Multiple AD realms with portal
- Overview
- Make backups
- Configure LDAP
- Create RealmInt
- Set supported and unsupported attributes
- Configure external LDAP
- Create RealmExt
- Configure realms in WAS console
- Change admin users and set default realm
- Optional: Set LDAP repository to be default repository
- Optional: Set the default parents per entity type and realm.
- Overview
This document contains step by step instructions for configuring portal with multiple federated ldaps and multiple realms.
We will create two realms...
RealmExt: Customers and Vendors
RealmInt: Employees
We will use ConfigEngine commands, but all tasks can also be performed using the WAS admin console.
- Make backups
- On the portal machine...
df -k
cd /opt/ext/wp_profile/bin
./stopServer.sh WebSphere_Portal -username wasadminfile -password wasadminfile
./stopNode.sh -username wasadminfile -password wasadminfile
cd /opt
tar cvf WASEXT.tar WASEXT; gzip WASEXT.tar
- On Dmgr machine...
df -k
cd /opt/ext/AppServer/bin
./stopManager.sh -username wasadminfile -password wasadminfile
cd /opt
tar cvf WASEXT.tar WASEXT; gzip WASEXT.tar
- Have DBA make backup of DBs.
- Configure LDAP
The pattern for configuring multiple LDAP realms is to...
- Set properties for an LDAP in wkplc.properties
- Run ConfigEngine command to update portal with these new properties.
- Repeat for next LDAP
To set LDAP1 and LDAP2, we need to do each in turn. We cannot set wkplc.properties to have info for both LDAP1 and LDAP2 at the same time.
- Use Apache Directory Studio to verify the bindDN and bindPassword are valid (a simple bind as that DN). The bind account only needs read access to the search bases unless Portal will create users or groups in that LDAP.
- Edit wkplc.properties.
For EXT set...
federated.ldap.id=RealmInt
federated.ldap.host=ldap-cdc.mycompany.com
federated.ldap.port=389
federated.ldap.bindDN=cn=wpbindext,ou=ExtUsers,ou=Portal Users,ou=Users,ou=Operations,dc=mycompany,dc=com
federated.ldap.bindPassword=ExtP++++
federated.ldap.ldapServerType=AD2000
federated.ldap.baseDN=dc=mycompany,dc=com
federated.ldap.et.group.searchFilter=(objectcategory=group)
federated.ldap.et.group.objectClasses=group
federated.ldap.et.group.objectClassesForCreate=group
federated.ldap.et.group.searchBases=dc=mycompany,dc=com
federated.ldap.et.personaccount.searchFilter=
federated.ldap.et.personaccount.objectClasses=user
federated.ldap.et.personaccount.objectClassesForCreate=user
federated.ldap.et.personaccount.searchBases=dc=mycompany,dc=com
federated.ldap.gm.groupMemberName=member
federated.ldap.gm.objectClass=group
federated.ldap.gm.scope=nested
federated.ldap.gm.dummyMember=
For BIZ set...
federated.ldap.id=RealmInt
federated.ldap.host=ldap-cdc.mycompany.com
federated.ldap.port=389
federated.ldap.bindDN=cn=wpbindbiz,ou=BizUsers,ou=Portal Users,ou=Users,ou=Operations,dc=mycompany,dc=com
federated.ldap.bindPassword=BizW++++
federated.ldap.ldapServerType=AD2000
federated.ldap.baseDN=dc=mycompany,dc=com
federated.ldap.et.group.searchFilter=(objectcategory=group)
federated.ldap.et.group.objectClasses=group
federated.ldap.et.group.objectClassesForCreate=group
federated.ldap.et.group.searchBases=dc=mycompany,dc=com
federated.ldap.et.personaccount.searchFilter=
federated.ldap.et.personaccount.objectClasses=user
federated.ldap.et.personaccount.objectClassesForCreate=user
federated.ldap.et.personaccount.searchBases=dc=mycompany,dc=com
federated.ldap.gm.groupMemberName=member
federated.ldap.gm.objectClass=group
federated.ldap.gm.scope=nested
federated.ldap.gm.dummyMember=
For MYCO set...
federated.ldap.id=RealmInt
federated.ldap.host=ldap-cdc.mycompany.com
federated.ldap.port=389
federated.ldap.bindDN=cn=wpbindmyco,ou=MyCoUsers,ou=Portal Users,ou=Users,ou=Operations,dc=mycompany,dc=com
federated.ldap.bindPassword=MyPass
federated.ldap.ldapServerType=AD2000
federated.ldap.baseDN=dc=mycompany,dc=com
federated.ldap.et.group.searchFilter=(objectcategory=group)
federated.ldap.et.group.objectClasses=group
federated.ldap.et.group.objectClassesForCreate=group
federated.ldap.et.group.searchBases=dc=mycompany,dc=com
federated.ldap.et.personaccount.searchFilter=
federated.ldap.et.personaccount.objectClasses=user
federated.ldap.et.personaccount.objectClassesForCreate=user
federated.ldap.et.personaccount.searchBases=dc=mycompany,dc=com
federated.ldap.gm.groupMemberName=member
federated.ldap.gm.objectClass=group
federated.ldap.gm.scope=nested
federated.ldap.gm.dummyMember=
- Validate settings...
cd /opt/ext/wp_profile/ConfigEngine
./ConfigEngine.sh validate-federated-ldap -DWasPassword=wasadminfile
- Integrate MyCo LDAP
cd /opt/ext/wp_profile/ConfigEngine
./ConfigEngine.sh wp-create-ldap -DWasPassword=wasadminfile
- Propagate changes
- At this point, WAS and portal are still using the file-based realm for authentication. If the file-based admin ID also exists in the LDAP, log on with the fully qualified name of the file-based user so the lookup is not ambiguous.
For example...
User ID: uid=wasadmin,o=defaultWIMFileBasedRealm
Password: wasadmin
- Log on to WAS console and verify settings
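The edit-properties / run-ConfigEngine cycle above is repeated once per LDAP, and the mistakes that cost the most time (a search base that is not under baseDN, an empty bind password, a typo in ldapServerType) are only reported by validate-federated-ldap indirectly. The following Python is an added example, not part of this runbook or of WebSphere Portal's ConfigEngine: it applies one LDAP's federated.ldap.* values to a properties text in place (preserving comments and order, as you would by hand) and runs those sanity checks before any ConfigEngine task. The properties excerpt and the RealmInt values are constructed from the entries above; the ';' search-base separator and the set of accepted server types are assumptions noted in the code.

```python
"""Pre-flight for the wkplc.properties edit / ConfigEngine cycle (added example)."""
import re

# Server types accepted by the check: AD2000 and ADAM are the values used in this
# runbook; the others are further VMM LDAP types.  Assumption: extend if yours differs.
KNOWN_SERVER_TYPES = {"AD2000", "AD2003", "ADAM", "IDS6", "SUNONE", "DOMINO", "NDS", "CUSTOM"}

def apply_overrides(text: str, overrides: dict) -> str:
    """Set each key in overrides, rewriting existing 'key=value' lines where they
    are (so the VMM section keeps its place) and appending keys that are missing.
    Commented-out keys ('#key=...') are left untouched."""
    seen, out = set(), []
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_.\-]+)\s*=", line)
        key = m.group(1) if m else None
        if key in overrides and key not in seen:
            out.append(f"{key}={overrides[key]}")
            seen.add(key)
        else:
            out.append(line)
    for key, value in overrides.items():
        if key not in seen:
            out.append(f"{key}={value}")
    return "\n".join(out) + "\n"

def parse_properties(text: str) -> dict:
    """Minimal java.util.Properties reader: key=value, '#'/'!' comments, no continuations."""
    props = {}
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith(("#", "!")) or "=" not in s:
            continue
        key, _, value = s.partition("=")
        props[key.strip()] = value.strip()
    return props

def norm_dn(dn: str) -> list:
    """Split a DN into normalised RDNs ('ou=Portal Users' -> 'ou=portal users').
    Escaped commas inside values are not handled; no DN in this runbook needs them."""
    return [part.strip().lower() for part in dn.split(",") if part.strip()]

def dn_under(dn: str, base: str) -> bool:
    """True if dn equals base or lies beneath it in the tree."""
    d, b = norm_dn(dn), norm_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def check_federated_ldap(props: dict) -> list:
    """Return human-readable findings; an empty list means 'go ahead'."""
    def p(k):
        return props.get(f"federated.ldap.{k}", "")
    findings = []
    if not p("id"):
        findings.append("federated.ldap.id is empty")
    if not p("bindDN") or not p("bindPassword"):
        findings.append("bindDN/bindPassword must both be set; an anonymous bind is not wanted here")
    if p("ldapServerType") not in KNOWN_SERVER_TYPES:
        findings.append(f"unknown ldapServerType {p('ldapServerType')!r}")
    if p("gm.scope") not in ("direct", "nested"):
        findings.append(f"gm.scope must be direct or nested, not {p('gm.scope')!r}")
    base = p("baseDN")
    if not base:
        findings.append("baseDN is empty")
    for et in ("group", "personaccount"):
        # Assumption: multiple search bases are separated by ';' in wkplc.properties.
        for sb in p(f"et.{et}.searchBases").split(";"):
            if sb.strip() and base and not dn_under(sb, base):
                findings.append(f"et.{et}.searchBases entry {sb.strip()!r} is outside baseDN {base!r}")
    return findings

def preflight(text: str, overrides: dict):
    """Apply one LDAP's values and check them; returns (new_text, findings)."""
    new_text = apply_overrides(text, overrides)
    return new_text, check_federated_ldap(parse_properties(new_text))

# Constructed wkplc.properties excerpt, as shipped: every LDAP key still empty.
SAMPLE = """\
# VMM Federated LDAP Properties
federated.ldap.id=
federated.ldap.host=localhost
federated.ldap.port=389
federated.ldap.bindDN=
federated.ldap.bindPassword=
federated.ldap.ldapServerType=IDS6
federated.ldap.baseDN=
federated.ldap.et.group.searchBases=
federated.ldap.et.personaccount.searchBases=
federated.ldap.gm.scope=direct
"""

# The MYCO variant of RealmInt from this runbook, as a constructed override set.
REALM_INT = {
    "federated.ldap.id": "RealmInt",
    "federated.ldap.host": "ldap-cdc.mycompany.com",
    "federated.ldap.bindDN": "cn=wpbindmyco,ou=MyCoUsers,ou=Portal Users,ou=Users,ou=Operations,dc=mycompany,dc=com",
    "federated.ldap.bindPassword": "MyPass",
    "federated.ldap.ldapServerType": "AD2000",
    "federated.ldap.baseDN": "dc=mycompany,dc=com",
    "federated.ldap.et.group.searchBases": "dc=mycompany,dc=com",
    "federated.ldap.et.personaccount.searchBases": "dc=mycompany,dc=com",
    "federated.ldap.gm.scope": "nested",
}

if __name__ == "__main__":
    new_text, findings = preflight(SAMPLE, REALM_INT)
    print(new_text)
    for f in findings:
        print("FINDING:", f)
```

Run it once per LDAP with the corresponding override set, write `new_text` back to wkplc.properties only when `findings` is empty, then run validate-federated-ldap and wp-create-ldap as above. Because the keys are rewritten in place, the file keeps its structure between the RealmInt and RealmExt passes.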
- Create RealmInt Realm
- Start server1 and WebSphere_Portal
- Edit wkplc.properties and set...
id=RealmInt
baseDN=ou=MyCoUsers,ou=Portal Users,ou=Users,ou=Operations,dc=mycompany,dc=com
nameInRepository=ou=MyCoUsers,ou=Portal Users,ou=Users,ou=Operations,dc=mycompany,dc=com
- Run...
./ConfigEngine.sh wp-create-base-entry -DWasPassword=wasadminfile
- Edit wkplc.properties
- Set...
realmName=RealmInt
addBaseEntry=dc=mycompany,dc=com
securityUse=active
delimiter=/
- Save changes
- Add a new realm to the VMM configuration:
./ConfigEngine.sh wp-create-realm -DWasPassword=wasadminfile
- After the realm is created, if we need more than one base entry run...
./ConfigEngine.sh wp-add-realm-baseentry -DWasPassword=wasadminfile
- Restart the server1 and WebSphere_Portal servers.
- Launch the portal page in a web browser and log in with a user ID/password from the realm. The login should succeed.
- If we go to...
Administration | Manage Virtual Portals | New
...we should see the RealmInt realm as an option
- Set supported and unsupported attributes
If an attribute is defined in WebSphere Portal but not in the LDAP server, we can do one of the following...
- Flag the attribute as unsupported for the LDAP server
- Introduce an attribute mapping that maps the WebSphere Portal attribute to an attribute defined in the LDAP schema
- Check that all defined attributes are available in the configured LDAP user registry...
./ConfigEngine.sh wp-validate-federated-ldap-attribute-config -DWasPassword=wasadminfile
...and check for missing attributes in...
/opt/ext/ConfigEngine/log/ConfigTrace.log
- Create available attributes report. Run...
./ConfigEngine.sh wp-query-attribute-config -DWasPassword=wasadminfile
...to create...
/opt/ext/ConfigEngine/log/availableAttributes.html
- Edit availableAttributes.html and review the output for the PersonAccount and Group entity types.
- Edit...
/opt/ext/ConfigEngine/properties/wkplc.properties
...and set...
federated.ldap.attributes.nonSupported=businessAddress, businessCategory, carLicense, countryName, departmentNumber, description, employeeNumber, homeAddress, jpegPhoto, labeledURI, localityName, pager, roomNumber
federated.ldap.attributes.nonSupported.delete=
federated.ldap.attributes.mapping.ldapName=stateOrProvinceName
federated.ldap.attributes.mapping.portalName=st
federated.ldap.attributes.mapping.entityTypes=PersonAccount, Group
- Save changes to wkplc.properties
- Update the LDAP user registry configuration...
./ConfigEngine.sh wp-update-federated-ldap-attribute-config -DWasPassword=wasadminfile
- Propagate changes
- Log on to WAS console and verify settings
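The nonSupported list and the attribute mapping above are derived by hand from availableAttributes.html, which is where duplicates and contradictions creep in (an attribute listed as unsupported and also mapped, or a mapping whose LDAP target does not exist in the schema). The following Python is an added example, not from this runbook or from WebSphere Portal: given the attribute names Portal defines for an entity type and the names the LDAP schema actually contains, it computes the federated.ldap.attributes.* lines with the nonSupported list de-duplicated and cross-checked against the mapping. The two inventories are constructed, not read from a live directory; that each mapping group is applied with its own run of wp-update-federated-ldap-attribute-config is an assumption noted in the code.

```python
"""Derive the federated.ldap.attributes.* lines from two attribute inventories (added example)."""

def dedupe(names):
    """Order-preserving de-duplication of a comma-separated string or a sequence."""
    if isinstance(names, str):
        names = [n.strip() for n in names.split(",")]
    seen, out = set(), []
    for n in names:
        if n and n not in seen:
            seen.add(n)
            out.append(n)
    return out

def plan_attributes(portal_attrs, ldap_attrs, mapping):
    """Return {'nonSupported': [...], 'mapping': {...}, 'errors': [...]}.

    portal_attrs: attribute names Portal expects (ordered, may contain repeats).
    ldap_attrs:   attribute names present in the LDAP schema.
    mapping:      {portalName: ldapName} for attributes that exist under another
                  name in the directory; a mapped attribute is never unsupported.
    """
    ldap = set(ldap_attrs)
    errors = []
    for portal_name, ldap_name in mapping.items():
        if portal_name not in portal_attrs:
            errors.append(f"mapping for {portal_name!r}: not a Portal attribute")
        if ldap_name not in ldap:
            errors.append(f"mapping {portal_name!r} -> {ldap_name!r}: target not in LDAP schema")
    non_supported = [a for a in dedupe(portal_attrs) if a not in ldap and a not in mapping]
    return {"nonSupported": non_supported, "mapping": dict(mapping), "errors": errors}

def render_properties(plan, entity_types=("PersonAccount", "Group")):
    """Render the wkplc.properties lines for the plan.

    The mapping keys are singular (one ldapName/portalName/entityTypes triple), so
    one group is emitted per mapping.  Assumption: each group is applied with its
    own run of wp-update-federated-ldap-attribute-config.
    """
    lines = [
        "federated.ldap.attributes.nonSupported=" + ", ".join(plan["nonSupported"]),
        "federated.ldap.attributes.nonSupported.delete=",
    ]
    for portal_name, ldap_name in plan["mapping"].items():
        lines += [
            f"federated.ldap.attributes.mapping.ldapName={ldap_name}",
            f"federated.ldap.attributes.mapping.portalName={portal_name}",
            "federated.ldap.attributes.mapping.entityTypes=" + ", ".join(entity_types),
        ]
    return lines

# Constructed inventories.  PORTAL_ATTRS repeats two names on purpose, the way the
# hand-written nonSupported list in this runbook repeated businessCategory and description.
PORTAL_ATTRS = ["uid", "cn", "sn", "mail", "st", "businessAddress", "businessCategory",
                "carLicense", "description", "jpegPhoto", "pager", "businessCategory", "description"]
LDAP_ATTRS = {"uid", "cn", "sn", "mail", "stateOrProvinceName", "description"}
MAPPING = {"st": "stateOrProvinceName"}   # the mapping used in this runbook

if __name__ == "__main__":
    plan = plan_attributes(PORTAL_ATTRS, LDAP_ATTRS, MAPPING)
    for err in plan["errors"]:
        print("ERROR:", err)
    print("\n".join(render_properties(plan)))
```

Feed `PORTAL_ATTRS` from the PersonAccount and Group sections of availableAttributes.html and `LDAP_ATTRS` from the directory schema; only paste the rendered lines into wkplc.properties when `errors` is empty.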
- Configure External LDAP
- Start all servers
- Use Apache Directory Studio to verify your bindDN and bindPassword are valid.
federated.ldap.host=t-myco-ldsap-01.mycompany.com
federated.ldap.port=7389
federated.ldap.bindDN=cn=extportalsvc,ou=service accounts,ou=operations,dc=external,dc=ad
federated.ldap.bindPassword=Passw++++
- Set the following values in wkplc.properties...
federated.ldap.id=RealmExt
federated.ldap.host=t-myco-ldsap-01.mycompany.com
federated.ldap.port=7389
federated.ldap.bindDN=cn=extportalsvc,ou=service accounts,ou=operations,dc=external,dc=ad
federated.ldap.bindPassword=Passw++++
federated.ldap.ldapServerType=ADAM
federated.ldap.baseDN=dc=external,dc=ad
federated.ldap.et.group.searchFilter=
federated.ldap.et.group.objectClasses=group
federated.ldap.et.group.objectClassesForCreate=group
federated.ldap.et.group.searchBases=dc=external,dc=ad
federated.ldap.et.personaccount.searchFilter=
federated.ldap.et.personaccount.objectClasses=user
federated.ldap.et.personaccount.objectClassesForCreate=user
federated.ldap.et.personaccount.searchBases=dc=external,dc=ad
federated.ldap.gm.groupMemberName=member
federated.ldap.gm.objectClass=group
federated.ldap.gm.scope=nested
federated.ldap.gm.dummyMember=
The RealmExt ldap.id represents an LDAP composed of external users.
- Validate LDAP server settings...
cd /opt/ext/ConfigEngine
./ConfigEngine.sh validate-federated-ldap -DWasPassword=wasadminfile
- Add a federated ldap...
./ConfigEngine.sh wp-create-ldap -DWasPassword=wasadminfile
- On the deployment manager and nodes, add:
<config:attributes name="userPrincipalName" propertyName="uid">
  <config:entityTypes>PersonAccount</config:entityTypes>
</config:attributes>
...to...
/opt/ext/AppServer/profiles/Dmgr01/config/cells/WPDmgrCell/wim/config/wimconfig.xml
Search for RealmExt, then after the <config:attributeConfiguration> element add the lines above, so that they sit right above the defaultAttribute=cn definition.
- Propagate changes
- List the names and types of configured repositories...
./ConfigEngine.sh wp-query-repository -DWasPassword=wasadminfile
Output may be written to...
/opt/ext/ConfigEngine/logs/ConfigTrace.log
- Log on to WAS console and verify settings
- Create RealmExt realm
- Edit...
/opt/ext/ConfigEngine/properties/wkplc.properties
- Enter a value for the following required parameters...
- realmName=RealmExt
- addBaseEntry=dc=external,dc=ad
- securityUse=active
- delimiter=/
- Save changes to the wkplc.properties.
- Add realm to the VMM configuration...
./ConfigEngine.sh wp-create-realm -DWasPassword=wasadminfile
- Propagate changes
- If we go to...
Administration | Manage Virtual Portals | New
...we should see the RealmExt realm as an option
- Configure realms in WAS console
- Log on to WAS console for your dmgr.
- Go to...
Security | Secure administration, applications, and infrastructure
- Under "User account repository" set "Federated repositories" as Current realm definition
- Click Configure and set...
Realm name: RealmInt
Primary administrative user name: cn=waswpadminext,ou=ExtUsers,ou=Portal Users,ou=Users,ou=Operations,dc=mycompany,dc=com
Server user identity: Automatically generated server identity
Ignore case for authorization: enabled
Repositories in the realm...
Base entry | Repository identifier | Repository type
dc=mycompany,dc=com | RealmInt | LDAP:AD2000
dc=external,dc=ad | RealmExt | LDAP:ADAM
ou=ExtUsers,ou=Portal Users,ou=Users,ou=Operations,dc=mycompany,dc=com | RealmInt | LDAP:AD2000
Go to...
Secure administration, applications, and infrastructure > CSIv2 outbound authentication
...and set RealmInt in Trusted Target Realms
- Ripple start Portal cluster.
- Change admin users and set default realm
At this point the file-based realm is still the default realm, so the WAS and Portal admins are still wasadminfile / wasadminfile. To change the default realm from the file-based realm to the RealmInt realm created above...
The WAS and Portal admin users we want to use are waswpadminext and wpadminext respectively. They can be found via Apache Directory Studio by going to...
DIT | Root DSE | DC=mycompany,DC=com | OU=Operations | OU=Users | OU=Portal Users
- Update wkplc.properties VMM Change admin users section.
For EXT users...
newAdminId=cn=waswpadminext,ou=ExtUsers,ou=Portal Users,ou=Users,ou=Operations,dc=mycompany,dc=com
newAdminPw=ExtP++++
For BIZ users...
newAdminId=cn=waswpadminbiz,ou=BizUsers,ou=Portal Users,ou=Users,ou=Operations,dc=mycompany,dc=com
newAdminPw=BizW++++
For myco users...
newAdminId=cn=waswpadminmyco,ou=MyCoUsers,ou=Portal Users,ou=Users,ou=Operations,dc=mycompany,dc=com
newAdminPw=P0rt++++
- Run...
./ConfigEngine.sh wp-change-was-admin-user -DWasPassword=wasadminfile
- Propagate changes
- Launch WAS Admin Console and try to login as new WAS Admin ID
- Edit wkplc.properties. For EXT...
newAdminId=cn=wpadminext,ou=ExtUsers,ou=Portal Users,ou=Users,ou=Operations,dc=mycompany,dc=com
newAdminPw=ExtP++++
newAdminGroupId=cn=myco-dg-wpadmins-dev-ext,ou=Portal Groups,ou=Groups,ou=Operations,dc=mycompany,dc=com
For EXT Test, use...
newAdminGroupId=cn=myco-dg-wpadmins-test-ext,ou=Portal Groups,ou=Groups,ou=Operations,dc=mycompany,dc=com
For BIZ...
newAdminId=cn=wpadminbiz,ou=BizUsers,ou=Portal Users,ou=Users,ou=Operations,dc=mycompany,dc=com
newAdminPw=BizW++++
newAdminGroupId=CN=myco-dg-wpadmins-dev-biz,OU=Portal Groups,OU=Groups,OU=Operations,DC=mycompany,DC=com
For myco...
newAdminId=cn=wpadminmyco,ou=MyCoUsers,ou=Portal Users,ou=Users,ou=Operations,dc=mycompany,DC=com
newAdminPw=P0rt++++
newAdminGroupId=cn=myco-dg-wpadmins-dev-myco,ou=Portal Groups,ou=Groups,ou=Operations,dc=mycompany,dc=com
- Run... (from here on -DWasPassword is the password of the new WAS admin user set in the previous step, no longer wasadminfile)
./ConfigEngine.sh wp-change-portal-admin-user -DWasPassword=password
- Propagate changes
- Launch Portal Page in Web browser. Login as New Portal Admin User id /pwd
- Now we should see Administration page (as this user is the portal admin user now).
- Log out and log in as the out-of-the-box user ID/password (the original Portal admin ID/password from the install). We should not see the Administration page, as this user is no longer the admin user.
- Set the realm created above Default :
- Edit wkplc.properties and set...
realmName=RealmInt
defaultRealmName=RealmInt
- Save changes to the wkplc.properties.
- Run the following task:
./ConfigEngine.sh wp-default-realm -DWasPassword=password (password of the new WAS admin user)
- Propagate changes
- Log on to WAS console and verify settings
- Optional: Set LDAP repository to be default repository
At this point the file-based repository (out-of-the-box security configuration) is the default repository, and any new user or group is saved there. To create new users and groups in the LDAP repository instead, perform the following steps to update the user registry where new users and groups are stored:
- Edit...
/opt/ext/ConfigEngine/properties/wkplc.properties
- Enter a value for the following required parameters in wkplc.properties under the VMM supported entity types configuration heading:
personAccountParent=
groupParent=cn=groups,dc=raleigh,dc=com (sample value; use the group container DN of the LDAP that should receive new groups)
personAccountRdnProperties=uid
groupRdnProperties=cn
- Save changes to wkplc.properties.
- Update the Group and PersonAccount entity types with corresponding default parent and relative distinguished name.
./ConfigEngine.sh wp-update-entitytypes -DWasPassword=wasadminfile
- Propagate changes
- Log on to WAS console and verify settings
- Optional: Set the default parents per entity type and realm.
- Set the following in wkplc.properties...
- realmName=RealmExt
- realm.personAccountParent=dc=external,dc=ad
- realm.groupParent=CN=groups,cn=groups,dc=external,dc=ad
- realm.orgContainerParent=dc=external,dc=ad
- Run the task...
./ConfigEngine.sh wp-modify-realm-defaultparents -DWasPassword=wasadminfile
- Propagate changes