Friday, 23 January 2015

Using openLDAP on Mac OS X as a user registry with WebSphere Application Server 8.5.5.4

I had a requirement to quickly add an LDAP into an IBM BPM Advanced 8.5.5 environment, hosted on WebSphere Application Server 8.5.5.4, and thought .. hey, why don't I use openLDAP ?

Given that I'm running my servers on a pair of Macs, I wondered whether I could also host my LDAP server natively, rather than needing to build out another VM.

Lo and behold, OS X includes openLDAP, with which I have some experience.

This document was of immense use: -


from which I did the following: -

Configure SLAPD configuration file

/etc/openldap/slapd.conf

include         /private/etc/openldap/schema/core.schema
include         /private/etc/openldap/schema/cosine.schema
include         /private/etc/openldap/schema/inetorgperson.schema

pidfile         /private/var/db/openldap/run/slapd.pid
argsfile        /private/var/db/openldap/run/slapd.args

database        bdb
suffix          "dc=uk,dc=ibm,dc=com" 
rootdn          "cn=root,dc=uk,dc=ibm,dc=com"
# password is 'root'
rootpw          {SSHA}ih08rDcGRC+S5ol888SZG5YUjOX1oVVK
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /private/var/db/openldap/openldap-data
# Indices to maintain
index   objectClass     eq

Create an LDIF file in order to provision groups and users

sample.ldif

version: 1
dn: dc=uk,dc=ibm,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
dc: uk
o: Some Org
description: A sample domain

dn: ou=people,dc=uk,dc=ibm,dc=com
objectClass: top
objectClass: organizationalUnit
ou: people

dn: cn=WebSphereAdmin,ou=people,dc=uk,dc=ibm,dc=com
objectClass: inetOrgPerson
cn: WebSphereAdmin
sn: Admin
givenname: WebSphere
uid: WebSphereAdmin
# the userpassword is set to the SHA1 of 'root'
userPassword: {SSHA}ih08rDcGRC+S5ol888SZG5YUjOX1oVVK
description: WebSphere Admin

dn: cn=BPMAdmin,ou=people,dc=uk,dc=ibm,dc=com
objectClass: inetOrgPerson
cn: BPMAdmin
sn: Admin
givenname: BPM
uid: BPMAdmin
# the userpassword is set to the SHA1 of 'root'
userPassword: {SSHA}ih08rDcGRC+S5ol888SZG5YUjOX1oVVK
description: BPM Admin

Start LDAP

sudo /usr/libexec/slapd -d 127

Add entries via LDIF

ldapadd -x -D cn=root,dc=uk,dc=ibm,dc=com -w root -f ~/sample.ldif 

Validate by querying LDAP

ldapsearch -x -h ldap.uk.ibm.com -p 389 -b dc=uk,dc=ibm,dc=com -D cn=root,dc=uk,dc=ibm,dc=com -w root "(ObjectClass=inetOrgPerson)"

# extended LDIF
#
# LDAPv3
# base <dc=uk,dc=ibm,dc=com> with scope subtree
# filter: (ObjectClass=inetOrgPerson)
# requesting: ALL
#

# WebSphereAdmin, people, uk.ibm.com
dn: cn=WebSphereAdmin,ou=people,dc=uk,dc=ibm,dc=com
objectClass: inetOrgPerson
cn: WebSphereAdmin
sn: Admin
givenName: WebSphere
uid: WebSphereAdmin
userPassword:: e1NTSEF9aWgwOHJEY0dSQytTNW9sODg4U1pHNVlVak9YMW9WVks=
description: WebSphere Admin

# BPMAdmin, people, uk.ibm.com
dn: cn=BPMAdmin,ou=people,dc=uk,dc=ibm,dc=com
objectClass: inetOrgPerson
cn: BPMAdmin
sn: Admin
givenName: BPM
uid: BPMAdmin
userPassword:: e1NTSEF9aWgwOHJEY0dSQytTNW9sODg4U1pHNVlVak9YMW9WVks=
description: BPM Admin

