CONFIGURING OPENLDAP AS USER REGISTRY FOR WEBSPHERE APPLICATION SERVER.

WebSphere Application Server (WAS) 5.0.x and 5.1.x can use different user registries
for authentication purposes.

The user registries available for use with WAS are

1) Local OS

2) LDAP (Lightweight Directory Access Protocol)

3) Custom Registry

This article specifically addresses how to configure WebSphere Application Server
5.x.x with an OpenLDAP server (ver 2.2.13) on a Linux environment (specifically
Redhat 9, Kernel 2.4.20-6). [Although the procedure should be fairly similar on other
Linux flavours]

Also, note that the WebSphere Application Server can be on any of the supported
operating systems; only the LDAP server needs to be on a Linux machine for this
setup.

OpenLDAP offers the following benefits:

1) Cost effectiveness.
For minimal testing of secure web applications to be deployed on WebSphere Application Server,
it would be a costly decision for a development house/service provider to acquire a vendor-specific LDAP server.

2) Minimal configuration required
Except for the complexities involved in the build of OpenLDAP, which this article addresses.

3) Runs on a wide variety of platforms

 

/////// BUILDING OPENLDAP SERVER //////

Installation of OpenLDAP consists of first building the following
pre-requisite components:

1) Cyrus SASL (ver 2.1.19)

2) Berkeley DB (4.2.52)

Building Cyrus SASL2 Libraries

1) Extract the contents of cyrus-sasl-2.1.19.tar.gz
by doing gunzip <filename.gz>, followed by tar -xvf <filename.tar>

Installables can be obtained from
ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-2.1.19.tar.gz
(you can also follow the link on the OpenLDAP site for obtaining the same)

2) Go to the cyrus-sasl-2.1.19 directory and
issue the following commands

./configure
make (builds the sources)
make install (installs the libraries)

 

Building the Berkeley DB (this will be used as the repository for LDAP entries)

1) Extract the contents of db-4.2.52.tar.gz
by doing gunzip <filename.gz>, followed by tar -xvf <filename.tar>

Installables can be obtained from
http://www.sleepycat.com/update/snapshot/db-4.2.52.tar.gz

Also, download the patch files patch.4.2.52.1.txt and patch.4.2.52.2.txt.
Invoke the patch utility in db-4.2.52.NC (after copying the above patch
files into this directory) by

patch -p0 < patch.4.2.52.1.txt
patch -p0 < patch.4.2.52.2.txt

2) Go to the db-4.2.52.NC directory and issue

./configure
make
make install

Building the OpenLDAP server

1) Extract the contents of openldap-2.2.13.tgz by

gunzip -c openldap-VERSION.tgz | tar xvfB -

The release can be obtained from ftp://ftp.openldap.org/pub/openldap/openldap-release/

2) cd openldap-RELEASE

3) Run the following command by directly copying this text (without line breaks)

env CPPFLAGS="-I/usr/local/BerkeleyDB.4.2/include -I/usr/local/include/sasl2" LDFLAGS="-L/usr/local/BerkeleyDB.4.2/lib -L/usr/local/lib/sasl2" ./configure --with-wrappers

4) The above step creates a Makefile

5) make depend

6) make

7) Create a symbolic link in the /usr/lib folder by

ln -s /usr/local/lib/libsasl2.so.2.0.19 /usr/lib/libsasl2.so.2

8) make test

(The above step checks that the slapd executable runs all the test cases successfully.
Note: this might take a couple of minutes)

9) If the above step completes successfully, then issue

make install

You can also follow the instructions given at
http://www.openldap.org/doc/admin22/quickstart.html

CONFIGURATION OF OPENLDAP SERVER WITH WEBSPHERE APPLICATION SERVER 5.X.X

slapd.conf is the main configuration file for the OpenLDAP server.
It can be located under
<openldap-RELEASE>/servers/slapd

1) Add the following line in slapd.conf for the schema definition

include ./schema/cosine.schema

(just before the following comment

#######################################################################
# ldbm database definitions
#######################################################################
)

2) Add the following objectclass definition in cosine.schema
(located under the <openldap-RELEASE>/servers/slapd/schema/ directory;
continuation lines of a schema definition must start with whitespace)

objectclass ( 9299.5.6.6 NAME 'user'
    DESC 'RFC2256: a user'
    SUP top STRUCTURAL
    MUST ( sn $ cn $ uid )
    MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )

3) Change the suffix and rootdn in slapd.conf like

suffix "dc=thunderbird,dc=org"
rootdn "cn=manager,dc=thunderbird,dc=org"

4) Start the server by

cd <openldap-RELEASE>/servers/slapd/
./slapd -f slapd.conf

(slapd.conf is located in the same directory as the slapd daemon)

5) ps -ef | grep slapd should give the pid of the LDAP server daemon

6) Populate the LDAP entries by the following commands

Create an ldif file like populate.ldif with the following contents

## Build the root node
dn: dc=thunderbird,dc=org
dc: thunderbird
objectClass: dcObject
objectClass: organizationalUnit
ou: thunderbird.org

## Build the people ou
dn: ou=people,dc=thunderbird,dc=org
ou: people
objectClass: organizationalUnit

Note: no space/tab characters should be at the end of any line in the .ldif file

This will create the root node of our database (thunderbird.org) and one organizational unit (ou).

7) Issue the following command

ldapadd -x -D "cn=manager,dc=thunderbird,dc=org" -W -f populate.ldif

-W will prompt for the LDAP administrator password (default password: secret)

8) To add a user named 'user1' in the LDAP registry, create an ldif file users.ldif like

dn: uid=user1,ou=people,dc=thunderbird,dc=org
cn: Test user
sn: User
uid: user1
userPassword: password
objectclass: user

9) Issue

ldapadd -x -D "cn=manager,dc=thunderbird,dc=org" -W -f users.ldif

10) To change the default password of user1, you can use

ldappasswd -x -D "cn=manager,dc=thunderbird,dc=org" -W -S "uid=user1,ou=people,dc=thunderbird,dc=org"

WebSphere Application Server Specific Settings:

Start the Deployment Manager / AppServer

Open the Admin console application in a browser

1) Navigate to Security -> User Registries -> LDAP

Field name                  Value
Server User ID              user1
Server User Password        password
Type                        CUSTOM
Host                        IP address / hostname of the LDAP server
Port                        389 (default port)
Base Distinguished Name     ou=people,dc=thunderbird,dc=org
Ignore case                 True

2) Navigate to Security -> User Registries -> LDAP -> Advanced LDAP Settings

Field name                  Value
User Filter                 (&(uid=%v)(objectclass=user))
Group Filter                (&(cn=%v)(objectclass=group))
User ID Map                 user:sAMAccountName
Group ID Map                *:cn
Group Member ID Map         memberof:member
Certificate Map mode        EXACT_DN
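As an added example (not from the original article), the following Python script checks a users.ldif entry offline against the points above: trailing whitespace in the .ldif, the MUST attributes of the custom 'user' objectclass, the Base Distinguished Name, and the User Filter template with %v substituted and escaped per RFC 4515. The sample LDIF and the escaping behaviour are constructed here and say nothing about how WAS itself expands %v.

```python
# Added example, not the article's own code: offline checks on the users.ldif
# entry and on the WAS User Filter template. Sample data is constructed below.
USERS_LDIF = """\
dn: uid=user1,ou=people,dc=thunderbird,dc=org
cn: Test user
sn: User
uid: user1
userPassword: password
objectclass: user
"""
BASE_DN = "ou=people,dc=thunderbird,dc=org"     # WAS "Base Distinguished Name"
USER_FILTER = "(&(uid=%v)(objectclass=user))"    # WAS "User Filter"
USER_MUST = {"sn", "cn", "uid"}   # MUST list of the custom 'user' objectclass

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; reject trailing blanks (see the note)."""
    entries, attrs, dn = [], {}, None
    for lineno, line in enumerate(text.splitlines(), 1):
        if line != line.rstrip(" \t"):
            raise ValueError(f"line {lineno}: trailing space/tab (see article note)")
        if line.startswith("#"):
            continue
        if not line:                          # blank line ends an entry
            if dn: entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    if dn: entries.append((dn, attrs))
    return entries

def check_user_entry(entry, base_dn=BASE_DN):
    """Outside the base DN: WAS never finds it; missing MUST attr: slapd refuses it."""
    dn, attrs = entry
    problems = []
    if not dn.lower().endswith("," + base_dn.lower()):
        problems.append("dn not under base DN")
    if "user" in (v.lower() for v in attrs.get("objectclass", [])):
        problems += [f"missing {a}" for a in sorted(USER_MUST - set(attrs))]
    return problems

# RFC 4515 escapes: these characters would be parsed as filter syntax after %v.
_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def render_user_filter(login, template=USER_FILTER):
    """Substitute %v with the escaped login (assumed safe handling, not WAS's own code)."""
    return template.replace("%v", "".join(_ESC.get(c, c) for c in login))
```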

 

3) Navigate to Security -> Authentication Mechanisms
Give the password and confirm password (you can default this to 'password')

4) Navigate to Security
Check the Enabled checkbox
Uncheck Enforce Java 2 Security
Change Active User Registry to LDAP
Press Apply, OK

5) If the Admin Console validates the LDAP user successfully, you can
save the configuration and restart the appserver / deployment manager.

After the next start of the appserver / deployment manager, you have to
give the username user1 and the password 'password' to enter the
admin console.

 

Additional Links :

 

OpenLDAP's official site : http://www.openldap.org

Quick Start : http://www.openldap.org/doc/admin22/quickstart.html

 
