You can authenticate users by using a Lightweight Directory
Access Protocol (LDAP) user registry when you have a clustered WebSphere® Application Server Network
Deployment. You configure IBM®
InfoSphere® Information Server to
use LDAP authentication after installation finishes.
Before you begin
- The InfoSphere Information Server engine
performs user authentication separately from other InfoSphere Information Server components.
You can configure the engine to use the LDAP user registry that you
set up. For IBM AIX®, HP-UX, and Linux® platforms,
you can optionally configure Pluggable Authentication Module (PAM)
support before you switch the user registry. For more information,
see Configuring IBM InfoSphere Information Server to use PAM (Linux, UNIX).
- The Deployment Manager and all node agents must be running in
all cluster installations.
About this task
InfoSphere Information Server supports
any LDAP-compliant user registry that IBM
WebSphere Application Server Network Deployment supports.
For more information about supported LDAP servers, see the IBM
WebSphere Application Server Network Deployment system
requirements:
Procedure
- Configure the LDAP or federated user registries for the InfoSphere Information Server security
domain IBM_Information_Server_sd.
- Synchronize the configuration files on the nodes in the
cluster:
  - In the .
  - Select the check boxes beside all nodes.
  - Click Synchronize.
  - Log out of the console.
- Stop WebSphere Application Server servers
in the InfoSphere Information Server cluster.
- Log in to the Domain Name System (DNS) server that hosts
the WebSphere Application Server Deployment
Manager.
- From the command line, run the DirectoryAdmin command.
This command defines which ID in the user registry will be designated
as the
InfoSphere Information Server administrator.
The user ID must be valid in your external registry. For example,
for an LDAP configuration:

/opt/IBM/Information/server/ASBServer/bin/DirectoryAdmin.sh -user -userid "CN=MyAdmin, OU=Users, DC=Newco, DC=com" -admin -checkid

C:\IBM\InformationServer\ASBServer\bin\DirectoryAdmin.bat -user -userid "CN=MyAdmin, OU=Users, DC=Newco, DC=com" -admin -checkid

In the command, the user distinguished name (DN) is case-sensitive and must
match the case that is used by LDAP.
- If you are switching the user registry for a system that
has been used for a while by multiple users, clean up the users and
groups that are related to the security configuration. See Switching the user registry configuration for a system in use.
- Restart the WebSphere Application Server application
servers in the InfoSphere Information Server cluster.
- If one of the node agents was not running when you did
the previous steps, the user registry configuration at the Deployment
Manager and node levels will not match. To fix this problem, run the WebSphere Application Server syncNode command
to synchronize the node with the Deployment Manager. To run the syncNode command:
  - Log in to the node.
  - Run the syncNode command.
  - Restart the node agent.
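The DirectoryAdmin step above requires the DN to match the case that LDAP uses. The following check is an added example, not part of the IBM procedure or tooling: it compares the DN you plan to pass to -userid with the DN as your directory returns it, and tells a pure case mismatch apart from a different entry. The function names and the DIRECTORY_DN sample are assumptions made for illustration; multi-valued RDNs (joined with "+") are not handled.

```python
def split_rdns(dn):
    """Split a DN into (attribute, value) pairs on unescaped commas."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):  # keep an escaped char such as "\,"
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        # Assumption: spaces around ',' and '=' are not significant for this
        # comparison, and values do not end in an escaped space.
        rdns.append((attr.strip(), value.strip()))
    return rdns


def check_dn_case(candidate, directory_dn):
    """Return (status, diffs); status is 'match', 'case-mismatch' or 'different-entry'."""
    cand, ref = split_rdns(candidate), split_rdns(directory_dn)
    if cand == ref:
        return "match", []
    same_entry = len(cand) == len(ref) and all(
        ca.lower() == ra.lower() and cv.lower() == rv.lower()
        for (ca, cv), (ra, rv) in zip(cand, ref))
    if not same_entry:
        return "different-entry", []
    diffs = [(f"{ca}={cv}", f"{ra}={rv}")
             for (ca, cv), (ra, rv) in zip(cand, ref) if (ca, cv) != (ra, rv)]
    return "case-mismatch", diffs


# Constructed sample: the page's example user as a directory might return it.
DIRECTORY_DN = "CN=MyAdmin,OU=Users,DC=Newco,DC=com"

if __name__ == "__main__":
    for dn in ("CN=MyAdmin, OU=Users, DC=Newco, DC=com",
               "cn=myadmin, ou=users, dc=newco, dc=com"):
        print(dn, "->", check_dn_case(dn, DIRECTORY_DN))
```

A "case-mismatch" result lists each RDN as typed next to the form the directory uses, so the -userid argument can be corrected before the command is run.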
What to do next
After you change the user registry, you can use the WebSphere Application Server administrator
user name and password to log in to the InfoSphere Information Server Web
console. In the console, grant suite administrator access to additional
users as needed. The WebSphere Application Server administrator
is granted InfoSphere Information Server administrator
privileges by default.