2 replies Latest Post - ‏2013-02-04T13:26:53Z by JMW98
30 Posts

Pinned topic Integrating a second LDAP

2013-02-04T09:30:28Z |

We integrated a Domino LDAP to our standalone Websphere Portal 8.0 Express.

Now we need to integrate a second LDAP into this portal, but we saw the following note in the product documentation:

Remember: Before combining multiple user registries, review the registries for the following limitations and correct any issues:

  • Distinguished names must be unique for a realm over all registries. For example, if uid=wpsadmin,o=yourco exists in LDAP1, it must not exist in LDAP2, LDAP3, or DB1.
  • The shortname, for example wpsadmin, should be unique for a realm over all registries.
  • The base distinguished names for all registries used within a realm must not overlap; for example, if LDAP1 is c=us,o=yourco, LDAP2 should not be o=yourco.
  • Do not leave the base entry blank for any of the registries used within a realm.
  • If IBM Lotus® Domino® will be one of your user registries in a multiple registry configuration and will share a realm with another user registry, ensure that the groups are stored in a hierarchical format in the Domino Directory as opposed to the default flat-naming structure. For example, the flat-naming convention is cn=groupName and the hierarchical format is cn=groupName,o=root.
  • The user must exist in a user registry and not within the property extension configuration; otherwise, the user cannot be a member of the realm.

We have an "admin admin" user in both the first and the second LDAP. Therefore we think we have a problem with these user definitions. Is this correct? If so, since we cannot change or remove the admin users in the LDAPs, how can we proceed?

Updated on 2013-02-04T13:26:53Z at 2013-02-04T13:26:53Z by JMW98
  • SystemAdmin
    30895 Posts

    Re: Integrating a second LDAP

    2013-02-04T10:23:50Z  in response to SalimReggae
    Hi Elif,

    Yes, this is correct: if you combine multiple user registries to be used by portal in a so-called realm, both the user DN and the shortname need to be unique over all the registries, as otherwise portal will receive multiple users when searching for the one configured admin, which is then reported as an error.

    You could rename the admin user in one of the LDAPs to something like "Admin1 Admin1".


    The postings on this site are my own and don't necessarily represent IBM's positions, strategies or opinions.
    • JMW98
      1091 Posts

      Re: Integrating a second LDAP

      2013-02-04T13:26:53Z  in response to SystemAdmin
      If you cannot modify the LDAPs, you could change VMM's PersonAccount entity type definition (in one of VMM's LDAP definitions) to exclude the duplicate user. You could do this by modifying either:

      • the search base, if the admin users are under a different node in the DIT
      • the search filter, to explicitly exclude the duplicate user.

      If you choose the search filter option, be sure to include the object class for the entity type to avoid problems like the ones described in this technote:
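The following is an added example, not IBM's code and not code posted by anyone in this thread. It models a realm that spans two LDAP registries with constructed sample data, checks the limitations quoted from the product documentation in the question (unique DNs, unique short names, non-overlapping and non-blank base entries), and then shows why the duplicated "admin admin" short name from the first reply produces two hits for one lookup, and how each remedy from the second reply (a narrower PersonAccount search base, or a search filter that excludes the user while still naming the entity type's object class) leaves a single hit. The function and parameter names (`check_realm`, `search_realm`, `search_bases`, `search_filters`, `exclusion_filter`) are this example's own, not VMM configuration keys, and the registry contents are constructed.

```python
"""Added example (not IBM's code): a small model of a VMM realm that spans two LDAP
registries. check_realm() tests the limitations quoted from the product documentation;
search_realm() shows why a duplicate short name yields two hits and how a narrower
PersonAccount search base or an excluding search filter removes the second hit.
All registry contents below are constructed sample data."""


def dn_components(dn):
    """Lower-cased RDN components of a DN, most specific first."""
    return [c.strip().lower() for c in dn.split(",") if c.strip()]


def under_base(dn, base):
    """True if dn equals base or lies beneath it in the DIT."""
    d, b = dn_components(dn), dn_components(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def person(dn, object_class, uid, cn):
    """Build one (dn, attributes) registry entry; uid plays the short-name role."""
    return (dn, {"objectclass": object_class, "uid": uid, "cn": cn})


# Constructed sample data: both registries hold an "admin admin" user whose short name is wpsadmin.
REGISTRIES = {
    "LDAP1": {"base": "o=yourco", "entries": [
        person("uid=wpsadmin,cn=users,o=yourco", "inetOrgPerson", "wpsadmin", "admin admin"),
        person("uid=alice,cn=users,o=yourco", "inetOrgPerson", "alice", "Alice Example")]},
    "DOMINO": {"base": "o=root", "entries": [
        person("cn=admin admin,o=root", "dominoPerson", "wpsadmin", "admin admin"),
        person("cn=bob smith,ou=people,o=root", "dominoPerson", "bob", "bob smith")]},
}


def check_realm(registries):
    """Return the documented limitation violations for a realm over these registries."""
    problems, names = [], list(registries)
    bases = {n: registries[n]["base"].strip() for n in names}
    problems += [f"{n}: base entry is blank" for n in names if not bases[n]]
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if bases[a] and bases[b] and (under_base(bases[a], bases[b]) or under_base(bases[b], bases[a])):
                problems.append(f"base entries overlap: {a} ({bases[a]}) and {b} ({bases[b]})")
    seen = {"dn": {}, "short name": {}}  # value -> registry that first defined it
    for n in names:
        for dn, attrs in registries[n]["entries"]:
            for kind, key in (("dn", ",".join(dn_components(dn))), ("short name", attrs["uid"].lower())):
                if key in seen[kind]:
                    problems.append(f"duplicate {kind} {key!r} in {seen[kind][key]} and {n}")
                seen[kind].setdefault(key, n)
    return problems


def parse_filter(s, i=0):
    """Parse the LDAP filter subset used here (&, |, !, attr=value); returns (node, next_index)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, kids), i + 1
    j = s.index(")", i)
    attr, value = s[i:j].split("=", 1)
    return ("=", attr.strip().lower(), value.strip().lower()), j + 1


def evaluate(node, attrs):
    """Evaluate a parsed filter against one entry's attributes (case-insensitive equality)."""
    if node[0] == "=":
        return str(attrs.get(node[1], "")).lower() == node[2]
    kids = [evaluate(k, attrs) for k in node[1]]
    return {"&": all, "|": any}[node[0]](kids) if node[0] != "!" else not kids[0]


def exclusion_filter(object_class, attr, value):
    """Search filter that keeps the entity type's object class and excludes one user."""
    return f"(&(objectclass={object_class})(!({attr}={value})))"


def search_realm(registries, short_name, search_bases=None, search_filters=None):
    """Look a short name up over every registry in the realm, as the portal does for its admin.

    search_bases / search_filters (hypothetical parameter names) stand in for a registry's
    PersonAccount search base and search filter. More than one hit is the ambiguity the
    portal reports as an error."""
    filters = {n: parse_filter(f)[0] for n, f in (search_filters or {}).items()}
    hits = []
    for n, reg in registries.items():
        base = (search_bases or {}).get(n, reg["base"])
        for dn, attrs in reg["entries"]:
            if (under_base(dn, base) and (n not in filters or evaluate(filters[n], attrs))
                    and attrs.get("uid", "").lower() == short_name.lower()):
                hits.append((n, dn))
    return hits


if __name__ == "__main__":
    print(check_realm(REGISTRIES))                                # reports the duplicate short name
    print(search_realm(REGISTRIES, "wpsadmin"))                   # two hits: the ambiguity
    print(search_realm(REGISTRIES, "wpsadmin", search_bases={"DOMINO": "ou=people,o=root"}))
    print(search_realm(REGISTRIES, "wpsadmin",
                       search_filters={"DOMINO": exclusion_filter("dominoPerson", "uid", "wpsadmin")}))
```

Run it as a script to see the two-hit lookup and the single hit after either remedy. The search-base remedy only works when the duplicate sits outside the subtree the other users live in, which is the condition the second reply attaches to it; the filter remedy works regardless, and keeping `objectclass=` in the filter is what stops the entity type from matching entries of the wrong kind.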