Monday, August 24, 2009

Configuring WebSphere Portal 6.1 Security using Sun One LDAP

Scenario: Sun One LDAP Version 5.2 is installed on the same machine as WebSphere Portal 6.1. To use a custom LDAP schema, I extended the inetOrgPerson object and created a vPerson object.

Once the LDAP Server is installed, I created a suffix called dc=mycompany,dc=com and initialized this suffix. All these steps can be done using Sun One Administration Console.

After the LDAP installation, I created the following groups and users. Groups are created under the ou=Groups,dc=mycompany,dc=com branch and users under the ou=People,dc=mycompany,dc=com branch.

Groups:
  • cn=wpsadmins,ou=groups,dc=mycompany,dc=com
  • cn=wcmadmins,ou=groups,dc=mycompany,dc=com
  • cn=wpsContentAdministrators,ou=groups,dc=mycompany,dc=com
People:
  • uid=wpsadmin,ou=people,dc=mycompany,dc=com
  • uid=wcmadmin,ou=people,dc=mycompany,dc=com

You can also use the PortalUsers.ldif and ContentUsers.ldif files from the Portal installation setup: modify these files and import them into LDAP. Once the Sun One LDAP was set up properly, I used an LDAP client to test a bind as wpsadmin and make sure it works.

In Portal 6.1, security is enabled by default with a file system realm. Using the ConfigEngine, the security can be switched to LDAP.

I enabled the Sun One LDAP in a VMM (Virtual Member Manager) stand-alone configuration.

Step 1: Edit the wp_security_sunone.properties file.
This file is located in \ConfigEngine\config\helpers.

I modified the following properties.

standalone.ldap.id=VIJAY
standalone.ldap.host=localhost
standalone.ldap.port=389
standalone.ldap.bindDN=cn=Directory Manager
standalone.ldap.bindPassword=my secret can't guess
standalone.ldap.serverId=uid=wpsadmin,ou=people,dc=mycompany,dc=com
standalone.ldap.serverPassword=another secret
standalone.ldap.realm=RLM_VK
standalone.ldap.primaryAdminId=uid=wpsadmin,ou=people,dc=mycompany,dc=com
standalone.ldap.primaryAdminPassword=another secret
standalone.ldap.primaryPortalAdminId=uid=wpsadmin,ou=people,dc=mycompany,dc=com
standalone.ldap.primaryPortalAdminPassword=another secret
standalone.ldap.primaryPortalAdminGroup=cn=wpsadmins,ou=groups,dc=mycompany,dc=com
standalone.ldap.baseDN=dc=mycompany,dc=com

standalone.ldap.personAccountParent=ou=people,dc=mycompany,dc=com
standalone.ldap.groupParent=ou=groups,dc=mycompany,dc=com

standalone.ldap.gc.name=vPortalGroup


The last property specifies the dynamic group attribute. That means each user entry in LDAP carries one vPortalGroup value per group you want to place that user in.

If you are using dynamic groups, make sure wpsadmin is a member of the wpsadmins group. I added the following attribute values to uid=wpsadmin,ou=people,dc=mycompany,dc=com in LDAP:
vPortalGroup=cn=wpsadmins,ou=groups,dc=mycompany,dc=com
vPortalGroup=cn=wcmadmins,ou=groups,dc=mycompany,dc=com


I have not changed any of the other properties.
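Before running the ConfigEngine validation in Step 2, it is worth checking the helper file against the directory content offline: every admin id must sit under personAccountParent, the admin group under groupParent, both parents under baseDN, and the user named in primaryPortalAdminId must actually carry the dynamic group attribute (standalone.ldap.gc.name) for primaryPortalAdminGroup. The script below is an added example and not part of the original post or of IBM's or Sun's tooling. It assumes the helper file is in Java .properties form and that the directory entries are available as LDIF; the embedded properties and LDIF are constructed samples mirroring the values above (passwords replaced by placeholders, and the vPerson object class is the author's custom class whose definition is not shown on the page). DN comparison is simplified to case-ignore matching without escaped commas or multi-valued RDNs.

```python
# Constructed sample of the helper file values from the post (passwords are placeholders).
HELPER_PROPERTIES = """\
standalone.ldap.id=VIJAY
standalone.ldap.host=localhost
standalone.ldap.port=389
standalone.ldap.bindDN=cn=Directory Manager
standalone.ldap.bindPassword=PLACEHOLDER
standalone.ldap.serverId=uid=wpsadmin,ou=people,dc=mycompany,dc=com
standalone.ldap.primaryAdminId=uid=wpsadmin,ou=people,dc=mycompany,dc=com
standalone.ldap.primaryPortalAdminId=uid=wpsadmin,ou=people,dc=mycompany,dc=com
standalone.ldap.primaryPortalAdminGroup=cn=wpsadmins,ou=groups,dc=mycompany,dc=com
standalone.ldap.baseDN=dc=mycompany,dc=com
standalone.ldap.personAccountParent=ou=people,dc=mycompany,dc=com
standalone.ldap.groupParent=ou=groups,dc=mycompany,dc=com
standalone.ldap.gc.name=vPortalGroup
"""

# Constructed LDIF of the entries described in the post. vPerson is the author's
# custom object class (assumed); note the mixed-case ou values, which is why DNs
# are normalized before comparison.
SAMPLE_LDIF = """\
dn: uid=wpsadmin,ou=People,dc=mycompany,dc=com
objectClass: inetOrgPerson
objectClass: vPerson
uid: wpsadmin
vPortalGroup: cn=wpsadmins,ou=Groups,dc=mycompany,dc=com
vPortalGroup: cn=wcmadmins,ou=Groups,dc=mycompany,dc=com

dn: uid=wcmadmin,ou=People,dc=mycompany,dc=com
objectClass: inetOrgPerson
objectClass: vPerson
uid: wcmadmin
vPortalGroup: cn=wcmadmins,ou=Groups,dc=mycompany,dc=com

dn: cn=wpsadmins,ou=Groups,dc=mycompany,dc=com
objectClass: groupOfUniqueNames
cn: wpsadmins
uniqueMember: uid=wpsadmin,ou=People,dc=mycompany,dc=com
"""


def parse_properties(text):
    """Parse Java .properties lines (key=value); blank lines and # comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def normalize_dn(dn):
    """Canonical DN for comparison: lower-case attribute types and values, no
    whitespace around separators (case-ignore matching as for ou/cn/uid)."""
    rdns = []
    for rdn in dn.split(","):
        attr_type, _, value = rdn.partition("=")
        rdns.append(attr_type.strip().lower() + "=" + value.strip().lower())
    return ",".join(rdns)


def dn_under(dn, parent):
    """True when dn is a strict descendant of parent."""
    return normalize_dn(dn).endswith("," + normalize_dn(parent))


def parse_ldif(text):
    """Minimal LDIF reader (entries separated by blank lines, 'attr: value' lines;
    no base64 or continuation lines). Returns {normalized dn: {attr: [values]}}."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(normalize_dn(value), {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def check_helper(props, entries):
    """Return a list of findings; an empty list means the helper file and the
    directory content agree."""
    findings = []
    base = props["standalone.ldap.baseDN"]
    people = props["standalone.ldap.personAccountParent"]
    groups = props["standalone.ldap.groupParent"]
    admin_group = props["standalone.ldap.primaryPortalAdminGroup"]
    group_attr = props["standalone.ldap.gc.name"].lower()

    for key in ("standalone.ldap.personAccountParent", "standalone.ldap.groupParent"):
        if not dn_under(props[key], base):
            findings.append(f"{key} is not under baseDN")
    for key in ("standalone.ldap.serverId", "standalone.ldap.primaryAdminId",
                "standalone.ldap.primaryPortalAdminId"):
        if not dn_under(props[key], people):
            findings.append(f"{key} is not under personAccountParent")
    if not dn_under(admin_group, groups):
        findings.append("primaryPortalAdminGroup is not under groupParent")

    # The dynamic-group check from the post: the portal admin must carry the
    # gc.name attribute value naming primaryPortalAdminGroup.
    admin_dn = props["standalone.ldap.primaryPortalAdminId"]
    admin = entries.get(normalize_dn(admin_dn))
    if admin is None:
        findings.append("primaryPortalAdminId entry not found in directory export")
    else:
        memberships = {normalize_dn(v) for v in admin.get(group_attr, [])}
        if normalize_dn(admin_group) not in memberships:
            findings.append(f"{admin_dn} lacks {group_attr}={admin_group}")
    if not props.get("standalone.ldap.bindPassword"):
        findings.append("bindPassword is empty")
    return findings


def run_check(properties_text=HELPER_PROPERTIES, ldif_text=SAMPLE_LDIF):
    return check_helper(parse_properties(properties_text), parse_ldif(ldif_text))


if __name__ == "__main__":
    for finding in run_check() or ["helper file is consistent with the directory content"]:
        print(finding)
```

On a real system, replace the two embedded strings with the contents of wp_security_sunone.properties and an LDIF export of the People branch; the check is deliberately read-only and touches no server, so it can run before the ConfigEngine task binds to the directory.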

Step 2: Validate the values entered in Step 1.
Open a cmd console
cd to \ConfigEngine
Run ConfigEngine.bat validate-standalone-ldap -DWasPassword=secret -DparentProperties=/ConfigEngine/config/helpers/wp_security_sunone.properties

If the LDAP validation is successful, the helper file values can be propagated to the wkplc.properties file. This is done by running the same command with -DsaveParentProperties=true.

Run ConfigEngine.bat validate-standalone-ldap -DWasPassword=secret -DparentProperties=/ConfigEngine/config/helpers/wp_security_sunone.properties -DsaveParentProperties=true

Then apply the changes to Portal.
ConfigEngine.bat wp-modify-ldap-security -DWasPassword=secret

Stop and restart server1 and WebSphere_Portal.

With this configuration I was able to log in as wpsadmin, create a test user, and log in as that user. I checked LDAP to confirm the test user was added to the people branch, and it was.

In the next article I will list the steps to configure custom attributes and to map Portal attributes to LDAP attributes.