Friday, 3 October 2014

Adding Active Directory LDAP into a WebSphere Application Server 8.5 environment

This follows on from some earlier posts: -




and focuses on the use of Microsoft Active Directory 2008, whereas most of my prior experience (recently, at least) has been with IBM Tivoli Directory Server and CA Directory.

So here's the process I followed: -

Start WSAdmin Client

Note - in this scenario, we only have the Deployment Manager and Node Agent running

/opt/ibm/WebSphereProfiles/Dmgr01/bin/wsadmin.sh -lang jython -host `hostname`.uk.ibm.com -port 8879 -user wasadmin -password p455w0rd

Note - passing -password on the command line leaves it in the shell history and visible in the process list; omit it and wsadmin will prompt for it, or keep the credentials in the profile's properties/soap.client.props (encoded with PropFilePasswordEncoder).

Add SSL Signer Certificate for AD to Cell Default Trust Store

cellID=AdminControl.getCell()
AdminTask.retrieveSignerFromPort('[-keyStoreName CellDefaultTrustStore -keyStoreScope (cell):'+cellID+' -host ad_ldap.uk.ibm.com -port 636 -certificateAlias ad_ldap.uk.ibm.com -sslConfigName CellDefaultSSLSettings -sslConfigScopeName (cell):'+cellID+' ]')

Note - this trusts whatever certificate the port presents at that moment. Before saving, check the retrieved signer (AdminTask.listSignerCertificates on CellDefaultTrustStore shows what was added) against a fingerprint obtained out of band from the AD team. If the domain controllers' certificates are issued by an enterprise CA, importing that CA's root certificate instead means DC certificate renewals will not break LDAPS.

Save and Synchronise

AdminConfig.save()
AdminNodeManagement.syncActiveNodes()

Create LDAP Repository

AdminTask.createIdMgrLDAPRepository('[-default true -id ad_ldap.uk.ibm.com -adapterClassName com.ibm.ws.wim.adapter.ldap.LdapAdapter -ldapServerType AD -sslConfiguration -certificateMapMode exactdn -supportChangeLog none -certificateFilter -loginProperties uid]')

Add LDAP Server

AdminTask.addIdMgrLDAPServer('[-id ad_ldap.uk.ibm.com -host ad_ldap.uk.ibm.com -bindDN ad_ldap_bin -bindPassword p455w0rd -referal ignore -sslEnabled true -ldapServerType AD -sslConfiguration -certificateMapMode exactdn -certificateFilter -authentication simple -port 636]')

Note - the bind account only needs read access to the users and groups containers, and its password is stored (obfuscated, not encrypted, by default) in the cell configuration, so give it no rights beyond that and keep it out of any WAS administrative roles.

Add Base Entry

AdminTask.addIdMgrRepositoryBaseEntry('[-id ad_ldap.uk.ibm.com -name dc=uk,dc=ibm,dc=com -nameInRepository dc=uk,dc=ibm,dc=com]')
AdminTask.addIdMgrRealmBaseEntry('[-name defaultWIMFileBasedRealm -baseEntry dc=uk,dc=ibm,dc=com]')

Enable/validate Global Security

AdminTask.setAdminActiveSecuritySettings('[-activeUserRegistry WIMUserRegistry -enableGlobalSecurity true]')

Set User Search Base and Search Filter

Note - your environment WILL almost certainly be different, in terms of object classes, filters etc.

AdminTask.updateIdMgrLDAPEntityType('[-id ad_ldap.uk.ibm.com -name PersonAccount -objectClasses organizationalPerson -searchBases "ou=users,dc=uk,dc=ibm,dc=com" -searchFilter (objectclass=person)]')

Set Group Search Base and Search Filter

Note - your environment WILL almost certainly be different, in terms of object classes, filters etc.

AdminTask.updateIdMgrLDAPEntityType('[-id ad_ldap.uk.ibm.com -name Group -objectClasses group -searchBases "ou=groups,dc=uk,dc=ibm,dc=com" -searchFilter (ObjectCategory=Group)]')

Allow logins from the file-based registry if AD is down

Note - with this set, realm operations succeed even when one repository is unreachable, so the administrative ID (wasadmin, in the file-based registry) can still log in when AD is down. It only helps while that ID stays in the file-based registry rather than being moved into AD.

AdminTask.updateIdMgrRealm('[-name defaultWIMFileBasedRealm -allowOperationIfReposDown true]')

Save and Synchronise

AdminConfig.save()
AdminNodeManagement.syncActiveNodes()

Restart Deployment Manager and Node Agent

/home/wasadmin/stopManager_PC.sh
/home/wasadmin/stopNode_PC.sh
/home/wasadmin/startManager_PC.sh
/home/wasadmin/startNode_PC.sh

Validate Users/Groups

/opt/ibm/WebSphereProfiles/Dmgr01/bin/wsadmin.sh -lang jython -host `hostname`.uk.ibm.com -port 8879 -user wasadmin -password p455w0rd

print AdminTask.searchGroups(["-cn *"])

cn=developers,o=defaultWIMFileBasedRealm
cn=administrators,o=defaultWIMFileBasedRealm
cn=wasadministrators,ou=groups,dc=uk,dc=ibm,dc=com

print AdminTask.searchUsers(["-cn *"])

cn=ad_ldap_bin,ou=users,dc=uk,dc=ibm,dc=com
cn=wasuser1,ou=users,dc=uk,dc=ibm,dc=com
cn=wasuser2,ou=users,dc=uk,dc=ibm,dc=com
uid=deAdmin,o=defaultWIMFileBasedRealm
uid=wasadmin,o=defaultWIMFileBasedRealm

Note - the entries under dc=uk,dc=ibm,dc=com (wasadministrators, ad_ldap_bin, wasuser1 and wasuser2) come from AD; those under o=defaultWIMFileBasedRealm (developers, administrators, deAdmin and wasadmin) come from the WAS file-based registry. Note too that ad_ldap_bin, the bind account, shows up as an ordinary user.
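Both the repository definition above (base entry, search bases, search filters, port and SSL flag) and the searchUsers/searchGroups check can be sanity-checked offline. What follows is an added example written for this post, not IBM's or WebSphere's code: a plain Python 3 script, run on a workstation rather than inside wsadmin's Jython, that validates the AdminTask argument values before they are applied and then classifies the returned uniqueNames by their suffix, which is what the highlighting above does by eye. The constants and the sample output are copied from this post; the function names, the RFC 4515 filter check (common filter forms only) and the three findings (admin ID outside the file-based registry, bind account visible as a user, one login ID in two repositories) are this example's own.

```python
"""Offline sanity checks for the VMM (WIM) LDAP repository configured above.
Added example, not IBM code: plain Python 3 run outside wsadmin. It validates
the AdminTask argument values before they are applied and classifies the
searchUsers/searchGroups output afterwards. Sample values are copied from the
post; the checks are this example's own, not WebSphere's."""
import re

FILE_BASE_ENTRY = "o=defaultWIMFileBasedRealm"   # built-in file registry
REPO_BASE_ENTRY = "dc=uk,dc=ibm,dc=com"          # addIdMgrRepositoryBaseEntry
REALM_BASE_ENTRIES = ["dc=uk,dc=ibm,dc=com"]     # addIdMgrRealmBaseEntry
ENTITY_TYPES = {                                 # updateIdMgrLDAPEntityType
    "PersonAccount": ("ou=users,dc=uk,dc=ibm,dc=com", "(objectclass=person)"),
    "Group": ("ou=groups,dc=uk,dc=ibm,dc=com", "(ObjectCategory=Group)"),
}
# Constructed sample: the searchUsers output shown in the post.
USERS_OUTPUT = """cn=ad_ldap_bin,ou=users,dc=uk,dc=ibm,dc=com
cn=wasuser1,ou=users,dc=uk,dc=ibm,dc=com
cn=wasuser2,ou=users,dc=uk,dc=ibm,dc=com
uid=deAdmin,o=defaultWIMFileBasedRealm
uid=wasadmin,o=defaultWIMFileBasedRealm"""

def split_dn(dn):
    """[(type, value)] per RDN, lower-cased (cn/ou/dc/o are caseIgnore);
    a backslash-escaped comma (RFC 4514) does not start a new RDN."""
    return [(a.strip().lower(), v.strip().lower()) for a, _, v in
            (p.partition("=") for p in re.split(r"(?<!\\),", dn.strip()))]

def is_under(dn, base):
    """True if dn is base itself or an entry beneath it."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def filter_ok(flt):
    """Syntax check for an RFC 4515 filter (the subset WAS search filters use):
    (attr=v) (attr~=v) (attr>=v) (attr:rule:=v) and (&...) (|...) (!...)."""
    pos = 0
    def item():
        nonlocal pos
        if pos >= len(flt) or flt[pos] != "(":
            return False
        pos += 1
        if pos < len(flt) and flt[pos] in "&|":
            pos, n = pos + 1, 0
            while pos < len(flt) and flt[pos] == "(":
                if not item():
                    return False
                n += 1
            ok = n >= 1
        elif pos < len(flt) and flt[pos] == "!":
            pos += 1
            ok = item()
        else:
            end = flt.find(")", pos)
            ok = end > pos and re.fullmatch(
                r"[A-Za-z][\w.;-]*(:[\w.]+)?:?[~<>]?=[^()]*", flt[pos:end]) is not None
            pos = end
        if not ok or pos >= len(flt) or flt[pos] != ")":
            return False
        pos += 1
        return True
    return item() and pos == len(flt)

def preflight(repo_base, realm_bases, entity_types, port, ssl_enabled):
    """Problems with the repository definition, as a list (empty means OK)."""
    problems = []
    if not any(split_dn(repo_base) == split_dn(b) for b in realm_bases):
        problems.append("base entry %s was never added to the realm" % repo_base)
    for name, (search_base, flt) in entity_types.items():
        if not is_under(search_base, repo_base):
            problems.append("%s search base %s is outside %s" % (name, search_base, repo_base))
        if not filter_ok(flt):
            problems.append("%s search filter %s is malformed" % (name, flt))
    # 389/3268 are plaintext LDAP / Global Catalog, 636/3269 their LDAPS twins.
    if ssl_enabled and port in (389, 3268) or not ssl_enabled and port in (636, 3269):
        problems.append("sslEnabled=%s does not match port %d" % (ssl_enabled, port))
    return problems

def classify(unique_name, ldap_bases):
    """Source registry ("file", "ldap" or "unknown") judged by the uniqueName suffix."""
    if is_under(unique_name, FILE_BASE_ENTRY):
        return "file"
    return "ldap" if any(is_under(unique_name, b) for b in ldap_bases) else "unknown"

def audit(users_output, ldap_bases, admin_id, bind_account):
    """Findings about the returned users that a practitioner should act on."""
    users = [(split_dn(l)[0][1], classify(l, ldap_bases))
             for l in filter(str.strip, users_output.splitlines())]
    findings = []
    # allowOperationIfReposDown only preserves admin access if the admin ID
    # lives in a repository that is still up, i.e. the file-based registry.
    if (admin_id.lower(), "file") not in users:
        findings.append("admin ID %s is not in the file-based registry" % admin_id)
    # To WIM the bind service account is just another login-capable AD user.
    if (bind_account.lower(), "ldap") in users:
        findings.append("bind account %s is a searchable user; keep it out of admin roles" % bind_account)
    # One login ID present in two repositories makes WIM logins ambiguous.
    for name in sorted({n for n, _ in users}):
        if len({s for n, s in users if n == name}) > 1:
            findings.append("user ID %s exists in more than one repository" % name)
    return findings

if __name__ == "__main__":
    print(preflight(REPO_BASE_ENTRY, REALM_BASE_ENTRIES, ENTITY_TYPES, 636, True))
    print(audit(USERS_OUTPUT, REALM_BASE_ENTRIES, "wasadmin", "ad_ldap_bin"))
```

Run as a script, preflight returns an empty list for the values in this post, and audit raises a single finding: ad_ldap_bin, the bind account, is itself returned as a PersonAccount. Swap the admin ID for an AD user (say wasuser1) and a second finding appears, because allowOperationIfReposDown would then no longer keep an administrator able to log in while AD is down. The filter check is deliberately a syntax check only; whether (objectclass=person) is the right filter for your forest is something only a search against AD can tell you.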

The job, as Andy Garratt would say, is a good 'un.
