This document contains step by step instructions for configuring Portal V6.1 with multiple Active Directory federated ldaps and multiple realms.
The examples in this document assume the MyFoo portal is being configured.
- Log on to portal machine and make backup archive
-
df -k
cd /opt/WAS/MyFoo/wp_profile/bin
./stopServer.sh WebSphere_Portal -username wasadminfile -password wasadminfile
./stopNode.sh WebSphere_Portal -username wasadminfile -password wasadminfile
cd /opt/WAS
tar cvf MyFoo.tar MyFoo; gzip MyFoo.tar - Log on to Dmgr machine and make backup archive
-
df -k
cd /opt/WAS/MyFoo/AppServer/bin
./stopManager.sh -username wasadminfile -password wasadminfile
cd /opt/WAS
tar cvf MyFoo.tar MyFoo; gzip MyFoo.tar - Have DBA make backup of DBs.
- Use Apache Directory Studio to verify your bindDN and bindPassword are valid.
- Edit wkplc.properties.
For MyFoo set...
-
federated.ldap.id=CorpDir
federated.ldap.host=ldap-cdc.mycompany.com
federated.ldap.port=389
federated.ldap.bindDN=cn=wpbindfoo,ou=FooUsers,ou=Portal Users,ou=Users,ou=Operations,dc=mycompany,dc=com
federated.ldap.bindPassword=FooP++++
federated.ldap.ldapServerType=AD2000
federated.ldap.baseDN=dc=mycompany,dc=com
federated.ldap.et.group.searchFilter=(objectcategory=group)
federated.ldap.et.group.objectClasses=group
federated.ldap.et.group.objectClassesForCreate=group
federated.ldap.et.group.searchBases=dc=mycompany,dc=com
federated.ldap.et.personaccount.searchFilter=
federated.ldap.et.personaccount.objectClasses=user
federated.ldap.et.personaccount.objectClassesForCreate=user
federated.ldap.et.personaccount.searchBases=dc=mycompany,dc=com
federated.ldap.gm.groupMemberName=member
federated.ldap.gm.objectClass=group
federated.ldap.gm.scope=nested
federated.ldap.gm.dummyMember=For EBIZ set...
-
federated.ldap.id=CorpDir
federated.ldap.host=ldap-cdc.mycompany.com
federated.ldap.port=389
federated.ldap.bindDN=cn=wpbindebiz,ou=MyBizUsers,ou=Portal Users,ou=Users,ou=Operations,dc=mycompany,dc=com
federated.ldap.bindPassword=MyBizW++++
federated.ldap.ldapServerType=AD2000
federated.ldap.baseDN=dc=mycompany,dc=com
federated.ldap.et.group.searchFilter=(objectcategory=group)
federated.ldap.et.group.objectClasses=group
federated.ldap.et.group.objectClassesForCreate=group
federated.ldap.et.group.searchBases=dc=mycompany,dc=com
federated.ldap.et.personaccount.searchFilter=
federated.ldap.et.personaccount.objectClasses=user
federated.ldap.et.personaccount.objectClassesForCreate=user
federated.ldap.et.personaccount.searchBases=dc=mycompany,dc=com
federated.ldap.gm.groupMemberName=member
federated.ldap.gm.objectClass=group
federated.ldap.gm.scope=nested
federated.ldap.gm.dummyMember=For CORP set...
-
federated.ldap.id=CorpDir
federated.ldap.host=ldap-cdc.mycompany.com
federated.ldap.port=389
federated.ldap.bindDN=cn=wpbindcorp,ou=CorpUsers,ou=Portal Users,ou=Users,ou=Operations,dc=mycompany,dc=com
federated.ldap.bindPassword=P0rtalCorP
federated.ldap.ldapServerType=AD2000
federated.ldap.baseDN=dc=mycompany,dc=com
federated.ldap.et.group.searchFilter=(objectcategory=group)
federated.ldap.et.group.objectClasses=group
federated.ldap.et.group.objectClassesForCreate=group
federated.ldap.et.group.searchBases=dc=mycompany,dc=com
federated.ldap.et.personaccount.searchFilter=
federated.ldap.et.personaccount.objectClasses=user
federated.ldap.et.personaccount.objectClassesForCreate=user
federated.ldap.et.personaccount.searchBases=dc=mycompany,dc=com
federated.ldap.gm.groupMemberName=member
federated.ldap.gm.objectClass=group
federated.ldap.gm.scope=nested
federated.ldap.gm.dummyMember= - Validate settings...
