Add an LDAP user registry on AIX


Add an LDAP user registry to the default federated repository to store user account information for authorization.

Perform the following steps on the primary node only to add an LDAP user registry to the default federated repository:

  1. Ensure that the server1 and WebSphere_Portal servers are started.

  2. Edit WP_PROFILE/ConfigEngine/properties/wkplc.properties.

  3. Enter a value for the following required parameters in the wkplc.properties file under the VMM Federated LDAP Properties heading:

  4. Enter a value for the following required entity types parameters in the wkplc.properties file under the LDAP entity types heading. See the parameter reference for specific information about the required parameters and for advanced parameters:

  5. Enter a value for the following required group member parameters in the wkplc.properties file under the Group member attribute heading:

  6. Save your changes to the wkplc.properties file.

  7. To validate your LDAP server settings, run:

    ./ConfigEngine.sh validate-federated-ldap -DWasPassword=wpsadmin

  8. To add an LDAP user registry to the default federated repository, run:

    cd WP_PROFILE/ConfigEngine
    ./ConfigEngine.sh wp-create-ldap -DWasPassword=wpsadmin

    Users who are not in an LDAP do not have awareness and cannot see if other users are online. This can happen if you install WebSphere Portal and then enable a Federated LDAP or Federated database user repository that does not contain that user. Also, users who sign up using the Self Care portlet do not have awareness.

  9. To propagate the security changes, stop and restart the servers for your environment:

    Stand-alone environment:

      cd WP_PROFILE/bin
      ./stopServer.sh server1 -username adminid -password passwd
      ./stopServer.sh WebSphere_Portal -username adminid -password passwd
      ./startServer.sh server1
      ./startServer.sh WebSphere_Portal

    Clustered environment:

      cd dmgr_profile_root/bin
      ./stopManager.sh
      cd WP_PROFILE/bin
      ./stopNode.sh -username adminid -password passwd
      ./stopServer.sh server1 -username adminid -password passwd
      ./stopServer.sh WebSphere_Portal -username adminid -password passwd
      cd dmgr_profile_root/bin
      ./startManager.sh
      cd WP_PROFILE/bin
      ./startNode.sh
      ./startServer.sh server1
      ./startServer.sh WebSphere_Portal

  10. Optional

    To create additional base entries within the LDAP user registry, repeat these steps for each base entry that you want to create for multiple realm support:

    1. Edit WP_PROFILE/ConfigEngine/properties/wkplc.properties.

    2. Enter a value for the following required parameters in the wkplc.properties file under the VMM repository base entry configuration heading to create additional base entries within the LDAP user registry to use when creating realms:

      • id
      • baseDN
      • nameInRepository

    3. Save your changes to the wkplc.properties file.

    4. From the WP_PROFILE/ConfigEngine directory, run the following task to create a base entry in a repository:

      ./ConfigEngine.sh wp-create-base-entry -DWasPassword=wpsadmin

    5. Stop and restart the deployment manager, the node agent(s), server1, and the WebSphere_Portal servers.

  11. Optional

    To list the names and types of the configured repositories, run:

      cd WP_PROFILE/ConfigEngine
      ./ConfigEngine.sh wp-query-repository -DWasPassword=wpsadmin

  12. To check that all defined attributes are available in the configured LDAP user registry, run:

      cd WP_PROFILE/ConfigEngine
      ./ConfigEngine.sh wp-validate-federated-ldap-attribute-config -DWasPassword=wpsadmin

    When you finish configuring your LDAP user registry, see "Managing attributes" for information about adding and mapping attributes to ensure proper communication between WebSphere Portal and the LDAP server.

  13. To update the user registry where new users and groups are stored:

    1. Edit WP_PROFILE/ConfigEngine/properties/wkplc.properties.

    2. Enter a value for the following required parameters in the wkplc.properties file under the VMM supported entity types configuration heading:

      • personAccountParent
      • groupParent
      • personAccountRdnProperties
      • groupRdnProperties

    3. Save your changes to the wkplc.properties file.

    4. From the WP_PROFILE/ConfigEngine directory, run the following task to update the Group and PersonAccount entity types with the corresponding default parent and relative distinguished name (RDN):

      ./ConfigEngine.sh wp-update-entitytypes -DWasPassword=wpsadmin

    5. Stop and restart the deployment manager, the node agent(s), server1, and the WebSphere_Portal servers.
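    As an added example that is not part of the IBM documentation, the following POSIX shell script pre-checks the required wkplc.properties keys named in step 10 (base entries) and step 13 (entity types) before running the corresponding ConfigEngine task, so a blank value cannot silently produce a base entry or entity type with an empty DN. It assumes WP_PROFILE and WAS_PASSWORD are exported by the caller; the missing_props and run_task names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the IBM documentation: a fail-closed pre-check for
# the wp-create-base-entry (step 10) and wp-update-entitytypes (step 13) tasks.
# ConfigEngine reads the keys from wkplc.properties as given; if a required key
# is blank, the task would proceed with an empty DN, so the task is refused
# until every listed key has a non-empty value.

# missing_props <properties-file> <key>...
# Prints each key that is absent or has an empty value. Returns 1 if any is.
# Mirrors java.util.Properties: comments start with # or !, the last assignment
# of a duplicated key wins, surrounding whitespace and a trailing CR are ignored.
missing_props() {
    _file=$1; shift
    _rc=0
    for _key in "$@"; do
        _val=$(grep -v '^[[:space:]]*[#!]' "$_file" \
            | grep "^[[:space:]]*${_key}[[:space:]]*=" \
            | tail -n 1 | tr -d '\r' \
            | sed 's/^[^=]*=//; s/^[[:space:]]*//; s/[[:space:]]*$//')
        if [ -z "$_val" ]; then
            echo "missing or empty: $_key"
            _rc=1
        fi
    done
    return $_rc
}

# Required keys named on this page for each task.
BASE_ENTRY_KEYS="id baseDN nameInRepository"
ENTITY_TYPE_KEYS="personAccountParent groupParent personAccountRdnProperties groupRdnProperties"

# run_task <task> <key>...
# Runs the ConfigEngine task from WP_PROFILE/ConfigEngine only if the pre-check
# passes. The WAS password is taken from the WAS_PASSWORD environment variable
# (assumed to be exported by the caller) so the literal does not land in shell
# history; it is still visible in the process list while the task runs.
run_task() {
    _task=$1; shift
    missing_props "$WP_PROFILE/ConfigEngine/properties/wkplc.properties" "$@" || return 1
    (cd "$WP_PROFILE/ConfigEngine" && ./ConfigEngine.sh "$_task" -DWasPassword="$WAS_PASSWORD")
}

# Typical use (WP_PROFILE and WAS_PASSWORD exported beforehand):
#   run_task wp-create-base-entry $BASE_ENTRY_KEYS
#   run_task wp-update-entitytypes $ENTITY_TYPE_KEYS
```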

  14. Optional

    To enable the full distinguished name login if the short names are not unique for the realm:

    1. Edit WP_PROFILE/ConfigEngine/properties/wkplc.properties.

    2. Enter a value for realmName or leave blank to update the default realm.

    3. Save your changes to the wkplc.properties file.

    4. From the WP_PROFILE/ConfigEngine directory, run the following task to enable the distinguished name login:

      ./ConfigEngine.sh wp-modify-realm-enable-dn-login -DWasPassword=wpsadmin

    5. Stop and restart the deployment manager, the node agent(s), server1, and the WebSphere_Portal servers.

  15. Optional

    Run the Member Fixer tool to update the member names used by WCM with the corresponding members in the LDAP.

    This step ensures that access to the Web content libraries for the Intranet and Internet site templates for the contentAuthors group is correctly mapped to the appropriate group in the LDAP.

    This step is only needed if you have installed WebSphere Portal with WCM and intend to use the Intranet and Internet site templates.

    1. Edit the following file:

      WP_PROFILE/PortalServer/wcm/shared/app/config/wcmservices/MemberFixerModule.properties

    2. Update the contentAuthors_new property with the group name you used for the content authors group during LDAP configuration.

    3. Update the administrator_new property with the administrator user name you used for the administrator user during LDAP configuration. The old administrator user value should be

        uid=xyzadmin,o=defaultWIMFileBasedRealm

      which is the default administrator user used when the Intranet and Internet site templates are created.

    4. From the WP_PROFILE/ConfigEngine directory, run:

      ./ConfigEngine.sh action-express-memberfixer -DmemberfixerRealm=realm -DPortalAdminPwd=wpsadmin

      Here realm is the realm where these users and groups are stored, for example -DmemberfixerRealm=defaultWIMFileBasedRealm.

  16. Optional

    Remove the file system repository if you do not use it. The federated file system user repository that was the default security setting might not be required after federating the user repository. If the file system repository is no longer needed, removing it can help prevent conflicts created by duplicate user identities existing in multiple repositories. To remove the file system repository:

    1. From the Deployment Manager or WAS administrative console, select Security > Secure administration, applications, and infrastructure.

    2. In the User account repository section, make sure that Federated repositories is set in the Available realm definitions.

    3. Click Configure.

    4. In the list of Repositories in the realm select the repository with the identifier InternalFileRepository.

    5. Click Remove.

    6. Save changes.

    7. Synchronize all nodes if you have a clustered environment.

  17. Optional

    Perform the following steps to replace the WAS and WebSphere Portal administrator user IDs with users that exist in the LDAP user registry:

    1. From the WP_PROFILE/ConfigEngine directory, run the following task to replace the old WAS administrative user with the new user:

      ./ConfigEngine.sh wp-change-was-admin-user -DnewAdminId=newadminid -DnewAdminPw=newpassword

      This task verifies the user against a running server instance. If the server is stopped, add the -Dskip.ldap.validation=true parameter to the task to skip the validation.

    2. Verify that the task completed successfully. In a clustered environment, restart the deployment manager, the node agent(s), server1, and WebSphere_Portal servers. In a stand-alone environment, restart the server1 and WebSphere_Portal servers.

    3. Run the following task to replace the old WebSphere Portal administrative user with the new user:

      ./ConfigEngine.sh wp-change-portal-admin-user -DnewAdminId=newadminid -DnewAdminPw=newpassword -DnewAdminGroupId=newadmingroup

      This task verifies the user against a running LDAP server instance when LDAP security is enabled. If the LDAP server is stopped, add the -Dskip.ldap.validation=true parameter to the task to skip the validation.

    4. Verify that the task completed successfully. In a clustered environment, restart the deployment manager, the node agent(s), server1, and WebSphere_Portal servers. In a stand-alone environment, restart the server1 and WebSphere_Portal servers.
