LDAP User Registry without SSL

Configure IBM® WebSphere® Portal to use a standalone LDAP user registry to store all user account information for authorization.

If you need to rerun the wp-modify-ldap-security task, either to change the LDAP repositories or because the task failed, you must first either choose a new realm name with the standalone.ldap.realm parameter or set ignoreDuplicateIDs=true in the wkplc.properties file.

Perform the following steps to configure a standalone LDAP user registry:

Note: Use the wp_security_xxx.properties helper file, located in the wp_profile_root/ConfigEngine/config/helpers directory, when performing this task to ensure the correct properties are entered. In the instructions below, wherever a step refers to the wkplc.properties file, use your wp_security_xxx.properties helper file instead.
  1. Use a text editor to open the wkplc.properties file, located in the wp_profile_root\ConfigEngine\properties directory.

  2. Required: Enter a value for the following required parameters in the wkplc.properties file under the Stand-alone security heading:

    Note: See the properties file for specific information about the required parameters and for advanced parameters.

    standalone.ldap.id

    standalone.ldap.host

    standalone.ldap.port

    standalone.ldap.bindDN

    standalone.ldap.bindPassword

    standalone.ldap.ldapServerType

    standalone.ldap.userIdMap

    standalone.ldap.groupIdMap

    standalone.ldap.groupMemberIdMap

    standalone.ldap.userFilter

    standalone.ldap.groupFilter

    standalone.ldap.serverId

    standalone.ldap.serverPassword

    standalone.ldap.realm

    standalone.ldap.primaryAdminId

    standalone.ldap.primaryAdminPassword

    standalone.ldap.primaryPortalAdminId

    standalone.ldap.primaryPortalAdminPassword

    standalone.ldap.primaryPortalAdminGroup

    standalone.ldap.baseDN

  3. Required: Enter a value for the following required entity types parameters in the wkplc.properties file under the LDAP entity types heading:

    Note: See the properties file for specific information about the required parameters and for advanced parameters.

    standalone.ldap.et.group.objectClasses

    standalone.ldap.et.group.objectClassesForCreate

    standalone.ldap.et.group.searchBases

    standalone.ldap.et.personaccount.objectClasses

    standalone.ldap.et.personaccount.objectClassesForCreate

    standalone.ldap.et.personaccount.searchBases

  4. Required: Enter a value for the following required group member parameters in the wkplc.properties file under the Group member attributes heading:

    Note: See the properties file for specific information about the required parameters and for advanced parameters.

    standalone.ldap.gm.groupMemberName

    standalone.ldap.gm.objectClass

    standalone.ldap.gm.scope

    standalone.ldap.gm.dummyMember

  5. Required: Enter a value for the following required relative distinguished name (RDN®) parameters in the wkplc.properties file under the Default parent, RDN attribute heading:

    Note: See the properties file for specific information about the required parameters and for advanced parameters.

    standalone.ldap.personAccountParent

    standalone.ldap.groupParent

    standalone.ldap.personAccountRdnProperties

    standalone.ldap.groupRdnProperties

  6. Save your changes to the wkplc.properties file.

  7. Run the ./ConfigEngine.sh validate-standalone-ldap -DWasPassword=password task to validate your LDAP server settings.

    Attention: If you have not deleted the default file repository, WasPassword is the value entered during installation and not a value found in your LDAP user registry.
    Note: During the validation task, you may receive the following prompt: Add signer to the trust store now? Press y and Enter.
  8. Run the ./ConfigEngine.sh wp-modify-ldap-security -DWasPassword=password task, from the wp_profile_root\ConfigEngine directory, to set the stand-alone LDAP user registry.

  9. Stop and restart the appropriate servers to propagate the changes. For specific instructions, see the following link under Related tasks: Starting and stopping servers, deployment managers, and node agents.

  10. Run the ./ConfigEngine.sh wp-validate-standalone-ldap-attribute-config -DWasPassword=password task, from the wp_profile_root\ConfigEngine directory, to check that all defined attributes are available in the configured LDAP user registry.

    Important: When you finish configuring your LDAP user registry, see "Adapting the attribute configuration" for information about adding and mapping attributes to ensure proper communication between WebSphere Portal and the LDAP server.
  11. Optional: Run the Member Fixer task to update the member names used by Web Content Management with the corresponding members in the LDAP directory. This step ensures that access to the Web content libraries for the Intranet and Internet Site Templates for the contentAuthors group is correctly mapped to the appropriate group in the LDAP directory.

    Note: This step is only needed if you have installed the product with Web Content Management and intend to use the Intranet and Internet Site Templates that were optionally installed with the product by running the configure-express task.
    1. Edit the wp_profile_root\PortalServer\wcm\shared\app\config\wcmservices\MemberFixerModule.properties file.

    2. Add the following lines to the file:

      uid=xyzadmin,o=defaultWIMFileBasedRealm -> portal_admin_DN

      cn=contentauthors,o=defaultWIMFileBasedRealm -> content_authors_group_DN

      Where portal_admin_DN is the distinguished name of the portal administrator and content_authors_group_DN is the distinguished name of the content authors group used during LDAP configuration.

      Important:
      • Ensure that the portal administrator you specify for portal_admin_DN is a member of the group you specify for content_authors_group_DN; otherwise the portal administrator cannot access the Web content libraries for the Intranet and Internet Site Templates.

      • If you plan to run the express-memberfixer task in an environment with multiple realms, remove the cn=contentauthors,o=defaultWIMFileBasedRealm group if it exists. If this group exists in an environment with multiple realms, the Member Fixer task has no effect.

    3. Save your changes and close the file.

    4. Run the ./ConfigEngine.sh express-memberfixer -DmemberfixerRealm=realm_name -DPortalAdminPwd=password -DWasPassword=password task, located in the wp_profile_root\ConfigEngine directory.

      Note: Choose the value to enter for realm_name according to the type of LDAP user registry you configured. The following table gives the value of realm_name for running the Member Fixer task to update the member names used by Web Content Management:

      Type of LDAP      Value for realm_name
      Standalone LDAP   Must match the value of standalone.ldap.realm in the wkplc.properties file.
      Federated LDAP    Must match the value of federated.realm in the wkplc.properties file. If federated.realm is empty, use the default value defaultWIMFileBasedRealm.

  12. Optional: Assign access to the Web content libraries.

    1. Log in as a portal administrator.

    2. Navigate to Administration -> Portal Content -> Web Content Libraries.

    3. Click the Set permissions icon for the Web library.

    4. Click the Edit Role icon for Editor.

    5. Add the group you specified for content_authors_group_DN as an Editor for the Intranet and Internet libraries.

    6. Click Apply then Done.

    7. If you have created any additional Web Content Management libraries, run the Web content member fixer task to update the member names used by the libraries.
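The following Python script is an added example, not IBM code and not part of the original page. It reads the stand-alone section of a wkplc.properties file offline and reports missing required keys and settings worth a second look before the validate-standalone-ldap and wp-modify-ldap-security tasks are run. The key names are exactly the ones listed in steps 2 to 5 above; the property values in the embedded sample, the DN syntax check, the %v placeholder check and the cleartext-port warning are this example's own assumptions rather than anything the page states.

```python
"""Pre-flight checks for the stand-alone LDAP section of wkplc.properties.

Added example, not IBM or WebSphere Portal code. It parses a Java
.properties file, confirms every required key from steps 2 to 5 of the
procedure is present and non-empty, and lists settings a reviewer would
question before running wp-modify-ldap-security. SAMPLE is constructed.
"""
import re

# Required keys exactly as the procedure lists them (steps 2 to 5).
REQUIRED_KEYS = ["standalone.ldap." + k for k in (
    "id host port bindDN bindPassword ldapServerType userIdMap groupIdMap "
    "groupMemberIdMap userFilter groupFilter serverId serverPassword realm "
    "primaryAdminId primaryAdminPassword primaryPortalAdminId "
    "primaryPortalAdminPassword primaryPortalAdminGroup baseDN "
    "et.group.objectClasses et.group.objectClassesForCreate et.group.searchBases "
    "et.personaccount.objectClasses et.personaccount.objectClassesForCreate "
    "et.personaccount.searchBases gm.groupMemberName gm.objectClass gm.scope "
    "gm.dummyMember personAccountParent groupParent personAccountRdnProperties "
    "groupRdnProperties").split()]

# Loose DN syntax (assumption of this check): comma-separated attr=value pairs.
_DN_RE = re.compile(r"^[A-Za-z][\w-]*=[^,]+(\s*,\s*[A-Za-z][\w-]*=[^,]+)*$")


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comment lines, '=' or ':'
    separators and backslash line continuations. Returns a dict."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]            # value continues on the next line
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_standalone_ldap(props):
    """Return (severity, message) findings; an empty list means no complaints."""
    get = lambda k: props.get(k, "").strip()
    findings = []
    for key in REQUIRED_KEYS:
        if not get(key):
            findings.append(("ERROR", key + " is missing or empty"))
    # The registry substitutes the login name for %v; a filter without it
    # cannot look up one user or group, so the validation task cannot pass.
    for key in ("standalone.ldap.userFilter", "standalone.ldap.groupFilter"):
        if get(key) and "%v" not in get(key):
            findings.append(("ERROR", key + " has no %v placeholder"))
    for key in ("standalone.ldap.bindDN", "standalone.ldap.baseDN",
                "standalone.ldap.personAccountParent", "standalone.ldap.groupParent"):
        if get(key) and not _DN_RE.match(get(key)):
            findings.append(("ERROR", key + " is not a valid DN: " + get(key)))
    # This page configures LDAP without SSL; 389 is the cleartext LDAP port,
    # so the bind password and every search result cross the network unencrypted.
    if get("standalone.ldap.port") == "389":
        findings.append(("WARN", "port 389 without SSL: bind credentials cross the network in cleartext"))
    return findings


# Constructed sample of the stand-alone security section; gm.dummyMember is
# deliberately left out and groupFilter lacks %v so the checks have work to do.
SAMPLE = r"""
# constructed sample, not a real deployment
standalone.ldap.id=ldap1
standalone.ldap.host=ldap.example.test
standalone.ldap.port=389
standalone.ldap.bindDN=cn=admin,dc=example,dc=test
standalone.ldap.bindPassword=bind-secret
standalone.ldap.ldapServerType=IDS
standalone.ldap.userIdMap=*:uid
standalone.ldap.groupIdMap=*:cn
standalone.ldap.groupMemberIdMap=groupOfUniqueNames:uniqueMember
standalone.ldap.userFilter=(&(uid=%v)(objectclass=inetOrgPerson))
standalone.ldap.groupFilter=(objectclass=groupOfUniqueNames)
standalone.ldap.serverId=uid=wpsbind,cn=users,dc=example,dc=test
standalone.ldap.serverPassword=server-secret
standalone.ldap.realm=portalRealm
standalone.ldap.primaryAdminId=uid=wpsadmin,cn=users,dc=example,dc=test
standalone.ldap.primaryAdminPassword=admin-secret
standalone.ldap.primaryPortalAdminId=uid=wpsadmin,cn=users,dc=example,dc=test
standalone.ldap.primaryPortalAdminPassword=admin-secret
standalone.ldap.primaryPortalAdminGroup=cn=wpsadmins,cn=groups,dc=example,dc=test
standalone.ldap.baseDN=dc=example,dc=test
standalone.ldap.et.group.objectClasses=groupOfUniqueNames
standalone.ldap.et.group.objectClassesForCreate=groupOfUniqueNames
standalone.ldap.et.group.searchBases=cn=groups,dc=example,dc=test
standalone.ldap.et.personaccount.objectClasses=inetOrgPerson;\
    organizationalPerson
standalone.ldap.et.personaccount.objectClassesForCreate=inetOrgPerson
standalone.ldap.et.personaccount.searchBases=cn=users,dc=example,dc=test
standalone.ldap.gm.groupMemberName=uniqueMember
standalone.ldap.gm.objectClass=groupOfUniqueNames
standalone.ldap.gm.scope=direct
! standalone.ldap.gm.dummyMember intentionally omitted
standalone.ldap.personAccountParent=cn=users,dc=example,dc=test
standalone.ldap.groupParent=cn=groups,dc=example,dc=test
standalone.ldap.personAccountRdnProperties=uid
standalone.ldap.groupRdnProperties=cn
"""

if __name__ == "__main__":
    for severity, message in check_standalone_ldap(parse_properties(SAMPLE)):
        print(severity, message)
```

Point the script at your real helper file by replacing SAMPLE with the file's contents; it only reads the file and never contacts the LDAP server, so it can run before the credentials in the file are exposed to a validation task. The port warning is deliberately a warning rather than an error because this procedure is the non-SSL variant; it exists to make the cleartext exposure visible in a review log.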