ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamy_5.4.0.1/50/sec/seccltpa.htm

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">

<title>Adding users to the LDAP user registry</title>
</head>

<BODY>
<!-- Java sync-link -->
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>

<h6><a name="seccltpa"></a>Adding users to the LDAP user registry</h6>

<p>You can use the Lightweight Directory Access Protocol (LDAP) directory services on the iSeries server to store user registry information. Therefore, it is necessary to add into the LDAP directory the users that you want to authorize to WebSphere resources.</p>

<p>You can use a variety of ways to add users, but the easiest is to create an LDAP Data Interchange Format (LDIF) file. The file contains the set of users to be added into the directory. The file is used by LDAP utilities, such as ldapModify. These utilities can be run from i5/OS or from a workstation. If you run these LDAP utilities from the i5/OS, your LDIF must reside in the iSeries integrated file system.</p>

<p><strong>Note:</strong> This information is specific to the iSeries Directory Services product.</p>

<p>Perform the following steps:</p>

<ol>
<li><p>Create an LDIF file. Use the iSeries Edit File (EDTF) utility, or you can use your workstation text editor to create the file and save it in the iSeries integrated file system either through a mapped (mounted) drive or by using file transfer protocol (FTP).</p>

<p>For WebSphere Application Server - Express and iSeries LDAP directory services, create entries in the directory that correspond to the ePerson schema definition.</p>

<p>A simple ePerson LDIF entry resembles the following example:</p>
<pre>  dn: cn=John Doe, ou=Rochester, o=IBM, c=US
  objectclass: person
  objectclass: inetOrgPerson
  objectclass: top
  objectclass: organizationalPerson
  objectclass: ePerson
  cn: John Doe
  sn: Doe
  uid: jdoe
  userpassword: secretpass</pre>
  
<p>This LDIF entry defines an ePerson for user John Doe. John's user identification (uid) has been set to <tt>jdoe</tt> and his password to <tt>secretpass</tt>. This entry resides within the Rochester organizational unit, in the IBM organization in the United States. Each of the containing entries (<tt>ou</tt>, <tt>o</tt> and <tt>c</tt>) were previously defined before this ePerson entry was defined. You may define a series of LDIF entries in the same file to define LTPA users for WebSphere Application Server - Express.</p>

<p>If you do not specify a value for the <strong>userpassword</strong> attribute, the i5/OS LDAP server attempts to authenticate LTPA users with the local i5/OS user profile that is identified by the the <strong>uid</strong> attribute value. This action may be desirable if users have i5/OS user profiles and do not want to manage passwords in both the i5/OS user registry and the LDAP directory.</p>

<p>When you create an ePerson entry, make sure that the <strong>cn</strong> and <strong>uid</strong> attributes each have a unique value. That is, you should not create two entries that have the same value for the <strong>cn</strong> and <strong>uid</strong> attributes.</p>

<p><strong>Note:</strong> If you have a large user registry, login performance may be severely impacted if the Group Member ID Map property is left at its default value, which is both <tt>groupOfNames:member</tt> and <tt>groupOfUniqueNames:uniqueMember</tt>.</p>

<p>To address this performance problem, specify one of these object classes--not both. You must then exclusively use the selected object class to implement groups in the user registry.</p></li>

<li><p>Import the LDIF file entries into your directory on the iSeries server. Use then LDAP <tt>ldapadd</tt> utility in Qshell Interpreter (QSH) or from a workstation.</p>

<p>For more information on importing LDIF entries, see the Directory Services documentation in the iSeries Information Center:</p>
    <ul>
	<li><a href="../../../rzahy/rzahyrzahywelpo.htm">For V5R4</a></li>
    <li><a href="../../../icbase/rzahy/v5r3rzahyrzahywelpo.htm" target="_blank">For V5R3</a></li>
    <li><a href="../../../icbase/rzahy/v5r2rzahyrzahywelpo.htm" target="_blank">For V5R2</a></li>
    </ul></li>
</ol>

</body>
</html>
Add readme and dist folders 2024-04-02 14:02:31 +00:00			`<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">`
			`<html>`
			`<head>`
			`<META http-equiv="Content-Type" content="text/html; charset=utf-8">`
			`<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">`

