Date Created: Tue 12-Jul-2011

Get my WebSphere Application Server course here >> http://www.themiddlewareshop.com/products/





    Configuring ApacheDS with WebSphere Application Server 8

    ApacheDS is an extensible directory server entirely written in Java, which has been certified LDAPv3 compatible by the Open Group. Since ApacheDS is a Java based solution, you will find it easy to administer and configure, and it works well with WebSphere with minimal configuration out of the box.

    Configuring ApacheDS

    You can acquire the ApacheDS download and installation instructions from http://directory.apache.org/. There are versions available for all major platforms and the documentation is very good. For my installation I have used version 1.5, which is the latest version available at the time of writing.

    Once you have downloaded and installed ApacheDS, we need to make some configuration changes for use in our example. To do this, we first need to download and install an LDAP client so we can administer our ApacheDS LDAP server. We will use the ApacheDS Eclipse-based admin tool called Apache Directory Studio (ADS), which can be downloaded here: http://directory.apache.org/studio.

    I will be using ADS for Windows. Once you have downloaded and installed ADS, start the application.

    Connecting to ApacheDS using ADS

    Once the ADS client application has started, we need to create a connection to our LDAP server. Select File > New and then select LDAP Connection from the LDAP Browser category, as seen in the image below.


    You will then be presented with the Network Parameter screen as seen in the following image. In the Connection name field, type myLDAP. In the Hostname field, enter the hostname or IP address of the server on which you have installed ApacheDS. In my case ApacheDS is installed on the same server as my WebSphere server. You will also need to confirm the LDAP port. ApacheDS is set to use 10398 by default; however, if you have changed the port in the server.conf file, edit this value to match.


    Click Next to continue, and in the Authentication screen, enter the value uid=admin,ou=system in the Bind DN or user field, and the current password (default is "secret") into the Bind password field shown in the image below.



    Click Finish to establish the connection. After we have successfully logged in, we will modify the value of the userPassword attribute of the entry uid=admin,ou=system to override the default password. We will need to remember this password later when we connect to the LDAP server from WebSphere. Navigate to the entry in the DIT (LDAP Browser view) located in the left-hand navigation panel, and then double-click the userPassword attribute in the Entry Editor view, as shown in the image below.


    The Password Editor dialog appears; enter the password ldapadmin. You can optionally select a hash algorithm so that the password is stored hashed rather than in clear text. Pressing OK stores the new value. Close the connection and restart the ApacheDS server.

    Verifying the password change

    Verify that you can log in as admin with the new password. In Apache Directory Studio, you can change the properties of the existing connection profile by right-clicking it in the Connections view and selecting the Properties menu item. Enter the new password and press OK. You should now be able to establish a connection.

    Adding a user

    In LDAP, an object class defines the collection of attributes that can be used to define an entry. The LDAP standard provides these basic types of object classes:

    Groups in the directory, including unordered lists of individual objects or groups of objects

    Locations, such as the country name and description

    Organizations in the directory

    People in the directory

    For instance, the commonName, or cn, attribute is used to store a person's name.
    A person named Bob Jackson can be represented in the directory as:

    cn=Bob Jackson, or as cn=Bob together with sn=Jackson (the attribute can also be written by its full name, commonName)

    We are going to create some users. Ensure you are logged in to ApacheDS using ADS. To create a new user, right-click the ou=users node in the DIT tree located within the left-hand navigation panel and then click the New Entry menu item, as shown immediately below.





    On the Entry Creation Method screen, choose Create entry from scratch, and then click Next to continue.

    In the Object Classes screen you will need to select two object classes from the left-hand list of object classes. Scroll or search for person and uidObject and click the Add button to populate the right-hand Selected object classes list, as shown below. Essentially we are defining a schema of required attributes needed to define users.



    Click Next to progress to the Distinguished Name screen. In this screen you will fill in the attribute details required to populate a new user entry. In the RDN section, we can now add entries for the cn, sn and uid attributes, then populate these attributes accordingly. We are going to create a user named Bob Jackson. For the cn attribute enter Bob, for the sn attribute enter Jackson and for the uid attribute enter bobjackson. You are free to use these fields to define any part of a person's name.

    What we have just done is create a user (person object) called Bob Jackson with a uid attribute of bobjackson, which we will use as Bob's username in WebSphere.



    Click Next to be presented with a final summary screen. Review the information, and once you are happy click Finish to save the record. ADS will validate the entries you have made against the schema we defined in the Object Classes screen a few steps earlier. Once you have saved the record, we need to ensure that a password is assigned. Double-click the Bob Jackson user entry in the DIT tree and a form will appear much like the summary screen we saw earlier. This form allows the editing and adding of attributes. By clicking the New Attribute icon, as seen below, we can add a new attribute.


    When the Attribute dialog pops up, select the userPassword attribute and click Finish. Next the New Password dialog will appear; type bobjackson as the password and click OK.

    We also need to create another user called wasadmin which will be our primary WebSphere administration user. Following the same process as above, create a new person entry for wasadmin. Set cn to the value of WebSphere, sn to the value of Administrator, uid to the value of wasadmin and add a userPassword attribute with the password wasadmin.

    We have essentially created two new users which will be given two different roles—one being an administrator (wasadmin), the other being an operator user (bobjackson) who can only do basic administration functions in the administrative console. We now have what we need to demonstrate using LDAP-based users to administer WebSphere.

    LDAP security settings

    Navigate to the Security section of the left-hand side panel in the administrative console and click on Global security. In the Security page, under the User account repository section, select Standalone LDAP registry from the Available realm definitions list, and click Configure to enter the General Properties page. Here you can configure all the appropriate settings for WAS to use an LDAP repository. As shown below, type wasadmin in the Primary administrative user name field. This is the primary user WebSphere will use for the server identity.


    In the LDAP server section, choose Custom from the Type of LDAP server list. There are several pre-configured LDAP server types which are tuned for common LDAP servers. The pre-tuned settings can be accessed by editing additional properties. To do this, click the Advanced Lightweight Directory Access Protocol (LDAP) user registry settings link located at the bottom of the LDAP server section. We need to specify the hostname and port of the LDAP server and a Base Distinguished Name (DN). The Base distinguished name (DN) indicates the starting point for LDAP searches of the directory service. For example, for a user with a DN of cn=Bob Jackson, ou=Users, o=Packt Publishing, c=UK, specify the Base DN as any of the following: ou=Users, o=Packt Publishing, c=UK or o=Packt Publishing, c=UK or c=UK.


    As shown in the previous screenshot, fill in these fields with the values as shown in the following table:

    Field name                      Value entered
    Host                            localhost
                                    (We can use localhost because the LDAP server is installed on the same machine as WebSphere. If this is not the case in your setup, then change accordingly.)
    Port                            10339
                                    (Default LDAP port for ApacheDS)
    Base distinguished name (DN)    ou=users,ou=system
                                    (The base DN is where the LDAP bind will start searches.)
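    The base DN rule above (an entry is only found if its DN ends with the configured base DN) as a small check, added here and not part of the original article. It parses simple DNs into RDNs, compares them case-insensitively and ignoring whitespace around commas, and applies the rule to the Bob Jackson example DN and to the ou=users,ou=system base used in this configuration; the candidate list is constructed for illustration.

```python
def parse_dn(dn):
    """Split a DN into normalised (type, value) RDN tuples, leftmost first.
    Handles the simple DNs used in this walkthrough (no escaped commas)."""
    rdns = []
    for rdn in dn.split(","):
        attr_type, _, value = rdn.partition("=")
        rdns.append((attr_type.strip().lower(), value.strip().lower()))
    return rdns


def is_under_base(entry_dn, base_dn):
    """True if entry_dn is at or below base_dn in the DIT, i.e. a search
    rooted at base_dn (subtree scope) can reach it."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    if len(base) > len(entry):
        return False
    return entry[len(entry) - len(base):] == base


def usable_base_dns(entry_dn, candidates):
    """Return the candidate base DNs under which entry_dn can be found."""
    return [b for b in candidates if is_under_base(entry_dn, b)]


# The example DN from the article and constructed candidate base DNs.
USER_DN = "cn=Bob Jackson,ou=Users,o=Packt Publishing,c=UK"
CANDIDATES = [
    "ou=Users, o=Packt Publishing, c=UK",   # narrowest valid base
    "o=Packt Publishing, c=UK",             # valid
    "c=UK",                                 # valid, widest search
    "ou=Users, c=UK",                       # invalid: skips the o= level
    "ou=people, o=Packt Publishing, c=UK",  # invalid: different OU
]

if __name__ == "__main__":
    for base in CANDIDATES:
        print(f"{base:40} -> {is_under_base(USER_DN, base)}")
```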

    Next we have to complete the Security section located on the right-hand side of the page. In this section we have two fields to fill in. Bind distinguished name (DN) is the name which WebSphere will use to connect to LDAP for name searches. The Bind password is the password for this user. Fill in these fields with the values below, which we configured in Apache DS earlier.

    In production systems, you would not use the LDAP administration account as your bind user. Normally, a separate LDAP user with only the rights needed for searches is created for the WebSphere connection binding.

    Field name                      Value entered
    Bind distinguished name (DN)    uid=wasadmin,ou=system
    Bind password                   ldapadmin

    If no name is specified for the Bind distinguished name (DN), the application server binds anonymously, so the LDAP server must be set up to allow anonymous binding. Once you have completed filling in the required fields, click Apply and you will then be prompted with the following message:


Steve Robinson - IBM Champion 2013

About Me

Steve Robinson has been working in IT for over 20 years and has provided solutions for many large-enterprise corporate companies across the world. Steve specialises in Java and Middleware.

In January 2013, I was awarded the prestigious 'IBM Champion' accolade.


Read my books?

IBM WebSphere Application Server 8.0 Administration Guide

WebSphere Application Server 7.0 Administration Guide