Follow this topic to manually configure a Lightweight Directory Access Protocol (LDAP) repository in a federated repository configuration.
Before you begin
As a prerequisite, you need to add an LDAP repository to your WebSphere® Application Server
configuration, where you define the following information:
Table 1. Prerequisite LDAP repository information
The following table lists prerequisite LDAP repository information for an LDAP repository that supports simple bind authentication.

Item Name               | Example
Repository identifier   | ldaprepo1
Directory type          | IBM® Tivoli® Directory Server
Primary host name       | localhost
Port                    | 389
Bind distinguished name | cn=ldapadmin
Bind password           | yourpwd
Login properties        | uid (a property that contains login information)
About this task
At this point, you have a valid LDAP repository ready to be manually configured in a federated repository configuration. The following task sets up an LDAP server that uses simple bind authentication.
You can also set up an LDAP server that uses Kerberos bind authentication with GSSAPI (Generic Security Services API), because this type of authentication is supported as well.
Procedure
- Map the federated repository entity types to the LDAP object classes.
  - Configure the LDAP repository to match the LDAP object class used for users.
    - In the administrative console, click Security > Global security.
    - Under User account repository, select Federated repositories from the Available realm definitions field and click Configure. To configure for a specific domain in a multiple security domain environment, click Security domains > domain_name. Under Security Attributes, expand User Realm, and click Customize for this domain. Select the Realm type as Federated repositories and then click Configure.
    - Under Related items, click Manage repositories.
    - Select the repository (for example, ldaprepo1).
    - Click LDAP entity types.
    - Click PersonAccount.
    - Insert the object class name used in your LDAP server, for example, inetOrgPerson.
    - Click Apply.
    - Click Save.
    See Configuring supported entity types in a federated repository configuration for an explanation of the supported entity types.
    See https://www.ibm.com/docs/en/SSAW57_8.5.5/com.ibm.websphere.wim.doc/DefaultLDAPMapping.htm for a description of the LDAP default mappings.
  - Configure the LDAP repository to match the LDAP object class used for groups.
    - In the administrative console, click Security > Global security.
    - Under User account repository, select Federated repositories from the Available realm definitions field and click Configure. To configure for a specific domain in a multiple security domain environment, click Security domains > domain_name. Under Security Attributes, expand User Realm, and click Customize for this domain. Select the Realm type as Federated repositories and then click Configure.
    - Under Related items, click Manage repositories.
    - Select ldaprepo1.
    - Click LDAP entity types.
    - Click Group.
    - Insert the object class name used for your LDAP server, for example, groupOfUniqueNames.
    - Click Apply.
    - Click Save.
    See Group attribute definition settings for an explanation of group attribute definitions.
- Map the federated repository property names to the LDAP attribute names.
  - Configure the supported LDAP repository attributes.
    - In the administrative console, click Security > Global security.
    - Under User account repository, select Federated repositories from the Available realm definitions field and click Configure. To configure for a specific domain in a multiple security domain environment, click Security domains > domain_name. Under Security Attributes, expand User Realm, and click Customize for this domain. Select the Realm type as Federated repositories and then click Configure.
    - Under Related items, click Manage repositories > repository_ID, and then, under Additional properties, click the LDAP attributes link.
    - If the attribute mapping exists, you must first delete the existing mapping for the LDAP attribute, and then add a new mapping for the attribute. Select the checkbox next to the LDAP attribute name and click Delete.
    - To add an attribute mapping, click Add, and select Supported.
    - Enter the LDAP attribute name in the Name field, the federated repositories property name in the Property name field, and the entity type to which the attribute mapping applies in the Entity types field.
  - Configure the unsupported properties of the federated repository. To indicate that a given federated repository property, such as departmentNumber, is not supported by any LDAP attribute, you need to define an unsupported property.
    - On the LDAP attributes panel, click Add, and select Unsupported from the drop-down menu.
    - Enter the federated repositories property name in the Property name field, and the entity type in the Entity types field.
    - Click Apply and then Save.
  - Configure the LDAP repository to match the LDAP attributes used for a user.
    - Edit the file {WAS_HOME}\profiles\{profileName}\config\cells\{cellName}\wim\config\wimconfig.xml
    - Look for the section in this file that contains the LDAP repository configuration. For example:

          <config:repositories xsi:type="config:LdapRepositoryType"
              adapterClassName="com.ibm.ws.wim.adapter.ldap.LdapAdapter" id="ldaprepo1" ...>
            <config:attributeConfiguration>
              ...
              <!-- name is the LDAP attribute, propertyName is the federated repository (VMM) property -->
              <config:attributes name="anLDAPattribute" propertyName="aVMMattribute"/>
              ...
            </config:attributeConfiguration>

    - Add an element of type config:attributes to define the mapping between a given federated repository property name, such as departmentNumber, and the desired LDAP attribute name, such as warehouseSection.
      Note: For all federated repository properties, a one-to-one mapping is assumed. If no explicit mapping is defined for a given property, for example the federated repository property departmentNumber, the underlying LDAP attribute is assumed to have the same name, departmentNumber.
  - Configure the unsupported properties of the federated repository. To indicate that a given federated repository property, such as departmentNumber, is not supported by any LDAP attribute, you need to define the following type of element:

          <config:repositories xsi:type="config:LdapRepositoryType"
              adapterClassName="com.ibm.ws.wim.adapter.ldap.LdapAdapter" id="ldaprepo1" ...>
            <config:attributeConfiguration>
              ...
              <config:propertiesNotSupported name="departmentNumber"/>
              ...
            </config:attributeConfiguration>
  - Configure the LDAP repository to match the LDAP user membership attribute used in the groups.
    - In the administrative console, click Security > Global security.
    - Under User account repository, select Federated repositories from the Available realm definitions field and click Configure. To configure for a specific domain in a multiple security domain environment, click Security domains > domain_name. Under Security Attributes, expand User Realm, and click Customize for this domain. Select the Realm type as Federated repositories and then click Configure.
    - Under Related items, click Manage repositories.
    - Select ldaprepo1.
    - Click Group attribute definitions.
    - Click Member attributes.
    - Check whether your LDAP member attribute (for example, uniqueMember) is specified for your LDAP object class (for example, groupOfUniqueNames).
    - If it is not specified, click New and add the pair (member attribute name / object class) that applies to your LDAP schema, for example, uniqueMember / groupOfUniqueNames.
    - If it is specified, proceed.
    - Click Apply.
    - Click Save.
- Map other LDAP settings by configuring a new base entry for the new LDAP repository.
  - In the administrative console, click Security > Global security.
  - Under User account repository, select Federated repositories from the Available realm definitions field and click Configure. To configure for a specific domain in a multiple security domain environment, click Security domains > domain_name. Under Security Attributes, expand User Realm, and click Customize for this domain. Select the Realm type as Federated repositories and then click Configure.
  - Click Add Base Entry to Realm.
  - Select ldaprepo1.
  - Specify:
    - The base entry within the federated repository realm, for example, o=Default Organization
    - The base entry within the LDAP repository, for example, o=Default Organization
  - Click Apply.
  - Click Save.
  For an explanation of base entries, see the Configuring supported entity types in a federated repository configuration topic.
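The wimconfig.xml attribute mapping and propertiesNotSupported elements described above are easy to get subtly wrong by hand (a property mapped twice breaks the one-to-one assumption, a property both mapped and declared unsupported is contradictory, and stray whitespace inside the quotes changes the name). The following added example, which is not part of the IBM documentation or WebSphere itself, parses a constructed wimconfig.xml fragment for the repository ldaprepo1, reports such conflicts, and resolves the LDAP attribute the adapter will use for a property, including the default same-name mapping; the config namespace URI and the root element name are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"config": "http://www.ibm.com/websphere/wim/config"}  # namespace URI assumed; match yours

# Constructed wimconfig.xml fragment (not from a real server): one clean mapping, one
# property mapped to two LDAP attributes, one property both mapped and declared unsupported.
SAMPLE = """<config:configurationProvider xmlns:config="http://www.ibm.com/websphere/wim/config"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <config:repositories xsi:type="config:LdapRepositoryType" id="ldaprepo1"
      adapterClassName="com.ibm.ws.wim.adapter.ldap.LdapAdapter">
    <config:attributeConfiguration>
      <config:attributes name="warehouseSection" propertyName="departmentNumber"/>
      <config:attributes name="mail" propertyName="mail"/>
      <config:attributes name="mobile" propertyName="mail"/>
      <config:attributes name="empType" propertyName="employeeType"/>
      <config:propertiesNotSupported name=" employeeType"/>
    </config:attributeConfiguration>
  </config:repositories>
</config:configurationProvider>"""

def load_mappings(xml_text, repo_id):
    """Return ({propertyName: [ldapAttributeName, ...]}, {unsupported property names})
    for the repository whose id matches repo_id."""
    mapped, unsupported = {}, set()
    for repo in ET.fromstring(xml_text).findall("config:repositories", NS):
        if repo.get("id") != repo_id:
            continue
        for cfg in repo.findall("config:attributeConfiguration", NS):
            for attr in cfg.findall("config:attributes", NS):
                # strip() tolerates stray whitespace inside the quotes, a common typo
                mapped.setdefault(attr.get("propertyName").strip(), []).append(attr.get("name").strip())
            for unsup in cfg.findall("config:propertiesNotSupported", NS):
                unsupported.add(unsup.get("name").strip())
    return mapped, unsupported

def check_mappings(mapped, unsupported):
    """Flag properties that break the one-to-one rule or are both mapped and unsupported."""
    problems = []
    for prop, attrs in sorted(mapped.items()):
        if len(attrs) > 1:
            problems.append(f"{prop}: mapped to several LDAP attributes {attrs}")
        if prop in unsupported:
            problems.append(f"{prop}: mapped to {attrs} but also listed as not supported")
    return problems

def effective_ldap_attribute(prop, mapped, unsupported):
    """LDAP attribute used for a property: None if unsupported, else the mapping or the same name."""
    if prop in unsupported:
        return None
    return mapped.get(prop, [prop])[0]
```

Run check_mappings on the output of load_mappings before restarting the server; an empty problem list means every property resolves to exactly one LDAP attribute or is explicitly unsupported.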
Results
After completing these steps, your federated repository matches the LDAP server settings.