Setting up federated repositories
Use federated repositories with IBM® WebSphere® Application Server to manage and secure user and group identities.
Before you begin
Ensure that you have completed the steps described in Preparing to configure the LDAP directory.
You can configure the user directory for IBM® Connections to be populated with users from more than one LDAP directory.
- If you are using IBM® Tivoli® Directory Security Server, decide whether your deployment will rely on the LDAP groupOfNames or groupOfUniqueNames object class for group entities. WebSphere® Application Server uses groupOfNames by default. In most cases, you need to delete this default mapping and create a new mapping for group entities using the LDAP groupOfUniqueNames object class.
- If you are using the groupOfUniqueNames object class for group entities, use the uniqueMember attribute for the group member attribute.
- If you are using the groupOfNames object class for group entities, use the member attribute for the group member attribute.
About this task
Procedure
- Start WebSphere® Application Server and log in to the Integrated Solutions Console on the Deployment Manager by going to the following web address: http://websphere_Application_Server_host_name:9060/ibm/console
- Click Log in and enter the credentials of the administrative user ID that you specified during the installation of WebSphere® Application Server.
- Click .
- Select Federated Repositories from the Available realm definitions field, and then click Configure.
- If installing IBM® Connections Content Manager, set the realm name to defaultWIMFileBasedRealm.
Note: After installation has completed, you can change the realm name as you prefer. When changing realm names, the logs might show LTPA errors; clear the scheduled tasks list to avoid such errors in the logs.
- Click Add repositories and then, on the Repository reference page, click .
- On the New page, type a repository identifier, such as myFavoriteRepository into the Repository identifier field.
- Specify the LDAP directory that you are using in the Directory type field.
For more information about supported directory products, see Detailed system requirements for IBM® Connections.
- Type the host name of the primary LDAP directory server in the Primary host name field. The host name is either an IP address or a domain name service (DNS) name.
- If your directory does not allow LDAP attributes to be searched anonymously, provide values for the Bind distinguished name and Bind password fields. For example, the Domino® LDAP directory does not allow anonymous access, so if you are using a Domino® directory, you must specify the user name and password with administrative level access in these fields.
- Specify the login attribute or attributes that you want to use for authentication in the Login properties field. Separate multiple attributes with a semicolon. For example: uid;mail.
See Choosing login values for information about the types of login values that can be used.
Note: If you are using Active Directory and you use an email address as the login, specify mail as the value for this property. If you use the samAccountName attribute as the login, specify uid as the value for this property. For login property configuration specific to FileNet®, refer to Configuring Profile and Community membership lookups for FileNet®.
- Click Apply and then click Save.
- On the Repository reference page, the following fields represent the LDAP attribute type and value pairs for the base element in the realm and the LDAP repository. (The type and value pair is separated by an equal sign (=), for example: o=example. These can be the same value when a single LDAP repository is configured for the realm, or they can differ in a multiple LDAP repository configuration.)
- Distinguished name of a base entry that uniquely identifies this set of entries in the realm
- Identifies entries in the realm. For example, on an IBM Directory Server or Active Directory, the base entry is dc=example, dc=com.
Tip: If you are using Domino LDAP, set this field to root. By using "root," you ensure that WebSphere does not use a base entry when searching this repository. The reason that you do this has to do with how groups work in Domino LDAP: by default Domino uses flat groups, and therefore they do not belong to a base certifier. If you set the Distinguished name of a base entry that uniquely identifies this set of entries in the realm field to root, no base is used when searching this directory, and all users and groups from the directory are found.
- Distinguished name of a base entry in this repository
- Identifies entries in the LDAP directory. Leave this field blank.
This value defines the location in the LDAP directory information tree from which the LDAP search begins. The entries beneath it in the tree can also be accessed by the LDAP search. In other words, the search base entry is the top node of a subtree which consists of many possible entries beneath it.
- Click Apply and then click Save.
- Click OK to return the Federated Repositories page.
- In the Repository Identifier column, click the link for the repository or repositories that you just added.
- In the Additional Properties area, click the Federated repositories entity types to LDAP object classes mapping link.
- Click the Group entity type and modify the object classes mapping. You can also edit the Search bases and Search filters fields, if necessary. Enter LDAP parameters that are suitable for your LDAP directory.
Note: You can accept the default object classes value for Group. However, if you are using Domino®, change the value to dominoGroup.
- Click Apply and then click Save.
- Click the PersonAccount entity type and modify the default object classes mapping. You can also edit the Search bases and Search filters fields, if necessary. Enter LDAP parameters that are suitable for your LDAP directory. Click Apply, and then click Save to save this setting.
Note: If you are using a Domino® LDAP, replace the default mapping with dominoPerson object classes for person accounts.
- In the navigation links at the beginning of the page, click the name of the repository that you have just modified to return to the Repository page.
- Optional: If your applications rely on group membership from LDAP, complete the following steps:
- Click the Group attribute definition link in the Additional Properties area, and then click the Member attributes link.
- Click New to create a group attribute definition.
- Enter group membership values in the Name of member attribute and Object class fields.
- Click Apply and then click Save.
Notes:
- If you have already accepted the default groupOfNames value for Group, then you can also accept the default value for Member.
- If you changed objectclass for Group to dominoGroup earlier, you must add dominoGroup to the definition of Member.
- If you do not configure the group membership attribute, then the group member attribute is used when you search group membership. If you need to enable searches of nested group membership, then you must configure the group membership attribute.
- Consider an example of group membership attribute for using Activities: the Member attribute type is used by the groupOfNames object class, and the uniqueMember attribute type is used by groupOfUniqueNames.
- Here are the required Objectclass/Attribute pairings broken out by LDAP directory type:

Table 1. Objectclass/Attribute pairings for LDAP directories (required Objectclass/Attribute pairings broken out by LDAP directory type)

| LDAP | Group member attribute/objectclass pairing | Group member operational attribute |
| --- | --- | --- |
| IBM® Tivoli® Directory Security Server 6.4 | attribute: uniquemember; objectclass: groupOfUniqueNames; nested attribute: ibm-membershipGroup; nested objectclass: ibm-nestedGroup | ibm-allGroups |
| Active Directory 2012 R2 and 2016 | attribute: member; objectclass: group | memberOf |
| IBM® Domino® 8.5.3, 9.0.1 | attribute: member; objectclass: dominoGroup | DominoAccessGroups |
| Oracle Directory Server Enterprise 11.1.2 | attribute: uniquemember; objectclass: groupOfUniqueNames | isMemberOf |
| Novell eDirectory 8.8 SP8 | attribute: member; objectclass: groupOfNames | groupMembership |

Note: Select a Scope option based on LDAP type. For more information about making nested group memberships available, refer to Locating user group memberships in a Lightweight Directory Access Protocol registry for IBM® Directory Server and Domino® and to Authentication using Microsoft™ Active Directory for Active Directory.
- Select Nested for IBM® Tivoli® Directory Security Server and IBM® Domino® directories. Nested contains only immediate members of the group without members of subgroups.
- Select Direct for Active Directory. Direct contains direct members and members nested within subgroups of this group.
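As an added illustration (not code from IBM or from the WebSphere product), the following Python models the two lookups that the steps above configure: finding a PersonAccount entry from the Login properties value (for example uid;mail) and the PersonAccount object classes mapping, and resolving group membership through the objectclass/member-attribute pairings in Table 1 while honouring the search base entry, including the Domino "root" value that applies no base. All DNs, entries and function names are constructed for this example; a real deployment runs these searches against the live directory, and the operational attributes in the table let the server return the reverse lookup directly.

```python
"""Added example, not IBM's or WebSphere's own code: an in-memory model of
how a federated-repository search (a) finds a PersonAccount from the Login
properties setting and (b) resolves group membership via the
objectclass/member-attribute pairings in Table 1, honouring the search base.
Every directory entry below is constructed sample data."""
from typing import Dict, List, Optional, Set

Entry = Dict[str, List[str]]

# Group objectclass (lower-cased) -> member attribute, as listed in Table 1.
MEMBER_ATTRIBUTE = {
    "groupofuniquenames": "uniquemember",  # IBM Directory Server, Oracle DSEE
    "groupofnames": "member",              # Novell eDirectory
    "group": "member",                     # Active Directory
    "dominogroup": "member",               # Domino
}

# Constructed sample directory: two people and two groups that contain each other.
ALICE = "uid=alice,ou=people,dc=example,dc=com"
BOB = "uid=bob,ou=people,dc=example,dc=com"
EDITORS = "cn=editors,ou=groups,dc=example,dc=com"
ADMINS = "cn=admins,ou=groups,dc=example,dc=com"
SAMPLE_DIRECTORY: Dict[str, Entry] = {
    ALICE: {"objectclass": ["inetOrgPerson"], "uid": ["alice"]},
    BOB: {"objectclass": ["inetOrgPerson"], "uid": ["bob"]},
    EDITORS: {"objectclass": ["groupOfUniqueNames"], "uniquemember": [ALICE, ADMINS]},
    ADMINS: {"objectclass": ["groupOfUniqueNames"], "uniquemember": [BOB, EDITORS]},  # cycle
}


def escape_filter_value(value: str) -> str:
    """Escape a login value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def login_filter(login_properties: str, object_classes: List[str], login: str) -> str:
    """Filter that finds the PersonAccount for a login value. login_properties is
    the semicolon-separated setting (e.g. "uid;mail"); object_classes is the
    PersonAccount objectclass mapping (e.g. ["dominoPerson"] for Domino)."""
    props = [p.strip() for p in login_properties.split(";") if p.strip()]
    value = escape_filter_value(login)
    prop_part = "".join(f"({p}={value})" for p in props)
    if len(props) > 1:
        prop_part = f"(|{prop_part})"
    oc_part = "".join(f"(objectclass={oc})" for oc in object_classes)
    if len(object_classes) > 1:
        oc_part = f"(|{oc_part})"
    return f"(&{oc_part}{prop_part})"


def under_base(dn: str, base: str) -> bool:
    """True if dn sits at or below the search base entry. The Domino value
    "root" (or an empty base) means no base is applied, so everything matches."""
    if base.strip().lower() in ("", "root"):
        return True
    d = [c.strip().lower() for c in dn.split(",")]
    b = [c.strip().lower() for c in base.split(",")]
    return len(d) >= len(b) and d[-len(b):] == b


def member_attribute_for(entry: Entry) -> Optional[str]:
    """Member attribute implied by the entry's group objectclass, or None for non-groups."""
    for oc in entry.get("objectclass", []):
        if oc.lower() in MEMBER_ATTRIBUTE:
            return MEMBER_ATTRIBUTE[oc.lower()]
    return None


def direct_members(directory: Dict[str, Entry], group_dn: str) -> Set[str]:
    """Immediate members of a group: the values of its member attribute."""
    entry = directory[group_dn]
    attr = member_attribute_for(entry)
    return set(entry.get(attr, [])) if attr else set()


def all_members(directory: Dict[str, Entry], group_dn: str, base: str = "root") -> Set[str]:
    """Members reached through subgroups (nested membership). Entries outside
    the search base are not found; the visited set stops group cycles."""
    users: Set[str] = set()
    visited: Set[str] = set()
    stack = [group_dn]
    while stack:
        g = stack.pop()
        if g in visited:
            continue
        visited.add(g)
        for m in direct_members(directory, g):
            if not under_base(m, base):
                continue
            if m in directory and member_attribute_for(directory[m]):
                stack.append(m)  # a subgroup: descend into it
            else:
                users.add(m)
    return users


def group_memberships(directory: Dict[str, Entry], user_dn: str,
                      nested: bool = True, base: str = "root") -> Set[str]:
    """Reverse lookup: the groups a user belongs to. A server-side operational
    attribute such as memberOf or ibm-allGroups returns this answer directly."""
    groups = [dn for dn, e in directory.items()
              if member_attribute_for(e) and under_base(dn, base)]
    if nested:
        return {g for g in groups if user_dn in all_members(directory, g, base)}
    return {g for g in groups if user_dn in direct_members(directory, g)}
```

The two sample groups deliberately reference each other, which is why the nested resolution keeps a visited set; a directory with circular group references otherwise loops forever. Calling group_memberships with base set to the people subtree returns no groups at all, because the group entries lie outside the base: that is the situation the Domino "root" tip above avoids.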
- Optional: You will generally achieve the best LDAP performance by enabling Context Pooling. To enable Context Pooling, follow these steps:
- Under Additional Properties, click the Performance link.
- Ensure that the Use connection pooling setting is not checked.
- Select the Enable context pooling option. The default settings of Initial size specified as 1, Preferred size as 3, and Maximum size as 0 work well.
- If you want to support more than one LDAP directory, repeat steps 6-23 for each additional LDAP directory.
- Set the new repository as the current repository:
- Click Global Security in the navigation links at the beginning of the page.
- Select Federated Repositories from the Available realm definitions field, and then click Set as current.
- Click Apply and then click Save.
- Enable login security on WebSphere® Application Server:
- Select the Administrative Security and Application Security check boxes. For better performance, clear the Java 2 security check box.
- Click Apply and then click Save.
The administrative user name and password are now required because you set up security on WebSphere® Application Server.
- From the WebSphere® Application Server Integrated Solutions Console, navigate to . In the Domain name field, enter the domain name for the Connections environment, for example .example.ibm.com
Refer to Setting the single sign-on domain name for more information.
- To enable single sign-on (SSO) for IBM® Connections, prepare the WebSphere® Application Server environment by completing the following steps:
Note: For more information about SSO security, see Configuring single sign-on.
- Create an administrator for WebSphere® Application Server:
- Restart the DM and then log into the DM again.
- Click Add. and then click
- Select Administrator from the Roles box and then search for a user.
- Select the target user and click the arrow to move the user name to the Mapped to role box.
- Click OK and then click Save.
- Log out of the DM.
- Restart the DM and the nodes.
- Log into the DM using the new administrator credentials.
Notes:
- Ensure that this user ID does not have spaces in the name.
- Set a primary administrative user:
- Click .
- Select Federated Repositories from the Available realm definitions field, and then click Configure.
- Enter the user name that you mapped in the previous step in the Primary administrative user name box.
- Click Apply and then click Save.
- Log out of the DM and restart WebSphere® Application Server.
- When WebSphere® Application Server is running again, log in to the Integrated Solutions Console using the primary administrative user name and password.
- Optional: Test the new configuration by adding some LDAP users to the WebSphere® Application Server with administrative roles.
- Optional: If you are using SSL for LDAP, add a signer certificate to your trust store by completing the following steps:
- From the WebSphere® Application Server Integrated Solutions Console, select .
- Type the DNS name of the LDAP directory in the Host field.
- Type the secure LDAP port in the Port field (typically 636).
- Type an alias name, such as LDAPSSLCertificate, in the Alias field.
- Click Apply and then click Save.
- Optional: Verify that users in the LDAP directory have been successfully added to the repository: