Follow this topic to manually configure a Lightweight Directory
Access Protocol (LDAP) repository in a federated repository configuration.
Before you begin
As a prerequisite, you need to add an LDAP repository to your WebSphere® Application Server configuration,
where you define the following information:
Table 1. Prerequisite LDAP repository information. This table lists the prerequisite LDAP repository information.

Item name | Example
--- | ---
Repository identifier | ldaprepo1
Directory type | IBM® Tivoli® Directory Server
Primary host name | localhost
Port | 389
Bind distinguished name | cn=ldapadmin
Bind password | yourpwd
Login properties | uid (a property containing login information)

Note: Port 389 is the unencrypted LDAP port. Unless the connection uses SSL (LDAPS) or StartTLS, the bind password and the passwords of users who log in cross the network in clear text. Use a dedicated bind account for the bind distinguished name, with no more privilege in the directory than the repository needs.
See
Lightweight Directory Access Protocol repository configuration settings for the specific
steps you must perform to establish this LDAP repository.
About this task
At this point, you have a valid LDAP repository ready to
be manually configured in a federated repository configuration.
Procedure
- Map the federated repository entity types to the LDAP object
classes.
- Configure the LDAP repository to match the used LDAP object class
for users.
- In the administrative console, click Security > Global security.
- Under User account repository, select Federated repositories from
the Available realm definitions field and click Configure.
- Under Related items, click Manage repositories.
- Select the repository (for example, ldaprepo1).
- Click LDAP entity types.
- Click PersonAccount.
- Insert the objectclass name used in your LDAP server, for
example, inetOrgPerson.
- Click Apply.
- Click Save.
See Configuring supported entity types in a federated repository configuration for an explanation of the supported entity types.
See http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/topic/com.ibm.websphere.wim.doc.en/ldap.html for a description of the LDAP default mappings.
- Configure the LDAP repository to match the used LDAP objectclass for
groups.
- In the administrative console, click Security > Global security.
- Under User account repository, select Federated repositories from
the Available realm definitions field and click Configure.
- Under Related items, click Manage repositories.
- Select ldaprepo1.
- Click LDAP entity types.
- Click Group.
- Insert the objectclass name used for your LDAP server, for example, groupOfUniqueNames.
- Click Apply.
- Click Save.
See Group attribute definition settings for an explanation
of group attribute definitions.
- Map the federated repository property names to the LDAP
attribute names.
- Configure the LDAP repository to match the used LDAP attributes
for a user.
- Edit the file
{WAS_HOME}\profiles\{profileName}\config\cells\{cellName}\wim\config\wimconfig.xml
- Look for the section in this file that contains the LDAP repository
configuration. For example:
<config:repositories xsi:type="config:LdapRepositoryType"
    adapterClassName="com.ibm.ws.wim.adapter.ldap.LdapAdapter"
    id="ldaprepo1" ...>
  <config:attributeConfiguration>
    ...
    <config:attributes name="anLDAPattribute" propertyName="aVMMattribute"/>
    ...
  </config:attributeConfiguration>
- Add an element of type config:attributes to define the mapping
between a given federated repository property name (the propertyName
attribute), such as departmentNumber, and the LDAP attribute name (the
name attribute) that backs it, such as warehouseSection.
Note: For all federated repository properties, a one-to-one mapping is
assumed. If no explicit mapping of this type is defined for a property,
for example the federated repository property departmentNumber, the
LDAP attribute with the same name, departmentNumber, is assumed.
- Configure the unsupported properties of the federated repository.
To indicate that a given federated repository property, such as
departmentNumber, is not backed by any LDAP attribute, define the
following type of element:
<config:repositories xsi:type="config:LdapRepositoryType"
    adapterClassName="com.ibm.ws.wim.adapter.ldap.LdapAdapter"
    id="ldaprepo1" ...>
  <config:attributeConfiguration>
    ...
    <config:propertiesNotSupported name="departmentNumber"/>
    ...
  </config:attributeConfiguration>
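The following Python script is an added example; it is not part of this topic and not WebSphere product code. It applies the two manual edits above (the config:attributes mapping and the config:propertiesNotSupported element) to a parsed wimconfig.xml instead of editing the file by hand, and it checks the two conditions that a hand edit can get wrong: the same property being both mapped and listed as unsupported, and the same mapping being added twice. The namespace URIs in the script and the SAMPLE document it parses are assumptions made for the example; verify the xmlns:config and xmlns:xsi declarations in your own wimconfig.xml before pointing the script at a real file.

```python
"""Edit the config:attributeConfiguration of an LDAP repository in wimconfig.xml.

Added example, not IBM code. Functions:
  map_property()      adds or updates a <config:attributes> element
  mark_unsupported()  adds a <config:propertiesNotSupported> element
  resolve_attribute() reports which LDAP attribute a property is read from,
                      including the implicit one-to-one default.
"""
import xml.etree.ElementTree as ET

# Assumed namespace URIs: check them against the xmlns declarations in your file.
CONFIG_NS = "http://www.ibm.com/websphere/wim/config"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
ET.register_namespace("config", CONFIG_NS)
ET.register_namespace("xsi", XSI_NS)


def q(tag):
    """Clark-notation name for an element in the config namespace."""
    return "{%s}%s" % (CONFIG_NS, tag)


# Constructed sample mirroring the fragment shown above; not a real wimconfig.xml.
SAMPLE = """<config:configurationProvider xmlns:config="%s" xmlns:xsi="%s">
  <config:repositories xsi:type="config:LdapRepositoryType"
      adapterClassName="com.ibm.ws.wim.adapter.ldap.LdapAdapter" id="ldaprepo1">
    <config:attributeConfiguration>
      <config:attributes name="mail" propertyName="mail"/>
    </config:attributeConfiguration>
  </config:repositories>
</config:configurationProvider>
""" % (CONFIG_NS, XSI_NS)


def load_config(xml_text):
    return ET.fromstring(xml_text)


def dump_config(root):
    return ET.tostring(root, encoding="unicode")


def attribute_configuration(root, repo_id):
    """Return the attributeConfiguration element of repository repo_id, creating it if absent."""
    for repo in root.iter(q("repositories")):
        if repo.get("id") == repo_id:
            ac = repo.find(q("attributeConfiguration"))
            if ac is None:
                ac = ET.SubElement(repo, q("attributeConfiguration"))
            return ac
    raise KeyError("no config:repositories element with id=%r" % repo_id)


def is_unsupported(root, repo_id, property_name):
    ac = attribute_configuration(root, repo_id)
    return any(e.get("name") == property_name for e in ac.findall(q("propertiesNotSupported")))


def map_property(root, repo_id, property_name, ldap_attribute):
    """Map a federated repository property to an LDAP attribute (idempotent)."""
    if is_unsupported(root, repo_id, property_name):
        raise ValueError("%s is listed in propertiesNotSupported; remove that entry first" % property_name)
    ac = attribute_configuration(root, repo_id)
    for el in ac.findall(q("attributes")):
        if el.get("propertyName") == property_name:
            el.set("name", ldap_attribute)  # update the existing mapping in place
            return el
    return ET.SubElement(ac, q("attributes"), {"name": ldap_attribute, "propertyName": property_name})


def mark_unsupported(root, repo_id, property_name):
    """Declare that no LDAP attribute backs property_name (idempotent)."""
    ac = attribute_configuration(root, repo_id)
    if any(e.get("propertyName") == property_name for e in ac.findall(q("attributes"))):
        raise ValueError("%s has an explicit mapping; a property cannot be both mapped and unsupported" % property_name)
    for el in ac.findall(q("propertiesNotSupported")):
        if el.get("name") == property_name:
            return el
    return ET.SubElement(ac, q("propertiesNotSupported"), {"name": property_name})


def resolve_attribute(root, repo_id, property_name):
    """LDAP attribute a property is read from: explicit mapping, else the same name; None if unsupported."""
    if is_unsupported(root, repo_id, property_name):
        return None
    ac = attribute_configuration(root, repo_id)
    for el in ac.findall(q("attributes")):
        if el.get("propertyName") == property_name:
            return el.get("name")
    return property_name  # the one-to-one default described in the note above


if __name__ == "__main__":
    cfg = load_config(SAMPLE)
    map_property(cfg, "ldaprepo1", "departmentNumber", "warehouseSection")
    mark_unsupported(cfg, "ldaprepo1", "employeeType")
    print(dump_config(cfg))
```

Back up wimconfig.xml before writing the result of dump_config() over it, and restart the server for a manual edit of this file to take effect.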
- Configure the LDAP repository to match the used LDAP user membership
attribute in the groups.
- In the administrative console, click Security > Global security.
- Under User account repository, select Federated repositories from
the Available realm definitions field and click Configure.
- Under Related items, click Manage repositories.
- Select ldaprepo1
- Click Group attribute definitions.
- Click Member attributes.
- Check whether your LDAP member attribute (for example, uniqueMember) is
specified for your LDAP objectclass (for example, groupOfUniqueNames).
- If it is not specified, click New and add the pair (objectclass /
member attribute name) that applies to your LDAP schema (for example,
groupOfUniqueNames / uniqueMember).
- If it is specified, proceed.
- Click Apply.
- Click Save.
- Map other LDAP settings by configuring a new base entry
for the new LDAP repository.
- In the administrative console, click Security > Global security.
- Under User account repository, select Federated repositories from
the Available realm definitions field and click Configure.
- Click Add Base Entry to Realm.
- Select ldaprepo1.
- Specify:
- The base entry within the federated repository realm, for example, o=Default
Organization
- The base entry within the LDAP repository, for example, o=Default
Organization
- Click Apply.
- Click Save.
For an explanation of base entries, see the Configuring supported
entity types in a federated repository configuration topic.
Results
After completing these steps, your federated repository matches
the LDAP server settings.
What to do next