Switching to an LDAP user registry when using WebSphere Application Server Liberty Profile

When you install IBM® InfoSphere® Information Server, users are set up to use the internal registry. If your organization uses Lightweight Directory Access Protocol (LDAP) for authentication, you can choose to configure IBM InfoSphere Information Server to use LDAP as well, after installation.

Before you begin

The InfoSphere Information Server engine performs user authentication separately from other InfoSphere Information Server components. You can configure the engine to share the LDAP user registry as well; however, it requires that you configure Pluggable Authentication Module (PAM) support. Configuring PAM for the engine must be done before switching InfoSphere Information Server to use the LDAP user registry. See Configuring the engine to use PAM.

About this task

InfoSphere Information Server supports any LDAP-compliant user registry that IBM WebSphere® Application Server Liberty Profile supports. For more information about supported LDAP servers, see the WebSphere Application Server Liberty Profile system requirements.

Procedure

  1. Stop the application server:
    Linux or UNIX:
    IS_install_path/ASBServer/bin/MetadataServer.sh stop
    Windows:
    net stop InfoSvr
  2. Remove the default built-in user registry from the WebSphere Application Server Liberty Profile configuration by commenting out the following line in the IS_install_path/wlp/usr/servers/iis/server.xml file:
    <usr_iisRegistry dataSourceRef="DataSource_ASBDataSource"/>
  3. Add the LDAP configuration in the IS_install_path/wlp/usr/servers/iis/server.xml file, anywhere before the closing server element, as documented in Configuring LDAP user registries with the Liberty profile.

    If you have a large LDAP server, such as when it has more than 10,000 users, it is strongly recommended to use the optional ldapCache configuration, such as in the following example.

    <ldapRegistry
      id="BluePages" realm="ldap" ignoreCase="true"
      host="bluepages.ibm.com" port="389"
      baseDN="o=ibm.com"
      ldapType="IBM Tivoli Directory Server">
      <idsFilters
        userFilter="(&amp;(emailAddress=%v)(objectclass=person))"
        groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))"
        userIdMap="*:emailAddress"
        groupIdMap="*:cn"
        groupMemberIdMap="ibm-allGroups:member;ibm-allGroups:uniqueMember;groupOfNames:member;groupOfUniqueNames:uniquemember"/>
      <ldapCache>
        <attributesCache size="4000" timeout="300000" enabled="true" sizeLimit="2000"/>
        <searchResultsCache size="2000" timeout="300000" enabled="true" resultsSizeLimit="1000"/>
      </ldapCache>
    </ldapRegistry>
  4. Start the application server:
    Linux or UNIX:
    IS_install_path/ASBServer/bin/MetadataServer.sh run
    Windows:
    net start InfoSvr
  5. If you are switching the user registry for a system that has been used for a while by multiple users, clean up the users and groups that are related to the security configuration. See Switching the user registry configuration for a system in use.
  6. Manually configure one LDAP user as an administrator user so that you can log in to the IBM InfoSphere Information Server Web console and assign roles to other LDAP users and groups:
    cd IS_install_path/ASBServer/bin
    ./DirectoryAdmin.sh -user -userid LDAP_user -admin -checkid

    Where:

    LDAP_user
    The LDAP user that you want to be the administrator user name. This user name must be specified according to the value of the LDAP attribute that you configured for the userFilter in the server.xml file. In the example above, the userFilter is set to (&amp;(emailAddress=%v)(objectclass=person)), which means that the LDAP user must be specified as an email address.
    -checkid
    This option verifies that the provided user exists in the configured registry and prints details about the user in the command output.
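The following Python script is an added example; it is not part of the IBM documentation or the product. It checks a Liberty server.xml for the two edits made in steps 2 and 3 (built-in registry commented out, ldapRegistry present, ldapCache present when the directory is large, userFilter carrying the %v placeholder), and shows what search filter the configured userFilter yields for the user name passed to DirectoryAdmin.sh in step 6. The two server.xml fragments are constructed samples, and the RFC 4515 escaping in resolve_user_filter is an illustration of safe %v substitution, not Liberty's own implementation.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample server.xml after steps 2 and 3: built-in registry commented out,
# ldapRegistry (with ldapCache) added before the closing server element.
SWITCHED_SERVER_XML = """<server>
  <!-- <usr_iisRegistry dataSourceRef="DataSource_ASBDataSource"/> -->
  <ldapRegistry id="BluePages" realm="ldap" ignoreCase="true"
      host="bluepages.ibm.com" port="389" baseDN="o=ibm.com"
      ldapType="IBM Tivoli Directory Server">
    <idsFilters userFilter="(&amp;(emailAddress=%v)(objectclass=person))"
        groupFilter="(&amp;(cn=%v)(objectclass=groupOfNames))"
        userIdMap="*:emailAddress" groupIdMap="*:cn"
        groupMemberIdMap="groupOfNames:member"/>
    <ldapCache>
      <attributesCache size="4000" timeout="300000" enabled="true" sizeLimit="2000"/>
      <searchResultsCache size="2000" timeout="300000" enabled="true" resultsSizeLimit="1000"/>
    </ldapCache>
  </ldapRegistry>
</server>
"""

# Constructed sample of a half-finished edit: built-in registry still active, no ldapCache.
UNFINISHED_SERVER_XML = """<server>
  <usr_iisRegistry dataSourceRef="DataSource_ASBDataSource"/>
  <ldapRegistry id="BluePages" realm="ldap" host="bluepages.ibm.com" port="389"
      baseDN="o=ibm.com" ldapType="IBM Tivoli Directory Server">
    <idsFilters userFilter="(&amp;(emailAddress=%v)(objectclass=person))"/>
  </ldapRegistry>
</server>
"""

_COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)


def check_registry_switch(xml_text, large_directory=False):
    """Return a list of findings; an empty list means the edit looks complete."""
    findings = []
    # Drop XML comments first so a commented-out registry does not count as active.
    active = _COMMENT_RE.sub("", xml_text)
    if "<usr_iisRegistry" in active:
        findings.append("built-in usr_iisRegistry is still active (step 2 not done)")
    root = ET.fromstring(xml_text)  # ElementTree discards comments on its own
    registry = root.find("ldapRegistry")
    if registry is None:
        findings.append("no ldapRegistry element found (step 3 not done)")
        return findings
    # The filter element name depends on ldapType (idsFilters here), so match by attribute.
    filters = registry.find("*[@userFilter]")
    if filters is None or "%v" not in filters.get("userFilter", ""):
        findings.append("userFilter missing or lacks the %v login placeholder")
    if large_directory and registry.find("ldapCache") is None:
        findings.append("large directory but no ldapCache configured")
    return findings


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside an LDAP search filter."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def resolve_user_filter(xml_text, user_id):
    """Show the search filter the configured userFilter yields for user_id.

    Illustrative only: Liberty performs its own %v substitution internally.
    The escaping shows why a login name must never be spliced in verbatim.
    """
    root = ET.fromstring(xml_text)
    user_filter = root.find("ldapRegistry/*[@userFilter]").get("userFilter")
    return user_filter.replace("%v", escape_filter_value(user_id))


if __name__ == "__main__":
    for label, xml in (("switched", SWITCHED_SERVER_XML), ("unfinished", UNFINISHED_SERVER_XML)):
        print(label, check_registry_switch(xml, large_directory=True) or "OK")
    # The value given to DirectoryAdmin.sh -userid must match the userFilter attribute,
    # an email address with the sample userFilter above.
    print(resolve_user_filter(SWITCHED_SERVER_XML, "admin@example.com"))
```

Run the script against a copy of IS_install_path/wlp/usr/servers/iis/server.xml before starting the server in step 4; any finding means one of the edits in steps 2 and 3 is incomplete.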

What to do next

After you change the user registry, you can use the administrator user to log into the IBM InfoSphere Information Server Web console and assign roles to other LDAP users and groups.