Integrate an LDAP user registry into a WebSphere Lombardi Edition business process

In this tutorial, you'll learn how to integrate the users and groups in your LDAP repository into your WebSphere® Lombardi Edition business processes, including setting up users and groups in LDAP, configuring LDAP with Lombardi, and associating LDAP roles with a Lombardi business process.

Naveen Balani (banaveen@in.ibm.com), Software Architect, IBM

Naveen Balani works as a Software Architect in IBM India. He is a Master Author Level 3 with IBM developerWorks, having published over 50 articles on various topics. He has authored several books, including Beginning Spring Framework 2 and Apache CXF Web Service Development, and several IBM Redbooks. You can find out more about Naveen on his web site at www.naveenbalani.com.



31 October 2011

Introduction

Out of the box, WebSphere Lombardi Edition (Lombardi) comes configured with a single federated internal repository that provides default groups and users for the Lombardi environment. You can create new users and groups in this internal repository and use these users and roles as part of the business process definition. However, many organizations use LDAP for user and group management and would rather use the users and groups from LDAP as part of their business process. In this tutorial, you'll learn how you can use the internal Lombardi repository in conjunction with LDAP. You'll learn how to configure LDAP with Lombardi and use it as part of your business processes.

Objectives

In this tutorial, you'll learn how to:

  • Set up users and groups in LDAP
  • Configure LDAP with Lombardi
  • Associate LDAP roles with a Lombardi business process

Prerequisites

You need to be familiar with WebSphere Lombardi Edition V7.1 and Tivoli LDAP V6.3.

System requirements

You need WebSphere Lombardi Edition V7.1 and Tivoli LDAP V6.3 installed and running in any supported environment. For this tutorial, we used Microsoft® Windows® XP.

Duration

This tutorial takes about 2 hours to complete.


Create sample users and groups in Tivoli LDAP

You'll start by creating sample users and groups in LDAP, which can then be used in Lombardi business processes. Complete the following steps to create sample users and groups in LDAP.

  1. Start the LDAP instance by running <LDAP_Install>/sbin/ibmslapd.
  2. Create a base entry for the LDAP by issuing the following command:
    <LDAP_Install>/sbin/idscfgsuf -s dc=ibm,dc=com
  3. Download and unzip the ldap-nao.ldif file included for download with this tutorial. This file contains sample user and group definitions for LDAP.
  4. Load the sample users and groups by issuing the following command:
    <LDAP_Install>/bin/ldapadd -h localhost -D "cn=root" -w password -f ldap-nao.ldif

    Replace "cn=root" and password with your LDAP bind username and password. The -h option takes a host name, not an ldap:// URL. Because -w places the bind password on the command line, it ends up in the shell history; use a password you can discard after this test setup.

    This sets up an organization called Sample Org with three groups (BankManagerLDAP, BankOfficerLDAP and CustomerLDAP) and a set of sample users in each group.


Configure LDAP with WebSphere Lombardi Edition

To configure LDAP with WebSphere Lombardi Edition, start the default application server by doing the following:

  1. From a command prompt, change the directory to <WLE install directory>\AppServer\profiles\Lombardi\bin.
  2. Type the command startserver server1

    This starts the default server, which hosts the administration console.

  3. Log on to the administration console with a username and password of tw_user. You can get the port number by looking in <WLE install directory>\AppServer\profiles\Lombardi\properties\portdef.props and finding the value of the WC_adminhost property.
  4. In the Application Server administrative console, select Security => Global Security.
  5. In the User account repository section, select Configure for Federated Repositories, as shown in Figure 1.
    Figure 1. Select Configure Federated Repositories
    Select Configure Federated Repositories
  6. Select Manage Repositories, as shown in Figure 2.
    Figure 2. Select Manage Repositories
    Select Manage Repositories
  7. On the Manage repositories page, click Add, as shown in Figure 3.
    Figure 3. Add a repository
    Add a repository
  8. Enter the following information for the repository, as shown in Figure 4:
    • Repository identifier: TLDAP
    • Directory type: Specifies the type of LDAP server to connect to. Select IBM Tivoli Directory Server.
    • Primary host name: Specifies the host ID (IP address or domain name service (DNS) name) of the LDAP server.
    • Port: Specifies the host port of the LDAP server (default port is 389).
    • Bind distinguished name: Specifies the DN to be used, when binding to the directory service. (Example: cn=root)
    • Bind password: Specifies the password to be used, when binding to the directory service. (Example: password)
    • Click Apply.
    Figure 4. Specify repository properties
    Specify repository properties
  9. Click Group attribute definition under Additional Properties, as shown in Figure 5.
    Figure 5. Click Group attribute definition
    Click Group attribute definition
  10. On the Group attribute definition page, click Member attributes.
    Figure 6. Click Member attributes
    Click Member attributes
  11. On the Member attributes page, click New.
  12. Specify the following information, as shown in Figure 7, to indicate how to retrieve user information associated with the group. This is based on the data you populated in the previous section.
    • Name of member attribute: uniquemember
    • Object class: groupOfUniqueNames
    • Click OK.
    Figure 7. Specify member attributes
    Specify member attributes

    Following is the sample LDAP entry that you populated with the information in Figure 7:

    dn: cn=CustomerLDAP,ou=groups,DC=IBM,DC=COM
    objectClass: groupOfUniqueNames
    objectClass: top
    cn: CustomerLDAP
    uniquemember: uid=SamLDAP,ou=people,DC=IBM,DC=COM
  13. Click LDAP entity types under Additional Properties, as shown in Figure 8.
    Figure 8. Click LDAP entity types
    Click LDAP entity types
  14. Click Group on the LDAP entity type page to change the objectClass to map to our entity type in LDAP.
  15. On the Group page, specify groupOfNames;groupOfUniqueNames for Object classes, as shown in Figure 9, and click OK.
    Figure 9. Specify object classes
    Specify object classes
  16. Click Federated Repositories in the breadcrumb trail at the top of the page to return to the Federated repositories page.
  17. Click Add Base entry to Realm, as shown in Figure 10.
    Figure 10. Select Add Base entry to Realm
    Select Add Base entry to Realm
  18. Enter the following information, as shown in Figure 11.
    • Repository: TLDAP
    • Distinguished name of a base entry that uniquely identifies this set of entries in the realm: dc=IBM,dc=COM. (This entry was populated in LDAP in the previous section.)
    • Click OK.
    Figure 11. Specify repository identity entries
    Specify repository identity entries
  19. Save the changes to the master configuration.
  20. Stop and restart the server.
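The member attribute mapping (step 12), the group object classes (step 15) and the realm base entry (step 18) all have to agree with what you loaded into LDAP in the previous section, and a mismatch only shows up later as an empty group in Lombardi. The following Python script is an added example, not part of the tutorial or of the ldap-nao.ldif download: it parses a constructed LDIF modelled on the CustomerLDAP entry shown above and reports the three mismatches a practitioner would want to catch before loading the file: entries outside the realm base entry, groups whose objectClass has no member-attribute mapping, and member DNs that resolve to no entry. The groupOfNames/member pairing and the NobodyLDAP member are assumptions added to exercise the checks.

```python
"""Pre-flight consistency check for an LDIF file before it is loaded with
ldapadd and mapped as a WebSphere federated repository.

Added example; the LDIF and the dangling NobodyLDAP member are constructed
to mirror the structure the tutorial describes, not copied from the real
ldap-nao.ldif file.
"""
import re

# Constructed sample: Sample Org under dc=ibm,dc=com with people and groups.
# NobodyLDAP is deliberately referenced by a group but never defined.
SAMPLE_LDIF = """\
dn: dc=ibm,dc=com
objectClass: domain
objectClass: top
dc: ibm

dn: ou=people,dc=ibm,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=ibm,dc=com
objectClass: organizationalUnit
ou: groups

dn: uid=SamLDAP,ou=people,DC=IBM,DC=COM
objectClass: inetOrgPerson
uid: SamLDAP
cn: Sam
sn: LDAP

dn: uid=MaryLDAP,ou=people,DC=IBM,DC=COM
objectClass: inetOrgPerson
uid: MaryLDAP
cn: Mary
sn: LDAP

dn: cn=CustomerLDAP,ou=groups,DC=IBM,DC=COM
objectClass: groupOfUniqueNames
objectClass: top
cn: CustomerLDAP
uniquemember: uid=SamLDAP,ou=people,DC=IBM,DC=COM

dn: cn=BankManagerLDAP,ou=groups,DC=IBM,DC=COM
objectClass: groupOfUniqueNames
objectClass: top
cn: BankManagerLDAP
uniquemember: uid=MaryLDAP,ou=people,DC=IBM,DC=COM
uniquemember: uid=NobodyLDAP,ou=people,DC=IBM,DC=COM
"""

# Member attribute definition entered in step 12 (uniquemember for
# groupOfUniqueNames); the groupOfNames -> member pairing is an assumption
# that matches the second object class entered in step 15.
MEMBER_ATTRS = {"groupofuniquenames": "uniquemember", "groupofnames": "member"}
BASE_ENTRY = "dc=IBM,dc=COM"  # realm base entry from step 18


def normalize_dn(dn):
    """DNs compare case-insensitively and ignore spaces after commas; the
    tutorial mixes dc=ibm,dc=com with DC=IBM,DC=COM, so canonicalise first."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Parse a simple LDIF (no base64 values, no continuation lines) into
    {normalized dn: {lowercased attribute: [values]}}."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        dn = attrs.pop("dn")[0]
        entries[normalize_dn(dn)] = attrs
    return entries


def check_ldif(text, base_entry=BASE_ENTRY, member_attrs=MEMBER_ATTRS):
    """Return a list of problems the federated repository would otherwise
    surface only as missing users or empty groups."""
    entries = parse_ldif(text)
    base = normalize_dn(base_entry)
    problems = []
    for dn, attrs in entries.items():
        if dn != base and not dn.endswith("," + base):
            problems.append(f"{dn}: outside realm base entry {base}")
        classes = [c.lower() for c in attrs.get("objectclass", [])]
        group_classes = [c for c in classes if c in member_attrs]
        if not group_classes:
            continue  # not a group entry; nothing more to check
        attr = member_attrs[group_classes[0]]
        members = attrs.get(attr)
        if members is None:
            problems.append(f"{dn}: {group_classes[0]} group has no '{attr}' values")
            continue
        for member in members:
            if normalize_dn(member) not in entries:
                problems.append(f"{dn}: {attr} {member} does not resolve to an entry")
    return problems


if __name__ == "__main__":
    for problem in check_ldif(SAMPLE_LDIF):
        print("WARNING:", problem)
```

Run it against your own LDIF by replacing SAMPLE_LDIF with the file contents; an empty result means every group uses an object class the console knows how to expand, every member points at a real entry, and everything sits under the base entry you add to the realm.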

Associate LDAP roles in the Lombardi business process

For the purposes of our example, let's assume that as part of your business process you would have defined an activity that needs to be completed by a human. This human activity is assigned to a group, to users, or both. The groups and users can come from the internal Lombardi repository or an external provider like LDAP.

There are two ways you can associate users and groups from LDAP to a Lombardi business process: via the Lombardi Authoring Environment or via the Process Administration console. You would typically use the Process Administration console when you have deployed the process, it's up and running, and you want to declaratively associate roles with the processes.

To associate LDAP roles with processes in the Lombardi Authoring environment, complete the following steps.

  1. Log in to the Lombardi Authoring Environment.
  2. Select the appropriate process application and business process definition.
  3. Select the participant group in the process that you want to associate with an LDAP group. For instance, Figure 12 shows how to add BankManagerLDAP to the Bank Manager participant group.
  4. On the Participant Group page, click on Add Group.
  5. In the pop-up window, type BankManagerLDAP as shown in Figure 12 and add it to the member list, then save your work.
    Figure 12. Add BankManagerLDAP to the member list
    Add BankManagerLDAP to the member list

To associate LDAP roles with processes in the Process Administration console, do the following:

  1. Log on to the Lombardi Process Administration console using tw_admin for the user ID and password.
  2. Click InstalledApps.
  3. Select the process. For this example, we select an existing VerifyAccount process.
  4. Click Role Bindings, as shown in Figure 13.
    Figure 13. Click Role Bindings
    Click Role Bindings
  5. Click Add Users and Groups next to Bank Manager.
  6. On the Add People to Bank Manager Role dialog, enter bank in the Retrieve field, then select BankManagerLDAP and click Add.
  7. Save the process.

Conclusion

In this tutorial, you learned how to configure LDAP with Lombardi so that you can use it as part of a business process. As part of the tutorial, you created sample users and groups in LDAP, used them to configure LDAP as a federated repository in the administration console, and then used the groups in a Lombardi business process.


Download

Description: Sample user groups
Name: ldap-nao.zip
Size: 1KB
