Configuring the user registry

To use an external security provider, you must add the provider to the federated repository. Several types of repositories are supported, including the local operating system registry, a standalone Lightweight Directory Access Protocol (LDAP) registry, a standalone custom registry, and federated repositories.

About this task

The default installation of IBM® Business Process Manager provides a federated repository that contains the WebSphere® Application Server file registry.

The following steps show an example of configuring an LDAP security provider (such as Microsoft Active Directory) with the federated repository. For more information about how to configure other supported repositories, such as Tivoli Directory Server, refer to the Configuring LDAP as the user account registry section of the IBM Business Process Manager V7.5 Production Topologies IBM Redbook.
Note: IBM recommends that you configure the LDAP security provider using a federated repository (also referred to as virtual member manager).
Restriction:
  • You must search for users by the user ID in stand-alone LDAP user repositories. Searching for users by user first name or last name is not supported in this configuration.
  • If you are using Active Directory as a user repository, and you search for a user name that contains a letter with a diacritical mark, the search will ignore the diacritical mark and will return all user names that contain the character, regardless of whether the character has a diacritical mark. For example, a search on user names that contain the letter e with an accent mark will return not just those user names, but also user names that include e with any other accent mark or e with no accent mark.
Important: The connection with an embedded Enterprise Content Management (ECM) system might be lost if users are deleted and recreated. Refer to Administering the technical user for the IBM BPM document store.
In the LDAP configuration, you can specify one or multiple login properties, such as uid and mail, to allow users to log in to WebSphere Application Server. To give an example, for the following LDAP entry: uid=john1; cn=John Doe; mail=john@company.com, if you specified uid and mail as the login properties, the user can log in with john1 and john@company.com but not with John Doe. Values of login properties must be unique across all repositories participating in a realm. For example, do not use cn as a login property because it might not be unique. The first login property must also be stable. For example, mail is not a stable property because its value can change for events such as a marriage or divorce. The login properties are specified by using the WebSphere Application Server administrative console.
Note: The first login property becomes the user name in the IBM Business Process Manager database. This property must not change. If you change the first login property, it results in the creation of a new user name and a duplicate user entry in the IBM Business Process Manager database. In the example, john1 is the value of the first login property and is the user name in the IBM Business Process Manager database. But, if the first login property changes from uid to mail, the next time the user is synchronized, another entry is created for the user name john@company.com in the IBM Business Process Manager database. Additionally, the next time John logs in, he will not see any of the tasks that were assigned to him prior to the change as he is now considered a new (unrelated) user.

Procedure

  1. Log in to the WebSphere Application Server administrative console.
  2. Click Security > Global security.
  3. Under User account repository, select Federated repositories from the list of Available realm definitions.
  4. Click Configure.
  5. Under Related items, click Manage repositories.
  6. Click Add > LDAP Repository and specify parameters for the provider that you want to add. For example, to add Microsoft Active Directory, specify values such as the following examples:
    Table 1. Parameters for adding a provider
    Parameter Example values
    Repository identifier SALOMLDAP // change to suit
    Directory type Microsoft Windows Active Directory
    Primary host name 10.1.5.18
    Bind distinguished name cn=LDAP_USER,CN=Users,DC=COMPANYQA,DC=com
    Bind password pwsaaswp
  7. Click OK and then Save.
  8. On the Federated repositories page, click Add Base entry to Realm and specify values such as the following examples:
    Table 2. Parameters for adding a base entry to a realm
    Base entry name Example values
    Distinguished name of a base entry that uniquely identifies this set of entries in the realm cn=Users,DC=COMPANYQA,DC=com
    Distinguished name of a base entry in this repository cn=Users,DC=COMPANYQA,DC=com
  9. Click OK and then Save.

    If your external security provider (LDAP) contains many entries, you must increase the maximum number of search results in federated repositories. A full synchronization queries all entries in LDAP. This process is limited by the maximum search value in the wimconfig.xml. In WebSphere Application Server, the default maximum search results is 4500 entries. This value is not the maximum number of LDAP users or groups that WebSphere Application Server can handle; rather, it is the maximum number that is returned based on the configuration value in the wimconfig.xml file. Check the SystemOut.log file for the CWWIM1018E error code. If you have this issue, you can increase the maximum search results in the wimconfig.xml file as described in the MaxResultsExceededException occurs during LDAP repository search topic in the WebSphere Application Server Information Center. After the change, restart the IBM BPM servers, then complete a full synchronization

  10. On the Global Security page, click Set as current and then click Apply.
  11. Shut down all IBM BPM servers. For a network deployment environment, you must shut down all of the servers, node agents, and deployment manager.
  12. Make sure that no duplicate users exist in the WebSphere Application Server file registry and the security provider that you just added. If duplicate users exist, errors will occur when you run IBM Business Process Manager product components.
  13. Start all IBM BPM servers. For a network deployment environment, you must restart all of the servers, node agents, and deployment manager.

    If you have configured a server cluster for your runtime environment, stop and restart all servers in the cluster.

Parent topic: Creating a secure environment