Set up federated repositories

You can configure the user registry for IBM Lotus Connections to be populated with users from more than one LDAP directory (multiple realms).

  1. Gather LDAP information

  2. Log on to WAS admin console

  3. Disable security (optional).

    You might have to run syncNode.bat later from the node if you get messages about permissions.

  4. Create an admin user ID. Go to...

      Security | Secure Administration, applications and infrastructure | Available realm definitions | Federated Repositories | Configure

    ..and enter an admin user ID, for example, wasadmin, in the field...

      Primary administrative user name

    The administrative user ID must be unique, and must not exist in the LDAP repository to be federated.

    From the Server user identity area, select...

      Automatically generated server identity

    You can leave the other default settings, such as Realm name, unchanged.

  5. Click Apply and then type the password for the administrative user in the Password and Confirm password fields.

  6. Add a repository identifier. Go to...

      Security | Secure Administration, applications and infrastructure | Add Base entry to Realm | Repository reference page | Add Repository

    ..and set the repository identifier, for example...

      myFavoriteRepository

  7. Specify the LDAP that you are using in the Directory type field. The options map to the supported LDAPs as follows...

      Directory type option                             LDAP supported by Lotus Connections
      Sun ONE                                           Sun Java System Directory Server 5, 6
      IBM Lotus Domino 6.5                              IBM Lotus Domino 7.0.2, 8.0.2, and 8.5
      Microsoft Windows Server 2003 Active Directory    Microsoft Active Directory 2003 SP2
      Microsoft Active Directory Application Mode       Microsoft Active Directory Application Mode
      IBM Tivoli Directory Server Version 6             IBM Tivoli Directory Server 6.0.0.3, 6.1
      Novell Directory Services                         eDirectory 8.8

  8. Type the host name of the primary LDAP server in the Primary host name field.

  9. If the LDAP does not allow attributes to be searched anonymously, provide values for...

    • Bind distinguished name
    • Bind password

    For example, for Domino, specify a user name and password with administrative level access.

  10. Specify login attributes in the Login properties field.

    Separate multiple attributes with a semicolon. For example:

    uid;mail

    If you are installing Profiles and using TDS, Domino, or Sun ONE, specify either mail, which represents the user's e-mail address, or uid, which represents the user's ID, as the value for this property.

    If you are installing Profiles and using Active Directory, and you use an e-mail address as the login, specify mail as the value for this property. If you use the samAccountName attribute as the login, specify uid as the value for this property.

  11. Click Apply, and then click Save to save this setting.

  12. On the Repository reference page, the following fields represent the LDAP attribute type and value pairs for the base element in the realm and the LDAP repository. For example:

      o=acme

    These can be the same value when a single LDAP repository is configured for the realm, or different values in a multiple LDAP repository configuration.

      Distinguished name of a base entry that uniquely identifies this set of entries in the realm

      Identifies entries in the realm. For example...

        cn=john doe, o=acme

      Distinguished name of a base entry in this repository

      Identifies entries in the LDAP. For example...

        cn=john doe, o=acme

      This value defines the location in the LDAP information tree from which the LDAP search begins. The entries beneath it in the tree can also be accessed by the LDAP search.

      If you have defined flat groups in the Domino directory, do not enter a value in this field. Flat groups are group names such as SalesGroup, as opposed to...

        cn=SalesGroup,ou=Groups

      If you configure a search base in this step, you will not be able to access the groups.

  13. Click Apply and Save to save this setting, and then click OK to return to the Federated Repositories page.

  14. To modify the object classes mapping...

      Repository Identifier | your_repository | Additional Properties | LDAP entity types | Group entity type

    If necessary, you can also edit Search bases and Search filters.

    Accept default object classes value for Group, unless you are using Domino, which requires: dominoGroup.

  15. Click the PersonAccount entity type and modify the default object classes mapping.

    Accept default object classes value for PersonAccount, unless you are using Domino, which requires: dominoPerson.

  16. In the navigation links at the top of the page, click the name of the repository that you have just modified to return to the Repository page.

  17. If applications rely on group membership from LDAP, create a group attribute definition. Go to...

    ..and enter group membership values in the fields...

    • Name of member attribute
    • Object class

    If you have already accepted the default groupOfNames value for Group, you can also accept the default value for Member. If you changed the object class for Group to dominoGroup, add dominoGroup to the definition of Member.

    Example of group membership attribute for using Activities...

    • The Member attribute type is used by groupOfNames
    • The uniqueMember attribute type is used by groupOfUniqueNames

  18. Repeat these steps for each additional LDAP.

  19. Set the new repository as the current repository:

      Secure Administration, applications and infrastructure | Available realm definitions | Federated Repositories | Set as current

  20. Enable login security on WAS by selecting the Administrative Security and Application Security check boxes.

    Clear the Java 2 security check box.

    The administrative user name and password are now required because you have just set up security on WAS.

  21. Log out of the WAS Console and restart the appservers. For dmgr console, restart that console.

  22. When the appservers are running again, log on to the console using your primary administrative user name and password.

  23. To test, add LDAP users to WAS with administrative roles.

  24. If you are using SSL for LDAP, add a signer certificate to your trust store. Go to...

    ..and set...

    • Host Name: DNS name of the LDAP
    • Port: Secure LDAP port. Typically 636
    • Alias: Alias name, such as LDAPSSLCertificate

  25. Optional: Verify that users in the LDAP have been successfully added to the repository:

    1. From the WAS Console, select...

        Users and Groups | Manage Users

    2. In the Search for field, enter a user name that you know to be in the LDAP and click Search.

      If the search succeeds, you have partial verification that the repository is configured correctly. However, this check does not verify the groups that a user belongs to.
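A pre-flight check for the settings that steps 10, 12 and 17 ask for, added here as an example and not part of the Lotus Connections documentation or of WAS: it applies the login-property, base-entry and Group object class / member attribute rules from those steps to a constructed set of directory entries, and covers the group side that the step 25 search cannot. The entry shapes, names and mail values are assumptions; the entries are shaped like the result of an LDAP search, not read from a live directory.

```python
from collections import defaultdict
# Constructed sample shaped like an LDAP search result (hypothetical, not from the page):
# two users that share one mail value, one group under o=acme, one Domino-style flat group.
SAMPLE = [
    {"dn": "cn=john doe, o=acme", "objectclass": ["inetOrgPerson"],
     "uid": ["jdoe"], "mail": ["jdoe@acme.example"]},
    {"dn": "cn=jane roe, o=acme", "objectclass": ["inetOrgPerson"],
     "uid": ["jroe"], "mail": ["JDoe@acme.example"]},
    {"dn": "cn=SalesGroup,ou=Groups,o=acme", "objectclass": ["groupOfUniqueNames"],
     "uniquemember": ["cn=john doe, o=acme"]},
    {"dn": "cn=SalesGroup", "objectclass": ["dominoGroup"], "member": ["cn=john doe, o=acme"]},
]
# Member attribute that belongs with each Group object class (the pairs the page lists).
MEMBER_ATTR = {"groupofnames": "member", "groupofuniquenames": "uniquemember",
               "dominogroup": "member"}

def norm_dn(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))

def under_base(dn, base):
    # An empty base entry (what the page tells you to use for flat groups) matches everything.
    dn, base = norm_dn(dn), norm_dn(base)
    return not base or dn == base or dn.endswith("," + base)

def ambiguous_logins(entries, base, login_props="uid;mail"):
    """Login property values matching more than one entry under the base entry;
    WAS cannot map such a login to a single user, so fix them in the LDAP first."""
    seen = defaultdict(lambda: defaultdict(set))
    for e in entries:
        if under_base(e["dn"], base):
            for prop in login_props.lower().split(";"):
                for value in e.get(prop, []):
                    seen[prop][value.lower()].add(norm_dn(e["dn"]))
    return {p: sorted(v for v, dns in vals.items() if len(dns) > 1)
            for p, vals in seen.items() if any(len(dns) > 1 for dns in vals.values())}

def check_groups(entries, base, group_class="groupOfNames"):
    """Count groups of group_class, list those outside the base entry (a search base
    hides them: the flat-group case) and those lacking the member attribute for the class."""
    member_attr = MEMBER_ATTR[group_class.lower()]
    found, outside, missing = 0, [], []
    for e in entries:
        if group_class.lower() not in (c.lower() for c in e.get("objectclass", [])):
            continue
        found += 1
        if not under_base(e["dn"], base):
            outside.append(norm_dn(e["dn"]))
        if member_attr not in e:
            missing.append(norm_dn(e["dn"]))
    return {"found": found, "outside_base": outside, "missing_member_attr": missing}
```

A found count of 0 for the default groupOfNames while the directory holds groupOfUniqueNames or dominoGroup entries is the mismatch step 14 and step 17 warn about; a non-empty outside_base list is the flat-group case from step 12.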

 

Results

You have configured WAS to use a federated repository.

 

Related tasks

Create databases
Pre-installation tasks
Prepare to configure the LDAP directory
Install IBM WebSphere Application Server