115 lines
7.5 KiB
HTML
115 lines
7.5 KiB
HTML
|
<?xml version="1.0" encoding="utf-8"?>
|
||
|
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
|
||
|
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
||
|
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
|
||
|
<head>
|
||
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
||
|
<meta name="dc.language" scheme="rfc1766" content="en-us" />
|
||
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
||
|
<!-- US Government Users Restricted Rights -->
|
||
|
<!-- Use, duplication or disclosure restricted by -->
|
||
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
||
|
<meta name="dc.date" scheme="iso8601" content="2005-09-06" />
|
||
|
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
|
||
|
<meta name="security" content="public" />
|
||
|
<meta name="Robots" content="index,follow"/>
|
||
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
||
|
<title>Directory Server (LDAP) - Scenario: Copy users from an HTTP server validation list to the Directory
|
||
|
Server</title>
|
||
|
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
|
||
|
<link rel="stylesheet" type="text/css" href="ic.css" />
|
||
|
</head>
|
||
|
<body>
|
||
|
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link -->
|
||
|
<script language = "Javascript" src = "../rzahg/synch.js" type="text/javascript"></script>
|
||
|
|
||
|
<img src="delta.gif" alt="Start of change" /><img src="delta.gif" alt="Start of change" /><img src="delta.gif" alt="Start of change" />
|
||
|
<a name="rzahyvldltoldapscenario"></a>
|
||
|
<h4 id="rzahyvldltoldapscenario">Scenario: Copy users from an HTTP server validation list to the Directory
|
||
|
Server</h4>
|
||
|
<p class="sectionscenariobar"><span class="bold">Situation and overview</span></p>
|
||
|
<p>You currently have an application running in the HTTP Server (powered by
|
||
|
Apache) using Internet users in the validation list MYLIB/HTTPVLDL. You would
|
||
|
like use these same Internet users with the WebSphere Application Server (WAS)
|
||
|
with LDAP authentication. To avoid duplicate maintenance of user information
|
||
|
in the validation list and LDAP, you will also configure the HTTP server application
|
||
|
to use LDAP authentication.</p>
|
||
|
<p>To accomplish this, these are the steps you need to take:</p>
|
||
|
<ol type="1">
|
||
|
<li>Copy the existing validation list users to the local directory server.</li>
|
||
|
<li>Configure the WAS server to use LDAP authentication.</li>
|
||
|
<li>Reconfigure the HTTP server to use LDAP authentication instead of the
|
||
|
validation list.</li></ol>
|
||
|
<p class="sectionscenariobar"><span class="bold">Step 1: Copy the existing validation
|
||
|
list users to the local directory server</span></p>
|
||
|
<p>It is assumed that the directory server has previously been configured
|
||
|
with the suffix "o=my company" and is running. LDAP users are to be stored
|
||
|
in the directory subtree "cn=users,o=my company". The directory server administrator
|
||
|
DN is "cn=administrator" and the administrator password is "secret".</p>
|
||
|
<p>Call the API from the command line as follows:</p>
|
||
|
<p><tt class="xph">CALL PGM(QSYS/QGLDCPYVL) PARM('HTTPVLDL MYLIB ' 'cn=administrator'
|
||
|
X'00000000' 'secret' X'00000000' 'cn=users,o=my company' X'00000000' '' X'00000000'
|
||
|
X'00000000')</tt></p>
|
||
|
<p>When completed, the directory server will contain inetorgperson entries
|
||
|
base on the validation list entries. For example, the validation list user:</p>
|
||
|
<pre class="xmp">User name: jsmith
|
||
|
Description: John Smith
|
||
|
Password: ******</pre>
|
||
|
<p>will result in the following directory entry:</p>
|
||
|
<pre class="xmp">dn: uid=jsmith,cn=users,o=my company
|
||
|
objectclass: top
|
||
|
objectclass: person
|
||
|
objectclass: organizationalperson
|
||
|
objectclass: inetorgperson
|
||
|
uid: jsmith
|
||
|
sn: jsmith
|
||
|
cn: jsmith
|
||
|
description: John Smith
|
||
|
userpassword: ******</pre>
|
||
|
<p>This entry can now be used to authenticate to the directory server. For
|
||
|
example, performing this QSH ldapsearch will read the root DSE entry of the
|
||
|
server:</p>
|
||
|
<pre class="xmp">> ldapsearch -D "uid=jsmith,cn=users,o=my company" -w ****** -s base "(objectclass=*)"</pre>
|
||
|
<p>Once created, you can edit the directory entries to contain further information.