			`<title>Adding users to the LDAP user registry</title>`
			`</head>`

			`<BODY>`
			`<!-- Java sync-link -->`
			`<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>`

			`<h6><a name="seccltpa"></a>Adding users to the LDAP user registry</h6>`

			`<p>You can use the Lightweight Directory Access Protocol (LDAP) directory services on the iSeries server to store user registry information. Therefore, it is necessary to add into the LDAP directory the users that you want to authorize to WebSphere resources.</p>`

			`<p>You can use a variety of ways to add users, but the easiest is to create an LDAP Data Interchange Format (LDIF) file. The file contains the set of users to be added into the directory. The file is used by LDAP utilities, such as ldapModify. These utilities can be run from i5/OS or from a workstation. If you run these LDAP utilities from the i5/OS, your LDIF must reside in the iSeries integrated file system.</p>`

			`<p><strong>Note:</strong> This information is specific to the iSeries Directory Services product.</p>`

			`<p>Perform the following steps:</p>`

			`<ol>`
			`<li><p>Create an LDIF file. Use the iSeries Edit File (EDTF) utility, or you can use your workstation text editor to create the file and save it in the iSeries integrated file system either through a mapped (mounted) drive or by using file transfer protocol (FTP).</p>`

			`<p>For WebSphere Application Server - Express and iSeries LDAP directory services, create entries in the directory that correspond to the ePerson schema definition.</p>`

			`<p>A simple ePerson LDIF entry resembles the following example:</p>`
			`<pre> dn: cn=John Doe, ou=Rochester, o=IBM, c=US`
			`objectclass: person`
			`objectclass: inetOrgPerson`
			`objectclass: top`
			`objectclass: organizationalPerson`
			`objectclass: ePerson`
			`cn: John Doe`
			`sn: Doe`
			`uid: jdoe`
			`userpassword: secretpass</pre>`

			<p>This LDIF entry defines an ePerson for user John Doe. John's user identification (uid) has been set to <tt>jdoe</tt> and his password to <tt>secretpass</tt>. This entry resides within the Rochester organizational unit, in the IBM organization in the United States. Each of the containing entries (<tt>ou</tt>, <tt>o</tt> and <tt>c</tt>) were previously defined before this ePerson entry was defined. You may define a series of LDIF entries in the same file to define LTPA users for WebSphere Application Server - Express.</p>

			`<p>If you do not specify a value for the <strong>userpassword</strong> attribute, the i5/OS LDAP server attempts to authenticate LTPA users with the local i5/OS user profile that is identified by the the <strong>uid</strong> attribute value. This action may be desirable if users have i5/OS user profiles and do not want to manage passwords in both the i5/OS user registry and the LDAP directory.</p>`

			`<p>When you create an ePerson entry, make sure that the <strong>cn</strong> and <strong>uid</strong> attributes each have a unique value. That is, you should not create two entries that have the same value for the <strong>cn</strong> and <strong>uid</strong> attributes.</p>`

			`<p><strong>Note:</strong> If you have a large user registry, login performance may be severely impacted if the Group Member ID Map property is left at its default value, which is both <tt>groupOfNames:member</tt> and <tt>groupOfUniqueNames:uniqueMember</tt>.</p>`

			`<p>To address this performance problem, specify one of these object classes--not both. You must then exclusively use the selected object class to implement groups in the user registry.</p></li>`

			`<li><p>Import the LDIF file entries into your directory on the iSeries server. Use then LDAP <tt>ldapadd</tt> utility in Qshell Interpreter (QSH) or from a workstation.</p>`

			`<p>For more information on importing LDIF entries, see the Directory Services documentation in the iSeries Information Center:</p>`
			`<ul>`
			`<li><a href="../../../rzahy/rzahyrzahywelpo.htm">For V5R4</a></li>`
			`<li><a href="../../../icbase/rzahy/v5r3rzahyrzahywelpo.htm" target="_blank">For V5R3</a></li>`
			`<li><a href="../../../icbase/rzahy/v5r2rzahyrzahywelpo.htm" target="_blank">For V5R2</a></li>`
			`</ul></li>`
			`</ol>`

			`</body>`
			`</html>`