![Close [x]](http://dw1.s81c.com/i/c.gif){kind=small}
The IBM Lotus Workplace Web Content Management (hereafter called Web Content Management) technology, acquired from Presence Online/Aptrix, delivers end-to-end Web content management for Internet, intranet, extranet and portal sites. Web Content Management leverages content in back-end systems and reduces development and implementation time, placing content creation and management firmly in the hands of content experts for "author once, publish everywhere" control. It runs on both Domino and WebSphere Application Server and provides for the integration of WebSphere Portal and DB2 Content Manager. This makes this offering fit well with IBM middleware and allows you to leverage existing investments. However, while Web Content Management can handle user and group management internally, many customers instead use an external LDAP server such as IBM Directory Server or Domino Server.
The IBM Lotus Workplace Web Content Management v1.1 (Java Edition) includes a sample LDAP configuration that can be used as is or modified as needed to authenticate Users, establish Groups, and determine User categories. This document describes how to use this sample to implement User authentication and Group access using IBM Directory Server LDAP in a Portal environment. Before you begin the process it is assumed that you have installed and configured your Web Content Management UI and also installed the Content Portlet.
Figure 1 shows the sample configuration discussed in this article. The sample scenario (1) uses LDAP connection attributes and properties file locations specified in the Web Content Management connect.cfg file to (2) map LDAP attributes for the user to an existing Web Content Management Group and define the user€™s profile categories, (3) resulting in content that is specific to the group and user.
Figure 1: The sample authentication configuration
This article describes the supplied LDAP samples. It explains how to configure the Web Content Management properties and configuration files to correspond to those configured with the IBM Directory Server LDAP. It then shows you how to test your configuration to make sure that your scenario behaves properly. It also includes an alternative scenario, which includes modifications to the sample to enable it to access group membership directly from LDAP group membership.
The article first steps you through how to configure the environment to authenticate users via IBM Directory Server (using the default schema) and to use the LDAP attribute givenname to identify group membership. For this group to be recognized by Web Content Management, this exact group name has to be created in the Web Content Management Administrator User Interface (UI).
Before going through the steps in this example, WebSphere Portal, Web Content Management, and IBM Directory Server must be installed on the system or accessible on another system. All components are operational and Portal has been configured to run with LDAP. Default installation directories and LDAP Attributes are assumed.
The sample files are located in the [WebContentMangement-base]\app\samples\LDAP are all the files used in this Sample LDAP configuration, where [WebContentMangement-base]is the directory in which the Web Content Management product is installed.
To verify your LDAP attributes, run the following ldapsearch command:
ldapsearch -D uid=wpsadmin,cn=users,dc=raleigh,dc=ibm,dc=com -w wpsadmin
-b dc=raleigh,dc=ibm,dc=com uid=* |
Results should include a list of all user attributes for all registered users, as shown in Figure 2.
