Mapping attributes on Windows in a clustered environment

After you install and configure LDAP user registry and after you query the defined attributes, you can map the attributes so they match the configured LDAP servers and business needs.

To map attributes between WebSphere Portal and LDAP server; if you have multiple LDAP servers, perform these steps for each LDAP server:

  1. Edit WP_PROFILE/ConfigEngine/properties/wkplc.properties

  2. Enter a value for one of the following sets of parameters in wkplc.properties to identify LDAP server:

      Make sure you use the same values you used to configure LDAP server.

      Repository Parameters
      Standalone

        standalone.ldap.id
        standalone.ldap.host
        standalone.ldap.port
        standalone.ldap.sslEnabled
        standalone.ldap.bindDN
        standalone.ldap.bindPassword
        standalone.ldap.baseDN
      Federated

        federated.ldap.id
        federated.ldap.host
        federated.ldap.port
        federated.ldap.sslEnabled
        federated.ldap.bindDN
        federated.ldap.bindPassword
        federated.ldap.baseDN

  3. Check that all defined attributes are available in the configured LDAP user registry:

    Task to check that all defined attributes are available in the configured LDAP user registry.

    Repository Task
    Standalone ConfigEngine.bat wp-validate-standalone-ldap-attribute-config -DWasPassword=foo task, from the WP_PROFILE/ConfigEngine.
    Federated ConfigEngine.bat wp-validate-federated-ldap-attribute-config -DWasPassword=foo task, from the WP_PROFILE/ConfigEngine.

  4. Open the ConfigTrace.log file, located in the WP_PROFILE/ConfigEngine/log directory, to review the following output for the PersonAccount and Group entity type:

      The following attributes are defined in WebSphere Portal but not in the LDAP server

        This list contains all attributes defined in WebSphere Portal but not available in the LDAP. Flag attributes that you do not plan to use in WebSphere Portal as unsupported. Map the attributes that you plan to use to the attributes that exist in the LDAP; also map the uid, cn, firstName, sn, preferredLanguage, and ibm-primaryEmail attributes if they are contained in the list.

      The following attributes are flagged as required in the LDAP server but not in WebSphere Portal

        This list contains all attributes defined as "MUST" in the LDAP server but not as required in WebSphere Portal. You should flag these attributes as required within WebSphere Portal; see the step below about flagging an attribute as either unsupported or required.

      The following attributes have a different type in WebSphere Portal and in the LDAP server

        This list contains all attributes that WebSphere Portal might ignore because the data type within WebSphere Portal and within the LDAP server do not match.

  5. Edit WP_PROFILE/ConfigEngine/properties/wkplc.properties

  6. Enter a value for one of the following sets of parameters in wkplc.properties to correct any issues found in the config trace file:

    Parameters to define in wkplc.properties to correct any issues found in the config trace file.

    Repository Parameters
    Standalone

      standalone.ldap.id
      standalone.ldap.attributes.nonSupported
      standalone.ldap.attributes.nonSupported.delete
      standalone.ldap.attributes.mapping.ldapName
      standalone.ldap.attributes.mapping.portalName
      standalone.ldap.attributes.mapping.entityTypes
    For example, the following values will flag certificate and members as unsupported attributes and will map ibm-primaryEmail to mail and ibm-jobTitle to title for both the PersonAccount and Group entityTypes:

      standalone.ldap.attributes.nonSupported=certificate, members
      standalone.ldap.attributes.nonSupported.delete=
       
      standalone.ldap.attributes.mapping.ldapName=mail, title
      standalone.ldap.attributes.mapping.portalName=ibm-primaryEmail, ibm-jobTitle
      standalone.ldap.attributes.mapping.entityTypes=PersonAccount, Group

    Federated

      federated.ldap.attributes.nonSupported
      federated.ldap.attributes.nonSupported.delete
      federated.ldap.attributes.mapping.ldapName
      federated.ldap.attributes.mapping.portalName
      federated.ldap.attributes.mapping.entityTypes
    For example, the following values will flag certificate and members as unsupported attributes and will map ibm-primaryEmail to mail and ibm-jobTitle to title for both the PersonAccount and Group entityTypes:

      federated.ldap.attributes.nonSupported=certificate, members
      federated.ldap.attributes.nonSupported.delete=
       
      federated.ldap.attributes.mapping.ldapName=mail, title
      federated.ldap.attributes.mapping.portalName=ibm-primaryEmail, ibm-jobTitle
      federated.ldap.attributes.mapping.entityTypes=PersonAccount, Group

  7. Save changes to wkplc.properties.

  8. Update the LDAP user registry configuration with the list of unsupported attributes and the proper mapping between WebSphere Portal and the LDAP user registry:

    Task to update the LDAP user registry configuration with the list of unsupported attributes and the proper mapping between Portal and the LDAP user registry.

    Repository Task
    Standalone ConfigEngine.bat wp-update-standalone-ldap-attribute-config -DWasPassword=foo task, from the WP_PROFILE/ConfigEngine
    Federated ConfigEngine.bat wp-update-federated-ldap-attribute-config -DWasPassword=foo task, from the WP_PROFILE/ConfigEngine

  9. Stop and restart the appropriate servers to propagate the changes.

  10. Optional. Flag an attribute as either unsupported or required for the entire WebSphere Portal environment instead of just for the specified LDAP:

    1. Enter a value for the following required parameters in wkplc.properties:

          user.attributes.required
          user.attributes.nonsupported

    2. Save changes to wkplc.properties.

    3. Run the ConfigEngine.bat wp-update-attribute-config -DWasPassword=foo task, from the WP_PROFILE/ConfigEngine.

    4. Stop and restart all necessary servers to propagate changes.

If you created clustered environment then performed the steps in this task, now run the update-jcr-admin task on the secondary node. See Enable LDAP security after cluster creation for instructions.


Parent

Adapt the attribute configuration


Previous

Add attributes on Windows in a clustered environment


Next topic

Remove attributes


Related tasks


Start and stop servers, dmgrs, and node agents
Enable LDAP security after cluster creation

 


+

Search Tips   |   Advanced Search