Create required LDAP users and groups

Before we can configure IBM WebSphere Portal to work with the LDAP server, the LDAP user registry must have some minimal user and group information already populated. This section describes the procedures necessary to set up the LDAP server to work with WebSphere Portal.


Required users and groups

A minimum of one group and one user is required for WebSphere Portal. Depending on what software you already have deployed and configured, you may need additional user accounts. These can either be existing user accounts that you want to use in WebSphere Portal, or we can create new user accounts to use.

The required group is wpsadmins or an equivalent (the group specified by the PortalAdminGroupId attribute in the wpconfig.properties file). This is the first administrator group for WebSphere Portal. Members of this group have administrative authority within WebSphere Portal. The first administrator account, the WebSphere Portal administrative user, is expected to be a member of the wpsadmins group in the directory, but WebSphere Portal does not actually enforce that.

If content management functions are configured, IBM recommends also creating the following groups in the LDAP:

  • wpsContentAdministrators

  • wpsDocReviewer

These groups should be created in the LDAP with the same authority as is granted to the wpsadmins group.

The following describes the required user accounts:

The same user ID can be used for more than one of these purposes.

  • WebSphere Portal administrative user. This is the first administrator account for WebSphere Portal. This account is also a member of the wpsadmins group.

  • You must specify a Security Server ID account name and password for IBM WAS security. This account is configured into WebSphere Application Server. It becomes the ID that is used to administer WebSphere Application Server. If this account is different from the following LDAP access accounts, then this account needs no special privileges in the LDAP user registry.

  • An LDAP access account for WebSphere Application Server. This identity is used by WebSphere Application Server to access the LDAP user registry. If you keep the default values for the Bind Distinguished Name of WebSphere Application Server in the wpconfig.properties file, wpsbind will be used as the Bind Distinguished Name. The required privileges for this account in the user registry are as follows:

    • Write: To allow users or portal administrators to create and modify directory attributes through self-registration and self-care screens or the Manage Users and Groups portlet, the Bind DN (LDAPBindID) user must have permission to write and search the LDAP user registry that WebSphere Portal uses or the subtree of that directory rooted at the LDAP suffix.

    • Read: If you will not use any WebSphere Portal facilities to write to the user registry, but the user registry security policies do not allow anonymous searches of the directory, the Bind DN (LDAPBindID) user must have permission to read and search the LDAP user registry that WebSphere Portal uses or the subtree of that directory rooted at the LDAP suffix.

  • An LDAP access account that Member Manager uses to access the LDAP directory.

    This ID is not required when using LDAP with realm support. This does not have to be the root administrative ID for the directory, simply an ID that has sufficient privileges to the directory to allow the operations that WebSphere Portal will perform.

    If WebSphere Portal only reads from the directory and does not make updates, an ID with read privileges to the directory is sufficient. If WebSphere Portal updates the directory (creates users or makes user profile updates to the directory) then an ID with write privileges is required.


Portal administrator users

We can select an existing LDAP user to act as the portal administrator.

If you want to create a new user to administer the portal, you should create the user before continuing. To create a new user as the portal administrator, use your directory administration tools. Refer to the section appropriate to the directory server you are using for documentation on creating a new portal administrative user.

LDAP Relative Distinguished Name (RDN) prefixes, such as cn=, uid=, or ou=, should be entered in lowercase. Uppercase or mixed case can cause problems with subsequent case-sensitive queries of the database user registry and WebSphere Portal databases.
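As an added example (not IBM's code or procedure), the following Python checks a directory's LDIF export against the requirements described in this section: the administrator group and bind account exist, the portal administrative user is a member of the administrator group, and every RDN prefix is lowercase. The sample LDIF, its DNs and suffix, and the use of a `member` attribute for group membership are constructed assumptions; only the names wpsadmins and wpsbind come from the text.

```python
"""Check an LDIF export against the prerequisites described above: the administrator
group and bind account exist, the administrative user is in the group, and RDN
prefixes are lowercase. Added example, not IBM code; DNs, suffix and attributes are constructed."""

# Constructed sample export (placeholder DNs, not taken from a real directory).
SAMPLE_LDIF = """\
dn: cn=wpsadmin,cn=users,dc=example,dc=com
objectClass: user
cn: wpsadmin

dn: CN=wpsbind,cn=users,dc=example,dc=com
objectClass: user
cn: wpsbind

dn: cn=wpsadmins,cn=groups,dc=example,dc=com
objectClass: group
cn: wpsadmins
member: cn=wpsadmin,cn=users,dc=example,dc=com
"""

def parse_ldif(text):  # -> {dn: {attr: [values]}}; minimal LDIF, no folding or base64
    entries, current = {}, None
    for line in text.splitlines():
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if not line.strip():                 # blank line ends the current entry
            current = None
        elif attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def rdn_prefixes_lowercase(dn):
    """Rule from the text: RDN prefixes such as cn=, uid=, ou= must be lowercase."""
    return all(part.split("=", 1)[0].islower() for part in dn.split(","))

def check_portal_prereqs(entries, admin_user, admin_group, bind_id, member_attr="member"):
    """Return a list of problems; an empty list means the prerequisites hold."""
    by_lower = {dn.lower(): dn for dn in entries}    # DN comparison is case-insensitive
    problems = [f"missing {label}: {dn}" for label, dn in
                (("administrative user", admin_user), ("administrator group", admin_group),
                 ("bind account", bind_id)) if dn.lower() not in by_lower]
    group = entries.get(by_lower.get(admin_group.lower(), ""), {})
    members = [m.lower() for m in group.get(member_attr, [])]
    if group and admin_user.lower() not in members:
        problems.append(f"{admin_user} is not a member of {admin_group}")
    problems += [f"non-lowercase RDN prefix: {dn}" for dn in entries if not rdn_prefixes_lowercase(dn)]
    return problems
```

Run against the sample, the lookups all succeed because DN matching is case-insensitive, but the uppercase `CN=` on the bind account is still reported, which is exactly the condition the paragraph above warns about.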
