ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzahy_5.4.0.1/rzahyvldltoldapscenario.htm

115 lines
7.5 KiB
HTML
Raw Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="dc.language" scheme="rfc1766" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<meta name="dc.date" scheme="iso8601" content="2005-09-06" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow"/>
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<title>Directory Server (LDAP) - Scenario: Copy users from an HTTP server validation list to the Directory
Server</title>
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
<link rel="stylesheet" type="text/css" href="ic.css" />
</head>
<body>
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link -->
<script language = "Javascript" src = "../rzahg/synch.js" type="text/javascript"></script>
<img src="delta.gif" alt="Start of change" /><img src="delta.gif" alt="Start of change" /><img src="delta.gif" alt="Start of change" />
<a name="rzahyvldltoldapscenario"></a>
<h4 id="rzahyvldltoldapscenario">Scenario: Copy users from an HTTP server validation list to the Directory
Server</h4>
<p class="sectionscenariobar"><span class="bold">Situation and overview</span></p>
<p>You currently have an application running in the HTTP Server (powered by
Apache) using Internet users in the validation list MYLIB/HTTPVLDL. You would
like use these same Internet users with the WebSphere Application Server (WAS)
with LDAP authentication. To avoid duplicate maintenance of user information
in the validation list and LDAP, you will also configure the HTTP server application
to use LDAP authentication.</p>
<p>To accomplish this, these are the steps you need to take:</p>
<ol type="1">
<li>Copy the existing validation list users to the local directory server.</li>
<li>Configure the WAS server to use LDAP authentication.</li>
<li>Reconfigure the HTTP server to use LDAP authentication instead of the
validation list.</li></ol>
<p class="sectionscenariobar"><span class="bold">Step 1: Copy the existing validation
list users to the local directory server</span></p>
<p>It is assumed that the directory server has previously been configured
with the suffix "o=my company" and is running. LDAP users are to be stored
in the directory subtree "cn=users,o=my company". The directory server administrator
DN is "cn=administrator" and the administrator password is "secret".</p>
<p>Call the API from the command line as follows:</p>
<p><tt class="xph">CALL PGM(QSYS/QGLDCPYVL) PARM('HTTPVLDL MYLIB ' 'cn=administrator'
X'00000000' 'secret' X'00000000' 'cn=users,o=my company' X'00000000' '' X'00000000'
X'00000000')</tt></p>
<p>When completed, the directory server will contain inetorgperson entries
base on the validation list entries. For example, the validation list user:</p>
<pre class="xmp">User name: jsmith
Description: John Smith
Password: ******</pre>
<p>will result in the following directory entry:</p>
<pre class="xmp">dn: uid=jsmith,cn=users,o=my company
objectclass: top
objectclass: person
objectclass: organizationalperson
objectclass: inetorgperson
uid: jsmith
sn: jsmith
cn: jsmith
description: John Smith
userpassword: ******</pre>
<p>This entry can now be used to authenticate to the directory server. For
example, performing this QSH ldapsearch will read the root DSE entry of the
server:</p>
<pre class="xmp">> ldapsearch -D "uid=jsmith,cn=users,o=my company" -w ****** -s base "(objectclass=*)"</pre>
<p>Once created, you can edit the directory entries to contain further information.
For example, you might want to change the cn and sn values to reflect the
user's full name and last name, respectively, or add a telephone number and
e-mail address.</p>
<p class="sectionscenariobar"><span class="bold">Step 2: Configure the WAS
server to use LDAP authentication</span></p>
<p>The WAS LDAP security needs to be configured to look for entries under
the dn "cn=users,o=my company", using a search filter that maps the entered
user name to inetOrgPerson entries containing that uid attribute value. For
example, authenticating to WAS using the user name jsmith will result in a
search for entries matching the search filter "(uid=jsmith)". For more information,
see <a href="http://publib.boulder.ibm.com/was400/51/english/info/rzaiz/51/sec/seccldfi.htm">Configure LDAP search filters</a> in the Websphere
Application Server for iSeries Information Center.</p>
<p class="sectionscenariobar"><span class="bold">Reconfigure the HTTP server
to use LDAP authentication instead of the validation list</span></p>
<p></p>
<a name="wq102"></a>
<div class="notetitle" id="wq102">Note:</div>
<div class="notebody">The procedure described below is intended to help illustrate
the examples in this scenario by presenting a high-level overview of configuring
the HTTP server to use LDAP authentication. You may need more detailed information
found in the IBM Redbook <a href="http://www.redbooks.ibm.com/redbooks.nsf/0/219b250894a046e285256b11006da9d9?OpenDocument" target="_blank">Implementation
and Practical Use of LDAP on the IBM eServer iSeries Server</a>, SG24-6193
<img src="rbpdf.gif" alt="Link outside Information Center" /> Section 6.3.2 "Setting up LDAP authentication for the powered
by Apache server" as well as <a href="../rzaie/rzaieconfigpwdprotection.htm">Set up password protection
on HTTP Server (powered by Apache)</a>.</div>
<p></p>
<ol type="1">
<li>Click <span class="bold">Basic Authentication</span> on the <span class="bold">Configuration</span> tab for your HTTP server in the HTTP Administration tool.</li>
<li>Under <span class="bold">User authentication method</span>, change<span class="bold">Use Internet users in validation lists</span> to <span class="bold">Use user entries in LDAP server</span> and click <span class="bold">OK</span>.</li>
<li>Return to the <span class="bold">Configuration</span> tab and click <span class="bold">Control Access</span>. Configure this as described in
the Redbook linked to above and click <span class="bold">OK</span>.</li>
<li>On the <span class="bold">Configuration</span> tab click <span class="bold">LDAP Authentication</span>.
<ol type="a">
<li>Enter the LDAP server host name and port. For the <span class="bold">User search base DN</span>, enter <tt class="xph">cn=users,o=my company</tt>.</li>
<li>Under <span class="bold">Create a unique LDAP DN for user authentication</span>, enter the filter <tt class="xph">(&amp;objectclass=person)(uid=%v1))</tt>.</li>
<li>Enter group information and click <span class="bold">OK</span>.</li></ol></li>
<li>Configure the connection to the LDAP server as described in the Redbook
linked to above.</li></ol><img src="deltaend.gif" alt="End of change" /><img src="deltaend.gif" alt="End of change" /><img src="deltaend.gif" alt="End of change" />
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
</body>
</html>