When you install IBM® InfoSphere® Information Server, users are set up to use the internal registry. If your organization uses Lightweight Directory Access Protocol (LDAP) for authentication, you can configure IBM InfoSphere Information Server to use LDAP as well, after installation.
Before you begin
The InfoSphere Information Server engine performs user authentication separately from the other InfoSphere Information Server components. You can configure the engine to share the LDAP user registry as well, but that requires Pluggable Authentication Module (PAM) support, and PAM must be configured for the engine before you switch InfoSphere Information Server to the LDAP user registry. See Configuring the engine to use PAM.
About this task
InfoSphere Information Server supports any LDAP-compliant user registry that IBM WebSphere® Application Server Liberty Profile supports. For more information about supported LDAP servers, see the WebSphere Application Server Liberty Profile system requirements.
Procedure
- Stop the application server. On AIX or Linux:
    IS_install_path/ASBServer/bin/MetadataServer.sh stop
  On Windows:
    net stop InfoSvr
- Remove the default built-in user registry from the WebSphere Application Server Liberty Profile configuration by commenting out the following line in the IS_install_path/wlp/usr/servers/iis/server.xml file:
    <usr_iisRegistry dataSourceRef="DataSource_ASBDataSource"/>
  so that it reads:
    <!-- <usr_iisRegistry dataSourceRef="DataSource_ASBDataSource"/> -->
- Add the LDAP configuration to the IS_install_path/wlp/usr/servers/iis/server.xml file, anywhere before the closing server element, as documented in Configuring LDAP user registries with the Liberty profile. Because the LDAP filters are placed inside XML attribute values, the & at the start of an AND filter must be written as &amp;; a bare & makes server.xml ill-formed and the server will not start. If the LDAP directory is large (for example, more than 10,000 users), it is strongly recommended that you use the optional ldapCache configuration, as in the following example.
    <ldapRegistry id="BluePages" realm="ldap" ignoreCase="true"
        host="bluepages.ibm.com" port="389"
        baseDN="o=ibm.com"
        ldapType="IBM Tivoli Directory Server">
        <idsFilters
            userFilter="(&amp;(emailAddress=%v)(objectclass=person))"
            groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))"
            userIdMap="*:emailAddress"
            groupIdMap="*:cn"
            groupMemberIdMap="ibm-allGroups:member;ibm-allGroups:uniqueMember;groupOfNames:member;groupOfUniqueNames:uniquemember"/>
        <ldapCache>
            <attributesCache size="4000" timeout="300000" enabled="true" sizeLimit="2000"/>
            <searchResultsCache size="2000" timeout="300000" enabled="true" resultsSizeLimit="1000"/>
        </ldapCache>
    </ldapRegistry>
- Start the application server. On AIX or Linux:
    IS_install_path/ASBServer/bin/MetadataServer.sh run
  On Windows:
    net start InfoSvr
- If you are switching the user registry on a system that has been in use for a while by multiple users, clean up the users and groups that are related to the security configuration. See Switching the user registry configuration for a system in use.
- Manually configure one LDAP user as an administrator so that you can log in to the IBM InfoSphere Information Server Web console and assign roles to other LDAP users and groups:
    cd IS_install_path/ASBServer/bin
    ./DirectoryAdmin.sh -user -userid LDAP_user -admin -checkid
  Where:
  - LDAP_user is the LDAP user that you want to become the administrator. Specify the user name in the form of the LDAP attribute that you configured in the userFilter in the server.xml file. In the example above, the userFilter is (&(emailAddress=%v)(objectclass=person)), which means that the LDAP user must be specified as an email address.
  - -checkid verifies that the specified user is a valid user in the registry; details about the user are displayed in the output, so a mistyped user name or a wrong login attribute shows up here rather than as a console login failure.
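The following script is an added example, not part of the IBM documentation or the product: it carries out the server.xml edits from the steps above with the guard rails a production change should have (backup, refusal to run twice, a check that the fragment is well-formed with respect to ampersands), and writes an ldapRegistry fragment that, unlike the cleartext anonymous bind on port 389 shown above, uses LDAPS on port 636 with a bind account. The host name, base DN, bind DN, the uid login attribute, the element ids corpLdap, ldapSSL and ldapTrust, and the truststore path are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example (not from the IBM documentation or product): perform the
# server.xml edits of the LDAP switch with guard rails. All LDAP values,
# ids and paths below are placeholders.
set -e

# Comment out the built-in registry element. Requires exactly one live
# usr_iisRegistry line so a re-run cannot silently do nothing or touch the
# wrong element; keeps a .bak copy of the file first.
disable_builtin_registry() {
    f="$1"
    n=$(grep -c '^[[:space:]]*<usr_iisRegistry ' "$f" || true)
    if [ "$n" -ne 1 ]; then
        echo "expected exactly one usr_iisRegistry line in $f, found $n" >&2
        return 1
    fi
    cp "$f" "$f.bak"
    sed 's|^\([[:space:]]*\)\(<usr_iisRegistry [^>]*/>\)|\1<!-- \2 -->|' "$f" > "$f.tmp"
    mv "$f.tmp" "$f"
}

# Write the ldapRegistry fragment. '&' inside an XML attribute must be
# written as &amp;, so the LDAP filters are escaped. The bind password is
# expected in the obfuscated form printed by wlp/bin/securityUtility encode,
# which contains no characters that need XML escaping.
write_ldap_config() {
    out="$1" host="$2" basedn="$3" binddn="$4" bindpw="$5"
    cat > "$out" <<EOF
    <ldapRegistry id="corpLdap" realm="ldap" ignoreCase="true"
        host="$host" port="636" sslEnabled="true" sslRef="ldapSSL"
        baseDN="$basedn" bindDN="$binddn" bindPassword="$bindpw"
        ldapType="IBM Tivoli Directory Server">
        <idsFilters
            userFilter="(&amp;(uid=%v)(objectclass=person))"
            groupFilter="(&amp;(cn=%v)(objectclass=groupOfNames))"
            userIdMap="*:uid"
            groupIdMap="*:cn"
            groupMemberIdMap="groupOfNames:member"/>
        <ldapCache>
            <attributesCache size="4000" timeout="300000" enabled="true" sizeLimit="2000"/>
            <searchResultsCache size="2000" timeout="300000" enabled="true" resultsSizeLimit="1000"/>
        </ldapCache>
    </ldapRegistry>
    <!-- Truststore holding the LDAP server's CA certificate (assumed path). -->
    <ssl id="ldapSSL" keyStoreRef="ldapTrust" trustStoreRef="ldapTrust"/>
    <keyStore id="ldapTrust" type="PKCS12" password="changeit"
        location="\${server.config.dir}/resources/security/ldap-trust.p12"/>
EOF
}

# Refuse a fragment that still contains a bare '&': it is not well-formed
# XML and Liberty rejects server.xml at startup.
check_ampersands() {
    ! grep -Eq '&([^a-zA-Z#]|$)' "$1"
}

# Insert the fragment immediately before the closing </server> element.
insert_before_server_close() {
    f="$1" frag="$2"
    grep -q '</server>' "$f" || return 1
    awk -v frag="$frag" '
        /<\/server>/ { while ((getline line < frag) > 0) print line; close(frag) }
        { print }' "$f" > "$f.tmp"
    mv "$f.tmp" "$f"
}

# Full switch on a real installation: validate the fragment before touching
# anything, stop, edit, start, then confirm the chosen LDAP user resolves
# and make it an administrator (-checkid prints the user's details).
switch_registry() {
    is_home="$1" frag="$2" admin="$3"
    server_xml="$is_home/wlp/usr/servers/iis/server.xml"
    check_ampersands "$frag"
    "$is_home/ASBServer/bin/MetadataServer.sh" stop
    disable_builtin_registry "$server_xml"
    insert_before_server_close "$server_xml" "$frag"
    "$is_home/ASBServer/bin/MetadataServer.sh" run
    "$is_home/ASBServer/bin/DirectoryAdmin.sh" -user -userid "$admin" -admin -checkid
}
```

Usage on a Linux installation would be, for example, write_ldap_config /tmp/ldap.xml ldap.example.com "dc=example,dc=com" "cn=iisbind,ou=svc,dc=example,dc=com" "{aes}..." followed by switch_registry /opt/IBM/InformationServer /tmp/ldap.xml jdoe, where jdoe is a uid because that is the attribute the example userFilter matches on. The truststore referenced by ldapTrust must contain the CA certificate of the LDAP server so that sslEnabled="true" actually verifies the peer; without it the connection fails closed rather than falling back to cleartext.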
What to do next
After you change the user registry, you can use the administrator user to log in to the IBM InfoSphere Information Server Web console and assign roles to other LDAP users and groups.