Configure a stand-alone LDAP user registry on i5/OS
Configure WebSphere Portal to use a standalone LDAP user registry to store all user account information for authorization.
In a single-server environment, the WebSphere_Portal and server1 servers can be either stopped or started.
In a clustered environment, stop all application servers on the system, including WebSphere_Portal and server1, then start the nodeagent and deployment manager servers before starting the following task.
If you rerun the wp-modify-ldap-security task to change the LDAP repositories, or because the task failed, choose a new name for the realm using the standalone.ldap.realm parameter, or set ignoreDuplicateIDs=true in wkplc.properties.
Configure a standalone LDAP user registry
To help ensure correct properties are entered, use the helper file profile_root/ConfigEngine/config/helpers/wp_security_xxx.properties.
- Edit profile_root/ConfigEngine/properties/wkplc.properties
- Set the following parameters in wkplc.properties under the VMM Stand-alone LDAP configuration heading:
- standalone.ldap.id
- standalone.ldap.host
- standalone.ldap.port
- standalone.ldap.bindDN
- standalone.ldap.bindPassword
- standalone.ldap.ldapServerType
- standalone.ldap.userIdMap
- standalone.ldap.groupIdMap
- standalone.ldap.groupMemberIdMap
- standalone.ldap.userFilter
- standalone.ldap.groupFilter
- standalone.ldap.serverId
- standalone.ldap.serverPassword
- standalone.ldap.realm
- standalone.ldap.primaryAdminId
- standalone.ldap.primaryAdminPassword
- standalone.ldap.primaryPortalAdminId
- standalone.ldap.primaryPortalAdminPassword
- standalone.ldap.primaryPortalAdminGroup
- standalone.ldap.baseDN
- Set a value for the following required entity types parameters in wkplc.properties under the LDAP entity types heading:
- standalone.ldap.et.group.objectClasses
- standalone.ldap.et.group.objectClassesForCreate
- standalone.ldap.et.group.searchBases
- standalone.ldap.et.personaccount.objectClasses
- standalone.ldap.et.personaccount.objectClassesForCreate
- standalone.ldap.et.personaccount.searchBases
- Set a value for the following required group member parameters in wkplc.properties under the Group member attributes heading:
- standalone.ldap.gm.groupMemberName
- standalone.ldap.gm.objectClass
- standalone.ldap.gm.scope
- standalone.ldap.gm.dummyMember
- Set a value for the following required relative distinguished name (RDN) parameters in wkplc.properties under the Default parent, RDN attribute heading:
- standalone.ldap.personAccountParent
- standalone.ldap.groupParent
- standalone.ldap.personAccountRdnProperties
- standalone.ldap.groupRdnProperties
- Save changes to wkplc.properties.
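The parameter groups above can be sanity-checked before the validation task is run. The following script is an added example and is not IBM's code or part of the product: it reads a wkplc.properties fragment (the sample values are constructed and describe no real deployment) and reports missing or empty standalone.ldap.* parameters, a bindDN without a bindPassword (or the reverse), a non-numeric port, user and group filters without the %v placeholder, and search bases or parent entries that lie outside standalone.ldap.baseDN. The parameter names come from the procedure; the checks themselves, and the assumption that multi-valued search bases are ';'-separated, are the example's own.

```python
# Added example (not IBM's code): pre-flight checks for the standalone.ldap.*
# parameters in wkplc.properties, to run before validate-standalone-ldap.
# Every sample value below is constructed and describes no real deployment.
import re

# Parameter names as listed in the procedure; the checks applied are ours.
REQUIRED_KEYS = ["standalone.ldap." + s for s in (
    "id host port bindDN bindPassword ldapServerType userIdMap groupIdMap "
    "groupMemberIdMap userFilter groupFilter serverId serverPassword realm "
    "primaryAdminId primaryAdminPassword primaryPortalAdminId "
    "primaryPortalAdminPassword primaryPortalAdminGroup baseDN "
    "et.group.objectClasses et.group.objectClassesForCreate et.group.searchBases "
    "et.personaccount.objectClasses et.personaccount.objectClassesForCreate "
    "et.personaccount.searchBases gm.groupMemberName gm.objectClass gm.scope "
    "gm.dummyMember personAccountParent groupParent personAccountRdnProperties "
    "groupRdnProperties").split()]
ANON_BIND = ("standalone.ldap.bindDN", "standalone.ldap.bindPassword")  # may both be empty

SAMPLE = """# constructed fragment of the VMM Stand-alone LDAP configuration section
standalone.ldap.id=ldap01
standalone.ldap.host=ldap.example.com
standalone.ldap.port=389
standalone.ldap.bindDN=cn=portalbind,ou=service,dc=example,dc=com
standalone.ldap.bindPassword=CHANGE_ME
standalone.ldap.ldapServerType=IDS
standalone.ldap.userIdMap=*:uid
standalone.ldap.groupIdMap=*:cn
standalone.ldap.groupMemberIdMap=groupOfUniqueNames:uniqueMember
standalone.ldap.userFilter=(&(uid=%v)(objectclass=inetOrgPerson))
standalone.ldap.groupFilter=(&(cn=%v)(objectclass=groupOfUniqueNames))
standalone.ldap.serverId=uid=wasadmin,ou=people,dc=example,dc=com
standalone.ldap.serverPassword=CHANGE_ME
standalone.ldap.realm=ldapRealm
standalone.ldap.primaryAdminId=uid=wasadmin,ou=people,dc=example,dc=com
standalone.ldap.primaryAdminPassword=CHANGE_ME
standalone.ldap.primaryPortalAdminId=uid=wpsadmin,ou=people,dc=example,dc=com
standalone.ldap.primaryPortalAdminPassword=CHANGE_ME
standalone.ldap.primaryPortalAdminGroup=cn=wpsadmins,ou=groups,dc=example,dc=com
standalone.ldap.baseDN=dc=example,dc=com
standalone.ldap.et.group.objectClasses=groupOfUniqueNames
standalone.ldap.et.group.objectClassesForCreate=groupOfUniqueNames
standalone.ldap.et.group.searchBases=ou=groups,dc=example,dc=com
standalone.ldap.et.personaccount.objectClasses=inetOrgPerson
standalone.ldap.et.personaccount.objectClassesForCreate=inetOrgPerson
standalone.ldap.et.personaccount.searchBases=ou=people,dc=example,dc=com
standalone.ldap.gm.groupMemberName=uniqueMember
standalone.ldap.gm.objectClass=groupOfUniqueNames
standalone.ldap.gm.scope=direct
standalone.ldap.gm.dummyMember=uid=dummy
standalone.ldap.personAccountParent=ou=people,dc=example,dc=com
standalone.ldap.groupParent=ou=groups,dc=example,dc=com
standalone.ldap.personAccountRdnProperties=uid
standalone.ldap.groupRdnProperties=cn
"""


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, key=value or key:value,
    no line continuation; a later duplicate key overwrites an earlier one."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def norm_dn(dn):  # lower-case, no spaces around commas, so DNs compare by suffix
    return re.sub(r"\s*,\s*", ",", dn.strip().lower())


def check_standalone_ldap(props):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for key in REQUIRED_KEYS:
        if key not in props:
            findings.append("missing " + key)
        elif not props[key] and key not in ANON_BIND:
            findings.append("empty " + key)
    if bool(props.get(ANON_BIND[0])) != bool(props.get(ANON_BIND[1])):
        findings.append("bindDN and bindPassword must be set together")
    port = props.get("standalone.ldap.port", "")
    if not (port.isdigit() and 1 <= int(port) <= 65535):
        findings.append("bad port %r" % port)
    for key in ("standalone.ldap.userFilter", "standalone.ldap.groupFilter"):
        if "%v" not in props.get(key, ""):  # %v is where the login name is substituted
            findings.append(key + " lacks the %v placeholder")
    base = norm_dn(props.get("standalone.ldap.baseDN", ""))
    for key in ("standalone.ldap.et.personaccount.searchBases",
                "standalone.ldap.et.group.searchBases",
                "standalone.ldap.personAccountParent", "standalone.ldap.groupParent"):
        for dn in filter(None, props.get(key, "").split(";")):  # ';'-separated lists assumed
            n = norm_dn(dn)
            if base and n != base and not n.endswith("," + base):
                findings.append("%s: %s is outside baseDN" % (key, dn))
    return findings
```

To use it against a real file, pass the text of profile_root/ConfigEngine/properties/wkplc.properties to parse_properties and print whatever check_standalone_ldap returns. Because the file carries bindPassword and the administrator passwords in clear text, keep the copy you check in the same protected location as the original rather than in a shared directory.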
- If WCM is installed with the Intranet and Internet Site Templates, set the following parameters in wkplc_comp.properties under the Web Content Management attribute heading:
- WcmContentAuthorsGroupId
- WcmContentAuthorsGroupCN
- Run ConfigEngine.sh validate-standalone-ldap -DWasPassword=password to validate your LDAP server settings.
Note that if you have not deleted the default file repository, WasPassword is the value entered during installation and not a value found in your LDAP user registry.
- Run the ConfigEngine.sh wp-modify-ldap-security -DWasPassword=password task, from profile_root/ConfigEngine, to set the standalone LDAP user registry.
- Propagate the security changes. The steps depend on the environment:
Standalone:
- stopServer server1 -username admin_userid -password admin_password from profile_root/bin
- stopServer WebSphere_Portal -username admin_userid -password admin_password from profile_root/bin
- startServer server1 from profile_root/bin
- startServer WebSphere_Portal from profile_root/bin
Cluster:
- stopManager -username admin_userid -password admin_password from DMGR_PROFILE/bin
- stopNode -username admin_userid -password admin_password from profile_root/bin
- stopServer WebSphere_Portal -username admin_userid -password admin_password from profile_root/bin
- startManager from DMGR_PROFILE/bin
- startNode from profile_root/bin
- startServer WebSphere_Portal from profile_root/bin
- Run the ConfigEngine.sh wp-validate-standalone-ldap-attribute-config -DWasPassword=password task, from profile_root/ConfigEngine, to check that all defined attributes are available in the configured LDAP user registry.
After configuring LDAP, you can adapt the attribute configuration.
- To ensure the Intranet and Internet Site Templates libraries are correctly mapped, run Member Fixer to update the member names used by WCM with the corresponding members in the LDAP.
This step is required if you ran configure-express when installing the portal.
- Edit profile_root/PortalServer/wcm/shared/app/config/wcmservices/MemberFixerModule.properties
- Add the following lines to the file:
uid=xyzadmin,o=defaultWIMFileBasedRealm -> portal_admin_DN
cn=contentauthors,o=defaultWIMFileBasedRealm -> content_authors_group_DN
Replace portal_admin_DN with the distinguished name of the portal administrator and content_authors_group_DN with the distinguished name of the content authors group used during LDAP configuration.
- Save changes and close the file.
- Run the ConfigEngine.sh action-express-memberfixer -DmemberfixerRealm=realm_name -DPortalAdminPwd=password -DWasPassword=password task, located in profile_root/ConfigEngine.
Where realm_name depends on the LDAP type:
- Standalone: matches the value of standalone.ldap.realm in wkplc.properties.
- Federated: matches the value of federated.realm in wkplc.properties. If the value for federated.realm is empty, use defaultWIMFileBasedRealm.
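Before the member fixer task is run, the "old -> new" lines added to MemberFixerModule.properties can be checked for the two mistakes that are easy to make: leaving portal_admin_DN or content_authors_group_DN unreplaced, and pointing a mapping at a DN outside the configured baseDN. The following check is an added example and is not IBM's code or part of the product; the sample mapping lines and the dc=example,dc=com base are constructed, and the DN syntax test is a rough one of the example's own.

```python
# Added example (not IBM's code): checks the "old -> new" mapping lines added to
# MemberFixerModule.properties before action-express-memberfixer is run.
# The sample lines and the dc=example,dc=com base are constructed.
import re

OLD_REALM = "o=defaultWIMFileBasedRealm"  # realm suffix of the default file repository
PLACEHOLDERS = {"portal_admin_DN", "content_authors_group_DN"}  # from the procedure text
DN_RE = re.compile(r"^[A-Za-z][\w-]*=[^,]+(,[A-Za-z][\w-]*=[^,]+)*$")  # rough DN syntax

SAMPLE = """# constructed mapping block
uid=xyzadmin,o=defaultWIMFileBasedRealm -> uid=wpsadmin,ou=people,dc=example,dc=com
cn=contentauthors,o=defaultWIMFileBasedRealm -> cn=contentauthors,ou=groups,dc=example,dc=com
"""


def norm_dn(dn):  # lower-case, no spaces around commas, so DNs compare by suffix
    return re.sub(r"\s*,\s*", ",", dn.strip().lower())


def parse_mappings(text):
    """Return (old_dn, new_dn) pairs from 'old -> new' lines; blank and '#' lines are skipped."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        old, arrow, new = line.partition("->")
        if not arrow:
            raise ValueError("not a mapping line: " + line)
        pairs.append((old.strip(), new.strip()))
    return pairs


def check_mappings(pairs, base_dn):
    """Flag old entries outside the file-based realm, unreplaced placeholders,
    malformed target DNs, and targets that are not under base_dn."""
    findings, base = [], norm_dn(base_dn)
    for old, new in pairs:
        if not norm_dn(old).endswith("," + norm_dn(OLD_REALM)):
            findings.append(old + " is not under " + OLD_REALM)
        if new in PLACEHOLDERS:
            findings.append("placeholder not replaced: " + new)
        elif not DN_RE.match(new):
            findings.append("not a DN: " + new)
        elif not norm_dn(new).endswith("," + base):
            findings.append(new + " is outside " + base_dn)
    return findings
```

Pass the text of the edited MemberFixerModule.properties to parse_mappings and the value of standalone.ldap.baseDN to check_mappings; an empty result means the lines are ready for the action-express-memberfixer task.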
If you have created any additional WCM libraries, run the Web content member fixer task to update the member names used by the libraries.