IBM InfoSphere Streams Version 4.1.1
Setting up an LDAP server for authenticating InfoSphere Streams users
The preferred authentication service for user authentication in an InfoSphere® Streams enterprise domain is the Lightweight Directory Access Protocol (LDAP) authentication service. If you are using LDAP for user authentication, it must be installed and configured before you create an enterprise domain.
Procedure
Example
The following examples show how to use LDAP search commands
to validate the following options for the streamtool mkdomain command:
- --server-url: Specifies the URL for the LDAP server that the domain uses to authenticate users.
- --user-dn: Specifies the LDAP pattern that is used to create a DN when the user logs in. For example: "cn=*,ou=People,ou=streams,o=ibm.com". When the user logs in, their user ID is substituted for the asterisk (*) in the pattern.
- --user-secondary-lookup: Specifies an LDAP user secondary lookup query, which InfoSphere Streams uses to find the LDAP user name from the provided user name.
Note: Your values will be different in the following examples. Your LDAP server administrator, who controls and manages the LDAP schema, can provide the appropriate strings to use in the LDAP searches.
The LDAP server in this example authenticates John Doe by using his uid, which is the serial number followed by the country code.
- John Doe
- serial number: 123456
- country code: 897
- uid: 123456897
- Notes® short name: jdoe
In the following LDAP search, John Doe's record is looked up by using the filter objectclass=ibmperson and uid=123456897, where the uid is the serial number followed by the country code.
ldapsearch -xLLL -h bluepages.ibm.com:389 -b "c=us,ou=bluepages,o=ibm.com" "(&(objectclass=ibmperson)(uid=123456897))"
Result:
dn: uid=123456897,c=us,ou=bluepages,o=ibm.com
objectclass: person
objectclass: organizationalPerson
objectclass: ibmPerson
objectclass: ePerson
objectclass: top
ou: bluepages
o: ibm.com
ibmserialnumber: 123456
employeecountrycode: 897
notesemail: CN=John Doe/OU=Rochester/O=IBM@IBMUS
notesmaildomain: IBMUS
notesmailfile: mail1\jdoe
notesshortname: jdoe
co: USA
uid: 123456897
In the following LDAP search, the entries are filtered by objectclass=ibmperson and notesshortname=jdoe, and only the uid attribute is returned.
ldapsearch -xLLL -h bluepages.ibm.com:389 -b "c=us,ou=bluepages,o=ibm.com" "(&(objectclass=ibmperson)(notesshortname=jdoe))" uid
Result:
dn: uid=123456897,c=us,ou=bluepages,o=ibm.com
uid: 123456897
Domain users know their notesshortname but might not know their uid, which is a combination of their serial number and country code. To let users log in with their notesshortname, create the enterprise domain with the following streamtool mkdomain command. The previous ldapsearch example verified the value to use for the --user-secondary-lookup parameter.
streamtool mkdomain -d jhbMiniCluster --ldap --server-url "ldap://bluepages.ibm.com:389" --user-dn "uid=*,c=us,ou=bluepages,o=ibm.com" --user-secondary-lookup "(&(objectclass=ibmperson)(notesshortname=*)) uid" --owner jdoe
Result:
User jdoe LDAP password:*********
CDISA0017I Creating the following domain: jhbMiniCluster.
CDISA0018I The following domain was created successfully: jhbMiniCluster.
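The following is an added example, not IBM InfoSphere Streams code, that models how the --user-dn pattern and the --user-secondary-lookup query from the streamtool mkdomain command above turn a login name into a bind DN. It runs against a constructed in-memory directory whose first entry mirrors the ldapsearch result above (the second entry, asmith, is invented), and it escapes the login name per RFC 4515 before substituting it into the lookup filter and per RFC 4514 before substituting the looked-up uid into the DN. The functions resolve_bind_dn, search, escape_filter_value and escape_dn_value are assumptions of this example, not part of the product, and how the product itself performs the substitution is not documented on this page; the example shows the behaviour an administrator should expect from the configuration, including that a login matching zero or several directory entries is rejected rather than guessed.

```python
"""Added example (not IBM InfoSphere Streams code): model of the --user-dn
pattern and --user-secondary-lookup resolution against a constructed
in-memory directory. Escaping per RFC 4515 (filters) and RFC 4514 (DNs)."""
import re

# Constructed sample directory. The first entry mirrors the ldapsearch result
# shown on this page; the second (asmith) is invented for the example.
DIRECTORY = [
    {
        "dn": "uid=123456897,c=us,ou=bluepages,o=ibm.com",
        "objectclass": ["person", "organizationalPerson", "ibmPerson", "ePerson", "top"],
        "uid": ["123456897"],
        "notesshortname": ["jdoe"],
    },
    {
        "dn": "uid=555555001,c=us,ou=bluepages,o=ibm.com",
        "objectclass": ["person", "ibmPerson", "top"],
        "uid": ["555555001"],
        "notesshortname": ["asmith"],
    },
]

# Values taken from the streamtool mkdomain command above.
USER_DN_PATTERN = "uid=*,c=us,ou=bluepages,o=ibm.com"
SECONDARY_LOOKUP = "(&(objectclass=ibmperson)(notesshortname=*)) uid"


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3),
    so that a login such as '*' is matched literally rather than as filter syntax."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '\\,+"<>;':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _value_matches(pattern, actual):
    """An unescaped '*' in a filter value is a substring wildcard; '\\2a' is a literal '*'."""
    regex = ".*".join(re.escape(_unescape(p)) for p in pattern.split("*"))
    return re.fullmatch(regex, actual, re.IGNORECASE) is not None


_ASSERTION = re.compile(r"\(([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)")


def search(directory, filter_expr):
    """Evaluate a filter of equality/substring assertions, optionally AND-ed as (&...).
    Names and values compare case-insensitively, as the caseIgnore matching rules
    of objectclass and uid do on a real server."""
    body = filter_expr.strip()
    if body.startswith("(&") and body.endswith(")"):
        body = body[2:-1]
    assertions = [(attr.lower(), pattern) for attr, pattern in _ASSERTION.findall(body)]
    return [
        entry for entry in directory
        if all(any(_value_matches(pattern, actual) for actual in entry.get(attr, []))
               for attr, pattern in assertions)
    ]


def resolve_bind_dn(login, directory=DIRECTORY, user_dn=USER_DN_PATTERN,
                    secondary=SECONDARY_LOOKUP):
    """Return the DN the domain would bind as for `login`, or None.

    With a secondary lookup, the login (here a notesshortname) is substituted
    for '*' in the lookup filter, and the named attribute (uid) of the single
    matching entry is then substituted for '*' in the --user-dn pattern.
    Zero or several matches, or a multi-valued attribute, count as failure.
    Without a secondary lookup the login itself fills the pattern."""
    if secondary is None:
        return user_dn.replace("*", escape_dn_value(login))
    filter_template, attr = secondary.rsplit(" ", 1)
    hits = search(directory, filter_template.replace("*", escape_filter_value(login)))
    if len(hits) != 1:
        return None
    values = hits[0].get(attr.lower(), [])
    if len(values) != 1:
        return None
    return user_dn.replace("*", escape_dn_value(values[0]))


if __name__ == "__main__":
    for name in ("jdoe", "asmith", "nobody", "*"):
        print("%-8s -> %s" % (name, resolve_bind_dn(name)))
```

Running the script resolves jdoe and asmith to their uid-based DNs and returns None for an unknown name and for a login of "*": because the login is escaped to \2a, the filter matches no entry instead of every entry, which is the check to keep in mind when reviewing any --user-secondary-lookup value that substitutes user input into a filter.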