Configuring an LDAP server adapter

The LDAP adapter is configured using the WebSphere Application Server administrative console or the wsadmin commands. See your WebSphere administrative console documentation. If you need to modify this configuration, you can manually edit the wimconfig.xml file, although this is not the preferred method.

About this task
The following code sample is an example of a basic wimconfig.xml file that has been configured to use the LDAP server LDAP1. The site-specific values (the repository id, the base entries and search bases, the host and port, and the bindDN and bindPassword) are placeholders; replace them with the values for your own LDAP server.
Note: The suffixes need to already exist in the LDAP server before you can configure the LDAP repository adapter.
    <config:repositories xsi:type="config:LdapRepositoryType" id="LDAP1" supportPaging="true"
        supportSorting="true" ldapServerType="IDS51">
      <config:baseEntries name="cn=users,dc=yourco,dc=com"/>
      <config:baseEntries name="cn=groups,dc=yourco,dc=com"/>
      <config:ldapServerConfiguration>
        <config:ldapServers bindDN="cn=root" bindPassword="{xor}Nj0y" sslEnabled="false">
          <config:connections host="localhost" port="389"/>
        </config:ldapServers>
      </config:ldapServerConfiguration>
      <config:ldapEntityTypes name="PersonAccount">
        <config:objectClasses>inetOrgPerson</config:objectClasses>
        <config:searchBases>cn=users,dc=yourco,dc=com</config:searchBases>
      </config:ldapEntityTypes>
      <config:ldapEntityTypes name="Group">
        <config:objectClasses>groupOfNames</config:objectClasses>
        <config:searchBases>cn=groups,dc=yourco,dc=com</config:searchBases>
      </config:ldapEntityTypes>
      <config:ldapEntityTypes name="OrgContainer">
        <config:rdnAttributes name="o" objectClass="organization"/>
        <config:rdnAttributes name="ou" objectClass="organizationalunit"/>
        <config:objectClasses>organization</config:objectClasses>
        <config:objectClasses>organizationalUnit</config:objectClasses>
      </config:ldapEntityTypes>
      <config:groupConfiguration>
        <config:memberAttributes dummyMember="uid=dummy" name="member" objectClass="groupOfNames"/>
        <config:membershipAttribute name=""/>
      </config:groupConfiguration>
      <config:attributeConfiguration>
        <config:attributes name="userPassword" propertyName="password"/>
        <config:attributes name="cn" propertyName="displayName">
          <config:entityTypes>Group</config:entityTypes>
        </config:attributes>
        <config:attributes name="cn" propertyName="cn">
          <config:entityTypes>Group</config:entityTypes>
        </config:attributes>
        <config:propertiesNotSupported name="homeAddress"/>
        <config:propertiesNotSupported name="businessAddress"/>
      </config:attributeConfiguration>
      <config:contextPool enabled="true" initPoolSize="1" maxPoolSize="10" poolTimeOut="0" prefPoolSize="5"/>
      <config:cacheConfiguration>
        <config:attributesCache cacheSize="4000" cacheTimeOut="1200" enabled="true"/>
        <config:searchResultsCache cacheSize="2000" cacheTimeOut="600" enabled="true"/>
      </config:cacheConfiguration>
    </config:repositories>
Note: Out of the box, only groups in database repositories support members from other repositories. File repositories and LDAP repositories, including Microsoft Active Directory with multiple domains, do not support members from other repositories.

For information about troubleshooting and how to enable trace and logs for virtual member manager, see Logs and trace. See also Migrating a stand-alone LDAP repository to a federated repositories LDAP repository configuration in the WebSphere Application Server information center.
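The following Python script is an added example and is not part of the original IBM documentation. It parses the ldapServers section of a wimconfig.xml fragment like the one above and reports the two settings a security review of this sample would flag. The {xor} prefix on bindPassword is WebSphere's default obfuscation (base64 of each byte XORed with the character '_'), not encryption, so the bind credential is recoverable by anyone who can read the file; and sslEnabled="false" on port 389 means the simple bind sends that credential in cleartext. The namespace URI for the config prefix and the wrapper root element are supplied here so that the fragment parses stand-alone; in a real file they sit on the root element.

```python
"""Audit the ldapServers section of a WebSphere wimconfig.xml fragment."""
import base64
import xml.etree.ElementTree as ET

# Namespace URIs used by wimconfig.xml (the fragment on the page omits the
# declarations because they live on the file's root element).
NS = {
    "config": "http://www.ibm.com/websphere/wim/config",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}

# Constructed sample: the page's LDAP1 server block, wrapped in a root element
# that carries the namespace declarations so it parses on its own.
SAMPLE = """<config:repositories xmlns:config="http://www.ibm.com/websphere/wim/config"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:type="config:LdapRepositoryType" id="LDAP1" ldapServerType="IDS51">
  <config:ldapServerConfiguration>
    <config:ldapServers bindDN="cn=root" bindPassword="{xor}Nj0y" sslEnabled="false">
      <config:connections host="localhost" port="389"/>
    </config:ldapServers>
  </config:ldapServerConfiguration>
</config:repositories>"""

XOR_KEY = 0x5F  # WebSphere's {xor} encoding XORs every byte with '_'


def xor_decode(value):
    """Reverse WebSphere {xor} obfuscation: base64-decode, then XOR each byte with '_'."""
    if not value.startswith("{xor}"):
        raise ValueError("not a {xor}-encoded value")
    raw = base64.b64decode(value[len("{xor}"):])
    return bytes(b ^ XOR_KEY for b in raw).decode("utf-8")


def xor_encode(plaintext):
    """Produce the {xor} form, showing that the scheme is a fixed, keyless transform."""
    raw = bytes(b ^ XOR_KEY for b in plaintext.encode("utf-8"))
    return "{xor}" + base64.b64encode(raw).decode("ascii")


def audit_ldap_servers(xml_text):
    """Return one finding dict per ldapServers element in the fragment."""
    root = ET.fromstring(xml_text)
    findings = []
    for server in root.iter("{%s}ldapServers" % NS["config"]):
        ssl_enabled = server.get("sslEnabled", "false").lower() == "true"
        hosts = [(c.get("host"), int(c.get("port", "389")))
                 for c in server.findall("config:connections", NS)]
        password = server.get("bindPassword", "")
        issues = []
        if not ssl_enabled:
            issues.append("sslEnabled=false: the simple bind sends bindDN and "
                          "bindPassword to the LDAP server in cleartext")
        if not ssl_enabled and any(port == 389 for _, port in hosts):
            issues.append("plain LDAP on port 389; use LDAPS (sslEnabled=true, "
                          "typically port 636) so the bind is protected in transit")
        if password.startswith("{xor}"):
            issues.append("bindPassword is {xor}-obfuscated, not encrypted; anyone "
                          "who can read wimconfig.xml can recover it")
        findings.append({
            "bindDN": server.get("bindDN"),
            "connections": hosts,
            "sslEnabled": ssl_enabled,
            # Recovered here only to demonstrate that the obfuscation is reversible.
            "recovered_password": xor_decode(password) if password.startswith("{xor}") else None,
            "issues": issues,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_ldap_servers(SAMPLE):
        print(finding["bindDN"], finding["connections"], "ssl:", finding["sslEnabled"])
        for issue in finding["issues"]:
            print("  -", issue)
```

Because the obfuscation is reversible, treat wimconfig.xml as a credential-bearing file: restrict its file permissions, bind with a dedicated low-privilege account rather than the directory's root DN, and enable SSL to the LDAP server rather than relying on the {xor} encoding for protection.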

Primary and secondary LDAP server failover

Virtual member manager supports configuration of multiple LDAP servers for fault tolerance and reliability.

The first configured LDAP server is the primary server; the others are secondary servers. At startup, virtual member manager creates connections to the primary server. If the primary server goes down, virtual member manager discards all connections to it and creates new connections to the second configured server. If the second server goes down, virtual member manager discards all connections to it and switches to the third configured server, and so on through the configured list, wrapping around to the primary server. All subsequent connections are created only to the last working server, regardless of whether context pooling is enabled.

This sample configuration contains one primary and two secondary LDAP servers:

<config:connections host="ldap1.mycompany.com" port="389"/>
<config:connections host="ldap2.mycompany.com" port="389"/>
<config:connections host="ldap3.mycompany.com" port="389"/>

You can configure virtual member manager to check periodically whether the primary server is running again and to switch back to it once it is. Use the returnToPrimaryServer parameter of the updateIdMgrLDAPRepository command to enable this behaviour, and the primaryServerQueryTimeInterval parameter to change the polling interval at which primary server availability is tested.

When a connection attempt is made to an LDAP server, the connection timeout determines the maximum amount of time that virtual member manager waits for the connection to be established. Use the connectTimeout parameter of the updateIdMgrLDAPServer command to specify the connection timeout. The read timeout for dead TCP/IP connections is controlled by the operating system. You can disable context pooling to avoid the need for a read timeout setting. For more information about context pooling, see the topic, Tuning the access to the LDAP server.
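The failover order described above, modelled in Python as an added example (this is not virtual member manager code): the three servers from the sample, a connect callable injected so that the model runs offline against a fake network, a connect timeout standing in for connectTimeout, and a poll method standing in for the returnToPrimaryServer and primaryServerQueryTimeInterval behaviour. The host names are the sample's; the class, method names and scenario are this example's own.

```python
"""Model of virtual member manager's primary/secondary LDAP failover order."""
import socket


class LdapFailover:
    """Track which configured LDAP server is currently in use.

    servers: ordered list of (host, port); the first entry is the primary.
    connect: callable (host, port, timeout) -> bool, injected so the model
             can be exercised offline against a fake network.
    """

    def __init__(self, servers, connect, connect_timeout=5.0, return_to_primary=False):
        self.servers = list(servers)
        self.connect = connect
        self.connect_timeout = connect_timeout  # stands in for connectTimeout
        self.return_to_primary = return_to_primary  # stands in for returnToPrimaryServer
        self.current = 0  # index of the last working server
        self.events = []  # audit trail of connection attempts and switches

    def _try(self, idx):
        host, port = self.servers[idx]
        ok = self.connect(host, port, self.connect_timeout)
        self.events.append(("connect", host, port, ok))
        return ok

    def acquire(self):
        """Return the (host, port) a new connection would be opened to.

        Connections go only to the last working server; if it is down, its
        connections are discarded and the next server in configuration order
        is tried, wrapping around to the primary.
        """
        n = len(self.servers)
        for step in range(n):
            idx = (self.current + step) % n
            if self._try(idx):
                if idx != self.current:
                    self.events.append(("switch", self.servers[idx]))
                    self.current = idx
                return self.servers[idx]
        raise ConnectionError("no configured LDAP server is reachable")

    def poll_primary(self):
        """One primaryServerQueryTimeInterval tick: with return-to-primary
        enabled, switch back to the primary as soon as it answers again."""
        if self.return_to_primary and self.current != 0 and self._try(0):
            self.events.append(("return_to_primary", self.servers[0]))
            self.current = 0
        return self.servers[self.current]


def tcp_connect(host, port, timeout):
    """Real connectivity probe honouring a connect timeout (not used offline)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed scenario: the sample's three servers; ldap1 is down at first.
SERVERS = [("ldap1.mycompany.com", 389),
           ("ldap2.mycompany.com", 389),
           ("ldap3.mycompany.com", 389)]


def make_fake_network(up):
    """Return a connect() that consults a mutable set of reachable hosts."""
    def connect(host, port, timeout):
        return host in up
    return connect


def run_scenario(return_to_primary):
    """Walk the failover chain and report which host serves each step."""
    up = {"ldap2.mycompany.com", "ldap3.mycompany.com"}
    fo = LdapFailover(SERVERS, make_fake_network(up), return_to_primary=return_to_primary)
    first = fo.acquire()             # primary down: fail over to ldap2
    up.discard("ldap2.mycompany.com")
    second = fo.acquire()            # ldap2 down: fail over to ldap3
    up.add("ldap1.mycompany.com")
    third = fo.acquire()             # stays on ldap3: last working server is kept
    fourth = fo.poll_primary()       # returns to ldap1 only if return_to_primary is set
    return [first[0], second[0], third[0], fourth[0]]


if __name__ == "__main__":
    print("returnToPrimaryServer=false:", run_scenario(False))
    print("returnToPrimaryServer=true: ", run_scenario(True))
```

The third step is the point the text makes: once traffic has moved to a secondary server, it stays there even after the primary recovers, unless returnToPrimaryServer is enabled and the periodic check succeeds. Replace make_fake_network with tcp_connect to probe real servers, keeping connect_timeout short so a dead host does not stall the chain.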

For information about configuring virtual member manager using the command line interfaces read about IdMgrRepositoryConfig command group for the AdminTask object in the WebSphere Application Server information center.



(C) Copyright IBM Corporation 2010. All Rights Reserved.
IBM virtual member manager 6.1