-
cd /opt/WAS/MyFoo/wp_profile/ConfigEngine
./ConfigEngine.sh validate-federated-ldap -DWasPassword=wasadminfile - Integrate Corp LDAP
-
cd /opt/WAS/MyFoo/wp_profile/ConfigEngine
./ConfigEngine.sh wp-create-ldap -DWasPassword=wasadminfile - Propagate changes
- At this point, WAS and portal are still using file-based realm for auth. If you run into a situation where your local admin ID is the same as an ID in the LDAP, enter fully qualified local name to log on..
For example...
-
User ID: uid=wasadmin,o=defaultWIMFileBasedRealm
Password: wasadmin
- Start server1 and WebSphere_Portal
- Edit wkplc.properties and set...
-
id=CorpDir
baseDN=ou=CorpUsers,ou=Portal Users,ou=Users,ou=Operations,dc=mycompany,dc=com
nameInRepository=ou=CorpUsers,ou=Portal Users,ou=Users,ou=Operations,dc=mycompany,dc=com - Run...
-
./ConfigEngine.sh wp-create-base-entry -DWasPassword=wasadminfile
- Edit wkplc.properties
- Set...
-
realmName=CorpDir
addBaseEntry=dc=mycompany,dc=com
securityUse=active
delimiter=/ - Save changes
- Run the following task to add a new realm to the Virtual Member Manager configuration:
./ConfigEngine.sh wp-create-realm -DWasPassword=wasadminfile
- After the realm is created, if you need more than one base entry run...
-
ConfigEngine.sh wp-add-realm-baseentry
- Restart the server1 and WebSphere_Portal servers.
- Launch portal page in web browser and login realm user id/pwd. Should be able to login to portal successfully.
- If you go to...
-
Administration | Manage Virtual Portals | New
...you should see the CorpDir realm as an option
If an attribute is defined in WebSphere Portal but not in the LDAP server, we can do one of the following...
- Flag the attribute as unsupported for the LDAP server
- Introduce an attribute mapping that maps the WebSphere Portal attribute to an attribute defined in the LDAP schema
- Check that all defined attributes are available in the configured LDAP user registry...
-
./ConfigEngine.sh wp-validate-federated-ldap-attribute-config -DWasPassword=wasadminfile
...and check for missing attributes in...
-
/opt/WAS/MyFoo/ConfigEngine/log/ConfigTrace.log
- Create available attributes report. Run...
-
./ConfigEngine.sh wp-query-attribute-config -DWasPassword=wasadminfile
...to create...
-
/opt/WAS/MyFoo/ConfigEngine/log/availableAttributes.html
- Open availableAttributes.html file and review the output for the PersonAccount and Group entity types.
- Edit...
-
/opt/WAS/MyFoo/ConfigEngine/properties/wkplc.properties
...and set...
federated.ldap.attributes.nonSupported=businessAddress, businessCategory, carLicense, countryName, departmentNumber, description, employeeNumber, homeAddress, jpegPhoto, labeledURI, localityName, pager, roomNumber, businessCategory, description
federated.ldap.attributes.nonSupported.delete=
federated.ldap.attributes.mapping.ldapName=stateOrProvinceName
federated.ldap.attributes.mapping.portalName=st
federated.ldap.attributes.mapping.entityTypes=PersonAccount, Group - Save changes to wkplc.properties
- Update the LDAP user registry configuration...
-
./ConfigEngine.sh wp-update-federated-ldap-attribute-config -DWasPassword=wasadminfile
- Propagate changes
- Stop all servers and make backups.
On testc-prtdm-01 backup is...
-
/opt/WAS/MyFoo_post_corp.tar.gz
On testc-prtap-0a backup is...
-
/var/tmp/WAS/MyFoo_post_corp.tar.gz
There was no space left in either /opt or /tmp/backup
- Start all servers
- Use Apache Directory Studio to verify your bindDN and bindPassword are valid.
