Switching to an LDAP user registry when using a clustered WebSphere Application Server Network Deployment
You can authenticate users by using a Lightweight Directory Access Protocol (LDAP) user registry when you have a clustered WebSphere® Application Server Network Deployment. You configure IBM® InfoSphere® Information Server to use LDAP authentication after installation finishes.
Before you begin
- The InfoSphere Information Server engine performs user authentication separately from other InfoSphere Information Server components. You can configure the engine to use the LDAP user registry that you set up. For IBM AIX®, HP-UX, and Linux® platforms, you can optionally configure Pluggable Authentication Module (PAM) support before you switch the user registry. For more information, see Configuring IBM InfoSphere Information Server to use PAM (Linux, UNIX).
- The Deployment Manager and all node agents must be running in all cluster installations.
About this task
InfoSphere Information Server supports any LDAP-compliant user registry that IBM WebSphere Application Server Network Deployment supports. For more information about supported LDAP servers, see the IBM WebSphere Application Server Network Deployment system requirements:
- IBM WebSphere Application Server Network Deployment: http://www-01.ibm.com/support/docview.wss?uid=swg27047911
- Configure the LDAP or federated user registries for the InfoSphere Information Server security
domain IBM_Information_Server_sd. Selectto access the security domain.
For information about the procedure for configuring LDAP user registries within clustered WebSphere Application Server Network Deployment installations, see http://www.ibm.com/support/docview.wss?uid=swg27045015.
For information about configuring a federated repository, see http://www.ibm.com/support/docview.wss?uid=swg27045013.
- Synchronize the configuration files on the nodes in the
- In the .
- Select the check boxes beside all nodes.
- Click Synchronize.
- Log out of the console.
- Stop WebSphere Application Server servers in the InfoSphere Information Server cluster.
- Log in to the Domain Name System (DNS) server that hosts the WebSphere Application Server Deployment Manager.
- From the command line, run the DirectoryAdmin command.
This command defines which ID in the user registry will be designated as the InfoSphere Information Server administrator. The user ID must be valid in your external registry. For example, for a LDAP configuration:
/opt/IBM/Information/server/ASBServer/bin/DirectoryAdmin.sh -user -userid "CN=MyAdmin, OU=Users, DC=Newco, DC=com"-admin -checkid
C:\IBM\InformationServer\ASBServer\bin\DirectoryAdmin.bat -user -userid "CN=MyAdmin, OU=Users, DC=Newco, DC=com"-admin -checkid
In the command, the user distinguished name (DN) is case-sensitive and must match the case that is used by LDAP.
- If you are switching the user registry for a system that has been used for a while by multiple users, clean up the users and groups that are related to the security configuration. See Switching the user registry configuration for a system in use.
- Restart the WebSphere Application Server application servers in the InfoSphere Information Server cluster.
- If one of the node agents was not running when you did
the previous steps, the user registry configuration at the Deployment
Manager and node levels will not match. To fix this problem, run the WebSphere Application Server syncNode command
to synchronize the node with the Deployment manager. To run the syncNode command:
- Log in to the node.
- Run the syncNode command.
In the command:
/opt/IBM/WebSphere/AppServer/profiles/custom_profile/bin/syncNode.sh dmgr_hostname dmgr_port -user was_admin_username -password was_admin_password
C:\IBM\WebSphere\AppServer\profiles\custom_profile\bin\syncNode dmgr_hostname dmgr_port -user was_admin_username -password was_admin_password
- dmgr_hostname is the host name of the computer where the Deployment Manager is running.
- dmgr_port is the port number of the Deployment Manager (the default is 8879).
- was_admin_username is the user name of the WebSphere Application Server administrator.
- was_admin_password is the administrator password.
- Restart the node agent.