Figure 2: Results of the
ldapsearch command
Configuring Web Content Management for use with the LDAP sample
The first step in configuring the environment is to change the settings in the connect.cfg file:
- Change to the configuration directory for your application (for example, to
D:\Aptrix1.1\app\config). - Make a backup copy of the
connect.cfgfile. - Edit the
config.cfgfile to specify the following values according to the the LDAP server you are using. In the<ModuleConfig>section, add:<ModuleConfig> <Sample> <SampleLDAPProperties value="../config/sampleldaprum.properties" /> <SampleLDAPAdministratorProperies value="../config/sampleldapadmin.properties" /> </Sample> - Add the following section for the LDAP Connection replacing your LDAP values:
<LDAPConnector> <OrganizationName value="raleigh.ibm.com" /> <DefaultHost value="tsmit30.raleigh.ibm.com" /> <DefaultPort value=389 /> <DefaultScope value=SUBTREE /> <!-- The version identifier: 2 or 3 --> <DefaultVersion value=3 /> <!-- The base search scope within the DIT --> <DefaultBaseSearchDN value="dc=raleigh,dc=ibm,dc=com" /> <DefaultAuthDN value="uid=wpsbind,cn=users,dc=raleigh,dc=ibm,dc=com" /> <DefaultAuthPwd value="wpsbind" /> <DirectoryManagerAuthDN value="cn=root" /> <DirectoryManagerAuthPwd value="password" /> <DefaultTimeout value=1000 /> <ConnectionManager> <MaxConnectionPools value=1000 /> <MaxConnectionsPerPool value=64 /> </ConnectionManager> <UseSSL value=false /> </LDAPConnector> - Modify the
UserManagerandAuthorizationManagersections as follows:<UserManager class="com.ilwwcm.sample.ldaprum.framework.SampleCombinedUserManager" > <LDAPUserManager> <DefaultUniqueIDFieldName value="uid" /> <DefaultAuthDN value="uid=wpsbind,cn=users,dc=raleigh,dc=ibm,dc=com" /> <DefaultAuthPwd value="wpsbind" /> <DefaultBaseDN value="cn=users,dc=raleigh,dc=ibm,dc=com" /> </LDAPUserManager> </UserManager> <AuthorisationManager class= "com.ilwwcm.sample.ldaprum.framework.SampleCombinedAuthorisationManager" > <LDAPAuthorisationManager> <DefaultUniqueIDFieldName value="uid" /> </LDAPAuthorisationManager> </AuthorisationManager>
The next step is to change the properties file:
- Copy the sample LDAP runtime user manager configuration files (
sampleldapadmin.propertiesandsampleldaprum.properties) to the configuration directory for your Web Content Management application (for example,D:\Aptrix1.1\app\config). - Change the
sampleldapadmin.propertiesfile to include the specifications for the LDAP administrator user ID and password:DirectoryManagerAuthDN=uid=wpsbind,cn=users,dc=raleigh,dc=ibm,dc=com DirectoryManagerAuthPwd=wpsbind
- Change the
sampleldaprum.propertiesfile to include the specifications for the Web Content Management user group (NewsUser) mapping to the LDAP attribute (givenname) as follows:#--------------------------------------------------------------------- # LDAP Configuration Properties #--------------------------------------------------------------------- username_att=uid password_att=userpassword member_att=uniquemember user_class=person group_class=groupOfUniqueNames org_unit_att=cn org_unit_att_value=users org_att=dc org_att_value=raleigh,dc=ibm,dc=com common_name_att=cn object_class_att=objectclass #--------------------------------------------------------------------- # Group and Category LDAP attributes #--------------------------------------------------------------------- €¦ #the LDAP attributes that define group membership of Users #user_grps=groupSample1,groupSample2 USER_GRPS=GIVENNAME €¦ #map an LDAP value to IBM Lotus Workplace Web Content Management Group values via: #e.g. sampleRoleName_GrpMap=groupSample1 GIVENNAME_GRPMAP=GIVENNAME
- Edit the
aptrixjpe.propertiesfile (located in your config directory) to specify the Runtime User Manager class for themanager.runtimeUserproperty:manager.runtimeUser=[CLASS_NAME] manager.runtimeUser=com.ilwwcm.sample.ldaprum.server.SampleRuntimeUserManager
Next, place the JAR files in the appropriate directories.
- Place the
ilwwcm-sample-ldaprum.jarfilefile into theWEB-INF/libdirectory of your IBM Lotus Workplace Web Content Management WAR file, which is located in theAppServer\installedApps\[Server-name]\[ILWWCM.ear]\ilwwcm.war\WEB-INF\libdirectory in your IBM WebSphere installation. - Ensure that the permissions are set correctly for the files. If you do not, a
java.lang.ClassNotFoundExceptionwill be thrown when you run the application. - If the LDAP
ldapjdk.jarandldapfilt.jarfiles listed below are not in the system class path, then you must copy them into theWEB-INF/libdirectory of your IBM Lotus Workplace Web Content Management WAR file (the same listed in the previous step). If you do not have these JAR files, you can use the LDAP jars provided with this sample may be used instead, though it is recommended that you use the JAR files provided with your LDAP server. For more information on the configuration files see the.txtfiles in theILWWCM-HOME\app\samples\LDAPdirectory - Restart the server.
