Out of the box, WebSphere Lombardi Edition (Lombardi) comes configured with a single federated internal repository that provides default groups and users for the Lombardi environment. You can create new users and groups in this internal repository and use these users and roles as part of the business process definition. However, many organizations use LDAP for user and group management and would rather use the users and groups from LDAP as part of their business process. In this tutorial, you'll learn how you can use the internal Lombardi repository in conjunction with LDAP. You'll learn how to configure LDAP with Lombardi and use it as part of your business processes.
In this tutorial, you'll learn how to:
- Set up users and groups in LDAP
- Configure LDAP with Lombardi
- Associate LDAP roles with a Lombardi business process
You need to be familiar with WebSphere Lombardi Edition V7.1 and Tivoli LDAP V6.3.
You need WebSphere Lombardi Edition V7.1 and Tivoli LDAP V6.3 installed and running in any supported environment. For this tutorial, we used Microsoft® Windows® XP.
This tutorial takes about 2 hours to complete.
Create sample users and groups in Tivoli LDAP
You'll start by creating sample users and groups in LDAP, which can then be used in Lombardi business processes. Complete the following steps to create sample users and groups in LDAP.
- Start the LDAP instance by pointing your browser to <LDAP_Install>/sbin/ibmslapd.
- Create a base entry for the LDAP by issuing the following command:
<LDAP_Install>/sbin/idscfgsuf -s dc=ibm,dc=com
- Download and unzip the ldap-nao.ldif file included for download with this tutorial. This file contains sample user and group definitions for LDAP.
- Load the sample users and groups by issuing the following command:
<LDAP_Install>/bin/ldapadd -h ldap://localhost -D "cn=root" -w password -f ldap-nao.ldif
Replace "cn=root" and password with your LDAP bind username and password.
This sets up an organization called Sample Org with three groups (BankManagerLDAP, BankOfficerLDAP and CustomerLDAP) and a set of sample users in each of the groups.
Configure LDAP with WebSphere Lombardi Edition
To configure LDAP with WebSphere Lombardi Edition, start the default application server by doing the following:
- From a command prompt, change the directory to <WLE install directory>\AppServer\profiles\Lombardi\bin.
- Type the command
This starts the default server, which hosts the administration console.
- Log on to the administration console with a username and password of tw_user. You can get the port number by looking in <WLE install directory>\AppServer\profiles\Lombardi\properties\portdef.props and finding the property value associated with
- In the Application Server administrative console, select Security => Global Security.
- In the User account repository section, select Configure for Federated Repositories, as shown in Figure 1.
Figure 1. Select Configure Federated Repositories
- Select Manage Repositories, as shown in Figure 2.
Figure 2. Select Manage Repositories
- On the Manage repositories page, click Add, as shown in Figure 3.
Figure 3. Add a repository
- Enter the following information for the repository, as shown in Figure 4.
- Repository identifier:
- Directory type: Specifies the type of LDAP server to connect to. Select IBM Tivoli Directory Server.
- Primary host name: Specifies the host ID (IP address or domain name service (DNS) name) of the LDAP server.
- Port: Specifies the host port of the LDAP server (default port is 389).
- Bind distinguished name: Specifies the DN to be used when binding to the directory service. (Example:
- Bind password: Specifies the password to be used when binding to the directory service. (Example:
- Click Apply.
Figure 4. Specify repository properties
- Click Group attribute definition under Additional Properties, as shown in Figure 5.
Figure 5. Click Group attribute definition
- On the Group attribute definition page, click Member attributes, as shown in Figure 6.
Figure 6. Click Member attributes
- On the Member attributes page, click New.
- Specify the following information, as shown in Figure 7, to indicate how to retrieve user information associated with the group. This is based on the data you populated in the previous section.
- Name of member attribute:
- Object class:
- Click OK.
Figure 7. Specify member attributes
Following is the sample LDAP entry that you populated with the information in Figure 7:
dn: cn=CustomerLDAP,ou=groups,DC=IBM,DC=COM
objectClass: groupOfUniqueNames
objectClass: top
cn: CustomerLDAP
uniquemember: uid=SamLDAP,ou=people,DC=IBM,DC=COM
- Click LDAP entity types under Additional Properties, as shown in Figure 8.
Figure 8. Click LDAP entity types
- Click Group on the LDAP entity type page to change the objectClass to map to our entity type in LDAP.
- On the Group page, specify groupOfNames;groupOfUniqueNames for Object classes, as shown in Figure 9, and click OK.
Figure 9. Specify object classes
- Click Federated Repositories in the breadcrumb trail at the top of the page to return to the Federated repositories page.
- Click Add Base entry to Realm, as shown in Figure 10.
Figure 10. Select Add Base entry to Realm
- Enter the following information, as shown in Figure 11.
- Distinguished name of a base entry that uniquely identifies this set of entries in the realm: dc=IBM,dc=COM. (This entry was populated in LDAP in the previous section.)
- Click OK.
Figure 11. Specify repository identity entries
- Save the changes to the master configuration.
- Stop and restart the server.
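The federated repository only resolves a group if its object class is in the list from Figure 9, its members are listed under the member attribute from Figure 7, and every entry sits under the realm base entry from Figure 11. The following script, added here and not part of the tutorial or its download, checks an LDIF file against those three settings before you load it with ldapadd; the embedded LDIF is constructed in the shape of ldap-nao.ldif, with one deliberately dangling member.

```python
# Added example, not from the tutorial: check an LDIF file against the
# federated-repository settings chosen above before loading it with ldapadd.
BASE_ENTRY = "dc=ibm,dc=com"                           # realm base entry (Figure 11)
MEMBER_ATTRS = {"groupofnames": "member",              # object class -> member
                "groupofuniquenames": "uniquemember"}  # attribute (Figures 7 and 9)

# Constructed sample in the shape of ldap-nao.ldif; the last group lists a
# member DN that does not exist, so WebSphere could never resolve that user.
SAMPLE_LDIF = """\
dn: uid=SamLDAP,ou=people,DC=IBM,DC=COM
objectClass: inetOrgPerson
uid: SamLDAP

dn: cn=CustomerLDAP,ou=groups,DC=IBM,DC=COM
objectClass: groupOfUniqueNames
cn: CustomerLDAP
uniquemember: uid=SamLDAP,ou=people,DC=IBM,DC=COM

dn: cn=BankManagerLDAP,ou=groups,DC=IBM,DC=COM
objectClass: groupOfNames
cn: BankManagerLDAP
member: uid=GhostLDAP,ou=people,DC=IBM,DC=COM
"""

def parse_ldif(text):
    """{dn: {attr: [values]}} for simple unfolded LDIF; DNs and attribute names lower-cased."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():                # blank line ends an entry
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value.lower(), {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def check_groups(ldif_text):
    """List problems that would make Lombardi miss a group or one of its members."""
    entries, problems = parse_ldif(ldif_text), []
    for dn, attrs in entries.items():
        if dn != BASE_ENTRY and not dn.endswith("," + BASE_ENTRY):
            problems.append(f"{dn}: outside realm base entry {BASE_ENTRY}")
        for cls in attrs.get("objectclass", []):
            attr = MEMBER_ATTRS.get(cls.lower())   # None unless a configured group class
            for member in attrs.get(attr, []):
                if member.lower() not in entries:
                    problems.append(f"{dn}: {attr} {member} does not exist")
    return problems
```

Run it on the real ldap-nao.ldif by reading the file into check_groups; an empty list means every group member and base entry lines up with the console settings.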
Associate LDAP roles in the Lombardi business process
For the purposes of our example, let's assume that as part of your business process you would have defined an activity that needs to be completed by a human. This human activity is assigned to a group, to users, or both. The groups and users can come from the internal Lombardi repository or an external provider like LDAP.
There are two ways you can associate users and groups from LDAP to a Lombardi business process: via the Lombardi Authoring Environment or via the Process Administration console. You would typically use the Process Administration console when you have deployed the process, it's up and running, and you want to declaratively associate roles with the processes.
To associate LDAP roles with processes in the Lombardi Authoring environment, complete the following steps.
- Log in to the Lombardi Authoring Environment.
- Select the appropriate process application and business process definition.
- Select the participant group in the process that you want to associate with an LDAP group. For instance, Figure 12 shows how to add BankManagerLDAP to the Bank Manager participant group.
- On the Participant Group page, click on Add Group.
- In the pop-up window, type BankManagerLDAP as shown in Figure 12 and add it to the member list, then save your work.
Figure 12. Add BankManagerLDAP to the member list
To associate LDAP roles with processes in the Process Administration console, do the following:
- Log on to the Lombardi Process Administration console using tw_admin for the user ID and password.
- Click InstalledApps.
- Select the process. For this example, we select an existing VerifyAccount process.
- Click Role Bindings, as shown in Figure 13.
Figure 13. Click Role Bindings
- Click Add Users and Groups next to Bank Manager.
- On the Add People to Bank Manager Role dialog, enter bank in the Retrieve field, then select BankManagerLDAP and click Add.
- Save the process.
In this tutorial, you learned how to configure LDAP with Lombardi so that you can use it as part of a business process. As part of the tutorial, you created sample users and groups in LDAP, used them to configure LDAP in the administration console, and then used the groups in a Lombardi business process.
Download: Sample user groups, ldap-nao.zip (1KB)
- WebSphere Lombardi Edition Information Center
- developerWorks BPM zone: Get the latest technical resources on IBM BPM solutions, including downloads, demos, articles, tutorials, events, webcasts, and more.
- IBM BPM Journal: Get the latest articles and columns on BPM solutions in this quarterly journal, also available in both Kindle and PDF versions.