Scenario: Copying users from an HTTP server validation list to the Directory Server
An example of how to copy users from an HTTP server validation list to the Directory Server.
Situation and overview
You currently have an application running in the HTTP Server (powered by Apache) that uses Internet users in the validation list MYLIB/HTTPVLDL. You would like to use these same Internet users with WebSphere® Application Server (WAS) with LDAP authentication. To avoid maintaining user information in both the validation list and LDAP, you will also configure the HTTP server application to use LDAP authentication.
To accomplish this, these are the steps you need to take:
- Copy the existing validation list users to the local directory server.
- Configure the WAS server to use LDAP authentication.
- Reconfigure the HTTP server to use LDAP authentication instead of the validation list.
Step 1: Copy the existing validation list users to the local directory server
It is assumed that the directory server has previously been configured with the suffix "o=my company" and is running. LDAP users are to be stored in the directory subtree "cn=users,o=my company". The directory server administrator DN is "cn=administrator" and the administrator password is "secret".
Call the API from the command line as follows:
CALL PGM(QSYS/QGLDCPYVL) PARM('HTTPVLDL MYLIB ' 'cn=administrator' X'00000000' 'secret'
X'00000000' 'cn=users,o=my company' X'00000000' '' X'00000000' X'00000000')
When completed, the directory server will contain inetorgperson entries based on the validation list entries. For example, the validation list user:
User name: jsmith
Description: John Smith
Password: ******
will result in the following directory entry:
dn: uid=jsmith,cn=users,o=my company
objectclass: top
objectclass: person
objectclass: organizationalperson
objectclass: inetorgperson
uid: jsmith
sn: jsmith
cn: jsmith
description: John Smith
userpassword: ******
This entry can now be used to authenticate to the directory server. For example, running this ldapsearch command from QSH reads the root DSE entry of the server:
> ldapsearch -D "uid=jsmith,cn=users,o=my company" -w ****** -s base "(objectclass=*)"
Once created, you can edit the directory entries to contain further information. For example, you might want to change the cn and sn values to reflect the user's full name and last name, respectively, or add a telephone number and e-mail address.
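As an added illustration (example code, not IBM's and not what QGLDCPYVL runs internally), the Python below builds the same inetorgperson LDIF shape for a constructed set of validation list users, escaping the RDN value (RFC 4514) and base64-encoding any value LDIF cannot carry literally (RFC 2849); it is handy for checking what the copy should have produced against an ldapsearch export. The user list and the parent DN are assumptions; passwords are deliberately left out.

```python
import base64
import re

# Constructed sample of what MYLIB/HTTPVLDL might hold: (user name, description).
# Passwords are omitted; the API copies them itself, this script only predicts the rest.
VLDL_USERS = [
    ("jsmith", "John Smith"),
    ("o'brien", "Pat O'Brien"),        # apostrophe needs no escaping in a DN
    ("a,b", "Comma, Inc. account"),    # comma must be escaped inside the RDN
]
PARENT_DN = "cn=users,o=my company"   # assumed subtree, as in the scenario


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4)."""
    out = re.sub(r'([,+"\\<>;=])', r"\\\1", value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def ldif_line(attr: str, value: str) -> str:
    """Emit 'attr: value'; switch to 'attr:: base64' when the value is not LDIF-safe."""
    safe = (value.isascii()
            and not any(c in "\x00\r\n" for c in value)
            and not value.startswith((" ", ":", "<"))
            and not value.endswith(" "))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def user_to_ldif(user: str, description: str) -> str:
    """Build the entry shape the scenario shows: uid, sn and cn all set to the user name."""
    lines = [
        ldif_line("dn", f"uid={escape_rdn_value(user)},{PARENT_DN}"),
        "objectclass: top",
        "objectclass: person",
        "objectclass: organizationalperson",
        "objectclass: inetorgperson",
        ldif_line("uid", user),
        ldif_line("sn", user),
        ldif_line("cn", user),
        ldif_line("description", description),
    ]
    return "\n".join(lines) + "\n"


def export_all(users=VLDL_USERS) -> str:
    """Concatenate one LDIF record per validation list user, blank-line separated."""
    return "\n".join(user_to_ldif(u, d) for u, d in users)


if __name__ == "__main__":
    print(export_all())
```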