This section describes how to configure and link the SQL repository definition file, userProfile.xml, and the LDAP repository’s ldapUserProfile.xml file for the purpose of creating an LDAP-based user directory.
1. Set up implicit repository linking for the two repositories. Implicit linking is a technique in which linked profile items share a unique property in both repositories, and linking is performed dynamically through code. In previous versions of the ATG Personalization module, implicit linking was the recommended technique for splitting profile data among repositories of different types; in ATG 6.0, this technique was superseded by the composite repository configuration described in Setting Up a Composite Profile Repository. Using implicit linking is still required, however, if you want to set up an LDAP-based user directory, and information about it is included in this manual for that purpose.

   Follow the directions in Linking SQL and LDAP Repositories. In particular, make sure you perform the steps in the subsection Configuring Personalization Module Components for Linked Repositories. Follow the directions exactly to set up the user view.

2. Determine the attributes that you will use as the entryId and parentId LDAP attributes. These must be attributes that exist in one of the object classes given as the object classes of a user. For example, the default LDAP repository implementation shows that a user has the object classes top, person, organizationalPerson, and inetOrgPerson. Pick or create an attribute in one of these object classes that will act as an entryId. Do the same thing for parentId.

   The parentId attribute holds the entryId of an object's parent object. For example, assume that the organizational unit People (ou=People,dc=atg.com) has the entryId 4. Also assume that there is a user in the People organization whose userid is johnq. Johnq will have an entryId of, for example, 5, and a parentId of 4. Make LDAP properties out of these attributes (see example).

   Note: On iPlanet 5.0, this relationship is already set up. However, you may not be able to find entryId and parentId as attributes of any object class. The process described here should work successfully regardless of whether you can find the attributes.

   If you have a different version of the iPlanet (Sun ONE) directory server, or another brand of server altogether, follow the instructions above to add the necessary attributes to your schema. Then set the values of those attributes for each organization and user that you want to expose in your ATG environment. Make sure that the values set up the relationship pattern outlined above: the root organizational unit has a particular entryId and an empty parentId. Then, all child organizational units and users of the root organization have unique entryIds and a parentId that is the same as the root organization's entryId.

3. Turn the default organization SQL item descriptor into a linked item descriptor. Do this by using XML combination to add a new property, ldapOrganization, to the organization item descriptor. This property looks very much like the sample ldapUser property described in Linking SQL and LDAP Repositories.

   Also, you must add a new view called organizationalUnit to the ldapUserProfile.xml file. See the sample userProfile.xml below for details. This configuration is produced by using the example in Linking SQL and LDAP Repositories as a model and substituting the organization item descriptor for user in the instructions.

4. Pick a particular item descriptor in the LDAP repository which represents an LDAP organization.

   Note: There is sometimes more than one object class that represents an organization in an LDAP system. For example, some people consider a domain to be a type of organization (dc=atg.com). In addition, a typical LDAP installation contains the object classes organization and organizationalUnit. As an ATG installation uses only one item descriptor for all organizations, there can be only one LDAP object class which represents implicitly linked organizations. The default is organizationalUnit, as this is the most commonly used LDAP organizational structure. Note that the root organization must also be an organizational unit. organizationalUnit is the default in the installation, but you can select any one object class to represent organizations in LDAP. Unfortunately, you cannot use your domain as your root organization for the reasons listed above. The key point is that there can be only one object class which corresponds to an organization in ATG.

5. Make sure there is a root organization in ATG that is linked to your chosen LDAP root organization. This step needs to be performed only if useGSARepositoryIdAsPrimaryKey is true (see the description of the ProfileUserDirectory component, and the important notes that follow it, for more information). If useGSARepositoryIdAsPrimaryKey is false, the SQL repository root organization will be created for you the first time it is accessed.

   If no root organization exists in your SQL repository, create an organization item whose uniqueIdPropertyLocal property value matches the uniqueIdPropertyRemote property value of the LDAP repository item that corresponds to your chosen LDAP root organization. See Linking SQL and LDAP Repositories for explanations of these terms.

   Example: Assume you pick the organization with the DN "ou=People,dc=atg.com" in LDAP as your root LDAP organization. You have set up your LDAP repository's organization item descriptor to have a property, name, that corresponds to the LDAP attribute ou. If you used the instructions here as a guide, you would have an item in the organizationalUnit item descriptor of your LDAP repository whose name is People. You would also set up your SQL repository organization item descriptor to have a property named ldapOrganization that is a RepositoryLinkPropertyDescriptor. In the example, the uniqueIdPropertyLocal is name, and the uniqueIdPropertyRemote is also name. In order to link a SQL repository item with the previously mentioned LDAP item, all you would have to do is create a SQL repository organization item whose name is People. The RepositoryLinkPropertyDescriptor does the rest.

   If there is a pre-existing root organization in your SQL repository, modify the default root organization to point to the LDAP root organization. The following steps show how to modify the default root organization:

   a. In the ACC, select People and Organizations > Profile Repository.
   b. Perform a query for items of type Organization.
   c. Edit the organization with the ID root, changing its name property to the name of your selected LDAP root organization, for example People.

   Alternatively, use a SQL editor to change the entry in the dps_organization table whose org_id is root. Change the name property to People.

6. Make sure your LDAP database is using a password encryption scheme supported by ATG's NDSPasswordHasher component. For iPlanet, the supported schemes are clearText (no encryption), SHA, and SSHA.

   In the iPlanet Admin UI, go to Server Config > Configuration > Data > Passwords. Scroll down to the "password encryption" entry. Change the value to a supported encryption scheme.

   In addition, make sure that the passwordHasher property of the ATG installation's PropertyManager component points to the NDSPasswordHasher component as follows:

   passwordHasher=/atg/adapter/ldap/NDSPasswordHasher

   Then set the encryption property of this component to the appropriate value (clearText, SHA, or SSHA), for example:

   encryption=SHA

   Notes:

   If you change your password encryption scheme, you must then regenerate the passwords for all existing users in your LDAP database. This is because all existing users already have their passwords stored in the database and encrypted with the old scheme.

   If you use an LDAP server other than iPlanet, you must create and configure a custom password hasher component rather than using NDSPasswordHasher. For more information, see LDAP Password Encryption in the LDAP Repositories chapter of the ATG Repository Guide.
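As an added pre-flight check that is not part of the ATG documentation or product: a small Python script that reads an LDIF export of the directory and verifies the two invariants the procedure above depends on, the entryId/parentId pattern (generalised so a parentId may reference any existing entryId, not only the root's) and the requirement that every stored userPassword uses a scheme NDSPasswordHasher supports. The LDIF sample is constructed, and the attribute names entryId and parentId and the {SCHEME} prefix on userPassword are assumptions about how the directory exposes them.

```python
# Added pre-flight check (example code, not ATG's) over a constructed LDIF export.
from collections import Counter

SUPPORTED_SCHEMES = {"CLEARTEXT", "SHA", "SSHA"}  # an unprefixed userPassword is clearText

# Constructed sample: root OU plus one user whose parentId and password scheme are wrong.
SAMPLE_LDIF = """\
dn: ou=People,dc=atg.com
ou: People
entryId: 4

dn: uid=johnq,ou=People,dc=atg.com
entryId: 5
parentId: 7
userPassword: {CRYPT}constructedValue
"""

def parse_ldif(text):
    """Minimal LDIF reader -> {dn: {attribute: value}}; no continuation or base64 lines."""
    entries = {}
    for block in text.strip().split("\n\n"):
        pairs = (line.partition(":") for line in block.splitlines())
        attrs = {name.strip(): value.strip() for name, _, value in pairs}
        entries[attrs["dn"]] = attrs
    return entries

def check_hierarchy(entries, root_dn):
    """Problems with the entryId/parentId pattern; an empty list means it holds."""
    if root_dn not in entries:
        return [f"root {root_dn} not found"]
    ids = Counter(a.get("entryId", "") for a in entries.values())
    problems = [f"{root_dn}: root must have an empty parentId"] if entries[root_dn].get("parentId") else []
    for dn, attrs in entries.items():
        eid, pid = attrs.get("entryId", ""), attrs.get("parentId", "")
        if not eid or ids[eid] > 1:
            problems.append(f"{dn}: entryId must be present and unique (got {eid!r})")
        if dn != root_dn and (not pid or pid not in ids):
            problems.append(f"{dn}: parentId does not reference an existing entryId")
    return problems

def check_password_schemes(entries):
    """Entries whose userPassword scheme NDSPasswordHasher cannot verify."""
    problems = []
    for dn, attrs in entries.items():
        pw = attrs.get("userPassword", "")
        scheme = pw[1:].partition("}")[0].upper() if pw.startswith("{") else "CLEARTEXT"
        if scheme not in SUPPORTED_SCHEMES:
            problems.append(f"{dn}: password scheme {scheme} is not supported")
    return problems
```

Run both checks over a real export before pointing PropertyManager at NDSPasswordHasher; any entry reported by check_password_schemes needs its password regenerated under the new scheme, as the note above describes.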

