This follows on from some earlier posts: -
and focuses on the use of Microsoft Active Directory 2008, whereas most of my prior experience ( recently, at least ) has been with IBM Tivoli Directory Server and CA Directory.
So here's the process I followed: -
Start WSAdmin Client
Note - in this scenario, we only have the Deployment Manager and Node Agent running
/opt/ibm/WebSphereProfiles/Dmgr01/bin/wsadmin.sh -lang jython -host `hostname`.uk.ibm.com -port 8879 -user wasadmin -password p455w0rd
Add SSL Signer Certificate for AD to Cell Default Trust Store
cellID=AdminControl.getCell()
AdminTask.retrieveSignerFromPort('[-keyStoreName CellDefaultTrustStore -keyStoreScope (cell):'+cellID+' -host ad_ldap.uk.ibm.com -port 636 -certificateAlias ad_ldap.uk.ibm.com -sslConfigName CellDefaultSSLSettings -sslConfigScopeName (cell):'+cellID+' ]')
Save and Synchronise
AdminConfig.save()
AdminNodeManagement.syncActiveNodes()
Create LDAP Repository
AdminTask.createIdMgrLDAPRepository('[-default true -id ad_ldap.uk.ibm.com -adapterClassName com.ibm.ws.wim.adapter.ldap.LdapAdapter -ldapServerType AD -sslConfiguration -certificateMapMode exactdn -supportChangeLog none -certificateFilter -loginProperties uid]')
Add LDAP Server
AdminTask.addIdMgrLDAPServer('[-id ad_ldap.uk.ibm.com -host ad_ldap.uk.ibm.com -bindDN ad_ldap_bin -bindPassword p455w0rd -referal ignore -sslEnabled true -ldapServerType AD -sslConfiguration -certificateMapMode exactdn -certificateFilter -authentication simple -port 636]')
Add Base Entry
AdminTask.addIdMgrRepositoryBaseEntry('[-id ad_ldap.uk.ibm.com -name dc=uk,dc=ibm,dc=com -nameInRepository dc=uk,dc=ibm,dc=com]')
AdminTask.addIdMgrRealmBaseEntry('[-name defaultWIMFileBasedRealm -baseEntry dc=uk,dc=ibm,dc=com]')
Enable/validate Global Security
AdminTask.setAdminActiveSecuritySettings('[-activeUserRegistry WIMUserRegistry -enableGlobalSecurity true]')
Set User Search Base and Search Filter
Note - your environment WILL almost certainly be different, in terms of object classes, filters etc.
AdminTask.updateIdMgrLDAPEntityType('[-id ad_ldap.uk.ibm.com -name PersonAccount -objectClasses organizationalPerson -searchBases "ou=users,dc=uk,dc=ibm,dc=com" -searchFilter (objectclass=person)]')
Set Group Search Base and Search Filter
Note - your environment WILL almost certainly be different, in terms of object classes, filters etc.
AdminTask.updateIdMgrLDAPEntityType('[-id ad_ldap.uk.ibm.com -name Group -objectClasses group -searchBases "ou=groups,dc=uk,dc=ibm,dc=com" -searchFilter (ObjectCategory=Group)]')
Enable Login if AD is down
AdminTask.updateIdMgrRealm('[-name defaultWIMFileBasedRealm -allowOperationIfReposDown true]')
Save and Synchronise
AdminConfig.save()
AdminNodeManagement.syncActiveNodes()
Restart Deployment Manager and Node Agent
/home/wasadmin/stopManager_PC.sh
/home/wasadmin/stopNode_PC.sh
/home/wasadmin/startManager_PC.sh
/home/wasadmin/startNode_PC.sh
Validate Users/Groups
/opt/ibm/WebSphereProfiles/Dmgr01/bin/wsadmin.sh -lang jython -host `hostname`.uk.ibm.com -port 8879 -user wasadmin -password p455w0rd
print AdminTask.searchGroups(["-cn *"])
cn=developers,o=defaultWIMFileBasedRealm
cn=administrators,o=defaultWIMFileBasedRealm
cn=wasadministrators,ou=groups,dc=uk,dc=ibm,dc=com
print AdminTask.searchUsers(["-cn *"])
cn=ad_ldap_bin,ou=users,dc=uk,dc=ibm,dc=com
cn=wasuser1,ou=users,dc=uk,dc=ibm,dc=com
cn=wasuser2,ou=users,dc=uk,dc=ibm,dc=com
uid=deAdmin,o=defaultWIMFileBasedRealm
uid=wasadmin,o=defaultWIMFileBasedRealm
Note - entries highlighted in bold are from AD, rest are from WAS File-Based Registry
The job, as Andy Garratt would say, is a good 'un.