Setting up federated repositories 



Use federated repositories with IBM® WebSphere® Application Server to manage and secure user and group identities.

Before starting


Ensure that you have completed the steps described in the Preparing to configure the LDAP directory topic.

You can configure the user directory for IBM Connections to be populated with users from more than one LDAP directory.

Important: Ensure that you meet the following guidelines for entity-object class mapping:

About this task


To set up federated repositories in WAS...

Procedure

  1. Start WAS and log in to the Integrated Solutions Console on the dmgr by going to the following web address: http://<websphere_Application_Server_host_name>:9060/ibm/console

  2. Click Log in and enter the credentials of the administrative user ID that you specified during the installation of WAS.

  3. Click Security -> Global Security.

  4. Select Federated Repositories from the Available realm definitions field, and then click Configure.

  5. Click Add Base entry to Realm, and then, on the Repository reference page, click Add Repository.

  6. On the New page, type a repository identifier, such as myFavoriteRepository into the Repository identifier field.

  7. Specify the LDAP directory that you are using in the Directory type field.
    The following table identifies the LDAP directories that WAS V7 and IBM Connections 3 support.

    Table 1. Options to specify a supported LDAP directory

    Directory type option                          | LDAP directory supported by IBM Connections
    -----------------------------------------------+--------------------------------------------
    IBM Tivoli Directory Server                    | IBM Tivoli Directory Server 6.2 (FP 2)
    z/OS® Integrated Security Services LDAP Server |
    IBM Lotus® Domino                              | IBM Lotus Domino 8.0.2 and 8.5.1
    Novell Directory Services                      | eDirectory 8.8
    Sun Java™ System Directory Server              | Sun Java System Directory Server 6.3
    Microsoft™ Windows™ Active Directory           | Microsoft Active Directory 2003 (SP2), 2008
    Microsoft Active Directory Application Mode    | Microsoft Active Directory Application Mode

    Note: Active Directory Application Mode is referred to as Active Directory Lightweight Directory Services (AD LDS) in Windows Server 2008.

  8. Type the host name of the primary LDAP directory server in the Primary host name field. The host name is either an IP address or a domain name service (DNS) name.

  9. If your directory does not allow LDAP attributes to be searched anonymously, provide values for the Bind distinguished name and Bind password fields. For example, the Domino LDAP directory does not allow anonymous access, so if you are using a Domino directory, specify the user name and password with administrative level access in these fields.

  10. Specify the login attribute or attributes that you want to use for authentication in the Login properties field. Separate multiple attributes with a semicolon. For example: uid;mail.

      See the Choosing login values topic for information about the types of login values that can be used.

      Note: If you are using Active Directory and you use an email address as the login, specify mail as the value for this property. If you use the samAccountName attribute as the login, specify uid as the value for this property.

  11. Click Apply, and then click Save to save this setting.

  12. On the Repository reference page, the following fields represent the LDAP attribute type and value pairs for the base element in the realm and the LDAP repository. (The type and value pair is separated by an equal sign (=), for example: o=example. The two fields can hold the same value when a single LDAP repository is configured for the realm, or different values in a multiple LDAP repository configuration.)

      Distinguished name of a base entry that uniquely identifies this set of entries in the realm

      • Identifies entries in the realm. For example, on a Domino LDAP server: cn=john doe, o=example.

      Distinguished name of a base entry in this repository

      • Identifies entries in the LDAP directory. For example, cn=john doe, o=example.

        This value defines the location in the LDAP directory information tree from which the LDAP search begins. The entries beneath it in the tree can also be accessed by the LDAP search. In other words, the search base entry is the top node of a subtree which consists of many possible entries below it. For example, the search base entry could be o=example and one of the entries underneath this search base could be cn=john doe, o=example.

        Note: If you have defined flat groups in the Domino directory, do not enter a value in this field. Flat groups are group names such as SalesGroup, as opposed to: cn=SalesGroup,ou=Groups. If you configure a search base in this step, you will not be able to access the groups. If you plan to set up single sign-on, see the Enabling single sign-on for Domino topic.

  13. Click Apply and Save to save this setting, and then click OK to return to the Federated Repositories page.

  14. In the Repository Identifier column, click the link for the repository or repositories that you just added.

  15. In the Additional Properties area, click the LDAP entity types link.

  16. Click the Group entity type and modify the object classes mapping. You can also edit the Search bases and Search filters fields, if necessary. Enter LDAP parameters that are suitable for your LDAP directory. Click Apply, and then click Save to save this setting.

      Note: You can accept the default object classes value for Group. However, if you are using Domino, change the value to dominoGroup.

  17. Click the PersonAccount entity type and modify the default object classes mapping. You can also edit the Search bases and Search filters fields, if necessary. Enter LDAP parameters that are suitable for your LDAP directory. Click Apply, and then click Save to save this setting.

      Note: You can accept the default object classes value for PersonAccount. However, if you are using Domino, change the value to dominoPerson.

  18. In the navigation links at the top of the page, click the name of the repository that you have just modified to return to the Repository page.

  19. Optional: If your applications rely on group membership from LDAP...

    1. Click the Group attribute definition link in the Additional Properties area, and then click the Member attributes link.

    2. Click New to create a group attribute definition.

    3. Enter group membership values in the Name of member attribute and Object class fields.

    4. Click Apply, and then click Save to save this setting.

      Notes:

      • If you have already accepted the default groupOfNames value for Group, then you can also accept the default value for Member.

      • If you changed the object class for Group to dominoGroup in step 16, then add dominoGroup to the definition of Member.

      • If you do not configure the group membership attribute, then the group member attribute is used when you search group membership. If you need to enable searches of nested group membership, then configure the group membership attribute.

      • Consider an example of group membership attribute for using Activities: the Member attribute type is used by the groupOfNames object class, and the uniqueMember attribute type is used by groupOfUniqueNames.

  20. If you want to support more than one LDAP directory, repeat steps 8-22 for each additional LDAP directory.

  21. Set the new repository as the current repository:

    1. Click Global Security in the navigation links at the top of the page.

    2. Select Federated Repositories from the Available realm definitions field, and then click Set as current.

    3. Click Apply.

  22. Enable login security on WAS:

    1. Select the Administrative Security and Application Security check boxes. For better performance, clear the Java 2 security check box.

    2. Click Apply and then click Save to save this configuration.

      The administrative user name and password are now required because you have just set up security on WAS.

  23. Log out of the WAS admin console and restart WAS. If you are performing this task on the dmgr console, restart that console.

  24. When WAS is running again, log in to the Integrated Solutions Console using your primary administrative user name and password.

  25. Optional: Test the new configuration by adding some LDAP users to WAS with administrative roles.

  26. Optional: If you are using SSL for LDAP, add a signer certificate to your trust store by completing the following steps:

    1. From the WAS admin console, select SSL Certificate and key management -> Key Stores and certificates -> CellDefaultTrustStore -> Signer Certificates -> Retrieve from port.

    2. Type the DNS name of the LDAP directory in the Host field.

    3. Type the secure LDAP port in the Port field (typically 636).

    4. Type an alias name, such as LDAPSSLCertificate, in the Alias field.

    5. Click Apply and then click Save.

  27. Optional: If you plan to enable single sign-on (SSO) for IBM Connections, prepare the WAS environment by completing the following steps:

    1. From the WAS admin console, select Security -> Global security -> web and SIP security -> Single sign-on (SSO).

    2. Select Enabled, Interoperability Mode, and web inbound security attribute propagation.

    3. Return to the Global security page and click web and SIP security -> General settings.

    4. Select Use available authentication data when an unprotected URI is accessed.

    5. Click Apply and then click Save.

      Note: For more information about SSO security, see the Configuring single sign-on topic. For more information about setting the SSO domain name, see the Setting the single sign-on domain name topic.

  28. Optional: Verify that users in the LDAP directory have been successfully added to the repository:

    1. From the WAS admin console, select Users and Groups -> Manage Users.

    2. In the Search by field, enter a user name that you know to be in the LDAP directory and click Search. If the search succeeds, you have partial verification that the repository is configured correctly. However, this check cannot verify the groups that a user belongs to.
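The console steps 6 to 19 above can also be scripted with wsadmin, which is how you keep a deployment manager's repository configuration reproducible across environments. The script below is an added example written for this page, not an IBM-supplied script. It uses the WAS IdMgrRepositoryConfig AdminTask commands (createIdMgrLDAPRepository, addIdMgrLDAPServer, addIdMgrRepositoryBaseEntry, addIdMgrRealmBaseEntry, updateIdMgrLDAPEntityType, addIdMgrLDAPGroupMemberAttr); the host, bind DN, password and realm name in SETTINGS are placeholders, and the realm name defaultWIMFileBasedRealm is assumed to be the default realm in your cell. Setting the realm as current and enabling administrative security (steps 21 and 22) are left to the console.

```python
"""wsadmin (Jython) equivalent of steps 6 to 19: create an LDAP repository,
attach its base entry to the realm, map the Group and PersonAccount entity
types, and define the group member attribute.

Added example, not IBM's script. Values marked CHANGE ME are assumptions.
Run with:  wsadmin.sh -lang jython -f federated_repo.py   (after editing SETTINGS)
Written in Jython-2.1-compatible syntax so it also runs under WAS V7's wsadmin.
"""

SETTINGS = {
    "id": "myFavoriteRepository",            # step 6: repository identifier
    "ldapServerType": "IDS",                  # step 7: IDS, DOMINO, NDS, SUNONE, AD, ADAM or ZOSDS
    "host": "ldap.example.com",               # step 8 (CHANGE ME)
    "port": "389",                            # use 636 with SSL, see step 26
    "bindDN": "cn=root",                      # step 9 (CHANGE ME; leave empty for anonymous search)
    "bindPassword": "CHANGE-ME",              # step 9 (CHANGE ME)
    "loginProperties": "uid;mail",            # step 10: semicolon-separated login attributes
    "baseEntry": "o=example",                 # step 12: search base in realm and repository
    "realm": "defaultWIMFileBasedRealm",      # assumed default realm name
    "groupObjectClass": "groupOfNames",       # step 16 (dominoGroup on Domino)
    "personObjectClass": "inetOrgPerson",     # step 17 (dominoPerson on Domino)
    "memberAttr": "member",                   # step 19 (uniqueMember for groupOfUniqueNames)
}


def build_commands(s):
    """Return the ordered list of (AdminTask command name, argument string) pairs."""
    server_args = "-id %(id)s -host %(host)s -port %(port)s" % s
    if s.get("bindDN"):
        # Only add bind credentials when the directory refuses anonymous search (step 9).
        server_args = server_args + ' -bindDN "%(bindDN)s" -bindPassword "%(bindPassword)s"' % s
    return [
        ("createIdMgrLDAPRepository",
         "[-id %(id)s -ldapServerType %(ldapServerType)s -loginProperties %(loginProperties)s]" % s),
        ("addIdMgrLDAPServer", "[" + server_args + "]"),
        ("addIdMgrRepositoryBaseEntry", "[-id %(id)s -name %(baseEntry)s]" % s),
        ("addIdMgrRealmBaseEntry", "[-name %(realm)s -baseEntry %(baseEntry)s]" % s),
        ("updateIdMgrLDAPEntityType",
         "[-id %(id)s -name Group -objectClasses %(groupObjectClass)s]" % s),
        ("updateIdMgrLDAPEntityType",
         "[-id %(id)s -name PersonAccount -objectClasses %(personObjectClass)s]" % s),
        ("addIdMgrLDAPGroupMemberAttr",
         "[-id %(id)s -name %(memberAttr)s -objectClass %(groupObjectClass)s]" % s),
    ]


def apply_commands(admin_task, admin_config, commands):
    """Run each command through the wsadmin AdminTask object, then save the configuration."""
    for name, args in commands:
        getattr(admin_task, name)(args)
    admin_config.save()
    return len(commands)


# Inside wsadmin, AdminTask and AdminConfig are predefined globals; outside it, do nothing.
try:
    AdminTask
except NameError:
    pass
else:
    apply_commands(AdminTask, AdminConfig, build_commands(SETTINGS))
```

The bind password sits in the script in cleartext, so keep the file readable only by the WAS administrative account and use a read-only directory service account as the bind DN rather than a directory administrator. Passing AdminTask and AdminConfig as parameters keeps build_commands free of wsadmin globals, which lets you review the exact command list before running it against the deployment manager.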

Results


You have configured WAS to use a federated repository.
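Step 28 confirms that a user can be found but says nothing about group resolution, and the notes in step 19 are where most federated-repository mistakes surface: the wrong member attribute for the group object class, a search base that excludes the groups, or nested membership that was expected but not enabled. The following added example, which is not part of the IBM documentation, models those three lookups offline over a constructed directory snapshot so the behaviour can be reasoned about before pointing the real configuration at a directory. It assumes a simplified DN comparison and that WAS ORs the login properties from step 10 into a single filter; the entries and group names are constructed sample data.

```python
"""Offline model of the lookups a federated-repository login and group search perform.

Added example, not IBM code. DIRECTORY is a constructed snapshot, not a live LDAP server.
"""

# Constructed sample directory: DN -> attributes (lists of strings).
DIRECTORY = {
    "cn=john doe,o=example": {
        "objectClass": ["inetOrgPerson"], "uid": ["jdoe"], "mail": ["jdoe@example.com"],
    },
    "cn=jane roe,o=example": {
        "objectClass": ["inetOrgPerson"], "uid": ["jroe"], "mail": ["jroe@example.com"],
    },
    # Same uid, but outside the configured base entry (step 12): must never match.
    "cn=john doe,o=other": {
        "objectClass": ["inetOrgPerson"], "uid": ["jdoe"], "mail": ["jdoe@other.example"],
    },
    "cn=SalesGroup,ou=Groups,o=example": {
        "objectClass": ["groupOfNames"], "member": ["cn=john doe,o=example"],
    },
    # Nested group: SalesGroup is itself a member of AllStaff.
    "cn=AllStaff,ou=Groups,o=example": {
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": ["cn=SalesGroup,ou=Groups,o=example", "cn=jane roe,o=example"],
    },
}

# Member attribute definitions as configured in step 19: group object class -> attribute.
MEMBER_ATTRS = {
    "groupOfNames": "member",
    "groupOfUniqueNames": "uniqueMember",
    "dominoGroup": "member",
}


def normalize_dn(dn):
    """Case- and whitespace-insensitive DN comparison (simplified, not full RFC 4514)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def under_base(dn, base):
    """True if dn is the base entry itself or lies beneath it in the directory tree."""
    n_dn, n_base = normalize_dn(dn), normalize_dn(base)
    return n_dn == n_base or n_dn.endswith("," + n_base)


def login_filter(login_props, value, object_class="inetOrgPerson"):
    """LDAP filter equivalent of a 'uid;mail' Login properties setting (step 10).

    The typed value is escaped per RFC 4515 so that it cannot alter the filter.
    """
    escaped = value
    for raw, enc in (("\\", "\\5c"), ("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\x00", "\\00")):
        escaped = escaped.replace(raw, enc)
    alternatives = "".join("(%s=%s)" % (attr, escaped) for attr in login_props.split(";"))
    return "(&(objectClass=%s)(|%s))" % (object_class, alternatives)


def find_user(directory, base, login_props, value, object_class="inetOrgPerson"):
    """Return the single DN under base matching any login property; fail on 0 or >1 hits."""
    attrs = login_props.split(";")
    hits = [
        dn for dn, entry in directory.items()
        if under_base(dn, base)
        and object_class in entry.get("objectClass", [])
        and any(value in entry.get(a, []) for a in attrs)
    ]
    if len(hits) != 1:
        raise LookupError("expected exactly one match for %r under %s, found %d" % (value, base, len(hits)))
    return hits[0]


def groups_of(directory, dn, member_attrs, nested=True):
    """Groups containing dn; with nested=True, also groups that contain those groups."""
    found, pending = [], [dn]
    while pending:
        current = normalize_dn(pending.pop())
        for gdn, entry in directory.items():
            for oc, attr in member_attrs.items():
                if oc not in entry.get("objectClass", []):
                    continue
                members = [normalize_dn(m) for m in entry.get(attr, [])]
                if current in members and gdn not in found:  # 'not in found' also breaks cycles
                    found.append(gdn)
                    if nested:
                        pending.append(gdn)
    return sorted(found)


if __name__ == "__main__":
    user = find_user(DIRECTORY, "o=example", "uid;mail", "jdoe")
    print(login_filter("uid;mail", "jdoe"))
    print(user, groups_of(DIRECTORY, user, MEMBER_ATTRS))
    print(groups_of(DIRECTORY, user, MEMBER_ATTRS, nested=False))
```

Running it shows the two points the console check in step 28 cannot: the group search only returns SalesGroup unless nested membership is followed, and changing MEMBER_ATTRS to map groupOfUniqueNames to member (a common mismatch) silently drops AllStaff. The same functions can be pointed at an export of your real directory to confirm the base entry and member attribute before saving the WAS configuration.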


What to do next


Restart WAS.


Parent topic

Pre-installation tasks

Related concepts
Create databases
Configure single sign-on
Choosing login values

Related tasks
Preparing to configure the LDAP directory
Install IBM WAS
Populating the Profiles database
Install IBM Connections 3.0.1
Setting the single sign-on domain name
Enable single sign-on for Domino