Configure a stand-alone LDAP user registry on Windows

Configure WebSphere Portal to use a standalone LDAP user registry to store all user account information for authorization.

In single-server environments, you do not have to start or stop the WebSphere_Portal and server1 servers to complete the following steps. In clustered environments, stop all application servers on the system, including WebSphere_Portal, then start the nodeagent and dmgr servers before you begin any of the following steps.

If you need to rerun the wp-modify-ldap.security task, either to change the LDAP repositories or because the task failed, choose a new name for the realm using the parameter...

...or set ignoreDuplicateIDs=true in wkplc.properties before rerunning the task.

Configure a standalone LDAP user registry:

To ensure the correct properties are entered, you can use the helper file...

In the instructions below, where a step refers to wkplc.properties, use the wp_security_xxx.properties helper file instead.

  1. Before you configure security, use the WebSphere Application Server backupConfig command to create and store a backup of the portal configuration; see the backupConfig command documentation for details.

  2. Edit WP_PROFILE/ConfigEngine/properties/wkplc.properties

  3. Required: Enter a value for each of the following parameters under the Stand-alone security heading:

        standalone.ldap.id
        standalone.ldap.host
        standalone.ldap.port
        standalone.ldap.bindDN
        standalone.ldap.bindPassword
        standalone.ldap.ldapServerType
        standalone.ldap.userIdMap
        standalone.ldap.groupIdMap
        standalone.ldap.groupMemberIdMap
        standalone.ldap.userFilter
        standalone.ldap.groupFilter
        standalone.ldap.serverId
        standalone.ldap.serverPassword
        standalone.ldap.realm
        standalone.ldap.primaryAdminId
        standalone.ldap.primaryAdminPassword
        standalone.ldap.primaryPortalAdminId
        standalone.ldap.primaryPortalAdminPassword
        standalone.ldap.primaryPortalAdminGroup
        standalone.ldap.baseDN

  4. Required: Enter a value for each of the following parameters under the LDAP entity types heading:

        standalone.ldap.et.group.objectClasses
        standalone.ldap.et.group.objectClassesForCreate
        standalone.ldap.et.group.searchBases
        standalone.ldap.et.personaccount.objectClasses
        standalone.ldap.et.personaccount.objectClassesForCreate
        standalone.ldap.et.personaccount.searchBases

  5. Required: Enter a value for each of the following parameters under the Group member attributes heading:

        standalone.ldap.gm.groupMemberName
        standalone.ldap.gm.objectClass
        standalone.ldap.gm.scope
        standalone.ldap.gm.dummyMember

  6. Required: Enter a value for each of the following relative distinguished name (RDN) parameters in wkplc.properties under the Default parent, RDN attribute heading:

        standalone.ldap.personAccountParent
        standalone.ldap.groupParent
        standalone.ldap.personAccountRdnProperties
        standalone.ldap.groupRdnProperties

  7. Save changes to wkplc.properties.

  8. Run ConfigEngine.bat validate-standalone-ldap -DWasPassword=foo from the WP_PROFILE/ConfigEngine directory to validate the LDAP server settings.

    If you have not deleted the default file repository, WasPassword is the value entered during installation and not a value from the LDAP user registry. If the LDAP connection uses SSL, the validation task may prompt: Add signer to the trust store now?. Compare the certificate details shown with those of your LDAP server before you press y and then Enter; a signer accepted without that check lets any server presenting that certificate receive the bind credentials.

  9. Run ConfigEngine.bat wp-modify-ldap.security -DWasPassword=foo from the WP_PROFILE/ConfigEngine directory to configure the stand-alone LDAP user registry.

  10. Stop and restart the appropriate servers to propagate the changes.

  11. Run ConfigEngine.bat wp-validate-standalone-ldap-attribute-config -DWasPassword=foo from the WP_PROFILE/ConfigEngine directory to check that all defined attributes are available in the configured LDAP user registry.

      Important: See "Adapting the attribute configuration" for information about adding and mapping attributes to ensure proper communication between WebSphere Portal and the LDAP server.

  12. Run the Member Fixer task to update the member names used by WCM with the corresponding members in the LDAP directory.

    This step ensures that access to the Web content libraries for the Intranet and Internet Site Templates for the contentAuthors group is correctly mapped to the appropriate group in the LDAP directory.

      This step is only needed if you intend to use the Intranet and Internet Site Templates that were optionally installed using configure-express.

      1. Edit...

          WP_PROFILE/PortalServer/wcm/shared/app/config/wcmservices/MemberFixerModule.properties

      2. Add the following lines to the file:

          uid=xyzadmin,o=defaultWIMFileBasedRealm -> portal_admin_DN
          cn=contentauthors,o=defaultWIMFileBasedRealm -> content_authors_group_DN

          • Ensure the portal administrator you specify for portal_admin_DN is a member of the group you specify for content_authors_group_DN, otherwise the portal administrator cannot access the Web content libraries for the Intranet and Internet Site Templates.

          • If you plan to run the express-memberfixer task in an environment with multiple realms, remove the following group if it exists:

              cn=contentauthors,o=defaultWIMFileBasedRealm

            If this group exists in an environment with multiple realms, the Member Fixer task has no effect.

      3. Save changes and close the file.

      4. Run ConfigEngine.bat express-memberfixer -DmemberfixerRealm=realm_name -DPortalAdminPwd=foo -DWasPassword=foo from the WP_PROFILE/ConfigEngine directory.

          Choose the appropriate value to enter for realm_name depending on the type of LDAP user registry you configured:

          Type of LDAP       Value for realm_name
          Standalone LDAP    Must match the value of standalone.ldap.realm in wkplc.properties.
          Federated LDAP     Must match the value of federated.realm in wkplc.properties; if federated.realm is empty, use defaultWIMFileBasedRealm.

  13. Optional. Assign access to the Web content libraries.

    1. Log in as a portal administrator.

    2. Navigate to Administration -> Portal Content -> Web Content Libraries.

    3. Click the Set permissions icon for the Web library.

    4. Click the Edit Role icon for Editor.

    5. Add the group you specified for content_authors_group_DN as an Editor for the Intranet and Internet libraries.

    6. Click Apply then Done.

  14. If you have created any additional WCM libraries, run the Web content member fixer task to update the member names used by the libraries.
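The procedure in steps 1 through 11, driven from PowerShell, as an added example; this is not IBM's script. The WP_PROFILE path, the backup location, the server type and every LDAP name and filter below are assumptions for a hypothetical Active Directory domain example.com; replace them with the values from the helper file for your directory server.

```powershell
# Added example (not IBM's own script): runs steps 1 through 11 above from PowerShell.
# WP_PROFILE path, backup location and every LDAP value are assumptions for a
# hypothetical Active Directory domain example.com; take real values from your helper file.
$ErrorActionPreference = 'Stop'
$WpProfile    = 'C:\IBM\WebSphere\wp_profile'                        # assumed WP_PROFILE
$ConfigEngine = Join-Path $WpProfile 'ConfigEngine\ConfigEngine.bat'
$PropsFile    = Join-Path $WpProfile 'ConfigEngine\properties\wkplc.properties'
$Latin1       = [System.Text.Encoding]::GetEncoding('iso-8859-1')    # Java .properties encoding

# Steps 3-6: non-secret values. Keys ending in Password are prompted for below, never stored here.
$Ldap = [ordered]@{
  'standalone.ldap.id'                      = 'ad01'
  'standalone.ldap.host'                    = 'dc1.example.com'
  'standalone.ldap.port'                    = '389'   # prefer LDAPS via the helper file's SSL keys
  'standalone.ldap.bindDN'                  = 'cn=wpsbind,cn=users,dc=example,dc=com'
  'standalone.ldap.ldapServerType'          = 'ACTIVE_DIRECTORY'
  'standalone.ldap.userIdMap'               = '*:sAMAccountName'
  'standalone.ldap.groupIdMap'              = '*:cn'
  'standalone.ldap.groupMemberIdMap'        = 'group:member'
  'standalone.ldap.userFilter'              = '(&(sAMAccountName=%v)(objectclass=user))'
  'standalone.ldap.groupFilter'             = '(&(cn=%v)(objectclass=group))'
  'standalone.ldap.serverId'                = 'cn=wpsbind,cn=users,dc=example,dc=com'
  'standalone.ldap.realm'                   = 'ad01realm'
  'standalone.ldap.primaryAdminId'          = 'cn=wpsadmin,cn=users,dc=example,dc=com'
  'standalone.ldap.primaryPortalAdminId'    = 'cn=wpsadmin,cn=users,dc=example,dc=com'
  'standalone.ldap.primaryPortalAdminGroup' = 'cn=wpsadmins,cn=users,dc=example,dc=com'
  'standalone.ldap.baseDN'                  = 'dc=example,dc=com'
  'standalone.ldap.et.group.objectClasses'                  = 'group'
  'standalone.ldap.et.group.objectClassesForCreate'         = 'group'
  'standalone.ldap.et.group.searchBases'                    = 'dc=example,dc=com'
  'standalone.ldap.et.personaccount.objectClasses'          = 'user'
  'standalone.ldap.et.personaccount.objectClassesForCreate' = 'user'
  'standalone.ldap.et.personaccount.searchBases'            = 'dc=example,dc=com'
  'standalone.ldap.gm.groupMemberName'         = 'member'
  'standalone.ldap.gm.objectClass'             = 'group'
  'standalone.ldap.gm.scope'                   = 'direct'
  'standalone.ldap.gm.dummyMember'             = 'uid=dummy'
  'standalone.ldap.personAccountParent'        = 'cn=users,dc=example,dc=com'
  'standalone.ldap.groupParent'                = 'cn=users,dc=example,dc=com'
  'standalone.ldap.personAccountRdnProperties' = 'cn'
  'standalone.ldap.groupRdnProperties'         = 'cn'
}

function Set-JavaProperty {
  param([string]$Path, [string]$Key, [string]$Value)
  # Overwrite an existing "Key=..." line in place or append one. Plain string matching,
  # not regex, so filter values containing ( ) & % survive unchanged. A backslash in a
  # value would still need the Java .properties escape ("\\").
  $lines = [System.IO.File]::ReadAllLines($Path, $Latin1)
  $found = $false
  $out = @(foreach ($l in $lines) {
    if (-not $found -and $l.TrimStart().StartsWith("$Key=")) { $found = $true; "$Key=$Value" } else { $l }
  })
  if (-not $found) { $out += "$Key=$Value" }
  [System.IO.File]::WriteAllLines($Path, [string[]]$out, $Latin1)
}

function Invoke-ConfigEngine {
  param([string]$Task, [string[]]$Arguments)
  # Runs interactively so the "Add signer to the trust store now?" prompt stays visible:
  # compare the certificate shown with your LDAP server's before answering y.
  Set-Location (Split-Path $ConfigEngine)
  & $ConfigEngine $Task @Arguments
  if ($LASTEXITCODE -ne 0) { throw "$Task failed; check ConfigEngine\log\ConfigTrace.log" }
}

# Credentials are collected at run time rather than embedded in the script.
$Was    = Get-Credential -Message 'WAS administrator (install-time ID while the file repository still exists)'
$WasPwd = $Was.GetNetworkCredential().Password
foreach ($k in 'standalone.ldap.bindPassword', 'standalone.ldap.serverPassword',
               'standalone.ldap.primaryAdminPassword', 'standalone.ldap.primaryPortalAdminPassword') {
  $sec = Read-Host -Prompt $k -AsSecureString
  $Ldap[$k] = (New-Object System.Management.Automation.PSCredential ('x', $sec)).GetNetworkCredential().Password
}

# Step 1: back up the profile configuration (-nostop leaves the servers running).
$Backup = Join-Path $env:TEMP ('wp_profile_{0:yyyyMMddHHmm}.zip' -f (Get-Date))
& (Join-Path $WpProfile 'bin\backupConfig.bat') $Backup -nostop -username $Was.UserName -password $WasPwd
if ($LASTEXITCODE -ne 0) { throw 'backupConfig failed' }

# Steps 2-7: write every value into wkplc.properties.
foreach ($k in @($Ldap.Keys)) { Set-JavaProperty -Path $PropsFile -Key $k -Value $Ldap[$k] }

# Steps 8-9: validate the LDAP settings, then switch the registry.
Invoke-ConfigEngine validate-standalone-ldap @("-DWasPassword=$WasPwd")
Invoke-ConfigEngine wp-modify-ldap.security @("-DWasPassword=$WasPwd")

# Step 10: restart the portal server (the running JVM still accepts the old credentials).
& (Join-Path $WpProfile 'bin\stopServer.bat') WebSphere_Portal -username $Was.UserName -password $WasPwd
& (Join-Path $WpProfile 'bin\startServer.bat') WebSphere_Portal

# Step 11: after the restart WAS authenticates against LDAP (assumption: the WAS administrator
# is now standalone.ldap.primaryAdminId, so that account's LDAP password is passed).
Invoke-ConfigEngine wp-validate-standalone-ldap-attribute-config @("-DWasPassword=$($Ldap['standalone.ldap.primaryAdminPassword'])")
```

Passwords passed as -D arguments are visible to other local users in process listings for the lifetime of each task, exactly as with the manual commands above, and the LDAP passwords written in steps 3 and 5 sit in clear text in wkplc.properties, so restrict that file's NTFS ACL to the administrators who run ConfigEngine. In clustered environments, stop the application servers first as described at the top of this page before running the script.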


Related tasks

Use the web content member fixer task

Adapt the attribute configuration
