Map an account from Active Directory to administrative roles in IBM® WebSphere® Application Server.
Before you begin
This task is not required if you do not use Microsoft™ Active Directory.
Ensure that you have configured IBM Connections to use Active Directory as the user directory. For more information, refer to Setting up federated repositories.
Ensure that you have configured WebSphere Application Server to use the Kerberos and LTPA authentication option. For more information, refer to Configuring SPNEGO and Kerberos (optionally) on WebSphere Application Server.
Select an Active Directory account to map to administrative roles in IBM WebSphere Application Server.
Note: Do not use the same Active Directory account for the following roles:
- The bind account configured under LDAP configuration in WAS
- The application account
- The SPN account for SPNEGO setup
- The Windows service account used to start WAS
Each of these accounts is a separate point of failure. For example, if the bind user is locked out, no users can log in to the application. If the SPN account is locked or its password has been changed, the entire SSO (SPNEGO) configuration is affected.
About this task
After enabling Kerberos and LTPA authentication in WebSphere Application Server, the default file-based repository no longer works and you can no longer log in to the WebSphere Application Server Integrated Solutions Console using the wasadmin account. Any services that require authentication and that use the wasadmin ID no longer work. Consequently, some functions in IBM Connections fail, including search indexing, notifications, and adding widgets.
To prevent such problems, you must map an account in Active Directory to the IBM Connections administrative roles in IBM WebSphere Application Server.
To map the Active Directory account, complete the following steps:
Procedure
- Map an Active Directory account to administrative roles:
  - Log in to the WebSphere Application Server Integrated Solutions Console on the Deployment Manager.
  - Click and select Admin Security Manager.
  - Enter the Active Directory account name in the Search string field and click Search.
  - Select the account name in the Available column and click to add the account name to the Mapped to role column.
  - Click OK.
  - Click Add and select Administrator.
  - Enter the Active Directory account name in the Search string field and click Search.
  - Select the account name in the Available column and click to add the account name to the Mapped to role column.
  - Click OK.
  - Click Save.
- Change J2C authentication:
  - Click .
  - Under Additional Properties, click .
  - In the SIB Security Resource Wizard window, click Users, enter the Active Directory account in the Search pattern field, and click Next.
  - Select the check box for the account name and click Next.
  - If you are satisfied with the summary information, click Finish.
  Note: If you subsequently change the password for the Active Directory account that you map in this step, you must also change the password for the ConnectionsAdmin J2C alias.
- Update the messaging bus configuration. Complete the steps in the Updating the messaging bus configuration when the connectionsAdmin user ID changes topic.
- For each application, update the mapping for the dsx-admin, search-admin, and widget-admin Java EE roles, replacing the currently mapped user with the Active Directory account. Go to the Switching to unique administrator IDs for system level communication topic and complete Step 3.
- Modify the runtime user for the Search application:
  - Click .
  - Under Details Properties, click User RunAs Roles.
  - Select the Admin option.
  - Enter the new user name and password.
  - Click Apply.
  Note: If you subsequently change the password for the Active Directory account that you map in this step, you must also change the password for the ConnectionsAdmin J2C alias.
- (Only required if you use Windows™ services for starting or stopping IBM Connections) Edit your Windows services to use your Active Directory account instead of wasadmin to start and stop IBM Connections.
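The role mapping and J2C alias update from the first two steps can also be scripted with wsadmin on the Deployment Manager, which makes the change repeatable and lets you verify the result before saving. This is an added example, not part of the IBM documentation: the account name and password are placeholders, and it assumes the standard WebSphere AdminTask commands mapUsersToAdminRole, listUsersInAdminRole and updateAuthDataEntry.

```jython
# Added example (not from the IBM documentation): map an Active Directory
# account to the Admin Security Manager and Administrator roles and update
# the ConnectionsAdmin J2C alias with wsadmin instead of the console.
# Run on the Deployment Manager:  wsadmin.sh -lang jython -f map_ad_admin.py
# Assumption: AdminTask/AdminConfig are the standard wsadmin objects.

AD_ADMIN_USER = 'conn-admin-placeholder'   # constructed placeholder, not a real account
J2C_ALIAS     = 'ConnectionsAdmin'         # alias named in the documentation
NEW_PASSWORD  = 'changeme-placeholder'     # supply at run time; never commit a real secret

ADMIN_ROLES = ('adminsecuritymanager', 'administrator')

def map_admin_roles(user):
    """Map the AD account to both administrative roles (same as the console steps)."""
    for role in ADMIN_ROLES:
        AdminTask.mapUsersToAdminRole('[-roleName %s -userids [%s]]' % (role, user))

def update_j2c_alias(alias, user, password):
    """Keep the ConnectionsAdmin J2C alias in step with the mapped AD account,
    as the documentation's note requires whenever that account's password changes."""
    AdminTask.updateAuthDataEntry('[-alias %s -user %s -password %s]' % (alias, user, password))

def verify_mapping(user):
    """Return the administrative roles the account now appears in, so the
    change can be checked before it is saved to the master configuration."""
    mapped = []
    for role in ADMIN_ROLES:
        # listUsersInAdminRole returns the user list as a string; substring test is enough here
        if user in AdminTask.listUsersInAdminRole('[-roleName %s]' % role):
            mapped.append(role)
    return mapped

map_admin_roles(AD_ADMIN_USER)
update_j2c_alias(J2C_ALIAS, AD_ADMIN_USER, NEW_PASSWORD)

mapped = verify_mapping(AD_ADMIN_USER)
if len(mapped) != len(ADMIN_ROLES):
    # Do not persist a half-applied change; the console login would still depend on wasadmin
    raise Exception('Expected roles %s, but %s is mapped only to %s' % (ADMIN_ROLES, AD_ADMIN_USER, mapped))

AdminConfig.save()
print 'Account %s mapped to roles %s and J2C alias %s updated' % (AD_ADMIN_USER, mapped, J2C_ALIAS)
```

After the save, synchronize the nodes and confirm you can log in to the console with the Active Directory account before removing any reliance on wasadmin.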