How to configure LDAP with RTC 6.0.1 on Linux using WebSphere Liberty?
4 answers
https://jazz.net/wiki/bin/view/Deployment/ConfigureLDAPforLibertyProfile
Comments
This answer would have saved me some time had I found it sooner.
- the bindPassword was not set correctly
- the filters seemed to be set mainly in idsFilters with some malformed entries in customFilters.
Hi Robin, not quite sure why your configuration uses both "idsFilters" and "customFilters", since "idsFilters" should be used for Tivoli Active Directory only, and "customFilters" can actually be used with all LDAP servers.
No instructions can give exact steps for custom LDAP servers, as they are "customized", and can be completely different.
Administrators have to be quite familiar with LDAP to complete this task with ease and confidence.
Comments
Donald, it would be great if we could publish examples in the deployment Wiki, once we have collected a few.
That's for sure. We definitely need to publish something, regardless of the format.
Would it be possible for you to translate our tomcat server.xml Realm line to what we need to enter into the new ldapUserRegistry.xml ? We are using Microsoft Active Directory.
Comments
LDAP is enabled in the RTC 6.0.1 Liberty server.xml file. The problem we are having is that the LDAP configuration parameters that worked in the RTC 5.0.2 Tomcat server.xml file do not seem to translate nicely to the format of the ldapUserRegistry.xml file used by RTC 6.0.1 WebSphere Liberty. I did see the following entry in the help page you sent, and clearly there is some problem aligning our organization's LDAP configuration that worked with Tomcat to the structure of the ldapUserRegistry.xml file. I have followed examples of how to set up this file when using Microsoft Active Directory, but I am still seeing LDAP login errors on startup and no one is able to log in to our upgraded RTC 6.0.1 right now.
Regarding the help page entry: Go to JazzInstallDir/server/liberty/servers/clm/conf, open the ldapUserRegistry.xml file and examine the values in the groupFilter and userFilter entries. If the values are not aligned with your organization's particular LDAP configuration, modify them before restarting the server. [The question is how to do this, and how to easily borrow from the tomcat server.xml ldap configuration that worked with RTC 5.0.2]
The Realm line that allows our Microsoft Active Directory LDAP to work in the tomcat server.xml file from RTC 5.0.2 is as follows:
1 vote
Thanks for sharing Christopher!
Ralph, would it be possible for you to translate our Tomcat server.xml Realm line to what we need to enter into the new ldapUserRegistry.xml?
To configure LDAP on RTC 6.0.1 with Liberty, I had to manually edit ldapUserRegistry.xml to change idsFilter based on information provided at:
https://www-01.ibm.com/support/knowledgecenter/was_beta_liberty/com.ibm.websphere.wlp.nd.multiplatform.doc/ae/twlp_sec_ldap.html
<!-- Note: a literal '&' inside an XML attribute value must be written as '&amp;',
     otherwise Liberty rejects the file as not well-formed. -->
<ldapRegistry id="ldap" realm="SampleLdapIDSRealm"
    host="ldapserver.mycity.mycompany.com" port="389" ignoreCase="true"
    baseDN="o=mycompany,c=us"
    ldapType="IBM Tivoli Directory Server"
    sslEnabled="true"
    sslRef="LDAPSSLSettings">
    <idsFilters
        userFilter="(&amp;(uid=%v)(objectclass=ePerson))"
        groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))"
        userIdMap="*:uid"
        groupIdMap="*:cn"
        groupMemberIdMap="mycompany-allGroups:member;mycompany-allGroups:uniqueMember;groupOfNames:member;groupOfUniqueNames:uniqueMember">
    </idsFilters>
</ldapRegistry>
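The two problems mentioned earlier in the thread (a bindPassword that was not set correctly, and malformed filter entries) are cheap to catch before restarting the server. The script below is an added example, not part of the original thread and not a Jazz or Liberty tool: it parses an ldapUserRegistry.xml, reports a file that is not well-formed (typically a bare `&` in a filter attribute), flags userFilter/groupFilter values with unbalanced parentheses or without the `%v` placeholder, flags a missing or plaintext bindPassword (Liberty's securityUtility produces values prefixed `{xor}` or `{aes}`), and flags sslEnabled not being true. The XML samples are constructed inline; the host, baseDN and `{xor}PLACEHOLDER` values are placeholders, not real configuration.

```python
"""Pre-restart sanity check for a Liberty ldapUserRegistry.xml (added example)."""
import xml.etree.ElementTree as ET

# Liberty's per-server-type filter elements all carry the same two filter attributes.
FILTER_ELEMENTS = ("idsFilters", "activedFilters", "customFilters")
FILTER_ATTRS = ("userFilter", "groupFilter")


def filter_problems(name, value):
    """Return findings for one LDAP filter string: parenthesis balance and %v presence."""
    problems = []
    depth = 0
    for ch in value:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:  # a ')' closing nothing; the filter cannot be balanced
                break
    if depth != 0:
        problems.append(f"{name}: unbalanced parentheses in {value!r}")
    if "%v" not in value:
        problems.append(f"{name}: missing %v placeholder in {value!r}")
    return problems


def check_registry(xml_text):
    """Return a list of findings for every <ldapRegistry> in xml_text (empty list = clean)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A raw '&' in an attribute is the usual cause of this on LDAP filters.
        return [f"not well-formed XML: {exc} (inside attributes '&' must be written '&amp;')"]

    findings = []
    for reg in root.iter("ldapRegistry"):  # iter() includes root itself if it is the registry
        rid = reg.get("id", "?")
        pw = reg.get("bindPassword")
        if reg.get("bindDN") and not pw:
            findings.append(f"{rid}: bindDN is set but bindPassword is missing")
        elif pw and not pw.startswith(("{xor}", "{aes}")):
            findings.append(f"{rid}: bindPassword is plaintext; encode it with securityUtility")
        if reg.get("sslEnabled", "false").lower() != "true":
            findings.append(f"{rid}: sslEnabled is not true; bind credentials cross the wire in clear")
        for elem in FILTER_ELEMENTS:
            for filt in reg.findall(elem):
                for attr in FILTER_ATTRS:
                    value = filt.get(attr)
                    if value is not None:
                        findings.extend(filter_problems(f"{rid}/{elem}@{attr}", value))
    return findings


# Constructed sample: a clean registry (placeholder host, baseDN and encoded password).
SAMPLE_OK = """<server>
  <ldapRegistry id="ldap" realm="SampleLdapIDSRealm"
      host="ldap.example.invalid" port="636" ignoreCase="true"
      baseDN="o=example,c=us"
      bindDN="uid=jazzbind,o=example,c=us"
      bindPassword="{xor}PLACEHOLDER"
      ldapType="IBM Tivoli Directory Server"
      sslEnabled="true" sslRef="LDAPSSLSettings">
    <idsFilters userFilter="(&amp;(uid=%v)(objectclass=ePerson))"
        groupFilter="(&amp;(cn=%v)(objectclass=groupOfNames))"
        userIdMap="*:uid" groupIdMap="*:cn"
        groupMemberIdMap="groupOfNames:member"/>
  </ldapRegistry>
</server>"""

# Constructed sample with each mistake: plaintext password, no TLS,
# a userFilter missing a ')' and a groupFilter without %v.
SAMPLE_BAD = """<server>
  <ldapRegistry id="ldap" host="ldap.example.invalid" port="389"
      baseDN="o=example,c=us" bindDN="uid=jazzbind,o=example,c=us"
      bindPassword="secret" ldapType="IBM Tivoli Directory Server" sslEnabled="false">
    <idsFilters userFilter="(&amp;(uid=%v)(objectclass=ePerson)"
        groupFilter="(cn=admins)" userIdMap="*:uid" groupIdMap="*:cn"/>
  </ldapRegistry>
</server>"""

# Constructed sample with the raw '&' that makes the whole file unparseable.
SAMPLE_UNESCAPED = """<ldapRegistry id="ldap" host="ldap.example.invalid" baseDN="o=example,c=us">
  <idsFilters userFilter="(&(uid=%v)(objectclass=ePerson))" groupFilter="(cn=%v)"/>
</ldapRegistry>"""

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD), ("unescaped", SAMPLE_UNESCAPED)):
        print(label)
        for finding in check_registry(sample) or ["no findings"]:
            print("  -", finding)
```

Run it against the real file with `check_registry(open(path).read())` once the server's ldapUserRegistry.xml is in place; an empty list means the file is at least well-formed and free of the mistakes above, not that the filters match your directory schema, which only a bind test against the LDAP server can confirm.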
Comments
Could you translate our Tomcat server.xml Realm line to what we need to enter into the new ldapUserRegistry.xml?
Hello Christopher,
Have you succeeded in translating the Tomcat server.xml Realm line to ldapUserRegistry.xml?
In fact, I have the same problem ...
I would like to translate the roleBase attribute (on Tomcat) to Liberty, but I can't find the best method.
Without this configuration, my user can log on to Jazz, but no group or role is mapped to LDAP ...
Thanks for your feedback
Mathieu
Comments
Donald Nong
Feb 05 '16, 4:35 a.m.
Hi Christopher, have you been able to migrate the LDAP configuration from Tomcat to Liberty?