebSphere_Portal
i5/OS:
startServer.sh WebSphere_Portal -profileName profile_root
where profile_root is the name of the WebSphere Application Server profile where WebSphere Portal Express is installed; for example, wp_profile.

Perform this step only if you installed WebSphere Portal Express into a pre-existing SSO environment. Because you will not be given the option to import your existing token file...

To import your SSO Token:

In the WebSphere Application Server Administrative Console, select Security > Global Security > Authentication > Authentication mechanisms > LTPA.
Enter the LTPA token password in the Password field.
Enter the password again in the Confirm password field.
In the Key File Name field, enter the LTPA token file.
Click Import Keys.
Click Save.

To set your SSO Domain:

In the WebSphere Application Server Administrative Console, select Security > Global Security > Authentication > Authentication mechanisms > LTPA.
Click Single Signon in Additional Properties.
Enter the domain name in the Domain Name field.
Click OK.
Perform this step only if common name (CN) is the Relative Distinguished Name (RDN) attribute of your distinguished name (DN) and you want to allow users or administrators to modify directory attributes through self-care screens or the user management portlet. Set the user.sync.remove.attributes=cn,CN property value in Puma service, as described in Setting configuration properties:
WebSphere Portal Express can be configured to create the CN for a user account created through WebSphere Portal Express interfaces (self-registration or the user management portlet create new user functions). The default configuration of WebSphere Portal Express generates this attribute based on the surname (sn) and givenname attribute. The configuration is also located in WP PumaService in the WebSphere Application Server Administrative Console. Modify the Puma service, by following steps described in Setting configuration properties
The following entry defines the user common name pattern and can be used to customize common name. In the pattern, you can define which attribute is used. Therefore the maximum amount of attributes has to be provided by puma.commonname.parts. See the following example for more details:
For example:	firstname+" "+lastname       			puma.commonname = {0} {1}
      			puma.commonname.parts = 2
      			puma.commonname.0 = givenName       			puma.commonname.1 = sn
This function is not available if the CN attribute is the RDN attribute.
Verify that your configuration works. Access WebSphere Portal Express using http://hostname.example.com:10038/wps/portal, where hostname.example.com is the fully qualified host name of the machine where WebSphere Portal is running and 10038 is the default transport port that is created by WebSphere Application Server. and verify that you can log in.
Configuring WebSphere Portal Express to work with an LDAP directory automatically enables WebSphere Application Server Global Security. Once security is enabled, type the fully qualified host name when accessing WebSphere Portal Express and the WebSphere Application Server Administrative Console.
Run the Member Fixer tool to update the member names used by Web Content Management with the corresponding members in the LDAP directory. This step ensures that access to the Web content libraries for the Intranet and Internet Site Templates for the contentAuthors group is correctly mapped to the appropriate group in the LDAP directory.
Edit the portal_server_root/config/templates/express/MemberFixer.properties file.
Update the contentAuthors_new property with the group name you used for the content authors group during LDAP configuration.
Save your changes and close the file.
Open a command prompt and change to the following directory.

Linux:
portal_server_root/config/
Windows:
portal_server_root\config\
i5/OS:
portal_server_root_user/config/
Enter the appropriate command to run the configuration task for your specific operating system:
Linux:
./WPSconfig.sh action-memberfixer-altDN-mismatchedId -DPortalAdminPwd=password
Windows:
WPSconfig action-memberfixer-altDN-mismatchedId -DPortalAdminPwd=password
i5/OS:
WPSconfig.sh  -profileName profile_root action-memberfixer-altDN-mismatchedId -DPortalAdminPwd=password
where profile_root is the name of the WebSphere Application Server profile where WebSphere Portal Express is installed; for example, wp_profile.
Security is enabledOnce you have enabled security with your LDAP directory, you will need to provide the user ID and password required for security authentication on WebSphere Application Server when you perform certain administrative tasks with WebSphere Application Server. For example, to stop the WebSphere Portal Express application server, you would issue the following command:

Enter the following command:

Linux:
./stopServer.sh WebSphere_Portal -user admin_userid -password admin_password
Windows:
stopServer.bat WebSphere_Portal -user admin_userid -password admin_password
i5/OS:
stopServer.sh WebSphere_Portal -profileName profile_root -user admin_userid -password admin_password
where profile_root is the name of the WebSphere Application Server profile where WebSphere Portal Express is installed; for example, wp_profile.

