We integrated a Domino LDAP with our standalone WebSphere Portal 8.0 Express.
Now we need to integrate a second LDAP with this portal, but we saw the following note in the product documentation:
Remember: Before combining multiple user registries, review the registries for the following limitations and correct any issues:
Distinguished names must be unique for a realm over all registries. For example, if uid=wpsadmin,o=yourco exists in LDAP1, it must not exist in LDAP2, LDAP3, or DB1.
The shortname, for example wpsadmin, should be unique for a realm over all registries.
The base distinguished names for all registries used within a realm must not overlap; for example, if LDAP1 is c=us,o=yourco, LDAP2 should not be o=yourco.
Do not leave the base entry blank for any of the registries used within a realm.
If IBM Lotus® Domino® will be one of your user registries in a multiple registry configuration and will share a realm with another user registry, ensure that the groups are stored in a hierarchical format in the Domino Directory as opposed to the default flat-naming structure. For example, the flat-naming convention is cn=groupName and the hierarchical format is cn=groupName,o=root.
The user must exist in a user registry and not within the property extension configuration; otherwise, the user cannot be a member of the realm.
We have an "admin admin" user in both the first and the second LDAP. Therefore we think we have a problem with these user definitions. Is that correct? If so, since we cannot change or remove the admin users in the LDAPs, how can we proceed?
SystemAdmin (110000D4XK)
Re: Integrating a second LDAP, 2013-02-04T10:23:50Z (accepted answer)
Hi Elif,
Yes, this is correct: if you combine multiple user registries to be used by portal in a so-called realm, both the user DN and the shortname need to be unique over all the registries. Otherwise, portal will receive multiple users when searching for the one configured admin, which is then reported as an error.
You could rename the admin user in one of the LDAPs to something like "Admin1 Admin1".
The postings on this site are my own and don't necessarily represent IBM's positions, strategies or opinions.
JMW98 (2000000MY6)
Re: Integrating a second LDAP, 2013-02-04T13:26:53Z (accepted answer)
In reply to SystemAdmin (110000D4XK):
- the search base, if the admin users are under a different node in the DIT
- the search filter, to explicitly exclude the duplicate user.
If you choose the search filter option, be sure to include the object class for the entity type to avoid problems like the ones described in this technote:
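As an added example (not code from this thread, from IBM's documentation or from the portal product), the following Python script runs the checks behind the documented limitations quoted in the question (unique DNs and shortnames across registries, non-overlapping and non-blank base DNs) over constructed sample exports from two registries, and then applies an RFC 4515-style search filter of the kind the second answer suggests. The sample entries, the base DNs and the object class names `inetOrgPerson`, `dominoPerson` and `dominoGroup` are assumptions chosen for illustration; the filter evaluator is a deliberately small subset (`&`, `|`, `!`, `attr=value`, `attr=*`) and is not a full LDAP implementation.

```python
"""Added example: realm-level uniqueness checks plus a minimal LDAP filter
evaluator.  All registry data below is constructed; nothing is read from a
live directory."""

# --- constructed sample exports: (dn, attributes); values are str or list ---
LDAP1_BASE = "o=yourco"          # assumed base DN for registry 1
LDAP1 = [
    ("uid=admin,cn=users,o=yourco",
     {"objectclass": ["inetOrgPerson"], "uid": "admin", "cn": "admin admin"}),
    ("uid=elif,cn=users,o=yourco",
     {"objectclass": ["inetOrgPerson"], "uid": "elif", "cn": "elif"}),
]
LDAP2_BASE = "o=partner"         # assumed base DN for registry 2 (Domino-like)
LDAP2 = [
    # Same shortname "admin" as LDAP1's administrator -> realm conflict.
    ("cn=admin admin,o=partner",
     {"objectclass": ["dominoPerson"], "uid": "admin", "cn": "admin admin"}),
    ("cn=bob builder,o=partner",
     {"objectclass": ["dominoPerson"], "uid": "bob", "cn": "bob builder"}),
    # Group entry without a uid: a filter that omits the object class matches it.
    ("cn=developers,o=partner",
     {"objectclass": ["dominoGroup"], "cn": "developers",
      "member": ["cn=bob builder,o=partner"]}),
]


def normalize_dn(dn):
    """Lower-case a DN and trim whitespace around its RDNs for comparison."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def bases_overlap(base_a, base_b):
    """True when one base equals or is an ancestor of the other
    (the docs' example: c=us,o=yourco vs o=yourco)."""
    a, b = normalize_dn(base_a), normalize_dn(base_b)
    return a == b or a.endswith("," + b) or b.endswith("," + a)


def _values(attrs, name):
    """Attribute values as lower-case strings; names and values match
    case-insensitively, as they do for typical LDAP matching rules."""
    for key, val in attrs.items():
        if key.lower() == name.lower():
            return [str(v).lower() for v in (val if isinstance(val, list) else [val])]
    return []


def find_conflicts(registries, shortname_attr="uid"):
    """registries: {name: [(dn, attrs), ...]}.  Returns DNs and shortnames
    that occur in more than one registry."""
    seen_dn, seen_short = {}, {}
    for reg, entries in registries.items():
        for dn, attrs in entries:
            seen_dn.setdefault(normalize_dn(dn), set()).add(reg)
            for short in _values(attrs, shortname_attr):
                seen_short.setdefault(short, set()).add(reg)
    return {"dn": sorted(k for k, r in seen_dn.items() if len(r) > 1),
            "shortname": sorted(k for k, r in seen_short.items() if len(r) > 1)}


def check_realm(registries, bases, shortname_attr="uid"):
    """Apply the documented limitations; returns problem strings (empty = OK)."""
    problems, names = [], list(bases)
    for i, a in enumerate(names):
        if not bases[a].strip():
            problems.append(f"{a}: base entry is blank")
        for b in names[i + 1:]:
            if bases[a].strip() and bases[b].strip() and bases_overlap(bases[a], bases[b]):
                problems.append(f"{a} and {b}: base DNs overlap ({bases[a]} / {bases[b]})")
    conflicts = find_conflicts(registries, shortname_attr)
    problems += [f"duplicate DN across registries: {d}" for d in conflicts["dn"]]
    problems += [f"duplicate shortname across registries: {s}" for s in conflicts["shortname"]]
    return problems


def parse_filter(text):
    """Compile a small RFC 4515 subset into a predicate over an attribute dict."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at {pos}")
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            subs = []
            while pos < len(text) and text[pos] == "(":
                subs.append(node())
            if pos >= len(text) or text[pos] != ")":
                raise ValueError(f"expected ')' at {pos}")
            pos += 1
            if op == "&":
                return lambda attrs, s=subs: all(f(attrs) for f in s)
            if op == "|":
                return lambda attrs, s=subs: any(f(attrs) for f in s)
            if len(subs) != 1:
                raise ValueError("'!' takes exactly one operand")
            return lambda attrs, f=subs[0]: not f(attrs)
        end = text.index(")", pos)
        attr, sep, value = text[pos:end].partition("=")
        if not sep:
            raise ValueError(f"unsupported filter item {text[pos:end]!r}")
        pos = end + 1
        if value == "*":
            return lambda attrs, a=attr: bool(_values(attrs, a))
        return lambda attrs, a=attr, v=value.lower(): v in _values(attrs, a)

    pred = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return pred


def search(entries, filter_text):
    """DNs of the entries the filter matches, in export order."""
    pred = parse_filter(filter_text)
    return [dn for dn, attrs in entries if pred(attrs)]


if __name__ == "__main__":
    regs = {"LDAP1": LDAP1, "LDAP2": LDAP2}
    for p in check_realm(regs, {"LDAP1": LDAP1_BASE, "LDAP2": LDAP2_BASE}):
        print("problem:", p)
    # Excluding by shortname alone also pulls the group in as if it were a person.
    print(search(LDAP2, "(!(uid=admin))"))
    # With the entity type's object class, only real persons other than admin match.
    print(search(LDAP2, "(&(objectclass=dominoPerson)(!(uid=admin)))"))
```

Run it as-is and the only realm problem reported is the duplicate shortname `admin`; renaming one side (the first answer's fix) or excluding it with the object-class-qualified filter (the second answer's option) clears the duplicate, while the bare `(!(uid=admin))` filter shows why the object class matters: it matches the group entry too.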