Configuring LDAP ACL management with VMM for WebSphere Application Server V7

Use LDAP to define the users and groups who can install mobile applications with the Application Center with the Virtual Member Manager (VMM) API.

About this task

Since IBM® Worklight V6.0, two configuration approaches are available: the JNDI API and the VMM API. This procedure shows you how to use the VMM API. LDAP must be configured based on the federated repository configuration.
Note: The stand-alone LDAP registry is not supported.

Several different repositories, LDAP and non-LDAP, can be configured in the federated repository.

Procedure

  1. Configure the attribute mapping. For users, the Application Center refers to these VMM attributes:
    • uid: represents the user login name.
    • sn: represents the full name of the user.

    For groups, the Application Center refers only to the VMM attribute cn.

    If VMM attributes are not identical to LDAP attributes, you must map the VMM attributes to the corresponding LDAP attributes.
    Note: In WebSphere® Application Server V7, you cannot configure this mapping with the WebSphere Application Server console.
    1. Find in the file WAS_HOME/profiles/profileName/config/cells/cellName/wim/config/wimconfig.xml the section that contains the LDAP repository configuration with id="your LDAP id":
      <config:repositories xsi:type="config:LdapRepositoryType" adapterClassName="com.ibm.ws.wim.adapter.ldap.LdapAdapter"
                     id="your LDAP id"....

      Where your LDAP id is the user ID that is configured for you in the LDAP repository.

    2. In this section, after the element <config:attributeConfiguration>, add these entries:
      <config:attributes name="your LDAP attribute for the user full name" propertyName="sn">
          <config:entityTypes>PersonAccount</config:entityTypes>
      </config:attributes>
      <config:attributes name="your LDAP attribute for the user login name" propertyName="uid">
          <config:entityTypes>PersonAccount</config:entityTypes>
      </config:attributes>
    3. Save the file and restart the server.
  2. Configure the Application Center for ACL management with LDAP. In WebSphere Application Server V7, only a WebSphere administrator user can call the VMM API. VMM roles are supported only by WebSphere Application Server V8.
    You must define these properties:
    • ibm.appcenter.ldap.active = true.
    • ibm.appcenter.ldap.vmm.active = true.
    • ibm.appcenter.ldap.vmm.adminuser = WebSphere administrator user.
    • ibm.appcenter.ldap.vmm.adminpwd = WebSphere administrator password. The password can be encoded or not.
    • ibm.appcenter.ldap.cache.expiration.seconds = the delay in seconds before the LDAP cache expires. If no value is entered, the default value is 86400, which is equal to 24 hours.
      Note: See List of JNDI properties for the Application Center for a complete list of properties.

      Changes to users and groups on the LDAP server become visible to the Application Center after a delay, which is specified by ibm.appcenter.ldap.cache.expiration.seconds. The Application Center maintains a cache of LDAP data and the changes become visible only after the cache expires. By default, the delay is 24 hours. If you do not want to wait for this delay to expire after changes to users or groups, you can call this command to clear the cache of LDAP data:

      acdeploytool.sh -clearLdapCache -s serverurl -c context -u user -p password

      For more information, see Using the stand-alone tool to clear the LDAP cache.

    1. Log in to the WebSphere Application Server console.
    2. Select Applications > Application Types > WebSphere enterprise applications.
    3. In the Web Module Properties section, select IBM_Application_Center_Services if you deployed WAR files or APPCenterEAR if you deployed an EAR file, and then select Environment entries for Web modules.
    4. Set the values for the properties.
    5. Click OK and save the configuration.

      The application is automatically restarted.

  3. Optional: Encode the password with the PropFilePasswordEncoder utility.
    1. Create a pwd.txt file that contains the entry adminpwd=your clear password, where your clear password is the unencoded administrator password.
    2. Run this command:
      {WAS_HOME}/profiles/profile_name/bin/PropFilePasswordEncoder "file_path/pwd.txt"  adminpwd
    3. Open the pwd.txt file and copy the encoded password into the value of the ibm.appcenter.ldap.vmm.adminpwd property.
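As an added worked example (not IBM's code and not part of the original procedure), the following Python script performs the attribute-mapping edit of step 1 on wimconfig.xml: it locates the config:repositories element with the given id, checks that it is an LDAP repository, and inserts the sn and uid mappings for PersonAccount immediately after the opening <config:attributeConfiguration> tag, leaving mappings that are already present untouched and refusing to silently overwrite a conflicting one. The namespace URIs assumed for the config, xsi and sdo prefixes, the repository id MyLdap, and the LDAP attribute names displayName and sAMAccountName are assumptions and constructed sample values; the embedded wimconfig.xml is a constructed minimal sample, not a real file.

```python
"""Insert the VMM attribute mappings that the Application Center needs
(propertyName sn -> LDAP full-name attribute, propertyName uid -> LDAP
login-name attribute) into the LDAP repository section of wimconfig.xml.

Added example, not IBM's code. The namespace URIs and the sample document
below are assumptions / constructed test data; check your own file's header.
"""
import sys
import xml.etree.ElementTree as ET

# Assumed namespace URIs used by wimconfig.xml.
CONFIG_NS = "http://www.ibm.com/websphere/wim/config"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
SDO_NS = "commonj.sdo"
for prefix, uri in (("config", CONFIG_NS), ("xsi", XSI_NS), ("sdo", SDO_NS)):
    ET.register_namespace(prefix, uri)  # keep the original prefixes on output

LDAP_REPO_TYPE = "config:LdapRepositoryType"
# The two VMM properties the Application Center reads for users.
APPCENTER_USER_PROPERTIES = ("sn", "uid")


def q(tag):
    """Return the {namespace}tag form of a config: element name."""
    return "{%s}%s" % (CONFIG_NS, tag)


# Constructed minimal wimconfig.xml (a real file contains far more).
SAMPLE_WIMCONFIG = """<sdo:datagraph xmlns:sdo="commonj.sdo"
    xmlns:config="http://www.ibm.com/websphere/wim/config"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <config:configurationProvider>
    <config:repositories xsi:type="config:FileRepositoryType"
        adapterClassName="com.ibm.ws.wim.adapter.file.was.FileAdapter"
        id="InternalFileRepository"/>
    <config:repositories xsi:type="config:LdapRepositoryType"
        adapterClassName="com.ibm.ws.wim.adapter.ldap.LdapAdapter"
        id="MyLdap">
      <config:attributeConfiguration>
        <config:attributes name="objectCategory" propertyName="objectCategory"/>
      </config:attributeConfiguration>
    </config:repositories>
  </config:configurationProvider>
</sdo:datagraph>
"""


def find_ldap_repository(root, repo_id):
    """Locate <config:repositories id=repo_id> and verify it is an LDAP repository."""
    for repo in root.iter(q("repositories")):
        if repo.get("id") == repo_id:
            if repo.get("{%s}type" % XSI_NS) != LDAP_REPO_TYPE:
                raise ValueError("repository %r is not an LDAP repository" % repo_id)
            return repo
    raise ValueError("no repository with id=%r in wimconfig.xml" % repo_id)


def current_mappings(xml_text, repo_id):
    """Return {propertyName: ldapAttributeName} for the repository's attribute mappings."""
    repo = find_ldap_repository(ET.fromstring(xml_text), repo_id)
    attr_conf = repo.find(q("attributeConfiguration"))
    if attr_conf is None:
        return {}
    return {a.get("propertyName"): a.get("name") for a in attr_conf.findall(q("attributes"))}


def add_appcenter_mappings(xml_text, repo_id, fullname_attr, login_attr):
    """Add sn -> fullname_attr and uid -> login_attr mappings for PersonAccount.

    Returns (new_xml_text, list_of_properties_added). An identical mapping that
    already exists is left alone; a conflicting one raises instead of being
    silently overwritten, so the administrator sees the discrepancy.
    """
    root = ET.fromstring(xml_text)
    repo = find_ldap_repository(root, repo_id)
    attr_conf = repo.find(q("attributeConfiguration"))
    if attr_conf is None:
        attr_conf = ET.SubElement(repo, q("attributeConfiguration"))
    existing = {a.get("propertyName"): a for a in attr_conf.findall(q("attributes"))}
    wanted = dict(zip(APPCENTER_USER_PROPERTIES, (fullname_attr, login_attr)))
    added = []
    for prop, ldap_name in wanted.items():
        if prop in existing:
            if existing[prop].get("name") != ldap_name:
                raise ValueError("%s is already mapped to %r, not %r"
                                 % (prop, existing[prop].get("name"), ldap_name))
            continue
        entry = ET.Element(q("attributes"), {"name": ldap_name, "propertyName": prop})
        ET.SubElement(entry, q("entityTypes")).text = "PersonAccount"
        # New entries go right after the opening <config:attributeConfiguration> tag.
        attr_conf.insert(len(added), entry)
        added.append(prop)
    return ET.tostring(root, encoding="unicode"), added


if __name__ == "__main__":
    # Usage: python add_mappings.py wimconfig.xml "your LDAP id" fullNameAttr loginAttr
    # Prints the modified document to stdout; without arguments the sample is used.
    if len(sys.argv) == 5:
        with open(sys.argv[1], encoding="utf-8") as f:
            text = f.read()
        repo_id, fullname_attr, login_attr = sys.argv[2:]
    else:
        text, repo_id, fullname_attr, login_attr = SAMPLE_WIMCONFIG, "MyLdap", "displayName", "sAMAccountName"
    new_text, added = add_appcenter_mappings(text, repo_id, fullname_attr, login_attr)
    print(new_text)
    print("added mappings:", added or "none (already present)", file=sys.stderr)
```

The script writes the result to stdout rather than editing wimconfig.xml in place, so you can diff it against the original before replacing the file under WAS_HOME/profiles/profileName/config/cells/cellName/wim/config/ and restarting the server as step 1.3 requires.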