Configuring the LDAP User Registry

How to configure the LDAP user registry.

About this task

In this procedure, <installdir> is the directory where Predictive Insights is installed. The default installation directory is /opt/IBM/scanalytics.

Procedure

  1. Log in to the server where the Predictive Insights UI component is installed.
  2. Go to the <installdir>/UI/wlp/usr/servers/piserver directory.
  3. Create a new file called ldapRegistry.xml and add the appropriate content to the file for the LDAP server that you are using:

    If you are using a Tivoli Directory server, add the following:

    <server>
      <ldapRegistry id="ldap"
        realm="defaultWIMFileBasedRealm" baseDN="ou=people,ou=internal,O=IBM,C=US"
        host="ldap1.ibm.com" port="389" ignoreCase="true"
        bindDN="cn=NetcoolReadOnly,cn=ReadOnlyUsers,O=IBM,C=US" bindPassword="***"
        ldapType="IBM Tivoli Directory Server" sslEnabled="false">
        <idsFilters
          userFilter="(&amp;(uid=%v)(objectclass=ePerson))"
          groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))"
          userIdMap="*:uid"
          groupIdMap="*:cn"
          groupMemberIdMap="mycompany-allGroups:member;mycompany-allGroups:uniqueMember;groupOfNames:member;groupOfUniqueNames:uniqueMember"/>
      </ldapRegistry>
    </server>

    Note that each filter value is a single LDAP filter string with balanced parentheses; the groupFilter above selects entries whose objectclass is groupOfNames, groupOfUniqueNames or groupOfURLs.

    If you are using a Microsoft Active Directory server, add the following:

    <server>
      <ldapRegistry id="ldap"
        realm="defaultWIMFileBasedRealm" host="DC1.ibm.com" port="389"
        baseDN="CN=Users,DC=webguil3,DC=ldap,DC=com"
        bindDN="cn=manitou,CN=Users,DC=webguil3,DC=ldap,DC=com" bindPassword="*****"
        ldapType="Microsoft Active Directory" sslEnabled="false">
        <activedFilters
          userFilter="(&amp;(sAMAccountName=%v)(objectcategory=user))"
          groupFilter="(&amp;(cn=%v)(objectcategory=group))"
          userIdMap="user:sAMAccountName"
          groupIdMap="*:cn"
          groupMemberIdMap="memberOf:member"/>
      </ldapRegistry>
    </server>
  4. Edit the values in the text you add to the ldapRegistry.xml file to match your LDAP settings. In particular:
    • The realm specified in the ldapRegistry.xml file must match the realm name specified in the WebSphere Administrative Console. If they do not match, single sign-on will not work. The default realm is: defaultWIMFileBasedRealm
    • Ensure that the values in the userIdMap and groupIdMap fields are correct. Otherwise, login will fail.
    • Ensure that the ldapRegistry tag is on a single continuous line. Otherwise, the Liberty server may fail to parse it. The line wrapping in the examples above is for display only: whitespace from a line break inside an attribute value such as groupFilter ends up inside the LDAP filter string, which then never matches.
    • The examples use sslEnabled="false" and port 389, so the bind credentials and every user's login password cross the network as cleartext LDAP. For production, set sslEnabled="true", use the LDAPS port of your directory server (636 by default), and point the sslRef attribute at an SSL configuration whose truststore contains the directory server's CA certificate.
    • Do not leave the bind password in cleartext. The bindPassword attribute accepts a value produced by Liberty's securityUtility encode command in <installdir>/UI/wlp/bin (a {xor}... value, or an {aes}... value when a key is supplied). This is obfuscation rather than strong protection, so also restrict read access to ldapRegistry.xml to the user that runs the Predictive Insights UI server, and use a read-only directory account for the bind DN.
    Also, ensure that the values you specify match the settings for Dashboard Application Services Hub. To check the settings in Dashboard Application Services Hub:
    1. Go to the following URL to open the WebSphere Administrative Console: https://<hostname>:16316/ibm/console
    2. Log in as the scadmin user.
    3. Click Security > Global Security.
    4. Click Configure.
    5. Locate the LDAP repository in the table and click the Base Entry link to verify the base DN.
    6. Click the Repository Identifier and verify the bind DN, host, and port.
  5. Make a backup copy of the <installdir>/UI/wlp/usr/servers/piserver/server.xml file.
  6. Edit the <installdir>/UI/wlp/usr/servers/piserver/server.xml file and make the following changes:
    1. Comment out or remove the following lines:
      <feature>usr:omnibusUserRegistry-1.0.0</feature>
      <include optional="true" location="${server.config.dir}/omnibusConfig.xml"/>
    2. Add the following feature as a sub element of the <featureManager> tag:
      <feature>ldapRegistry-3.0</feature>

      After you add the feature, this section of the file should look similar to the following:

      <!-- Enable features -->
      <featureManager>
        <feature>jsp-2.2</feature>
        <feature>jaxrs-1.1</feature>
        <feature>servlet-3.0</feature>
        <feature>appSecurity-2.0</feature>
        <feature>jndi-1.0</feature>
        <feature>jdbc-4.0</feature>
        <!--<feature>usr:omnibusUserRegistry-1.0.0</feature> -->
        <feature>ldapRegistry-3.0</feature>
      </featureManager>
    3. Locate and Remove the comment from the following line:
      <!-- <include optional="true" location="${server.config.dir}/ldapRegistry.xml"/> -->
      After you remove the comment, the line should look as follows:
      <include optional="true" location="${server.config.dir}/ldapRegistry.xml"/>
    4. Save the file.
  7. If the Predictive Insights UI was installed into a Jazz for Service Management instance that has a non-default cookie name configured, update the cookie name in the <installdir>/UI/wlp/usr/servers/piserver/ssoConfig.xml file:
    1. Locate the line:
      <webAppSecurity ssoDomainNames=".<domain name>" />
    2. Update the line to read:
      <webAppSecurity ssoDomainNames=".<domain name>" ssoCookieName="<cookie name>" />

      where <cookie name> is the customized name of the Jazz for Service Management cookie.

  8. Enter the following command to restart the Predictive Insights UI server:
    <installdir>/UI/bin/pi.sh -restart
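The following script is an added pre-flight check for steps 3 and 4; it is not part of Predictive Insights or of this page. It reads an ldapRegistry.xml, reports the problems the procedure warns about (attribute values wrapped across lines, unbalanced filter parentheses, a realm other than defaultWIMFileBasedRealm, a missing userIdMap or groupIdMap) plus two hardening points (cleartext LDAP and an unencoded bindPassword), and prints the OpenLDAP ldapsearch command that exercises the same bind DN, base DN and userFilter Liberty will use. The two embedded XML strings are constructed from the Tivoli Directory Server and Active Directory fragments above; the {xor}Lz4sLCgwLTs= value is securityUtility's encoding of the word "password", used here only as a placeholder. It assumes Python 3.8 or later and, for the printed command, an OpenLDAP ldapsearch on the path.

```python
"""Pre-flight lint for a Liberty ldapRegistry.xml before restarting the PI UI server (added example)."""
import re
import shlex
import sys
import xml.etree.ElementTree as ET

EXPECTED_REALM = "defaultWIMFileBasedRealm"  # must equal the DASH / WebSphere realm name

# Constructed sample: the Tivoli Directory Server fragment from this page, with its
# groupFilter wrapped across lines and one "(" missing, as a careless paste would leave it.
SAMPLE_XML = """<server>
<ldapRegistry id="ldap"
realm="defaultWIMFileBasedRealm" baseDN="ou=people,ou=internal,O=IBM,C=US"
host="ldap1.ibm.com" port="389" ignoreCase="true"
bindDN="cn=NetcoolReadOnly,cn=ReadOnlyUsers,O=IBM,C=US" bindPassword="***"
ldapType="IBM Tivoli Directory Server" sslEnabled="false"><idsFilters
userFilter="(&amp;(uid=%v)(objectclass=ePerson))"
groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)
objectclass=groupOfURLs)))" userIdMap="*:uid" groupIdMap="*:cn"></idsFilters></ldapRegistry>
</server>"""

# Constructed sample: the Active Directory fragment on one line, over LDAPS, with an
# encoded bindPassword ({xor}Lz4sLCgwLTs= is securityUtility's encoding of "password").
FIXED_XML = (
    '<server><ldapRegistry id="ldap" realm="defaultWIMFileBasedRealm" host="DC1.ibm.com" '
    'port="636" baseDN="CN=Users,DC=webguil3,DC=ldap,DC=com" '
    'bindDN="cn=manitou,CN=Users,DC=webguil3,DC=ldap,DC=com" bindPassword="{xor}Lz4sLCgwLTs=" '
    'ldapType="Microsoft Active Directory" sslEnabled="true">'
    '<activedFilters userFilter="(&amp;(sAMAccountName=%v)(objectcategory=user))" '
    'groupFilter="(&amp;(cn=%v)(objectcategory=group))" userIdMap="user:sAMAccountName" '
    'groupIdMap="*:cn" groupMemberIdMap="memberOf:member"/></ldapRegistry></server>'
)

def balanced(filt):
    """True if every "(" in an LDAP filter has a matching ")"; RFC 4515 \\XX escapes are skipped."""
    depth, i = 0, 0
    while i < len(filt):
        if filt[i] == "\\":
            i += 3
            continue
        depth += {"(": 1, ")": -1}.get(filt[i], 0)
        if depth < 0:
            return False
        i += 1
    return depth == 0

def wrapped_attributes(raw_xml):
    """Attributes whose value spans a line break in the raw file; the XML parser turns that
    break into a space, which then lands inside the LDAP filter string."""
    return [n for n, v in re.findall(r'(\w+)\s*=\s*"([^"]*)"', raw_xml) if "\n" in v]

def load_registry(raw_xml):
    """Merge the <ldapRegistry> attributes with those of its *Filters child into one dict."""
    reg = ET.fromstring(raw_xml).find("ldapRegistry")
    if reg is None:
        raise ValueError("no <ldapRegistry> element found")
    cfg = dict(reg.attrib)
    for child in reg:
        if child.tag.endswith("Filters"):  # idsFilters, activedFilters, customFilters, ...
            cfg.update(child.attrib)
    return cfg

def lint(raw_xml, expected_realm=EXPECTED_REALM):
    """Return a list of findings; an empty list means the file passed every check."""
    out = [f"{n}: value wrapped across lines; keep it on one line" for n in wrapped_attributes(raw_xml)]
    cfg = load_registry(raw_xml)
    if cfg.get("realm") != expected_realm:
        out.append(f"realm: {cfg.get('realm')!r} != {expected_realm!r}; SSO with DASH will fail")
    for key in ("baseDN", "bindDN", "userFilter", "groupFilter", "userIdMap", "groupIdMap"):
        if not cfg.get(key):
            out.append(f"{key}: missing; login will fail")
    for key in ("userFilter", "groupFilter"):
        if cfg.get(key) and not balanced(cfg[key]):
            out.append(f"{key}: unbalanced parentheses")
    if cfg.get("sslEnabled", "false").lower() != "true":
        out.append("sslEnabled: false; bind and user passwords cross the network in cleartext")
    if cfg.get("bindPassword") and not re.match(r"\{(xor|aes)\}", cfg["bindPassword"]):
        out.append("bindPassword: cleartext; use securityUtility encode and restrict file permissions")
    return out

def escape_filter_value(value):
    """RFC 4515 escaping, so a login name such as 'a)(uid=*' cannot rewrite the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def ldapsearch_command(cfg, login_name):
    """ldapsearch argv that exercises the same bind DN, base DN and userFilter Liberty will use."""
    scheme = "ldaps" if cfg.get("sslEnabled", "false").lower() == "true" else "ldap"
    filt = cfg["userFilter"].replace("%v", escape_filter_value(login_name))
    id_attr = cfg["userIdMap"].split(":")[-1]  # "*:uid" -> "uid", "user:sAMAccountName" -> "sAMAccountName"
    return ["ldapsearch", "-x", "-H", f"{scheme}://{cfg['host']}:{cfg.get('port', '389')}",
            "-D", cfg["bindDN"], "-W", "-b", cfg["baseDN"], "-s", "sub", filt, id_attr]

if __name__ == "__main__":
    raw = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_XML
    for finding in lint(raw):
        print("WARN", finding)
    print(shlex.join(ldapsearch_command(load_registry(raw), "testuser")))
```

Run it as python3 lint_ldap_registry.py <installdir>/UI/wlp/usr/servers/piserver/ldapRegistry.xml before the restart in step 8. The printed ldapsearch binds as the configured bind DN (prompting for the password) and should return exactly one entry for a real login name; a bind failure or an empty result at that point is far cheaper to diagnose than a failed login after the UI server restarts. The %v substitution uses RFC 4515 escaping, which is also what protects the filter from a crafted login name.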