Switch the login LDAP attribute:
Follow these steps to switch the login LDAP attribute from the default (uid) to another LDAP attribute (such as emailAddress):

Open the WebSphere Application Server Administrative Console.
Go to Security > Global Security > User Registry > Custom > Custom Properties.
If wmmUserSecurityNameAttr already exists, select it. Otherwise click New.
If not already set, set Name as wmmUserSecurityNameAttr and Value to the attribute you would like, such as emailAddress.
Attribute names are found in portal_server_root/wmm/wmmLDAPServerAttributes.xml, where portal_server_root is the WebSphere Portal Express installation directory.
Save your changes.
Open the file portal_server_root/wmm/wmm.xml.
Set userSecurityNameAttribute to the attribute you would like to be used as login the attribute (using the example in Step 4, the setting would look like: userSecurityNameAttribute="emailAddress".)
Save the file and restart PortalServer.

Parent topic:
Configuring Active Directory Application Mode

Property	Value
PortalAdminId	The user ID for the WebSphere Portal Express administrator, which should be the fully qualified distinguished name (DN). Notes: For LDAP configuration this value should not contain spaces. Make sure to type the value in lower case, regardless of the case used in the distinguished name (DN). Type: Alphanumeric text string, conforming to the LDAP distinguished name format Examples for LDAP: Tivoli Directory Server: uid=portaladminid,cn=users,dc=example,dc=com Lotus Domino: cn=portaladminid,o=example.com Active Directory and Active Directory Application Mode: cn=portaladminid,cn=users,dc=example,dc=com Sun Java System Directory Server: uid=portaladminid,ou=people,o=example.com Novell eDirectory: uid=portaladminid,ou=people,o=example.com Custom User Registry example: uid=portaladminid Windows and Linux default: none i5/OS default: uid=portaladminid,o=default organization
PortalAdminPwd	The password for the WebSphere Portal Express administrator, as defined in the PortalAdminId property. Type: Alphanumeric text string Example: yourportaladminpwd Default: none
PortalAdminGroupId	The group ID for the group to which the WebSphere Portal Express administrator belongs. Make sure to type the value in lower case, regardless of the case used in the distinguished name (DN). Type: Alphanumeric text string, conforming to the LDAP distinguished name format Examples for LDAP: Tivoli Directory Server: cn=wpsadmins,cn=groups,dc=example,dc=com Lotus Domino: cn=wpsadmins Active Directory: cn=wpsadmins,cn=groups,dc=example,dc=com Active Directory Application Mode: cn=wpsadmins,cn=groups,dc=example,dc=com Sun Java System Directory Server: cn=wpsadmins,ou=groups,o=example.com Novell eDirectory: cn=wpsadmins,ou=groups,o=example.com Custom User Registry example: cn=wpsadmins,o=default organization Default: cn=wpsadmins,o=default organization
WpsContentAdministrators	The group ID for the WebSphere Content Administrator group. Type: Alphanumeric text string Example values: DEV (No security): WpsContentAdministrators=cn=wpsContentAdministrators,o=default organization Member Manager User Repository database: WpsContentAdministrators=cn=wpsContentAdministrators,o=default organization LDAP example values: Tivoli Directory Server: cn=wpsContentAdministrators,cn=groups,dc=example,dc=com Lotus Domino: cn=wpsContentAdministrators Active Directory: cn=wpsContentAdministrators,cn=groups,dc=example,dc=com Active Directory Application Mode: cn=wpsContentAdministrators,cn=groups,dc=example,dc=com Sun Java System Directory Server: cn=wpsContentAdministrators,ou=groups,o=example.com Novell eDirectory: cn=wpsContentAdministrators,ou=groups,o=example.com Default: cn=wpsContentAdministrators,o=default organization
WpsContentAdministratorsShort	The WebSphere Content Administrators group ID. Type: Alphanumeric text string Default: wpsContentAdministrators
WpsDocReviewer	The group ID for the WebSphere Document Reviewer group Type: Alphanumeric text string Example values: DEV (No security): WpsDocReviewer=cn=wpsDocReviewer,o=default organization Database user registry: WpsDocReviewer=cn=wpsDocReviewer,o=default organization LDAP example values: Tivoli Directory Server: cn=wpsDocReviewer,cn=groups,dc=example,dc=com Lotus Domino: cn=wpsDocReviewer Active Directory: cn=wpsDocReviewer,cn=groups,dc=example,dc=com Active Directory Application Mode: cn=wpsDocReviewer,cn=groups,dc=example,dc=com Sun Java System Directory Server: cn=wpsDocReviewer,ou=groups,o=example.com Novell eDirectory: cn=wpsDocReviewer,ou=groups,o=example.com Default: cn=wpsDocReviewer,o=default organization
WpsDocReviewerShort	The WebSphere Document Reviewer group ID. Type: Alphanumeric text string Default: wpsDocReviewer

