Management domain location example
To specify a nondefault location for the management domain, we can use any location within the LDAP DIT. For example, if the LDAP server is configured with a suffix of c=us, and the administrator specifies the location DN as ou=austin,o=ibm,c=us, this object might be created using a file containing the following LDIF:
dn: c=us
objectClass: top
objectClass: country
c: US

dn: o=ibm,c=us
objectClass: top
objectClass: organization
o: IBM

dn: ou=austin,o=ibm,c=us
objectClass: top
objectClass: organizationalunit
ou: Austin
The object might then be created using the idsldapadd command-line utility:
idsldapadd -h <ldap_hostname> -p <ldap_port> -D <ldap_admin_DN> -w <ldap_admin_pwd> -v -f example_DIT
where:
- ldap_hostname is the host name of the LDAP server.
- ldap_port is the port of the LDAP server.
- ldap_admin_DN is the Distinguished Name of the LDAP server administrator.
- ldap_admin_pwd is the password of the LDAP server administrator.
- example_DIT is the name of the file containing LDIF.
Modify this example for the specific LDAP namespace appropriate for your organization.
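The LDIF above covers one location. The following script, which is an added example and not part of the IBM documentation, generalizes it: given the server suffix and the chosen location DN, it emits one LDIF entry for every container between them, so the file can be passed to idsldapadd as shown above. The mapping from RDN attribute type to object class (c, o, ou, dc) is an assumption for the common cases; extend it for the naming attributes your directory uses. The include_suffix flag lets you leave out the suffix entry when it already exists on the server, which would otherwise make the add of that entry fail.

```python
"""Generate the LDIF for a nondefault management domain location.

Added example (not from the IBM documentation). Given the LDAP suffix and the
location DN chosen for the management domain, emit one LDIF entry per RDN
between the suffix and the location so the container objects exist before the
policy server is configured.
"""
from typing import List

# Assumed mapping from RDN attribute type to structural object class.
# Extend this for other naming attributes used in your DIT.
OBJECT_CLASS_BY_ATTR = {
    "c": "country",
    "o": "organization",
    "ou": "organizationalunit",
    "dc": "domain",
}


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDNs, honouring backslash-escaped commas (RFC 4514)."""
    rdns, current, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current += dn[i:i + 2]   # keep the escape and the escaped char
            i += 2
            continue
        if ch == ",":
            rdns.append(current.strip())
            current = ""
        else:
            current += ch
        i += 1
    rdns.append(current.strip())
    return rdns


def entries_between(suffix: str, location_dn: str, include_suffix: bool = True) -> List[str]:
    """Return the DNs from the suffix down to location_dn, top first.

    Raises ValueError if location_dn does not sit under the suffix.
    """
    suffix_rdns = [r.lower() for r in split_dn(suffix)]
    loc_rdns = split_dn(location_dn)
    n = len(suffix_rdns)
    if len(loc_rdns) < n or [r.lower() for r in loc_rdns[-n:]] != suffix_rdns:
        raise ValueError(f"{location_dn} is not under suffix {suffix}")
    first_depth = n if include_suffix else n + 1
    return [",".join(loc_rdns[-depth:]) for depth in range(first_depth, len(loc_rdns) + 1)]


def ldif_entry(dn: str) -> str:
    """Build one LDIF entry: dn, top, the structural class, and the naming attribute."""
    attr, _, value = split_dn(dn)[0].partition("=")
    attr, value = attr.strip().lower(), value.strip()
    if attr not in OBJECT_CLASS_BY_ATTR:
        raise ValueError(f"no object class known for RDN attribute '{attr}'")
    return "\n".join([
        f"dn: {dn}",
        "objectClass: top",
        f"objectClass: {OBJECT_CLASS_BY_ATTR[attr]}",
        f"{attr}: {value}",
    ])


def build_ldif(suffix: str, location_dn: str, include_suffix: bool = True) -> str:
    """Full LDIF file content: entries separated by a blank line, trailing newline."""
    dns = entries_between(suffix, location_dn, include_suffix)
    return "\n\n".join(ldif_entry(dn) for dn in dns) + "\n"


if __name__ == "__main__":
    # Reproduces the documented example; write the output to a file and pass it
    # to idsldapadd with -f.
    print(build_ldif("c=us", "ou=austin,o=ibm,c=us"))
```

Attribute values are emitted exactly as they appear in the DN (lowercase in the example), which is equivalent for these case-insensitive naming attributes; the documented LDIF capitalizes them for readability.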
After the LDAP object is created, we can specify it as the management domain location DN during policy server configuration. If the following conditions exist, a WebSEAL instance cannot change user passwords, because the ACL settings required to search domain locations are absent:
- We configured the policy server in a nondefault location (one other than secAuthority=Default).
- We create Security Verify Access subdomains under the new location.
- We configured a WebSEAL instance in any of the new subdomains.
If we configure the policy server in a nondefault location and find these other conditions exist, see the Troubleshooting topics in the IBM Knowledge Center for information about setting the correct ACL.