Configure a stand-alone LDAP user registry on AIX


Overview

In single server environments, you do not have to start or stop the WebSphere_Portal and server1 servers to complete the following steps. In clustered environments, stop all application servers on the system, including WebSphere_Portal, then start the nodeagent and dmgr servers before you begin any of the following steps.

If you need to rerun the wp-modify-ldap-security task to change the LDAP repositories or because the task failed, before running the task choose a new name for the realm using the parameter...

...or set...

In the instructions below, when a step refers to wkplc.properties, use the wp_security_xxx.properties helper file instead.

For example...


Configure a standalone LDAP user registry

  1. Back up the configuration

  2. Edit WP_PROFILE/ConfigEngine/properties/wkplc.properties

  3. Enter values...

      standalone.ldap.id
      standalone.ldap.host
      standalone.ldap.port
      standalone.ldap.bindDN
      standalone.ldap.bindPassword
      standalone.ldap.ldapServerType
      standalone.ldap.userIdMap
      standalone.ldap.groupIdMap
      standalone.ldap.groupMemberIdMap
      standalone.ldap.userFilter
      standalone.ldap.groupFilter
      standalone.ldap.serverId
      standalone.ldap.serverPassword
      standalone.ldap.realm
      standalone.ldap.primaryAdminId
      standalone.ldap.primaryAdminPassword
      standalone.ldap.primaryPortalAdminId
      standalone.ldap.primaryPortalAdminPassword
      standalone.ldap.primaryPortalAdminGroup
      standalone.ldap.baseDN

  4. Enter values for entity types parameters...

      standalone.ldap.et.group.objectClasses
      standalone.ldap.et.group.objectClassesForCreate
      standalone.ldap.et.group.searchBases
      standalone.ldap.et.personaccount.objectClasses
      standalone.ldap.et.personaccount.objectClassesForCreate
      standalone.ldap.et.personaccount.searchBases

  5. Enter values for group member parameters...

      standalone.ldap.gm.groupMemberName
      standalone.ldap.gm.objectClass
      standalone.ldap.gm.scope
      standalone.ldap.gm.dummyMember

  6. Enter values for relative distinguished name parameters...

      standalone.ldap.personAccountParent
      standalone.ldap.groupParent
      standalone.ldap.personAccountRdnProperties
      standalone.ldap.groupRdnProperties

  7. Save changes to wkplc.properties

  8. Validate LDAP server settings...

      ./ConfigEngine.sh validate-standalone-ldap -DWasPassword=foo

    If you have not deleted the default file repository, WasPassword is the value entered during installation and not a value found in the LDAP user registry.

    During the validation task, you may receive the following prompt:

      Add signer to the trust store now?

    Press y then Enter.

  9. Set the stand-alone LDAP user registry...

      cd WP_PROFILE/ConfigEngine
      ./ConfigEngine.sh wp-modify-ldap-security -DWasPassword=foo

  10. Stop and restart the appropriate servers to propagate the changes.

  11. Optional. Check that all defined attributes are available in the configured LDAP user registry.

      cd WP_PROFILE/ConfigEngine
      ./ConfigEngine.sh wp-validate-standalone-ldap-attribute-config -DWasPassword=foo

  12. Run the Member Fixer task to update the member names used by WCM with the corresponding members in the LDAP directory.

    This step ensures that access to the Web content libraries for the Intranet and Internet Site Templates for the contentAuthors group is correctly mapped to the appropriate group in the LDAP directory.

    This step is only needed if you have installed the product with WCM and intend to use the Intranet and Internet Site Templates that were optionally installed using configure-express.

    1. Edit...

        WP_PROFILE/PortalServer/wcm/shared/app/config/wcmservices/MemberFixerModule.properties

      ...and add the following lines to the file...

        uid=xyzadmin,o=defaultWIMFileBasedRealm -> portal_admin_DN
        cn=contentauthors,o=defaultWIMFileBasedRealm -> content_authors_group_DN

      • Ensure the portal administrator you specify for portal_admin_DN is a member of the group you specify for content_authors_group_DN, otherwise the portal administrator cannot access the Web content libraries for the Intranet and Internet Site Templates.

      • If you plan to run the express-memberfixer task in an environment with multiple realms, remove the following group if it exists...

          cn=contentauthors,o=defaultWIMFileBasedRealm

        If this group exists in an environment with multiple realms, the Member Fixer task does not have any effect.

    2. Save changes, then run...

        cd WP_PROFILE/ConfigEngine
        ./ConfigEngine.sh express-memberfixer -DmemberfixerRealm=realm_name -DPortalAdminPwd=foo -DWasPassword=foo

      Choose the appropriate value to enter for realm_name depending on the type of LDAP user registry you configured:

      LDAP         Value
      Standalone   Should match the value for standalone.ldap.realm in wkplc.properties.
      Federated    Should match the value for federated.realm in wkplc.properties. If the value for federated.realm is empty, use defaultWIMFileBasedRealm as the default value.

  13. Optional. Assign access to the Web content libraries.

    1. Log in as a portal administrator.

    2. Navigate to...

        Administration | Portal Content | Web Content Libraries

    3. Click the set permissions icon for the Web library

    4. Click the Edit Role icon for Editor.

    5. Add the group you specified for content_authors_group_DN as an Editor for the Intranet and Internet libraries.

    6. Click Apply then Done.

  14. If you have created any additional WCM libraries, run the Web content member fixer task to update the member names used by the libraries.
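An added pre-flight check for the wkplc.properties edits in steps 2 to 7 (example code written here, not part of the original page and not an IBM tool): it parses the standalone.ldap.* entries, reports required keys that are missing or empty, warns when the port is 389 (cleartext LDAP, so the bind password and every user credential cross the network unencrypted), and confirms that each searchBases entry sits under standalone.ldap.baseDN. The sample properties are constructed, and the ';' separator for multiple search bases is an assumption.

```python
import re
# Keys steps 3 and 4 above ask you to fill in (the two searchBases keys included).
REQUIRED_KEYS = ["standalone.ldap." + k for k in (
    "id host port bindDN bindPassword ldapServerType userIdMap groupIdMap "
    "groupMemberIdMap userFilter groupFilter serverId serverPassword realm "
    "primaryAdminId primaryAdminPassword primaryPortalAdminId primaryPortalAdminPassword "
    "primaryPortalAdminGroup baseDN et.group.searchBases et.personaccount.searchBases").split()]

def parse_properties(text):
    # Minimal Java .properties reader: key=value lines, '#' or '!' comment lines.
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def dn_components(dn):
    # Split a DN on unescaped commas and lowercase each RDN for suffix comparison.
    return [c.strip().lower() for c in re.split(r"(?<!\\),", dn) if c.strip()]

def check_standalone_ldap(props):
    # Return a list of findings; an empty list means the section looks sane.
    findings = [f"missing or empty: {k}" for k in REQUIRED_KEYS if not props.get(k)]
    if props.get("standalone.ldap.port") == "389":
        findings.append("port 389 is cleartext LDAP: the bind password and every "
                        "user credential cross the network unencrypted")
    base = dn_components(props.get("standalone.ldap.baseDN", ""))
    for key in ("standalone.ldap.et.group.searchBases",
                "standalone.ldap.et.personaccount.searchBases"):
        # Assumption: several search bases for one entity type are separated by ';'.
        for sb in filter(None, (s.strip() for s in props.get(key, "").split(";"))):
            if base and dn_components(sb)[-len(base):] != base:
                findings.append(f"{key}: {sb} is not under standalone.ldap.baseDN")
    return findings

# Constructed sample, deliberately incomplete; not a real configuration.
SAMPLE = """
standalone.ldap.id=ldap1
standalone.ldap.host=ldap.example.com
standalone.ldap.port=389
standalone.ldap.bindDN=cn=portalbind,o=example
standalone.ldap.bindPassword=
standalone.ldap.baseDN=o=example
standalone.ldap.et.group.searchBases=ou=groups,o=example
standalone.ldap.et.personaccount.searchBases=ou=people,o=other
"""
```

Run check_standalone_ldap(parse_properties(open(path).read())) against the real file before step 8; every finding is something validate-standalone-ldap or a later login would otherwise surface the hard way.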


Related tasks

Adapt the attribute configuration
Use the web content member fixer task

