AIX cluster: Configure a stand-alone LDAP user registry without SSL in a clustered environment
Overview
Configure WebSphere Portal to use a standalone LDAP user registry to store all user account information for authorization.
In single-server environments, you do not have to start or stop the WebSphere_Portal and server1 servers to complete the following steps. In clustered environments, stop all application servers on the system, including WebSphere_Portal, then start the nodeagent and dmgr servers before you begin any of the following steps.
If you need to rerun the wp-modify-ldap.security task to change the LDAP repositories or because the task failed, either choose a new name for the realm with the standalone.ldap.realm parameter, or set ignoreDuplicateIDs=true in wkplc.properties before rerunning the task. To ensure the correct properties are entered, use the wp_security_xxx.properties helper file in WP_PROFILE/ConfigEngine/config/helpers.
Configure a standalone LDAP user registry
- Run backupConfig
- Edit WP_PROFILE/ConfigEngine/properties/wkplc.properties
- Required: Enter a value under the Stand-alone security heading:
standalone.ldap.id
standalone.ldap.host
standalone.ldap.port
standalone.ldap.bindDN
standalone.ldap.bindPassword
standalone.ldap.ldapServerType
standalone.ldap.userIdMap
standalone.ldap.groupIdMap
standalone.ldap.groupMemberIdMap
standalone.ldap.userFilter
standalone.ldap.groupFilter
standalone.ldap.serverId
standalone.ldap.serverPassword
standalone.ldap.realm
standalone.ldap.primaryAdminId
standalone.ldap.primaryAdminPassword
standalone.ldap.primaryPortalAdminId
standalone.ldap.primaryPortalAdminPassword
standalone.ldap.primaryPortalAdminGroup
standalone.ldap.baseDN
- Required: Enter a value under the LDAP entity types heading:
standalone.ldap.et.group.objectClasses
standalone.ldap.et.group.objectClassesForCreate
standalone.ldap.et.group.searchBases
standalone.ldap.et.personaccount.objectClasses
standalone.ldap.et.personaccount.objectClassesForCreate
standalone.ldap.et.personaccount.searchBases
- Required: Enter a value under the Group member attributes heading:
standalone.ldap.gm.groupMemberName
standalone.ldap.gm.objectClass
standalone.ldap.gm.scope
standalone.ldap.gm.dummyMember
- Required: Enter a value for the following required relative distinguished name (RDN) parameters in wkplc.properties under the Default parent, RDN attribute heading:
standalone.ldap.personAccountParent
standalone.ldap.groupParent
standalone.ldap.personAccountRdnProperties
standalone.ldap.groupRdnProperties
- Save changes to wkplc.properties.
- Run the following command to validate the LDAP server settings:
./ConfigEngine.sh validate-standalone-ldap -DWasPassword=foo
Attention: If you have not deleted the default file repository, WasPassword is the value entered during installation and not a value found in the LDAP user registry. During the validation task, you may receive the prompt "Add signer to the trust store now?". Press y, then Enter.
- Set the stand-alone LDAP user registry:
cd WP_PROFILE/ConfigEngine
./ConfigEngine.sh wp-modify-ldap.security -DWasPassword=foo
- Stop and restart the appropriate servers to propagate the changes.
- Check that all defined attributes are available in the configured LDAP user registry:
cd WP_PROFILE/ConfigEngine
./ConfigEngine.sh wp-validate-standalone-ldap-attribute-config -DWasPassword=foo
See "Adapting the attribute configuration" for information about adding and mapping attributes to ensure proper communication between WebSphere Portal and the LDAP server.
- Add the following lines to the file:
uid=xyzadmin,o=defaultWIMFileBasedRealm -> portal_admin_DN
cn=contentauthors,o=defaultWIMFileBasedRealm -> content_authors_group_DN
- Ensure that the portal administrator you specify for portal_admin_DN is a member of the group you specify for content_authors_group_DN; otherwise, the portal administrator cannot access the Web content libraries for the Intranet and Internet Site Templates.
- If you plan to run the express-memberfixer task in an environment with multiple realms, remove the following group if it exists:
cn=contentauthors,o=defaultWIMFileBasedRealm
If this group exists in an environment with multiple realms, the Member Fixer task does not have any effect.
- Save changes and close the file.
- Run the following command:
cd WP_PROFILE/ConfigEngine
./ConfigEngine.sh express-memberfixer -DmemberfixerRealm=realm_name -DPortalAdminPwd=foo -DWasPassword=foo
Choose the value for realm_name according to the type of LDAP user registry you configured:
Standalone: realm_name should match the value for standalone.ldap.realm in wkplc.properties.
Federated: realm_name should match the value for federated.realm in wkplc.properties. If the value for federated.realm is empty, use defaultWIMFileBasedRealm as the default value.
- Optional: Assign access to the Web content libraries.
- Log in as a portal administrator.
- Navigate to Administration -> Portal Content -> Web Content Libraries.
- Click the Set permissions icon for the Web library.
- Click the Edit Role icon for Editor.
- Add the group you specified for content_authors_group_DN as an Editor for the Intranet and Internet libraries.
- Click Apply then Done.
- If you have created any additional WCM libraries, run the Web content member fixer task to update the member names used by the libraries.
- If you created a clustered environment and then performed the steps in this task, run update-jcr-admin on the secondary node.
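Before running validate-standalone-ldap, it helps to confirm that every required standalone.ldap.* key from the steps above actually has a value in wkplc.properties, since a commented-out or empty key only surfaces as a failed task. The following POSIX shell pre-flight check is an added example, not part of WebSphere Portal or its ConfigEngine tooling; it assumes one key=value pair per line (as in the helper files), takes the properties file path as an argument, and is run here against a constructed sample file rather than a real WP_PROFILE.

```shell
#!/bin/sh
# Pre-flight check of wkplc.properties before running validate-standalone-ldap.
# Added example, not part of WebSphere Portal or ConfigEngine; it assumes one
# key=value per line (as in the helper files) and checks only the keys listed above.
# The required keys from the Stand-alone security, LDAP entity types,
# Group member attributes and Default parent / RDN attribute sections.
REQUIRED_PROPS="standalone.ldap.id standalone.ldap.host standalone.ldap.port
standalone.ldap.bindDN standalone.ldap.bindPassword standalone.ldap.ldapServerType
standalone.ldap.userIdMap standalone.ldap.groupIdMap standalone.ldap.groupMemberIdMap
standalone.ldap.userFilter standalone.ldap.groupFilter standalone.ldap.serverId
standalone.ldap.serverPassword standalone.ldap.realm standalone.ldap.primaryAdminId
standalone.ldap.primaryAdminPassword standalone.ldap.primaryPortalAdminId
standalone.ldap.primaryPortalAdminPassword standalone.ldap.primaryPortalAdminGroup
standalone.ldap.baseDN standalone.ldap.et.group.objectClasses
standalone.ldap.et.group.objectClassesForCreate standalone.ldap.et.group.searchBases
standalone.ldap.et.personaccount.objectClasses standalone.ldap.et.personaccount.searchBases
standalone.ldap.et.personaccount.objectClassesForCreate standalone.ldap.gm.groupMemberName
standalone.ldap.gm.objectClass standalone.ldap.gm.scope standalone.ldap.gm.dummyMember
standalone.ldap.personAccountParent standalone.ldap.groupParent
standalone.ldap.personAccountRdnProperties standalone.ldap.groupRdnProperties"

# prop_value FILE KEY: print KEY's value; the last definition wins, as in Java
# properties. Commented-out keys are ignored and values may contain '=' (cn=root).
prop_value() {
    awk -v k="$2" '
        { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]*=[ \t]*/, "=", line) }
        index(line, k "=") == 1 { v = substr(line, length(k) + 2); sub(/[ \t]+$/, "", v) }
        END { printf "%s", v }' "$1"
}

# missing_props FILE: print each required key that is absent, commented out or
# empty, one per line; exit status 1 if any is missing.
missing_props() {
    rc=0
    for key in $REQUIRED_PROPS; do
        if [ -z "$(prop_value "$1" "$key")" ]; then
            echo "$key"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample file: two keys set, bindPassword commented out, the rest absent.
SAMPLE=${TMPDIR:-/tmp}/wkplc-sample.$$
printf '%s\n' 'standalone.ldap.id=ids' 'standalone.ldap.bindDN=cn=root' \
    '#standalone.ldap.bindPassword=secret' > "$SAMPLE"
missing_props "$SAMPLE" || echo "set the keys above before running validate-standalone-ldap"
rm -f "$SAMPLE"
```

Run it against WP_PROFILE/ConfigEngine/properties/wkplc.properties by replacing the constructed sample with that path; an empty listing and exit status 0 mean the required keys are all populated.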