LDAP User Registry without SSL
Configure IBM® WebSphere® Portal to use a standalone LDAP user registry to store all user account information for authorization. Because this configuration does not use SSL, the bind credentials and user passwords exchanged between the portal and the LDAP server cross the network unencrypted; use it only on a trusted network segment.
If you need to rerun the wp-modify-ldap-security task, either to change the LDAP repositories or because the task failed, you must first choose a new realm name with the standalone.ldap.realm parameter, or set ignoreDuplicateIDs=true in the wkplc.properties file, before rerunning the task.
Perform the following steps to configure a standalone LDAP user registry:
Use a text editor to open the wkplc.properties file, located in the wp_profile_root\\ConfigEngine\\properties directory.
Required: Enter a value for the following required parameters in the wkplc.properties file under the Stand-alone security heading:
Note: See the properties file for specific information about the required parameters and for advanced parameters.
standalone.ldap.id
standalone.ldap.host
standalone.ldap.port
standalone.ldap.bindDN
standalone.ldap.bindPassword
standalone.ldap.ldapServerType
standalone.ldap.userIdMap
standalone.ldap.groupIdMap
standalone.ldap.groupMemberIdMap
standalone.ldap.userFilter
standalone.ldap.groupFilter
standalone.ldap.serverId
standalone.ldap.serverPassword
standalone.ldap.realm
standalone.ldap.primaryAdminId
standalone.ldap.primaryAdminPassword
standalone.ldap.primaryPortalAdminId
standalone.ldap.primaryPortalAdminPassword
standalone.ldap.primaryPortalAdminGroup
standalone.ldap.baseDN
Required: Enter a value for the following required entity types parameters in the wkplc.properties file under the LDAP entity types heading:
Note: See the properties file for specific information about the required parameters and for advanced parameters.
standalone.ldap.et.group.objectClasses
standalone.ldap.et.group.objectClassesForCreate
standalone.ldap.et.group.searchBases
standalone.ldap.et.personaccount.objectClasses
standalone.ldap.et.personaccount.objectClassesForCreate
standalone.ldap.et.personaccount.searchBase
Required: Enter a value for the following required group member parameters in the wkplc.properties file under the Group member attributes heading:
Note: See the properties file for specific information about the required parameters and for advanced parameters.
standalone.ldap.gm.groupMemberName
standalone.ldap.gm.objectClass
standalone.ldap.gm.scope
standalone.ldap.gm.dummyMember
Required: Enter a value for the following required relative distinguished name (RDN) parameters in the wkplc.properties file under the Default parent, RDN attribute heading:
Note: See the properties file for specific information about the required parameters and for advanced parameters.
standalone.ldap.personAccountParent
standalone.ldap.groupParent
standalone.ldap.personAccountRdnProperties
standalone.ldap.groupRdnProperties
Save your changes to the wkplc.properties file.
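As an added example (not IBM's code and not part of the ConfigEngine tasks), the following Python script performs the pre-flight check a practitioner would want before running validate-standalone-ldap: it parses wkplc.properties, reports every parameter from the four required lists above that is absent or empty, sanity-checks the filter and id-map syntax, and lists the password parameters the file holds in cleartext. The properties excerpt embedded in it is constructed; the %v placeholder and objectclass:attribute conventions it lints are assumptions about the WebSphere stand-alone LDAP filter syntax.

```python
"""Pre-flight check of the stand-alone LDAP parameters in wkplc.properties.
Added example for this page, not part of WebSphere Portal or ConfigEngine. It
reads a Java properties file, reports required parameters that are missing or
empty, lints filter and id-map syntax, and lists the passwords the file holds
in cleartext. SAMPLE is a constructed wkplc.properties excerpt with faults."""
import re

def _keys(prefix, names):
    return [f"standalone.ldap.{prefix}{n}" for n in names.split()]

# Required parameters, grouped by the headings used in wkplc.properties.
REQUIRED = {
    "Stand-alone security": _keys("", "id host port bindDN bindPassword ldapServerType "
        "userIdMap groupIdMap groupMemberIdMap userFilter groupFilter serverId "
        "serverPassword realm primaryAdminId primaryAdminPassword primaryPortalAdminId "
        "primaryPortalAdminPassword primaryPortalAdminGroup baseDN"),
    "LDAP entity types": _keys("et.", "group.objectClasses group.objectClassesForCreate "
        "group.searchBases personaccount.objectClasses "
        "personaccount.objectClassesForCreate personaccount.searchBase"),
    "Group member attributes": _keys("gm.", "groupMemberName objectClass scope dummyMember"),
    "Default parent, RDN attribute": _keys("", "personAccountParent groupParent "
        "personAccountRdnProperties groupRdnProperties"),
}

# Constructed sample: et.group.searchBases is absent, gm.dummyMember is empty,
# the RDN section is missing and groupFilter has an unbalanced parenthesis.
SAMPLE = r"""
standalone.ldap.id=ldap1
standalone.ldap.host=ldap.example.com
standalone.ldap.port=389
standalone.ldap.bindDN=cn=portalbind,dc=example,dc=com
standalone.ldap.bindPassword=changeit
standalone.ldap.ldapServerType=IDS
standalone.ldap.userIdMap=*:uid
standalone.ldap.groupIdMap=*:cn
standalone.ldap.groupMemberIdMap=groupOfUniqueNames:uniqueMember;\
    groupOfNames:member
standalone.ldap.userFilter=(&(uid=%v)(objectclass=inetOrgPerson))
standalone.ldap.groupFilter=(&(cn=%v)(objectclass=groupOfUniqueNames)
standalone.ldap.serverId=uid=wpsbind,cn=users,dc=example,dc=com
standalone.ldap.serverPassword=changeit
standalone.ldap.realm=portalRealm
standalone.ldap.primaryAdminId=uid=wpsadmin,cn=users,dc=example,dc=com
standalone.ldap.primaryAdminPassword=changeit
standalone.ldap.primaryPortalAdminId=uid=wpsadmin,cn=users,dc=example,dc=com
standalone.ldap.primaryPortalAdminPassword=changeit
standalone.ldap.primaryPortalAdminGroup=cn=wpsadmins,cn=groups,dc=example,dc=com
standalone.ldap.baseDN=dc=example,dc=com
standalone.ldap.et.group.objectClasses=groupOfUniqueNames
standalone.ldap.et.group.objectClassesForCreate=groupOfUniqueNames
standalone.ldap.et.personaccount.objectClasses=inetOrgPerson
standalone.ldap.et.personaccount.objectClassesForCreate=inetOrgPerson
standalone.ldap.et.personaccount.searchBase=cn=users,dc=example,dc=com
standalone.ldap.gm.groupMemberName=uniqueMember
standalone.ldap.gm.objectClass=groupOfUniqueNames
standalone.ldap.gm.scope=direct
standalone.ldap.gm.dummyMember=
"""

def parse_properties(text):
    """Minimal java.util.Properties reader: #/! comments, key=value, backslash continuation."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()   # continuation lines lose leading whitespace
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]        # value continues on the next line
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def check_required(props):
    """Map each heading to its required keys that are absent or empty."""
    missing = {}
    for heading, keys in REQUIRED.items():
        bad = [k for k in keys if not props.get(k, "").strip()]
        if bad:
            missing[heading] = bad
    return missing

def lint_filters(props):
    """Assumed conventions: search filters carry a %v placeholder for the looked-up
    value; id maps are 'objectclass:attribute' pairs joined by ';'."""
    findings = []
    for key in ("standalone.ldap.userFilter", "standalone.ldap.groupFilter"):
        val = props.get(key, "")
        if val and "%v" not in val:
            findings.append(f"{key}: no %v placeholder")
        if val.count("(") != val.count(")"):
            findings.append(f"{key}: unbalanced parentheses")
    for key in ("standalone.ldap.userIdMap", "standalone.ldap.groupIdMap",
                "standalone.ldap.groupMemberIdMap"):
        for pair in filter(None, props.get(key, "").split(";")):
            if not re.fullmatch(r"[^:;]+:[^:;]+", pair.strip()):
                findings.append(f"{key}: '{pair.strip()}' is not objectclass:attribute")
    return findings

def cleartext_passwords(props):
    """Password parameters that are set; the file stores them unencrypted, so
    restrict its permissions and clear them once the ConfigEngine tasks have run."""
    return [k for ks in REQUIRED.values() for k in ks if k.endswith("Password") and props.get(k)]

if __name__ == "__main__":
    p = parse_properties(SAMPLE)
    print(check_required(p), lint_filters(p), cleartext_passwords(p), sep="\n")
```

Run it against the real file by replacing SAMPLE with the contents of wp_profile_root/ConfigEngine/properties/wkplc.properties; anything it reports under check_required will also make validate-standalone-ldap fail, and the cleartext_passwords list is the set of values to scrub from the file after wp-modify-ldap-security has completed.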
Run the ./ConfigEngine.sh validate-standalone-ldap -DWasPassword=password task to validate your LDAP server settings.
Attention: If you have not deleted the default file repository, WasPassword is the value entered during installation and not a value found in your LDAP user registry.
Note: During the validation task, you may receive the following prompt: Add signer to the trust store now? Press y and Enter.
Run the ./ConfigEngine.sh wp-modify-ldap-security -DWasPassword=password task, from the wp_profile_root\\ConfigEngine directory, to set the stand-alone LDAP user registry.
Stop and restart the appropriate servers to propagate the changes. For specific instructions, see the following link under Related tasks: Starting and stopping servers, deployment managers, and node agents.
Run the ./ConfigEngine.sh wp-validate-standalone-ldap-attribute-config -DWasPassword=password task, from the wp_profile_root\\ConfigEngine directory, to check that all defined attributes are available in the configured LDAP user registry.
Important: When you finish configuring your LDAP user registry, see "Adapting the attribute configuration" for information about adding and mapping attributes to ensure proper communication between WebSphere Portal and the LDAP server.
Optional: Run the Member Fixer task to update the member names used by Web Content Management with the corresponding members in the LDAP directory. This step ensures that access to the Web content libraries for the Intranet and Internet Site Templates for the contentAuthors group is correctly mapped to the appropriate group in the LDAP directory.
Note: This step is only needed if you have installed the product with Web Content Management and intend to use the Intranet and Internet Site Templates that were optionally installed with the product by running the configure-express task.
Edit the wp_profile_root\\PortalServer\\wcm\\shared\\app\\config\\wcmservices\\MemberFixerModule.properties file.
Add the following lines to the file:
uid=xyzadmin,o=defaultWIMFileBasedRealm -> portal_admin_DN
cn=contentauthors,o=defaultWIMFileBasedRealm -> content_authors_group_DN
Where portal_admin_DN is the distinguished name of the portal administrator and content_authors_group_DN is the distinguished name of the content authors group used during LDAP configuration.
Important: Ensure the portal administrator you specify for portal_admin_DN is a member of the group you specify for content_authors_group_DN, otherwise the portal administrator cannot access the Web content libraries for the Intranet and Internet Site Templates.
If you plan to run the express-memberfixer task in an environment with multiple realms, remove the cn=contentauthors,o=defaultWIMFileBasedRealm group if it exists. If this group exists in an environment with multiple realms, the Member Fixer task does not have any effect.
Save your changes and close the file.
Run the ./ConfigEngine.sh express-memberfixer -DmemberfixerRealm=realm_name -DPortalAdminPwd=password -DWasPassword=password task, located in the wp_profile_root\\ConfigEngine directory.
Note: Choose the appropriate value to enter for realm_name depending on the type of LDAP user registry you configured. The following table contains the value for realm_name when running the Member Fixer task to update the member names used by Web Content Management:
Type of LDAP: Value for realm_name
Standalone LDAP: The value specified for realm_name should match the value for standalone.ldap.realm in the wkplc.properties file.
Federated LDAP: The value specified for realm_name should match the value for federated.realm in the wkplc.properties file. If the value for federated.realm is empty, use defaultWIMFileBasedRealm as the default value.
Optional: Assign access to the Web content libraries.
Log in as a portal administrator.
Navigate to Administration -> Portal Content -> Web Content Libraries.
Click the Set permissions icon for the Web library.
Click the Edit Role icon for Editor.
Add the group you specified for content_authors_group_DN as an Editor for the Intranet and Internet libraries.
Click Apply then Done.
If you have created any additional Web Content Management libraries, run the Web content member fixer task to update the member names used by the libraries.