We integrated a Domino LDAP with our standalone WebSphere Portal 8.0 Express.
Now we need to integrate a second LDAP with this portal, but we saw the following note in the product documentation:
Remember: Before combining multiple user registries, review the registries for the following limitations and correct any issues:
- Distinguished names must be unique for a realm over all registries. For example, if uid=wpsadmin,o=yourco exists in LDAP1, it must not exist in LDAP2, LDAP3, or DB1.
- The shortname, for example wpsadmin, should be unique for a realm over all registries.
- The base distinguished names for all registries used within a realm must not overlap; for example, if LDAP1 is c=us,o=yourco, LDAP2 should not be o=yourco.
- Do not leave the base entry blank for any of the registries used within a realm.
- If IBM Lotus® Domino® will be one of your user registries in a multiple registry configuration and will share a realm with another user registry, ensure that the groups are stored in a hierarchical format in the Domino Directory as opposed to the default flat-naming structure. For example, the flat-naming convention is cn=groupName and the hierarchical format is cn=groupName,o=root.
- The user must exist in a user registry and not within the property extension configuration; otherwise, the user cannot be a member of the realm.
We have an "admin admin" user in both the first and the second LDAP. Therefore we think we have a problem with these user definitions. Is that correct? If so, since we cannot change or remove the admin users in the LDAPs, how can we proceed?
Pinned topic: Integrating a second LDAP (locked; 2 replies, latest post 2013-02-04T13:26:53Z by JMW98)

SystemAdmin (accepted answer)
Re: Integrating a second LDAP, 2013-02-04T10:23:50Z, in response to SalimReggae

Hi Elif,
Yes, this is correct: if you combine multiple user registries to be used by Portal in a so-called realm, both the user DN and the shortname need to be unique over all the registries. Otherwise Portal will receive multiple users when searching for the one configured admin, which is then reported as an error.
You could rename the admin user in one of the LDAPs to something like "Admin1 Admin1".
The postings on this site are my own and don't necessarily represent IBM's positions, strategies or opinions.
JMW98 (accepted answer)
Re: Integrating a second LDAP, 2013-02-04T13:26:53Z, in response to SystemAdmin

If you cannot modify the LDAPs, you could change VMM's PersonAccount entity type definition (in one of VMM's LDAP definitions) to exclude the duplicate user. You could do this by modifying either:
- the search base, if the admin users are under a different node in the DIT
- the search filter, to explicitly exclude the duplicate user.
If you choose the search filter option, be sure to include the object class for the entity type to avoid problems like the ones described in this technote:
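As an added illustration (not IBM's code or part of this thread), the following Python script models the realm limitations quoted in the question and the search-filter workaround from the reply above: it checks constructed sample registries for duplicate DNs, duplicate shortnames, overlapping or blank base DNs, and then shows that a PersonAccount filter which keeps the object class and excludes only the duplicate shortname clears the conflict. The registry contents, DNs and the filter `(&(objectclass=inetOrgPerson)(!(uid=admin)))` are assumptions for the demonstration; the real change is made in the VMM LDAP repository configuration, not here.

```python
# Added pre-flight check (not IBM's code): models the realm rules quoted in the
# question and the search-filter workaround from JMW98's reply on constructed data.
# Constructed sample registries; the shortname "admin" exists in both LDAPs.
REGISTRIES = {
    "LDAP1": {"base": "ou=domino,o=yourco", "entries": [
        {"dn": "cn=admin admin,ou=domino,o=yourco", "uid": "admin", "objectclass": "dominoPerson"},
        {"dn": "cn=elif,ou=domino,o=yourco", "uid": "elif", "objectclass": "dominoPerson"}]},
    "LDAP2": {"base": "ou=people,dc=example,dc=com", "entries": [
        {"dn": "uid=admin,ou=people,dc=example,dc=com", "uid": "admin", "objectclass": "inetOrgPerson"},
        {"dn": "uid=bob,ou=people,dc=example,dc=com", "uid": "bob", "objectclass": "inetOrgPerson"}]},
}

def norm_dn(dn):
    """Case- and whitespace-insensitive DN form for comparisons."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def bases_overlap(a, b):
    """True when one base DN equals or is an ancestor of the other."""
    a, b = norm_dn(a), norm_dn(b)
    return a == b or a.endswith("," + b) or b.endswith("," + a)

def realm_conflicts(registries, filters=None):
    """Return the rule violations for a realm built from `registries`.
    `filters` maps registry name -> predicate modelling that registry's
    PersonAccount search filter; entries it rejects are invisible to VMM."""
    filters = filters or {}
    names = list(registries)
    conflicts = [f"base overlap: {x} and {y}" for i, x in enumerate(names)
                 for y in names[i + 1:]
                 if bases_overlap(registries[x]["base"], registries[y]["base"])]
    seen_dn, seen_uid = {}, {}
    for name, reg in registries.items():
        if not reg["base"].strip():
            conflicts.append(f"blank base DN: {name}")
        visible = filters.get(name, lambda e: True)
        for e in filter(visible, reg["entries"]):
            dn, uid = norm_dn(e["dn"]), e["uid"].lower()
            if dn in seen_dn:
                conflicts.append(f"duplicate DN {e['dn']}: {seen_dn[dn]} and {name}")
            if uid in seen_uid:
                conflicts.append(f"duplicate shortname {uid}: {seen_uid[uid]} and {name}")
            seen_dn.setdefault(dn, name)
            seen_uid.setdefault(uid, name)
    return conflicts

def ldap2_person_filter(entry):
    """Models an assumed LDAP2 PersonAccount filter (&(objectclass=inetOrgPerson)(!(uid=admin))):
    the object class stays in the filter, as the reply advises; only the duplicate is dropped."""
    return entry["objectclass"].lower() == "inetorgperson" and entry["uid"].lower() != "admin"
```

Running `realm_conflicts(REGISTRIES)` reports the duplicate shortname; passing `{"LDAP2": ldap2_person_filter}` as `filters` returns no conflicts, which is the state the realm must be in before the second registry is added.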