Switching to an LDAP user registry when using a clustered WebSphere Application Server Network Deployment

You can authenticate users by using a Lightweight Directory Access Protocol (LDAP) user registry when you have a clustered WebSphere® Application Server Network Deployment. You configure IBM® InfoSphere® Information Server to use LDAP authentication after installation finishes.

Before you begin

  • The InfoSphere Information Server engine performs user authentication separately from other InfoSphere Information Server components. You can configure the engine to use the LDAP user registry that you set up. For IBM AIX®, HP-UX, and Linux® platforms, you can optionally configure Pluggable Authentication Module (PAM) support before you switch the user registry. For more information, see Configuring IBM InfoSphere Information Server to use PAM (Linux, UNIX).
  • The Deployment Manager and all node agents must be running in all cluster installations.

About this task

InfoSphere Information Server supports any LDAP-compliant user registry that IBM WebSphere Application Server Network Deployment supports. For more information about supported LDAP servers, see the IBM WebSphere Application Server Network Deployment system requirements:


  1. Configure the LDAP or federated user registries for the InfoSphere Information Server security domain IBM_Information_Server_sd.
    Select Security > Security domains to access the security domain.

    For information about the procedure for configuring LDAP user registries within clustered WebSphere Application Server Network Deployment installations, see http://www.ibm.com/support/docview.wss?uid=swg27045015.

    For information about configuring a federated repository, see http://www.ibm.com/support/docview.wss?uid=swg27045013.

  2. Synchronize the configuration files on the nodes in the cluster:
    1. In the System administration > Nodes.
    2. Select the check boxes beside all nodes.
    3. Click Synchronize.
    4. Log out of the console.
  3. Stop WebSphere Application Server servers in the InfoSphere Information Server cluster.
  4. Log in to the Domain Name System (DNS) server that hosts the WebSphere Application Server Deployment Manager.
  5. From the command line, run the DirectoryAdmin command.
    This command defines which ID in the user registry will be designated as the InfoSphere Information Server administrator. The user ID must be valid in your external registry. For example, for a LDAP configuration:
    Linux cue graphicUNIX cue graphic
    -user -userid 
    "CN=MyAdmin, OU=Users, DC=Newco, DC=com"-admin -checkid
    Windows cue graphic
    -user -userid 
    "CN=MyAdmin, OU=Users, DC=Newco, DC=com"-admin -checkid

    In the command, the user distinguished name (DN) is case-sensitive and must match the case that is used by LDAP.

  6. If you are switching the user registry for a system that has been used for a while by multiple users, clean up the users and groups that are related to the security configuration. See Switching the user registry configuration for a system in use.
  7. Restart the WebSphere Application Server application servers in the InfoSphere Information Server cluster.
  8. If one of the node agents was not running when you did the previous steps, the user registry configuration at the Deployment Manager and node levels will not match. To fix this problem, run the WebSphere Application Server syncNode command to synchronize the node with the Deployment manager. To run the syncNode command:
    1. Log in to the node.
    2. Run the syncNode command.
      • Linux cue graphicUNIX cue graphic
           dmgr_hostname dmgr_port -user was_admin_username -password 
      • Windows cue graphic
           dmgr_hostname dmgr_port -user was_admin_username -password 
      In the command:
      • dmgr_hostname is the host name of the computer where the Deployment Manager is running.
      • dmgr_port is the port number of the Deployment Manager (the default is 8879).
      • was_admin_username is the user name of the WebSphere Application Server administrator.
      • was_admin_password is the administrator password.
    3. Restart the node agent.

What to do next

After you change the user registry, you can use theWebSphere Application Server administrator user name and password to log in to the InfoSphere Information Server Web console. In the console, grant suite administrator access to additional users as needed. The WebSphere Application Server administrator is granted InfoSphere Information Server administrator privileges by default.