The next step is to set up the users and groups needed:
- Using the
Portal Sign-uppage (see the upper right corner of thePortal Loginpage in Figure 3), add a new user named theresa, be sure to set thegivennameattribute toNewsUser.
Figure 3: The Portal Login page
- Add the user group in Web Content Management:
- Log into the Web Content Management UI as
Administratorand create a new group namedNewsUser. Also makeNewsUsera member of the UIAccessGroup. This access in only for testing purpose. - Verify that user
theresadoes not exist as a Web Content Management user.
- Log into the Web Content Management UI as
The sample scenario delivers content that is targeted to the NewsUser group, so you want to assure that those who have the LDAP attribute givenname set to NewsUser are allowed to see only the news content and those who do not belong to this group do not see the news content.
- Set Content Security. Select one piece of content in the Content Library, and set the security so
NewsUserhas edit rights. - Verify the configuration. Open a new Web Content Management UI and log in as
theresa. Only the authorized components should be displayed. - Log into Portal as
theresaand access theDeptNewspage created in the End2End doc. You should only see the news that was secured forNewsUser. - Log into Portal as
wpsadminand access theDeptNewspage. You should not see the news content.
It is quite common to maintain group membership for users in the LDAP database. The alternative sample scenario, shown in Figure 4, uses LDAP connection attributes and properties file locations specified in the connect.cfg file to (1) query the LDAP to obtain a list of the groups in which the User is a member, (2) which maps to an existing Web Content Management Group, (3) again resulting in content that is specific to the group and user.
Figure 4: Alternate authentication scenario
First, we need to obtain a group membership from LDAP. With some coding changes to the UserAuthorization manager, you can implement a solution that not only authenticates the user using LDAP but also looks up the LDAP group membership for each user and applies that to the Web Content Management resources.
The group membership query in this sample code is similar to the following LDAP search command:
ldapsearch -D uid=wpsadmin,cn=users,dc=raleigh,dc=ibm,dc=com -w wpsadmin
-b dc=raleigh,dc=ibm,dc=com uniqueMember=uid=theresa,cn=users,dc=raleigh,dc=ibm,dc=com cn |
In this command, the €“D and €“w options are the user id and password specified in the connect.config file in the the LDAP connector stanza.
<DefaultAuthDN value="uid=wpsbind,cn=users,dc=raleigh,dc=ibm,dc=com" /> <DefaultAuthPwd value="wpsbind" /> |
The €“b option is the base dn from the DefaultBaseSearchDN stanza:
<DefaultBaseSearchDN value="dc=raleigh,dc=ibm,dc=com" /> |
The uniqueMember and cn attributes are both defined in the sampleldaprum.properties file and are used with the authenticated user to retrieve the groups name for the user.
member_att=uniqueMember €¦ common_name_att=cn |
For limitations see the "Known Limitations" section.
Follow these steps for the alternate scenario:
- Create a Project in WebSphere Studio Application Developer.
