Enabling LDAP authentication of ObjectServer users

You can enable users that are stored in an ObjectServer repository to be authenticated against an LDAP registry.

Before you begin

  • Define the ObjectServer in the federated repository as a user repository.
  • Make a backup copy of the JazzSM_WAS_Profile/config/cells/JazzSMNode01Cell/wim/config/wimconfig.xml file. The file contains the encoded password of the ObjectServer user that the repository connects with, so give the backup the same file permissions as the original.

Procedure

  1. Open the JazzSM_WAS_Profile/config/cells/JazzSMNode01Cell/wim/config/wimconfig.xml file for editing.
  2. Locate the <config:repositories> element whose id attribute has the value netcoolObjectServer; its <config:baseEntries> element is named o=netcoolObjectServerRepository.
    For example:
    <config:repositories 
        adapterClassName="com.ibm.tivoli.tip.vmm4ncos.ObjectServerAdaptor"
        id="netcoolObjectServer" supportPaging="False">
        <config:baseEntries name="o=netcoolObjectServerRepository" />
        <config:CustomProperties name="password"
            value="{AES}F3A75EB49DC87013C11C6B021BA6B33" />
        <config:CustomProperties name="username" value="root" />
        <config:CustomProperties name="host1" value="localhost" />
        <config:CustomProperties name="port1" value="4100" />
    </config:repositories>
  3. Add the following <config:CustomProperties> elements inside this element, after the existing <config:CustomProperties> elements:
    <config:CustomProperties name="LDAP.host" value="ldap-host" />
    <config:CustomProperties name="LDAP.port" value="ldap-port" />
    <config:CustomProperties name="LDAP.distinguishedName" 
        value="user-dn-format" />
    <config:CustomProperties name="LDAP.sslEnabled" value="ssl-enabled" />
    1. Replace ldap-host with the fully qualified host name of the LDAP server.
    2. Replace ldap-port with the port number on which the LDAP server listens. If the connection to the LDAP server uses SSL, specify the SSL port of the LDAP server (for example, 636).
    3. Replace user-dn-format with the distinguished name pattern of a user entry in the LDAP server.
      Depending on the LDAP implementation, a user entry consists of the string uid=%username, or the string gid=%username, followed by the LDAP attributes that identify the user.
      For example:
      <config:CustomProperties name="LDAP.distinguishedName" 
          value="uid=%username,cn=u50000g3000,cn=test,cn=ncw,o=ibm,c=uk" />
      
      <config:CustomProperties name="LDAP.distinguishedName" 
          value="gid=%username,cn=u50000g3000,cn=test,cn=ncw,o=ibm,c=uk" />
      Important: Ensure that you use the %username syntax. When a user logs in to the Web GUI, that syntax is replaced with the actual user name that is in the authentication request to the LDAP directory.
      For example:
      <config:repositories 
          adapterClassName="com.ibm.tivoli.tip.vmm4ncos.ObjectServerAdaptor"
          id="netcoolObjectServer" supportPaging="False">
          <config:baseEntries name="o=netcoolObjectServerRepository" />
          <config:CustomProperties name="password"
              value="{AES}F3A75EB49DC87013C11C6B021BA6B33" />
          <config:CustomProperties name="username" value="root" />
          <config:CustomProperties name="host1" value="localhost" />
          <config:CustomProperties name="port1" value="4100" />
          <config:CustomProperties name="LDAP.host" value="ldapserver.host.com" />
          <config:CustomProperties name="LDAP.port" value="636" />
          <config:CustomProperties name="LDAP.distinguishedName" 
              value="uid=%username,cn=u50000g3000,cn=test,cn=ncw,o=ibm,c=uk" />
          <config:CustomProperties name="LDAP.sslEnabled" value="true" />
      </config:repositories>
    4. Replace ssl-enabled with true if the connection to the LDAP server uses SSL, otherwise use false. With false, the user name and password that the Web GUI sends to the LDAP server during login are not protected by SSL.
  4. Carefully check that the file is still well-formed XML and that every element you edited has the correct syntax.
    Important: If the syntax of the wimconfig.xml file is incorrect, you might not be able to log in to the Web GUI or to stop the server by using the stopServer command. In that case, you must manually terminate the Dashboard Application Services Hub process.
  5. Restart the server.
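The edit in step 3 and the check in step 4 can be scripted. The following Python script is an added example and is not part of this page or of the product: it appends the four LDAP.* properties to the netcoolObjectServer repository element of a wimconfig.xml document and then reports problems that would otherwise surface only after the restart (XML that is not well-formed, a duplicated property name, a missing property, a distinguishedName without %username, a non-numeric port, and an SSL setting that does not match the port). The namespace URI bound to the config: prefix and the embedded sample document are assumptions made for the example; a real wimconfig.xml contains more than this fragment.

```python
"""Add the LDAP.* CustomProperties to the ObjectServer repository element of a
wimconfig.xml document and check the result before the server is restarted.

Added example, not IBM code. The namespace URI bound to the config: prefix and
the SAMPLE_WIMCONFIG document are assumptions made for this example."""
import xml.etree.ElementTree as ET

CONFIG_NS = "http://www.ibm.com/websphere/wim/config"   # assumed namespace URI
NS = {"config": CONFIG_NS}
ET.register_namespace("config", CONFIG_NS)             # keep the config: prefix on output
ET.register_namespace("sdo", "commonj.sdo")

LDAP_PROPERTIES = ("LDAP.host", "LDAP.port", "LDAP.distinguishedName", "LDAP.sslEnabled")

# Constructed fragment that mirrors the element shown in step 2; not a real file.
SAMPLE_WIMCONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<sdo:datagraph xmlns:config="http://www.ibm.com/websphere/wim/config" xmlns:sdo="commonj.sdo">
  <config:configurationProvider>
    <config:repositories
        adapterClassName="com.ibm.tivoli.tip.vmm4ncos.ObjectServerAdaptor"
        id="netcoolObjectServer" supportPaging="False">
        <config:baseEntries name="o=netcoolObjectServerRepository" />
        <config:CustomProperties name="password" value="{AES}F3A75EB49DC87013C11C6B021BA6B33" />
        <config:CustomProperties name="username" value="root" />
        <config:CustomProperties name="host1" value="localhost" />
        <config:CustomProperties name="port1" value="4100" />
    </config:repositories>
  </config:configurationProvider>
</sdo:datagraph>
"""


def find_repository(root, repo_id):
    """Return the <config:repositories> element with the given id, or None."""
    for repo in root.iter(f"{{{CONFIG_NS}}}repositories"):
        if repo.get("id") == repo_id:
            return repo
    return None


def add_ldap_properties(xml_text, host, port, dn_format, ssl_enabled,
                        repo_id="netcoolObjectServer"):
    """Append the four LDAP.* CustomProperties (step 3) and return the new XML text."""
    root = ET.fromstring(xml_text)
    repo = find_repository(root, repo_id)
    if repo is None:
        raise ValueError(f"no <config:repositories> element with id={repo_id!r}")
    present = {p.get("name") for p in repo.findall("config:CustomProperties", NS)}
    values = {
        "LDAP.host": host,
        "LDAP.port": str(port),
        "LDAP.distinguishedName": dn_format,
        "LDAP.sslEnabled": "true" if ssl_enabled else "false",
    }
    for name, value in values.items():
        if name in present:   # refuse to create a second element with the same name
            raise ValueError(f"{name} is already set; edit the existing element instead")
        ET.SubElement(repo, f"{{{CONFIG_NS}}}CustomProperties", name=name, value=value)
    return ET.tostring(root, encoding="unicode")


def validate_ldap_properties(xml_text, repo_id="netcoolObjectServer"):
    """Step 4 as code: return a list of problems; an empty list means the edit looks sane."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"wimconfig.xml is not well-formed XML: {exc}"]
    repo = find_repository(root, repo_id)
    if repo is None:
        return [f"no <config:repositories> element with id={repo_id!r}"]
    problems, props = [], {}
    for p in repo.findall("config:CustomProperties", NS):
        name = p.get("name")
        if name in props:
            problems.append(f"duplicate CustomProperties name {name!r}")
        props[name] = p.get("value", "")
    problems += [f"missing {name}" for name in LDAP_PROPERTIES if name not in props]
    if problems:
        return problems
    if "%username" not in props["LDAP.distinguishedName"]:
        problems.append("LDAP.distinguishedName does not contain %username, "
                        "so the same DN would be used for every user")
    port = props["LDAP.port"]
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append(f"LDAP.port {port!r} is not a valid TCP port")
    ssl = props["LDAP.sslEnabled"]
    if ssl not in ("true", "false"):
        problems.append(f"LDAP.sslEnabled must be true or false, got {ssl!r}")
    elif ssl == "false":
        problems.append("LDAP.sslEnabled is false: user passwords are sent to the "
                        "LDAP server without SSL protection")
    elif port == "389":
        problems.append("LDAP.sslEnabled is true but LDAP.port is 389, the usual "
                        "clear-text port; expected the LDAPS port, typically 636")
    return problems


if __name__ == "__main__":
    updated = add_ldap_properties(
        SAMPLE_WIMCONFIG, "ldapserver.host.com", 636,
        "uid=%username,cn=u50000g3000,cn=test,cn=ncw,o=ibm,c=uk", True)
    print(validate_ldap_properties(updated) or "LDAP settings look sane")
```

To use it on a real deployment, read the backup copy of wimconfig.xml into xml_text, write the string that add_ldap_properties returns to a new file, diff that file against the backup, and run validate_ldap_properties on it before you replace the original and restart. ElementTree re-serialises the whole document and drops the XML declaration, so review the diff rather than copying the output blindly.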

Results

Users can log in using their ObjectServer user IDs and their LDAP passwords. They can no longer use their ObjectServer passwords.

What to do next

If the connection to the LDAP server uses SSL, configure that connection.