Configuring Stand-alone LDAP registry

These are the steps that i followed to configure Stand-alone LDAP registry for the WebSphere Portal Server.

  • Start the server1 and WebSphere_Portal server

  • First change the software/IBM/WebSphere/wp_profile/ConfigEngine/config/helpers/wp_security_ids.properties file like this. Since i used the PortalUsers.ldif file to create users in LDAP, i had to make very few changes in the wp_security_ids.properties. I had to replace youco with spinfotech and use wpsbind for bind user id and wasadmin as websphere application server admin user id.

    # The id specifies a unique identifier for the repository within the cell
    # Characters that are not allowed in normal XML strings ( & < > " ' ) cannot be used in the repository ID.
    standalone.ldap.id=spinfotech

    # Specifies the host name of the primary LDAP server. This host name is either an IP address or a domain name service (DNS) name.
    standalone.ldap.host=192.168.174.1

    # Specifies the LDAP server port.
    standalone.ldap.port=389

    # Specifies the distinguished name for the application server to use when binding to the LDAP repository.
    standalone.ldap.bindDN=uid=wpsbind,cn=users,dc=spinfotech,dc=com

    # Specifies the password for the application server to use when binding to the LDAP repository.
    standalone.ldap.bindPassword=wpsbind

    # Specifies the type of LDAP server to which you connect
    # Supported values on WAS 6.1: IDS4, IDS51, IDS52, IDS6, SECUREWAY
    # Note: If your LDAP server version is not listed, enter the value for the highest listed version of your server
    # Supported values on WAS 7: IDS
    standalone.ldap.ldapServerType=IDS6

    # Specifies the LDAP filter that maps the short name of a user to an LDAP entry.
    # For example, to display entries of the object class = inetOrgPerson type by their IDs, specify inetOrgPerson:uid.
    # This field takes multiple objectclass:property pairs delimited by a semicolon (;).
    # note: not used during node federation to DMGR with WAS ldap security enabled
    standalone.ldap.userIdMap=*:uid

    # Specifies the LDAP filter that maps the short name of a group to an LDAP entry.
    # Specifies the piece of information that represents groups when groups display. For example, to display groups by their names, specify *:cn.
    # The asterisk (*) is a wildcard character that searches on any object class in this case.
    # This field takes multiple objectclass:property pairs, delimited by a semicolon (;).
    # note: not used during node federation to DMGR with WAS ldap security enabled
    standalone.ldap.groupIdMap=*:cn

    # Specifies the LDAP filter that identifies user-to-group relationships.
    # Specifies which property of an objectclass stores the list of members belonging to the group represented by the objectclass.
    # For directory types SecureWay, and Domino, this field takes multiple objectclass:property pairs, delimited by a semicolon (;).
    # For IBM Directory Server, Sun ONE, and Active Directory, this field takes multiple group attribute:member attribute pairs delimited by a semicolon (;).
    # For more information about this syntax, see the LDAP directory service documentation.
    # note: not used during node federation to DMGR with WAS ldap security enabled
    standalone.ldap.groupMemberIdMap=

    # Specifies the LDAP user filter that searches the user registry for users.
    # For example, to look up users based on their user IDs, specify (&(uid=%v)(objectclass=inetOrgPerson))
    # note: not used during node federation to DMGR with WAS ldap security enabled
    standalone.ldap.userFilter=(&(uid=%v)(objectclass=inetOrgPerson))

    # Specifies the LDAP group filter that searches the user registry for groups.
    # note: not used during node federation to DMGR with WAS ldap security enabled
    standalone.ldap.groupFilter=(&(cn=%v)(objectclass=groupOfUniqueNames))

    # Specifies a user ID and password in the repository that is used for internal process communication.
    # note: not used during node federation to DMGR with WAS ldap security enabled
    standalone.ldap.serverId=uid=wpsbind,cn=users,dc=spinfotech,dc=com
    standalone.ldap.serverPassword=wpsbind

    # The security context of this server. A realm with this name will be created.
    standalone.ldap.realm=spinfotech


    # The ID of the WAS admin user. The ID must exist in the LDAP server.
    standalone.ldap.primaryAdminId=uid=wasadmin,cn=users,dc=spinfotech,dc=com
    standalone.ldap.primaryAdminPassword=wasadmin

    # The ID of the portal admin user. The ID must exist in the LDAP server.
    standalone.ldap.primaryPortalAdminId=uid=wasadmin,cn=users,dc=spinfotech,dc=com
    standalone.ldap.primaryPortalAdminPassword=wasadmin

