Standalone LDAP without SSL

Configure IBM® WebSphere® Portal to use a standalone LDAP user registry to store all user account information for authorization. Because this configuration does not use SSL, the bind credentials and user passwords that WebSphere Portal sends to the LDAP server travel over the network in cleartext; use it only where the network path between the portal servers and the LDAP server is trusted.

In a single-server environment this task does not depend on the server status; the WebSphere_Portal and server1 servers can be either stopped or started. In a clustered environment you must stop all application servers on the system, including WebSphere_Portal and server1, and then start the nodeagent and deployment manager servers before starting this task.

If you need to rerun the wp-modify-ldap-security task, either to change the LDAP repositories or because the task failed, you must first do one of the following: choose a new name for the realm with the standalone.ldap.realm parameter, or set ignoreDuplicateIDs=true in the wkplc.properties file.

Perform the following steps to configure a standalone LDAP user registry:

Note: Use the wp_security_xxx.properties helper file, located in the wp_profile_root/ConfigEngine/config/helpers directory, when performing this task to ensure the correct properties are entered. In the instructions below, when a step refers to the wkplc.properties file, use your wp_security_xxx.properties helper file instead.
  1. Use a text editor to open the wkplc.properties file, located in the wp_profile_root/ConfigEngine/properties directory.

  2. Required: Enter a value for the following required parameters in the wkplc.properties file under the Stand-alone security heading:

    Note: See the properties file for specific information about the required parameters and for advanced parameters.
    standalone.ldap.id
    standalone.ldap.host
    standalone.ldap.port
    standalone.ldap.bindDN
    standalone.ldap.bindPassword
    standalone.ldap.ldapServerType
    standalone.ldap.userIdMap
    standalone.ldap.groupIdMap
    standalone.ldap.groupMemberIdMap
    standalone.ldap.userFilter
    standalone.ldap.groupFilter
    standalone.ldap.serverId
    standalone.ldap.serverPassword
    standalone.ldap.realm
    standalone.ldap.primaryAdminId
    standalone.ldap.primaryAdminPassword
    standalone.ldap.primaryPortalAdminId
    standalone.ldap.primaryPortalAdminPassword
    standalone.ldap.primaryPortalAdminGroup
    standalone.ldap.baseDN
    
  3. Required: Enter a value for the following required entity types parameters in the wkplc.properties file under the LDAP entity types heading:

    Note: See the properties file for specific information about the required parameters and for advanced parameters.
    standalone.ldap.et.group.objectClasses
    standalone.ldap.et.group.objectClassesForCreate
    standalone.ldap.et.group.searchBases
    standalone.ldap.et.personaccount.objectClasses
    standalone.ldap.et.personaccount.objectClassesForCreate
    standalone.ldap.et.personaccount.searchBases
    
  4. Required: Enter a value for the following required group member parameters in the wkplc.properties file under the Group member attributes heading:

    Note: See the properties file for specific information about the required parameters and for advanced parameters.
    standalone.ldap.gm.groupMemberName
    standalone.ldap.gm.objectClass
    standalone.ldap.gm.scope
    standalone.ldap.gm.dummyMember
    
  5. Required: Enter a value for the following required relative distinguished name (RDN®) parameters in the wkplc.properties file under the Default parent, RDN attribute heading:

    Note: See the properties file for specific information about the required parameters and for advanced parameters.
    standalone.ldap.personAccountParent
    standalone.ldap.groupParent
    standalone.ldap.personAccountRdnProperties
    standalone.ldap.groupRdnProperties
    
  6. Save your changes to the wkplc.properties file.

  7. Run the ConfigEngine.sh validate-standalone-ldap -DWasPassword=password task to validate your LDAP server settings.

    Attention: If you have not deleted the default file repository, WasPassword is the value entered during installation and not a value found in your LDAP user registry.
    Note: During the validation task, you may receive the following prompt: Add signer to the trust store now? Press y, then Enter.
  8. Run the ConfigEngine.sh wp-modify-ldap-security -DWasPassword=password task, from the wp_profile_root/ConfigEngine directory, to set the standalone LDAP user registry.

  9. Stop and restart the appropriate servers to propagate the changes. For specific instructions, see the following link under Related tasks: Starting and stopping servers, deployment managers, and node agents.

  10. Run the ConfigEngine.sh wp-validate-standalone-ldap-attribute-config -DWasPassword=password task, from the wp_profile_root/ConfigEngine directory, to check that all defined attributes are available in the configured LDAP user registry.

    Important: When you finish configuring your LDAP user registry, see “Adapting the attribute configuration" for information about adding and mapping attributes to ensure proper communication between WebSphere Portal and the LDAP server.
  11. Optional: Run the Member Fixer task to update the member names used by Web Content Management with the corresponding members in the LDAP directory. This step ensures that access to the Web content libraries for the Intranet and Internet Site Templates for the contentAuthors group is correctly mapped to the appropriate group in the LDAP directory.

    Note: This step is only needed if you have installed the product with Web Content Management and intend to use the Intranet and Internet Site Templates that were optionally installed with the product by running the configure-express task.
    1. Edit the wp_profile_root/PortalServer/wcm/shared/app/config/wcmservices/MemberFixerModule.properties file.

    2. Add the following lines to the file:

      uid=xyzadmin,o=defaultWIMFileBasedRealm -> portal_admin_DN

      cn=contentauthors,o=defaultWIMFileBasedRealm -> content_authors_group_DN

      Where portal_admin_DN is the distinguished name of the portal administrator and content_authors_group_DN is the distinguished name of the content authors group used during LDAP configuration.

      Important:
      • Ensure the portal administrator you specify for portal_admin_DN is a member of the group you specify for content_authors_group_DN; otherwise the portal administrator cannot access the Web content libraries for the Intranet and Internet Site Templates.

      • If you plan to run the express-memberfixer task in an environment with multiple realms, remove the cn=contentauthors,o=defaultWIMFileBasedRealm group if it exists. If this group exists in an environment with multiple realms, the Member Fixer task does not have any effect.

    3. Save your changes and close the file.

    4. Run the ConfigEngine.sh express-memberfixer -DmemberfixerRealm=realm_name -DPortalAdminPwd=password -DWasPassword=password task, located in the wp_profile_root/ConfigEngine directory.

      Note: Choose the appropriate value to enter for realm_name depending on the type of LDAP user registry you configured.

      The following table describes the value for realm_name when running the Member Fixer task to update the member names used by Web Content Management:

      Type of LDAP       Value
      Standalone LDAP    The value specified for realm_name must match the value for standalone.ldap.realm in the wkplc.properties file.

  12. Optional: Assign access to the Web content libraries.

    1. Log in as a portal administrator.

    2. Navigate to Administration -> Portal Content -> Web Content Libraries.

    3. Click the Set permissions icon for the Web library.

    4. Click the Edit Role icon for Editor.

    5. Add the group you specified for content_authors_group_DN as an Editor for the Intranet and Internet libraries.

    6. Click Apply then Done.

    7. If you have created any additional Web Content Management libraries, run the Web content member fixer task to update the member names used by the libraries.
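A pre-flight check for steps 1 through 7 above, added here as an example; it is not IBM code and not part of this page. The POSIX shell script reads the wkplc.properties file (or the wp_security_xxx.properties helper file), reports any of the required standalone.ldap.* keys from steps 2 through 5 that are missing or empty, warns when the file holding the bind and administrator passwords is world-readable or uses the LDAPS port in a no-SSL configuration, and can optionally test the bind DN and password with the OpenLDAP ldapsearch client before validate-standalone-ldap is run. The sample properties file it writes is constructed for the example: its values (ldap.example.com, cn=Manager,dc=example,dc=com, the IDS server type, the user filter) are placeholders, and the function names are this example's own.

```shell
#!/bin/sh
# Pre-flight check of the standalone LDAP settings before running the
# validate-standalone-ldap and wp-modify-ldap-security tasks.
# Added example, not IBM code. Assumes Java properties syntax: one key=value
# per line, "#" or "!" starting a comment line (what wkplc.properties uses).

# Required keys from steps 2 to 5 of the task (Stand-alone security,
# LDAP entity types, Group member attributes, Default parent/RDN attribute).
REQUIRED_KEYS="
standalone.ldap.id standalone.ldap.host standalone.ldap.port
standalone.ldap.bindDN standalone.ldap.bindPassword standalone.ldap.ldapServerType
standalone.ldap.userIdMap standalone.ldap.groupIdMap standalone.ldap.groupMemberIdMap
standalone.ldap.userFilter standalone.ldap.groupFilter
standalone.ldap.serverId standalone.ldap.serverPassword standalone.ldap.realm
standalone.ldap.primaryAdminId standalone.ldap.primaryAdminPassword
standalone.ldap.primaryPortalAdminId standalone.ldap.primaryPortalAdminPassword
standalone.ldap.primaryPortalAdminGroup standalone.ldap.baseDN
standalone.ldap.et.group.objectClasses standalone.ldap.et.group.objectClassesForCreate
standalone.ldap.et.group.searchBases
standalone.ldap.et.personaccount.objectClasses
standalone.ldap.et.personaccount.objectClassesForCreate
standalone.ldap.et.personaccount.searchBases
standalone.ldap.gm.groupMemberName standalone.ldap.gm.objectClass
standalone.ldap.gm.scope standalone.ldap.gm.dummyMember
standalone.ldap.personAccountParent standalone.ldap.groupParent
standalone.ldap.personAccountRdnProperties standalone.ldap.groupRdnProperties
"

# prop_value FILE KEY: print the value assigned to KEY (last assignment wins),
# or nothing if the key is absent, empty, or only present in a comment.
prop_value() {
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# check_props FILE: return 0 when every required key has a non-empty value;
# otherwise list the missing keys on stderr and return 1. Also warns about
# two things the ConfigEngine tasks do not check for you.
check_props() {
    file=$1
    missing=0
    for key in $REQUIRED_KEYS; do
        if [ -z "$(prop_value "$file" "$key")" ]; then
            echo "MISSING: $key" >&2
            missing=$((missing + 1))
        fi
    done
    # This task configures LDAP without SSL; 636 is the conventional LDAPS port,
    # so seeing it here usually means the wrong helper file or the wrong port.
    if [ "$(prop_value "$file" standalone.ldap.port)" = "636" ]; then
        echo "WARN: standalone.ldap.port=636 is the usual LDAPS port; this task uses plain LDAP" >&2
    fi
    # The file carries bind and administrator passwords in cleartext.
    if [ -n "$(find "$file" -perm -004 2>/dev/null)" ]; then
        echo "WARN: $file is world-readable but contains LDAP passwords" >&2
    fi
    [ "$missing" -eq 0 ]
}

# ldap_bind_check FILE: optional live check with the OpenLDAP ldapsearch client.
# Binds as standalone.ldap.bindDN over plain ldap:// (no SSL, as in this task)
# and reads the base entry of standalone.ldap.baseDN. Skipped when ldapsearch
# is not installed. The password is passed with -y (a file), not -w, so it does
# not appear in the process list.
ldap_bind_check() {
    command -v ldapsearch >/dev/null 2>&1 || { echo "ldapsearch not installed; skipping" >&2; return 0; }
    pwfile=$(mktemp) || return 1
    printf '%s' "$(prop_value "$1" standalone.ldap.bindPassword)" > "$pwfile"
    ldapsearch -x -H "ldap://$(prop_value "$1" standalone.ldap.host):$(prop_value "$1" standalone.ldap.port)" \
        -D "$(prop_value "$1" standalone.ldap.bindDN)" -y "$pwfile" \
        -b "$(prop_value "$1" standalone.ldap.baseDN)" -s base '(objectClass=*)' dn
    rc=$?
    rm -f "$pwfile"
    return $rc
}

# make_sample_props DIR: write a constructed sample file and print its path.
# Every value is a placeholder for this example, not from a real directory.
make_sample_props() {
    out="$1/wp_security_sample.properties"
    : > "$out"
    for key in $REQUIRED_KEYS; do
        echo "$key=sample" >> "$out"
    done
    cat >> "$out" <<'EOF'
# overrides with realistic-looking (still constructed) values
standalone.ldap.host=ldap.example.com
standalone.ldap.port=389
standalone.ldap.bindDN=cn=Manager,dc=example,dc=com
standalone.ldap.baseDN=dc=example,dc=com
standalone.ldap.ldapServerType=IDS
standalone.ldap.userFilter=(&(uid=%v)(objectclass=inetOrgPerson))
EOF
    echo "$out"
}

# Stand-alone demo on the constructed sample. For a real run, point check_props
# (and optionally ldap_bind_check) at wp_profile_root/ConfigEngine/properties/
# wkplc.properties or at the wp_security_xxx.properties helper file instead.
demo_dir=$(mktemp -d)
sample=$(make_sample_props "$demo_dir")
if check_props "$sample"; then
    echo "$sample: all required standalone.ldap.* keys are set"
fi
rm -rf "$demo_dir"
```

Run the script before step 7; a MISSING line means validate-standalone-ldap would fail or prompt for that value, and the world-readable warning is worth fixing before the file leaves your editor, since the same passwords are what an attacker on the unencrypted network segment would also see.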