|
||
|
For example, you might want to change the cn and sn values to reflect the
|
||
|
user's full name and last name, respectively, or add a telephone number and
|
||
|
e-mail address.</p>
|
||
|
<p class="sectionscenariobar"><span class="bold">Step 2: Configure the WAS
|
||
|
server to use LDAP authentication</span></p>
|
||
|
<p>The WAS LDAP security needs to be configured to look for entries under
|
||
|
the dn "cn=users,o=my company", using a search filter that maps the entered
|
||
|
user name to inetOrgPerson entries containing that uid attribute value. For
|
||
|
example, authenticating to WAS using the user name jsmith will result in a
|
||
|
search for entries matching the search filter "(uid=jsmith)". For more information,
|
||
|
see <a href="http://publib.boulder.ibm.com/was400/51/english/info/rzaiz/51/sec/seccldfi.htm">Configure LDAP search filters</a> in the Websphere
|
||
|
Application Server for iSeries Information Center.</p>
|
||
|
<p class="sectionscenariobar"><span class="bold">Reconfigure the HTTP server
|
||
|
to use LDAP authentication instead of the validation list</span></p>
|
||
|
<p></p>
|
||
|
<a name="wq102"></a>
|
||
|
<div class="notetitle" id="wq102">Note:</div>
|
||
|
<div class="notebody">The procedure described below is intended to help illustrate
|
||
|
the examples in this scenario by presenting a high-level overview of configuring
|
||
|
the HTTP server to use LDAP authentication. You may need more detailed information
|
||
|
found in the IBM Redbook <a href="http://www.redbooks.ibm.com/redbooks.nsf/0/219b250894a046e285256b11006da9d9?OpenDocument" target="_blank">Implementation
|
||
|
and Practical Use of LDAP on the IBM eServer iSeries Server</a>, SG24-6193
|
||
|
<img src="rbpdf.gif" alt="Link outside Information Center" /> Section 6.3.2 "Setting up LDAP authentication for the powered
|
||
|
by Apache server" as well as <a href="../rzaie/rzaieconfigpwdprotection.htm">Set up password protection
|
||
|
on HTTP Server (powered by Apache)</a>.</div>
|
||
|
<p></p>
|
||
|
<ol type="1">
|
||
|
<li>Click <span class="bold">Basic Authentication</span> on the <span class="bold">Configuration</span> tab for your HTTP server in the HTTP Administration tool.</li>
|
||
|
<li>Under <span class="bold">User authentication method</span>, change<span class="bold">Use Internet users in validation lists</span> to <span class="bold">Use user entries in LDAP server</span> and click <span class="bold">OK</span>.</li>
|
||
|
<li>Return to the <span class="bold">Configuration</span> tab and click <span class="bold">Control Access</span>. Configure this as described in
|
||
|
the Redbook linked to above and click <span class="bold">OK</span>.</li>
|
||
|
<li>On the <span class="bold">Configuration</span> tab click <span class="bold">LDAP Authentication</span>.
|
||
|
<ol type="a">
|
||
|
<li>Enter the LDAP server host name and port. For the <span class="bold">User search base DN</span>, enter <tt class="xph">cn=users,o=my company</tt>.</li>
|
||
|
<li>Under <span class="bold">Create a unique LDAP DN for user authentication</span>, enter the filter <tt class="xph">(&objectclass=person)(uid=%v1))</tt>.</li>
|
||
|
<li>Enter group information and click <span class="bold">OK</span>.</li></ol></li>
|
||
|
<li>Configure the connection to the LDAP server as described in the Redbook
|
||
|
linked to above.</li></ol><img src="deltaend.gif" alt="End of change" /><img src="deltaend.gif" alt="End of change" /><img src="deltaend.gif" alt="End of change" />
|
||
|
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
|
||
|
</body>
|
||
|
</html>
|