
Scenario: Copy users from an HTTP server validation list to the Directory Server

Situation and overview

You currently have an application running in the HTTP Server (powered by Apache) using Internet users in the validation list MYLIB/HTTPVLDL. You would like to use these same Internet users with the WebSphere Application Server (WAS) with LDAP authentication. To avoid duplicate maintenance of user information in the validation list and LDAP, you will also configure the HTTP server application to use LDAP authentication.

To accomplish this, these are the steps you need to take:

  1. Copy the existing validation list users to the local directory server.
  2. Configure the WAS server to use LDAP authentication.
  3. Reconfigure the HTTP server to use LDAP authentication instead of the validation list.

Step 1: Copy the existing validation list users to the local directory server

It is assumed that the directory server has previously been configured with the suffix "o=my company" and is running. LDAP users are to be stored in the directory subtree "cn=users,o=my company". The directory server administrator DN is "cn=administrator" and the administrator password is "secret".

Call the API from the command line as follows:

CALL PGM(QSYS/QGLDCPYVL) PARM('HTTPVLDL MYLIB ' 'cn=administrator' X'00000000' 'secret' X'00000000' 'cn=users,o=my company' X'00000000' '' X'00000000' X'00000000')

When completed, the directory server will contain inetorgperson entries based on the validation list entries. For example, the validation list user:

User name:	jsmith
Description:	John Smith
Password:	******

will result in the following directory entry:

dn: uid=jsmith,cn=users,o=my company
objectclass: top
objectclass: person
objectclass: organizationalperson
objectclass: inetorgperson
uid: jsmith
sn: jsmith
cn: jsmith
description: John Smith
userpassword: ******

This entry can now be used to authenticate to the directory server. For example, performing this QSH ldapsearch will read the root DSE entry of the server:

> ldapsearch -D "uid=jsmith,cn=users,o=my company" -w ****** -s base "(objectclass=*)"

Once created, you can edit the directory entries to contain further information. For example, you might want to change the cn and sn values to reflect the user's full name and last name, respectively, or add a telephone number and e-mail address.

Step 2: Configure the WAS server to use LDAP authentication

The WAS LDAP security needs to be configured to look for entries under the DN "cn=users,o=my company", using a search filter that maps the entered user name to inetOrgPerson entries containing that uid attribute value. For example, authenticating to WAS using the user name jsmith will result in a search for entries matching the search filter "(uid=jsmith)". For more information, see Configure LDAP search filters in the WebSphere Application Server for iSeries Information Center.
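The following added example (not IBM code, and not what QGLDCPYVL itself executes) shows the two mappings this scenario relies on: building the inetorgperson entry of Step 1 from a validation list user, and building the uid search filter of Step 2 with the value escaped so that a user name containing filter metacharacters cannot alter the filter. The validation list entries and the password value are constructed placeholders; the real API copies the stored credential itself.

```python
import base64

# Constructed sample validation list entries: (user name, description, password).
# The password is a placeholder; QGLDCPYVL copies the real credential, this code
# only carries the value through unchanged to show the entry layout.
VALIDATION_LIST = [
    ("jsmith", "John Smith", "PLACEHOLDER-PASSWORD"),
    ("mmüller", "Maria Müller", "PLACEHOLDER-PASSWORD"),
]
USERS_BASE = "cn=users,o=my company"  # subtree used in the scenario


def ldif_line(attr: str, value: str) -> str:
    """Emit one LDIF attribute line, base64-encoding values RFC 2849 treats as unsafe."""
    safe = (value.isascii() and value == value.strip(" ")
            and value[:1] not in (":", "<") and "\n" not in value)
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def entry_for(user: str, description: str, password: str) -> str:
    """Build the inetorgperson entry the scenario shows for one validation list user."""
    lines = [ldif_line("dn", f"uid={user},{USERS_BASE}")]
    for oc in ("top", "person", "organizationalperson", "inetorgperson"):
        lines.append(f"objectclass: {oc}")
    # As in the scenario, sn and cn start out equal to the user name.
    for attr, val in (("uid", user), ("sn", user), ("cn", user),
                      ("description", description), ("userpassword", password)):
        lines.append(ldif_line(attr, val))
    return "\n".join(lines) + "\n"


def ldif_for(entries) -> str:
    """Whole LDIF output for a list of (user, description, password) tuples."""
    return "\n".join(entry_for(*e) for e in entries)


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter assertion (RFC 4515)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def user_search_filter(entered_name: str) -> str:
    """Filter equivalent to (&(objectclass=person)(uid=%v1)) with %v1 escaped."""
    return f"(&(objectclass=person)(uid={escape_filter_value(entered_name)}))"
```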

Step 3: Reconfigure the HTTP server to use LDAP authentication instead of the validation list

Note:
The procedure described below is intended to help illustrate the examples in this scenario by presenting a high-level overview of configuring the HTTP server to use LDAP authentication. You may need more detailed information found in the IBM Redbook Implementation and Practical Use of LDAP on the IBM eServer iSeries Server, SG24-6193, Section 6.3.2 "Setting up LDAP authentication for the powered by Apache server", as well as Set up password protection on HTTP Server (powered by Apache).

  1. Click Basic Authentication on the Configuration tab for your HTTP server in the HTTP Administration tool.
  2. Under User authentication method, change Use Internet users in validation lists to Use user entries in LDAP server and click OK.
  3. Return to the Configuration tab and click Control Access. Configure this as described in the Redbook linked to above and click OK.
  4. On the Configuration tab click LDAP Authentication.
    1. Enter the LDAP server host name and port. For the User search base DN, enter cn=users,o=my company.
    2. Under Create a unique LDAP DN for user authentication, enter the filter (&(objectclass=person)(uid=%v1)).
    3. Enter group information and click OK.
  5. Configure the connection to the LDAP server as described in the Redbook linked to above.