Tag Archive | federated repository

Integrate TDS LDAP with Websphere Applicaiton Server

Security is a critical aspect of any distributed application model. Most of the firms have a centralized repository of the users in LDAP servers like Active Directory, TDS, Open DJ etc.

Activity :
To Integrate Tivoli Directory Server LDAP with Websphere Application Server as Federated Repository

Assumptions : 
a) Tivoli Directory server is allready Installed and users are avaliable in it ( Note Any LDAP ie Active Directory , TDS , OpenDj , Sun Directory Server etc can be used )

b) Websphere Application Server is installed and profiles and servers created and running .
c) The TDS Ldap server should be reachable from the DMGR and the Nodes .. so you can test it using telnet command
From Dmgr and Node check telnet to LDAP at Port 389 ( or which ever port its is running)

Eg : telnet <Ldap IP> 389

d) In this example I have a Dmgr , Nodeagent and a server and will be integrating the Dmgr with TDS LDap


Steps to Integrate LDAP with WAS

Step 1: Details from the LDAP Team.
Before beginning the Ldap Integrating there are a few information  which are needed from the LDAP team ( If its not managed by you )

Basic Details needed :

Hostname/IP address of TDS Server :
Port No : 386  ( non SSL)
Bind DN : cn =root
Bind Password : password
Base Dn: dc=ibm,dc=com

Additional properties may be needed depending on your env like
User Filter:
Group filter:
User ID map:
Group ID map:  etc..

But in my case its not needed as most are default

NOTE : Ensure that the WAS admin user which we logged in the WAS console with ie wasadmin is unique in both the Filebased and in LDAP  ie the user wasadmin should not be avaliable in the LDAP  as its allready there in the FileBased Registry

And If “wasadmin” is also there in LDAP , then there will be conflict and we will be prevented to login to the admin console as “wasadmin” post the Integration with TDS.

As a best practice , keep wasadmin intact but create another user in the LDAP and later add this use to the admin group from the was console .

For eg  I have created “webadmin” as an user in the LDAP which I will add to the was administration group after the WAS integration wth LDAP in this article

This is applicable for all the users in the WAS and LDAP. It should be unique in the repositories


Step 2: Validating using LDAP Browsers

a) Downlaod the Ldap Browser and extract it . Then Launch the “lbe.jar”



b) Go File >> New


c) Give a name to the connections for recognition . I have entered TDSLDAP


d) Go to “Connections” tab

             1) Enter the IP Address( Port No (389) and click Fetch DN .
             2) Select dc=ibm,dc=com
            3) Uncheck  “Anonymous bind”
            4) Enter username “cn=root” and password = password
            5) Click Save and then Connect

e) We will see all the users which are there in the Ldap in the Ldap Browser console


Step 3: Once all the information is available and validated, we can proceed with the integration of Ldap with WAS

Step 4: 
Login to the WAS Admin console with wasadmin user

url : 

Just to check the list of users Navigate to Users and Group >> Manage Users
We  see the List of users before the integration . Only “wasadmin” as File Based Realm


Step 5: To Integrate Ldap .. Click  “Global Security “


Then Click “Configure” on the Federated Repositories

Step 6:
 Click on “Manage Repositories” as per the screenshot


Step 7:
 Click  “ADD” and  , Select “LDAP repository” from the dropdown


Step 8:
 This page we need to enter the details of the LDAP ( shared by Ldap team )
      a ) Enter the LDAP Name  (  Can be any name which will identify it . I have named it TDSLDAP )
     b )  In the Drop Down Select “IBM Tivoli Directory Server “
     c ) Enter the Bind Distintguised Name : cn=root
    d )   Enter the Bind Password : password
    e )  Here the Federated Repository properties for login is “uid” it might differ based on your              environment it could be “cn” “email id ” etc
    f )  Primary Host Name : connections.ibm.com ( you could provide the ip too )
    g )  Port No : 389
    i )  Click Apply and Save




Step 9:
 Click on Global security > Federated repositories


Click on “Add Repositories ( LDAP custom etc )

Step 10:
 From the drop Down Select “TDSLDAP”


Enter the Base DN in our case : dc=ibm,dc=com

Step 11:
 Click Apply and Save


Step 12:
 Check “Allow operations if some of the repositories are down”


This will enable us to login as wasadmin to the admin console even if the LDAP id down .

Step 13: 
Click Apply and Save


Step 14: Do full Synchronise

Step 15:
 Stop the Servers, Nodeagent and the Dmgr

Stop Servers
/opt/IBM/WebSphere/AppServer/profiles/Custom01/bin/stopServer.sh server1

Stop Nodeagent
/opt/IBM/WebSphere/AppServer/profiles/Custom01/bin/stopNode.sh server1

Stop Dmgr


Step 16: Start the Dmgr , Nodeagent and Servers
Start Dmgr :

Start Nodeagent :

Start Server :
/opt/IBM/WebSphere/AppServer/profiles/Custom01/bin/startServer.sh server1

Check for any errors for LDAP etc in the SystemOut logs

Step 17:
 Validation : Now login with the file based registry user ie “wasadmin”

We can see the users from the LDAP and also  wasadmin user from file based repository





Test 1: We will add user “santosh”  from the LDAP as a monitor role in WAS  and test it

           a ) Click User and Groups >> Administrative user Roles
Currently only “wasadmin” is available


b )
 Click Add ,


          c ) Select “monitor” Role
Search the users using the Search button , We will be able to see the users from the ldap
Select “santosh” and drag it to the other side

Select OK and Save the configurations

The user “santosh “ is added to the Administrative role as a “monitor” Role

FederatedRepos35Apply and Sync with the nodes

         d )  Now Logout

         e )  Try login with user Santosh and password: password (As mentioned in the LDAP ) 
         f )  We are able to login properly if all the setting are done correctly

           g )  Navigate to other options and you will not see lots of options which were visible in the                            wasadmin login

for eg under Nodes we dont see the options like Full Syncronise , Add etc

Test 2 :
 We will add webadmin this user is from the LDPA we will add it to the admin group

               a)  Click User and Groups >> Administrative user Roles
Currently only “wasadmin” is there
              b )  Click Add ,

              c )  Select “administrator” Role
Search the users using the Search button , We will be able to see the users there
Select “webadmin” and drag it to the other side


Click OK and Save the changes

Apply and Sync with the nodes

          d ) Now Logout

         e )  Try login with user webadmin and password: password (Password from the Ldap) 

         f ) We will see all the options which were available for wasadmin is also available for                     “webadmin“.


This is how we integrate TDS LDAP with Websphere Application Server . Similarly we can integrate any LDAP like Active Directory  etc in a federated Repository .



To get regular mail updates on my Posts..
Please subscribe to the site http://webspherepundit.com
And also like the Facebook Page