    # The user group with admin permission in portal. The group must exist in the LDAP server.
    standalone.ldap.primaryPortalAdminGroup=cn=wpsadmins,cn=groups,dc=spinfotech,dc=com

    # The LDAP base entry.
    # This is the startpoint for all LDAP searches of Websphere Application Server Security
    standalone.ldap.baseDN=dc=spinfotech,dc=com

    ########################
    ##
    ## LDAP entity types
    ##
    ########################

    # Entity type Group

    # The search filter that you want to use to search the entity type.
    # VMM uses this filter as an addition during search requests in your environment
    # The syntax is like a standard LDAP searchfilter like (objectclass=groupOfUniqueNames)
    # In general this value can be left blank
    standalone.ldap.et.group.searchFilter=

    # One or more object classes (separated by ';') for the entity type.
    standalone.ldap.et.group.objectClasses=groupOfUniqueNames

    # The object class(es) (separated by ';') to use when an entity type is created. If the value of this parameter is the same as the objectClass parameter, you do not need to specify this parameter.
    standalone.ldap.et.group.objectClassesForCreate=

    # The search base or bases to use while searching the entity type.
    standalone.ldap.et.group.searchBases=


    # Entity type PersonAccount

    # The search filter that you want to use to search the entity type.
    # VMM uses this filter as an addition during search requests in your environment
    # The syntax is like a standard LDAP searchfilter like (objectclass=inetOrgPerson)
    # In general this value can be left blank
    standalone.ldap.et.personaccount.searchFilter=

    # One or more object classes (separated by ';') for the entity type.
    # Please check this value with the objectclass used in your LDAP for type User
    standalone.ldap.et.personaccount.objectClasses=inetOrgPerson

    # The object class(es) (separated by ';') to use when an entity type is created. If the value of this parameter is the same as the objectClass parameter, you do not need to specify this parameter.
    standalone.ldap.et.personaccount.objectClassesForCreate=

    # The search base or bases to use while searching the entity type.
    standalone.ldap.et.personaccount.searchBases=

    ########################
    ##
    ## End LDAP entity types
    ##
    ########################

    ###################################################
    ##
    ## Group member attributes
    ##
    ###################################################

    # The name of the LDAP attribute that is used as the group member attribute. For example, member or uniqueMember.
    standalone.ldap.gm.groupMemberName=uniqueMember

    # The group object class that contains the member attribute. For example, groupOfNames or groupOfUnqiueNames.
    # If you do not define this parameter, the member attribute applies to all group object classes.
    standalone.ldap.gm.objectClass=groupOfUniqueNames

    # The scope of the member attribute. The valid values for this parameter include the following:
    # direct - The member attribute only contains direct members.
    # nested - The member attribute that contains the direct members and the nested members.
    standalone.ldap.gm.scope=direct

    # If you create a group without specifying a member, a dummy member will be filled in to avoid creating an exception about missing a mandatory attribute.
    standalone.ldap.gm.dummyMember=uid=dummy


    ###############################
    # Default parent, RDN attribute
    ###############################

    # The default parents to be set for the the entity types PersonAccount and Group
    standalone.ldap.personAccountParent=cn=users,dc=spinfotech,dc=com
    standalone.ldap.groupParent=cn=groups,dc=spinfotech,dc=com

    # The RDN attribute names for the entity types PersonAccount and Group
    # To reset all the values of the rdnProperties parameter, specify a blank string ("").
    standalone.ldap.personAccountRdnProperties=uid
    standalone.ldap.groupRdnProperties=cn

    ###################################################
    ##
    ## End Group member attributes
    ##
    ###################################################



    ###############################################################################
    ##
    ## Advanced Properties
    ##
    ###############################################################################


    ###################
    # Group config
    ###################

    # The name of the membership attribute. For example, memberOf in an active directory server and ibm-allGroups in IDS.
    standalone.ldap.gc.name=

    # Updates the group membership if the member is deleted or renamed. Some LDAP servers, for example, Domino server, do not clean up
    # the membership of the user when a user is deleted or renamed. If you choose these LDAP server types in the ldapServerType property,
    # the value of this parameter is set to true. Use this parameter to change the value. The default value is false.
    standalone.ldap.gc.updateGroupMembership=

    # The scope of the membership attribute. The valid values for this parameter include the following:
    # direct - The membership attribute only contains direct groups.
    # nested - The membership attribute that contains the direct groups and the nested groups.
    # all - The membership attribute contains direct groups, nested groups, and dynamic members.
    # The default value is direct.
    standalone.ldap.gc.scope=direct


