I pulled this together using my own WAS 8.5 VM running on RHEL 6.3, as ever, and a remote LDAP (albeit IBM Tivoli Directory Server rather than Microsoft Active Directory).
Start wsadmin client
$ cd /opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin
$ ./wsadmin.sh -lang jython
List existing repositories
wsadmin> AdminTask.listIdMgrRepositories()
This should return:
'{InternalFileRepository={repositoryType=File, host=LocalHost}}'
Configure the Administrative User Registry (this assumes that we're keeping the WAS admin user in the file-based registry)
wsadmin> AdminTask.configureAdminWIMUserRegistry('[-realmName defaultWIMFileBasedRealm -verifyRegistry false ]')
Add the LDAP server
wsadmin> AdminTask.createIdMgrLDAPRepository('[-default true -id LDAP1 -adapterClassName com.ibm.ws.wim.adapter.ldap.LdapAdapter -ldapServerType IDS -sslConfiguration -certificateMapMode exactdn -supportChangeLog none -certificateFilter -loginProperties uid]')
wsadmin> AdminTask.addIdMgrLDAPServer('[-id LDAP1 -host bluepages.ibm.com -port 389 -bindDN uid=8817222GB,c=gb,ou=bluepages,o=ibm.com -bindPassword passw0rd! -referal ignore -sslEnabled false -ldapServerType IDS -sslConfiguration -certificateMapMode exactdn -certificateFilter]')
wsadmin> AdminTask.updateIdMgrLDAPRepository('[-id LDAP1 -loginProperties [""]]')
wsadmin> AdminTask.updateIdMgrLDAPRepository('[-id LDAP1 -adapterClassName com.ibm.ws.wim.adapter.ldap.LdapAdapter -ldapServerType IDS -sslConfiguration -certificateMapMode exactdn -certificateFilter -supportChangeLog none -loginProperties uid]')
Add the Base Entries
wsadmin> AdminTask.addIdMgrRepositoryBaseEntry('[-id LDAP1 -name o=ibm.com -nameInRepository o=ibm.com]')
wsadmin> AdminTask.addIdMgrRealmBaseEntry('[-name defaultWIMFileBasedRealm -baseEntry o=ibm.com]')
Validate the Admin Name (wasadmin in the file-based registry)
wsadmin> AdminTask.validateAdminName('[-registryType WIMUserRegistry -adminUser wasadmin ]')
Enable Global Security and set Federated Repositories (WIMUserRegistry) as the active user registry
wsadmin> AdminTask.setAdminActiveSecuritySettings('[-activeUserRegistry WIMUserRegistry -enableGlobalSecurity true]')
Set the LDAP search filters
wsadmin> AdminTask.updateIdMgrLDAPEntityType('[-id LDAP1 -name PersonAccount -objectClasses inetOrgPerson -searchBases ou=bluepages,o=ibm.com -searchFilter ]')
Save changes
wsadmin> AdminConfig.save()
Validate changes
wsadmin> AdminTask.listIdMgrRepositories()
This should return:
'{InternalFileRepository={repositoryType=File, host=LocalHost}, LDAP1={repositoryType=LDAP, specificRepositoryType=IDS, host=bluepages.ibm.com}}'
wsadmin> AdminTask.listIdMgrRepositoryBaseEntries('[-id LDAP1]')
This should return:
'{o=ibm.com=o=ibm.com}'
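The steps above, collected into one wsadmin Jython script, as an added example that is not part of the original post. It differs from the interactive session in two ways a practitioner usually wants: the bind password is read from a root-only file instead of being typed on the wsadmin command line (where it lands in shell and wsadmin history), and the configuration is only saved once the listIdMgrRepositories() output has been parsed and checked for both the file registry (which still holds wasadmin) and the new LDAP repository. The post binds in cleartext on port 389 (-sslEnabled false); the ssl=1 switch sets -sslEnabled true and assumes the directory offers LDAPS and that its signer certificate is already in the cell trust store. Hostnames, DNs, the password file path and the parse/check helper names are assumptions; only AdminTask, AdminConfig and the command parameters come from the post.

```python
# Added example (not the post's own code): the post's federated-repository steps as
# one wsadmin Jython script.  Run inside wsadmin:  ./wsadmin.sh -lang jython -f federate_ldap.py
# Written for the Jython 2.1 that WAS 8.5 ships by default (hence 1/0 rather than True/False).
# AdminTask/AdminConfig exist only inside wsadmin; the parse/check helpers also run under plain Python.

def _split_top_level(text):
    """Split 'a={x, y}, b={z}' on the commas that sit outside any braces."""
    parts = []
    depth = 0
    cur = ''
    for ch in text:
        if ch == '{':
            depth = depth + 1
        elif ch == '}':
            depth = depth - 1
        if ch == ',' and depth == 0:
            parts.append(cur.strip())
            cur = ''
        else:
            cur = cur + ch
    if cur.strip():
        parts.append(cur.strip())
    return parts

def parse_repository_listing(listing):
    """Turn the string AdminTask.listIdMgrRepositories() returns, e.g.
    '{InternalFileRepository={repositoryType=File, host=LocalHost}}', into a nested dict."""
    text = listing.strip()
    if text.startswith("'") and text.endswith("'"):
        text = text[1:-1]
    if not (text.startswith('{') and text.endswith('}')):
        raise ValueError('unexpected listing: %s' % listing)
    repos = {}
    for entry in _split_top_level(text[1:-1]):
        eq = entry.find('={')
        if eq < 0 or not entry.endswith('}'):
            raise ValueError('malformed repository entry: %s' % entry)
        attrs = {}
        for pair in _split_top_level(entry[eq + 2:-1]):
            key, value = pair.split('=', 1)
            attrs[key.strip()] = value.strip()
        repos[entry[:eq]] = attrs
    return repos

def check_repositories(listing, repo_id, expected_host):
    """(1, 'ok') when the file registry holding wasadmin is still present and repo_id
    is an LDAP repository on expected_host; otherwise (0, reason)."""
    repos = parse_repository_listing(listing)
    if repos.get('InternalFileRepository') is None:
        return (0, 'InternalFileRepository missing: wasadmin would have no registry')
    ldap = repos.get(repo_id)
    if ldap is None:
        return (0, '%s is not registered' % repo_id)
    if ldap.get('repositoryType') != 'LDAP':
        return (0, '%s has repositoryType %s' % (repo_id, ldap.get('repositoryType')))
    if ldap.get('host') != expected_host:
        return (0, '%s points at %s, not %s' % (repo_id, ldap.get('host'), expected_host))
    return (1, 'ok')

def ldap_server_params(repo_id, host, port, bind_dn, bind_password, ssl=0):
    """Parameter string for AdminTask.addIdMgrLDAPServer as in the post.  ssl=0 is the post's
    cleartext bind on 389; ssl=1 assumes LDAPS and the signer cert in the cell trust store
    (-sslConfiguration stays empty, as in the post, so the default SSL config applies)."""
    ssl_flag = ssl and 'true' or 'false'
    return ('[-id %s -host %s -port %d -bindDN %s -bindPassword %s -referal ignore '
            '-sslEnabled %s -ldapServerType IDS -sslConfiguration '
            '-certificateMapMode exactdn -certificateFilter]'
            % (repo_id, host, port, bind_dn, bind_password, ssl_flag))

def federate_ldap(repo_id, host, port, bind_dn, password_file, base_entry, search_base, ssl=0):
    """The post's steps in order.  password_file is an assumed chmod-600 file holding the bind
    password, so it never appears in shell or wsadmin history.  Saves only if the check passes."""
    bind_password = open(password_file).read().strip()
    AdminTask.configureAdminWIMUserRegistry(
        '[-realmName defaultWIMFileBasedRealm -verifyRegistry false]')
    AdminTask.createIdMgrLDAPRepository(
        '[-default true -id %s -adapterClassName com.ibm.ws.wim.adapter.ldap.LdapAdapter '
        '-ldapServerType IDS -sslConfiguration -certificateMapMode exactdn '
        '-supportChangeLog none -certificateFilter -loginProperties uid]' % repo_id)
    AdminTask.addIdMgrLDAPServer(ldap_server_params(repo_id, host, port, bind_dn, bind_password, ssl))
    AdminTask.addIdMgrRepositoryBaseEntry(
        '[-id %s -name %s -nameInRepository %s]' % (repo_id, base_entry, base_entry))
    AdminTask.addIdMgrRealmBaseEntry('[-name defaultWIMFileBasedRealm -baseEntry %s]' % base_entry)
    AdminTask.validateAdminName('[-registryType WIMUserRegistry -adminUser wasadmin]')
    AdminTask.setAdminActiveSecuritySettings(
        '[-activeUserRegistry WIMUserRegistry -enableGlobalSecurity true]')
    AdminTask.updateIdMgrLDAPEntityType(
        '[-id %s -name PersonAccount -objectClasses inetOrgPerson -searchBases %s '
        '-searchFilter ]' % (repo_id, search_base))
    ok, why = check_repositories(AdminTask.listIdMgrRepositories(), repo_id, host)
    if not ok:
        AdminConfig.reset()   # drop the unsaved changes rather than persist a half-built registry
        raise ValueError('not saving: ' + why)
    AdminConfig.save()
    return why

if __name__ in ('__main__', 'main'):   # wsadmin -f runs a script with __name__ == 'main'
    print(federate_ldap('LDAP1', 'ldap.example.com', 636, 'uid=binder,o=example.com',
                        '/etc/was/ldap-bind.pw', 'o=example.com', 'ou=people,o=example.com', ssl=1))
```

If the check fails the script resets the unsaved workspace, so the deployment manager is left as it was; re-run the listing commands from the post to confirm before trying again.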
That's it, that's all she wrote :-)
10 comments:
I tried setting this up in my environment with WAS 8.5. The command output showed success, but actually it's not authenticating with the LDAP [w3] user.
I also tried configuring W3 LDAP with my WAS 8.5 using the above-mentioned steps, but authentication failed :( :(
Asrith, Logii - I've since repeated the same steps using my Bluepages credentials for WAS 7 and 8, without problems.
Assuming that you're an IBMer, you may wish to check your intranet password, and ensure that you've not locked your account :-)
Cross-checked, and my intranet ID and password are not locked.
I copy-pasted exactly the set of commands you have given. The only changes I made were the UID and the password. Do I need to modify any other command according to my environment?
Thanks in advance :-)
@Ashrith, as per Sametime, we'll handle this via Notes email :-)
In case you want to use mail (intranet ID) instead of the digit-based IBM uid (this is strictly for IBMers aiming at connecting to Bluepages), change your login property to mail (in place of "uid"). You might also need to change the entity type for PersonAccount to ePerson (my case) instead of inetOrgPerson.
@Radek - good points, thanks
Junior admin here attempting a WAS 8.5 upgrade... I'm attempting to add 2 LDAPs to the Federated Repository but get an SECJ7339E error (from console). I've confirmed the admin name is valid. Any idea on what could cause that?
A bug, perhaps? http://www-01.ibm.com/support/docview.wss?uid=swg1PK37602
Supposed to have been corrected a long time ago, but it might somehow have made it into 8.5. Local fix: use wsadmin to enable security for the Custom User Registry.
Any other factors, like SSL? Did you change the primary administrative name? Are you allowed to update LDAP? Did you remove the file-based registry entry from the federated configuration definition?
@DMinMD - the SECJ7339E message is a little too generic to say for sure, but it could be a range of issues, including user/group search filters, duplicate IDs across LDAPs (you did say that you'd added TWO LDAPs) etc.
You'll need to enable tracing to be sure, and also look for additional SECJxxxxx exceptions, which may provide more information. Regards, Dave