Configure Active Directory for realm support


Contents

  1. Active Directory 2000 and PreferredLanguage
  2. Procedure
  3. IBM WAS properties
  4. Portal configuration properties
  5. Database properties in wpconfig_dbdomain.properties
  6. WebSphere Portal Security LTPA and SSO configuration
  7. LDAP Properties Configuration
  8. Advanced LDAP Configuration
  9. IWWCM Properties
  10. WebSphere Portal Security LTPA and SSO Configuration
  11. Verifying configuration
  12. Security is enabled
  13. Switching the login LDAP attribute

 


Active Directory 2000 and PreferredLanguage

IBM WebSphere Portal servers typically store attributes of authenticated users in an LDAP repository. One of the attributes, "preferredLanguage", is used to store the language in which pages should be rendered. While most LDAP servers allow this attribute to be part of a user's record (mapped to an attribute within the inetOrgPerson objectclass), "preferredLanguage" is not in the default schema of Microsoft Active Directory 2000. Active Directory 2003, in contrast, includes "preferredLanguage" in its default schema and no further administration action is required to configure Portal for successful use.

Portal administrators have three options for dealing with this restriction of Active Directory (AD) 2000; the options are described in turn below.

 

Option 1: Neither Change the Default Schema nor Use the LookAside Database

In the first case, where the administrator chooses to do nothing, Portal (actually the Member Manager of Portal, known as WMM) will ignore requests from portlets to set or query the "preferredLanguage" attribute. As the attribute is not available, all pages will render in the default language, typically US English.

However, if one chooses this option, one should modify "PumaService.properties" which is located in the "{Portal Root}/shared/app/config/services" subdirectory. In that file, add "preferredLanguage" to user.sync.remove.attributes like this:

user.sync.remove.attributes=preferredLanguage

This change instructs PUMA not to try to update preferredLanguage in the LDAP, because the attribute does not exist there.

 

Option 2: Change the AD 2000 Default Schema

The preferredLanguage attribute must be added to the Active Directory schema before Portal can create and modify portal users. Perform the following steps to add the preferredLanguage attribute to Active Directory.

  1. If you are using Windows 2000 and have not installed the Windows 2000 Support Tool, install the Support Tool from the directory...

    \SUPPORT\TOOLS

    ...on the Windows 2000 Setup CD.

  2. Register Active Directory Schema (schmmgmt.dll) by running the following command at a command line:

    regsvr32 schmmgmt.dll

  3. Add the Active Directory Schema Snap-in using the following steps:

    1. Load the Security Administration Tools console as below:

      • For Windows 2003:

        From the Windows Start menu, select Run. In the Run dialog box, type...

        mmc /a

        ...and click OK.

      • For Windows 2000:

        From the Windows Start Menu, select...

        Programs | Windows 2000 Support Tools | Security Administration Tools | Console | Add/Remove Snap-in | Standalone tab | Add | Active Directory Schema | Add

    2. Configure the Active Directory Schema Snap-in using the following steps:

      • For Windows 2003:

        Perform this step only to transfer the operation master of this schema to another controller

        1. From the Security Administration Tools console, right-click on Active Directory Schema and select Operations Master.

        2. Choose the new master and click Change.

      • For Windows 2000:

        1. From the Security Administration Tools console, right-click on Active Directory Schema and select Operations Master.

        2. Select The Schema can be modified on this Domain Controller, and click OK to save this change.

  4. Perform this step only if you are using Windows 2000. Create the preferredLanguage attribute:

    The steps that apply to the preferredLanguage attribute are only for Windows 2000. Active Directory 2003 includes preferredLanguage in its default schema and no changes are required for successful use.

    1. From the Security Administration Tools console, expand...

      Active Directory Schema | Attributes (right-click) | Create Attribute

    2. Click Continue to access the new attribute properties.

    3. Enter the following values in Create New Attribute:

      Field name              Value
      Common Name             preferredLanguage
      LDAP Display Name       preferredLanguage
      Unique X500 Object ID   2.16.840.1.113730.3.1.39
      Syntax                  Unicode String

    4. Click OK to create the preferredLanguage attribute.

  5. Perform this step only if you are using Windows 2000. Follow these steps to add the preferredLanguage attribute to the user object class:

    1. From the Security Administration Tools console, expand Active Directory Schema>Classes.

    2. Double-click on user to open the user properties.

    3. Select the Attributes tab.

    4. In the Optional section, click Add to add a new schema object.

    5. Select preferredLanguage from the list of objects and click OK to add this object.

  6. Perform this step only if you are using Windows 2000. Follow these steps to enable the preferredLanguage mapping to the Member Manager XML file:

    1. Use a text editor to open portal_server_root\PortalServer\config\templates\wmm\wmmLDAPAttributes_ACTIVE_DIRECTORY.xml.

    2. Find the following attribute map tag:

      <attributeMap    wmmAttributeName="preferredLanguage"
                       pluginAttributeName="preferredLanguage"
                       applicableMemberTypes="Person"
                       dataType="String"
                       valueLength="128"
                       multiValued="false" />
      

    3. Remove the comment tags on the lines above and below the map tag block. Comment tags are <!-- and -->.

    4. Save and close the text file before configuring WebSphere Portal.

 

Option 3: Use the WebSphere Portal Lookaside database

Using the Lookaside database is the recommended method to modify the preferredLanguage attribute for Active Directory 2000.

  1. Start with a WebSphere Portal configuration where security is not enabled.

  2. Edit the security_active_directory.properties file to include the correct set of properties for the environment, and set the LookAside property to true. Setting this property to true configures WebSphere Portal to use a set of tables, referred to as the lookaside database, to store additional attributes from the user profile that are not mapped to the LDAP database.

  3. Follow the directions at the top of the security_active_directory.properties file to transfer these properties to the wpconfig.properties file and then run the enable-security-wmmur-ldap task.

  4. Stop and restart the WebSphere Portal server.

    You can now test that WebSphere Portal is configured to use the WebSphere Portal lookaside tables for preferredLanguage by logging into WebSphere Portal and selecting Edit My Profile. Change the preferred language using the drop-down selection and then click OK to save the changes.


 

Configure WebSphere Portal for realm support

Configuring Portal to use AD with realm support basically entails editing the wpconfig.properties file and then running the appropriate configuration tasks.

These instructions apply to either a single server installation or a cluster environment. When setting up a cluster to use an LDAP server, it is only necessary to perform these steps on the primary node in the cluster.

A configuration template might exist to support these instructions. Refer to directory...

portal_server_root/config/helpers

... for available configuration templates.

Use the configuration template to update the wpconfig.properties file, as described in Configuration program, according to the property descriptions and recommended values provided below. If you do not want to use a configuration template, simply follow the instructions below as written.

These steps allow one to configure the LDAP server to use virtual portal and realm support.

 

Procedure

  1. Ensure that the LDAP software is installed and any setup required by WebSphere Portal has been performed.

  2. Security is automatically enabled after installation. Before configuring the LDAP, disable security.

  3. Locate the wpconfig.properties and wpconfig_dbdomain.properties files in the following directory and create a backup copy before changing any values:

  4. Edit the wpconfig.properties file and enter the values appropriate for the environment. Note the following:

    • Do not change any settings other than those specified in these steps. For instructions on working with these files, see Configuration properties reference for a complete properties reference, including default values.

    • Use / instead of \ for all platforms.

    • Some of the values below might need to be modified to your specific environment.

     

    IBM WAS properties

    WasUserid: Fully qualified distinguished name (DN) of a current administrative user for the WAS.

    This value should not contain spaces.

    Type the value in lower case, regardless of the case used in the distinguished name (DN).

    If a value is specified for WasUserid, a value must also be specified for WasPassword. If WasUserid is left blank, WasPassword must also be left blank.

    Value type: Alphanumeric text string

    Example: cn=wpsbind,cn=users,dc=example,dc=com

    Default: ReplaceWithYourWASUserID

    WasPassword: The password for WAS security authentication.

    If a value is specified for WasPassword, a value must also be specified for WasUserid. If WasPassword is left blank, WasUserid must also be left blank.

    Value type: Alphanumeric text string

    Recommended: Set this value according to your own environment.

     

    Portal configuration properties

    WpsContentAdministrators, WpsDocReviewer, and PortalAdminGroupId should be different groups.

    PortalAdminId: The user ID for the WebSphere Portal administrator, which should be the fully qualified distinguished name (DN).

    For LDAP configuration this value should not contain spaces.

    Type the value in lower case, regardless of the case used in the distinguished name (DN).

    Value type: Alphanumeric text string, conforming to the LDAP distinguished name format

    Example: cn=portaladminid,cn=users,dc=example,dc=com

    i5/OS default value: uid=portaladminid,o=default organization

    PortalAdminPwd: The password for the WebSphere Portal administrator, as defined in the PortalAdminId property.

    Value type: Alphanumeric text string

    Example: yourportaladminpwd

    Default: none

    PortalAdminGroupId: The group ID for the group to which the WebSphere Portal administrator belongs.

    Type the value in lower case, regardless of the case used in the distinguished name (DN).

    Value type: Alphanumeric text string, conforming to the LDAP distinguished name format

    Example: cn=wpsadmins,cn=groups,dc=example,dc=com

    wpsContentAdministrators: The group ID for the WebSphere Content Administrator group.

    Value type: Alphanumeric text string

    AD example: cn=wpsContentAdministrators,cn=groups,dc=example,dc=com

    WpsContentAdministratorsShort: The WebSphere Content Administrators group ID.

    Value type: Alphanumeric text string

    Default: wpsContentAdministrators

    wpsDocReviewer: The group ID for the WebSphere Document Reviewer group.

    Value type: Alphanumeric text string

    AD example value: cn=wpsDocReviewer,cn=groups,dc=example,dc=com

    WpsDocReviewerShort: The WebSphere Document Reviewer group ID.

    Value type: Alphanumeric text string

     

    Database properties in wpconfig_dbdomain.properties

    The following two properties are located in the wpconfig_dbdomain.properties file and are required when using a Lookaside database and/or federation.

    wmm.DbUser: The user ID for the database administrator.

    For SQL Server and non-wmm databases only, unless you are the system administrator, the values for dbdomain.DbUser and dbdomain.DbSchema must be the same.

    For Oracle and SQL Server servers, this value must be set to FEEDBACK, which corresponds to the user FEEDBACK in the database. If the user you are using is an administrative user that has authority over the FEEDBACK schema, the administrative user should be entered for the dbdomain.DbUser property.

    Value type: Alphanumeric text string

    Recommended: wpsdbusr (for databases other than DB2)

    wmm.DbPassword: The password for the database administrator.

    A value must be set for this property; it cannot be empty.

    Value type: Alphanumeric text string

    Default value for all domains: ReplaceWithYourDbAdminPwd

     

    WebSphere Portal Security LTPA and SSO configuration

    LTPAPassword: The password for the LTPA bind.

    Value type: Alphanumeric text string

    Default: none

    LTPATimeout: Number of minutes after which an LTPA token will expire.

    Value type: Numeric text string

    Default: 120

    SSODomainName: Domain name for all allowable single signon host domains.

    • Enter the part of the domain that is common to all servers that participate in single signon. For example, if WebSphere Portal has the domain portal.us.ibm.com and another server has the domain another_server.ibm.com, enter ibm.com.

    • To specify multiple domains, use a semicolon ; to separate each domain name. For example, your_co.com;ibm.com.

    Single signon (SSO) is achieved using a cookie that is sent to the browser during authentication. When connecting to other servers in the TCP/IP domain specified in the cookie, the browser sends the cookie. If no domain is set in the cookie, the browser will only send the cookie to the issuing server. See the WAS documentation for further details about this setting.

    Value type: Fully-qualified domain name

     

    LDAP Properties Configuration

    LookAside: You can either install with LDAP only or with LDAP using a Lookaside database. The purpose of a Lookaside database is to store attributes which cannot be stored in the LDAP server; this combination of LDAP plus a Lookaside database is needed to support the Database user registry.

    To enable a Lookaside database, set this property to true. If you intend to use a Lookaside database, set this value before configuring security, as it cannot be configured after security is enabled.

    Set Lookaside to true if you are using IWWCM , the Common Mail portlet, or the Common Calendar portlet.

    Using a Lookaside database can slow down performance.

    Value type:

    • true - LDAP + Lookaside database

    • false - LDAP only

    WmmDefaultRealm: The default realm of the Member Manager user registry (UR) configuration. Set this property before enabling security with enable-security-wmmur-ldap or enable-security-wmmur-db.

    Value type: Alphanumeric text string

    Default: portal

    LDAPHostName: The host information for the LDAP server that WebSphere Portal will use.

    Value type: Fully qualified host name of the LDAP server

    Default: yourldapserver.com

    LDAPPort: The server port of the LDAP directory.

    Value type: Alphanumeric text string

    Example: 389 for non-SSL or 636 for SSL

    Default: 389

    LDAPAdminUId: The user ID for the administrator of the LDAP directory. Member Manager uses this ID to bind to the LDAP to...

    • retrieve user attributes
    • create new users and groups in the LDAP
    • update user attributes

    This ID is not required to be the LDAP admin DN, but rather an ID with sufficient authority for the use cases just cited.

    If this property is omitted, the LDAP is accessed anonymously and read-only.

    Type the value in lower case, regardless of the case used in the distinguished name (DN).

    Value type: Alphanumeric text string, conforming to the LDAP distinguished name format

    Example: cn=userid

    Default: cn=root

    LDAPAdminPwd: The password for the LDAP directory administrator, as defined in the LDAPAdminUId property. If the LDAPAdminUId is blank, this property must be blank as well.

    Value type: Alphanumeric text string

    Default: none

    LDAPServerType: The type of LDAP server to be used.

    Active Directory: ACTIVE_DIRECTORY

    Default: IBM_DIRECTORY_SERVER

     

    Advanced LDAP Configuration

    LDAPSuffix: The LDAP suffix. Choose a value appropriate for the LDAP server. This is the distinguished name (DN) of the node in the LDAP containing all user and group information for the Portal being configured. As such, it is the lowest container in the LDAP tree still containing all users that will log into the Portal and all Portal groups.

    If WAS configuration tasks (for example, enable-security-ldap) are used to activate WAS Security, this value will be used as the single Base Distinguished Name for the Application Server LDAP configuration. This value will be qualified with the LDAPUserSuffix and LDAPGroupSuffix values in order to configure Member Manager.

    Set the value of the suffix to the exact case of the suffix as set in the LDAP directory. For example, if a user's DN in LDAP is returned as...

    uid=tuser,CN=Users,DC=example,DC=com

    ...set this value to...

    DC=example,DC=com

    Using dc=example,dc=com will cause problems with awareness in portal. For more information on this please see technical note 1174297.

    Active Directory: dc=example,dc=com

    Default: dc=example,dc=com

    LdapUserPrefix: The RDN prefix attribute name for user entries. Choose a value appropriate for the LDAP server.

    Active Directory: cn

    Default: uid

    LDAPUserSuffix: The DN suffix attribute name for user entries. Choose a value appropriate for the LDAP server. With LDAPSuffix appended to this value, it is the DN of the common root node in the LDAP containing all user information for the Portal being configured. As such, it is the lowest container in the LDAP tree still containing all users that will log into the Portal, including the Portal admin users (for example, wpsadmin and wpsbind).

    Type the value in lower case, regardless of the case used in the distinguished name (DN).

    Active Directory: cn=users

    Default: cn=users

    LdapGroupPrefix: The RDN prefix attribute name for group entries.

    Value type: cn

    Default: cn

    LDAPGroupSuffix: The DN suffix attribute name for group entries. Choose a value appropriate for the LDAP server. With LDAPSuffix appended to this value, it is the DN of the common root node in the LDAP containing all group information for the Portal being configured. As such, it is the lowest container in the LDAP tree still containing all group entries for the Portal, including the Portal admin group (for example, wpsadmins).

    Type the value in lower case, regardless of the case used in the distinguished name (DN).

    Active Directory: cn=groups

    Default: cn=groups

    LDAPUserObjectClass: The LDAP object class of the Portal users in your LDAP directory that will log into the Portal being configured.

    Active Directory: user

    Default: inetOrgPerson

    LDAPGroupObjectClass: The LDAP object class of all the groups in your LDAP directory that the Portal will access.

    Active Directory: group

    Default: groupOfUniqueNames

    LDAPGroupMember: The attribute name in the LDAP group object of the "membership" attribute. Choose a value appropriate for the LDAP server.

    Active Directory: member

    Default: uniqueMember

    LDAPUserFilter: The filter used by WAS for finding users in the LDAP.

    Active Directory: (&(|(cn=%v)(samAccountName=%v))(objectclass=user))

    Default: (&(uid=%v)(objectclass=inetOrgPerson))

    LDAPGroupFilter: The filter used by WAS for finding groups in the LDAP.

    Active Directory: (&(cn=%v)(objectclass=group))

    Default: (&(cn=%v)(objectclass=groupOfUniqueNames))

     

    IWWCM Properties

    WcmAdminGroupId: The group ID for the Web Content Management Administrators group. The fully qualified distinguished name (DN) of a current administrative user for the WAS. For LDAP configuration this value should not contain spaces.

    Value type: Alphanumeric text string

    Example values:

    DEV (No security): WcmAdminGroupId=cn=wcmadmins,o=default organization
    Database user registry: WcmAdminGroupId=cn=wcmadmins,o=default organization

    AD example value: cn=wcmadmins,cn=groups,dc=example,dc=com

    Default: cn=wcmadmins,o=default organization

    WcmAdminGroupIdShort: The Web Content Management Administrators group ID.

    Value type: Alphanumeric text string

  5. Optional: If you installed WAS as part of the WebSphere Portal installation and you plan to use WAS single signon, ensure that the following property in the wpconfig.properties file has the recommended value and not the default value. WebSphere Portal uses form-based login for authentication, which requires SSO to be enabled; otherwise, you will no longer be able to log in to WebSphere Portal.

    If you installed WebSphere Portal onto a pre-existing profile of WAS, skip this step. Any pre-existing settings for WAS SSO are automatically detected and preserved when you run the appropriate task to configure security.

     

    WebSphere Portal Security LTPA and SSO Configuration

    SSORequiresSSL: Specifies that the Single Sign-On function is enabled only when requests are made over HTTPS Secure Socket Layer (SSL) connections.

    Value type: true, false

    Default: false

  6. Save the file.

  7. Stop the WebSphere Portal server and validate the LDAP settings:

    If this is a clustered environment, ensure the deployment manager and all node agents are active.

    cd was_profile_root/bin

    ./stopServer.sh WebSphere_Portal -user admin_userid -password admin_password

    Then run the validate-wmmur-ldap task to check the LDAP values before enabling security:

    cd portal_server_root/config

    ./WPSconfig.sh validate-wmmur-ldap -DWasPassword=password -DPortalAdminPwd=password -DLTPAPassword=password -DLDAPAdminPwd=password

  8. Perform this step only if you are in a clustered environment and use the LookAside feature: If you enabled security using the LDAP user registry with realm support, the Member Manager Datasource definitions will automatically be created on the Deployment Manager cell. All nodes need to define a WebSphereEnvironment Variable for the JdbcClassPath.

    The nodes which have WebSphere Portal installed will already have this WebSphereEnvironment Variable defined. Refer to the Creating a WebSphereEnvironment Variable section in the WAS information center for information on how to manually create the WebSphereEnvironment Variable definitions. When defining the WebSphereEnvironment Variable, please ensure that the name matches the DBTYPE_JDBC_DRIVER_CLASSPATH.

  9. Windows/UNIX:

    Perform this step only if you installed WebSphere Portal on a pre-existing WAS profile which did not have Global Security enabled.

    Enter the appropriate command to run the configuration task for the specific operating system:

    If this is a cluster environment, stop all cluster members before enabling security using the enable-security-wmmur-ldap task.

  10. Check the output for any error messages before proceeding with any additional tasks. If the configuration task fails, verify the values in the wpconfig.properties file. Before running the task again, be sure to stop the WebSphere Portal server. To stop the server follow these steps:

    If this is a clustered environment, ensure the deployment manager and all node agents are active.

    1. Open a command prompt and change to the following directory:

    2. Enter the following command:

      • UNIX:

        ./stopServer.sh WebSphere_Portal -user admin_userid -password admin_password

      • Windows:

        stopServer.bat WebSphere_Portal -user admin_userid -password admin_password

      • i5/OS...

        stopServer WebSphere_Portal -profileName profile_root -user admin_userid -password admin_password

  11. To comment out the preferredLanguage attributeMap:

    Do not perform this step if the preferredLanguage attribute is defined in the LDAP server.

    1. Go to the following directory:

    2. Make a backup copy of wmmLDAPServerAttributes.xml. For example, copy and rename wmmLDAPServerAttributes.xml to wmmLDAPServerAttributes.xml.orig.

    3. Open the wmmLDAPServerAttributes.xml file.

    4. Search for the preferredLanguage attributeMap element.

    5. Add comment tags around the preferredLanguage attributeMap element.

    6. Save the file.

    If you do not comment out the preferredLanguage attributeMap element, you will have problems when you try to create a new user.

  12. If you are using Windows 2003 Active Directory, modify wmm.xml in the following directory:

    In the <ldapRepository...> stanza of the wmm.xml file, change the adapterClassName= value to:

    adapterClassName="com.ibm.ws.wmm.ldap.activedir.ActiveDirectory2003AdapterImpl"

  13. Set the userRegistryRealm property in the Administrative Console of WAS :

    This step is only required for z/OS and IBM Lotus Domino with single signon.

    1. In the Administrative Console of WAS, select...

      Security |Global Security |User Registry |Custom |Custom Properties

    2. Add the userRegistryRealm key with the value yourname, where this is the name of the security realm used within the WAS cell to uniquely identify the user based on their origin source. For example, the LDAP implementation of WAS uses the LDAP server name and the used port as the origin source, such as ldap.nameofyourcompany.com:389.

    3. Save the changes.

  14. If you are using LDAP over SSL, refer to Configuration WMM with Active Directory Server Using SSL and be sure the LDAP is properly configured.

  15. Enter the following commands to restart server1 and the WebSphere_Portal server. If you are running with security enabled on WAS, specify a user ID and password for security authentication when entering the commands.

    If this is a clustered environment, stop and start all deployment manager servers and the deployment manager.

    1. Open a command prompt and change to the following directory:

    2. Enter the following command:

      • UNIX:

        ./stopServer.sh server1 -user admin_userid -password admin_password

      • Windows:

        stopServer.bat server1 -user admin_userid -password admin_password

      • i5/OS...

        stopServer -profileName profile_root -user admin_userid -password admin_password

    3. Enter the following command:

    4. Enter the following command:

      • UNIX:

        ./startServer.sh WebSphere_Portal

      • Windows:

        startServer.bat WebSphere_Portal

      • i5/OS...

        startServer WebSphere_Portal -profileName profile_root

  16. If you installed WebSphere Portal on a pre-existing profile of WAS, do one of the following:

    This step only applies to Windows and UNIX.

    • If you disabled Global Security before installing: Manually reactivate Global Security. From the WAS Administrative Console, select...

      Security | Global Security

      Make the appropriate selections and click OK. Restart WebSphere Portal.

    • If you installed WebSphere Portal without configuring it during installation: Use the procedure below to manually deploy portlets.

      Cluster note: If you are installing WebSphere Portal on a WAS node that is part of managed cell, this step is only required if you are installing on the primary node. It is not necessary to deploy portlets if you are installing on a secondary node.

      1. Ensure that WebSphere Portal is running.

      2. In a command prompt, change to the WebSphere Portal /config directory.

      3. Enter the appropriate command to run the configuration task for the specific operating system:

  17. Perform this step only if you installed WebSphere Portal into a pre-existing SSO environment. Because you will not be given the option to import the existing token file, perform the following steps:

    • To import the SSO Token:

      1. In the WAS Administrative Console, select...

        Security | Global Security | Authentication | Authentication mechanisms | LTPA

      2. Enter the LTPA token password in the Password field.

      3. Enter the password again in the Confirm password field.

      4. In the Key File Name field, enter the LTPA token file.

      5. Click Import Keys.

      6. Click Save.

    • To set the SSO Domain:

      1. In the WAS Administrative Console, select...

        Security | Global Security | Authentication | Authentication mechanisms | LTPA

      2. Click Single Signon in Additional Properties.

      3. Enter the domain name in the Domain Name field.

      4. Click OK.

  18. Perform this step only if common name (CN) is the Relative Distinguished Name (RDN) attribute of the distinguished name (DN) and you want to allow users or portal administrators to modify directory attributes through self-care screens or the user management portlet. Set the following property value in the Puma service, as described in Setting configuration properties:

    user.sync.remove.attributes=cn,CN

    WebSphere Portal can be configured to create the CN for a user account created through WebSphere Portal interfaces (self-registration or the create new user function of the user management portlet). By default, WebSphere Portal generates this attribute from the surname (sn) and givenName attributes. This configuration is also located in WP PumaService in the WAS Administrative Console; modify the Puma service by following the steps described in Setting configuration properties. The following entries define the user common name pattern and can be used to customize the common name. The pattern determines which attributes are used, and puma.commonname.parts must give the number of attributes referenced by the pattern. The following example builds the common name as firstname + " " + lastname:

        puma.commonname = {0} {1}
        puma.commonname.parts = 2
        puma.commonname.0 = givenName
        puma.commonname.1 = sn

    This function is not available if the CN attribute is the RDN attribute.

  19. Use the information in Using multiple realms and user registries to configure portal to multiple realms.
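The property rules spread across steps 4 and 5 (a user ID and its password both set or both blank, DNs without spaces and in lower case, three distinct administrator groups, an LDAPSuffix whose case matches what the directory returns, a semicolon-separated SSODomainName) are easy to get wrong before validate-wmmur-ldap ever runs. The following Python script is an added example, not IBM's or WebSphere Portal's own code: it reads a constructed wpconfig.properties fragment, applies those checks, and also shows how a login name should be escaped when it is substituted for %v in LDAPUserFilter so that a name containing filter metacharacters cannot alter the search. The property names are the ones documented above; the sample values, the "returned DN", the regular expressions and the finding messages are assumptions for illustration.

```python
"""Sanity checks for WebSphere Portal wpconfig.properties values used in
LDAP / Active Directory realm configuration. Added example, not IBM's code;
property names come from the documentation, sample values are constructed."""
import re

# Constructed sample of the relevant wpconfig.properties lines (not a real file).
SAMPLE_PROPERTIES = """\
# IBM WAS properties
WasUserid=cn=wpsbind,cn=users,dc=example,dc=com
WasPassword=ReplaceWithYourWASPassword
# Portal configuration properties
PortalAdminId=cn=portaladminid,cn=users,dc=example,dc=com
PortalAdminPwd=yourportaladminpwd
PortalAdminGroupId=cn=wpsadmins,cn=groups,dc=example,dc=com
wpsContentAdministrators=cn=wpsContentAdministrators,cn=groups,dc=example,dc=com
wpsDocReviewer=cn=wpsDocReviewer,cn=groups,dc=example,dc=com
# LDAP properties (LDAPAdminPwd deliberately left blank to trigger a finding)
LookAside=true
LDAPHostName=ad.example.com
LDAPPort=636
LDAPAdminUId=cn=wmmbind,cn=users,dc=example,dc=com
LDAPAdminPwd=
LDAPServerType=ACTIVE_DIRECTORY
LDAPSuffix=dc=example,dc=com
LDAPUserFilter=(&(|(cn=%v)(samAccountName=%v))(objectclass=user))
SSODomainName=example.com;partner.example
"""

# Constructed: the DN the directory returned for a test user, in the directory's own case.
SAMPLE_RETURNED_DN = "uid=tuser,CN=Users,DC=example,DC=com"

RDN_RE = re.compile(r"[A-Za-z][\w-]*=[^,]+")          # one attribute=value RDN
DOMAIN_RE = re.compile(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")  # a.b[.c...]


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def check_pair(props, user_key, pwd_key, findings):
    """A user ID and its password must both be set or both be left blank."""
    if bool(props.get(user_key, "")) != bool(props.get(pwd_key, "")):
        findings.append(f"{user_key} and {pwd_key} must both be set or both be blank")


def check_dn(props, key, findings, lowercase):
    """DN-valued property: RDN syntax, no spaces, lower case where the doc requires it."""
    dn = props.get(key, "")
    if not dn:
        return
    if " " in dn:
        findings.append(f"{key} must not contain spaces")
    if lowercase and dn != dn.lower():
        findings.append(f"{key} should be typed in lower case")
    if not all(RDN_RE.fullmatch(rdn) for rdn in dn.split(",")):
        findings.append(f"{key} is not in LDAP distinguished-name format")


def check_suffix_case(suffix, returned_dn, findings):
    """LDAPSuffix must use exactly the case the directory returns for its suffix."""
    if suffix and returned_dn.lower().endswith(suffix.lower()) and not returned_dn.endswith(suffix):
        actual = returned_dn[-len(suffix):]
        findings.append(f"LDAPSuffix {suffix!r} differs in case from directory suffix {actual!r}")


def validate(props, returned_dn):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    check_pair(props, "WasUserid", "WasPassword", findings)
    check_pair(props, "LDAPAdminUId", "LDAPAdminPwd", findings)
    for key in ("WasUserid", "PortalAdminId", "PortalAdminGroupId", "LDAPAdminUId"):
        check_dn(props, key, findings, lowercase=True)
    for key in ("wpsContentAdministrators", "wpsDocReviewer"):
        check_dn(props, key, findings, lowercase=False)
    group_keys = ("PortalAdminGroupId", "wpsContentAdministrators", "wpsDocReviewer")
    groups = [props.get(k, "").lower() for k in group_keys if props.get(k, "")]
    if len(set(groups)) != len(groups):
        findings.append("PortalAdminGroupId, wpsContentAdministrators and wpsDocReviewer should be different groups")
    port = props.get("LDAPPort", "")
    if not (port.isdigit() and 1 <= int(port) <= 65535):
        findings.append("LDAPPort must be a port number (389 non-SSL, 636 SSL)")
    if props.get("LookAside", "false") not in ("true", "false"):
        findings.append("LookAside must be true or false")
    check_suffix_case(props.get("LDAPSuffix", ""), returned_dn, findings)
    for domain in props.get("SSODomainName", "").split(";"):
        if domain and not DOMAIN_RE.fullmatch(domain):
            findings.append(f"SSODomainName entry {domain!r} is not a domain name")
    return findings


def ldap_filter_escape(value):
    """RFC 4515 escaping for a value substituted into a search filter, so that
    a login name containing '*', '(', ')' or '\\' cannot change the filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)


def render_user_filter(template, login_name):
    """Expand every %v placeholder of LDAPUserFilter with the escaped login name."""
    return template.replace("%v", ldap_filter_escape(login_name))


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    for finding in validate(props, SAMPLE_RETURNED_DN):
        print("FINDING:", finding)
    print(render_user_filter(props["LDAPUserFilter"], "tuser"))
```

Run against the constructed sample, the script reports two findings: LDAPAdminUId is set while LDAPAdminPwd is blank, and LDAPSuffix is written as dc=example,dc=com while the directory returns DC=example,DC=com. Point it at a real wpconfig.properties and a DN captured from an LDAP search of the same directory to run the same checks before enable-security-wmmur-ldap.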

 

Verifying configuration

Access WebSphere Portal using http://hostname.nameofyourcompany.com:port/wps/portal and verify that you can log in.

Configuring WebSphere Portal to work with an LDAP directory automatically enables WAS Global Security. Once security is enabled, type the fully qualified host name when accessing WebSphere Portal and the WAS Administrative Console.

 

Security is enabled

Once you have enabled security with the LDAP directory, provide the user ID and password required for security authentication on WAS when you perform certain administrative tasks with WAS. For example, to stop the WebSphere Portal application server, you would issue the following command:

  • Enter the following command:

    • UNIX:

      ./stopServer.sh WebSphere_Portal -user admin_userid -password admin_password

    • Windows:

      stopServer.bat WebSphere_Portal -user admin_userid -password admin_password

    • i5/OS...

      stopServer WebSphere_Portal -profileName profile_root -user admin_userid -password admin_password

 

Switching the login LDAP attribute

To switch the login LDAP attribute from the default (uid) to another LDAP attribute (such as emailAddress):

  1. Open the WAS Administrative Console.

  2. Go to...

    Security | Global Security | User Registry | Custom | Custom Properties

  3. If wmmUserSecurityNameAttr already exists, select it. Otherwise click New.

  4. If not already set, set Name as wmmUserSecurityNameAttr and Value to the attribute you would like, such as emailAddress.

    Attribute names are found in portal_server_root/wmm/wmmLDAPServerAttributes.xml, where portal_server_root is the WebSphere Portal installation directory.

  5. Save the changes.

  6. Open the file portal_server_root/wmm/wmm.xml.

  7. Set userSecurityNameAttribute to the attribute you would like to use as the login attribute (using the example in Step 4, the setting would look like userSecurityNameAttribute="emailAddress").

  8. Save the file and restart PortalServer.

 