Property	Value
LookAside	You can either install with LDAP only or with LDAP using a Lookaside database. The purpose of a Lookaside database is to store attributes which cannot be stored in your LDAP server; this combination of LDAP plus a Lookaside database is needed to support the Database user registry. To enable a Lookaside database, set this property to true. If you intend to use a Lookaside database, set this value before configuring security, as it cannot be configured after security is enabled. Set Lookaside to true if you are using IBM Workplace Web Content Management™. Using a Lookaside database can slow down performance. Type: true - LDAP + Lookaside database false - LDAP only Default: false
WmmDefaultRealm	The default realm of the Member Manager user registry (UR) configuration. Set this property before enabling security with enable-security-wmmur-ldap or enable-security-wmmur-db. Type: Alphanumeric text string Default: portal
LDAPHostName	The host information for the LDAP server that WebSphere Portal Express will use. Type: Fully qualified host name of the LDAP server Default: yourldapserver.com
LDAPPort	The server port of the LDAP directory. Type: Alphanumeric text string Example: 389 for non-SSL or 636 for SSL Default: 389 Configuration tasks only work against a non-SSL port. After configuring security, you will need to manually configure security over SSL and change this value to the SSL value.
LDAPAdminUId	The user ID for the administrator of the LDAP directory. Member Manager uses this ID to bind to the LDAP to retrieve users attributes, create new users and groups in the LDAP and update user attributes. This ID is not required to be the LDAP admin DN, but rather an ID with sufficient authority for the use cases just cited. If this property is omitted, the LDAP is accessed anonymously and read-only. Make sure to type the value in lower case, regardless of the case used in the distinguished name (DN). Type: Alphanumeric text string, conforming to the LDAP distinguished name format. For example, cn=userid. Default: cn=root
LDAPAdminPwd	The password for the LDAP directory administrator, as defined in the LDAPAdminUId property. If the LDAPAdminUId is blank, this property must be blank as well. Type: Alphanumeric text string Default: none
LDAPServerType	The type of LDAP Server to be used. Example values: Tivoli Directory Server: IBM_DIRECTORY_SERVER Lotus Domino: DOMINO502 Active Directory: ACTIVE_DIRECTORY Active Directory Application Mode: ACTIVE_DIRECTORY Sun Java System Directory Server: IPLANET Novell eDirectory: NDS Default: IBM_DIRECTORY_SERVER
LDAPBindID	The user ID for LDAP Bind authentication. This user ID is used by WebSphere Application Server to bind to the LDAP to retrieve user attributes required for authentication. If this property is omitted, the LDAP is access anonymously and is then read-only. Make sure to type the value in lower case, regardless of the case used in the distinguished name (DN). Example values: Tivoli Directory Server: uid=wpsbind,cn=users,dc=example,dc=com Lotus Domino: cn=wpsbind,o=example.com Active Directory: cn=wpsbind,cn=users,dc=example,dc=com Active Directory Application Mode: cn=wpsbind,cn=users,dc=example,dc=com Sun Java System Directory Server: uid=wpsbind,ou=people,o=example.com Novell eDirectory: uid=wpsbind,ou=people,o=example.com Default: uid=wpsbind,cn=users,dc=example,dc=com
LDAPBindPassword	The password for LDAP Bind authentication. If the LDAPBindID is blank, this property must be blank as well. Type: Alphanumeric text string Default: none

