Switching to an LDAP user registry when using a clustered WebSphere Application Server Network Deployment

You can authenticate users by using a Lightweight Directory Access Protocol (LDAP) user registry when you have a clustered WebSphere® Application Server Network Deployment. You configure IBM® InfoSphere® Information Server to use LDAP authentication after installation finishes.

1. Configure the LDAP or federated user registries for the InfoSphere Information Server security domain IBM_Information_Server_sd.
   Select Security > Security domains to access the security domain.

   For information about the procedure for configuring LDAP user registries within clustered WebSphere Application Server Network Deployment installations, see http://www.ibm.com/support/docview.wss?uid=swg27045015.

   For information about configuring a federated repository, see http://www.ibm.com/support/docview.wss?uid=swg27045013.

2. Synchronize the configuration files on the nodes in the cluster:
   1. In the System administration > Nodes.
   2. Select the check boxes beside all nodes.
   3. Click Synchronize.
   4. Log out of the console.
3. Stop WebSphere Application Server servers in the InfoSphere Information Server cluster.
4. Log in to the Domain Name System (DNS) server that hosts the WebSphere Application Server Deployment Manager.
5. From the command line, run the DirectoryAdmin command.
   This command defines which ID in the user registry will be designated as the InfoSphere Information Server administrator. The user ID must be valid in your external registry. For example, for a LDAP configuration:

   

   /opt/IBM/Information/server/ASBServer/bin/DirectoryAdmin.sh
   -user -userid 
   "CN=MyAdmin, OU=Users, DC=Newco, DC=com"-admin -checkid

   

   C:\IBM\InformationServer\ASBServer\bin\DirectoryAdmin.bat
   -user -userid 
   "CN=MyAdmin, OU=Users, DC=Newco, DC=com"-admin -checkid

   In the command, the user distinguished name (DN) is case-sensitive and must match the case that is used by LDAP.

6. If you are switching the user registry for a system that has been used for a while by multiple users, clean up the users and groups that are related to the security configuration. See Switching the user registry configuration for a system in use.
7. Restart the WebSphere Application Server application servers in the InfoSphere Information Server cluster.
8. If one of the node agents was not running when you did the previous steps, the user registry configuration at the Deployment Manager and node levels will not match. To fix this problem, run the WebSphere Application Server syncNode command to synchronize the node with the Deployment manager. To run the syncNode command:
   1. Log in to the node.
   2. Run the syncNode command.
      • 

        /opt/IBM/WebSphere/AppServer/profiles/custom_profile/bin/syncNode.sh 
           dmgr_hostname dmgr_port -user was_admin_username -password 
           was_admin_password

      • 

        C:\IBM\WebSphere\AppServer\profiles\custom_profile\bin\syncNode 
           dmgr_hostname dmgr_port -user was_admin_username -password 
           was_admin_password

      In the command:

      • dmgr_hostname is the host name of the computer where the Deployment Manager is running.
      • dmgr_port is the port number of the Deployment Manager (the default is 8879).
      • was_admin_username is the user name of the WebSphere Application Server administrator.
      • was_admin_password is the administrator password.
   3. Restart the node agent.
      See Starting IBM WebSphere Application Server (Windows) or Starting IBM WebSphere Application Server (Linux, UNIX).