WebSphere Portal Express Beta Version 6.1
Operating systems: i5/OS, Linux, Windows

Configuring a stand-alone LDAP user registry on Windows

Configure IBM® WebSphere® Portal Express to use a stand-alone LDAP user registry to store all user account information for authorization.

Perform the following steps to configure a stand-alone LDAP user registry:

  1. Use a text editor to open the wkplc.properties file, located in the wp_profile\ConfigEngine\properties directory.
  2. Required: Enter only the following required parameters in the wkplc.properties file under the Standalone LDAP heading:

    1. For standalone.ldap.id, type the unique ID for the LDAP user registry.
    2. For standalone.ldap.host, type the hostname of the LDAP server.
    3. For standalone.ldap.port, type the port number for the LDAP server.
    4. For standalone.ldap.bindDN, type the user ID that binds WebSphere Application Server to the LDAP server to retrieve user attributes for authentication. Leave blank to make the LDAP server read-only and to allow anonymous access to the LDAP server. Note: Type the value in lower case, regardless of the case used in the distinguished name.
    5. For standalone.ldap.bindPassword, type the password for the LDAP bind user ID. If standalone.ldap.bindDN is blank, this parameter must also be blank.
    6. For standalone.ldap.ldapServerType, type the appropriate value for your LDAP server. Note: If your LDAP server version is not listed, enter the value for the highest listed version of your server.
    7. For standalone.ldap.groupMemberIdMap, type the group member ID map for the LDAP server.
    8. For standalone.ldap.groupIdMap, type the group ID map for the LDAP server.
    9. For standalone.ldap.userIdMap, type the user ID map for the LDAP server.
    10. For standalone.ldap.groupFilter, type the group filter for the LDAP server.
    11. For standalone.ldap.userFilter, type the user filter for the LDAP server.
    12. For standalone.ldap.serverId, type the LDAP server ID.
    13. For standalone.ldap.serverPassword, type the password for the LDAP server ID.
    14. For standalone.ldap.realm, type the realm to use for the LDAP server.
  3. Required: Enter only the following required entity type parameters in the wkplc.properties file under the Standalone LDAP heading:

    1. For standalone.ldap.et.entityTypeName, type the name of the entity type.
    2. For standalone.ldap.et.searchFilter, type the search filter that you want to use to search the entity type.
    3. For standalone.ldap.et.objectClasses, type the object class(es) for the entity type.
    4. Optional: For standalone.ldap.et.objectClassesForCreate, type the object class to use when an entity type is created. If the value of this parameter is the same as the standalone.ldap.et.objectClasses parameter, you do not need to specify this parameter.
    5. For standalone.ldap.et.searchBases, type the search base(s) to use while searching the entity type.
  4. Required: Enter only the following required group member parameters in the wkplc.properties file under the Standalone LDAP heading:

    1. For standalone.ldap.gm.groupMemberName, type the name of the LDAP attribute that is used as the group member attribute; for example, member or uniqueMember.
    2. For standalone.ldap.gm.objectClass, type the group object class that contains the member attribute; for example, groupOfNames or groupOfUniqueNames. Note: If you do not define this parameter, the member attribute applies to all group object classes.
    3. For standalone.ldap.gm.scope, type direct if the member attribute contains only direct members, or nested if the member attribute contains both direct members and nested members.
    4. For standalone.ldap.gm.dummyMember, type the name of an existing group member or leave blank to create a dummy group member.
  5. Required: Enter only the following required default parent parameters in the wkplc.properties file under the Standalone LDAP heading:

    1. For standalone.ldap.personAccountParent, type the default parent for the PersonAccount entity type.
    2. For standalone.ldap.groupParent, type the default parent for the Group entity type.
    3. For standalone.ldap.orgContainerParent, type the default parent for the orgContainer entity type.
  6. Required: Enter only the following required relative distinguished name parameters in the wkplc.properties file under the Standalone LDAP heading:

    1. For standalone.ldap.personAccountRdnProperties, type the relative distinguished name (RDN) for the PersonAccount entity type.
    2. For standalone.ldap.groupRdnProperties, type the RDN for the Group entity type.
    3. For standalone.ldap.orgContainerRdnProperties, type the RDN for the orgContainer entity type.
  7. Optional: Enter only the following optional parameters in the wkplc.properties file under the Standalone LDAP heading:

    1. For standalone.ldap.ignoreCase, type true to enable case insensitivity or false to disable case insensitivity.
    2. For standalone.ldap.reuseConnection, type true to reuse connections or false to not reuse connections.
    3. For standalone.ldap.searchTimeout, type a numeric value to specify the number of seconds after which the search will timeout.
  8. Optional: Enter the following parameters to enable Secure Sockets Layer (SSL):

    1. For standalone.ldap.sslEnabled, type true to enable SSL communication with the LDAP server.
    2. For standalone.ldap.sslConfig, enter the SSL configuration to use.
    3. For standalone.ldap.certificateMapMode, type EXACT_DN to map X.509 certificates to LDAP directory entries by exact distinguished name, or certificatefilter to map X.509 certificates by a certificate filter. Note: If you type certificatefilter, you must also enter a value for standalone.ldap.certificateFilter.
    4. If standalone.ldap.certificateMapMode=certificatefilter, for standalone.ldap.certificateFilter enter the LDAP filter that maps attributes in the client certificate to entries in the LDAP directory.
  9. Save your changes to the wkplc.properties file.
  10. Run the ConfigEngine.bat validate-standalone-ldap task, located in the wp_profile\ConfigEngine directory, to validate your LDAP server settings.
  11. Run the ConfigEngine.bat wp-modify-ldap-security task, located in the wp_profile\ConfigEngine directory, to set the stand-alone LDAP user registry.
  12. Perform the following steps to stop and restart the server1 and WebSphere_Portal servers:

    1. Open a command prompt and change to the wp_profile_root\bin directory.
    2. Enter the stopServer.bat server1 -user admin_userid -password admin_password command to stop the WebSphere Application Server.
    3. Enter the stopServer.bat WebSphere_Portal -user admin_userid -password admin_password command to stop the WebSphere Portal Express server.
    4. Enter the startServer.bat server1 command.
    5. Enter the startServer.bat WebSphere_Portal command.
  13. Run the ConfigEngine.bat wp-validate-standalone-ldap-attribute-config task, located in the wp_profile\ConfigEngine directory, to check that all defined attributes are available in the configured LDAP user registry. After running the task, open the config trace file and review the following output for the PersonAccount and Group entity types:

    Possible problems for <entityType>: To be configured as unsupported
    This list contains all attributes that are defined in WebSphere Portal Express but not available in the LDAP server.

    To be configured as required
    This list contains all attributes that are defined as "MUST" in the LDAP server but not as required in WebSphere Portal Express.

    Inconsistent syntax
    This list contains all attributes that might cause problems because their data types in WebSphere Portal Express and in the LDAP server do not match.

    Correct any problems in the wkplc.properties file, run the ConfigEngine.bat wp-update-standalone-ldap-attribute-config task to correct the LDAP user registry configuration, and then stop and restart the server1 and WebSphere_Portal servers.
  14. Enter the following parameters in the wkplc.properties file under the VMM repository base entry configuration heading:

    1. For standalone.ldap.id, type the repository ID.
    2. For standalone.ldap.attributes.nonSupported, type a comma-separated list of attribute names to add to the list of non-supported attributes. These can be all the attributes listed under "To be configured as unsupported" in the config trace file.
    3. Perform the following steps if you want to configure attribute mapping (WebSphere Portal Express attribute A mapped to LDAP attribute B):

      1. For standalone.ldap.attributes.mapping.ldapName, type the name of the LDAP attribute to map to, for example LDAP attribute B.
      2. For standalone.ldap.attributes.mapping.portalName, type the name of the WebSphere Portal Express attribute to map from, for example WebSphere Portal Express attribute A.
      3. For standalone.ldap.attributes.mapping.entityTypes, type a comma-separated list of the entity types to which the attribute mapping applies.
    4. Save your changes to the wkplc.properties file.
  15. Run the ConfigEngine.bat wp-update-standalone-ldap-attribute-config task, located in the wp_profile\ConfigEngine directory, to update the LDAP user registry configuration.
  16. Perform the following steps to stop and restart the server1 and WebSphere_Portal servers:

    1. Open a command prompt and change to the wp_profile_root\bin directory.
    2. Enter the stopServer.bat server1 -user admin_userid -password admin_password command to stop the WebSphere Application Server.
    3. Enter the stopServer.bat WebSphere_Portal -user admin_userid -password admin_password command to stop the WebSphere Portal Express server.
    4. Enter the startServer.bat server1 command.
    5. Enter the startServer.bat WebSphere_Portal command.
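The validate-standalone-ldap task only runs once the server can reach the directory. The following script, added here as an example and not part of WebSphere Portal Express or its ConfigEngine, applies the consistency rules this procedure states to the Standalone LDAP section of wkplc.properties before that task is run: the bind DN typed in lower case, bindPassword blank when bindDN is blank, numeric port and searchTimeout, gm.scope limited to direct or nested, and certificateFilter present when certificateMapMode=certificatefilter. It adds one check of its own that the procedure does not state: a configuration without sslEnabled=true is reported, because the bind password and every user attribute otherwise cross the network in clear text. The properties reader, the two variants and every host name, DN, filter and password in it are constructed sample values; PLACEHOLDER_SERVER_TYPE and PLACEHOLDER_SSL_CONFIG stand in for the values a real deployment would use.

```python
"""Pre-flight checks for the Standalone LDAP section of wkplc.properties.
Added example, not part of WebSphere Portal Express; all host names, DNs,
filters and passwords are constructed sample values."""
from typing import Dict, List

# Parameters the procedure marks as required (steps 2 to 6); bindDN,
# bindPassword, gm.objectClass and gm.dummyMember may legitimately be blank.
REQUIRED_KEYS = ["standalone.ldap." + k for k in """
    id host port ldapServerType groupMemberIdMap groupIdMap userIdMap
    groupFilter userFilter serverId serverPassword realm et.entityTypeName
    et.searchFilter et.objectClasses et.searchBases gm.groupMemberName
    gm.scope personAccountParent groupParent orgContainerParent
    personAccountRdnProperties groupRdnProperties orgContainerRdnProperties
    """.split()]


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader (key=value, '#'/'!' comments).
    Splits on the first '=' only, so DN and filter values keep their own '='."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def check_standalone_ldap(props: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means every rule passes."""
    get = lambda key: props.get(key, "")
    findings = [f"missing required parameter {k}" for k in REQUIRED_KEYS if not get(k)]
    bind_dn, bind_pw = get("standalone.ldap.bindDN"), get("standalone.ldap.bindPassword")
    if bind_dn != bind_dn.lower():
        findings.append("standalone.ldap.bindDN must be typed in lower case")
    if not bind_dn and bind_pw:
        findings.append("standalone.ldap.bindPassword must be blank when bindDN is blank")
    for key in ("standalone.ldap.port", "standalone.ldap.searchTimeout"):
        if get(key) and not get(key).isdigit():
            findings.append(f"{key} must be numeric")
    scope = get("standalone.ldap.gm.scope")
    if scope and scope not in ("direct", "nested"):
        findings.append("standalone.ldap.gm.scope must be direct or nested")
    # Transport: without SSL the bind password and every user attribute cross
    # the network in clear text, so anything other than sslEnabled=true is a finding.
    if get("standalone.ldap.sslEnabled") != "true":
        findings.append("standalone.ldap.sslEnabled is not true; LDAP traffic is unencrypted")
    elif not get("standalone.ldap.sslConfig"):
        findings.append("standalone.ldap.sslEnabled=true but sslConfig is blank")
    mode = get("standalone.ldap.certificateMapMode")
    if mode == "certificatefilter" and not get("standalone.ldap.certificateFilter"):
        findings.append("certificateMapMode=certificatefilter requires standalone.ldap.certificateFilter")
    return findings


# Constructed Standalone LDAP fragment shared by both variants below.
BASE_FRAGMENT = """
# constructed sample values, not from any real deployment
standalone.ldap.id=ldap-sample
standalone.ldap.host=ldap.example.test
standalone.ldap.port=636
standalone.ldap.ldapServerType=PLACEHOLDER_SERVER_TYPE
standalone.ldap.groupMemberIdMap=groupOfNames:member
standalone.ldap.groupIdMap=*:cn
standalone.ldap.userIdMap=*:uid
standalone.ldap.groupFilter=(&(cn=%v)(objectclass=groupOfNames))
standalone.ldap.userFilter=(&(uid=%v)(objectclass=inetOrgPerson))
standalone.ldap.serverId=uid=wpsadmin,cn=users,dc=example,dc=test
standalone.ldap.serverPassword=sample-password
standalone.ldap.realm=sampleRealm
standalone.ldap.et.entityTypeName=PersonAccount
standalone.ldap.et.searchFilter=(objectclass=inetOrgPerson)
standalone.ldap.et.objectClasses=inetOrgPerson
standalone.ldap.et.searchBases=cn=users,dc=example,dc=test
standalone.ldap.gm.groupMemberName=member
standalone.ldap.gm.scope=direct
standalone.ldap.personAccountParent=cn=users,dc=example,dc=test
standalone.ldap.groupParent=cn=groups,dc=example,dc=test
standalone.ldap.orgContainerParent=dc=example,dc=test
standalone.ldap.personAccountRdnProperties=uid
standalone.ldap.groupRdnProperties=cn
standalone.ldap.orgContainerRdnProperties=o;ou
"""

# Weak variant: mixed-case bind DN, plain LDAP, filter mode without a filter.
WEAK = {"standalone.ldap.bindDN": "cn=Portal Bind,o=Example",
        "standalone.ldap.bindPassword": "sample-bind-password",
        "standalone.ldap.sslEnabled": "false",
        "standalone.ldap.certificateMapMode": "certificatefilter"}

# Corrected variant: lower-case DN, SSL on with a named configuration, exact-DN mapping.
HARDENED = {"standalone.ldap.bindDN": "cn=portal bind,o=example",
            "standalone.ldap.bindPassword": "sample-bind-password",
            "standalone.ldap.sslEnabled": "true",
            "standalone.ldap.sslConfig": "PLACEHOLDER_SSL_CONFIG",
            "standalone.ldap.certificateMapMode": "EXACT_DN"}


def audit(overrides: Dict[str, str]) -> List[str]:
    """Merge a variant into the base fragment and run the checks."""
    return check_standalone_ldap({**parse_properties(BASE_FRAGMENT), **overrides})


if __name__ == "__main__":
    for name, variant in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(variant) or ["no findings"])
```

Run against the weak variant the script reports three findings (bind DN case, no SSL, missing certificate filter); the corrected variant reports none. To use it on a real profile, read wp_profile\ConfigEngine\properties\wkplc.properties into parse_properties and pass the result to check_standalone_ldap; the bindDN case rule matters because the procedure requires the value in lower case regardless of how the directory spells the DN.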
Parent topic: Choosing your user registry model on Windows