-
federated.ldap.host=testc-ldsap-01.mycompany.com
federated.ldap.port=7389
federated.ldap.bindDN=cn=myportalsvc,ou=service accounts,ou=operations,dc=myexternal,dc=ad
federated.ldap.bindPassword=Passw++++ - Set the following values in wkplc.properties...
federated.ldap.id=ExtDir
federated.ldap.host=testc-ldsap-01.mycompany.com
federated.ldap.port=7389
federated.ldap.bindDN=cn=myportalsvc,ou=service accounts,ou=operations,dc=myexternal,dc=ad
federated.ldap.bindPassword=Passw++++
federated.ldap.ldapServerType=ADAM
federated.ldap.baseDN=dc=myexternal,dc=ad
federated.ldap.et.group.searchFilter=
federated.ldap.et.group.objectClasses=group
federated.ldap.et.group.objectClassesForCreate=group
federated.ldap.et.group.searchBases=dc=myexternal,dc=ad
federated.ldap.et.personaccount.searchFilter=
federated.ldap.et.personaccount.objectClasses=user
federated.ldap.et.personaccount.objectClassesForCreate=user
federated.ldap.et.personaccount.searchBases=dc=myexternal,dc=ad
federated.ldap.gm.groupMemberName=member
federated.ldap.gm.objectClass=group
federated.ldap.gm.scope=nested
federated.ldap.gm.dummyMember= - Validate LDAP server settings...
-
cd /opt/WAS/MyFoo/ConfigEngine
./ConfigEngine.sh validate-federated-ldap -DWasPassword=wasadminfile - Add a federated ldap...
-
./ConfigEngine.sh wp-create-ldap -DWasPassword=wasadminfile
- On the deployment manager and nodes, add:
<config:attributes name="userPrincipalName" propertyName="uid"> <config:entityTypes>PersonAccount</config:entityTypes> </config:attributes>...to...
-
/opt/WAS/MyFoo/AppServer/profiles/Dmgr01/config/cells/WPDmgrCell/wim/config/wimconfig.xml
Search for ExtDir, then after the <config:attributeConfiguration> add the lines above, so that they are right above the defaultAttribute=cn definition.
- Propagate changes
- List the names and types of configured repositories...
-
./ConfigEngine.sh wp-query-repository -DWasPassword=wasadminfile
Output may be written to...
-
/opt/WAS/MyFoo/ConfigEngine/logs/ConfigTrace.log
- Edit...
-
/opt/WAS/MyFoo/ConfigEngine/properties/wkplc.properties
- Enter a value for the following required parameters..
- realmName=ExtDir
- addBaseEntry=dc=myexternal,dc=ad
- securityUse=active
- delimiter=/
- Save your changes to the wkplc.properties file.
- Add realm to the Virtual Member Manager configuration...
-
./ConfigEngine.sh wp-create-realm -DWasPassword=wasadminfile
- Propagate changes
- If you go to...
-
Administration | Manage Virtual Portals | New
...you should see the ExtDir realm as an option
- Log on to WAS console for your dmgr.
- Go to...
Security | Secure administration, applications, and infrastructure
- Under "User account repository" set "Federated repositories" as Current realm definition
- Click Configure and set...
Realm name CorpDir Primary administrative user name cn=waswpadminfoo,ou=FooUsers,ou=Portal Users,ou=Users,ou=Operations,dc=mycompany,dc=com Server user identityAutomatically generated server identity
Ignore case for authorization
Repositories in the realm Base entry Repository identifier Repository type dc=mycompany,dc=com CorpDir LDAP:AD2000 dc=myexternal,dc=ad ExtDir LDAP:ADAM ou=FooUsers,ou=Portal Users,ou=Users,ou=Operations,dc=mycompany,dc=com CorpDir LDAP:AD2000 
Go to...
Secure administration, applications, and infrastructure > CSIv2 outbound authentication
...and set CorpDir in Trusted Target Realms
- Ripple start Portal cluster.
At this point the default File Based Realm is the default realm. So the WAS and Portal admins are still wasadminfile / wasadminfile. To change the default realm from File Based Realm to the ExtDir realm created above...
The WAS and Portal admin users we want to use are waswpadminfoo and wpadminfoo respectively. They can be found via Apache Directory Studio by going to...
-
DIT | Root DSE | DC=mycompany.com,DC=com | OU=Operations | OU=Users | OU=Portal Users
- Update wkplc.properties file VMM Change admin users section.