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3

ldapsearch -x -h ldap.uk.ibm.com -p 389 -b dc=uk,dc=ibm,dc=com -D cn=root,dc=uk,dc=ibm,dc=com -w root "(ObjectClass=organizationalUnit)"

# extended LDIF
#
# LDAPv3
# base <dc=uk,dc=ibm,dc=com> with scope subtree
# filter: (ObjectClass=organizationalUnit)
# requesting: ALL
#

# people, uk.ibm.com
dn: ou=people,dc=uk,dc=ibm,dc=com
objectClass: top
objectClass: organizationalUnit
ou: people

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

WAS Configuration

Start WAS admin client

/opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin/wsadmin.sh -host `hostname` -port 8879 -lang jython -user wasadmin -password passw0rd

Create LDAP Repository

AdminTask.createIdMgrLDAPRepository('[-default true -id ldap.uk.ibm.com -adapterClassName com.ibm.ws.wim.adapter.ldap.LdapAdapter -ldapServerType CUSTOM -sslConfiguration -certificateMapMode exactdn -supportChangeLog none -certificateFilter -loginProperties uid]')

Add LDAP Server

AdminTask.addIdMgrLDAPServer('[-id ldap.uk.ibm.com -host ldap.uk.ibm.com -bindDN cn=root,dc=uk,dc=ibm,dc=com -bindPassword root -referal ignore -sslEnabled false -ldapServerType CUSTOM -sslConfiguration -certificateMapMode exactdn -certificateFilter -authentication simple -port 389]')

Add Base Entry

AdminTask.addIdMgrRepositoryBaseEntry('[-id ldap.uk.ibm.com -name ou=people,dc=uk,dc=ibm,dc=com -nameInRepository ou=people,dc=uk,dc=ibm,dc=com]')

Add Realm Base Entry

AdminTask.addIdMgrRealmBaseEntry('[-name defaultWIMFileBasedRealm -baseEntry ou=people,dc=uk,dc=ibm,dc=com]')

Add User Object Classes and Search Base

AdminTask.addIdMgrLDAPEntityType('[-id ldap.uk.ibm.com -name PersonAccount -objectClasses inetOrgPerson;person -searchBases ou=people,dc=uk,dc=ibm,dc=com -searchFilter (ObjectClass=inetOrgPerson)]')

Add Group Object Class and Search Base

AdminTask.addIdMgrLDAPEntityType('[-id ldap.uk.ibm.com -name Group -objectClasses organizationalUnit -searchBases ou=people,dc=uk,dc=ibm,dc=com -searchFilter (ObjectClass=organizationalUnit)]')

Enable Allow Operation If Repository Down

AdminTask.updateIdMgrRealm('[-name defaultWIMFileBasedRealm -allowOperationIfReposDown true]')

Save and Sync

AdminConfig.save()
AdminNodeManagement.syncActiveNodes()
quit

Once WAS has been restarted, the users in the Federated Repository can be validated: -

print AdminTask.listRegistryUsers(['-securityRealmName', 'defaultWIMFileBasedRealm', '-displayAccessIds', 'true'])

[[accessId user:defaultWIMFileBasedRealm/uid=wasadmin,o=defaultWIMFileBasedRealm] [name wasadmin@defaultWIMFileBasedRealm] ]
[[accessId user:defaultWIMFileBasedRealm/uid=deAdmin,o=defaultWIMFileBasedRealm] [name deAdmin@defaultWIMFileBasedRealm] ]
[[accessId user:defaultWIMFileBasedRealm/cn=BPMAdmin,ou=people,dc=uk,dc=ibm,dc=com] [name BPMAdmin@defaultWIMFileBasedRealm] ]
[[accessId user:defaultWIMFileBasedRealm/cn=WebSphereAdmin,ou=people,dc=uk,dc=ibm,dc=com] [name WebSphereAdmin@defaultWIMFileBasedRealm] ]

print AdminTask.listRegistryUsers(['-securityRealmName', 'defaultWIMFileBasedRealm'])

wasadmin@defaultWIMFileBasedRealm
deAdmin@defaultWIMFileBasedRealm
BPMAdmin@defaultWIMFileBasedRealm
WebSphereAdmin@defaultWIMFileBasedRealm

No comments: