Integrate TDS LDAP with Websphere Applicaiton Server

Security is a critical aspect of any distributed application model. Most of the firms have a centralized repository of the users in LDAP servers like Active Directory, TDS, Open DJ etc.

Activity :
To Integrate Tivoli Directory Server LDAP with Websphere Application Server as Federated Repository

Assumptions : 
a) Tivoli Directory server is allready Installed and users are avaliable in it ( Note Any LDAP ie Active Directory , TDS , OpenDj , Sun Directory Server etc can be used )

b) Websphere Application Server is installed and profiles and servers created and running .
c) The TDS Ldap server should be reachable from the DMGR and the Nodes .. so you can test it using telnet command
From Dmgr and Node check telnet to LDAP at Port 389 ( or which ever port its is running)

Eg : telnet <Ldap IP> 389

d) In this example I have a Dmgr , Nodeagent and a server and will be integrating the Dmgr with TDS LDap

 

Steps to Integrate LDAP with WAS

Step 1: Details from the LDAP Team.
Before beginning the Ldap Integrating there are a few information  which are needed from the LDAP team ( If its not managed by you )

Basic Details needed :

Hostname/IP address of TDS Server : 10.0.0.15
Port No : 386  ( non SSL)
Bind DN : cn =root
Bind Password : password
Base Dn: dc=ibm,dc=com

Additional properties may be needed depending on your env like
User Filter:
Group filter:
User ID map:
Group ID map:  etc..

But in my case its not needed as most are default

NOTE : Ensure that the WAS admin user which we logged in the WAS console with ie wasadmin is unique in both the Filebased and in LDAP  ie the user wasadmin should not be avaliable in the LDAP  as its allready there in the FileBased Registry

And If “wasadmin” is also there in LDAP , then there will be conflict and we will be prevented to login to the admin console as “wasadmin” post the Integration with TDS.

As a best practice , keep wasadmin intact but create another user in the LDAP and later add this use to the admin group from the was console .

For eg  I have created “webadmin” as an user in the LDAP which I will add to the was administration group after the WAS integration wth LDAP in this article

This is applicable for all the users in the WAS and LDAP. It should be unique in the repositories

 

Step 2: Validating using LDAP Browsers

a) Downlaod the Ldap Browser and extract it . Then Launch the “lbe.jar”

lbe

lbe1

b) Go File >> New

lbe2

c) Give a name to the connections for recognition . I have entered TDSLDAP

lbe3

d) Go to “Connections” tab

LdapBrowser1
             1) Enter the IP Address(10.0.0.15) Port No (389) and click Fetch DN .
             2) Select dc=ibm,dc=com
            3) Uncheck  “Anonymous bind”
            4) Enter username “cn=root” and password = password
            5) Click Save and then Connect

e) We will see all the users which are there in the Ldap in the Ldap Browser console

LdapBrowser2

Step 3: Once all the information is available and validated, we can proceed with the integration of Ldap with WAS


Step 4: 
Login to the WAS Admin console with wasadmin user

url :https://10.0.0.15:9043/ibm/console 

Just to check the list of users Navigate to Users and Group >> Manage Users
We  see the List of users before the integration . Only “wasadmin” as File Based Realm

FederatedRepos0

Step 5: To Integrate Ldap .. Click  “Global Security “

FederatedRepos

Then Click “Configure” on the Federated Repositories


Step 6:
 Click on “Manage Repositories” as per the screenshot

FederatedRepos1


Step 7:
 Click  “ADD” and  , Select “LDAP repository” from the dropdown

FederatedRepos3


Step 8:
 This page we need to enter the details of the LDAP ( shared by Ldap team )
      a ) Enter the LDAP Name  (  Can be any name which will identify it . I have named it TDSLDAP )
     b )  In the Drop Down Select “IBM Tivoli Directory Server “
     c ) Enter the Bind Distintguised Name : cn=root
    d )   Enter the Bind Password : password
    e )  Here the Federated Repository properties for login is “uid” it might differ based on your              environment it could be “cn” “email id ” etc
    f )  Primary Host Name : connections.ibm.com ( you could provide the ip too )
    g )  Port No : 389
    i )  Click Apply and Save

FederatedRepos4

 

FederatedRepos5


Step 9:
 Click on Global security > Federated repositories

FederatedRepos6

Click on “Add Repositories ( LDAP custom etc )


Step 10:
 From the drop Down Select “TDSLDAP”

FederatedRepos7

Enter the Base DN in our case : dc=ibm,dc=com


Step 11:
 Click Apply and Save

FederatedRepos8


Step 12:
 Check “Allow operations if some of the repositories are down”

FederatedRepos9

This will enable us to login as wasadmin to the admin console even if the LDAP id down .


Step 13: 
Click Apply and Save

FederatedRepos10

Step 14: Do full Synchronise


Step 15:
 Stop the Servers, Nodeagent and the Dmgr

Stop Servers
/opt/IBM/WebSphere/AppServer/profiles/Custom01/bin/stopServer.sh server1

Stop Nodeagent
/opt/IBM/WebSphere/AppServer/profiles/Custom01/bin/stopNode.sh server1

Stop Dmgr
/opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin/stopManager.sh

 

Step 16: Start the Dmgr , Nodeagent and Servers
Start Dmgr :
/opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin/startManager.sh

Start Nodeagent :
/opt/IBM/WebSphere/AppServer/profiles/Custom01/bin/startNode.sh

Start Server :
/opt/IBM/WebSphere/AppServer/profiles/Custom01/bin/startServer.sh server1

Check for any errors for LDAP etc in the SystemOut logs


Step 17:
 Validation : Now login with the file based registry user ie “wasadmin”

We can see the users from the LDAP and also  wasadmin user from file based repository


tds1

 

 

Testing

Test 1: We will add user “santosh”  from the LDAP as a monitor role in WAS  and test it

           a ) Click User and Groups >> Administrative user Roles
Currently only “wasadmin” is available

FederatedRepos32

b )
 Click Add ,

FederatedRepos32

          c ) Select “monitor” Role
Search the users using the Search button , We will be able to see the users from the ldap
Select “santosh” and drag it to the other side

FederatedRepos33
Select OK and Save the configurations

FederatedRepos34
The user “santosh “ is added to the Administrative role as a “monitor” Role

FederatedRepos35Apply and Sync with the nodes

         d )  Now Logout

         e )  Try login with user Santosh and password: password (As mentioned in the LDAP ) 
         f )  We are able to login properly if all the setting are done correctly

FederatedRepos36
           g )  Navigate to other options and you will not see lots of options which were visible in the                            wasadmin login

FederatedRepos37
for eg under Nodes we dont see the options like Full Syncronise , Add etc


Test 2 :
 We will add webadmin this user is from the LDPA we will add it to the admin group

               a)  Click User and Groups >> Administrative user Roles
Currently only “wasadmin” is there
              b )  Click Add ,

              c )  Select “administrator” Role
Search the users using the Search button , We will be able to see the users there
Select “webadmin” and drag it to the other side

FederatedRepos38

Click OK and Save the changes

FederatedRepos39
Apply and Sync with the nodes

          d ) Now Logout

         e )  Try login with user webadmin and password: password (Password from the Ldap) 

FederatedRepos40
         f ) We will see all the options which were available for wasadmin is also available for                     “webadmin“.

 

This is how we integrate TDS LDAP with Websphere Application Server . Similarly we can integrate any LDAP like Active Directory  etc in a federated Repository .

 

 

To get regular mail updates on my Posts..
Please subscribe to the site http://webspherepundit.com
And also like the Facebook Page
https://www.facebook.com/webspherepundit

 

Leave a Reply

Your email address will not be published. Required fields are marked *