Monday, 19 November 2012

Using wsadmin to enable an LDAP Federated Repository in WebSphere Application Server 8.5

This article is somewhat of an aide memoire for me, allow me to remember how to enable WebSphere Application Server to talk to an LDAP server, without needing to use a GUI :-)

I pulled this together using my own WAS 8.5 VM running on RHEL 6.3, as ever, and a remote LDAP ( albeit IBM Tivoli Directory Server rather than Microsoft Active Directory ).

Start wsadmin client

$ cd /opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin
$ ./wsadmin.sh -lang jython

List existing repositories

wsadmin> AdminTask.listIdMgrRepositories()

should return: -

'{InternalFileRepository={repositoryType=File, host=LocalHost}}'

Configure the Administrative User Registry ( assume that we're keeping the WAS admin in file-based registry )

wsadmin> AdminTask.configureAdminWIMUserRegistry('[-realmName defaultWIMFileBasedRealm -verifyRegistry false ]')

Add the LDAP server

wsadmin> AdminTask.createIdMgrLDAPRepository('[-default true -id LDAP1 -adapterClassName com.ibm.ws.wim.adapter.ldap.LdapAdapter -ldapServerType IDS -sslConfiguration -certificateMapMode exactdn -supportChangeLog none -certificateFilter -loginProperties uid]') 

wsadmin> AdminTask.addIdMgrLDAPServer('[-id LDAP1 -host bluepages.ibm.com -port 389 -bindDN uid=8817222GB,c=gb,ou=bluepages,o=ibm.com -bindPassword passw0rd! -referal ignore -sslEnabled false -ldapServerType IDS -sslConfiguration -certificateMapMode exactdn -certificateFilter]')

wsadmin> AdminTask.updateIdMgrLDAPRepository('[-id LDAP1 -loginProperties [""]]')

wsadmin> AdminTask.updateIdMgrLDAPRepository('[-id LDAP1 -adapterClassName com.ibm.ws.wim.adapter.ldap.LdapAdapter -ldapServerType IDS -sslConfiguration -certificateMapMode exactdn -certificateFilter -supportChangeLog none -loginProperties uid]')

Add the Base Entries

wsadmin> AdminTask.addIdMgrRepositoryBaseEntry('[-id LDAP1 -name o=ibm.com -nameInRepository o=ibm.com]')

wsadmin> AdminTask.addIdMgrRealmBaseEntry('[-name defaultWIMFileBasedRealm -baseEntry o=ibm.com]') 

Validate the Admin Name ( wasadmin in file-based registry )

wsadmin> AdminTask.validateAdminName('[-registryType WIMUserRegistry -adminUser wasadmin ]')

Enable Global Security and set Federated Repositories to be default

wsadmin> AdminTask.setAdminActiveSecuritySettings('[-activeUserRegistry WIMUserRegistry -enableGlobalSecurity true]')

Set the LDAP search filters

wsadmin> AdminTask.updateIdMgrLDAPEntityType('[-id LDAP1 -name PersonAccount -objectClasses inetOrgPerson -searchBases ou=bluepages,o=ibm.com -searchFilter ]') 

Save changes

wsadmin> AdminConfig.save()

Validate changes

wsadmin> AdminTask.listIdMgrRepositories()

should return: -

'{InternalFileRepository={repositoryType=File, host=LocalHost}, LDAP1={repositoryType=LDAP, specificRepositoryType=IDS, host=bluepages.ibm.com}}'

wsadmin> AdminTask.listIdMgrRepositoryBaseEntries('[-id LDAP1]')

should return: -

'{o=ibm.com=o=ibm.com}'

That's it, that's all she wrote :-)

10 comments:

Ashrith said...

i tried setting up in my environment with WAS 8.5 . I had command output as success , but actually its not authenticating with the LDAP[w3] User

logii said...

Even I tried configuring W3 LDAP with my WAS8.5 with the above mentioned steps. But authentication failed :( :(

Dave Hay said...

Asrith, Logii - I've since repeated the same steps using my Bluepages credentials for WAS 7 and 8, without problems.

Assuming that you're an IBMer, you may wish to check your intranet password, and ensure that you've not locked your account :-)

Ashrith said...

cross checked and my intranet id and password is not locked.
I exactly copy pasted the set of commands you have given. The only change i did was UID and the password . Do i need to modify any other command according to my environment ?
Thanks in Advance :-)

Dave Hay said...

@Ashrith, as per Sametime, we'll handle this via Notes email :-)

Radek Baranowski said...

in case you want to use mail (intranet id) instead of digit-based IBM uid (this is strictly for IBMers aiming at connecting to bluepages), change your login property to mail (in place of "uid"). you might also need change entity type for PersonAccount to ePerson (my case) instead of inetOrgPerson.

Dave Hay said...

@Radek - good points, thanks

DMinMD said...

Junior admin here attempting a WAS 8.5 upgrade... I'm attempting to add 2 LDAPs to the Federated Repository but get an SECJ7339E error (from console). I've confirmed the admin name is valid. Any idea on what could cause that?

Radek Baranowski said...

a bug, perhaps ? http://www-01.ibm.com/support/docview.wss?uid=swg1PK37602
supposed to have been corrected a long time ago, but might have made it somehow to 8.5. local fix: Use wsadmin to enable security to the Custom User Registry

any other factors like SSL? did you change primary administrative name ? are you allowed to update LDAP? did you remove file based registry entry from federated configuration definition ?

Dave Hay said...

@DMinMD - the SECJ7339E message is a little too generic to say for sure, but it could be a range of issues, including user/group search filters, duplicate IDs across LDAPs ( you did say that you'd added TWO LDAPs ) etc.

You'll need to enable tracing to be sure, and also look for additional SECJxxxxx exceptions, which may provide more information, regards, Dave