Enabling security with an LDAP user registry

AIX, Sun Solaris Operating Environment, Linux: To enable WebSphere Application Server security when you are using LDAP as the WebSphere Application Server user registry, log into the system as the wasuser ID and perform the following steps.

i5/OS, iSeries: To enable WebSphere Application Server security when you are using LDAP as the WebSphere Application Server user registry, log into the system and perform the following steps.

Windows: To enable WebSphere Application Server security when you are using LDAP as the WebSphere Application Server user registry, log into the system as a user with administrative authority and perform the following steps.

  1. Start WebSphere Application Server and open the WebSphere Application Server Administration Console.
  2. In the Administration Console, modify the global security settings as follows:
    1. Under Security, expand User Registries and click LDAP. Fill in the fields in the Configuration tab as follows, depending on the type of directory server you are using:
      IBM Directory Server users (AIX, i5/OS, iSeries, Linux, Sun Solaris Operating Environment, Windows):
        Server User ID: User ID. Sample value: user_ID. Notes:
          • This must not be the LDAP administrator.
          • Do not use a user that has been specified as cn=xxx.
          • Ensure that the object class of this user is compatible with the object class specified in the User Filter field of the LDAP Advanced Properties window.
        Server User Password: User Password. Sample value: password.
        Type: Type of LDAP server. Sample value: SecureWay.
        Host: Host name of the LDAP server. Sample value: hostname.domain.com.
        Port: Port that the LDAP server is using. This field is not required.
        Base Distinguished Name: Distinguished Name under which searching occurs. Sample value: o=ibm,c=us.
        Bind Distinguished Name: Distinguished Name for binding to the directory when searching. This field is not required.
        Bind Password: Password for the Bind Distinguished Name. This field is not required.
      Sun ONE users (Sun Solaris Operating Environment):
        Server User ID: User ID. Sample value: user_ID. Notes:
          • This must not be the LDAP administrator.
          • Do not use a user that has been specified as cn=xxx.
          • Ensure that the object class of this user is compatible with the object class specified in the User Filter field of the LDAP Advanced Properties window.
        Server User Password: User Password. Sample value: password.
        Type: Type of LDAP server. Sample value: iPlanet.
        Host: Host name of the LDAP server. Sample value: hostname.domain.com.
        Port: Port that the LDAP server is using. This field is not required.
        Base Distinguished Name: Distinguished Name under which searching occurs. Sample value: o=ibm.
        Bind Distinguished Name: Distinguished Name for binding to the directory when searching. This field is not required.
        Bind Password: Password for the Bind Distinguished Name. This field is not required.
      Lotus Domino users (AIX, Windows):
        Server User ID: Short Name/User ID. Sample value: user_ID. Note: Ensure that the object class of this user is compatible with the object class specified in the User Filter field of the LDAP Advanced Properties window.
        Server User Password: User Password. Sample value: password.
        Type: Type of LDAP server. Sample value: Domino 5.0.
        Host: Host name of the LDAP server. Sample value: hostname.domain.com.
        Port: Port that the LDAP server is using. This field is not required.
        Base Distinguished Name: Distinguished Name under which searching occurs. This field is not required.
        Bind Distinguished Name: Distinguished Name for binding to the directory when searching. This field is not required.
        Bind Password: Password for the Bind Distinguished Name. This field is not required.
      Active Directory users (Windows):
        Server User ID: sAMAccountName. Sample value: user_ID. Notes:
          • User Logon Name of any ordinary user.
          • Do not use a user that has been specified as cn=xxx.
          • Ensure that the object class of this user is compatible with the object class specified in the User Filter field of the LDAP Advanced Properties window.
        Server User Password: User Password. Sample value: password.
        Type: Type of LDAP server. Sample value: Active Directory.
        Host: Host name of the LDAP server. Sample value: hostname.domain.com.
        Port: Port that the LDAP server is using. This field is not required.
        Base Distinguished Name: Distinguished Name under which searching occurs. Sample value: CN=users,DC=domain1,DC=domain2,DC=com.
        Bind Distinguished Name: Distinguished Name for binding to the directory when searching. Sample value: CN=user_ID,CN=users,DC=domain1,DC=domain2,DC=com. Note: The user_ID value is the Display Name. This is not necessarily the same as the User Logon Name.
        Bind Password: Password for the Bind Distinguished Name. Sample value: bind_password. Note: This should be the same as the Security Server Password.
      Click Apply.
    2. In the Administration Console, expand Security, then expand Authentication Mechanisms and click LTPA.
      1. In the LTPA Configuration tab, fill in the LTPA settings as required and click Apply.
      2. Under Additional Properties, click Single Signon (SSO) and clear the Enabled check box if you do not want to use this functionality.
      3. Click Apply.
    3. In the Administration Console, expand Security and click Global Security.
      1. In the Global Security Configuration tab, select Enabled and clear Enforce Java 2 Security. Note: WebSphere Commerce 5.6 does not support Java 2 security.
      2. In the Active Authentication Mechanism field, select Lightweight Third Party Authentication (LTPA).
      3. In the Active User Registry field, select LDAP.
      4. Click Apply.
    4. In the Administration Console, expand Applications, then click Enterprise Applications.
      1. In the Enterprise Applications window, click your Commerce application, WC_instance_name (for example, WC_demo).
      2. Under Additional Properties, click Map security roles to users/groups.
      3. Select WCSecurityRole using the check box at the left and click Lookup users. Locate the user whose role you wish to map. The following are example steps to look up an LDAP user and map the WCSecurityRole role to that user. These steps are specific to WebSphere Application Server Network Deployment for an LDAP user named myuser. The steps on your system should be similar but could vary slightly:
        1. Using a search string of "*", click Search.
        2. In the Available panel, the myuser distinguished name (for example, uid=myuser,cn=users,dc=ibm,dc=com) should be retrieved from the LDAP server. Select it and click the >> button to move it into the Selected panel.
        3. Click OK.
        4. Click OK again in the "Mapping Users to Roles" panel.
        5. If the Dynamic Cache Monitor is installed, repeat this process to also assign the Administrator role to the myuser user.
        6. Click Save.
        7. If you are using WebSphere Application Server Network Deployment, select the Synchronize changes with Nodes check box.
        8. Click Save again to apply the changes to the master configuration.
  3. Close the Administration Console, and stop and restart the WebSphere Application Server Administration Console. From now on, when you open the WebSphere Application Server Administration Console, you will be prompted for the Security Server ID and password. Do not restart the WebSphere Commerce server yet, since you still need to configure security in the WebSphere Commerce Configuration Manager. If you are running WebSphere Application Server Network Deployment, then you must also stop the node agents, and the deployment manager.
  4. Open the WebSphere Commerce Configuration Manager and select Commerce > Instance List > instance_name > Instance Properties > Security and click the Enable Security check box. Select LDAP User Registry for the Authentication Mode. You are prompted to enter the user name and password that you entered in step 2diii. Click Apply then exit Configuration Manager.
  5. Restart all application servers.
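Once security is enabled, the Administration Console itself authenticates with the Security Server ID against the LDAP registry, so it pays to check the registry values against the constraints the tables state before step 2 is applied: the server user must not be the LDAP administrator, must not be given as cn=xxx, must carry the object class named in the User Filter, and must be findable under the Base Distinguished Name. The following pre-flight check is an added example, not IBM's code; the sample entry, the user filter and the administrator DN cn=root are constructed, and the base DN follows the IBM Directory Server row.

```python
import re

def parse_dn(dn):
    """Split a DN into lower-cased (attribute, value) RDNs, most specific first.
    Handles the simple comma-separated DNs in the tables (no escaped commas)."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns

def dn_under_base(dn, base):
    """True if the entry at dn is reachable by a search under base."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def filter_object_class(user_filter):
    """Object class named in the User Filter (LDAP Advanced Properties), if any."""
    m = re.search(r"objectclass=([^)]+)", user_filter, re.IGNORECASE)
    return m.group(1).strip().lower() if m else None

def preflight(settings, entry):
    """Check the registry settings against the constraints stated in the tables.
    entry is the directory entry the Server User ID resolves to; returns a list
    of problems, empty when the settings pass."""
    problems = []
    if settings["server_user_id"].lower().startswith("cn="):
        problems.append("Server User ID is specified as cn=xxx")
    if entry["dn"].lower() == settings["ldap_admin_dn"].lower():
        problems.append("Server User ID resolves to the LDAP administrator")
    required = filter_object_class(settings["user_filter"])
    if required and required not in [c.lower() for c in entry["objectClass"]]:
        problems.append("user entry lacks object class %s named in the User Filter" % required)
    if not dn_under_base(entry["dn"], settings["base_dn"]):
        problems.append("user entry is outside the Base Distinguished Name")
    return problems

# Constructed sample data (not from a real directory). The base DN follows the
# IBM Directory Server row; the user filter and administrator DN are assumed.
GOOD_SETTINGS = {"server_user_id": "wasuser", "base_dn": "o=ibm,c=us",
                 "user_filter": "(&(uid=%v)(objectclass=inetOrgPerson))",
                 "ldap_admin_dn": "cn=root"}
GOOD_ENTRY = {"dn": "uid=wasuser,cn=users,o=ibm,c=us",
              "objectClass": ["top", "person", "inetOrgPerson"]}
# Pointing the Server User ID at the directory administrator fails all four checks.
BAD_SETTINGS = dict(GOOD_SETTINGS, server_user_id="cn=root")
BAD_ENTRY = {"dn": "cn=root", "objectClass": ["top"]}
```

In practice the entry dict is filled from an ldapsearch for the Server User ID under the Base Distinguished Name, using the Bind Distinguished Name and password from the same table.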