[IBM i]

Adding users to the Lightweight Directory Access Protocol user registry

The Lightweight Directory Access Protocol (LDAP) user registry can be used with any of the authentication mechanisms that WebSphere® Application Server supports. Before a user can authenticate against that registry and be authorized to access Application Server resources, the user must have an entry in the LDAP directory, so you must add the users you want to authorize.

About this task

This information is specific to the iSeries Directory Services product.

A variety of methods are available to add users. The easiest is to create an LDAP Data Interchange Format (LDIF) file that contains the set of users to add to the directory, and then load that file with one of the LDAP utilities, such as ldapadd or idsldapmodify. You can run these utilities either from the operating system or from a workstation. If you run them from the operating system, the LDIF file must reside in the integrated file system.

Complete the following steps to add users to the LDAP user registry:

Procedure

  1. Create an LDIF file and save it in the integrated file system.
    Use either the Edit File (EDTF) utility or your workstation text editor to create the file. Save the file in the integrated file system either by mapping a drive or using the file transfer protocol (FTP).

    For WebSphere Application Server and LDAP directory services, create entries in the directory that correspond to the ePerson schema definition.

    A simple ePerson LDIF entry resembles the following example:
    dn: cn=John Doe, ou=Rochester, o=IBM, c=US
    objectclass: person
    objectclass: inetOrgPerson
    objectclass: top
    objectclass: organizationalPerson
    objectclass: ePerson
    cn: John Doe
    sn: Doe
    uid: jdoe
    userpassword: secretpass

    This LDIF entry defines an ePerson for the user John Doe. The user identification (uid) is jdoe and the password is secretpass. The entry resides in the Rochester organizational unit, which is within the IBM® organization in the United States. The containing ou, o, and c entries must already exist in the directory, or be defined earlier in the same LDIF file, before this ePerson entry is added. You can define a series of ePerson entries in one file to create Lightweight Third Party Authentication (LTPA) users for WebSphere Application Server. Because the userpassword values in the file are in cleartext, restrict the authority to the LDIF file in the integrated file system and delete it after the import.

    If you omit the userpassword attribute, the LDAP server attempts to authenticate the LTPA user against the local operating system user profile whose name matches the uid attribute value. This is useful when users already have operating system user profiles and you do not want to manage passwords in both the operating system user registry and the LDAP directory.

    When you create an ePerson entry, make sure that the cn and uid attributes each have a unique value: do not create two entries that share a cn value, or two entries that share a uid value.

    Important: If you have a large user registry, login performance might be severely impacted if the Group Member ID Map property remains at its default value, which is both groupOfNames:member and groupOfUniqueNames:uniqueMember.

    To avoid this performance problem, specify only one of these object classes, and then use that object class exclusively to implement groups in the user registry.

  2. Import the LDIF file entries into your directory on the server.
    Use the LDAP ldapadd utility in Qshell Interpreter (QSH) or from a workstation.
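    The following script is added here as an example and is not part of the IBM documentation. It generates the LDIF for step 1 from a list of users: it emits the containing o and ou entries before any ePerson, escapes DN values per RFC 4514, base64-encodes attribute values that LDIF (RFC 2849) cannot carry in clear text, omits userpassword for users who should authenticate with their operating system profile, and refuses to write the file if two users share a cn or uid. The suffix o=IBM,c=US, the ou=Rochester container, and the three sample users are assumed or constructed values chosen to match the entry shown above.

```python
"""Generate an LDIF file of ePerson entries for import with ldapadd.

Added example; not from the IBM documentation. The suffix, the ou and the
sample users below are assumed/constructed values matching the page's entry.
"""
import base64
import sys

BASE_DN = "o=IBM,c=US"        # assumed: the suffix configured on the directory server
OU = "Rochester"              # assumed organizational unit under the suffix

DN_SPECIAL = set(',+"\\<>;')  # characters RFC 4514 requires escaping inside a DN value


def dn_escape(value):
    """Escape an attribute value for use in a distinguished name (RFC 4514)."""
    escaped = "".join("\\" + ch if ch in DN_SPECIAL else ch for ch in value)
    if value[:1] in (" ", "#"):            # leading space or '#' must be escaped
        escaped = "\\" + escaped
    if len(value) > 1 and value.endswith(" "):   # trailing space must be escaped
        escaped = escaped[:-1] + "\\ "
    return escaped


def ldif_line(name, value):
    """Format one LDIF attribute line, base64-encoding the value (name:: b64)
    when RFC 2849 does not allow it in clear text: non-ASCII, leading
    space/colon/'<', trailing space, or embedded NUL/CR/LF."""
    unsafe = (not value.isascii()
              or value.startswith((" ", ":", "<"))
              or value.endswith(" ")
              or any(c in value for c in "\0\r\n"))
    if unsafe:
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{name}:: {encoded}"
    return f"{name}: {value}"


def entry(dn, attrs):
    """Render one LDIF entry; attrs maps attribute name -> list of values."""
    lines = [ldif_line("dn", dn)]
    for name, values in attrs.items():
        lines.extend(ldif_line(name, v) for v in values)
    return "\n".join(lines) + "\n"


def eperson(user, ou=OU, base_dn=BASE_DN):
    """LDIF for one ePerson. When the user has no password, userpassword is
    omitted so the server falls back to the OS user profile named by uid."""
    dn = f"cn={dn_escape(user['cn'])},ou={dn_escape(ou)},{base_dn}"
    attrs = {
        "objectclass": ["top", "person", "organizationalPerson",
                        "inetOrgPerson", "ePerson"],
        "cn": [user["cn"]],
        "sn": [user["sn"]],
        "uid": [user["uid"]],
    }
    if user.get("userpassword"):
        attrs["userpassword"] = [user["userpassword"]]
    return entry(dn, attrs)


def find_duplicates(users):
    """Return the cn and uid values that occur more than once. LDAP matches
    these attributes case-insensitively, so compare lower-cased values."""
    dupes, seen = [], {"cn": set(), "uid": set()}
    for u in users:
        for attr in ("cn", "uid"):
            key = u[attr].lower()
            if key in seen[attr]:
                dupes.append(f"{attr}={u[attr]}")
            seen[attr].add(key)
    return dupes


def build_ldif(users, ou=OU, base_dn=BASE_DN):
    """Containers first, then one ePerson per user; refuse duplicate cn/uid."""
    dupes = find_duplicates(users)
    if dupes:
        raise ValueError("duplicate cn or uid values: " + ", ".join(dupes))
    rdn_attr, rdn_value = base_dn.split(",", 1)[0].split("=", 1)  # assumes an unescaped RDN
    parts = [
        # suffix entry: omit it (or run ldapadd -c) if it already exists on the server
        entry(base_dn, {"objectclass": ["top", "organization"], rdn_attr: [rdn_value]}),
        entry(f"ou={dn_escape(ou)},{base_dn}",
              {"objectclass": ["top", "organizationalUnit"], "ou": [ou]}),
    ]
    parts.extend(eperson(u, ou, base_dn) for u in users)
    return "\n".join(parts)


# Constructed sample data for this example.
SAMPLE_USERS = [
    {"cn": "John Doe", "sn": "Doe", "uid": "jdoe", "userpassword": "secretpass"},
    {"cn": "Ana Müller", "sn": "Müller", "uid": "amueller"},      # no password: OS profile named by uid
    {"cn": "Lee, Sam", "sn": "Lee", "uid": "slee", "userpassword": "ch4ngeMe"},  # comma needs DN escaping
]

if __name__ == "__main__":
    # Redirect to a file in the integrated file system, then import it with ldapadd.
    sys.stdout.write(build_ldif(SAMPLE_USERS))
```

    Run the script on a workstation, redirect its output to a file such as users.ldif, place the file in the integrated file system, and import it from QSH with ldapadd, for example ldapadd -h localhost -p 389 -D cn=administrator -w <password> -f /home/wasadmin/users.ldif (host, port, bind DN and path are assumed values). Add -c if the suffix or ou entries already exist, so that ldapadd reports the "already exists" error and continues with the remaining entries instead of stopping; and note that a password passed with -w is visible on the command line.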

What to do next

For more information on importing LDIF entries, see the Directory Services documentation for IBM i 6.1 and 7.1.