When configuring the security for your application server, you might need to migrate a stand-alone LDAP registry to a federated repositories LDAP repository configuration.
Note the specifications of your stand-alone LDAP repository that you want to migrate, for reference when configuring the LDAP repository in federated repositories. To access these fields, on the administrative console, click Security > Global security.
| Stand-alone LDAP repository configuration | LDAP repository in a federated repositories configuration |
|---|---|
| Global security > Standalone LDAP registry, General properties – Primary administrative user name | Global security > Federated repositories, General properties – Primary administrative user name |
| Global security > Standalone LDAP registry, LDAP server – Type of LDAP server | Global security > Federated repositories > Manage repositories > repository_ID, LDAP server – Directory Type |
| Global security > Standalone LDAP registry, LDAP server – Host | Global security > Federated repositories > Manage repositories > repository_ID, LDAP server – Primary host name |
| Global security > Standalone LDAP registry, LDAP server – Port | Global security > Federated repositories > Manage repositories > repository_ID, LDAP server – Port |
| Global security > Standalone LDAP registry, LDAP server – Failover hosts | Global security > Federated repositories > Manage repositories > repository_ID, LDAP server – Failover server used when primary is not available |
| Global security > Standalone LDAP registry, LDAP server – Base distinguished name (DN) | Global security > Federated repositories > Repository reference (click Add Base entry to realm), General properties – Distinguished name of a base entry that uniquely identifies this set of entries in the realm, and General properties – Distinguished name of a base entry in this repository |
| Global security > Standalone LDAP registry, LDAP server – Search timeout | Global security > Federated repositories > Manage repositories > repository_ID > Performance, General properties – Limit search time |
| Global security > Standalone LDAP registry, LDAP server – Server user identity | Global security > Federated repositories, General properties – Server user identity |
| Global security > Standalone LDAP registry, Security – Bind distinguished name (DN) | Global security > Federated repositories > Manage repositories > repository_ID, Security – Bind distinguished name |
| Global security > Standalone LDAP registry, Security – Bind password | Global security > Federated repositories > Manage repositories > repository_ID, Security – Bind password |
| Global security > Standalone LDAP registry > Advanced Lightweight Directory Access Protocol (LDAP) user registry settings, General properties – Kerberos user filter | Global security > Federated repositories > Manage repositories > repository_ID, Security – LDAP attribute used for Kerberos principal name |
| Global security > Standalone LDAP registry > Advanced Lightweight Directory Access Protocol (LDAP) user registry settings, General properties – Certificate map mode | Global security > Federated repositories > Manage repositories > repository_ID, Security – Certificate mapping |
| Global security > Standalone LDAP registry > Advanced Lightweight Directory Access Protocol (LDAP) user registry settings, General properties – Certificate filter | Global security > Federated repositories > Manage repositories > repository_ID, Security – Certificate filter |
The Realm name field under General Properties on the federated repositories LDAP configuration panel is not listed in the previous table because it does not have a one-to-one correspondence with a field in the stand-alone LDAP configuration panel. The host name and the port number represent the realm name for the stand-alone LDAP server in the WebSphere Application Server cell. For information on changing the realm name, see the topic Realm configuration settings.
The User Filter, Group Filter, User ID map, Group ID map, and Group member ID map fields are also not listed in the previous table because they do not have a one-to-one correspondence with fields in the federated repositories LDAP repository configuration panel. These LDAP attributes are set differently in the federated repositories LDAP repository configuration and involve multiple steps. These settings are explained in detail in the following sections and procedure.
Migrating from a stand-alone LDAP repository configuration to a federated repositories LDAP repository configuration involves migrating the configuration parameters, most of which are straightforward, as shown in Table 1 in the previous section. Migrating the search filters is an important part of migrating a stand-alone LDAP repository configuration to a federated repositories LDAP repository configuration, so the concept and migration of LDAP search filters is described here in detail.
Stand-alone LDAP registry search filters follow the LDAP filter syntax, where you specify the attribute on which the search is based and its value.
The user filter is used for searching the registry for users. It is used to authenticate a user by using the attribute specified in the filter.
The group filter is used for searching the registry for groups. It specifies the property by which to look up groups.
Examples of commonly used user filters:
(&(uid=%v)(objectclass=ePerson))
Searches for users where the uid attribute matches the specified search pattern of the ePerson object class.
(&(cn=%v)(objectclass=user))
Searches for users where the cn attribute matches the specified search pattern of the user object class.
(&(sAMAccountName=%v)(objectcategory=user))
Searches for users where the sAMAccountName attribute matches the specified search pattern of the user object category.
(&(userPrincipalName=%v)(objectcategory=user))
Searches for users where the userPrincipalName attribute matches the specified search pattern of the user object category.
(&(mail=%v)(objectcategory=user))
Searches for users where the mail attribute matches the specified search pattern of the user object category.
(&(|(sAMAccountName=%v)(userPrincipalName=%v))(objectcategory=user))
Searches for users where the sAMAccountName or the userPrincipalName matches the specified search pattern of the user object category.
Examples of commonly used group filters:
(&(cn=%v)(objectCategory=group))
Looks up groups based on their common names (cn).
(&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))
Looks up groups based on their common names (cn) and by using the object class of either groupOfNames or groupOfUniqueNames.
As shown in these examples, a stand-alone LDAP registry search filter consists of LDAP attributes and object classes, based on which the search or login is performed.
You can also specify the LDAP attributes and object classes in the LDAP adapter configuration of federated repositories, but they are configured differently and provide more flexibility. In federated repositories, a user is represented as the PersonAccount entity type and a group as the Group entity type. Each entity type can have its own RDN (Relative Distinguished Name) property (rdnProperties) and object class. For example, the default RDN property of PersonAccount is uid, and the default RDN property of Group is cn. The default object class mapping depends on the LDAP server type. For example, for Tivoli Directory Server, the object class for PersonAccount is inetOrgPerson and the object class for Group is groupOfNames. PersonAccount can also have login properties. When a user logs in, or a search is performed for a user in the user registry, these login properties are matched against the pattern. For example, if the login properties are uid and mail, then for the search pattern a*, all users who match uid=a* or mail=a* are returned.
Migrating search filters involves one or more of the following steps: setting the correct login properties, mapping the attributes of the back-end repository to the federated repositories properties, setting the object class, setting the search filter by using object class or object category, and setting the member or membership attribute. This mapping and configuration for federated repositories is maintained in the wimconfig.xml file.
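The split described above can be done mechanically before touching wimconfig.xml: every attribute compared with %v in a stand-alone filter becomes a login property (or, for a group filter, the RDN property), and the objectclass/objectcategory terms that remain form the object class or search filter. The following helper is an added illustration, not IBM tooling; it is a small RFC 4515 filter parser that works on the filters shown on this page and rejects malformed ones such as an unbalanced (&cn=%v) item.

```python
# Added illustration, not IBM tooling: splits a stand-alone LDAP search filter into
# the pieces a federated-repositories (wimconfig.xml) configuration is built from.
TERMS = {'objectclass': 'object_classes', 'objectcategory': 'object_categories'}

def parse(s, i=0):
    """Parse an RFC 4515 filter (&, |, attr=value) at s[i]; return (node, end)."""
    if s[i] != '(':
        raise ValueError(f"expected '(' at offset {i} in {s!r}")
    if s[i + 1:i + 2] in ('&', '|'):
        op, kids, i = s[i + 1], [], i + 2
        while i < len(s) and s[i] == '(':
            kid, i = parse(s, i)
            kids.append(kid)
        if i >= len(s) or s[i] != ')':
            raise ValueError(f"unbalanced filter: {s!r}")
        return (op, kids), i + 1
    j = s.index(')', i)  # ValueError if the item is never closed
    attr, eq, value = s[i + 1:j].partition('=')
    if not eq:
        raise ValueError(f"malformed item {s[i + 1:j]!r}")
    return ('=', attr, value), j + 1

def render(node):
    """Filter text for a parsed node ('' for None)."""
    if node is None:
        return ''
    if node[0] == '=':
        return f'({node[1]}={node[2]})'
    return '(' + node[0] + ''.join(map(render, node[1])) + ')'

def migrate_filter(ldap_filter):
    """Login properties (RDN property for a group filter), object terms, rest of filter."""
    tree, end = parse(ldap_filter)
    if end != len(ldap_filter):
        raise ValueError(f"text after filter: {ldap_filter[end:]!r}")
    out = {'login_properties': [], 'object_classes': [], 'object_categories': []}
    def split(node):
        if node[0] != '=':  # &/|: keep surviving children, collapse a single child
            kids = [k for k in map(split, node[1]) if k is not None]
            return None if not kids else kids[0] if len(kids) == 1 else (node[0], kids)
        attr, value = node[1], node[2]
        if value == '%v':  # compared with the login value -> login property
            out['login_properties'].append(attr)
            return None
        if attr.lower() not in TERMS:
            raise ValueError(f"no federated equivalent for {render(node)}")
        out[TERMS[attr.lower()]].append(value)
        return node
    out['search_filter'] = render(split(tree))
    return out
```

For the Active Directory example on this page, migrate_filter returns sAMAccountName and userPrincipalName as login properties and (objectcategory=user) as the remaining search filter; the returned values are then entered by hand in the federated repositories configuration.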