Monday, 17 December 2012

More on wsadmin, LDAP servers ( Bluepages ) and WebSphere Application Server

This is an update to my previous post, and follows an interaction with an IBM colleague, who wasn't able to get this working, at least initially.

When I looked back at my steps, I'm not sure how I got it working - perhaps I made some changes that didn't make it into the original blog post :-(

Ah well, c'est la vie.

Anyway, here's an up-to-date set of instructions: -

Change to the WAS profile's binary directory

$ cd /opt/IBM/WebSphere80/AppServer/profiles/E1PCDMProfile/bin/

Start the wsadmin client

$ ./wsadmin.sh -lang jython -user e1wasadmin -password passw0rd

WASX7209I: Connected to process "dmgr" on node E1PCDMNODENode using SOAP connector;  The type of process is: DeploymentManager
WASX7031I: For help, enter: "print Help.help()"

List the existing repositories - to start with, we only have one - fileRegistry.xml

wsadmin>AdminTask.listIdMgrRepositories()

'{InternalFileRepository={repositoryType=File, host=LocalHost}}'

Start the process of configuring the WIM user registry

wsadmin>AdminTask.configureAdminWIMUserRegistry('[-realmName defaultWIMFileBasedRealm -verifyRegistry false ]')

''

Create a new LDAP repository

wsadmin>AdminTask.createIdMgrLDAPRepository('[-default true -id LDAP1 -adapterClassName com.ibm.ws.wim.adapter.ldap.LdapAdapter -ldapServerType IDS -sslConfiguration -certificateMapMode exactdn -supportChangeLog none -certificateFilter -loginProperties uid]') 

'CWWIM5046W Each configured repository must contain at least one base entry. Add a base entry before saving the configuration. For LDAP repository, add the LDAP server before adding the base entry.'

Now we have TWO repositories

wsadmin>AdminTask.listIdMgrRepositories()

'{InternalFileRepository={repositoryType=File, host=LocalHost}, LDAP1={repositoryType=LDAP, specificRepositoryType=IDS}}'

Add an LDAP server to the new repository

wsadmin>AdminTask.addIdMgrLDAPServer('[-id LDAP1 -host bluepages.ibm.com -port 389 -bindDN uid=7712663228,c=gb,ou=bluepages,o=ibm.com -bindPassword passw0rd! -referal ignore -sslEnabled false -ldapServerType IDS -sslConfiguration -certificateMapMode exactdn -certificateFilter]')

'CWWIM5027W The configuration is not complete. Saving an incomplete configuration can cause startup problems.'

Set the login properties

wsadmin>AdminTask.updateIdMgrLDAPRepository('[-id LDAP1 -adapterClassName com.ibm.ws.wim.adapter.ldap.LdapAdapter -ldapServerType IDS -sslConfiguration -certificateMapMode exactdn -certificateFilter -supportChangeLog none -loginProperties uid]')

'CWWIM5027W The configuration is not complete. Saving an incomplete configuration can cause startup problems.'

Set the base entry

wsadmin>AdminTask.addIdMgrRepositoryBaseEntry('[-id LDAP1 -name o=ibm.com -nameInRepository o=ibm.com]')

'CWWIM5028I  The configuration is saved in a temporary workspace. You must use the "$AdminConfig save" command to save it in the master repository.'

wsadmin>AdminTask.addIdMgrRealmBaseEntry('[-name defaultWIMFileBasedRealm -baseEntry o=ibm.com]') 

'CWWIM5028I  The configuration is saved in a temporary workspace. You must use the "$AdminConfig save" command to save it in the master repository.'

Validate the admin user - which remains in the fileRegistry repository, rather than in LDAP

wsadmin>AdminTask.validateAdminName('[-registryType WIMUserRegistry -adminUser e1wasadmin ]')

'true'

Enable global security - this allows us to secure the admin console by default

wsadmin>AdminTask.setAdminActiveSecuritySettings('[-activeUserRegistry WIMUserRegistry -enableGlobalSecurity true]')

''

Set the user search base

wsadmin>AdminTask.updateIdMgrLDAPEntityType('[-id LDAP1 -name PersonAccount -objectClasses ibmPerson;inetorgperson -searchBases c=us,ou=bluepages,o=ibm.com -searchFilter ]')

'CWWIM5028I  The configuration is saved in a temporary workspace. You must use the "$AdminConfig save" command to save it in the master repository.'

Set the group search base

wsadmin>AdminTask.updateIdMgrLDAPEntityType('[-id LDAP1 -name Group -objectClasses groupOfNames -searchBases ou=memberlist,ou=ibmgroups,o=ibm.com -searchFilter ]')

'CWWIM5028I  The configuration is saved in a temporary workspace. You must use the "$AdminConfig save" command to save it in the master repository.'

Save the configuration

wsadmin>AdminConfig.save()

''

Sync the nodes

wsadmin>AdminNodeManagement.syncActiveNodes()

---------------------------------------------------------------
 AdminNodeManagement:        Synchronize the active nodes
 Usage: AdminNodeManagement.syncActiveNodes()
 Return: If the command is successfully invoked, a value of 1 is returned. 
---------------------------------------------------------------
 
1


List the repositories ( again )

wsadmin>AdminTask.listIdMgrRepositories()

'{InternalFileRepository={repositoryType=File, host=LocalHost}, LDAP1={repositoryType=LDAP, specificRepositoryType=IDS, host=bluepages.ibm.com}}'

List the base entry for the newly added LDAP repository

wsadmin>AdminTask.listIdMgrRepositoryBaseEntries('[-id LDAP1]')

'{o=ibm.com=o=ibm.com}'

We're finished

wsadmin> quit
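The session above is typed in by hand, and a second run of it fails at createIdMgrLDAPRepository because LDAP1 already exists. Here is an added example (my own helper code, not from the original post or from IBM) that turns the same steps into a re-runnable Jython script: it parses the string that listIdMgrRepositories() returns, works out which steps are still missing (the post shows that the host attribute only appears in that listing after addIdMgrLDAPServer has run, which is what is used to spot a half-finished configuration), and builds the '[-name value ...]' parameter strings AdminTask expects. It is written in the Python 2.1 subset that the WAS 8.0 wsadmin Jython interpreter accepts, so the same file also runs under CPython for offline checking; AdminTask and AdminConfig are assumed to exist only inside wsadmin, and the bind DN and password in the test are placeholders. The bind password is deliberately a parameter rather than a literal: both -password on the wsadmin.sh command line and -bindPassword inside the session end up in clear text in shell history and the wsadmin command history, and with -sslEnabled false on port 389 (the post's values, kept here) the bind itself crosses the network in clear text, so for anything beyond a sandbox switch to sslEnabled true with the LDAPS port.

```python
# Added example (not from the original post): helpers for turning the
# wsadmin session into a re-runnable Jython script.  Kept to the Python 2.1
# subset wsadmin's Jython understands in WAS 8.0 (no True/False builtins,
# no 'key in dict', no str.strip(chars)), so it also runs under CPython.
# AdminTask / AdminConfig only exist inside wsadmin; the rest is pure strings.

def parse_repository_list(text):
    """Parse the string AdminTask.listIdMgrRepositories() returns, e.g.
    '{InternalFileRepository={repositoryType=File, host=LocalHost}}', into
    {'InternalFileRepository': {'repositoryType': 'File', 'host': 'LocalHost'}}."""
    text = text.strip()
    if text[:1] == "'" and text[-1:] == "'":      # wsadmin echoes the repr()
        text = text[1:-1]
    if text[:1] != '{' or text[-1:] != '}':
        raise ValueError('unexpected listIdMgrRepositories output: ' + text)
    body = text[1:-1]
    repos = {}
    pos = 0
    while 1:
        start = body.find('={', pos)              # '<repoId>={' opens an entry
        if start < 0:
            break
        name = body[pos:start].strip()
        if name[:1] == ',':                       # ', LDAP1' after the first entry
            name = name[1:].strip()
        end = body.find('}', start)
        attrs = {}
        for pair in body[start + 2:end].split(','):
            if pair.find('=') >= 0:
                key, value = pair.split('=', 1)
                attrs[key.strip()] = value.strip()
        repos[name] = attrs
        pos = end + 1
    return repos


def param_string(params):
    """Render (name, value) pairs as the '[-name value ...]' string AdminTask
    takes.  A value of None emits the bare flag, which is how the post leaves
    -sslConfiguration and -certificateFilter empty; values containing spaces
    are double-quoted, as wsadmin expects."""
    parts = []
    for name, value in params:
        if value is None:
            parts.append('-' + name)
        elif value.find(' ') >= 0:
            parts.append('-%s "%s"' % (name, value))
        else:
            parts.append('-%s %s' % (name, value))
    return '[' + ' '.join(parts) + ']'


def ldap_setup_commands(listing, repo_id, host, bind_dn, bind_password,
                        base_entry, realm='defaultWIMFileBasedRealm'):
    """Return the (AdminTask method name, parameter string) pairs that are
    still needed, judged from the current listIdMgrRepositories() output.
    bind_password is passed in by the caller (prompted or read from a
    permission-restricted properties file), never stored in this script."""
    repos = parse_repository_list(listing)
    common = [('id', repo_id),
              ('adapterClassName', 'com.ibm.ws.wim.adapter.ldap.LdapAdapter'),
              ('ldapServerType', 'IDS'), ('sslConfiguration', None),
              ('certificateMapMode', 'exactdn'), ('supportChangeLog', 'none'),
              ('certificateFilter', None), ('loginProperties', 'uid')]
    cmds = []
    if repos.get(repo_id) is None:                # repository not created yet
        cmds.append(('createIdMgrLDAPRepository',
                     param_string([('default', 'true')] + common)))
    if repos.get(repo_id, {}).get('host') is None:  # no LDAP server attached yet
        cmds.append(('addIdMgrLDAPServer', param_string([
            ('id', repo_id), ('host', host), ('port', '389'),
            ('bindDN', bind_dn), ('bindPassword', bind_password),
            ('referal', 'ignore'),                # wsadmin's own spelling
            ('sslEnabled', 'false'),              # 'true' + port 636 outside a sandbox
            ('ldapServerType', 'IDS'), ('sslConfiguration', None),
            ('certificateMapMode', 'exactdn'), ('certificateFilter', None)])))
        cmds.append(('addIdMgrRepositoryBaseEntry', param_string([
            ('id', repo_id), ('name', base_entry),
            ('nameInRepository', base_entry)])))
        cmds.append(('addIdMgrRealmBaseEntry', param_string([
            ('name', realm), ('baseEntry', base_entry)])))
    return cmds


def run_setup(AdminTask, AdminConfig, **settings):
    """Call from inside wsadmin (e.g. ./wsadmin.sh -lang jython -f thisfile.py):
    runs only the missing steps, then saves the workspace.  The global security
    and entity-type search-base commands from the post are applied the same way."""
    listing = AdminTask.listIdMgrRepositories()
    for method, params in ldap_setup_commands(listing, **settings):
        getattr(AdminTask, method)(params)
    AdminConfig.save()
```

Running ldap_setup_commands against the first listing in the post (only InternalFileRepository) yields all four commands; against the listing after addIdMgrLDAPServer (LDAP1 with a host) it yields none, which is what makes the script safe to re-run after a partial failure.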

That's it, that's the lot.

This time, after restarting the WAS server ( in my case, it's a Deployment Manager ), I can search for, and find, "real" users and groups from LDAP.

Sweet .....

PS: For the record, this time around, I'm using WebSphere Application Server 8.0.0.3.
