WebSphere Portal, Express Beta Version 6.1
Operating systems: i5/OS, Linux, Windows

Adding an LDAP user registry on Windows

Add an LDAP user registry to the default federated repository to store user account information for authorization.

Perform the following steps to add an LDAP user registry to the default federated repository:

  1. Use a text editor to open the wkplc.properties file, located in the wp_profile\ConfigEngine\properties directory.
  2. Required: Enter only the following required parameters in the wkplc.properties file under the Federated LDAP repository heading:

    1. For federated.ldap.id, type the unique ID for the LDAP user registry.
    2. For federated.ldap.host, type the hostname of the primary LDAP server.
    3. For federated.ldap.port, type the port number for the LDAP server.
    4. For federated.ldap.bindDN, type the user ID that binds WebSphere Application Server to the LDAP server to retrieve user attributes for authentication. Leave blank to make the LDAP server read-only and to allow anonymous access to the LDAP server. Note: Type the value in lower case, regardless of the case used in the distinguished name.
    5. For federated.ldap.bindPassword, type the password for the LDAP bind user ID. If federated.ldap.bindDN is blank, this parameter must also be blank.
    6. For federated.ldap.ldapServerType, type the appropriate value for your LDAP server. Note: If your LDAP server version is not listed, enter the value for the highest listed version of your server.
    7. For federated.ldap.baseDN, type the distinguished name of the base entry.
  3. Required: Enter only the following required entity type parameters in the wkplc.properties file under the Federated LDAP repository heading:

    1. For federated.ldap.et.entityTypeName, type the name of the entity type.
    2. For federated.ldap.et.searchFilter, type the search filter that you want to use to search the entity type.
    3. For federated.ldap.et.objectClasses, type the object class(es) for the entity type.
    4. Optional: For federated.ldap.et.objectClassesForCreate, type the object class to use when an entity type is created. If the value of this parameter is the same as the federated.ldap.et.objectClasses parameter, you do not need to specify this parameter.
    5. For federated.ldap.et.searchBases, type the search base(s) to use while searching the entity type.
  4. Required: Enter only the following required group member parameters in the wkplc.properties file under the Federated LDAP repository heading:

    1. For federated.ldap.gm.groupMemberName, type the name of the LDAP attribute that is used as the group member attribute; for example, member or uniqueMember.
    2. For federated.ldap.gm.objectClass, type the group object class that contains the member attribute; for example, groupOfNames or groupOfUniqueNames. Note: If you do not define this parameter, the member attribute applies to all group object classes.
    3. For federated.ldap.gm.scope, type direct if the member attribute contains only direct members, or nested if it contains both direct members and nested members.
    4. For federated.ldap.gm.dummyMember, type the name of an existing group member or leave blank to create a dummy group member.
  5. Required: Enter only the following required default parent parameters in the wkplc.properties file under the Federated LDAP repository heading:

    1. For federated.ldap.personAccountParent, type the default parent for the PersonAccount entity type.
    2. For federated.ldap.groupParent, type the default parent for the Group entity type.
    3. For federated.ldap.orgContainerParent, type the default parent for the orgContainer entity type.
  6. Required: Enter only the following required relative distinguished name parameters in the wkplc.properties file under the Federated LDAP repository heading:

    1. For federated.ldap.personAccountRdnProperties, type the relative distinguished name (RDN) for the PersonAccount entity type.
    2. For federated.ldap.groupRdnProperties, type the RDN for the Group entity type.
    3. For federated.ldap.orgContainerRdnProperties, type the RDN for the orgContainer entity type.
  7. Optional: Enter only the following optional parameters in the wkplc.properties file under the Federated LDAP repository heading:

    1. For federated.ldap.adapterClassName, type the adapter class name.
    2. For federated.ldap.supportSorting, type true to support sorting or false to not support sorting.
    3. For federated.ldap.supportTransaction, type true to support transactions or false to not support transactions.
    4. For federated.ldap.isExtIdUnique, type true if the external ID is unique or false if the external ID is not unique.
    5. For federated.ldap.supportExternalName, type true if the external names are supported or false if external names are not supported.
    6. For federated.ldap.supportPaging, type true if paging is supported or false if paging is not supported.
    7. For federated.ldap.authentication, type the authentication method for your user registry.
    8. For federated.ldap.referral, indicate how to handle LDAP referrals; the default value is ignore.
    9. For federated.ldap.derefAliases, indicate how to dereference aliases; the default value is always.
    10. For federated.ldap.connectionPool, type a value for the connection pool; the default value is false.
    11. For federated.ldap.connectTimeout, type a numeric value to specify the number of seconds after which the connection times out.
    12. For federated.ldap.translateRDN, type true to translate the RDN or false to not translate the RDN.
    13. For federated.ldap.default, type true to set the default values for the remaining parameters or false to enter the remaining parameters manually.
  8. Optional: Enter the following parameters to enable search features for your LDAP server:

    1. For federated.ldap.searchPageSize, type a numeric value to specify the search page size.
    2. For federated.ldap.searchCountLimit, type a numeric value to specify the count limit.
    3. For federated.ldap.searchTimeLimit, type a numeric value to specify the number of seconds after which the search times out.
  9. Optional: Enter the following parameters to enable Secure Sockets Layer (SSL):

    1. For federated.ldap.sslEnabled, type true to enable SSL communication with the LDAP server.
    2. For federated.ldap.sslConfig, enter a value for the SSL configurations.
    3. For federated.ldap.certificateMapMode, type EXACT_DN to map X.509 certificates into an LDAP directory by exact distinguished name or certificatefilter to map X.509 certificates by a certificate filter. Note: If you type certificatefilter, enter a value in federated.ldap.certificateFilter.
    4. For federated.ldap.certificateFilter, if federated.ldap.certificateMapMode=certificatefilter, enter the LDAP filter that maps attributes in the client certificate to entries in the LDAP directory.
  10. Save your changes to the wkplc.properties file.
  11. Run the ConfigEngine.bat validate-federated-ldap task to validate your LDAP server settings.
  12. Run the ConfigEngine.bat wp-create-ldap task, located in the wp_profile\ConfigEngine directory to add an LDAP user registry to the default federated repository.
  13. Perform the following steps to stop and restart the server1 and WebSphere_Portal servers:

    1. Open a command prompt and change to the wp_profile_root\bin directory.
    2. Enter the stopServer.bat server1 -user admin_userid -password admin_password command to stop the WebSphere Application Server.
    3. Enter the stopServer.bat WebSphere_Portal -user admin_userid -password admin_password command to stop the WebSphere Portal Express server.
    4. Enter the startServer.bat server1 command.
    5. Enter the startServer.bat WebSphere_Portal command.
  14. Use a text editor to open the wkplc.properties file, located in the wp_profile\ConfigEngine\properties directory.
  15. Enter the following parameters in the wkplc.properties file under VMM repository base entry configuration to create additional base entries within the LDAP user registry to use when creating realms:

    1. For id, type the repository ID for the base entry.
    2. For baseDN, type the name of the base entry.
    3. For nameInRepository, type the distinguished name in the repository that uniquely identifies the base entry name.
  16. Save your changes to the wkplc.properties file.
  17. Run the ConfigEngine.bat wp-create-base-entry task, located in the wp_profile\ConfigEngine directory to create a base entry in a repository.
  18. Perform the following steps to stop and restart the server1 and WebSphere_Portal servers:

    1. Open a command prompt and change to the wp_profile_root\bin directory.
    2. Enter the stopServer.bat server1 -user admin_userid -password admin_password command to stop the WebSphere Application Server.
    3. Enter the stopServer.bat WebSphere_Portal -user admin_userid -password admin_password command to stop the WebSphere Portal Express server.
    4. Enter the startServer.bat server1 command.
    5. Enter the startServer.bat WebSphere_Portal command.
  19. Optional: Run the ConfigEngine.bat wp-query-repository task, located in the wp_profile\ConfigEngine directory to list the names and types of configured repositories.
  20. Run the ConfigEngine.bat wp-validate-federated-ldap-attribute-config task, located in the wp_profile\ConfigEngine directory to check that all defined attributes are available in the configured LDAP user registry. After running the wp-validate-federated-ldap-attribute-config task, go to the config trace file and review the following output for the PersonAccount and Group entity types:

    Possible problems for <entityType>: To be configured as unsupported

    This list contains all attributes that are defined in WebSphere Portal Express but not available in the LDAP.

    To be configured as required

    This list contains all attributes that are defined as "MUST" in the LDAP server but not as required in WebSphere Portal Express.

    Inconsistent syntax

    This list contains all attributes that might cause problems because their data types in WebSphere Portal Express and in the LDAP server do not match.

    Correct any problems in the wkplc.properties file, run the ConfigEngine.bat wp-update-federated-ldap-attribute-config task to correct the LDAP user registry configuration, and then stop and restart the server1 and WebSphere_Portal servers.
  21. Enter the following parameters in the wkplc.properties file under the VMM repository base entry configuration heading:

    1. For federated.ldap.id, type the repository ID.
    2. For federated.ldap.attributes.nonSupported, type a comma-separated list of attribute names that will be added to the list of non-supported attributes. These can be all the attributes listed under "To be configured as unsupported" in the config trace file.
    3. Perform the following steps if you want to configure attribute mapping (WebSphere Portal Express attribute A mapped to LDAP attribute B):

      1. For federated.ldap.attributes.mapping.ldapName, type the name of the LDAP attribute to map to, for example LDAP attribute B.
      2. For federated.ldap.attributes.mapping.portalName, type the name of the WebSphere Portal Express attribute to map from, for example WebSphere Portal Express attribute A.
      3. For federated.ldap.attributes.mapping.entityTypes, type a comma-separated list of entity types that apply to the attribute mapping.
    4. Save your changes to the wkplc.properties file.
  22. Run the ConfigEngine.bat wp-update-federated-ldap-attribute-config task, located in the wp_profile\ConfigEngine directory to update the LDAP user registry configuration.
  23. Perform the following steps to stop and restart the server1 and WebSphere_Portal servers:

    1. Open a command prompt and change to the wp_profile_root\bin directory.
    2. Enter the stopServer.bat server1 -user admin_userid -password admin_password command to stop the WebSphere Application Server.
    3. Enter the stopServer.bat WebSphere_Portal -user admin_userid -password admin_password command to stop the WebSphere Portal Express server.
    4. Enter the startServer.bat server1 command.
    5. Enter the startServer.bat WebSphere_Portal command.
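The constraints that steps 2 through 9 place on the Federated LDAP repository parameters, as an added Python example that is not part of WebSphere Portal Express or of the ConfigEngine tasks: it reads a wkplc.properties fragment and reports every violation before validate-federated-ldap is run, so that a lower-case bindDN, a stray bind password on an anonymous bind, a bad gm.scope value or a missing certificateFilter is caught at the editor rather than at the task. The sample properties text is constructed for the example: the host name, distinguished names and password are made up, the ldapServerType value is a placeholder, and the comment line stands in for the Federated LDAP repository heading used in the real file.

```python
"""Pre-flight check for the Federated LDAP repository parameters in wkplc.properties
(added example; not part of WebSphere Portal Express)."""

# Constructed sample section. Host name, DNs and password are made up; the
# ldapServerType value is a placeholder, and the comment line stands in for
# the real file's "Federated LDAP repository" heading.
SAMPLE_PROPERTIES = """\
# Federated LDAP repository
federated.ldap.id=ldap1
federated.ldap.host=ldap.example.test
federated.ldap.port=636
federated.ldap.bindDN=cn=wpsbind,dc=example,dc=test
federated.ldap.bindPassword=CHANGE_ME
federated.ldap.ldapServerType=SERVER_TYPE_PLACEHOLDER
federated.ldap.baseDN=dc=example,dc=test
federated.ldap.et.entityTypeName=PersonAccount
federated.ldap.et.searchFilter=(objectClass=inetOrgPerson)
federated.ldap.et.objectClasses=inetOrgPerson
federated.ldap.et.searchBases=ou=people,dc=example,dc=test
federated.ldap.gm.groupMemberName=uniqueMember
federated.ldap.gm.objectClass=groupOfUniqueNames
federated.ldap.gm.scope=direct
federated.ldap.gm.dummyMember=
federated.ldap.personAccountParent=ou=people,dc=example,dc=test
federated.ldap.groupParent=ou=groups,dc=example,dc=test
federated.ldap.orgContainerParent=dc=example,dc=test
federated.ldap.personAccountRdnProperties=uid
federated.ldap.groupRdnProperties=cn
federated.ldap.orgContainerRdnProperties=ou
federated.ldap.sslEnabled=true
federated.ldap.certificateMapMode=certificatefilter
federated.ldap.certificateFilter=
"""

P = "federated.ldap."
# Steps 2 to 6: parameters that must be present. Four may legitimately be blank
# (anonymous bind, member attribute for all group classes, dummy member).
REQUIRED = [P + k for k in (
    "id", "host", "port", "bindDN", "bindPassword", "ldapServerType", "baseDN",
    "et.entityTypeName", "et.searchFilter", "et.objectClasses", "et.searchBases",
    "gm.groupMemberName", "gm.objectClass", "gm.scope", "gm.dummyMember",
    "personAccountParent", "groupParent", "orgContainerParent",
    "personAccountRdnProperties", "groupRdnProperties", "orgContainerRdnProperties")]
MAY_BE_BLANK = {P + k for k in ("bindDN", "bindPassword", "gm.objectClass", "gm.dummyMember")}
# Steps 7 to 9: true/false switches and numeric limits, checked only when present.
BOOLEANS = [P + k for k in ("supportSorting", "supportTransaction", "isExtIdUnique",
    "supportExternalName", "supportPaging", "connectionPool", "translateRDN", "default", "sslEnabled")]
NUMERIC = [P + k for k in ("port", "connectTimeout", "searchPageSize", "searchCountLimit", "searchTimeLimit")]


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' or '!' comments.
    Backslash continuations and escape sequences are not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")  # split on the first '=' only: DNs contain '='
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_federated_ldap(props):
    """Return a list of findings; an empty list means the section passes these checks."""
    findings = []
    for key in REQUIRED:
        if key not in props:
            findings.append(f"{key}: missing")
        elif not props[key] and key not in MAY_BE_BLANK:
            findings.append(f"{key}: must not be blank")
    bind_dn = props.get(P + "bindDN", "")
    if bind_dn != bind_dn.lower():  # step 2.4: the bind DN is typed in lower case
        findings.append(f"{P}bindDN: type the value in lower case")
    if not bind_dn and props.get(P + "bindPassword"):  # step 2.5
        findings.append(f"{P}bindPassword: must be blank when bindDN is blank")
    scope = props.get(P + "gm.scope")
    if scope is not None and scope not in ("direct", "nested"):  # step 4.3
        findings.append(f"{P}gm.scope: expected direct or nested, got {scope!r}")
    for key in BOOLEANS:
        value = props.get(key)
        if value is not None and value not in ("true", "false"):
            findings.append(f"{key}: expected true or false, got {value!r}")
    for key in NUMERIC:
        value = props.get(key)
        if value and not value.isdigit():
            findings.append(f"{key}: expected a number, got {value!r}")
    if (props.get(P + "certificateMapMode") == "certificatefilter"
            and not props.get(P + "certificateFilter")):  # step 9.3 note
        findings.append(f"{P}certificateFilter: required when certificateMapMode=certificatefilter")
    return findings
```

Running check_federated_ldap(parse_properties(SAMPLE_PROPERTIES)) reports exactly one finding for the constructed sample, the blank certificateFilter; the checker deliberately knows nothing about the LDAP server itself, which is what validate-federated-ldap and the attribute validation task are for.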
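A helper for steps 20 and 21, as an added Python example that is not part of WebSphere Portal Express: it reads the three lists that the wp-validate-federated-ldap-attribute-config task writes to the config trace file, builds the comma-separated value for federated.ldap.attributes.nonSupported from the "To be configured as unsupported" entries, and separates out the "To be configured as required" and "Inconsistent syntax" entries, which nonSupported does not fix and which need a hand-made correction in wkplc.properties. The trace excerpt is constructed; the layout assumed here (one attribute name per line under each heading) and the attribute names are assumptions, since the page shows only the headings.

```python
"""Read the attribute report that wp-validate-federated-ldap-attribute-config writes
to the config trace file (added example; not part of WebSphere Portal Express).
The layout assumed here, one attribute name per line under each heading, is an
assumption, as are the attribute names in the sample."""
import re

# Constructed trace excerpt for the PersonAccount and Group entity types.
SAMPLE_TRACE = """\
Possible problems for PersonAccount: To be configured as unsupported
  preferredLanguage
  departmentNumber
To be configured as required
  sn
Inconsistent syntax
  employeeNumber
Possible problems for Group: To be configured as unsupported
  businessCategory
To be configured as required
Inconsistent syntax
"""

HEADER = re.compile(r"^Possible problems for (\S+): (.+)$")
SECTIONS = {
    "To be configured as unsupported": "unsupported",  # defined in Portal, absent in LDAP
    "To be configured as required": "required",        # MUST in LDAP, not required in Portal
    "Inconsistent syntax": "inconsistent",             # data types disagree
}


def parse_attribute_report(text):
    """Return {entity_type: {"unsupported": [...], "required": [...], "inconsistent": [...]}}."""
    report = {}
    entity = section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = HEADER.match(line)
        if match:  # a new entity type starts; the rest of the line is a list heading
            entity = match.group(1)
            report.setdefault(entity, {name: [] for name in SECTIONS.values()})
            line = match.group(2)
        if line in SECTIONS:
            section = SECTIONS[line]
            continue
        if entity is None or section is None:
            continue  # trace text before the first report heading
        report[entity][section].append(line)
    return report


def non_supported_value(report):
    """Value for federated.ldap.attributes.nonSupported (step 21.2): every attribute
    listed as unsupported for any entity type, deduplicated and comma-separated."""
    names = {attr for lists in report.values() for attr in lists["unsupported"]}
    return ",".join(sorted(names))


def manual_review(report):
    """(entity type, list, attribute) triples that need a hand-made fix in
    wkplc.properties before wp-update-federated-ldap-attribute-config is run."""
    return [(entity, name, attr)
            for entity, lists in report.items()
            for name in ("required", "inconsistent")
            for attr in lists[name]]
```

With the constructed excerpt, non_supported_value yields "businessCategory,departmentNumber,preferredLanguage", ready to paste after federated.ldap.attributes.nonSupported=, while manual_review lists sn and employeeNumber for PersonAccount as the entries that still need attention.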
Parent topic: Configuring the default federated repository on Windows