Configuring a federated repository or stand-alone LDAP registry using wsadmin

You can use the wsadmin tool to configure a federated repository or stand-alone LDAP registry.

About this task

You can use the AdminTask ldapSearch command to help configure a federated repository or stand-alone LDAP registry by following these steps.

Before fix pack 8.5.5.19, the application server supports only simple bind authentication, which is therefore the default.

[8.5.5.19 or later]The application server supports simple bind authentication and Kerberos bind authentication with Generic Security Services API (GSSAPI). It uses simple bind authentication by default.

Procedure

Sample Jython command
The following sample Jython command uses simple bind authentication. The command takes a single argument string; the adjacent string literals inside the parentheses are joined by Jython, so the argument can be laid out over several lines:

--testquery.py ---------------
# Simple bind: the bind DN and password are sent to the LDAP server.
queryResult = AdminTask.ldapSearch('-hostname testldap.austin.ibm.com -port 389 '
    '-baseDN DC=austinldap,DC=local '
    '-bindDN CN=testuser,CN=Users,DC=austinldap,DC=local '
    '-bindPassword Password123!@#$%^&*() -sslEnabled false '
    '-searchFilter (&(sAMAccountName=wasadmin)(objectClass=person)) '
    '-searchLimit 50 -referral ignore')
print queryResult
--------------------------------
[8.5.5.19 or later] The following sample Jython command uses Kerberos GSSAPI bind authentication. No bind DN or password is passed; the credentials come from the keytab file.
Important: Kerberos GSSAPI bind authentication in a mixed cell with node levels earlier than fix pack 8.5.5.19 is not supported.

--testquery.py ---------------
# GSSAPI bind: the principal authenticates with the KDC using the keytab;
# the backslashes in the Windows paths are doubled because this is a Jython string.
queryResult = AdminTask.ldapSearch('-hostname testldap.austin.ibm.com -port 389 '
    '-baseDN DC=austinldap,DC=local '
    '-bindAuthMechanism GSSAPI '
    '-krb5Principal testuser '
    '-krb5Keytab C:\\WAS_serv1\\krb5_sample.keytab '
    '-krb5Config C:\\WAS_serv1\\krb5_sample.ini '
    '-searchFilter (&(sAMAccountName=wasadmin)(objectClass=person)) '
    '-searchLimit 50 -referral ignore')
print queryResult
--------------------------------

To run this Jython script, use the following wsadmin command, replacing showBluePage.py with the name of your script file (testquery.py in the samples above). The -conntype NONE option runs wsadmin without connecting to a server process.

wsadmin -conntype NONE -lang jython -f showBluePage.py

The following parameters are required:

hostname
Specifies the LDAP server host name. This host name is either an IP address or a domain name service (DNS) name.
baseDN
Specifies the base distinguished name of the directory service, which indicates the starting point for LDAP searches in the directory service. For example, ou=Rochester, o=IBM, c=us.
sslEnabled
Specifies whether secure socket communication with the Lightweight Directory Access Protocol (LDAP) server is enabled. When this option is set to true, the LDAP Secure Sockets Layer (SSL) settings (see sslAlias) are used, if specified.
searchFilter
Specifies the LDAP search filter that the ldapsearch uses, for example (&(sAMAccountName=wasadmin)(objectClass=person)).

The following parameters are optional:

bindDN
Specifies the distinguished name for the application server. The application server uses the bind distinguished name to bind to the directory service. This parameter is used for simple bind authentication.
bindPassword
Specifies the password for the application server. The application server uses the password to bind to the directory service. This parameter is used for simple bind authentication.
[8.5.5.19 or later]bindAuthMechanism
Specifies the bind authentication mechanism. Set this parameter to GSSAPI to authenticate the application server to the LDAP directory service with Kerberos bind authentication through the Generic Security Services API (GSSAPI). When the parameter is omitted, simple bind authentication is used.
[8.5.5.19 or later]krb5Principal
Specifies the Kerberos principal name or Kerberos service principal name that is used to authenticate with the Key Distribution Center (KDC).

This parameter is required for Kerberos bind authentication with GSSAPI.

[8.5.5.19 or later]krb5TicketCache
Specifies the file location where Kerberos credentials for the Kerberos principal name or Kerberos service principal name are stored. This file is known as the Kerberos ticket cache, and also as the Kerberos credential cache or ccache. If the Kerberos ticket cache and the Kerberos keytab file are both specified, only the Kerberos credentials cache is used. If neither a Kerberos credential cache nor a Kerberos keytab file is specified, the application server uses the default keytab file at the default system location.

This parameter is optional for Kerberos bind authentication with GSSAPI.

[8.5.5.19 or later]krb5Config
Specifies the Kerberos configuration file name with its full path. The Kerberos configuration file contains client configuration information, including the locations of each Key Distribution Center (KDC) for the realm of interest. If no Kerberos configuration file is specified, the application server uses the configuration file at the default system location. The following information gives the default file name and location for the Kerberos configuration file:
  • [Linux][AIX][z/OS][HP-UX][IBM i][Solaris]/etc/krb5.conf
  • [Windows]C:\Windows\krb5.ini

This parameter is optional for Kerberos bind authentication with GSSAPI.

[8.5.5.19 or later]krb5Keytab
Specifies a Kerberos keytab file name with its full path. The Kerberos keytab file contains a list of keys that are analogous to user passwords. If the Kerberos credentials cache and the Kerberos keytab file are both specified, only the Kerberos credentials cache is used. If neither a Kerberos credential cache nor a Kerberos keytab file is specified, the application server uses the default keytab file at the default system location.

This parameter is optional for Kerberos bind authentication with GSSAPI.

port
Specifies the LDAP server port number. The default is 389.
sslAlias
Specifies which SSL configuration to use for LDAP.
searchLimit
Specifies how many search results to display. The default is 20. The maximum is 100.
referral
Specifies the value of the JNDI Context.REFERRAL ("java.naming.referral") environment property, which controls how LDAP referrals are handled. Valid values are ignore, follow, and throw. ignore is the default.
searchScope
Specifies the search scope. Valid values are sub, one, and base. sub is the default.
verbose
Specifies whether verbose output is displayed. Valid values are true and false.
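The rules in the parameter list above (which parameters are required, the allowed values for referral, searchScope and sslEnabled, the searchLimit maximum, krb5Principal being mandatory for GSSAPI, and the ticket cache taking precedence over the keytab) can be checked in the script before the command is sent to the server. The following helper is an added example, not IBM code and not part of the samples above: it builds the argument string that AdminTask.ldapSearch takes from a dictionary and rejects misconfigurations with a clear error instead of a failed bind. It is written in a Python 2/3-compatible subset so that it can be pasted into a wsadmin Jython script (assumption: your wsadmin Jython level runs it). The double-quoting of values that contain spaces, such as the baseDN example ou=Rochester, o=IBM, c=us, is an assumption about wsadmin argument parsing and is not stated on this page.

```python
# Added helper, not part of the product or of this page's samples. It builds the
# single argument string that AdminTask.ldapSearch takes from a dict, enforcing
# the rules documented for each parameter before anything reaches the LDAP server.

# Parameter order used for the generated string (required ones first).
ORDER = ("hostname", "port", "baseDN", "sslEnabled", "sslAlias",
         "bindDN", "bindPassword", "bindAuthMechanism",
         "krb5Principal", "krb5TicketCache", "krb5Keytab", "krb5Config",
         "searchFilter", "searchScope", "searchLimit", "referral", "verbose")

REQUIRED = ("hostname", "baseDN", "sslEnabled", "searchFilter")

# Documented value sets for the enumerated parameters.
ALLOWED = {
    "sslEnabled": ("true", "false"),
    "referral": ("ignore", "follow", "throw"),
    "searchScope": ("sub", "one", "base"),
    "verbose": ("true", "false"),
}


def _to_str(value):
    """Render Python values the way wsadmin expects them (booleans lowercase)."""
    if value is True:
        return "true"
    if value is False:
        return "false"
    return str(value)


def _quote(value):
    """Double-quote a value that contains whitespace so wsadmin keeps it as one
    parameter value. The quoting convention is an assumption, not from the page."""
    for ch in value:
        if ch.isspace():
            return '"%s"' % value.replace('"', '\\"')
    return value


def build_ldapsearch_args(params):
    """Validate params (option name -> value) and return the argument string
    for AdminTask.ldapSearch. Raises ValueError on any rule violation."""
    params = params.copy()
    for key in params:
        if key not in ORDER:
            raise ValueError("unknown parameter: " + key)
    for key in REQUIRED:
        if key not in params:
            raise ValueError("missing required parameter: " + key)
    for key in ALLOWED:
        if key in params and _to_str(params[key]) not in ALLOWED[key]:
            raise ValueError("%s must be one of %s" % (key, ", ".join(ALLOWED[key])))
    if "searchLimit" in params:
        limit = int(params["searchLimit"])
        if limit < 1 or limit > 100:
            raise ValueError("searchLimit must be between 1 and 100")
    mech = params.get("bindAuthMechanism")
    if mech is not None and mech != "GSSAPI":
        raise ValueError("bindAuthMechanism only supports GSSAPI")
    if mech == "GSSAPI":
        if "krb5Principal" not in params:
            raise ValueError("krb5Principal is required for GSSAPI bind")
        # When both a ticket cache and a keytab are given only the ticket cache
        # is used, so drop the keytab rather than pass a dead option.
        if "krb5TicketCache" in params and "krb5Keytab" in params:
            del params["krb5Keytab"]
    elif ("bindDN" in params) != ("bindPassword" in params):
        # A DN without a password (or the reverse) is a misconfiguration, not an
        # anonymous bind: fail early instead of letting the server decide.
        raise ValueError("bindDN and bindPassword must be given together")
    parts = []
    for key in ORDER:
        if key in params:
            parts.append("-%s %s" % (key, _quote(_to_str(params[key]))))
    return " ".join(parts)


# Inside a wsadmin script the result is passed straight to the command:
# queryResult = AdminTask.ldapSearch(build_ldapsearch_args({...}))
```

Keys that are not in the documented parameter list raise an error, which catches typos such as -hostName before they are silently ignored by the command, and a GSSAPI request without krb5Principal fails in the script rather than at the KDC.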