Mapping an Active Directory account to administrative roles
Map an account from Active Directory to administrative roles in IBM® WebSphere® Application Server.
Before you begin
This task is not required if you do not use Microsoft™ Active Directory.
Ensure that you have configured HCL Connections™ to use Active Directory as the user directory. For more information, refer to Setting up federated repositories.
Ensure that you have configured WebSphere® Application Server to use the Kerberos and LTPA authentication option. For more information, refer to Configuring SPNEGO and Kerberos (optionally) on WebSphere Application Server.
- The bind account configured under LDAP configuration in WAS.
- The application account
- The SPN account for SPNEGO setup
- The Windows service account used to start WAS
About this task
After enabling Kerberos and LTPA authentication in WebSphere® Application Server, the default file-based repository no longer works, so you can no longer log in to the WebSphere® Application Server Integrated Solutions Console with the wasadmin account. Any services that require authentication and that use the wasadmin ID also stop working. Consequently, some functions in Connections fail, including search indexing, notifications, and adding widgets.
To prevent such problems, you must map an account in Active Directory to the Connections administrative roles in IBM® WebSphere® Application Server.
To map the Active Directory account, complete the following steps:
Procedure
- Map an Active Directory account to administrative roles:
- Log in to the WebSphere® Application Server Integrated Solutions Console on the Deployment Manager.
- Click Add and select Admin Security Manager.
- Enter the Active Directory account name in the Search string field and click Search.
- Select the account name in the Available column and move it to the Mapped to role column.
- Click OK.
- Click Add and select Administrator.
- Enter the Active Directory account name in the Search string field and click Search.
- Select the account name in the Available column and move it to the Mapped to role column.
- Click OK.
- Click Save.
- Change J2C authentication:
- Click .
- Under Additional Properties, click .
- In the SIB Security Resource Wizard window, click Users, enter the Active Directory account in the Search pattern field, and click Next.
- Select the check box for the account name and click Next.
- If you are satisfied with the summary information, click Finish. Note: If you subsequently change the password for the Active Directory account that you map in this step, you must also change the password for the ConnectionsAdmin J2C alias.
- Update the messaging bus configuration. Complete the steps in the Updating the messaging bus configuration when the connectionsAdmin user ID changes topic.
- For each application, update the mapping for the dsx-admin, search-admin, and widget-admin Java EE roles, replacing the currently mapped user with the Active Directory account. Go to the Switching to unique administrator IDs for system level communication topic and complete Step 3.
- Modify the runtime user for the Search application:
- Click .
- Under Detail Properties, click User RunAs Roles.
- Select the Admin option.
- Enter the new user name and password.
- Click Apply. Note: If you subsequently change the password for the Active Directory account that you map in this step, you must also change the password for the ConnectionsAdmin J2C alias.
- (Only required if you use Windows™ services for starting or stopping Connections) Edit your Windows™ services to use your Active Directory account instead of wasadmin to start and stop Connections.
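The console steps above can also be scripted with wsadmin, which is useful when the same mapping has to be repeated on several cells or when the Active Directory password is rotated and the ConnectionsAdmin J2C alias must be kept in step with it. The following Jython script is an added example, not part of the HCL Connections documentation or product: it maps an account to the Admin Security Manager and Administrator console roles and updates the J2C alias. The account name, password, and script file name are placeholders; AdminTask.mapUsersToAdminRole, AdminTask.modifyAuthDataEntry, AdminTask.listAuthDataEntries, and AdminConfig.save are standard wsadmin commands.

```jython
# Added example, not from the HCL Connections documentation.
# Run on the Deployment Manager with the existing WAS administrator:
#   wsadmin.sh -lang jython -user wasadmin -password <pw> -f map_ad_admin.py
# Placeholders (assumptions): AD_ACCOUNT, AD_PASSWORD, the script name.
# ConnectionsAdmin is the J2C alias named in the procedure above.

AD_ACCOUNT  = 'adconnadmin'       # placeholder: Active Directory account to map
AD_PASSWORD = 'CHANGE_ME'         # placeholder: read from a protected file, do not hard-code
J2C_ALIAS   = 'ConnectionsAdmin'  # J2C alias that the procedure refers to

def mapAdminRoles(userId):
    # Console steps "Add > Admin Security Manager" and "Add > Administrator".
    # Role names are the internal WAS role identifiers, not the console labels.
    for role in ['adminsecuritymanager', 'administrator']:
        AdminTask.mapUsersToAdminRole('[-roleName %s -userids [%s]]' % (role, userId))

def updateJ2cAlias(alias, userId, password):
    # Point the J2C alias at the AD account. Re-run this function alone whenever
    # the AD password changes, as the notes in the procedure require.
    AdminTask.modifyAuthDataEntry('[-alias %s -user %s -password %s]' % (alias, userId, password))

def aliasExists(alias):
    # listAuthDataEntries returns the configured entries as text; check that
    # the alias is present before saving so a typo does not leave it unmapped.
    entries = AdminTask.listAuthDataEntries()
    return str(entries).find(alias) >= 0

mapAdminRoles(AD_ACCOUNT)
updateJ2cAlias(J2C_ALIAS, AD_ACCOUNT, AD_PASSWORD)
if not aliasExists(J2C_ALIAS):
    raise Exception('J2C alias %s not found after update; nothing saved' % J2C_ALIAS)
AdminConfig.save()
print 'Mapped %s to adminsecuritymanager and administrator; alias %s updated' % (AD_ACCOUNT, J2C_ALIAS)
```

Administrative role changes take effect only after the Deployment Manager is restarted, so plan the restart as part of the change. Keep the password out of the script file and shell history: read it from a file with restricted permissions or prompt for it, and restrict the script itself to the administrators who are allowed to change the cell's security configuration.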