
Windows cluster: Configure a stand-alone LDAP user registry without SSL


In a clustered environment, start the dmgr and nodeagent and verify they are able to synchronize.

If you need to rerun wp-modify-ldap-security, either to change the LDAP repositories or because the task failed, choose a new name for the realm using the standalone.ldap.realm parameter, or set ignoreDuplicateIDs=true in wkplc.properties, before rerunning the task.


Configure a standalone LDAP user registry

The helper files in WP_PROFILE/ConfigEngine/config/helpers/wp_security_xxx.properties can be used as a reference for the properties to set.

  1. Run backupConfig.sh

  2. Edit wkplc.properties, located in...

      WP_PROFILE/ConfigEngine/properties


  3. Set the LDAP server parameters in wkplc.properties under the Standalone security heading.

  4. Set entity types parameters...

  5. Set the group member parameters in wkplc.properties under the Group member attributes heading.

  6. Set the relative distinguished name (RDN) parameters in wkplc.properties under the Default parent, RDN attribute heading.

  7. Save changes to wkplc.properties.

  8. Run the ConfigEngine.bat validate-standalone-ldap -DWasPassword=foo task to validate the LDAP server settings.

    In an environment configured with an LDAP with SSL, during the validation task, you will be prompted to add a signer to the truststore.

    For example...

      Add signer to the truststore now?

    If you do, press y then Enter.

  9. Run the ConfigEngine.bat wp-modify-ldap-security -DWasPassword=foo task, from the WP_PROFILE\ConfigEngine directory, to configure the stand-alone LDAP user registry.

  10. Stop and restart servers, dmgrs, and node agents.

  11. Run the ConfigEngine.bat wp-validate-standalone-ldap-attribute-config -DWasPassword=foo task, from the WP_PROFILE\ConfigEngine directory, to check that all defined attributes are available in the configured LDAP user registry.

    See Adapting the attribute configuration

  12. Update the member names used by WCM with the corresponding members in the LDAP directory.

    1. Edit the WP_PROFILE\PortalServer\wcm\shared\app\config\wcmservices\MemberFixerModule.properties file.

    2. Add the following lines to the file, replacing portal_admin_DN and content_authors_group_DN with the corresponding LDAP distinguished names:

      uid=wpsadmin,o=defaultWIMFileBasedRealm -> portal_admin_DN
      cn=contentauthors,o=defaultWIMFileBasedRealm -> content_authors_group_DN

      The MemberFixerModule.properties file already contains a line for xyzadmin; that line can be ignored.

    3. Save the changes and close the file.

    4. Run the ConfigEngine.bat run-wcm-admin-task-member-fixer -DallLibraries=true -Dfix=true -DaltDn=update -DmismatchedId=update -DinvalidDn=update -DnoRealmDn=true -DPortalAdminPwd=wpsadmin task, located in the WP_PROFILE\ConfigEngine directory.

      If the portal admin ID is not unique to your environment, either provide the fully qualified ID as the value for the PortalAdminID parameter in wkplc.properties or specify the fully qualified ID as part of the command.

      For example, if the portal admin ID is wpsadmin and the LDAP directory contains wpsadmin as the ID for a different user, this task does not run successfully. Specify a fully qualified portal admin ID such as

        uid=wpsadmin,cn=users,ou=test,o=retail,o=ibm

      The realm_name used in the mapping lines depends on the type of LDAP configuration:

      LDAP         Value
      Standalone   realm_name should match the value for standalone.ldap.realm in wkplc.properties.
      Federated    realm_name should match the value for federated.realm in wkplc.properties. If the value is empty, use defaultWIMFileBasedRealm.

  13. Update the SearchAdminUser alias to match the WebSphere Portal administrator information.

  14. Optional: Assign access to the Web content libraries.

    1. Log in as a portal administrator and navigate to...

        Administration | Portal Content | Web Content Libraries | web_library | Set permissions

    2. Click the Edit Role icon for Editor.

    3. Add the group specified for content_authors_group_DN as an Editor for the Intranet and Internet libraries.

    4. Click Apply then Done.

  15. If you have created any additional WCM libraries, run the Web content member fixer task to update the member names used by the libraries.

If you created a cluster, including additional nodes, and then completed the steps in this task, run update-jcr-admin on the secondary nodes.
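The member fixer task in step 12 rewrites library member names using the mappings in MemberFixerModule.properties, so a mistake there (a placeholder left in, or the wrong realm on the old name) is only discovered after the task has run. The script below is an added pre-flight check, not part of WebSphere Portal: it parses wkplc.properties and the mapping lines, determines the realm the table above requires (standalone.ldap.realm, or federated.realm falling back to defaultWIMFileBasedRealm), and reports mapping lines whose left-hand name carries a different realm or whose right-hand side is not an LDAP DN. It also reports whether PortalAdminID is a bare ID or a fully qualified DN, since step 12 requires the latter when the short ID is not unique in the directory. The assumption that the realm is the o= component of the left-hand name, the property-key spelling PortalAdminId, and the sample file contents are all constructed for this example.

```python
"""Pre-flight check for WCM member fixer mappings (added example, not IBM code).

Assumptions of the example: the realm_name from the LDAP/Value table is the
value of the o= component of the mapping's left-hand (pre-LDAP) name, and the
portal admin ID lives under the key PortalAdminId in wkplc.properties.
"""
import re

DEFAULT_REALM = "defaultWIMFileBasedRealm"


def parse_properties(text):
    """Parse Java .properties text into a dict.

    Comments (# or !) and blank lines are skipped; the first '=' or ':' splits
    key from value. Backslash line continuations are not handled, which is
    fine for the flat key=value lines wkplc.properties uses.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def expected_realm(props, mode="standalone"):
    """Realm the mapping lines must use, following the LDAP/Value table."""
    if mode == "standalone":
        return props.get("standalone.ldap.realm", "")
    return props.get("federated.realm", "") or DEFAULT_REALM


def split_dn(dn):
    """Split a DN into (type, value) pairs, honouring backslash-escaped commas
    (RFC 4514). Attribute types are lower-cased for comparison."""
    parts, buf, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):      # keep escape pair intact
            buf += dn[i:i + 2]
            i += 2
            continue
        if dn[i] == ",":
            parts.append(buf.strip())
            buf = ""
        else:
            buf += dn[i]
        i += 1
    parts.append(buf.strip())
    rdns = []
    for p in parts:
        if "=" not in p:
            raise ValueError(f"not an RDN: {p!r}")
        t, v = p.split("=", 1)
        rdns.append((t.strip().lower(), v.strip()))
    return rdns


def is_dn(s):
    """True when s parses as a DN (so a placeholder like portal_admin_DN is False)."""
    try:
        split_dn(s)
        return True
    except ValueError:
        return False


def realm_of(dn):
    """Realm component of a WIM-style name: the value of its last o= RDN."""
    for t, v in reversed(split_dn(dn)):
        if t == "o":
            return v
    return None


def parse_mappings(text):
    """Parse 'old -> new' lines of MemberFixerModule.properties."""
    mappings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "->" not in line:
            continue
        old, new = (s.strip() for s in line.split("->", 1))
        mappings.append((old, new))
    return mappings


def admin_id_is_qualified(props):
    """True when the portal admin ID in wkplc.properties is a full DN."""
    val = next((v for k, v in props.items() if k.lower() == "portaladminid"), "")
    return is_dn(val)


def check_mappings(wkplc_text, fixer_text, mode="standalone"):
    """Return a list of problems; an empty list means the mapping is ready."""
    realm = expected_realm(parse_properties(wkplc_text), mode)
    problems = []
    if not realm:
        problems.append("standalone.ldap.realm is not set in wkplc.properties")
    for old, new in parse_mappings(fixer_text):
        if not is_dn(old) or realm_of(old) != realm:
            problems.append(f"{old}: left-hand realm must be o={realm}")
        if not is_dn(new):
            problems.append(f"{old}: right-hand side {new!r} is not a DN (placeholder left in?)")
    return problems


# Constructed sample inputs: a stand-alone realm, a bare admin ID, and a fixer
# file where one line still has the default realm and a placeholder target.
WKPLC_SAMPLE = """# constructed wkplc.properties excerpt
standalone.ldap.realm=portalRealm
PortalAdminId=wpsadmin
"""
FIXER_SAMPLE = """# constructed MemberFixerModule.properties excerpt
uid=wpsadmin,o=defaultWIMFileBasedRealm -> portal_admin_DN
cn=contentauthors,o=portalRealm -> cn=contentauthors,cn=groups,ou=test,o=retail,o=ibm
cn=Smith\\, Jane,o=portalRealm -> cn=Smith\\, Jane,cn=users,ou=test,o=retail,o=ibm
"""

if __name__ == "__main__":
    for p in check_mappings(WKPLC_SAMPLE, FIXER_SAMPLE):
        print("PROBLEM:", p)
    print("admin ID fully qualified:", admin_id_is_qualified(parse_properties(WKPLC_SAMPLE)))
```

Run it against the real files by reading them into the two text arguments; the escaped-comma line in the sample shows that names such as cn=Smith\, Jane are parsed as one RDN rather than being split into an invalid DN.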


Parent: Choose the stand-alone LDAP user registry on Windows in a clustered environment
Related:
Start and stop servers, dmgrs, and node agents
Enable LDAP security after cluster creation
Replace the search administrator user ID
How to fix Portal Access Control settings after user/group external identifiers have changed