Monday, August 24, 2009

Configuring WebSphere Portal 6.1 Security using Sun One LDAP

Scenario: Sun One LDAP 5.2 is installed on the same machine as WebSphere Portal 6.1. I use a custom LDAP schema: I extended the inetOrgPerson object class and created a vPerson object class.

Once the LDAP server was installed, I created a suffix called dc=mycompany,dc=com and initialized it. All of these steps can be done with the Sun One Administration Console.

After the LDAP installation I created the following groups and users. Groups go under the ou=Groups,dc=mycompany,dc=com branch and users under the ou=People,dc=mycompany,dc=com branch:

  • cn=wpsadmins,ou=groups,dc=mycompany,dc=com
  • cn=wcmadmins,ou=groups,dc=mycompany,dc=com
  • cn=wpsContentAdministrators,ou=groups,dc=mycompany,dc=com
  • uid=wpsadmin,ou=people,dc=mycompany,dc=com
  • uid=wcmadmin,ou=people,dc=mycompany,dc=com

You can also use the PortalUsers.ldif and ContentUsers.ldif files that ship with the Portal installation: modify them and import them into LDAP. Once Sun One LDAP was set up, I used an LDAP client to bind as wpsadmin to make sure the account works, so that the credentials I later put in the Portal configuration were known to be good before touching Portal.

In Portal 6.1 security is enabled out of the box against a file-based user repository. Using ConfigEngine the user registry can be switched to LDAP.

I enabled Sun One LDAP as a stand-alone LDAP repository in VMM (Virtual Member Manager).

Step 1: Edit the helper file.
The file is in \ConfigEngine\config\helpers.

I modified the following properties (the password values shown are placeholders):
standalone.ldap.bindDN=cn=Directory Manager
standalone.ldap.bindPassword=my secret can't guess
standalone.ldap.serverPassword=another secret
standalone.ldap.primaryAdminPassword=another secret
standalone.ldap.primaryPortalAdminPassword=another secret

Two things to watch here. cn=Directory Manager is the Sun One root account; a dedicated bind DN limited to the People and Groups branches (with write access only if Portal will create users, as it does at the end of this article) is the least-privilege choice. And the helper file stores these passwords in clear text, so restrict who can read it.


The dynamic group attribute property is set to vPortalGroup. That means a user entry in LDAP carries one vPortalGroup value per group the user belongs to.

If you are using dynamic groups, make sure wpsadmin is in the wpsadmins group, otherwise the administrator account will not get the rights that group carries after the switch to LDAP. I added the following attribute values to uid=wpsadmin,ou=people,dc=mycompany,dc=com in LDAP (LDIF notation):
vPortalGroup: cn=wpsadmins,ou=groups,dc=mycompany,dc=com
vPortalGroup: cn=wcmadmins,ou=groups,dc=mycompany,dc=com

I have not changed any of the other properties.
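Before importing the LDIF and running the Portal validation, it is worth checking the dynamic-group data itself: every vPortalGroup value should resolve to a real group under ou=Groups, and wpsadmin must actually reference wpsadmins. The following pre-flight checker is an added example written for this post, not code from IBM or the original author. The LDIF inside it is constructed to mirror the tree above (it is not the shipped PortalUsers.ldif), vPortalGroup and vPerson are the post's names, and the helper function names are hypothetical.

```python
"""Pre-flight check of the user/group LDIF before importing it into Sun One.
Added example for this post, not IBM's or the original author's code."""
import re
from collections import defaultdict

# Constructed sample (not the real PortalUsers.ldif). groupOfUniqueNames MUST
# carry a uniqueMember, so each group keeps one static member as well; the
# dynamic membership lives in the users' vPortalGroup values. The last
# wcmadmin value deliberately names a group that does not exist.
SAMPLE_LDIF = """\
dn: cn=wpsadmins,ou=Groups,dc=mycompany,dc=com
objectClass: groupOfUniqueNames
cn: wpsadmins
uniqueMember: uid=wpsadmin,ou=People,dc=mycompany,dc=com

dn: cn=wcmadmins,ou=Groups,dc=mycompany,dc=com
objectClass: groupOfUniqueNames
cn: wcmadmins
uniqueMember: uid=wcmadmin,ou=People,dc=mycompany,dc=com

dn: uid=wpsadmin,ou=People,dc=mycompany,dc=com
objectClass: inetOrgPerson
objectClass: vPerson
uid: wpsadmin
cn: wpsadmin
sn: admin
vPortalGroup: cn=wpsadmins,ou=groups,dc=mycompany,dc=com
vPortalGroup: cn=wcmadmins,ou=groups,dc=mycompany,dc=com

dn: uid=wcmadmin,ou=People,dc=mycompany,dc=com
objectClass: inetOrgPerson
objectClass: vPerson
uid: wcmadmin
cn: wcmadmin
sn: admin
vPortalGroup: cn=wcmadmins,ou=groups,dc=mycompany,dc=com
vPortalGroup: cn=wpsDoesNotExist,ou=groups,dc=mycompany,dc=com
"""


def normalize_dn(dn):
    """Case- and whitespace-insensitive DN form: the post writes both
    ou=Groups and ou=groups, and LDAP treats them as the same DN."""
    parts = re.split(r"(?<!\\),", dn)
    return ",".join(re.sub(r"\s*=\s*", "=", p.strip()).lower() for p in parts)


def parse_ldif(text):
    """Minimal LDIF reader: 'attr: value' lines, folded continuation lines,
    blank-line separated entries. Returns {normalized dn: {attr: [values]}}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)
    entries, cur_dn, cur_attrs = {}, None, None
    for line in lines + [""]:             # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if cur_dn is not None:
                entries[cur_dn] = cur_attrs
            cur_dn, cur_attrs = None, None
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            cur_dn, cur_attrs = normalize_dn(value), defaultdict(list)
        elif cur_attrs is not None:
            cur_attrs[name].append(value)
    return entries


def dynamic_members(ldif_text, group_dn, member_attr="vPortalGroup"):
    """Who is in a dynamic group: every entry whose member_attr names the group."""
    entries = parse_ldif(ldif_text)
    target = normalize_dn(group_dn)
    return sorted(dn for dn, attrs in entries.items()
                  if target in {normalize_dn(v) for v in attrs.get(member_attr.lower(), [])})


def check_dynamic_groups(ldif_text, member_attr="vPortalGroup",
                         group_base="ou=Groups,dc=mycompany,dc=com",
                         admin_user="uid=wpsadmin,ou=People,dc=mycompany,dc=com",
                         admin_group="cn=wpsadmins,ou=Groups,dc=mycompany,dc=com"):
    """Return a list of problems: dangling or out-of-branch group references,
    and the portal administrator missing from its admin group."""
    entries = parse_ldif(ldif_text)
    attr, base = member_attr.lower(), normalize_dn(group_base)
    problems = []
    for dn, attrs in entries.items():
        for ref in attrs.get(attr, []):
            ref_n = normalize_dn(ref)
            if ref_n not in entries:
                problems.append(f"{dn}: {member_attr} points at missing entry {ref}")
            elif not ref_n.endswith("," + base):
                problems.append(f"{dn}: {member_attr} value {ref} is outside {group_base}")
    admin = entries.get(normalize_dn(admin_user))
    if admin is None:
        problems.append(f"portal administrator {admin_user} is not in the LDIF")
    elif normalize_dn(admin_group) not in {normalize_dn(v) for v in admin.get(attr, [])}:
        problems.append(f"{admin_user} is not a {member_attr} member of {admin_group}")
    return problems


if __name__ == "__main__":
    for problem in check_dynamic_groups(SAMPLE_LDIF):
        print("PROBLEM:", problem)
```

Run it against your own LDIF before the import; the sample reports the dangling wcmadmin reference, and removing the wpsadmins value from wpsadmin makes it flag the administrator as well, which is exactly the mistake that locks you out after wp-modify-ldap-security. DNs are compared after normalization because the mixed ou=Groups / ou=groups spelling in the entries above is legal LDAP but trips naive string comparison.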

Step 2: Validate the values entered in Step 1.
Open a command prompt and cd to \ConfigEngine.
Run ConfigEngine.bat validate-standalone-ldap -DWasPassword=secret -DparentProperties=/ConfigEngine/config/helpers/

If the LDAP validation succeeds, the helper file values can be propagated to the main properties file by running the same command again with -DsaveParentProperties=true:

Run ConfigEngine.bat validate-standalone-ldap -DWasPassword=secret -DparentProperties=/ConfigEngine/config/helpers/ -DsaveParentProperties=true

Then apply the changes to Portal:
ConfigEngine.bat wp-modify-ldap-security -DWasPassword=secret

Stop and restart server1 and WebSphere_Portal. Run the validation task first every time; wp-modify-ldap-security is the step that actually switches the registry, and a bad bind DN or base DN at that point leaves you with a Portal nobody can log in to.

With this configuration I could log in as wpsadmin, create a test user, and log in as that user. I checked LDAP and the test user had indeed been added to the People branch.

In the next article I will list the steps to configure custom attributes and to map Portal attributes to LDAP attributes.