Configuring the LDAP User Registry
How to configure the LDAP user registry.
About this task
In this procedure, <installdir> is the directory where Predictive Insights is installed. The default installation directory is /opt/IBM/scanalytics.
Procedure
- Log in to the server where the Predictive Insights UI component is installed.
- Go to the <installdir>/UI/wlp/usr/servers/piserver directory.
- Create a new file called ldapRegistry.xml and add the appropriate content to the file for the LDAP server that you are using:
If you are using a Tivoli Directory server, add the following:
<server> <ldapRegistry id="ldap" realm="defaultWIMFileBasedRealm" baseDN="ou=people,ou=internal,O=IBM,C=US" host="ldap1.ibm.com" port="389" ignoreCase="true" bindDN="cn=NetcoolReadOnly,cn=ReadOnlyUsers,O=IBM,C=US" bindPassword="***" ldapType="IBM Tivoli Directory Server" sslEnabled="false" ><idsFilters userFilter="(&amp;(uid=%v)(objectclass=ePerson))" groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))" userIdMap="*:uid" groupIdMap="*:cn" groupMemberIdMap="mycompany-allGroups:member;mycompany-allGroups:uniqueMember;groupOfNames:member;groupOfUniqueNames:uniqueMember"></idsFilters></ldapRegistry> </server>
If you are using a Microsoft Active Directory server, add the following:
<server> <ldapRegistry id="ldap" realm="defaultWIMFileBasedRealm" host="DC1.ibm.com" port="389" baseDN="CN=Users,DC=webguil3,DC=ldap,DC=com" bindDN="cn=manitou,CN=Users,DC=webguil3,DC=ldap,DC=com" bindPassword="*****" ldapType="Microsoft Active Directory" sslEnabled="false" ><activedFilters userFilter="(&amp;(sAMAccountName=%v)(objectcategory=user))" groupFilter="(&amp;(cn=%v)(objectcategory=group))" userIdMap="user:sAMAccountName" groupIdMap="*:cn" groupMemberIdMap="memberOf:member"></activedFilters> </ldapRegistry></server>
- Edit the values in the text you add to the ldapRegistry.xml file to match your LDAP settings. In particular:
- The realm specified in the ldapRegistry.xml file must match the realm name specified in the WebSphere Administrative Console. If they do not match, single sign-on will not work. The default realm is: defaultWIMFileBasedRealm
- Ensure that the values in the userIdMap and groupIdMap fields are correct. Otherwise, login will fail.
- Ensure that the ldapRegistry tag is on a single continuous line. Otherwise, the Liberty server may fail to parse it.
- Go to the following URL to launch the WebSphere Administrative Console: https://<hostname>:16316/ibm/console
- Log in as the scadmin user.
- Click Security > Global Security.
- Click Configure.
- Locate the LDAP repository in the table and click the Base Entry link to verify the base DN.
- Click the Repository Identifier and verify the bindDN, host and port.
- Make a backup copy of the <installdir>/UI/wlp/usr/servers/piserver/server.xml file.
- Edit the <installdir>/UI/wlp/usr/servers/piserver/server.xml file and make the following changes:
- Comment out or remove the following lines:
<feature>usr:omnibusUserRegistry-1.0.0</feature>
<include optional="true" location="${server.config.dir}/omnibusConfig.xml"/>
- Add the following feature as a sub element of the <featureManager> tag:
<feature>ldapRegistry-3.0</feature>
After you add the feature, this section of the file should look similar to the following:
<!-- Enable features -->
<featureManager>
  <feature>jsp-2.2</feature>
  <feature>jaxrs-1.1</feature>
  <feature>servlet-3.0</feature>
  <feature>appSecurity-2.0</feature>
  <feature>jndi-1.0</feature>
  <feature>jdbc-4.0</feature>
  <!--<feature>usr:omnibusUserRegistry-1.0.0</feature> -->
  <feature>ldapRegistry-3.0</feature>
</featureManager>
- Locate and remove the comment from the following line:
<!-- <include optional="true" location="${server.config.dir}/ldapRegistry.xml"/> -->
After you remove the comment, the line should look as follows:
<include optional="true" location="${server.config.dir}/ldapRegistry.xml"/>
- Save the file.
- If the Predictive Insights UI was installed into a Jazz for Service Management instance that has a non-default cookie name configured, update the cookie name in the /opt/IBM/scanalytics/UI/wlp/usr/servers/piserver/ssoConfig.xml file:
- Locate the line:
<webAppSecurity ssoDomainNames=".<domain name>" />
- Update the line to read:
<webAppSecurity ssoDomainNames=".<domain name>" ssoCookieName="<cookie name>" />
where <cookie name> is the customized name of the Jazz for Service Management cookie.
- Enter the following command to restart the Predictive Insights UI server:
<installdir>/UI/bin/pi.sh -restart
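
The checks listed in the step that edits the ldapRegistry.xml values can be run before the restart. The following Python script is an added example, not part of the original procedure or of the product: it tests the file content for well-formed XML, a single-line ldapRegistry tag, the expected realm, balanced filters and populated ID maps. The sample configuration, its host name and the function names are constructed for illustration, and the script goes one step beyond the listed checks by also reporting sslEnabled="false".

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample with deliberate faults: wrapped tag, wrong realm, unbalanced filter.
SAMPLE = """<server>
<ldapRegistry id="ldap" realm="otherRealm" host="ldap.example.com" port="389"
  baseDN="ou=people,o=example" bindDN="cn=ro,o=example" bindPassword="***"
  ldapType="IBM Tivoli Directory Server" sslEnabled="false">
<idsFilters userFilter="(&amp;(uid=%v)(objectclass=ePerson))"
  groupFilter="(&amp;(cn=%v)(objectclass=groupOfNames)))"
  userIdMap="*:uid" groupIdMap="*:cn"/></ldapRegistry></server>"""

def filter_ok(f):
    """True if the LDAP filter has balanced parentheses and the %v placeholder."""
    depth = 0
    for ch in f:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0 and "%v" in f

def check_registry(text, expected_realm="defaultWIMFileBasedRealm"):
    """Return a list of problems found in ldapRegistry.xml content."""
    problems = []
    tag = re.search(r"<ldapRegistry\b[^>]*>", text)  # raw start tag, before parsing
    if tag and "\n" in tag.group(0):
        problems.append("ldapRegistry tag spans more than one line")
    try:
        root = ET.fromstring(text)
    except ET.ParseError as err:  # e.g. a literal & in a filter instead of &amp;
        return problems + [f"not well-formed XML: {err}"]
    reg = root.find("ldapRegistry")
    flt = None if reg is None else next(
        (e for e in reg if e.tag in ("idsFilters", "activedFilters")), None)
    if flt is None:
        return problems + ["ldapRegistry or its idsFilters/activedFilters child is missing"]
    if reg.get("realm") != expected_realm:
        problems.append(f"realm is {reg.get('realm')!r}, expected {expected_realm!r}")
    for name in ("userFilter", "groupFilter"):
        if not filter_ok(flt.get(name, "")):
            problems.append(f"{name} is unbalanced or lacks %v")
    for name in ("userIdMap", "groupIdMap"):
        if ":" not in flt.get(name, ""):
            problems.append(f"{name} is missing or not in objectclass:attribute form")
    if reg.get("sslEnabled", "false") == "false":
        problems.append("sslEnabled is false: the bind password is sent unencrypted")
    return problems

if __name__ == "__main__":
    print("\n".join(check_registry(SAMPLE)) or "no problems found")
```

Pass the realm name shown in the WebSphere Administrative Console as expected_realm when it differs from the default.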