You can use the Lightweight Directory Access Protocol (LDAP) user registry with any of the authentication mechanisms supported by WebSphere® Application Server. Therefore, every user that you want to authorize to access Application Server resources must be added to the LDAP directory.
About this task
This information is specific to the iSeries Directory Services product.
A variety of methods are available to add users. However, the easiest way is to create an LDAP Data Interchange Format (LDIF) file. The file contains the set of users to add into the directory. The file is used by the LDAP utilities, such as idsldapmodify. You can run these utilities from either the operating system or from a workstation. If you run these LDAP utilities from the operating system, your LDIF file must reside in the integrated file system.
Complete the following steps to add users to the LDAP user registry:
Procedure
- Create an LDIF file and save it in the integrated file system. Use either the Edit File (EDTF) utility or your workstation text editor to create the file. Save the file in the integrated file system either by mapping a drive or by using the file transfer protocol (FTP).
For WebSphere Application Server and LDAP directory services, create entries in the directory that correspond to the ePerson schema definition.
A simple ePerson LDIF entry resembles the following example:
dn: cn=John Doe, ou=Rochester, o=IBM, c=US
objectclass: person
objectclass: inetOrgPerson
objectclass: top
objectclass: organizationalPerson
objectclass: ePerson
cn: John Doe
sn: Doe
uid: jdoe
userpassword: secretpass
This LDIF entry defines an ePerson for user John Doe. The user identification (uid) for John is set to jdoe and his password is set to secretpass. This entry resides within the Rochester organizational unit, which is within the IBM® organization in the United States. The ou, o, and c container entries must each be defined before this ePerson entry is defined. You can define a series of LDIF entries in the same file to define Lightweight Third Party Authentication (LTPA) users for WebSphere Application Server.
If you do not specify a value for the userpassword attribute, the LDAP server attempts to authenticate LTPA users with the user profile for the local operating system that is identified by the uid attribute value. This action might be desirable if users have user profiles for the operating system and do not want to manage passwords in both the operating system user registry and the LDAP directory.
When you create an ePerson entry, make sure that the cn and uid attributes each have a unique value. Do not create two entries that have the same value for the cn and uid attributes.
Important: If you have a large user registry, login performance might be severely impacted if the Group Member ID Map property is left at its default value, which is both groupOfNames:member and groupOfUniqueNames:uniqueMember. To address this performance problem, specify one of these object classes and not both. You must then exclusively use the selected object class to implement groups in the user registry.
- Import the LDIF file entries into your directory on the server. Use the LDAP ldapadd utility in Qshell Interpreter (QSH) or from a workstation.
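As an added example (not from the IBM documentation), a small Python pre-flight check that parses an LDIF file like the one above before it is imported and flags the three conditions this procedure calls out: a container that is not defined before the entries under it, a cn or uid value reused across ePerson entries, and an ePerson entry with no userpassword (which falls back to the operating system user profile). The sample LDIF, the parse_ldif and check_ldif functions and the assumed pre-existing suffix o=IBM, c=US are constructed for this example.

```python
# Added example, not IBM's code: pre-flight checks on an LDIF file of ePerson entries.
# Constructed sample (the suffix o=IBM, c=US is assumed to exist on the server):
SAMPLE_LDIF = """\
dn: ou=Rochester, o=IBM, c=US
objectclass: organizationalUnit
ou: Rochester

dn: cn=John Doe, ou=Rochester, o=IBM, c=US
objectclass: person
objectclass: inetOrgPerson
objectclass: top
objectclass: organizationalPerson
objectclass: ePerson
cn: John Doe
sn: Doe
uid: jdoe
userpassword: secretpass
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})] in file order; attribute names lower-cased."""
    entries = []
    for block in filter(str.strip, text.strip().split("\n\n")):
        attrs = {}
        for key, _, value in (line.partition(":") for line in block.splitlines()):
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
        entries.append((attrs.pop("dn")[0], attrs))
    return entries

def norm(dn):
    """Canonical DN so 'ou=Rochester, o=IBM' and 'ou=rochester,o=ibm' compare equal."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def check_ldif(text, suffix="o=IBM, c=US"):
    """Flag undefined parents, duplicate cn/uid among ePersons, and missing passwords."""
    findings, dns, seen = [], {norm(suffix)}, {"cn": set(), "uid": set()}
    for dn, attrs in parse_ldif(text):
        parent = norm(dn).partition(",")[2]
        if parent not in dns:  # ou, o and c containers must precede the entries in them
            findings.append(f"{dn}: parent '{parent}' not defined before this entry")
        dns.add(norm(dn))
        if "eperson" in {c.lower() for c in attrs.get("objectclass", [])}:
            for attr in ("cn", "uid"):  # both must be unique across ePerson entries
                for v in attrs.get(attr, []):
                    if v.lower() in seen[attr]:
                        findings.append(f"{dn}: duplicate {attr} '{v}'")
                    seen[attr].add(v.lower())
            if "userpassword" not in attrs:  # LTPA then authenticates via OS profile
                findings.append(f"{dn}: no userpassword, LTPA login uses the OS profile")
    return findings
```

Run check_ldif on the file's contents and resolve every finding before handing the file to ldapadd; an empty list means the containers, uniqueness and password expectations above are met.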
What to do next
For more information on importing LDIF entries, see the Directory Services documentation in the Information Centers for IBM i 6.1 and 7.1.