- Import the source from the Web Content Management
INSTALL/app/samples/LDAP/sourcedirectory - Edit the Project Java Build Path. Right-click on Project Name -> Properties -> Java Build Path -> Add Libraries and add the following files:
Ilwwcm-framework.jarilwwcm-server.jarldapjdk.jarldapfilt.jarilwwcm-commons-xmlpersistency.jarilwwcm-commons-utils.jarilwwcm-commons-version.jarilwwcm-commons-properties.jar
- Add the resource bundle property classes to the package
com.ilwwcm.sample.ldarum. To add the resource bundles, you must extract them fromilwwcm-ldaprum.jarfile and import them into your project. The resource bundles should be:ldaprum_de.propertiesldaprum_en.propertiesldaprum_es.propertiesldaprum_fr.propertiesldaprum_it.propertiesldaprum_ja.propertiesldaprum_ko.propertiesldaprum.propertiesldaprum_sv.propertiesldaprum_zh.propertiesldaprum_zh_TW.properties
- Edit the
SampleLDAPUser.javafile to add the following imports to the import section./** Imports for Checking Groups in LDAP */ import com.presence.connect.utils.Config; import com.presence.connect.utils.ConfigKeys; import com.presence.connect.connector.ldap.LDAPConnectionParam; import com.presence.connect.connector.ConnectionManager; import com.presence.connect.connector.ConnectorException; import com.presence.connect.connector.ldap.LDAPConnector;
- Add the following global variables to the class:
/** LDAP Connection Parameters*/ private LDAPConnectionParam m_dirMgrParam; /** LDAP Host*/ private String m_ldapHost = null; /** LDAP port */ private int m_ldapPort; /** Use SSL */ private boolean m_useSSL; /** Connection Timeout */ private int m_timeout = Connect.getAppConfig().getInt(ConfigKeys.BASE_CONNECTOR + ConfigKeys.SEPARATOR + ConfigKeys.LDAP_CONNECTOR_CONFIG + ConfigKeys.SEPARATOR + ConfigKeys.LDAP_TIMEOUT, -1);
- Add the Connection setup and creation information to the top of the
SampleLDAPUser(ConnectLDAPEntry p_ldapEntry)method./** Create new LDAPConnector and set host, port, and SSL configuration from the values in connect.cfg*/ LDAPConnector connector = new LDAPConnector(); Config config = connector.getConnectorConfig(); m_ldapHost = config.getString(ConfigKeys.LDAP_HOST); m_ldapPort = config.getInt(ConfigKeys.LDAP_PORT); m_useSSL = config.getBoolean(ConfigKeys.USE_SSL); // set up an LDAP connector for the search using the // directory manager connection parameters // create directory manager connection param, to be used for all searches m_dirMgrParam = new LDAPConnectionParam(m_ldapHost, m_ldapPort, SampleAdministratorProperties.getDirectoryManagerAuthDN(), SampleAdministratorProperties.getDirectoryManagerAuthPwd(), m_timeout); m_dirMgrParam.setSSL(m_useSSL);
-
Add the following line to get the User Distinguished Name in the
SampleLDAPUser(ConnectLDAPEntry p_ldapEntry)method. This code is used in the LDAP query to find the groups of which the user is a member.//get the User DN to be used when finding the user's groups String userDN = p_ldapEntry.getDN();
Add this immediately immediately after:
// get the User name String[] values = p_ldapEntry.getValues(SampleLDAPProperties.getUsernameAtt());
- Change the
setUserGroupscall in theSampleLDAPUser(ConnectLDAPEntry p_ldapEntry)method to pass theUserDN:// get the UserGroups by user DN setUserGroups(userDN);
- Override the
setUserGroupsmethod with the following method.private void setUserGroups(String userDN) { //create the search string, get the search property from SampleLDAPRum.properties String p_search = new String(SampleLDAPProperties.getMemberAtt()+ "=" + userDN ); //get the Group Name Attribute from the SampleLDAPRum.properties String groupNameAtt = SampleLDAPProperties.getCommonNameAtt(); s_log.info(2, ResourceBundleUtils.getFormattedString (SampleLdapRumBundleKeyConstants.SAMPLE_LDAPRUM_BUNDLE_NAME, SampleLdapRumBundleKeyConstants.SEARCHING_FOR_1, new Object[] {p_search})); LDAPConnector