This is an update to my previous post, and follows an interaction with an IBM colleague, who wasn't able to get this working, at least initially.
When I looked back at my steps, I'm not sure how I got it working - perhaps I made some changes that didn't make it into the original blog post :-(
Ah well, c'est la vie.
Anyway, here's an up-to-date set of instructions: -
Change to the WAS profile's binary directory
$ cd /opt/IBM/WebSphere80/AppServer/profiles/E1PCDMProfile/bin/
Start the wsadmin client
$ ./wsadmin.sh -lang jython -user e1wasadmin -password passw0rd
WASX7209I: Connected to process "dmgr" on node E1PCDMNODENode using SOAP connector; The type of process is: DeploymentManager
WASX7031I: For help, enter: "print Help.help()"
List the existing repositories - to start with, we only have one - fileRegistry.xml
wsadmin>AdminTask.listIdMgrRepositories()
'{InternalFileRepository={repositoryType=File, host=LocalHost}}'
Start the process of configuring the WIM user registry
wsadmin>AdminTask.configureAdminWIMUserRegistry('[-realmName defaultWIMFileBasedRealm -verifyRegistry false ]')
''
Create a new LDAP repository
wsadmin>AdminTask.createIdMgrLDAPRepository('[-default true -id LDAP1 -adapterClassName com.ibm.ws.wim.adapter.ldap.LdapAdapter -ldapServerType IDS -sslConfiguration -certificateMapMode exactdn -supportChangeLog none -certificateFilter -loginProperties uid]')
'CWWIM5046W Each configured repository must contain at least one base entry. Add a base entry before saving the configuration. For LDAP repository, add the LDAP server before adding the base entry.'
Now we have TWO repositories
wsadmin>AdminTask.listIdMgrRepositories()
'{InternalFileRepository={repositoryType=File, host=LocalHost}, LDAP1={repositoryType=LDAP, specificRepositoryType=IDS}}'
Add an LDAP server to the new repository
wsadmin>AdminTask.addIdMgrLDAPServer('[-id LDAP1 -host bluepages.ibm.com -port 389 -bindDN uid=7712663228,c=gb,ou=bluepages,o=ibm.com -bindPassword passw0rd! -referal ignore -sslEnabled false -ldapServerType IDS -sslConfiguration -certificateMapMode exactdn -certificateFilter]')
'CWWIM5027W The configuration is not complete. Saving an incomplete configuration can cause startup problems.'
Set the login properties
wsadmin>AdminTask.updateIdMgrLDAPRepository('[-id LDAP1 -adapterClassName com.ibm.ws.wim.adapter.ldap.LdapAdapter -ldapServerType IDS -sslConfiguration -certificateMapMode exactdn -certificateFilter -supportChangeLog none -loginProperties uid]')
'CWWIM5027W The configuration is not complete. Saving an incomplete configuration can cause startup problems.'
Set the base entry
wsadmin>AdminTask.addIdMgrRepositoryBaseEntry('[-id LDAP1 -name o=ibm.com -nameInRepository o=ibm.com]')
'CWWIM5028I The configuration is saved in a temporary workspace. You must use the "$AdminConfig save" command to save it in the master repository.'
wsadmin>AdminTask.addIdMgrRealmBaseEntry('[-name defaultWIMFileBasedRealm -baseEntry o=ibm.com]')
'CWWIM5028I The configuration is saved in a temporary workspace. You must use the "$AdminConfig save" command to save it in the master repository.'
Validate the admin user - which remains in the fileRegistry repository, rather than in LDAP
wsadmin>AdminTask.validateAdminName('[-registryType WIMUserRegistry -adminUser e1wasadmin ]')
'true'
Enable global security - this allows us to secure the admin console by default
wsadmin>AdminTask.setAdminActiveSecuritySettings('[-activeUserRegistry WIMUserRegistry -enableGlobalSecurity true]')
''
Set the user search base
wsadmin>AdminTask.updateIdMgrLDAPEntityType('[-id LDAP1 -name PersonAccount -objectClasses ibmPerson;inetorgperson -searchBases c=us,ou=bluepages,o=ibm.com -searchFilter ]')
'CWWIM5028I The configuration is saved in a temporary workspace. You must use the "$AdminConfig save" command to save it in the master repository.'
Set the group search base
wsadmin>AdminTask.updateIdMgrLDAPEntityType('[-id LDAP1 -name Group -objectClasses groupOfNames -searchBases ou=memberlist,ou=ibmgroups,o=ibm.com -searchFilter ]')
'CWWIM5028I The configuration is saved in a temporary workspace. You must use the "$AdminConfig save" command to save it in the master repository.'
Save the configuration ( the CWWIM5028I messages above are reminders that everything so far only lives in the temporary workspace )
wsadmin>AdminConfig.save()
''
Sync the nodes
wsadmin>AdminNodeManagement.syncActiveNodes()
---------------------------------------------------------------
AdminNodeManagement: Synchronize the active nodes
Usage: AdminNodeManagement.syncActiveNodes()
Return: If the command is successfully invoked, a value of 1 is returned.
---------------------------------------------------------------
1
List the repositories ( again )
wsadmin>AdminTask.listIdMgrRepositories()
'{InternalFileRepository={repositoryType=File, host=LocalHost}, LDAP1={repositoryType=LDAP, specificRepositoryType=IDS, host=bluepages.ibm.com}}'
List the base entry for the newly added LDAP repository
wsadmin>AdminTask.listIdMgrRepositoryBaseEntries('[-id LDAP1]')
'{o=ibm.com=o=ibm.com}'
We're finished
wsadmin> quit
That's it, that's the lot.
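The same sequence as a wsadmin Jython script, added here as an example and not code from the original post or from IBM. It wraps the AdminTask calls above in one function and adds the two checks I would want before flipping global security on: the admin user must validate against the WIM registry (otherwise you lock yourself out of the console the moment security is enabled), and the new repository must actually have its LDAP server registered, which the script confirms by parsing the listIdMgrRepositories() output. Only then does it save and sync; on failure it leaves the temporary workspace unsaved. The bind password is handed in as a parameter rather than typed on the command line, and the two updateIdMgrLDAPEntityType calls are moved ahead of the security switch so all configuration precedes the gate. wim_args, parse_repositories, message_id, configure_ldap_registry and FakeWsadmin are names I made up; the settings dict mirrors the values in the post; the assumption that the syntax stays within the Jython level bundled with WAS 8.0 is untested.

```python
# wim_ldap.py: federate an LDAP repository into the WIM user registry.
# Added example, not code from the original post. Inside wsadmin, run it with
#   ./wsadmin.sh -lang jython -user e1wasadmin -f wim_ldap.py
# (AdminTask/AdminConfig/AdminNodeManagement are wsadmin globals); offline it uses the
# constructed FakeWsadmin below. Assumption: the syntax is kept to what the Jython bundled
# with WAS 8.0 accepts (no f-strings, decorators, True/False constants or print statements).
import re

# Constructed settings mirroring the post; the bind password is deliberately absent.
SETTINGS = {'id': 'LDAP1', 'host': 'bluepages.ibm.com', 'port': 389,
            'bindDN': 'uid=7712663228,c=gb,ou=bluepages,o=ibm.com',
            'baseEntry': 'o=ibm.com', 'realm': 'defaultWIMFileBasedRealm', 'adminUser': 'e1wasadmin',
            'userSearchBase': 'c=us,ou=bluepages,o=ibm.com',
            'groupSearchBase': 'ou=memberlist,ou=ibmgroups,o=ibm.com'}
ADAPTER = [('adapterClassName', 'com.ibm.ws.wim.adapter.ldap.LdapAdapter'), ('ldapServerType', 'IDS'),
           ('sslConfiguration', ''), ('certificateMapMode', 'exactdn'), ('certificateFilter', ''),
           ('supportChangeLog', 'none'), ('loginProperties', 'uid')]

def wim_args(pairs):
    """'[-key value ...]' as AdminTask expects: empty values go bare (as the page's
    -sslConfiguration does), values containing whitespace are double-quoted."""
    parts = []
    for key, value in pairs:
        value = str(value)
        if re.search(r'\s', value):
            value = '"%s"' % value
        parts.append(value and '-%s %s' % (key, value) or '-' + key)
    return '[' + ' '.join(parts) + ']'

def parse_repositories(listing):
    """'{A={k=v, k=v}, B={...}}' from listIdMgrRepositories() -> {'A': {k: v, ...}, 'B': {...}}"""
    repos = {}
    for name, body in re.findall(r'(\w+)=\{([^}]*)\}', listing):
        repos[name] = {}
        for item in body.split(','):
            kv = item.strip().split('=', 1)
            if len(kv) == 2:
                repos[name][kv[0]] = kv[1]
    return repos

def message_id(result):  # CWWIMnnnnW / CWWIMnnnnE id carried by a wsadmin result, else None
    m = re.search(r'\b(CWWIM\d{4}[EW])\b', str(result))
    return m and m.group(1)
def _call(log, obj, name, *args):
    result = getattr(obj, name)(*args)  # only (name, result) is logged: the bind password stays out
    log.append((name, result))
    return result

def configure_ldap_registry(admin_task, admin_config, node_mgmt, cfg, bind_password):
    """The post's sequence, gated: security is only enabled, saved and synced once the
    admin user validates and the repository really carries its LDAP server."""
    rid, base, log, report = cfg['id'], cfg['baseEntry'], [], {'ok': 0, 'reason': ''}
    steps = [
        ('configureAdminWIMUserRegistry', [('realmName', cfg['realm']), ('verifyRegistry', 'false')]),
        ('createIdMgrLDAPRepository', [('default', 'true'), ('id', rid)] + ADAPTER),
        ('addIdMgrLDAPServer', [('id', rid), ('host', cfg['host']), ('port', cfg['port']), ('bindDN', cfg['bindDN']),
                                ('bindPassword', bind_password), ('referal', 'ignore'), ('sslEnabled', 'false')] + ADAPTER[1:5]),
        ('updateIdMgrLDAPRepository', [('id', rid)] + ADAPTER),
        ('addIdMgrRepositoryBaseEntry', [('id', rid), ('name', base), ('nameInRepository', base)]),
        ('addIdMgrRealmBaseEntry', [('name', cfg['realm']), ('baseEntry', base)]),
        ('updateIdMgrLDAPEntityType', [('id', rid), ('name', 'PersonAccount'), ('objectClasses', 'ibmPerson;inetorgperson'),
                                       ('searchBases', cfg['userSearchBase']), ('searchFilter', '')]),
        ('updateIdMgrLDAPEntityType', [('id', rid), ('name', 'Group'), ('objectClasses', 'groupOfNames'),
                                       ('searchBases', cfg['groupSearchBase']), ('searchFilter', '')])]
    for name, pairs in steps:
        _call(log, admin_task, name, wim_args(pairs))
    valid = _call(log, admin_task, 'validateAdminName',
                  wim_args([('registryType', 'WIMUserRegistry'), ('adminUser', cfg['adminUser'])]))
    repos = parse_repositories(_call(log, admin_task, 'listIdMgrRepositories'))
    if valid != 'true':  # switching security on now would lock the admin out of the console
        report['reason'] = 'admin user %s did not validate' % cfg['adminUser']
    elif repos.get(rid, {}).get('host') != cfg['host']:
        report['reason'] = 'repository %s has no LDAP server registered' % rid
    else:
        _call(log, admin_task, 'setAdminActiveSecuritySettings',
              wim_args([('activeUserRegistry', 'WIMUserRegistry'), ('enableGlobalSecurity', 'true')]))
        _call(log, admin_config, 'save')
        _call(log, node_mgmt, 'syncActiveNodes')
        report['ok'] = 1
    report['calls'] = [n for n, r in log]
    report['warnings'] = [message_id(r) for n, r in log if message_id(r)]
    return report

class FakeWsadmin:  # constructed stand-in for the three wsadmin objects: records call names, replies like the post
    REPLIES = {'configureAdminWIMUserRegistry': '', 'setAdminActiveSecuritySettings': '', 'save': '',
               'syncActiveNodes': 1, 'addIdMgrLDAPServer': 'CWWIM5027W The configuration is not complete.',
               'updateIdMgrLDAPRepository': 'CWWIM5027W The configuration is not complete.',
               'createIdMgrLDAPRepository': 'CWWIM5046W Each configured repository must contain at least one base entry.',
               'listIdMgrRepositories': '{InternalFileRepository={repositoryType=File, host=LocalHost}, '
                                        'LDAP1={repositoryType=LDAP, specificRepositoryType=IDS, host=bluepages.ibm.com}}'}
    def __init__(self, admin_ok=1): self.admin_ok, self.calls = admin_ok, []
    def __getattr__(self, name): return _FakeMethod(self, name)

class _FakeMethod:
    def __init__(self, owner, name): self.owner, self.name = owner, name
    def __call__(self, *args):
        self.owner.calls.append(self.name)
        if self.name == 'validateAdminName':
            return self.owner.admin_ok and 'true' or 'false'
        return FakeWsadmin.REPLIES.get(self.name, 'CWWIM5028I The configuration is saved in a temporary workspace.')
```

Inside wsadmin the last line of the script would be configure_ldap_registry(AdminTask, AdminConfig, AdminNodeManagement, SETTINGS, password), with password read from a file that only the WAS user can open rather than passed as -bindPassword on the wsadmin command line, where it ends up in shell history and in the process list. Two further points worth noting about the settings the post uses, which the script reproduces unchanged: with -sslEnabled false on port 389 the bind DN and password cross the network in the clear, so LDAPS is the first thing to change outside a lab, and the CWWIM5027W "configuration is not complete" warnings are expected mid-way through, which is why the script collects message ids into report['warnings'] instead of stopping on them.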
This time, after restarting the WAS server ( in my case, it's a Deployment Manager ), I can search for, and find, "real" users and groups from LDAP.
Sweet .....
PS For the record, this time around, I'm using WebSphere Application Server 8.0.0.3