Add users to the LDAP user registry

You can use the Lightweight Directory Access Protocol (LDAP) user registry with any of the authentication mechanisms supported by WebSphere Application Server. To do so, you must add to the LDAP directory the users that you want to authorize to WebSphere resources.

You can add users in a variety of ways, but the easiest is to create an LDAP Data Interchange Format (LDIF) file. The file contains the set of users to be added to the directory and is read by LDAP utilities such as ldapModify. These utilities can be run from OS/400 or from a workstation. If you run the LDAP utilities from OS/400, your LDIF file must reside in the iSeries integrated file system.

Note: This information is specific to the iSeries Directory Services product.

Perform the following steps:

  1. Create an LDIF file. Use the iSeries Edit File (EDTF) utility, or you can use your workstation text editor to create the file and save it in the iSeries integrated file system either through a mapped (mounted) drive or by using file transfer protocol (FTP).

    For WebSphere Application Server and iSeries LDAP directory services, create entries in the directory that correspond to the ePerson schema definition.

    A simple ePerson LDIF entry resembles the following example:

      dn: cn=John Doe, ou=Rochester, o=IBM, c=US
      objectclass: person
      objectclass: inetOrgPerson
      objectclass: top
      objectclass: organizationalPerson
      objectclass: ePerson
      cn: John Doe
      sn: Doe
      uid: jdoe
      userpassword: secretpass

    This LDIF entry defines an ePerson for user John Doe. John's user identification (uid) has been set to jdoe and his password to secretpass. This entry resides within the Rochester organizational unit, in the IBM organization in the United States. Each of the containing entries (ou, o, and c) was defined before this ePerson entry was defined. You can define a series of LDIF entries in the same file to define LTPA users for WebSphere Application Server.

    If you do not specify a value for the userpassword attribute, the OS/400 LDAP server attempts to authenticate LTPA users with the local OS/400 user profile that is identified by the uid attribute value. This behavior can be desirable if users already have OS/400 user profiles and do not want to manage passwords in both the OS/400 user registry and the LDAP directory.

    When you create an ePerson entry, make sure that the cn and uid attributes each have a unique value. That is, do not create two entries that have the same value for the cn attribute or the same value for the uid attribute.

    Note: If you have a large user registry, login performance may be severely impacted if the Group Member ID Map property is left at its default value, which is both groupOfNames:member and groupOfUniqueNames:uniqueMember.

    To address this performance problem, specify one of these object classes--not both. You must then exclusively use the selected object class to implement groups in the user registry.

  2. Import the LDIF file entries into your directory on the iSeries server. Use the LDAP ldapadd utility in the Qshell Interpreter (QSH) or from a workstation.

    For more information on importing LDIF entries, see the Directory Services documentation in the iSeries Information Center:
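The following Python script is an added example and is not part of the IBM documentation or the Directory Services product. It generates ePerson LDIF entries of the shape shown in step 1 from a list of user records, escapes DN values as RFC 4514 requires, base64-encodes attribute values that are not LDIF-safe (RFC 2849), omits userpassword when a record has no password (so the OS/400 profile named by uid is used, as the text describes), and refuses to write the file when two records share a cn or uid. The base DN, the user records and the output file name are constructed for illustration; the containing ou, o and c entries are assumed to already exist in the directory.

```python
"""Build and validate ePerson LDIF entries for a WebSphere LDAP user registry.

Added example; not code from the IBM documentation. BASE_DN, SAMPLE_USERS and
OUTPUT_FILE are constructed values for illustration only.
"""
import base64
from collections import Counter
from typing import Optional

# Assumed to exist already in the directory (the ou, o and c containing entries).
BASE_DN = "ou=Rochester,o=IBM,c=US"
OUTPUT_FILE = "users.ldif"  # constructed name; copy to the integrated file system before ldapadd

# Object classes used by the ePerson entry in step 1 of the procedure.
OBJECT_CLASSES = ("person", "inetOrgPerson", "top", "organizationalPerson", "ePerson")

# Characters that must be escaped inside an RDN attribute value (RFC 4514).
_DN_SPECIAL = set(',+"\\<>;=')


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN, per RFC 4514."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        leading_hash = ch == "#" and i == 0
        edge_space = ch == " " and i in (0, last)
        out.append("\\" + ch if ch in _DN_SPECIAL or leading_hash or edge_space else ch)
    return "".join(out)


def ldif_attr(name: str, value: str) -> str:
    """Format one 'name: value' line, base64-encoding values that are not
    LDIF SAFE-STRINGs (RFC 2849): non-ASCII, leading space/colon/'<', or control chars."""
    unsafe = (not value.isascii()) or value[:1] in (" ", ":", "<") or any(c in value for c in "\r\n\0")
    if unsafe:
        return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{name}: {value}"


def eperson_entry(cn: str, sn: str, uid: str, password: Optional[str] = None) -> str:
    """Return one ePerson LDIF entry. When password is None the userpassword
    attribute is omitted, so the OS/400 LDAP server authenticates the user against
    the OS/400 user profile named by uid (as the documentation describes)."""
    lines = [f"dn: cn={escape_dn_value(cn)},{BASE_DN}"]
    lines += [f"objectclass: {oc}" for oc in OBJECT_CLASSES]
    lines += [ldif_attr("cn", cn), ldif_attr("sn", sn), ldif_attr("uid", uid)]
    if password is not None:
        lines.append(ldif_attr("userpassword", password))
    return "\n".join(lines) + "\n"


def find_duplicates(users) -> dict:
    """Return {'cn': [...], 'uid': [...]} listing values shared by more than one
    record. Comparison is case-insensitive, matching how directories usually
    compare cn and uid, so 'jdoe' and 'JDOE' count as a collision."""
    dups = {}
    for attr in ("cn", "uid"):
        counts = Counter(u[attr].lower() for u in users)
        dups[attr] = sorted(v for v, n in counts.items() if n > 1)
    return dups


def build_ldif(users) -> str:
    """Build the complete LDIF text, or raise ValueError if cn/uid values collide."""
    dups = find_duplicates(users)
    if dups["cn"] or dups["uid"]:
        raise ValueError(f"refusing to build LDIF; duplicate values: {dups}")
    return "\n".join(eperson_entry(u["cn"], u["sn"], u["uid"], u.get("password")) for u in users)


# Constructed sample records.
SAMPLE_USERS = [
    {"cn": "John Doe", "sn": "Doe", "uid": "jdoe", "password": "secretpass"},
    # No password: authentication falls back to the OS/400 user profile "aohara".
    {"cn": "Ann O'Hara", "sn": "O'Hara", "uid": "aohara"},
    # The comma must be escaped in the DN but is left alone in the cn attribute.
    {"cn": "Doe, Jane", "sn": "Doe", "uid": "jadoe", "password": "s3cret,pass"},
]


if __name__ == "__main__":
    text = build_ldif(SAMPLE_USERS)
    with open(OUTPUT_FILE, "w", encoding="ascii") as fh:
        fh.write(text)
    print(text)
```

Run the script on a workstation, then place the resulting file in the iSeries integrated file system and import it with ldapadd as described in step 2. The duplicate check is the point of the example: catching a repeated cn or uid before import is far cheaper than untangling two entries that later resolve to the same WebSphere principal.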