    # Controls how aliases are dereferenced. The default value is always. Valid values include:
    # always - always deference aliases
    # never - never deference aliases
    # finding - deference aliases only during name resolution
    # searching - deference aliases only after name resolution
    standalone.ldap.derefAliases=always

    # Indicates the authentication method to use. The default value is simple. Valid values include: none or strong.
    standalone.ldap.authentication=simple

    # The LDAP referral. The default value is ignore. Valid values include: follow, throw, or false.
    standalone.ldap.referral=ignore

    # Specifies the delimiter used for this realm. The default value is /.
    standalone.ldap.delimiter=/

    # Whether the query matches case sensitivity.
    # note: not used during node federation to DMGR with WAS ldap security enabled
    standalone.ldap.ignoreCase=true

    # Specifies whether secure socket communication is enabled to the LDAP server.
    # When enabled (sslEnabled=true), the Secure Sockets Layer (SSL) settings for LDAP are used.
    # The default value is false.
    standalone.ldap.sslEnabled=false

    # Specifies the name of the application server SSL configuration to be used for SSL enabled LDAP server.
    # This property is used to specify a non default SSL configuration if standalone.ldap.sslEnabled=true is set
    standalone.ldap.sslConfiguration=

    # Specifies whether to map X.509 certificates into a LDAP directory by exact distinguished name or certificate filter.
    # Specify the certificate filter to use the specified filter for the mapping, if client certificate authentication is used
    # for portal server.
    # Valid values include: EXACT_DN, CERTIFICATE_FILTER
    standalone.ldap.certificateMapMode=EXACT_DN

    # Specifies the filter certificate mapping property for the LDAP filter, if client certificate authentication is used
    # for portal server.
    # The filter is used to map attributes in the client certificate to entries within the LDAP repository.
    standalone.ldap.certificateFilter=

    # Should be set to true by default to reuse the LDAP connection.
    # note: not used during node federation to DMGR with WAS ldap security enabled
    standalone.ldap.reuseConnection=true

    # Specifies the timeout value in miliseconds for an LDAP server to respond before aborting a request.
    standalone.ldap.searchTimeLimit=120000

    # Defines if VMM will enable the ConnectionPool
    standalone.ldap.connectionPool=false

    # Indicates if sorting is supported or not. The default value is false.
    standalone.ldap.supportSorting=false

    # Indicates if paging is supported or not.
    standalone.ldap.supportPaging=false

    # Indicates if transactions are supported or not. The default value is false.
    standalone.ldap.supportTransactions=false

    # Specifies if the external ID is unique. The default value is true.
    standalone.ldap.isExtIdUnique=true

    # Indicates if external names are supported or not. The default value is false.
    standalone.ldap.supportExternalName=false

    # Indicates to translate RDN or not. The default value is false.
    standalone.ldap.translateRDN=false

    # The value of the search count limit.
    standalone.ldap.searchCountLimit=500

    # The value of search page size.
    standalone.ldap.searchPageSize=

    # Indicates to return to the primary LDAP server when it is available. The default value is true.
    standalone.ldap.returnToPrimaryServer=

    # Indicates the polling interval for testing the primary server availability.
    # The value of this parameter is specified in minutes. The default value is 15.
    standalone.ldap.primaryServerQueryTimeInterval=

    # Indicates the property name used for login.
    standalone.ldap.loginProperties=uid

    # The maximum number of context instances that can be maintained concurrently by the context pool.
    # The default value is 20.
    standalone.ldap.cp.maxPoolSize=20


  • Once the wp_security_ids.properties is ready use it as parentProperties file to execute validate ldap task. This task makes sure that the values that your settings are Ok.

    ./ConfigEngine.sh validate-standalone-ldap -DWasPassword=wasadmin -DparentProperties=/software/IBM/WebSphere/wp_profile/ConfigEngine/config/helpers/wp_security_ids.properties


  • Once the validation is successful you can execute the wp-modify-ldap-security task to enable the security

    ./ConfigEngine.sh wp-modify-ldap-security -DWasPassword=wasadmin -DparentProperties=/software/IBM/WebSphere/wp_profile/ConfigEngine/config/helpers/wp_security_ids.properties


  • Restart both the server1 and WebSphere_Portal server



After enabling security you can see all the properties that you set from the WAS Admin Console like this.



Click on configure button and you will see the detailed configuration

No comments: