Integrating LDAP with Product Master
The following sections describe the configurations that are involved in LDAP integration with Product Master.
Before you begin
Be aware that LDAP server attribute values are case-sensitive.
Procedure
- Enable LDAP authentication. The Login.wpcs file identifies the authentication mechanism; to enable LDAP authentication, set the wpcOnlyAuthentication flag in that file to false.
  - Click Data Model Manager > Scripting > Scripts Console.
  - Select Login Script from the drop-down list.
  - Click Edit for the Login.wpcs script.
  - Find the wpcOnlyAuthentication flag and set it to false.
- Enable the logger. To enable the logger, add a logger and an appender for the ldap logger to $TOP/etc/default/log4j2.xml. In the Login.wpcs script, the default logger is ldap. For example:

```xml
<!-- Logger definition -->
<Logger name="com.ibm.ccd.wpc_user_scripting.ldap" level="info" additivity="false">
  <AppenderRef ref="LDAPLOGGER" />
</Logger>

<!-- Appender definition -->
<RollingFile name="LDAPLOGGER" fileName="%LOG_DIR%/${svc_name}/ldap.log" append="true"
             filePattern="%LOG_DIR%/${svc_name}/ldap-%d{MM-dd-yyyy}-%i.log">
  <PatternLayout>
    <Pattern>%d [%t] %-5p %c %x- %m%n</Pattern>
  </PatternLayout>
  <Policies>
    <TimeBasedTriggeringPolicy />
    <SizeBasedTriggeringPolicy size="10 MB" />
  </Policies>
  <DefaultRolloverStrategy max="2" />
</RollingFile>
```
- Configure an LDAP server. Perform the following tasks from the Novell iManager web console to set up users and groups in the supported LDAP servers.
  - Create an organization.
    - Click eDirectory Administration > Create Object.
    - Provide a name for the organization and the context in which the organization should reside.
  - Create a user.
    - Click Users > Create User.
    - Select the newly created organization for this user.
    - Set the NDS Password and Simple Password.
    Note: For more information, see LDAP username.
  - Create a group.
    - Click Groups > Create Group.
    - Select the newly created organization for this group.
    - Modify the group and associate the users with the group.
- Add a matching role in Product Master. Create a role in Product Master with the same name as the group that is configured in the LDAP server and whose members are to be authenticated through this integration.
- Populate the lookup table. Provide the details of the LDAP configuration so that Product Master can use them for connectivity and authentication.
  - Click Product Manager > Lookup Tables > Lookup Table Console.
  - Click the magnifying icon beside the row for LDAP Properties.
  - Click + to add a row, and enter the LDAP configuration details from step 3.
The following table describes each attribute for the LDAP server.

Table 1. LDAP server attributes

| Attribute name | Description of attribute | Example |
| --- | --- | --- |
| Bind Type | The bind type can be one of the following: simple, sasl, or ssl. This type is provided as an enum. | simple |
| FAX Number Attribute | The user attribute that represents the fax number in LDAP. | facsimiletelephonenumber in Tivoli® |
| Full Name Attribute | The user attribute that represents the full name in LDAP. | cn in Tivoli |
| Given name Attribute | The user attribute that represents the given name in LDAP. | givenname in Tivoli |
| groupClassNames | The group class name in the LDAP server. | group |
| Group Parent DNs | The pipe (\|) delimited parent DNs where the groups are likely to be found. If you do not know the parent DN, you can set it to . | DC=ipm,DC=com |
| Keystore | The location of the file that was imported into the JVM. | |
| LDAP Group Naming Attribute | The naming attribute for the groups in this LDAP server. | sAMAccountName |
| LDAP URL | The LDAP server URL, and the primary key of the lookup table entry. The values are for the LDAP server. For LDAP over SSL, the URL is ldaps://<ldap-server-hostname>:<ssl_port>. | <ldap-server-hostname>:<ssl_port> |
| LDAP User Naming Attribute | The naming attribute for the users in this LDAP server. | sAMAccountName |
| Mail ID Attribute | The user attribute that represents the mail ID in LDAP. | mail in Tivoli |
| personClassNames | The person class name in the LDAP server. | person |
| Postal Address Attribute | The user attribute that represents the postal address in LDAP. | postaladdress in Tivoli |
| Root Entry DN | The root user's entry DN in this LDAP server. | CN=<username>,OU=Apple,DC=ipm,DC=com |
| Root Password | The password of the root user. | <password of user> |
| SSL Bind Type | The subtypes that are allowed in an ssl bind. The ssl bind type can be one of the following: simple or DIGEST-MD5. This type is provided as an enum. | simple |
| supportedSaslMechanisms | The subset of server-supported sasl mechanisms with which to authenticate LDAP users when the bind type is sasl. The list of mechanisms is delimited by a space character. | |
| Surname Attribute | The user attribute that represents the surname in LDAP. | sn in Tivoli |
| Telephone Number Attribute | The user attribute that represents the telephone number in LDAP. | telephonenumber in Tivoli |
| Title Attribute | The user attribute that represents the title in LDAP. | title in Tivoli |
| User Parent DNs | The pipe (\|) delimited parent DNs where the users are likely to be found. If you do not know the parent DN, you can set it to . | DC=ipm,DC=com |
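Because a mistyped row in LDAP Properties only shows up as a failed login later, it helps to validate the row against the rules in Table 1 before saving it: the bind-type enums, an ldaps:// URL and a Keystore when the bind type is ssl, pipe-delimited parent DNs, and space-delimited SASL mechanisms. The following is an added example, not Product Master code; the dictionary keys are the attribute names from Table 1, the rows are constructed samples, and the exact checks (including the loose DN shape test and the exact-match rule for the role and group names from the "Add a matching role" step) are this example's own.

```python
"""Validate an LDAP Properties lookup-table row before saving it.

Added example, not Product Master code. Keys are the Table 1 attribute
names; rows are constructed samples; the checks are this example's own.
"""
import re
from urllib.parse import urlsplit

BIND_TYPES = {"simple", "sasl", "ssl"}
SSL_BIND_TYPES = {"simple", "DIGEST-MD5"}
REQUIRED_KEYS = ("Root Entry DN", "Root Password", "LDAP User Naming Attribute",
                 "LDAP Group Naming Attribute", "personClassNames", "groupClassNames")
# Loose shape check only: attr=value pairs joined by commas, e.g. DC=ipm,DC=com
DN_RE = re.compile(r"^[A-Za-z][\w-]*=[^,]+(,[A-Za-z][\w-]*=[^,]+)*$")


def split_parent_dns(value):
    """Group/User Parent DNs are pipe (|) delimited; blank entries are dropped."""
    return [dn.strip() for dn in value.split("|") if dn.strip()]


def split_sasl_mechanisms(value):
    """supportedSaslMechanisms is a space-delimited list."""
    return value.split()


def parse_ldap_url(url):
    """Return (scheme, host, port); a bare host:port value is treated as ldap://."""
    if "://" not in url:
        url = "ldap://" + url
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:          # non-numeric port
        port = None
    return parts.scheme, parts.hostname, port


def role_matches_group(role_name, group_name):
    """Role and group names must match exactly: LDAP attribute values are case-sensitive."""
    return role_name == group_name


def validate_ldap_properties(row):
    """Return a list of problems with the row; an empty list means it passes."""
    problems = []
    bind = row.get("Bind Type", "")
    if bind not in BIND_TYPES:
        problems.append(f"Bind Type {bind!r} must be one of {sorted(BIND_TYPES)}")
    scheme, host, port = parse_ldap_url(row.get("LDAP URL", ""))
    if not host or port is None:
        problems.append("LDAP URL must be <ldap-server-hostname>:<port>")
    if bind == "ssl":
        if row.get("SSL Bind Type") not in SSL_BIND_TYPES:
            problems.append(f"SSL Bind Type must be one of {sorted(SSL_BIND_TYPES)}")
        if scheme != "ldaps":
            problems.append("ssl bind requires an ldaps://<ldap-server-hostname>:<ssl_port> URL")
        if not row.get("Keystore"):
            problems.append("ssl bind requires Keystore (the file imported into the JVM)")
    if bind == "sasl" and not split_sasl_mechanisms(row.get("supportedSaslMechanisms", "")):
        problems.append("sasl bind requires at least one entry in supportedSaslMechanisms")
    for key in ("User Parent DNs", "Group Parent DNs"):
        for dn in split_parent_dns(row.get(key, "")):
            if not DN_RE.match(dn):
                problems.append(f"{key}: {dn!r} is not in attr=value,attr=value form")
    for key in REQUIRED_KEYS:
        if not row.get(key):
            problems.append(f"{key} is not set")
    return problems


# Constructed sample rows (hostnames, DNs and the password are placeholders).
GOOD_ROW = {
    "LDAP URL": "ldaps://ldap.example.com:636",
    "Bind Type": "ssl",
    "SSL Bind Type": "simple",
    "Keystore": "/opt/ipm/keystore.jks",
    "Root Entry DN": "CN=svc-ipm,OU=Apple,DC=ipm,DC=com",
    "Root Password": "example-only",
    "User Parent DNs": "OU=Users,DC=ipm,DC=com|OU=Contractors,DC=ipm,DC=com",
    "Group Parent DNs": "DC=ipm,DC=com",
    "LDAP User Naming Attribute": "sAMAccountName",
    "LDAP Group Naming Attribute": "sAMAccountName",
    "personClassNames": "person",
    "groupClassNames": "group",
}
# Same row with three mistakes: plain ldap URL on an ssl bind, no keystore, a non-DN parent.
BAD_ROW = dict(GOOD_ROW, **{"LDAP URL": "ldap.example.com:389",
                           "Keystore": "",
                           "Group Parent DNs": "ipm.com"})

if __name__ == "__main__":
    for name, row in (("good", GOOD_ROW), ("bad", BAD_ROW)):
        print(name, validate_ldap_properties(row))
```

The DN check is intentionally loose: it catches a value such as ipm.com pasted where DC=ipm,DC=com was expected, but it does not parse escaped characters; the username escaping rules in the LDAP username section cover that case.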
LDAP username
An LDAP username can contain special characters, but some special characters must be handled with an escape character. When you enter user details in the LDAP Properties table, make one of the following changes to use special characters:
- Append the escape character, a backslash (\), before the special character.
- Enclose the username that contains special characters in double quotation marks (“ ”).
Important: The following special characters can be used in an LDAP username without an escape character:
- Colon (:)
- Pound (£)
- Exclamation mark (!)
- Tilde (~)
- At sign (@)
- Dollar sign ($)
- Percent sign (%)
- Caret (^)
- Ampersand (&)
- Hyphen (-)
- Underscore (_)
Note:
- The escape character does not work for backslash (\), double quotation marks (“ ”), asterisk (*), and parentheses (), so do not use these special characters in an LDAP username.
- After an LDAP user logs in, multiple log files are populated with an “Unprocessed Continuation Reference” exception, which is a child exception of “Partial Result Exception”. This exception is only a warning and can be ignored. You can avoid this exception and reduce space consumption; for more information, see Log files.
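The two forms described above (a backslash before the special character, or the whole value in double quotation marks) are the standard LDAP distinguished-name escapes, and the characters the page says to avoid are the ones that need a different, hex-style escape as soon as the username is used in a search filter rather than a DN. The following added example, not Product Master code, implements both DN forms per RFC 4514 and RFC 2253, adds the RFC 4515 filter escaping, and confirms that none of the characters the page lists as safe is altered by either; the usernames, parent DN, and the build_user_dn/build_user_filter helpers are this example's own and are not the product's lookup logic.

```python
"""Escape an LDAP username for use in a DN and in a search filter.

Added example, not Product Master code. escape_dn_value and quote_dn_value
are the backslash and double-quote forms from the page (RFC 4514 / RFC 2253);
escape_filter_value is the RFC 4515 hex form that backslash, asterisk and
parentheses need inside a search filter. Sample values are constructed.
"""

# RFC 4514: these must be backslash-escaped anywhere inside a DN value.
DN_SPECIAL = set('",+;<>\\')
# RFC 4515: the only characters that need escaping in a filter value, and they
# take a two-digit hex form rather than a plain backslash prefix.
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# Characters the page lists as usable in a username without an escape character.
PAGE_SAFE = ":£!~@$%^&-_"


def escape_dn_value(value):
    """Backslash form: escape DN specials, a leading space or '#', and a trailing space."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        leading = i == 0 and ch in " #"
        trailing = i == last and ch == " "
        if ch in DN_SPECIAL or leading or trailing:
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def quote_dn_value(value):
    """Double-quote form (legacy RFC 2253): only backslash and the quote itself are escaped inside."""
    inner = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{inner}"'


def escape_filter_value(value):
    """Hex-escape the RFC 4515 filter metacharacters; everything else passes through."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_dn(username, parent_dn, naming_attr="sAMAccountName"):
    """Entry DN of the form <naming attribute>=<escaped username>,<User Parent DN>."""
    return f"{naming_attr}={escape_dn_value(username)},{parent_dn}"


def build_user_filter(username, naming_attr="sAMAccountName", person_class="person"):
    """Lookup filter that combines personClassNames with the LDAP User Naming Attribute."""
    return (f"(&(objectClass={escape_filter_value(person_class)})"
            f"({naming_attr}={escape_filter_value(username)}))")


def page_safe_chars_unchanged():
    """True when none of the page's 'safe' characters is altered by either escaper."""
    return all(escape_dn_value(c) == c and escape_filter_value(c) == c for c in PAGE_SAFE)


if __name__ == "__main__":
    # Constructed sample: a username with a comma needs the DN escape, and one
    # with '*' or parentheses passes the DN untouched but must be hex-escaped in a filter.
    print(build_user_dn("Smith, John", "OU=Apple,DC=ipm,DC=com", naming_attr="CN"))
    print(quote_dn_value("Smith, John"))
    print(build_user_filter("a*b(c)"))
    print(page_safe_chars_unchanged())
```

The split between the two escapers is the practical point: a value that is perfectly valid in a DN (asterisk, parentheses) is a wildcard or grouping token in a filter, so a lookup that only applies the DN rule lets such a username change the meaning of the search, which is the risk behind the page's advice to keep those characters out of usernames.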
Important: After you edit the First Name, Last Name, Title, Email Address, Telephone, Fax, or Address details of an LDAP user in IBM® Product Master, you must either log out and log in again or refresh your browser.