Saturday, August 15, 2009

Restricting authentication based on group membership when configured for standalone LDAP

How do you configure IBM WebSphere Portal so that only members of a specific group can log in if WebSphere Portal security is configured to use a standalone LDAP?

The same general steps will be taken for each supported LDAP although the specific userFilter will differ depending on the LDAP brand and/or version.

First, check with your LDAP administrator to confirm that your LDAP implements an attribute whereby group membership is specified within each user record. The IBM® Redbooks® publication, "IBM WebSphere Portal V6 Self Help Guide", lists the default attributes used for memberOfAttributeName support in several supported LDAPs in table 5-15 on page 155.

If your LDAP implements one of these attributes, verify that it can be used to identify exactly the subset of users who should be allowed to authenticate to the Portal server. Then check the current userFilter in the wkplc.properties file. (This assumes the userFilter in wkplc.properties has not been edited since security was originally enabled; you can also refer to the ConfigEngine helper files for your LDAP when constructing your userFilter.)

standalone.ldap.userFilter=(&(cn=%v)(objectclass=inetOrgPerson))

Test the search filter with ldapsearch before making any changes to the WebSphere Portal configuration. Drop the (cn=%v) clause for this test, since %v is only substituted by the Portal at login time. Your ldapsearch might look something like the following (angle-bracketed values are placeholders for your bind DN, bind password, LDAP host, port and search base):

ldapsearch -x -v -D <bindDN> -w <bindPassword> -h <ldapHost> -p <ldapPort> -b <baseDN> "(&(objectclass=inetOrgPerson)(groupMembership=<groupDN>))"

(This example uses Novell eDirectory's groupMembership attribute.)

If the search returns the expected users, add the (cn=%v) clause back to the userFilter, then back up wkplc.properties and update it as follows:

standalone.ldap.userFilter=(&(cn=%v)(objectclass=inetOrgPerson)(groupMembership=<groupDN>))

(<groupDN> is the group's distinguished name and might be something like cn=portalgroup,o=yourOrganization.)

Update the WebSphere Portal and WebSphere Application Server security configurations by running wp-modify-ldap-security as described in the Information Center v6.1:

WebSphere Portal > Installing WebSphere Portal > Setting up WebSphere Portal > Setting up a (standalone/clustered) production server > Configuring WebSphere Portal to use a user registry > Configuring WebSphere Portal to use a user registry on (your OS) > Choosing your user registry model on (your OS) > Configuring a stand-alone LDAP user registry on (your OS)

Users should now be authenticated only if they belong to the group identified by <groupDN> above.
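As an added example (not from the original post), a small POSIX shell helper that builds the group-restricted userFilter from the value already in wkplc.properties, escapes the group DN per RFC 4515 so a DN containing parentheses or asterisks cannot break the filter, and derives the exact filter to hand to ldapsearch for the test described above. The attribute name (groupMembership), the properties file path and the group DN are assumptions supplied by the caller; check_user wraps the real ldapsearch command.

```shell
#!/bin/sh
# Added example, not from the original post: derive the group-restricted
# standalone.ldap.userFilter and the matching ldapsearch test filter.
# Assumes an eDirectory-style "groupMembership" attribute; attribute name,
# wkplc.properties path and group DN are all supplied by the caller.

# Escape the characters an LDAP filter treats specially (RFC 4515).
# The backslash is handled first so the other escapes are not re-escaped.
# (NUL cannot occur in a shell argument, so it is not handled here.)
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Read standalone.ldap.userFilter from a wkplc.properties file (first match).
read_user_filter() {
    sed -n 's/^standalone\.ldap\.userFilter=//p' "$1" | head -n 1
}

# Append "(attr=groupDN)" inside an existing top-level AND filter, e.g.
#   (&(cn=%v)(objectclass=inetOrgPerson))
#   -> (&(cn=%v)(objectclass=inetOrgPerson)(groupMembership=cn=g,o=org))
# Anything that is not a top-level (&...) is refused: appending a clause to
# an OR or to a bare filter would not restrict logins at all.
restrict_filter_to_group() {
    base="$1"; attr="$2"; dn="$3"
    case "$base" in
        "(&"*")") ;;
        *) echo "not a top-level (&...) conjunction: $base" >&2; return 1 ;;
    esac
    printf '%s(%s=%s))' "${base%\)}" "$attr" "$(ldap_filter_escape "$dn")"
}

# Substitute a login id for %v, escaped the way the registry must escape it
# at login time (an unescaped "*" would otherwise match every user).
search_filter_for_user() {
    filter="$1"; user="$(ldap_filter_escape "$2")"
    printf '%s%s%s' "${filter%%%v*}" "$user" "${filter#*%v}"
}

# Run the query the Portal will run at login. Call it once for a user who
# should be admitted and once for a non-member; the latter must return no DN.
# usage: check_user <filter-with-%v> <login> <bindDN> <host> <port> <baseDN>
check_user() {
    ldapsearch -x -LLL -D "$3" -W -h "$4" -p "$5" -b "$6" \
        "$(search_filter_for_user "$1" "$2")" dn
}

# Demo on a constructed filter and group DN (no LDAP server needed).
restrict_filter_to_group '(&(cn=%v)(objectclass=inetOrgPerson))' \
    groupMembership 'cn=portalgroup,o=yourOrganization'; echo
```

Run check_user once with a login that belongs to the group and once with one that does not: only the first should return a DN. The -W flag makes ldapsearch prompt for the bind password instead of exposing it on the command line.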