Adding Active Directory LDAP into a WebSphere Application Server 8.5 environment

This follows on from some earlier posts: -

Using wsadmin to enable an LDAP Federated Repository in WebSphere Application Server 8.5

More on wsadmin, LDAP servers ( Bluepages ) and WebSphere Application Server

WASX7017E and ADMC0008E seen when federating LDAP into an IBM BPM Advanced 8.0.1 environment

and focuses on the use of Microsoft Active Directory 2008, whereas most of my prior experience ( recently, at least ) has been with IBM Tivoli Directory Server and CA Directory.

So here's the process I followed: -

Start WSAdmin Client

Note - in this scenario, we only have the Deployment Manager and Node Agent running

/opt/ibm/WebSphereProfiles/Dmgr01/bin/wsadmin.sh -lang jython -host `hostname`.uk.ibm.com -port 8879 -user wasadmin -password p455w0rd

Add SSL Signer Certificate for AD to Cell Default Trust Store

cellID=AdminControl.getCell()

AdminTask.retrieveSignerFromPort('[-keyStoreName CellDefaultTrustStore -keyStoreScope (cell):'+cellID+' -host ad_ldap.uk.ibm.com -port 636 -certificateAlias ad_ldap.uk.ibm.com -sslConfigName CellDefaultSSLSettings -sslConfigScopeName (cell):'+cellID+' ]')

Save and Synchronise

AdminConfig.save()

AdminNodeManagement.syncActiveNodes()

Create LDAP Repository

AdminTask.createIdMgrLDAPRepository('[-default true -id ad_ldap.uk.ibm.com -adapterClassName com.ibm.ws.wim.adapter.ldap.LdapAdapter -ldapServerType AD -sslConfiguration -certificateMapMode exactdn -supportChangeLog none -certificateFilter -loginProperties uid]')

Add LDAP Server

AdminTask.addIdMgrLDAPServer('[-id ad_ldap.uk.ibm.com -host ad_ldap.uk.ibm.com -bindDN ad_ldap_bin -bindPassword p455w0rd -referal ignore -sslEnabled true -ldapServerType AD -sslConfiguration -certificateMapMode exactdn -certificateFilter -authentication simple -port 636]')

Add Base Entry

AdminTask.addIdMgrRepositoryBaseEntry('[-id ad_ldap.uk.ibm.com -name dc=uk,dc=ibm,dc=com -nameInRepository dc=uk,dc=ibm,dc=com]')

AdminTask.addIdMgrRealmBaseEntry('[-name defaultWIMFileBasedRealm -baseEntry dc=uk,dc=ibm,dc=com]')

Enable/validate Global Security

AdminTask.setAdminActiveSecuritySettings('[-activeUserRegistry WIMUserRegistry -enableGlobalSecurity true]')

Set User Search Base and Search Filter

Note - your environment WILL almost certainly be different, in terms of object classes, filters etc.

AdminTask.updateIdMgrLDAPEntityType('[-id ad_ldap.uk.ibm.com -name PersonAccount -objectClasses organizationalPerson -searchBases "ou=users,dc=uk,dc=ibm,dc=com" -searchFilter (objectclass=person)]')

Set Group Search Base and Search Filter

Note - your environment WILL almost certainly be different, in terms of object classes, filters etc.

AdminTask.updateIdMgrLDAPEntityType('[-id ad_ldap.uk.ibm.com -name Group -objectClasses group -searchBases "ou=groups,dc=uk,dc=ibm,dc=com" -searchFilter (ObjectCategory=Group)]')

Enable Login if AD is down

AdminTask.updateIdMgrRealm('[-name defaultWIMFileBasedRealm -allowOperationIfReposDown true]')

Save and Synchronise

AdminConfig.save()

AdminNodeManagement.syncActiveNodes()

Restart Deployment Manager and Node Agent

/home/wasadmin/stopManager_PC.sh

/home/wasadmin/stopNode_PC.sh

/home/wasadmin/startManager_PC.sh

/home/wasadmin/startNode_PC.sh

Validate Users/Groups

/opt/ibm/WebSphereProfiles/Dmgr01/bin/wsadmin.sh -lang jython -host `hostname`.uk.ibm.com -port 8879 -user wasadmin -password p455w0rd

print AdminTask.searchGroups(["-cn *"])

cn=developers,o=defaultWIMFileBasedRealm

cn=administrators,o=defaultWIMFileBasedRealm

cn=wasadministrators,ou=groups,dc=uk,dc=ibm,dc=com

print AdminTask.searchUsers(["-cn *"])

cn=ad_ldap_bin,ou=users,dc=uk,dc=ibm,dc=com

cn=wasuser1,ou=users,dc=uk,dc=ibm,dc=com

cn=wasuser2,ou=users,dc=uk,dc=ibm,dc=com

uid=deAdmin,o=defaultWIMFileBasedRealm

uid=wasadmin,o=defaultWIMFileBasedRealm

Note - entries highlighted in bold are from AD, rest are from WAS File-Based Registry 

The job, as Andy Garratt would say, is a good 'un.