How to configure Multiple LDAP and Multiple Subtrees
How to configure Multiple LDAP and Multiple Subtrees in one LDAP for Lotus Connections V2

This document describes the steps to configure your WebSphere Application Servers (WAS) with multiple LDAP servers and multiple subtrees in one LDAP source for production environments of Lotus Connections 2.

Prerequisites:
1. LDAP servers store user information, and each user must exist in only one LDAP server (not several).
2. Lotus Connections can support environments where each WebSphere Application Server node is configured to reference its dedicated LDAP source.
3. Distinguished names (DN) of base entries must be unique (the subtree name is unique) across the multiple LDAP servers.

LDAP servers supported by Lotus Connections 2.0:
• IBM Tivoli Directory Server 6, 6.1
• Microsoft Windows Server 2003 Active Directory
• Microsoft Active Directory Application Mode
• IBM Lotus Domino 7, 8
• Novell eDirectory 8.8
• Sun ONE iPlanet 5, 6

Configuring multiple LDAP in the WAS server console:
1. Access the administration console at http://was.server.com:9060/ibm/console and log in as administrator.
2. Click "Security -> Secure administration, application, and infrastructure". Under "User account repository", select "Federated repositories" in the "Available realm definitions" field, then click the "Configure" button.
3. Enter the "Realm name" and "Primary administrative user name", or use the default values.
4. Click "Add Base entry to Realm..." in the table named "Repositories in the realm" to add a base entry from an LDAP server.
5. Click the "Add Repository..." button to add a new repository. All repositories which have been added are listed in the "Repository" field.
6. Enter all required fields: Repository identifier, Directory type, Primary host name, Port, Bind distinguished name, Bind password (for security authentication).
7. Specify a property as "Login properties". The login property can be the uid, email, or another property defined in the LDAP server; if the property is not defined in LDAP, you must define a mapping in the WAS wim configuration (see the Appendix of this document, which uses ADAM as an example).
8. Click the "Apply" or "OK" button, and save the configuration changes. The repository name is then listed in the "Repository" field.
9. Select the repository just added, and enter the distinguished name of a base entry that exists in your LDAP server into the "Distinguished name of a base entry that uniquely identifies this set of entries in the realm" field. This DN will be used to identify and search for users in your LDAP server.
10. Click the "Apply" or "OK" button, and save the configuration changes. The new repository is now shown in the table "Repository in the realm".
11. Repeat steps 1 to 6 to add more LDAP servers.
12. Restart the application server for these changes to take effect (if you have set up a cluster environment, first restart the Deployment Manager, synchronize all nodes in your cell, and then restart all clusters).

Congratulations! You have completed the configuration of WebSphere Application Server with multiple LDAP repositories. Users in all repositories can now log in to Lotus Connections.

Details on how to configure multiple LDAP subtrees in the WAS console:
See step 5 above: you can use a different distinguished name for the base entry, and you can add more than one base-entry DN; WAS will then find users by following the base entries you provided. The product functions just like a tree: one tree always has many branches, and following a different branch leads to a different set of endpoints (users).

Appendix:
In ADAM, the login property is configured as uid, but there is no uid property in the ADAM LDAP source, so a custom mapping is needed between WAS and the LDAP source. The detailed steps are the following.

Edit the wimconfig.xml file and add this section inside the existing <config:attributeConfiguration> tag (the parent element is shown only for context; its other child elements stay as they are):

    <config:attributeConfiguration>
        <!-- map the ADAM attribute samAccountName to the wim property uid used as the login property -->
        <config:attributes name="samAccountName" propertyName="uid">
            <config:entityTypes>PersonAccount</config:entityTypes>
        </config:attributes>
    </config:attributeConfiguration>
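As an added example (not part of the original document) for the prerequisites and the base-entry steps above: a small Python check that normalizes the base-entry DNs you plan to register, flags duplicates or nesting across repositories, and shows which single repository a user DN resolves to by its longest-matching base entry. The repository ids and DNs are constructed sample values, and the longest-suffix routing is this script's own model of the tree lookup, not WAS code.

```python
import re

# Constructed sample layout: repository identifier -> base entries added to the realm
REPOS = {
    "ids-us": ["o=acme-us,c=us"],
    "ad-emea": ["DC=emea,DC=acme,DC=example"],
    "domino": ["o=acme-notes"],
}

def normalize_dn(dn):
    """Split a DN on unescaped commas into RDNs, lower-cased and trimmed, so
    'OU=Users, DC=Example' compares equal to 'ou=users,dc=example'."""
    return tuple(rdn.strip().lower() for rdn in re.split(r"(?<!\\),", dn))

def check_base_entries(repos):
    """Return a list of problems: the same base-entry DN registered by two
    repositories, or a base entry nested under another repository's base entry
    (which makes it possible for one user to be found in two LDAP sources)."""
    owners, problems = {}, []
    for repo_id, entries in repos.items():
        for dn in entries:
            key = normalize_dn(dn)
            if key in owners and owners[key] != repo_id:
                problems.append("duplicate base entry %s in %s and %s" % (dn, owners[key], repo_id))
            owners.setdefault(key, repo_id)
    for base, owner in owners.items():
        for other, other_owner in owners.items():
            if owner != other_owner and len(other) > len(base) and other[-len(base):] == base:
                problems.append("%s (%s) is nested under %s (%s)" % (",".join(other), other_owner, ",".join(base), owner))
    return problems

def resolve_user(repos, user_dn):
    """Return the repository whose base entry is the longest suffix of user_dn,
    i.e. the most specific branch of the tree; raise if no branch matches."""
    user = normalize_dn(user_dn)
    matches = []  # (matched RDN count, repository id)
    for repo_id, entries in repos.items():
        for dn in entries:
            base = normalize_dn(dn)
            if len(base) <= len(user) and user[-len(base):] == base:
                matches.append((len(base), repo_id))
    if not matches:
        raise ValueError("%s is under no configured base entry" % user_dn)
    return max(matches)[1]

if __name__ == "__main__":
    for problem in check_base_entries(REPOS):
        print("PROBLEM:", problem)
    print(resolve_user(REPOS, "cn=Jane Doe,ou=Users,dc=emea,dc=acme,dc=example"))
```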