ApacheDS is an extensible directory server entirely written in Java, which has been certified LDAPv3 compatible by the Open Group. Since ApacheDS is a Java based solution, you will find it easy to administer and configure, and it works well with WebSphere with minimal configuration out of the box.
Configuring ApacheDS
You can download ApacheDS and find installation instructions at http://directory.apache.org/. Versions are available for all major platforms and the documentation is very good. For my installation I have used version 1.5, the latest version available at the time of writing.
Once you have downloaded and installed ApacheDS, we will need to make some configuration changes for use in our example. For that we need an LDAP client with which to administer our ApacheDS LDAP server. We will use the ApacheDS Eclipse-based admin tool, Apache Directory Studio (ADS), which can be downloaded from http://directory.apache.org/studio.
I will be using ADS for Windows. Once you have downloaded and installed ADS, start the application.
Connecting to ApacheDS using ADS
Once the ADS client application has started, we will need to create a connection to our LDAP server. Select File-New and then select LDAP Connection from the LDAP Browser category as seen in the image below.
You will then be presented with the Network Parameter screen as seen in the following image. In the Connection name field, type myLDAP. In the Hostname field enter the hostname or IP address of the server where you have installed ApacheDS. In my case ApacheDS is installed on the same server as my WebSphere server. You will also need to confirm the LDAP port. ApacheDS will be set to use 10398 by default; however, if you have made changes to the server.conf file, then edit the port accordingly to match.
Click Next to continue, and in the Authentication screen, enter the value uid=admin,ou=system in the Bind DN or user field, and the current password (default is "secret") into the Bind password field shown in the image below.
Click Finish to establish the connection. After we have successfully logged in, we will modify the value of the userPassword attribute of the entry uid=admin,ou=system to override the default password. We will need to remember this password later when we connect to the LDAP server from WebSphere. Navigate to the entry in the DIT (LDAP Browser view) located in the left-hand navigation panel, and then double-click the userPassword attribute in the Entry Editor view as shown in the image below.
The Password Editor dialog shows up; enter the password ldapadmin. You can optionally select a hash algorithm to secure the password. Pressing OK stores the new value. Close the connection and restart the ApacheDS server.
Verifying the password change
Verify that you can log in as admin with the new password. In Apache Directory Studio, you can change the properties of the existing connection profile by right-clicking it in the Connections view and selecting the Properties menu item. Enter the new password and press OK. You should now be able to establish a connection.
Adding a user
In LDAP, an object class defines the collection of attributes that can be used to define an entry. The LDAP standard provides these basic types of object classes:
· Groups in the directory, including unordered lists of individual objects or groups of objects
· Locations, such as the country name and description
· Organizations in the directory
· People in the directory
For instance, the commonName, or cn, attribute is used to store a person's name. A person named Bob Jackson can be represented in the directory as:
cn=Bob Jackson, or as cn=Bob together with sn=Jackson (commonName is the long form of the cn attribute name)
We are going to create some users. Ensure you are logged in to ApacheDS using ADS. To create a new user, right-click on the ou=users node in the DIT tree located within the left-hand navigation panel and then click on the New Entry menu item as shown immediately below.
On the Entry Creation Method screen, choose Create entry from scratch, and then click Next to continue. In the Object Classes screen you will need to select two object classes from the left-hand list of object classes. Scroll or search for person and uidObject and click the Add button to populate the right-hand Selected object classes list as shown below. Essentially we are defining a schema of required attributes needed to define users.
Click Next to progress to the Distinguished Name screen. In this screen you will fill in the attribute details required to populate a new user entry. In the RDN section, we can now add entries for the cn, sn and uid attributes, then populate these attributes accordingly. We are going to create a user named Bob Jackson. For the cn attribute enter Bob, for the sn attribute enter Jackson and for the uid attribute enter bobjackson. You are free to use these fields to define any part of a person's name. What we have just done is create a user (person object) called Bob Jackson with a uid attribute of bobjackson, which we will use as Bob's username in WebSphere.
Click Next to be presented with a final summary screen. Review the information, and once you are happy click Finish to save the record. ADS will validate the entries you have made against the schema we defined in the Object Classes screen a few steps earlier.
Once you have saved the record, we need to ensure that a password is assigned. Double-click the Bob Jackson user entry in the DIT tree and a form will appear much like the summary screen we saw earlier. This form allows the editing and adding of attributes. By clicking on the New Attribute icon as seen below, we can add a new attribute. When the Attribute dialog pops up, select the userPassword attribute and click Finish. Next the New Password dialog will appear; type bobjackson as the password and click OK.
We also need to create another user called wasadmin, which will be our primary WebSphere administration user. Following the same process as above, create a new person entry for wasadmin. Set cn to the value WebSphere, sn to the value Administrator, uid to the value wasadmin, and add a userPassword attribute with the password wasadmin. We have now created two new users which will be given two different roles: one is an administrator (wasadmin), the other an operator user (bobjackson) who can only perform basic administration functions in the administrative console. We now have what we need to demonstrate using LDAP-based users to administer WebSphere.
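The same two entries can be produced as an LDIF file instead of being clicked through in Directory Studio. The Python script below is an added example of mine, not code from the article, from ApacheDS or from Directory Studio: it renders Bob Jackson and wasadmin as person plus uidObject entries and stores userPassword in the {SSHA} salted-SHA-1 form that the Password Editor's hash option produces instead of clear text, with a matching verifier so you can see what the directory actually compares at bind time. The parent DN ou=users,ou=system and the use of uid as the naming attribute are assumptions, since the article does not spell either out; the fixed salt used in the comments is constructed for repeatability.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed parent container: ApacheDS ships an ou=users entry under its
# ou=system partition, but the tutorial never spells out the full DN.
USERS_BASE_DN = "ou=users,ou=system"


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Encode a password in {SSHA} form (salted SHA-1), the scheme the
    Password Editor offers when you pick a hash algorithm instead of
    storing the clear-text value."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a clear-text password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digests are 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_attr(name: str, value: str) -> str:
    """Render one attribute line. RFC 2849 requires base64 ('::') when the
    value starts with a space, ':' or '<', ends with a space, or contains
    anything outside printable ASCII."""
    unsafe = (
        value[:1] in (" ", ":", "<")
        or value.endswith(" ")
        or not all(32 <= ord(c) < 127 for c in value)
    )
    if unsafe:
        return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{name}: {value}"


def user_ldif(uid: str, cn: str, sn: str, password: str,
              salt: Optional[bytes] = None) -> str:
    """One entry with the two object classes chosen in Directory Studio
    (person plus uidObject). Using uid as the RDN is an assumption: the
    tutorial fills cn, sn and uid in the RDN section without saying which
    one becomes the naming attribute."""
    lines = [
        f"dn: uid={uid},{USERS_BASE_DN}",
        "objectClass: top",
        "objectClass: person",
        "objectClass: uidObject",
        ldif_attr("cn", cn),
        ldif_attr("sn", sn),
        ldif_attr("uid", uid),
        ldif_attr("userPassword", ssha_hash(password, salt)),
    ]
    return "\n".join(lines) + "\n"


def tutorial_users_ldif(salt: Optional[bytes] = None) -> str:
    """Both users from the tutorial, separated by a blank line as LDIF requires."""
    return (user_ldif("bobjackson", "Bob", "Jackson", "bobjackson", salt)
            + "\n"
            + user_ldif("wasadmin", "WebSphere", "Administrator", "wasadmin", salt))


if __name__ == "__main__":
    # Constructed example run; a fresh random salt is used for each attribute.
    print(tutorial_users_ldif(), end="")
```

Running the script prints two LDIF records that can be imported with the LDIF import in Directory Studio. Because each hash carries its own salt, two users with the same password get different userPassword values, and the verifier uses a constant-time comparison rather than `==`.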
LDAP security settings
Navigate to the Security section of the left-hand panel in the administrative console and click on Global security. In the Security page, under the User account repository section, select Standalone LDAP registry from the Available realm definitions list, and click Configure to enter the General Properties page. Here you can configure all the appropriate settings for WAS to use an LDAP repository. As shown below, type wasadmin in the Primary administrative user name field. This is the primary user WebSphere will use for the server identity. In the LDAP server section, choose Custom from the Type of LDAP server list. There are several pre-configured LDAP server types which are tuned for common LDAP servers. Pre-tuned settings can be accessed by editing additional properties. To do this, click the Advanced Lightweight Directory Access Protocol (LDAP) user registry settings link located at the bottom of the LDAP server section. We need to specify the hostname and port of the LDAP server and a Base Distinguished Name (DN). The Base distinguished name (DN) indicates the starting point for LDAP searches of the directory service. For example, for a user with a DN of cn=Bob Jackson,ou=Users,o=Packt Publishing,c=UK, specify the Base DN as any of the following options: ou=Users,o=Packt Publishing,c=UK or o=Packt Publishing,c=UK or c=UK. Fill in these fields with the values shown in the following table:
· Host: localhost (We can use localhost because the LDAP server is installed on the same machine as WebSphere. If this is not the case in your setup, then change accordingly.)
· Port: (Default LDAP port for ApacheDS)
· Base distinguished name (DN): (The base DN is where the LDAP bind will start searches.)
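To see why each of the three Base DN options given for Bob Jackson's entry would work, here is a small added Python example, mine rather than code from the article, IBM or Apache: it parses a string DN into its RDN components (handling backslash-escaped commas, which a naive split on "," would break on) and lists every suffix of the entry's DN that could serve as the search base. The Packt Publishing DN is the one from the text; the escaped-comma DN used in the test is constructed.

```python
from typing import List, Tuple

RDN = Tuple[str, str]  # (attribute type, value)


def parse_dn(dn: str) -> List[RDN]:
    """Split an RFC 4514 string DN into (type, value) pairs, leftmost first.
    Backslash escapes such as 'o=Packt\\, Inc' are kept intact so the value
    stays comparable; spaces around the separating commas are ignored.
    Multi-valued RDNs joined with '+' are out of scope for this example."""
    rdns: List[RDN] = []
    buf = ""
    i = 0
    while i <= len(dn):
        if i == len(dn) or dn[i] == ",":
            part = buf.strip()
            if not part:
                raise ValueError("empty RDN in DN: %r" % dn)
            if "=" not in part:
                raise ValueError("RDN without '=': %r" % part)
            attr, value = part.split("=", 1)
            # Attribute types are case-insensitive in LDAP; normalise them.
            rdns.append((attr.strip().lower(), value.strip()))
            buf = ""
        elif dn[i] == "\\" and i + 1 < len(dn):
            buf += dn[i:i + 2]   # escaped character: copy both chars through
            i += 1
        else:
            buf += dn[i]
        i += 1
    return rdns


def is_under_base(entry_dn: str, base_dn: str) -> bool:
    """True when base_dn names the entry itself or one of its ancestors,
    which is what a subtree search from base_dn needs in order to find it.
    Values are compared case-insensitively, as LDAP does for most syntaxes."""
    entry = [(t, v.lower()) for t, v in parse_dn(entry_dn)]
    base = [(t, v.lower()) for t, v in parse_dn(base_dn)]
    return len(base) <= len(entry) and entry[len(entry) - len(base):] == base


def candidate_base_dns(entry_dn: str) -> List[str]:
    """Every proper suffix of the entry DN: the Base DN values WebSphere could
    be given so that a search rooted there still reaches the entry."""
    rdns = parse_dn(entry_dn)
    return [",".join(f"{t}={v}" for t, v in rdns[i:]) for i in range(1, len(rdns))]


if __name__ == "__main__":
    bob = "cn=Bob Jackson,ou=Users,o=Packt Publishing,c=UK"   # DN from the text
    for base in candidate_base_dns(bob):
        print(base, "->", is_under_base(bob, base))
```

Picking the narrowest base that still contains every account WebSphere should see (ou=Users here rather than c=UK) keeps searches small and stops unrelated branches of the tree from being considered as login candidates.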
In production systems, you would not use the LDAP administration account as your bind user. Normally, a separate, dedicated LDAP user is created for the WebSphere connection binding.
Steve Robinson has been working in IT for over 20 years and has provided solutions for many large-enterprise corporate companies across the world. Steve specialises in Java and Middleware.
In January 2013, I was awarded the prestigious 'IBM Champion' accolade.
IBM WebSphere Application Server 8.0 Administration Guide
WebSphere Application Server 7.0 Administration Guide