I had a requirement to quickly add an LDAP into an IBM BPM Advanced 8.5.5 environment, hosted on WebSphere Application Server 8.5.5.4, and thought: hey, why don't I use OpenLDAP?
Given that I'm running my servers on a pair of Macs, I wondered whether I could also host my LDAP server natively, rather than needing to build out another VM.
Lo and behold, OS X includes OpenLDAP, with which I have some experience.
This document was of immense use: -
from which I did the following: -
Configure the slapd configuration file
/etc/openldap/slapd.conf
include /private/etc/openldap/schema/core.schema
include /private/etc/openldap/schema/cosine.schema
include /private/etc/openldap/schema/inetorgperson.schema
pidfile /private/var/db/openldap/run/slapd.pid
argsfile /private/var/db/openldap/run/slapd.args
database bdb
suffix "dc=uk,dc=ibm,dc=com"
rootdn "cn=root,dc=uk,dc=ibm,dc=com"
# rootpw is the {SSHA} (salted SHA-1) hash of 'root', as produced by slappasswd -h {SSHA}
rootpw {SSHA}ih08rDcGRC+S5ol888SZG5YUjOX1oVVK
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /private/var/db/openldap/openldap-data
# Indices to maintain
index objectClass eq
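As an added example (not code from the original post): how an OpenLDAP {SSHA} value such as the rootpw above is built and checked, in Python. On the command line, slappasswd -h {SSHA} -s root produces the same format; the script assumes a 4-byte salt, which is what the 24-byte decoded value above contains.

```python
import base64
import hashlib
import hmac
import os

# rootpw value copied from the slapd.conf above; the post states it hashes 'root'.
PAGE_ROOTPW = "{SSHA}ih08rDcGRC+S5ol888SZG5YUjOX1oVVK"


def make_ssha(password, salt=None):
    """Build an OpenLDAP {SSHA} value the way slappasswd -h {SSHA} does:
    base64(sha1(password + salt) + salt), with a 4-byte random salt by default."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def split_ssha(stored):
    """Return (digest, salt) from a {SSHA} value: the SHA-1 digest is the first
    20 bytes of the base64 payload, everything after it is the salt."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value: %r" % stored[:8])
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return raw[:20], raw[20:]


def verify_ssha(stored, password):
    """Check a cleartext password against a stored {SSHA} value, as slapd does
    for a simple bind; constant-time compare so the digest is not leaked by timing."""
    digest, salt = split_ssha(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print(make_ssha("root"))                 # a fresh rootpw value (new salt each run)
    print(verify_ssha(PAGE_ROOTPW, "root"))  # check the post's rootpw against 'root'
```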
Create an LDIF file in order to provision groups and users
sample.ldif
version: 1
dn: dc=uk,dc=ibm,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
dc: uk
o: Some Org
description: A sample domain
dn: ou=people,dc=uk,dc=ibm,dc=com
objectClass: top
objectClass: organizationalUnit
ou: people
dn: cn=WebSphereAdmin,ou=people,dc=uk,dc=ibm,dc=com
objectClass: inetOrgPerson
cn: WebSphereAdmin
sn: Admin
givenname: WebSphere
uid: WebSphereAdmin
# userPassword is the {SSHA} salted SHA-1 hash of 'root' (the same value as rootpw above)
userPassword: {SSHA}ih08rDcGRC+S5ol888SZG5YUjOX1oVVK
description: WebSphere Admin
dn: cn=BPMAdmin,ou=people,dc=uk,dc=ibm,dc=com
objectClass: inetOrgPerson
cn: BPMAdmin
sn: Admin
givenname: BPM
uid: BPMAdmin
# userPassword is the {SSHA} salted SHA-1 hash of 'root' (the same value as rootpw above)
userPassword: {SSHA}ih08rDcGRC+S5ol888SZG5YUjOX1oVVK
mail: BPMAdmin@uk.ibm.com
description: BPM Admin
Start slapd (in the foreground, at debug level 127)
sudo /usr/libexec/slapd -d 127
Add entries via LDIF
ldapadd -x -D cn=root,dc=uk,dc=ibm,dc=com -w root -f ~/sample.ldif
Validate by querying LDAP
ldapsearch -x -h ldap.uk.ibm.com -p 389 -b dc=uk,dc=ibm,dc=com -D cn=root,dc=uk,dc=ibm,dc=com -w root "(ObjectClass=inetOrgPerson)"
# extended LDIF
#
# LDAPv3
# base <dc=uk,dc=ibm,dc=com> with scope subtree
# filter: (ObjectClass=inetOrgPerson)
# requesting: ALL
#
# WebSphereAdmin, people, uk.ibm.com
dn: cn=WebSphereAdmin,ou=people,dc=uk,dc=ibm,dc=com
objectClass: inetOrgPerson
cn: WebSphereAdmin
sn: Admin
givenName: WebSphere
uid: WebSphereAdmin
userPassword:: e1NTSEF9aWgwOHJEY0dSQytTNW9sODg4U1pHNVlVak9YMW9WVks=
description: WebSphere Admin
# BPMAdmin, people, uk.ibm.com
dn: cn=BPMAdmin,ou=people,dc=uk,dc=ibm,dc=com
objectClass: inetOrgPerson
cn: BPMAdmin
sn: Admin
givenName: BPM
uid: BPMAdmin
userPassword:: e1NTSEF9aWgwOHJEY0dSQytTNW9sODg4U1pHNVlVak9YMW9WVks=
mail: BPMAdmin@uk.ibm.com
description: BPM Admin
# search result
search: 2
result: 0 Success
# numResponses: 4
# numEntries: 3
ldapsearch -x -h ldap.uk.ibm.com -p 389 -b dc=uk,dc=ibm,dc=com -D cn=root,dc=uk,dc=ibm,dc=com -w root "(ObjectClass=organizationalUnit)"
# extended LDIF
#
# LDAPv3
# base <dc=uk,dc=ibm,dc=com> with scope subtree
# filter: (ObjectClass=organizationalUnit)
# requesting: ALL
#
# people, uk.ibm.com
dn: ou=people,dc=uk,dc=ibm,dc=com
objectClass: top
objectClass: organizationalUnit
ou: people
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
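An added pre-flight check (example code, not from the post) that serves both the sample.ldif above and the ldapsearch output: a minimal LDIF reader that decodes the base64 "userPassword::" lines ldapsearch emits, plus a check that each entry's parent precedes it in the file (otherwise ldapadd fails with "No such object") and that no userPassword is stored in cleartext. The sample LDIF is constructed with two deliberate faults; the reader assumes no LDIF line folding and no escaped commas in DNs.

```python
import base64
import re
# Constructed sample modelled on the post's sample.ldif, with two deliberate
# faults: ou=people precedes its parent, and one userPassword is cleartext.
BAD_LDIF = """\
dn: ou=people,dc=uk,dc=ibm,dc=com
ou: people

dn: dc=uk,dc=ibm,dc=com
dc: uk

dn: cn=BPMAdmin,ou=people,dc=uk,dc=ibm,dc=com
userPassword: root
"""
# Constructed excerpt of the ldapsearch output above; '::' marks a base64 value.
SEARCH_OUT = """\
dn: cn=WebSphereAdmin,ou=people,dc=uk,dc=ibm,dc=com
userPassword:: e1NTSEF9aWgwOHJEY0dSQytTNW9sODg4U1pHNVlVak9YMW9WVks=
"""
LINE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")   # attr, ':' or '::', value


def parse_ldif(text):
    """Minimal LDIF reader (no line folding, no changetype): returns a list of
    (dn, {attr: [values]}); skips comments/version, decodes '::' base64 values."""
    entries = []
    for block in text.strip().split("\n\n"):        # a blank line ends an entry
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or line.startswith("version:"):
                continue
            attr, sep, raw = LINE.match(line).groups()
            value = base64.b64decode(raw).decode("utf-8") if sep == "::" else raw
            attrs.setdefault(attr.lower(), []).append(value)
        if "dn" in attrs:
            entries.append((attrs.pop("dn")[0], attrs))
    return entries


def preflight(entries, suffix):
    """Problems ldapadd would hit, or a reviewer should reject: a parent entry
    not added earlier ('No such object'), or a userPassword stored in cleartext."""
    problems, seen = [], set()
    for dn, attrs in entries:
        parent = dn.split(",", 1)[1] if "," in dn else ""   # assumes no escaped commas
        if dn.lower() != suffix.lower() and parent.lower() not in seen:
            problems.append("%s: parent not added yet" % dn)
        for pw in attrs.get("userpassword", []):
            if not pw.startswith("{"):                       # no {SSHA}/{SHA} scheme prefix
                problems.append("%s: cleartext userPassword" % dn)
        seen.add(dn.lower())
    return problems
```

Run preflight(parse_ldif(open("sample.ldif").read()), "dc=uk,dc=ibm,dc=com") before the ldapadd step; an empty list means the file is safe to load in order.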
WAS Configuration
Start the wsadmin client
/opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin/wsadmin.sh -host `hostname` -port 8879 -lang jython -user wasadmin -password passw0rd
Create LDAP Repository
AdminTask.createIdMgrLDAPRepository('[-default true -id ldap.uk.ibm.com -adapterClassName com.ibm.ws.wim.adapter.ldap.LdapAdapter -ldapServerType CUSTOM -sslConfiguration -certificateMapMode exactdn -supportChangeLog none -certificateFilter -loginProperties uid]')
Add LDAP Server
AdminTask.addIdMgrLDAPServer('[-id ldap.uk.ibm.com -host ldap.uk.ibm.com -bindDN cn=root,dc=uk,dc=ibm,dc=com -bindPassword root -referal ignore -sslEnabled false -ldapServerType CUSTOM -sslConfiguration -certificateMapMode exactdn -certificateFilter -authentication simple -port 389]')
Add Base Entry
AdminTask.addIdMgrRepositoryBaseEntry('[-id ldap.uk.ibm.com -name ou=people,dc=uk,dc=ibm,dc=com -nameInRepository ou=people,dc=uk,dc=ibm,dc=com]')
Add Realm Base Entry
AdminTask.addIdMgrRealmBaseEntry('[-name defaultWIMFileBasedRealm -baseEntry ou=people,dc=uk,dc=ibm,dc=com]')
Add User Object Classes and Search Base
AdminTask.addIdMgrLDAPEntityType('[-id ldap.uk.ibm.com -name PersonAccount -objectClasses inetOrgPerson;person -searchBases ou=people,dc=uk,dc=ibm,dc=com -searchFilter (ObjectClass=inetOrgPerson)]')
Add Group Object Class and Search Base
AdminTask.addIdMgrLDAPEntityType('[-id ldap.uk.ibm.com -name Group -objectClasses organizationalUnit -searchBases ou=people,dc=uk,dc=ibm,dc=com -searchFilter (ObjectClass=organizationalUnit)]')
Enable Allow Operation If Repository Down
AdminTask.updateIdMgrRealm('[-name defaultWIMFileBasedRealm -allowOperationIfReposDown true]')
Save and Sync
AdminConfig.save()
AdminNodeManagement.syncActiveNodes()
quit
Once WAS has been restarted, the users in the Federated Repository can be validated: -
print AdminTask.listRegistryUsers(['-securityRealmName', 'defaultWIMFileBasedRealm', '-displayAccessIds', 'true'])
[[accessId user:defaultWIMFileBasedRealm/uid=wasadmin,o=defaultWIMFileBasedRealm] [name wasadmin@defaultWIMFileBasedRealm] ]
[[accessId user:defaultWIMFileBasedRealm/uid=deAdmin,o=defaultWIMFileBasedRealm] [name deAdmin@defaultWIMFileBasedRealm] ]
[[accessId user:defaultWIMFileBasedRealm/cn=BPMAdmin,ou=people,dc=uk,dc=ibm,dc=com] [name BPMAdmin@defaultWIMFileBasedRealm] ]
[[accessId user:defaultWIMFileBasedRealm/cn=WebSphereAdmin,ou=people,dc=uk,dc=ibm,dc=com] [name WebSphereAdmin@defaultWIMFileBasedRealm] ]
print AdminTask.listRegistryUsers(['-securityRealmName', 'defaultWIMFileBasedRealm'])
wasadmin@defaultWIMFileBasedRealm
deAdmin@defaultWIMFileBasedRealm
BPMAdmin@defaultWIMFileBasedRealm
WebSphereAdmin@defaultWIMFileBasedRealm