Adding users to the LDAP user registry

You can use the Lightweight Directory Access Protocol (LDAP) directory services on the iSeries server to store user registry information. To do so, you must add to the LDAP directory the users that you want to authorize to use WebSphere resources.

You can use a variety of ways to add users, but the easiest is to create an LDAP Data Interchange Format (LDIF) file. The file contains the set of users to be added to the directory and is read by LDAP utilities such as ldapModify. These utilities can be run from i5/OS or from a workstation. If you run these LDAP utilities from i5/OS, your LDIF file must reside in the iSeries integrated file system.

Note: This information is specific to the iSeries Directory Services product.

Perform the following steps:

  1. Create an LDIF file. Use the iSeries Edit File (EDTF) utility, or you can use your workstation text editor to create the file and save it in the iSeries integrated file system either through a mapped (mounted) drive or by using file transfer protocol (FTP).

    For WebSphere Application Server - Express and iSeries LDAP directory services, create entries in the directory that correspond to the ePerson schema definition.

    A simple ePerson LDIF entry resembles the following example:

      dn: cn=John Doe, ou=Rochester, o=IBM, c=US
      objectclass: person
      objectclass: inetOrgPerson
      objectclass: top
      objectclass: organizationalPerson
      objectclass: ePerson
      cn: John Doe
      sn: Doe
      uid: jdoe
      userpassword: secretpass

    This LDIF entry defines an ePerson for user John Doe. John's user identification (uid) has been set to jdoe and his password to secretpass. This entry resides within the Rochester organizational unit, in the IBM organization in the United States. Each of the containing entries (ou, o, and c) must already have been defined before this ePerson entry is defined. You may define a series of LDIF entries in the same file to define LTPA users for WebSphere Application Server - Express.

    If you do not specify a value for the userpassword attribute, the i5/OS LDAP server attempts to authenticate LTPA users with the local i5/OS user profile that is identified by the uid attribute value. This behavior may be desirable if users have i5/OS user profiles and you do not want to manage passwords in both the i5/OS user registry and the LDAP directory.

    When you create an ePerson entry, make sure that the cn and uid attributes each have a unique value. That is, you should not create two entries that have the same value for the cn and uid attributes.

    Note: If you have a large user registry, login performance may be severely impacted if the Group Member ID Map property is left at its default value, which is both groupOfNames:member and groupOfUniqueNames:uniqueMember.

    To address this performance problem, specify one of these object classes, not both. You must then exclusively use the selected object class to implement groups in the user registry.

  2. Import the LDIF file entries into your directory on the iSeries server. Use the LDAP ldapadd utility in the Qshell Interpreter (QSH) or from a workstation.

    For more information on importing LDIF entries, see the Directory Services documentation in the iSeries Information Center:
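Before running ldapadd in step 2, it is worth checking the LDIF from step 1 against the rules given above: every ePerson entry's container (ou, o, c) must already be defined, cn and uid must each be unique, and an entry without userpassword will be authenticated against the i5/OS user profile named by its uid. The following is an added example, not code from the page or from the Directory Services product; the LDIF it checks is constructed, and the `preexisting` list of containers assumed to be in the directory already is an assumption.

```python
import re

# Constructed sample LDIF (not from the page): John is a complete ePerson;
# Jane reuses his uid, omits userpassword, and sits under an undefined ou.
SAMPLE_LDIF = """\
dn: cn=John Doe, ou=Rochester, o=IBM, c=US
objectclass: ePerson
cn: John Doe
sn: Doe
uid: jdoe
userpassword: secretpass

dn: cn=Jane Roe, ou=Boston, o=IBM, c=US
objectclass: ePerson
cn: Jane Roe
sn: Roe
uid: JDOE
"""

def norm_dn(dn):  # canonical form for comparing DNs: lower-case, no space after commas
    return ",".join(p.strip() for p in dn.lower().split(","))

def parse_ldif(text):
    """Split LDIF into (dn, {attr: [values]}) pairs; attribute names lower-cased."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries.append((attrs.pop("dn")[0], attrs))
    return entries

def check_ldif(text, preexisting=("ou=Rochester, o=IBM, c=US",)):
    """Apply the page's rules to every ePerson entry; returns (finding, dn) pairs."""
    known = {norm_dn(d) for d in preexisting}  # containers assumed to exist already
    seen, findings = {"cn": set(), "uid": set()}, []
    for dn, attrs in parse_ldif(text):
        parent = norm_dn(dn.partition(",")[2])
        if parent and parent not in known:       # containing ou/o/c must be defined first
            findings.append(("parent-missing", dn))
        known.add(norm_dn(dn))
        if "eperson" not in {c.lower() for c in attrs.get("objectclass", [])}:
            continue
        for attr in ("cn", "uid"):               # cn and uid must each be unique
            for value in (v.lower() for v in attrs.get(attr, [])):
                if value in seen[attr]:
                    findings.append((f"duplicate-{attr}", dn))
                seen[attr].add(value)
        if "userpassword" not in attrs:          # server falls back to the i5/OS profile named by uid
            findings.append(("no-userpassword", dn))
    return findings
```

Run `check_ldif(open(path).read())` on your own file; an empty result means the file satisfies the three checks, and each finding names the offending dn.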