Configure WebSphere Portal for LDAP Searches



Contents

  1. Overview
  2. Search on LDAP directory using LDAPSearch
  3. Use aliases in the LDAP directory
  4. Search multiple object classes
  5. Use the ldapsearch utility to validate LDAP settings

 

Overview

Use the IBM Web Administration for iSeries tool when configuring WebSphere Portal instances. The wizard creates the necessary servers (HTTP and WAS), configures the server for Portal, configures the database for Portal, configures security (LDAP) for Portal, and deploys the portlets installed with the WebSphere Portal product. You can edit the Portal instance configuration manually after you have used the WebSphere Portal wizard.

This section describes procedures for configuring LDAP searches and aliases in the LDAP directory.

 

Search on LDAP directory using LDAPSearch

The example LDAP configurations shown in this section are relatively simple and are intended to show you how to derive values for the wpconfig.properties file from the simple example directory setups.

You can use the ldapsearch utility to help you determine the correct settings for WebSphere Portal to access the directory. Using the ldapsearch utility, you can search the directory, specifying LDAP search bases, search filters, and other parameters in much the same way that WebSphere Portal will search the directory.

 

Use aliases in the LDAP directory

The default configuration assumes that the LDAP directory does not contain aliases. If the LDAP directory contains aliases that are used during logon, perform the following procedure:

  1. Edit the file WAS_HOME/jndi.properties.

  2. Search for the property java.naming.ldap.derefAliases.

  3. Set the property value to always:

    java.naming.ldap.derefAliases=always
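The three steps above amount to one idempotent edit of a Java properties file. The script below is an added example, not part of the IBM documentation: it sets the property exactly once, replaces an existing active assignment in place, leaves comments and other keys untouched, and appends the line if the key is missing. The sample file content is constructed, and reading WAS_HOME from an environment variable is an assumption made here for illustration.

```python
"""Set java.naming.ldap.derefAliases=always in a jndi.properties file.

Added example; not IBM code. The sample content and the WAS_HOME
environment-variable convention are assumptions for this illustration.
"""
import os
from pathlib import Path

PROPERTY = "java.naming.ldap.derefAliases"

# Constructed sample of a jndi.properties file (not from a real installation)
SAMPLE = """# constructed sample jndi.properties
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
java.naming.ldap.derefAliases=never
"""


def _split(line: str):
    """Split a properties line into (key, value); value is None if no separator.

    Java properties accept both `key=value` and `key:value`; the first
    separator that appears wins.
    """
    body = line.strip()
    seps = [i for i in (body.find("="), body.find(":")) if i >= 0]
    if not seps:
        return body, None
    i = min(seps)
    return body[:i].strip(), body[i + 1:].strip()


def _is_comment(line: str) -> bool:
    return line.lstrip().startswith(("#", "!"))


def get_property(text: str, key: str):
    """Return the active value of `key`, or None if it is not set."""
    for line in text.splitlines():
        if _is_comment(line):
            continue
        k, v = _split(line)
        if k == key:
            return v if v is not None else ""
    return None


def set_property(text: str, key: str, value: str) -> str:
    """Return `text` with exactly one active `key=value` line.

    The first active definition is rewritten in place, any duplicate active
    definitions are dropped, comments and other keys are kept verbatim, and
    the assignment is appended when the key is absent.
    """
    out, found = [], False
    for line in text.splitlines():
        if not _is_comment(line) and _split(line)[0] == key:
            if not found:
                out.append(f"{key}={value}")
                found = True
            continue  # drop a duplicate active definition
        out.append(line)
    if not found:
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def apply_to_file(path: Path) -> None:
    """Rewrite `path` so that derefAliases is set to always."""
    path.write_text(set_property(path.read_text(), PROPERTY, "always"))


if __name__ == "__main__":
    # Assumption: WAS_HOME is exported in the environment (the page only
    # names the path as WAS_HOME/jndi.properties).
    apply_to_file(Path(os.environ["WAS_HOME"]) / "jndi.properties")
```

Run it once and the file is updated; run it again and nothing changes, which makes it safe to include in a repeatable configuration step.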

 

Search multiple object classes

To configure WebSphere Portal to support multiple object classes for user and group searches, perform the following steps:

  1. Be sure security has been enabled on WebSphere Portal.

  2. Edit the file <wp_home>/shared/app/wmm/wmm.xml.

  3. Find the supportedLdapEntryType stanzas.

  4. Within each stanza, find the objectClassesForRead line. The object classes specified in the objectClassesForRead attribute are used to determine whether an LDAP entry belongs to this member type. Separate each object class with a semicolon (;).

    In the following example, an LDAP entry is considered a "Person" in Member Manager if its object class attribute contains either "inetOrgPerson" or "ePerson":

    <supportedLdapEntryType name="Person" 
                            rdnAttrTypes="uid" 
                            objectClassesForRead="inetOrgPerson;ePerson" 
                            objectClassesForWrite="inetOrgPerson;ePerson"/>

    In the following example, an LDAP entry is considered a "Group" in Member Manager if its object class attribute contains either "groupOfNames" or "ibm-appUUIDAux":

    <supportedLdapEntryType name="Group" 
                            rdnAttrTypes="cn" 
                            objectClassesForRead="groupOfNames;ibm-appUUIDAux" 
                            objectClassesForWrite="groupOfNames;ibm-appUUIDAux"/>
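The matching rule described in step 4 (an entry belongs to a member type when its objectClass attribute contains any one of the semicolon-separated values) is easy to get subtly wrong, for instance by comparing case-sensitively or by assuming the types are exclusive. The following added example, which is not IBM code, reads the two stanzas shown above from a constructed wmm.xml fragment and applies the rule to sample entries, including an entry that satisfies both types at once.

```python
"""Classify LDAP entries against supportedLdapEntryType stanzas from wmm.xml.

Added example; not part of WebSphere Portal or Member Manager. The XML
fragment is constructed from the two stanzas on this page; a real wmm.xml
contains more surrounding configuration.
"""
import xml.etree.ElementTree as ET

WMM_SAMPLE = """<wmm>
  <supportedLdapEntryType name="Person"
                          rdnAttrTypes="uid"
                          objectClassesForRead="inetOrgPerson;ePerson"
                          objectClassesForWrite="inetOrgPerson;ePerson"/>
  <supportedLdapEntryType name="Group"
                          rdnAttrTypes="cn"
                          objectClassesForRead="groupOfNames;ibm-appUUIDAux"
                          objectClassesForWrite="groupOfNames;ibm-appUUIDAux"/>
</wmm>
"""


def load_entry_types(xml_text: str) -> dict:
    """Return {member type name: set of lower-cased objectClassesForRead values}.

    Values are split on ';' as the page describes; surrounding whitespace and
    empty items (a trailing ';') are ignored.
    """
    root = ET.fromstring(xml_text)
    types = {}
    for el in root.iter("supportedLdapEntryType"):
        raw = el.get("objectClassesForRead", "")
        types[el.get("name")] = {c.strip().lower() for c in raw.split(";") if c.strip()}
    return types


def member_types(entry_object_classes, types: dict) -> list:
    """Member types whose read classes intersect the entry's objectClass values.

    objectClass values are case-insensitive in LDAP, so both sides are
    lower-cased. An entry can satisfy more than one type; all matches are
    returned, sorted by name, so the caller can see the overlap.
    """
    have = {c.lower() for c in entry_object_classes}
    return sorted(name for name, classes in types.items() if have & classes)


if __name__ == "__main__":
    types = load_entry_types(WMM_SAMPLE)
    # Constructed sample objectClass attribute values
    for oc in (["top", "person", "organizationalPerson", "inetOrgPerson"],
               ["top", "groupOfNames"],
               ["top", "person"]):
        print(oc, "->", member_types(oc, types))
```

Note that structural classes such as "person" do not count unless they are listed in objectClassesForRead, and that an entry carrying both a person class and a group class is reported as both types.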

 

Use the ldapsearch utility to validate LDAP settings

If you specify an LDAP suffix of dc=yourco,dc=com, a user suffix of cn=users, a user prefix of uid, and an objectclass of inetOrgPerson, and set the LDAP access identity for WebSphere Portal to wpsbind with the password wpsbind, then the following ldapsearch command performs a search equivalent to the one WebSphere Portal performs for the user wpsadmin.

This command is shown on two lines but must be entered as one line.

ldapsearch -b "dc=yourco,dc=com" -h <directory hostname> -D "uid=wpsbind,cn=users,dc=yourco,dc=com" -w "wpsbind" 
"(&(uid=wpsadmin)(objectclass=inetOrgPerson))"

If the command returns the attributes of the directory entry for wpsadmin, then the LDAP parameters you specified are correct for the directory.

A complete description of the ldapsearch utility is beyond the scope of this document, but you can simply specify ldapsearch with no parameters on a command line to get a listing of the syntax for the utility.
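The bind DN and search filter above are assembled from the individual settings, and when a tool like this is scripted the user part of the filter usually comes from outside input. The following added example (not from the IBM page) assembles the same command from a settings dictionary, escapes the assertion value as RFC 4515 requires so that it can only ever match a uid and never change the filter's structure, and returns an argument vector for subprocess rather than a shell string. The setting names, the placeholder hostname and the escape routine are this example's own; they are not the real wpconfig.properties keys. No directory is contacted.

```python
"""Assemble the validation ldapsearch call from Portal-style LDAP settings.

Added example; not IBM code. Setting names mirror the prose on this page
(LDAP suffix, user suffix, user prefix, object class, bind id) and are
assumptions, not actual wpconfig.properties keys. The hostname is a
placeholder. Nothing here talks to a directory.
"""
import shlex

# Constructed settings matching the page's worked values
SETTINGS = {
    "ldap_suffix": "dc=yourco,dc=com",
    "user_suffix": "cn=users",
    "user_prefix": "uid",
    "user_objectclass": "inetOrgPerson",
    "bind_id": "wpsbind",
    "ldap_host": "ldap.example.invalid",  # placeholder, not from the page
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 (\\2a, \\28, \\29, \\5c, \\00).

    Without this, a value containing ')' or '*' alters the filter's logic
    instead of being matched literally against the attribute.
    """
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def user_filter(uid: str, s: dict = SETTINGS) -> str:
    """The page's filter: (&(<prefix>=<uid>)(objectclass=<class>))."""
    return "(&(%s=%s)(objectclass=%s))" % (
        s["user_prefix"], escape_filter_value(uid), s["user_objectclass"])


def bind_dn(s: dict = SETTINGS) -> str:
    """DN of the Portal access identity: <prefix>=<bind id>,<user suffix>,<suffix>."""
    return "%s=%s,%s,%s" % (
        s["user_prefix"], s["bind_id"], s["user_suffix"], s["ldap_suffix"])


def ldapsearch_argv(uid: str, password: str, s: dict = SETTINGS) -> list:
    """argv for the page's check, to be passed to subprocess.run without a shell.

    -w places the password on the command line, exactly as the page shows;
    be aware that it is then visible in the process listing on that host.
    """
    return ["ldapsearch", "-b", s["ldap_suffix"], "-h", s["ldap_host"],
            "-D", bind_dn(s), "-w", password, user_filter(uid, s)]


def shell_line(argv: list) -> str:
    """Render argv as one correctly quoted line for typing into a shell."""
    return shlex.join(argv)


if __name__ == "__main__":
    print(shell_line(ldapsearch_argv("wpsadmin", "wpsbind")))
```

Passing the list to subprocess.run keeps the filter as a single argument whatever characters it contains; shell_line is only for showing a human the one-line form the page asks for.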

 
