Body

Configuring MDM Standard Edition for external LDAP

1. Configurations to be done WAS Admin console of MDM.
2. Configurations to be done on imm file.

Configurations to be done on WAS Admin console:

When we are using external LDAP , we have to create federated repositories on MDM WAS. The reason for this being there are default groups like mdm_admin , mdm_all_cvws etc that are created during MDM installation.

Following are the steps to configure MDM to external LDAP using WebSphere Application Server Administrative Console.

1. Open up the WAS administrative console of MDM.
2. Navigate to Security -> Global security
3. Select “Configure” for Federated repositories and the screen would be like this.
4. Click on “Manage repositories” link under section “Related Items”.
5. Add a new LDAP repository. Details of the LDAP repository to be given are in the screenshot below. Need to specify the Primary host name and port number details for the LDAP which you want to use. Click on Apply once the details are given and this new LDAP repository gets added to the list of repositories for this WAS.
6. Now go back to Global security -> Federated repositories. Here Click on “Add repositories(LDAP, custom,etc)…”
7. It will list down the new LDAP repository we have created. Select that repository. We also need to give unique distinguished name of base entry in this repository. For the sample LDIF file we have this would be the string “cn=localhost”. All users and groups from this LDIF file are created from this base entry. It could be different based on your LDAP.
8. Click on Apply and save configuration.
9. Now when we go back to Federated repositories it would look like this.
10. Save all the configurations.
11. We will now define how to identify groups uniquely in our LDIF file. A snapshot of the way groups defined in our LDIF file here :
12. We will have to now define this in our LDAP configuration in WAS. Go to the following link:
13. We have to make sure Object classes property is set to an appropriate value based on your LDIF or LDAP configuration. In this example it had to be “groupOfUniqueNames”.
14. We will now define how to get the relationship between users and groups uniquely in our LDIF file. Go to the following link Global security > Federated repositories > Manage repositories > LDAP1 > Group attribute definition > Member attributes If not present already create a new member attribute with “Name of member attribute” set as “uniquemember” and Object class as “groupOfUnqiueNames”. This is specifically for the LDIF configuration shown here where a user is associated with group by uniquemember/groupOfIniqueNames combination.
15. Save all the configurations and restart MDM server.

Configurations to be done on IMM in MDM Workbench

1. Open the imm file and in the Groups tab create a new group with the same name as the one in external LDAP. In our example it is “Group1”.
2. In all the corresponding sub sections i.e., Attributes/Sources , Relationship Attributes , Composite Views , Interactions , Operations you need to give the appropriate access for this group.
3. I will just take an example of giving users of this group ability to do read write access to legal name and do a memput interaction. Screenshots for the same
4. 
5. 
6. Save the imm file and do deploy hub configuration.

7. Now when we use SOAP UI to do a memput for PerLegalName attribute with these users present in group the txn is successful. Any other user from the LDAP doesn’t have access and MDM fails with the same error.

   Tip : To make users from an LDAP group ability to login to inspector the list of Interactions that are to be given access are APPGETINFO , DICGET , USRGETINFO. Once done this we need to save it and redeploy hub configuration.

   Note : If you create a user and group on WAS instead of external LDAP , in addition to doing imm config changes you would need to add the user entry to mpi_usrhead table.