Property	Value
LDAPSuffix	The LDAP Suffix. Choose a value appropriate for your LDAP server. This is the distinguished name (DN) of the node in the LDAP containing all user and group information for the configuration. As such, it is the lowest container in the LDAP tree still containing all users that will log into WebSphere Portal Express and all groups. If WebSphere Application Server configuration tasks (for example, enable-security-ldap) are used to activate WebSphere Application Server Security, this value will be used as the single Base Distinguished Name for the Application Server LDAP configuration. This value will be qualified with the LDAPUserSuffix and LDAPGroupSuffix values in order to configure Member Manager. Make sure to set the value of the suffix to the exact case of the suffix as set in the LDAP directory. For example, if a users' DN in LDAP is returned as uid=tuser,CN=Users,DC=example,DC=com, set this value to DC=example,DC=com. Using dc=example,dc=com will cause awareness problems. For more information on this see technical note 1174297. Example values: Tivoli Directory Server: dc=example,dc=com Lotus Domino: this value is null Active Directory: dc=example,dc=com Active Directory Application Mode: dc=example,dc=com Sun Java System Directory Server: o=example.com Novell eDirectory: o=example.com Default: dc=example,dc=com
LdapUserPrefix	The RDN prefix attribute name for user entries. Choose a value appropriate for your LDAP server. Example values: Tivoli Directory Server: uid Lotus Domino: cn Active Directory: cn Active Directory Application Mode: cn Sun Java System Directory Server: uid Novell eDirectory: uid Default: uid
LDAPUserSuffix	The DN suffix attribute name for user entries. Choose a value appropriate for your LDAP server. With LDAPSuffix appended to this value, it is the DN of the common root node in the LDAP containing all user information for the configuration. As such, it is the lowest container in the LDAP tree still containing all users that will log into WebSphere Portal Express including the administrative users (for example, wpsadmin and wpsbind) Make sure to type the value in lower case, regardless of the case used in the distinguished name (DN). Example values: Tivoli Directory Server: cn=users Lotus Domino: o=example.com Active Directory: cn=users Active Directory Application Mode: cn=users Sun Java System Directory Server: ou=people Novell eDirectory: ou=people Default: cn=users
LdapGroupPrefix	The RDN prefix attribute name for group entries. Type: cn Default: cn
LDAPGroupSuffix	The DN suffix attribute name for group entries. Choose a value appropriate for your LDAP server. With LDAPSuffix appended to this value, it is the DN of the common root node in the LDAP containing all group information for the configuration. As such, it is the lowest container in the LDAP tree still containing all group entries for WebSphere Portal Express including the administrative group (., wpsadmins). Make sure to type the value in lower case, regardless of the case used in the distinguished name (DN). Example values: Tivoli Directory Server: cn=groups Lotus Domino: this value is null Active Directory: cn=groups Active Directory Application Mode: cn=groups Sun Java System Directory Server: ou=groups Novell eDirectory: ou=groups Default: cn=groups
LDAPUserObjectClass	The LDAP object class of the users in your LDAP directory that will log into WebSphere Portal Express.Example values: Tivoli Directory Server: inetOrgPerson Lotus Domino: dominoPerson Active Directory: user Active Directory Application Mode: user Sun Java System Directory Server: inetOrgPerson Novell eDirectory: inetOrgPerson Default: inetOrgPerson
LDAPGroupObjectClass	The LDAP object class of all the groups in your LDAP directory that WebSphere Portal Express will access.Example values: Tivoli Directory Server: groupOfUniqueNames Lotus Domino: dominoGroup Active Directory: group Active Directory Application Mode: group Sun Java System Directory Server: groupOfUniqueNames Novell eDirectory: groupOfNames Shared UserRegistry with WebSeal/IBM Tivoli^® Access Manager for e-business Version 5.1: accessGroup Shared UserRegistry with WebSeal/IBM Tivoli Access Manager for e-business Version 6: groupOfNames Default: groupOfUniqueNames
LDAPGroupMember	The attribute name in the LDAP group object of the "membership" attribute. Choose a value appropriate for your LDAP server.Example values: Tivoli Directory Server: uniqueMember Lotus Domino: member Active Directory: member Active Directory Application Mode: member Sun Java System Directory Server: uniqueMember Novell eDirectory: uniqueMember Shared UserRegistry with WebSeal/Tivoli Access Manager: member Default: uniqueMember
LDAPUserFilter	The filter used by WebSphere Application Server for finding users in the LDAP. Example values: Tivoli Directory Server: (&(uid=%v)(objectclass=inetOrgPerson)) Lotus Domino: (&(\|(cn=%v)(uid=%v))(\|(objectclass=dominoPerson)(objectclass=inetOrgPerson))) Active Directory: (&(\|(cn=%v)(samAccountName=%v))(objectclass=user)) Active Directory Application Mode: { (&(cn=%v)(objectclass=user)) } Sun Java System Directory Server: (&(uid=%v)(objectclass=inetOrgPerson)) Novell eDirectory: (&(uid=%v)(objectclass=inetOrgPerson)) Default: (&(uid=%v)(objectclass=inetOrgPerson))
LDAPGroupFilter	The filter used by WebSphere Application Server for finding groups in the LDAP. Example values: Tivoli Directory Server: (&(cn=%v)(objectclass=groupOfUniqueNames)) Lotus Domino: (&(cn=%v)(\|(objectclass=dominoGroup)(objectclass=groupOfNames) (objectclass=groupOfUniqueNames))) Active Directory: (&(cn=%v)(objectclass=group)) Active Directory Application Mode: (&(cn=%v)(objectclass=group)) Sun Java System Directory Server: (&(cn=%v)(objectclass=groupOfUniqueNames)) Novell eDirectory: (&(cn=%v)(objectclass=groupOfNames)) Default: (&(cn=%v)(objectclass=groupOfUniqueNames))