Switching to an LDAP user registry

You can authenticate users by using a Lightweight Directory Access Protocol (LDAP) user registry. You configure IBM® InfoSphere® Information Server to use LDAP authentication after installation finishes.

Before you begin

  • The InfoSphere Information Server engine performs user authentication separately from other InfoSphere Information Server components. You can configure the engine to use the LDAP user registry that you set up. For IBM AIX®, Solaris, HP-UX, and Linux platforms, you can optionally configure Pluggable Authentication Module (PAM) support before you switch the user registry. For more information, see Configuring IBM InfoSphere Information Server to use PAM (Linux, UNIX).
  • In an IBM WebSphere® Application Server stand-alone installation, WebSphere Application Server must be running.
  • In a clustered installation, the Deployment Manager and all node agents must be running.

About this task

InfoSphere Information Server supports any LDAP-compliant user registry that IBM WebSphere Application Server Network Deployment supports. For more information about supported LDAP servers, see the IBM WebSphere Application Server Network Deployment system requirements:

Procedure

  1. Do the procedures in the WebSphere Application Server documentation for configuring LDAP user registries.
    Procedures for configuring LDAP user registries within WebSphere Application Server can be found in the WebSphere Application Server information center:
  2. In a clustered installation, synchronize the configuration files on the nodes in the cluster:
    1. In the System administration > Nodes.
    2. Select the check boxes beside all nodes.
    3. Click Synchronize.
    4. Log out of the console.
  3. Stop WebSphere Application Server. In a clustered installation, stop the application servers and the node agents, and then stop the Deployment Manager.
    Important: When stopping the WebSphere Application Server processes, use the credentials of the WebSphere Application Server administrator from the previous user registry.
  4. Log in to the computer on which the AppServerAdmin tool is installed:
    • If you have implemented WebSphere Application Server clustering within your installation, log in to the computer that hosts the WebSphere Application Server Deployment Manager.
    • If you have not implemented clustering, log in to the services tier computer.
  5. From the command line, run the AppServerAdmin command. This command propagates the WebSphere Application Server administrator user name and password to WebSphere Application Server.
    Linux cue graphicUNIX cue graphic
    /opt/IBM/Information/server/ASBServer/bin/AppServerAdmin.sh -was 
       -user was_admin_user_id -password was_admin_password
    Windows cue graphic
    C:\IBM\InformationServer\ASBServer\bin\AppServerAdmin.bat -was 
       -user was_admin_user_id -password was_admin_password

    In the command, was_admin_user_id and was_admin_password must match the new WebSphere Application Server administrator credentials that you provided in the WebSphere Application Server administrative console.

    Tip: The -password parameter is optional. If not provided, you will be prompted for a password. If you do provide a password, it can be either plain text or an encrypted string that has been created with the encrypt command.
  6. If you are switching the user registry for a system that has been used for a while by multiple users, clean up the users and groups that are related to the security configuration. See Switching the user registry configuration for a system in use.
  7. Restart WebSphere Application Server. In a clustered installation, start the Deployment Manager, and then the node agents and application servers.

    After WebSphere Application Server is restarted, during the InfoSphere Information Server initialization, the WebSphere Application Server user registry configuration is checked and the InfoSphere Information Server user registry configuration is automatically adjusted if needed. The default WebSphere Application Server administrator user is also automatically configured as the initial new InfoSphere Information Server default administrator user.

  8. If one of the node agents was not running when you did the previous steps, the node agent cannot be restarted because the user registry configuration at the Deployment Manager and node levels do not match. To fix this problem, run the WebSphere Application Server syncNode command to synchronize the node with the Deployment manager. To run the syncNode command:
    1. Log in to the node.
    2. Run the syncNode command.
      • Linux cue graphicUNIX cue graphic
        /opt/IBM/WebSphere/AppServer/profiles/custom_profile/bin/syncNode.sh 
           dmgr_hostname dmgr_port -user was_admin_username -password 
           was_admin_password
      • Windows cue graphic
        C:\IBM\WebSphere\AppServer\profiles\custom_profile\bin\syncNode 
           dmgr_hostname dmgr_port -user was_admin_username -password 
           was_admin_password
      In the command:
      • dmgr_hostname is the host name of the computer where the Deployment Manager is running.
      • dmgr_port is the port number of the Deployment Manager (the default is 8879).
      • was_admin_username is the user name of the WebSphere Application Server administrator.
      • was_admin_password is the administrator password.
    3. Restart the node agent. See Starting IBM WebSphere Application Server (Windows) or Starting IBM WebSphere Application Server (Linux, UNIX).

What to do next

After you change the user registry, you can use theWebSphere Application Server administrator user name and password to log in to the InfoSphere Information Server Web console. In the console, grant suite administrator access to additional users as needed. The WebSphere Application Server administrator is granted InfoSphere Information Server administrator privileges by default.