connector = new LDAPConnector(); connector.setConnectionParam(m_dirMgrParam); // Explicitly connect try { connector.connect(); } catch (ConnectorException ce) { s_log.warn(1, ResourceBundleUtils.getFormattedString (SampleLdapRumBundleKeyConstants.SAMPLE_LDAPRUM_BUNDLE_NAME, SampleLdapRumBundleKeyConstants.SEARCH_FAILED_WARNING_3, new Object[] {null, ce, ce})); } // perform search to find group. // we may need to retry because a connection could have timed-out at the LDAP Server // or from the other end. // A connection may also timeout via AbstractConnection. ConnectionManager connMgr = connector.getConnectionManager(); ConnectLDAPEntry[] results = null; ConnectLDAPEntry result = null; boolean continueAttempts = true; for (int attempt = 0, maxAttempts = connMgr.getMax() + 1; attempt < maxAttempts && continueAttempts; attempt++) { s_log.info(2, ResourceBundleUtils.getFormattedString (SampleLdapRumBundleKeyConstants.SAMPLE_LDAPRUM_BUNDLE_NAME, SampleLdapRumBundleKeyConstants.SEARCH_ATTEMPT_1, new Object[] {String.valueOf(attempt)})); // ask the Connector to perform a search for the group given a member // attribute equal to the user dn multiple groups may be returned. try { results = connector.search(null, null, p_search); for (int i=0; i < results.length; i++){ ConnectLDAPEntry groupObject = results[i]; String[] groupNames = groupObject.getValues(groupNameAtt); if (groupNames.length > 0 ){ //we assume that each group only has 1 group name, or 1 CN, // and we add it to our User's Group attribute m_groups.add(groupNames[0]); } } // the search finished without an exception, no need keep going continueAttempts = false; } // if we get an exception, there is something wrong with the connection // it may have been broken from the other end, so disconnect internally // so we can try again catch (ConnectorException e) { s_log.warn(1, ResourceBundleUtils.getFormattedString (SampleLdapRumBundleKeyConstants.SAMPLE_LDAPRUM_BUNDLE_NAME, SampleLdapRumBundleKeyConstants.SEARCH_FAILED_WARNING_3, new Object[] {p_search, e, e})); try { // disconnect the connection first because it's not working, and // we want it to reconnect if it's used again if (connector.getConnection() != null) { connector.getConnection().disconnect(); } connector.disconnect(); // try and flush any broken connections out of the pool. connMgr.releaseFree(); } catch (ConnectorException ce) { s_log.warn(1, ResourceBundleUtils.getFormattedString (SampleLdapRumBundleKeyConstants.SAMPLE_LDAPRUM_BUNDLE_NAME, SampleLdapRumBundleKeyConstants.FAILED_TO_DISCONNECT_EXCEPTION_2, new Object[] {ce, ce})); // can't continue to retry if we get an error here break; } } } // free the connection by disconnecting the connector try { // disconnect the connection first so we don't re-use it if (connector.getConnection() != null) { connector.getConnection().disconnect(); } connector.disconnect(); // try and flush any broken connections out of the pool. connMgr.releaseFree(); } catch (ConnectorException e) { s_log.warn(2, ResourceBundleUtils.getFormattedString (SampleLdapRumBundleKeyConstants.SAMPLE_LDAPRUM_BUNDLE_NAME, SampleLdapRumBundleKeyConstants.COULDNT_DISCONNECT_AFTER_AUTH_2, new Object[] {e, e})); } } - Save the files and rebuild the project.
- Export the project as
ilwwcm-sample-ldaprum.jar. - Replace the
ilwwcm-sample-ldaprum.jarin theWEB-INF/libdir of theilwwcm warfile with the one you exported. - From the WebSphere Administration Console, restart the Web Content Management application.
- Test your modifications.
- Verify that
theresais member ofNewsUserLDAP/Portal group andwpsadminis not a member of this group. - Login to Portal as
theresa, navigate to the news page and you should see the news items created in the End2End doc. - Login to WebSphere Portal as
wpsadminand you should see an authorization message
Any debugging messages are written to the server's system out log.
