IBM i cluster: Configure a stand-alone LDAP user registry without SSL
In a clustered environment, start the dmgr and nodeagent and verify they are able to synchronize.
If you need to rerun wp-modify-ldap-security, either to change the LDAP repositories or because the task failed, first choose a new realm name with the standalone.ldap.realm parameter, or set ignoreDuplicateIDs=true in wkplc.properties, and then rerun the task.
Configure a standalone LDAP user registry
We can use the helper files in WP_PROFILE/ConfigEngine/config/helpers/wp_security_xxx.properties (one per supported LDAP server type) as a reference for the correct property values.
- Run backupConfig.sh
- Edit wkplc.properties
- Set parameters under the Standalone security heading:
- standalone.ldap.id
- standalone.ldap.host
- standalone.ldap.port
- standalone.ldap.bindDN
- standalone.ldap.bindPassword
- standalone.ldap.ldapServerType
- standalone.ldap.userIdMap
- standalone.ldap.groupMemberIdMap
- standalone.ldap.userFilter
- standalone.ldap.groupFilter
- standalone.ldap.serverId
- standalone.ldap.serverPassword
- standalone.ldap.realm
- standalone.ldap.primaryAdminId
- standalone.ldap.primaryAdminPassword
- standalone.ldap.primaryPortalAdminId
- standalone.ldap.primaryPortalAdminPassword
- standalone.ldap.primaryPortalAdminGroup
- standalone.ldap.baseDN
- Set entity types parameters...
- Set group member parameters in wkplc.properties under the Group member attributes heading:
- standalone.ldap.gm.groupMemberName
- standalone.ldap.gm.objectClass
- standalone.ldap.gm.scope
- standalone.ldap.gm.dummyMember
- Set relative distinguished name (RDN ) parameters in wkplc.properties under the Default parent, RDN attribute heading:
- standalone.ldap.personAccountParent
- standalone.ldap.groupParent
- standalone.ldap.personAccountRdnProperties
- standalone.ldap.groupRdnProperties
- Save changes to wkplc.properties.
- Run the ConfigEngine.sh validate-standalone-ldap -DWasPassword=foo task to validate the LDAP server settings.
If the LDAP server is configured with SSL, the validation task prompts you to add the server's signer certificate to the truststore, for example:
Add signer to the truststore now?
If you want to add it, press y then Enter. The prompt does not appear for the non-SSL configuration described on this page.
- Run the ConfigEngine.sh wp-modify-ldap-security -DWasPassword=foo task, from WP_PROFILE/ConfigEngine, to set the standalone LDAP user registry.
- Stop and restart servers, dmgrs, and node agents.
- Run the ConfigEngine.sh wp-validate-standalone-ldap-attribute-config -DWasPassword=foo task, from WP_PROFILE/ConfigEngine, to check that all defined attributes are available in the configured LDAP user registry.
See Adapting the attribute configuration
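The following pre-flight check is an added example for this page, not IBM code. It reads the Standalone security section of wkplc.properties before you run validate-standalone-ldap, reports any required standalone.ldap.* property that is missing or empty, checks that the port is numeric and that userFilter and groupFilter still carry the %v placeholder the login ID is substituted into, and prints the search filter that the LDAP server must resolve for standalone.ldap.primaryPortalAdminId. The sample values written by write_sample_wkplc (host, DNs, realm and passwords) are constructed placeholders in the style of the IDS helper file, not a real environment; passwords are never echoed.

```shell
#!/bin/sh
# Pre-flight check for the "Standalone security" section of wkplc.properties,
# meant to run before ConfigEngine.sh validate-standalone-ldap.
# Added example for this page, not IBM code. Sample values are constructed.

REQUIRED_KEYS="standalone.ldap.id standalone.ldap.host standalone.ldap.port
standalone.ldap.bindDN standalone.ldap.bindPassword standalone.ldap.ldapServerType
standalone.ldap.userIdMap standalone.ldap.groupMemberIdMap standalone.ldap.userFilter
standalone.ldap.groupFilter standalone.ldap.serverId standalone.ldap.serverPassword
standalone.ldap.realm standalone.ldap.primaryAdminId standalone.ldap.primaryAdminPassword
standalone.ldap.primaryPortalAdminId standalone.ldap.primaryPortalAdminPassword
standalone.ldap.primaryPortalAdminGroup standalone.ldap.baseDN"

# prop FILE KEY: value of KEY (everything after the first '='). The last
# definition in the file wins, so a duplicated key cannot hide an empty one.
prop() {
    awk -v k="$2" -F= '$1 == k { sub(/^[^=]*=/, ""); v = $0 } END { print v }' "$1"
}

# admin_search_filter FILE: userFilter with %v replaced by
# standalone.ldap.primaryPortalAdminId, i.e. the search that has to return
# exactly one entry for the portal administrator.
admin_search_filter() {
    id=$(prop "$1" standalone.ldap.primaryPortalAdminId)
    prop "$1" standalone.ldap.userFilter | awk -v id="$id" '{ gsub(/%v/, id); print }'
}

# check_wkplc FILE: report missing or malformed standalone.ldap.* settings.
# Returns 0 when the section is complete, 1 otherwise. Never prints passwords.
check_wkplc() {
    f=$1
    rc=0
    for k in $REQUIRED_KEYS; do
        v=$(prop "$f" "$k")
        if [ -z "$v" ]; then
            echo "missing or empty: $k"
            rc=1
        fi
    done
    port=$(prop "$f" standalone.ldap.port)
    case "$port" in
        ''|*[!0-9]*) echo "standalone.ldap.port is not numeric: '$port'"; rc=1 ;;
    esac
    # Both filters must keep the %v placeholder that the login ID is substituted into.
    for k in standalone.ldap.userFilter standalone.ldap.groupFilter; do
        v=$(prop "$f" "$k")
        [ -z "$v" ] && continue
        case "$v" in
            *%v*) ;;
            *) echo "$k has no %v placeholder"; rc=1 ;;
        esac
    done
    # DN-valued properties must at least look like a DN (attribute=value).
    for k in standalone.ldap.bindDN standalone.ldap.baseDN; do
        v=$(prop "$f" "$k")
        [ -z "$v" ] && continue
        case "$v" in
            *=*) ;;
            *) echo "$k is not a distinguished name"; rc=1 ;;
        esac
    done
    return $rc
}

# write_sample_wkplc FILE: constructed sample of the Standalone security section
# (IDS-style values; host, DNs, realm and passwords are placeholders).
write_sample_wkplc() {
    cat > "$1" <<'EOF'
# Standalone security (constructed sample, not a real environment)
standalone.ldap.id=ldap1
standalone.ldap.host=ldap.example.com
standalone.ldap.port=389
standalone.ldap.bindDN=cn=root
standalone.ldap.bindPassword=ReplaceMe
standalone.ldap.ldapServerType=IDS
standalone.ldap.userIdMap=*:uid
standalone.ldap.groupMemberIdMap=groupOfUniqueNames:uniqueMember
standalone.ldap.userFilter=(&(uid=%v)(objectclass=inetOrgPerson))
standalone.ldap.groupFilter=(&(cn=%v)(objectclass=groupOfUniqueNames))
standalone.ldap.serverId=uid=wpsbind,cn=users,dc=example,dc=com
standalone.ldap.serverPassword=ReplaceMe
standalone.ldap.realm=portalRealm
standalone.ldap.primaryAdminId=uid=wpsadmin,cn=users,dc=example,dc=com
standalone.ldap.primaryAdminPassword=ReplaceMe
standalone.ldap.primaryPortalAdminId=wpsadmin
standalone.ldap.primaryPortalAdminPassword=ReplaceMe
standalone.ldap.primaryPortalAdminGroup=cn=wpsadmins,cn=groups,dc=example,dc=com
standalone.ldap.baseDN=dc=example,dc=com
EOF
}

# Stand-alone demo: write the sample, check it, and show the admin lookup filter.
sample="${TMPDIR:-/tmp}/wkplc.sample.$$.properties"
write_sample_wkplc "$sample"
check_wkplc "$sample" && echo "Standalone security section looks complete"
echo "admin lookup filter: $(admin_search_filter "$sample")"
rm -f "$sample"
```

To check a real file, call check_wkplc WP_PROFILE/ConfigEngine/properties/wkplc.properties (path assumed from the page's WP_PROFILE convention) and run the printed filter with ldapsearch as standalone.ldap.bindDN against standalone.ldap.baseDN; if it returns zero or more than one entry, the primaryPortalAdminId is not unique and must be fully qualified before wp-modify-ldap-security is run.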
- Update the member names used by WCM with the corresponding members in the LDAP directory.
- Edit...
WP_PROFILE/PortalServer/wcm/shared/app/config/wcmservices/MemberFixerModule.properties
- Add the following lines to the file:
uid=wpsadmin,o=defaultWIMFileBasedRealm -> portal_admin_DN
cn=contentauthors,o=defaultWIMFileBasedRealm -> content_authors_group_DN
The MemberFixerModule.properties file already contains lines for xyzadmin. We can ignore that line.
- Save the changes and close the file.
- Run the ConfigEngine.sh run-wcm-admin-task-member-fixer -DallLibraries=true -Dfix=true -DaltDn=update -DmismatchedId=update -DinvalidDn=update -DnoRealmDn=true -DPortalAdminPwd=wpsadmin task, located in WP_PROFILE/ConfigEngine. Passwords passed as -D parameters are visible in the shell history and in the process list while the task runs; clear them from the history afterwards.
If the portal admin ID is not unique in the LDAP directory, either provide the fully qualified ID as the value of the PortalAdminID parameter in wkplc.properties or pass the fully qualified ID on the command line.
For example, if the portal admin ID is wpsadmin and the LDAP directory also contains wpsadmin as the ID of a different user, this task does not run successfully. Specify a fully qualified portal admin ID such as
uid=wpsadmin,cn=users,ou=test,o=retail,o=ibm
The realm portion (o=realm_name) of the entries in MemberFixerModule.properties depends on the type of LDAP configuration:
LDAP        Value
Standalone  realm_name should match the value of standalone.ldap.realm in wkplc.properties.
Federated   realm_name should match the value of federated.realm in wkplc.properties.
If the value is empty, use defaultWIMFileBasedRealm.
- Update the SearchAdminUser alias to match the WebSphere Portal administrator information.
- Optional: Assign access to the Web content libraries.
- Log in as a portal administrator and navigate to...
Administration | Portal Content | Web Content Libraries | web_library | Set permissions
- Click the Edit Role icon for Editor.
- Add the group specified for content_authors_group_DN as an Editor for the Intranet and Internet libraries.
- Click Apply then Done.
- If you have created any additional WCM libraries, run the Web content member fixer task to update the member names used by the libraries.
If you created a cluster, including additional nodes, and then completed the steps in this task, run update-jcr-admin on the secondary nodes.
Parent: Choose the stand-alone LDAP user registry on IBM i in a clustered environment
Related:
Start and stop servers, dmgrs, and node agents
Enable LDAP security after cluster creation
Replace the search administrator user ID
How to fix Portal Access Control settings after user/group external identifiers have changed