Follow this topic to manually configure Lightweight Directory Access
Protocol (LDAP) repository in a federated repository configuration.
Before you begin
As a prerequisite, you need to add an LDAP repository to your WebSphere
Application Server configuration, where you define the following information:
Item Name | Example
Repository identifier | ldaprepo1
Directory type | IBM Tivoli Directory Server
Primary host name | localhost
Port | 389
Bind distinguished name | cn=ldapadmin
Bind password | yourpwd
Login properties | uid (a property containing login information)
See Lightweight Directory Access Protocol repository configuration settings for
the specific steps you must perform to establish this LDAP repository.
About this task
At this point, you have a valid LDAP repository ready to be manually
configured in a federated repository configuration.
Procedure
- Map the federated repository entity types to the LDAP object classes.
- Configure the LDAP repository to match the LDAP object class used for
users.
- In the administrative console, click Security > Secure administration,
applications, and infrastructure.
- Under User account repository, select Federated repositories from
the Available realm definitions field and click Configure.
- Under Related items, click Manage repositories.
- Select the repository (for example, ldaprepo1).
- Click LDAP entity types.
- Click PersonAccount.
- Insert the objectclass name used in your LDAP server, for example, inetOrgPerson.
- Click Apply.
- Click Save.
See Configuring supported entity types in a federated repository configuration for
an explanation of the supported entity types.
See http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/topic/com.ibm.websphere.wim.doc.en/ldap.html for a description of the LDAP default mappings.
- Configure the LDAP repository to match the LDAP objectclass used for
groups.
- In the administrative console, click Security > Secure administration,
applications, and infrastructure.
- Under User account repository, select Federated repositories from
the Available realm definitions field and click Configure.
- Under Related items, click Manage repositories.
- Select ldaprepo1.
- Click LDAP entity types.
- Click Group.
- Insert the objectclass name used for your LDAP server, for example, groupOfUniqueNames.
- Click Apply.
- Click Save.
See Group attribute definition settings for an explanation of group attribute definitions.
- Map the federated repository property names to the LDAP attribute
names.
- Configure the LDAP repository to match the LDAP attributes used for a
user.
- Edit the file
{WAS_HOME}\profiles\{profileName}\config\cells\{cellName}\wim\config\wimconfig.xml
- Look for the section in this file containing the LDAP repository configuration.
For example,
<config:repositories
xsi:type="config:LdapRepositoryType"
adapterClassName="com.ibm.ws.wim.adapter.ldap.LdapAdapter" id="ldaprepo1" ...>
<config:attributeConfiguration>
...
<!-- name is the LDAP attribute, propertyName the federated repository property -->
<config:attributes name="anLDAPattribute"
propertyName="aVMMattribute"/>
...
</config:attributeConfiguration>
</config:repositories>
- Add an element of type config:attributes to define the
mapping between a given federated repository property name, such as departmentNumber,
and the desired LDAP attribute name, such as warehouseSection.
Note: For
all federated repository properties, a one-to-one mapping is assumed.
If no explicit mapping of the above type is defined, for example for the federated
repository property departmentNumber, the underlying LDAP
attribute name is assumed to be the same, that is, departmentNumber.
- Configure the unsupported properties of the federated repository.
To
indicate that a given federated repository property, such as
departmentNumber, is
not supported by any LDAP attribute, you need to define the following type
of element:
<config:repositories xsi:type="config:LdapRepositoryType"
adapterClassName="com.ibm.ws.wim.adapter.ldap.LdapAdapter"
id="ldaprepo1" ...>
<config:attributeConfiguration>
...
<!-- the property name must match exactly; no surrounding spaces -->
<config:propertiesNotSupported name="departmentNumber"/>
...
</config:attributeConfiguration>
</config:repositories>
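The two wimconfig.xml fragments above are easy to get subtly wrong: a stray space inside a name attribute, a property mapped to two LDAP attributes, or a property that is both mapped and listed as unsupported. The following Python script, added here as an example and not part of IBM's documentation or tooling, parses a constructed wimconfig.xml fragment and reports such inconsistencies; the xmlns:config namespace URI in the sample is a placeholder, not the real schema location.

```python
import xml.etree.ElementTree as ET

# Constructed sample fragment (not from a real server). The xmlns:config URI is a
# placeholder, not the real schema; the checker matches local element names only.
SAMPLE_WIMCONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<config:configurationProvider xmlns:config="urn:example:wim-config-placeholder"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <config:repositories xsi:type="config:LdapRepositoryType"
      adapterClassName="com.ibm.ws.wim.adapter.ldap.LdapAdapter" id="ldaprepo1">
    <config:attributeConfiguration>
      <config:attributes name="warehouseSection" propertyName="departmentNumber"/>
      <config:attributes name="mail" propertyName="mail"/>
      <config:attributes name="mobile" propertyName="mail"/>
      <config:propertiesNotSupported name=" departmentNumber"/>
    </config:attributeConfiguration>
  </config:repositories>
</config:configurationProvider>
"""

def local(tag):
    """Strip the namespace: '{uri}attributes' -> 'attributes'."""
    return tag.rsplit("}", 1)[-1]

def check_attribute_config(xml_text, repo_id):
    """Return findings for the attributeConfiguration of the LDAP repository
    with the given id; an empty list means nothing suspicious."""
    root = ET.fromstring(xml_text)
    repos = [e for e in root.iter()
             if local(e.tag) == "repositories" and e.get("id") == repo_id]
    if not repos:
        return [f"no repository with id {repo_id!r}"]
    findings, mapped, unsupported = [], {}, set()  # mapped: property -> LDAP attr
    for elem in repos[0].iter():
        kind = local(elem.tag)
        if kind == "attributes":
            name, prop = elem.get("name", ""), elem.get("propertyName", "")
            if name != name.strip() or prop != prop.strip():
                findings.append(f"whitespace in mapping {name!r} -> {prop!r}")
            if prop in mapped:  # the mapping is one-to-one, so this is a conflict
                findings.append(f"property {prop!r} mapped twice: {mapped[prop]} and {name}")
            mapped[prop] = name
        elif kind == "propertiesNotSupported":
            prop = elem.get("name", "")
            if prop != prop.strip():  # ' departmentNumber' would never match
                findings.append(f"whitespace in propertiesNotSupported name {prop!r}")
            unsupported.add(prop.strip())
    for prop in sorted(unsupported & set(mapped)):
        findings.append(f"property {prop!r} is both mapped to {mapped[prop]} and unsupported")
    return findings
```

Run it against the real file by reading wimconfig.xml into a string and passing the repository identifier from the prerequisites table (ldaprepo1 in this topic).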
- Configure the LDAP repository to match the LDAP attribute used to record user membership
in groups.
- In the administrative console, click Security > Secure administration,
applications, and infrastructure.
- Under User account repository, select Federated repositories from
the Available realm definitions field and click Configure.
- Under Related items, click Manage repositories.
- Select ldaprepo1.
- Click Group attribute definitions.
- Click Member attributes.
- Check whether your LDAP member attribute (for example, uniqueMember) is
specified for your LDAP objectclass (for example, groupOfUniqueNames).
- If it is not specified, click New and add the pair (objectclass /
member attribute name) that applies to your LDAP schema (for example,
groupOfUniqueNames / uniqueMember).
- If it is specified, proceed.
- Click Apply.
- Click Save.
- Map other LDAP settings by configuring a new base entry for the
new LDAP repository.
- In the administrative console, click Security > Secure administration,
applications, and infrastructure.
- Under User account repository, select Federated repositories from
the Available realm definitions field and click Configure.
- Click Add Base Entry to Realm.
- Select ldaprepo1.
- Specify:
- The base entry within the federated repository realm, for example, o=Default
Organization
- The base entry within the LDAP repository, for example, o=Default
Organization
- Click Apply.
- Click Save.
For an explanation of base entries, see Configuring supported entity types in a federated repository configuration.
Results
After completing these steps, your federated repository matches the
LDAP server settings.
What to do next