- Verify that
Traces can be enhanced to provide more detail level information from Web Content Management. To do this, edit the connect.cfg file, find the entry for the LogManager, and change the TraceLevel to the following:
<LogManager>
<ErrorLog>
<File LogFile="../connect/log/error.log" FlushLog=false Buffered=true TraceTime=true TraceDate=true
TraceLevel=3 Rollover=Size MaxFileSize=5M />
</ErrorLog>
<FullLog>
<File LogFile="../connect/log/connect.log" FlushLog=false Buffered=true TraceTime=true TraceLevel=3
TraceDate=true TraceThread=true Rollover=Size MaxFileSize=5M />
<Screen Buffered=false TraceTime=true TraceLevel=0 TraceDate=false TraceThread=true />
</FullLog>
<DebugLog>
<File LogFile="../connect/log/debug.log" FlushLog=false Buffered=false TraceTime=true TraceLevel=3
Rollover=Size MaxFileSize=5M>
<Packages>
<!-- by default not debugging any package -->
</Packages>
</File>
</DebugLog>
</LogManager> |
Error message can be found in the following locations:
- Informational and error messages from WebSphere Portal are in the
[WAS-HOME]\PortalServer\log\SystemOut.logand[WAS-HOME]\PortalServer\log\SystemErr.log. - Informational and error messages from Web Content Management are posted to
[ILWWCM-Base]\app\connect\log\connect.log. You cannot open this file directly with a text editor such as WordPad, however if you make a copy, the copy is accessible for viewing with WordPad.
Delete the logs each time WebSphere Portal is started. On Windows systems, you can do this with a BAT file similar to the following:
d: del D:\ILWWCM11GM\app\connect\log\*.* del D:\WebSphere\PortalServer\log\*.* cd \WebSphere\AppServer\bin call startserver.bat WebSphere_Portal -user uid=wpsbind,cn=users,dc=raleigh,dc=ibm,dc=com -password wpsbind pause |
The following are known limitations:
- Groups must be defined to Web Content Management even if they exist in the LDAP.
- Menus that use the users matching categories will not apply to categories profiled for the group. Categories associated to Users Profile only are used in menus specifying Matching Profile rule of Current User Categories.
- User access to the Web Content Management UI using LDAP is not fully supported and may have unpredictable results in some UI administrative actions
This article provided two configuration examples for using externally managed LDAP to deliver managed content to users based on their group membership. Your configuration may vary based on your LDAP attributes and content delivery requirements. This article can assist you in implementing a configuration that matches your specific needs and environment..
| Name | Size | Download method |
|---|---|---|
| ContentMgmtLDAP.zip | 8 KB | FTP |HTTP |
Information about download methods
Theresa Smit has a wide breath of application development knowledge in her more than 28 years in computing technologies. Currently she is part of the IBM WebSphere Portal development organization, working with external and internal customers to use portal technologies to manage and deliver Web content. In additional to the WebSphere Portal product, she also supports usage of IBM Lotus Workplace Web Content Management, WebSphere Portal content publishing, and Personalization components. She has authored other articles and presented at developerWorks, WebSphere Portal, Lotus, and IBM Content Manager technical conferences.
Table of contents
Local resources
Tags
Use the slider bar to see more or fewer tags.
For articles in technology zones (such as Java technology, Linux, Open source, XML), Popular tags shows the top tags for all technology zones. For articles in product zones (such as Info Mgmt, Rational, WebSphere), Popular tags shows the top tags for just that product zone.
For articles in technology zones (such as Java technology, Linux, Open source, XML), My tags shows your tags for all technology zones. For articles in product zones (such as Info Mgmt, Rational, WebSphere), My tags shows your tags for just that product zone.
Popular article tags |
My article tagsSkip to tags list
Popular article tags |
My article tags