For MyFoo users...
-
newAdminId=cn=waswpadminfoo,ou=FooUsers,ou=Portal Users,ou=Users,ou=Operations,dc=mycompany,dc=com
newAdminPw=FooP++++For EBIZ users...
-
newAdminId=cn=waswpadminebiz,ou=MyBizUsers,ou=Portal Users,ou=Users,ou=Operations,dc=mycompany,dc=com
newAdminPw=MyBizW++++For CORP users...
-
newAdminID=cn=waswpadmincorp,ou=CorpUsers,ou=Portal Users,ou=Users,ou=Operations,dc=mycompany,DC=com
newAdminPw=P0rt++++ - Run...
-
./ConfigEngine.sh wp-change-was-admin-user -DWasPassword=wasadminfile
- Propagate changes
- Launch WAS Admin Console and try to login as new WAS Admin ID
- Edit wkplc.properties. For MyFoo...
-
newAdminId=cn=wpadminfoo,ou=FooUsers,ou=Portal Users,ou=Users,ou=Operations,dc=mycompany,dc=com
newAdminPw=FooP++++
newAdminGroupId=cn=corp-wpadmins-dev-foo,ou=Portal Groups,ou=Groups,ou=Operations,dc=mycompany,dc=comFor MyFoo Test, use...
-
newAdminGroupId=cn=corp-wpadmins-test-foo,ou=Portal Groups,ou=Groups,ou=Operations,dc=mycompany,dc=com
For EBIZ...
-
newAdminId=cn=wpadminebiz,ou=MyBizUsers,ou=Portal Users,ou=Users,ou=Operations,dc=mycompany,dc=com
newAdminPw=MyBizW++++
newAdminGroupId=CN=corp-wpadmins-dev-ebiz,OU=Portal Groups,OU=Groups,OU=Operations,DC=mycompany,DC=comFor CORP...
-
newAdminId=cn=wpadmincorp,ou=CorpUsers,ou=Portal Users,ou=Users,ou=Operations,dc=mycompany,DC=com
newAdminPw=P0rt++++
newAdminGroupId=cn=corp-wpadmins-dev-corp,ou=Portal Groups,ou=Groups,ou=Operations,dc=mycompany,dc=comRun...
-
./ConfigEngine.sh wp-change-portal-admin-user -DWasPassword=password
- Propagate changes
- Launch Portal Page in Web browser. Login as New Portal Admin User id /pwd
- Now you should see Administration page (as this user is the portal admin user now).
- Logout and Login as Out of Box user id /pwd (original Portal admin id/pwd , from install) , you should not see Administration page , as this user is not Admin User anymore.
- Set the realm created above Default :
- Edit wkplc.properties and set...
-
realmName=CorpDir
defaultRealmName=CorpDir
- Save your changes to the wkplc.properties file.
- Run the following task:
-
./ConfigEngine.sh wp-default-realm -DWasPassword=password
- Propagate changes
- Edit wkplc.properties and set...
At this point the File based Repository (Out of box security configuration) is the default repository. Any New User or Group will be saved in the default repository. In order to create New user and group in LDAP repository instead of default file based repository perform the following step. Perform the following steps to update the user registry where new users and groups are stored:
- Edit...
-
/opt/WAS/MyFoo/ConfigEngine/properties/wkplc.properties
- Enter a value for the following required parameters in the wkplc.properties file under the VMM supported entity types configuration heading:
-
personAccountParent=
groupParent=cn=groups,dc=raleigh,dc=com
personAccountRdnProperties=uid
groupRdnProperties=cn - Save your changes to the wkplc.properties file.
- Update the Group and PersonAccount entity types with corresponding default parent and relative distinguished name.
-
./ConfigEngine.sh wp-update-entitytypes - DWasPassword=wasadminfile
- Propagate changes
- Set the following in in wkplc.properties...
- realmName=ExtDir
- realm.personAccountParent=dc=myexternal,dc=ad
- realm.groupParent=CN=groups,cn=groups,dc=myexternal,dc=com
- realm.orgContainerParent=dc=myexternal,dc=ad
- Run the task...
-
./ConfigEngine.sh wp-modify-realm-defaultparents -DWasPassword=wasadminfile
- Propagate changes