Connecting the stand-alone Bandwidth Manager to the LDAP server

Configure the IBM® WebSphere® Application Server federated repository for LDAP access.

About this task

The LDAP server must be running when you configure access to it. If you are configuring a cluster, perform these steps on the deployment manager.

Procedure

  1. Disable secure access to Virtual Member Manager.
    1. Open the wimconfig.xml file.

      Linux stand-alone server:

      /opt/IBM/WebSphere/AppServer/profiles/Host_name/config/cells/Cell_name/wim/config/wimconfig.xml

      Linux node:

      /opt/IBM/WebSphere/AppServer/profiles/DeploymentManager_name/config/cells/Cell_name/wim/config/wimconfig.xml

      Windows stand-alone server:

      C:\Program Files\WebSphere\AppServer\profiles\Host_name\config\cells\Cell_name\wim\config\wimconfig.xml

      Windows node:

      C:\Program Files\WebSphere\AppServer\profiles\DeploymentManager_name\config\cells\Cell_name\wim\config\wimconfig.xml
    2. Search for the string isSecurityEnabled and change the value to false.
    3. Save the file.
  2. Stop and restart the deployment manager, which also synchronizes the changes with the nodes if you are running in a cluster.
  3. Log in to the Integrated Solutions Console as the WebSphere administrator.
  4. In the navigation tree, click Security > Global security.
  5. Locate the "User account repository" sections of the Global Security page.
  6. In the Available realm definitions list, select Federated repositories and click the Set as current button.
  7. Click the Configure button and define the settings for the LDAP connection:
    1. On the "Federated Repositories" page, type a descriptive name, such as LdapRealm, in the Realm name field.
    2. In the Primary administrative user name field, type the user name (only the user name itself, not the full distinguished name) of the LDAP server's administrative user. The user must be in the LDAP repository.
    3. Click the Add Base entry to Realm button in the "Repositories in the realm" table.
    4. On the "Repository reference" page, click the Add Repository button.
    5. In the "LDAP server" section, specify the properties for your LDAP directory:
      Table 1. LDAP directory properties
      Repository identifier: Type a descriptive name, such as LDAP.
      Directory type: Select the LDAP directory used by your deployment.
      Primary host name: Enter the short host name, fully qualified domain name, or IP address of the server where the LDAP directory resides. The fully qualified domain name is recommended.
    6. In the "Security" section, fill in security settings for your LDAP directory:
      Table 2. LDAP Security properties
      Bind distinguished name: Type the user name and domain name of a user with full permissions to access the LDAP server. Use LDAP canonical name format, for example cn=administrator,cn=users,o=ibm
      Bind password: Type the password for the LDAP user specified in the Bind distinguished name field.
      Login properties: Delete the "uid" string that appears in this field, and leave the field blank.
    7. Click the Apply button, and then click the Save link in the "Messages" box at the beginning of the page.

    If an error message appears, double-check the settings you entered, particularly the Bind distinguished name, and correct the settings as needed.

    When the LDAP settings are configured correctly, a web page appears so that you can enter two more distinguished names.

  8. For both occurrences of the Base entry distinguished name field, type the Base search entry; for example, ou=sametime,dc=lotus,dc=com. Then click OK.

    The "Federated Repositories" page reappears, and you can continue configuring the LDAP connection.

  9. Click the Apply button, and then click the Save link in the "Messages" box at the beginning of the page.
  10. Optional: In the Additional Properties section, select LDAP entity types.
  11. Optional: Select PersonAccount as the entity type and enter a Search Filter that matches the object class and naming attributes you will use to locate users in the directory, then click OK.
    Tip: The filter should be consistent with the one used by the Sametime® community server to look up users. For example, (|(objectclass=inetOrgPerson)(objectclass=ePerson))

    You cannot specify replacement parameters directly in these search filters, so you cannot use this syntax to limit searches to a set of attributes (uid, mail, cn, for example). However, the same effect is achieved through the set of attributes specified in the login properties for the LDAP: the federated repository uses those attributes to do an implicit replacement at run time.

  12. Create a similar filter for the Group entity type, then click OK.

    If an error message appears, double-check the settings you entered, particularly the Bind distinguished name, and correct the settings as needed.

    When the LDAP settings are configured correctly, a web page appears so that you can enter two more distinguished names.

  13. For both occurrences of the Base entry distinguished name field, type only the domain from the user string, then click OK.
  14. For Realm name, type ldapRealm.
  15. For Primary administrative user name, enter the general name used for administration, such as administrator. Then click OK.
  16. From the Available realm definitions menu, select Federated repositories and click the Set as current button.
  17. Click the Apply button, and then click the Save link in the "Messages" box at the beginning of the page.
  18. Optional: In the Repositories in the realm list, select each resource that you did not create and click Remove. The only resource listed should be the one you just created.
  19. The Bandwidth Manager server uses the uid attribute internally to search for users through the Virtual Member Manager. If the uid attribute maps directly to the corresponding uid in the LDAP directory, you do not need to make any changes. Proceed to the last step.

    If the uid attribute does not map directly to the corresponding uid in the LDAP directory, change the mapping in the wimconfig.xml file to map the uid attribute to a different LDAP attribute.

    For example, it is common for the Media Manager server to use the mail attribute to identify users in the SIP URI, from which Bandwidth Manager extracts user IDs for lookup in the Virtual Member Manager.

    The following example maps the Virtual Member Manager uid attribute to the LDAP mail attribute in the attributeConfiguration section of the wimconfig.xml file.

    <config:attributeConfiguration>
    ...
        <config:attributes name="mail" propertyName="uid">
            <config:entityTypes>PersonAccount</config:entityTypes>
        </config:attributes>
    </config:attributeConfiguration>
  20. The Bandwidth Manager server uses the email attribute in the LDAP directory to look up users in the LDAP directory and assign the correct call rate policy. If your LDAP directory uses a different attribute for users' email addresses, such as mail, email, or emailAddress, change the mapping in the wimconfig.xml file to map the mail attribute to a different LDAP attribute.

    The following example comments out the default mapping of samAccountName. (The comment must be closed with -->; a closing sequence such as --!> is not valid XML and the file will not load.)

    <config:attributeConfiguration>
    ...
        <!--
        <config:attributes name="samAccountName" propertyName="uid">
            <config:entityTypes>PersonAccount</config:entityTypes>
        </config:attributes>
        -->
    ...
    </config:attributeConfiguration>
    Add the appropriate mapping in the attributeConfiguration section of the wimconfig.xml file. This example maps the uid attribute to the mail attribute.
    <config:attributeConfiguration>
    ...
        <config:attributes name="mail" propertyName="uid">
            <config:entityTypes>PersonAccount</config:entityTypes>
        </config:attributes>
    ...
    </config:attributeConfiguration>
  21. Save and close the wimconfig.xml file.
  22. If you have more than one LDAP directory, repeat the previous two steps on all directories.
  23. Stop and restart the deployment manager, which also synchronizes the changes with the nodes if you are running in a cluster.
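The hand edits in steps 1 and 19 through 21 are easy to get slightly wrong (a mapping left in place so that uid is backed by two LDAP attributes, or the isSecurityEnabled flag never flipped), and the only feedback is a failed restart or failed user lookups. The following Python script is an added example, not IBM code and not part of this procedure: it reads a wimconfig.xml, reports the isSecurityEnabled value, lists which LDAP attribute backs a Virtual Member Manager property for PersonAccount, flags duplicate mappings, and can rewrite the file so the property has exactly one mapping. The sample document embedded in it is constructed from the attributeConfiguration fragments above; its namespace URI, its surrounding elements, and the element that carries isSecurityEnabled are assumptions, which is why the functions match on local element names and attribute names only.

```python
"""Checker for the wimconfig.xml attribute mappings used by Bandwidth Manager.

Added example; not IBM's code. Matches on local element names so it does not
depend on the namespace prefix or URI used by the real file.
"""
import io
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the attributeConfiguration fragments from
# steps 19 and 20. It deliberately contains the failure mode the procedure
# warns about: uid is mapped twice (samAccountName was not commented out).
SAMPLE_WIMCONFIG = """<sdo:datagraph xmlns:sdo="commonj.sdo"
               xmlns:config="http://www.ibm.com/websphere/wim/config">
  <config:configurationProvider isSecurityEnabled="true">
    <config:repositories id="LDAP">
      <config:attributeConfiguration>
        <config:attributes name="samAccountName" propertyName="uid">
          <config:entityTypes>PersonAccount</config:entityTypes>
        </config:attributes>
        <config:attributes name="mail" propertyName="uid">
          <config:entityTypes>PersonAccount</config:entityTypes>
        </config:attributes>
      </config:attributeConfiguration>
    </config:repositories>
  </config:configurationProvider>
</sdo:datagraph>
"""


def _local(tag):
    """Strip the namespace from an ElementTree tag: '{uri}name' -> 'name'."""
    return tag.rsplit('}', 1)[-1]


def _entity_types(attributes_el):
    """The entityTypes listed under a config:attributes element."""
    return [t.text.strip() for t in attributes_el
            if _local(t.tag) == 'entityTypes' and t.text]


def security_enabled(xml_text):
    """Value of the isSecurityEnabled attribute (step 1 sets it to false); None if absent."""
    for el in ET.fromstring(xml_text).iter():
        if 'isSecurityEnabled' in el.attrib:
            return el.attrib['isSecurityEnabled'].strip().lower() == 'true'
    return None


def property_mappings(xml_text, property_name, entity_type='PersonAccount'):
    """LDAP attribute names explicitly mapped onto a VMM property for entity_type."""
    names = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) == 'attributes' and el.get('propertyName') == property_name:
            types = _entity_types(el)
            if not types or entity_type in types:
                names.append(el.get('name'))
    return names


def effective_ldap_attribute(xml_text, property_name):
    """The LDAP attribute VMM will search for property_name.

    No explicit mapping means the property maps directly to the LDAP attribute
    of the same name, the case step 19 says needs no change.
    """
    names = property_mappings(xml_text, property_name)
    if len(names) > 1:
        raise ValueError(f'{property_name} is mapped more than once: {names}')
    return names[0] if names else property_name


def check_config(xml_text, property_name, expected_ldap_attr):
    """Return a list of findings; an empty list means the file matches the procedure."""
    findings = []
    sec = security_enabled(xml_text)
    if sec is None:
        findings.append('isSecurityEnabled not found')
    elif sec:
        findings.append('isSecurityEnabled is still true')
    names = property_mappings(xml_text, property_name)
    if len(names) > 1:
        findings.append(f'{property_name} is mapped more than once: {names}')
    else:
        actual = effective_ldap_attribute(xml_text, property_name)
        if actual != expected_ldap_attr:
            findings.append(f'{property_name} resolves to {actual}, expected {expected_ldap_attr}')
    return findings


def remap_property(xml_text, property_name, ldap_attr, entity_type='PersonAccount'):
    """Return xml_text with exactly one mapping property_name -> ldap_attr for entity_type.

    Existing mappings of that property for the entity type are removed first,
    which is what commenting out the samAccountName block in step 20 does by hand.
    """
    # Keep the file's own prefixes (config:, sdo:) when serialising.
    for _event, (prefix, uri) in ET.iterparse(io.BytesIO(xml_text.encode()), events=('start-ns',)):
        if prefix:
            ET.register_namespace(prefix, uri)
    root = ET.fromstring(xml_text)
    sections = [e for e in root.iter() if _local(e.tag) == 'attributeConfiguration']
    for cfg in sections:
        ns = cfg.tag[1:].split('}')[0] if cfg.tag.startswith('{') else ''
        qualify = (lambda name: f'{{{ns}}}{name}') if ns else (lambda name: name)
        for child in list(cfg):
            if _local(child.tag) == 'attributes' and child.get('propertyName') == property_name:
                types = _entity_types(child)
                if not types or entity_type in types:
                    cfg.remove(child)
        new = ET.SubElement(cfg, qualify('attributes'), name=ldap_attr, propertyName=property_name)
        ET.SubElement(new, qualify('entityTypes')).text = entity_type
    return ET.tostring(root, encoding='unicode')


if __name__ == '__main__':
    # Usage: python check_wimconfig.py [path/to/wimconfig.xml]; defaults to the sample.
    text = open(sys.argv[1], encoding='utf-8').read() if len(sys.argv) > 1 else SAMPLE_WIMCONFIG
    for finding in check_config(text, 'uid', 'mail') or ['no findings']:
        print(finding)
```

Run it against the wimconfig.xml path from step 1 (a copy, not the live file) after finishing step 21 and before the restart in step 23; an empty finding list is the expected state. The remap_property function writes back with the file's original namespace prefixes, but as with any generated edit, diff its output against the original before replacing the file on the deployment manager.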