WPS: Authenticating Users - Configuring a Federated LDAP

Here we configure the federated repository to query an LDAP directory that stores the user account information.

'''Note 1:''' Make sure the server1 and WebSphere_Portal servers are running before starting this task.

'''Note 2:''' See the examples in /opt/IBM/WebSphere/wp_profile/ConfigEngine/config/helpers

We follow the procedure in

http://publib.boulder.ibm.com/infocenter/wcmdoc/v6r0/topic/com.ibm.lotus.wcm.doc/install/stdaln_linux_add_ldap_ureg.html

Steps:

1. Back up the configuration files
Go to the directory

/opt/IBM/WebSphere/wp_profile/ConfigEngine/properties

make a backup of the wkplc.properties and wkplc_comp.properties files

cp wkplc.properties wkplc.properties_antesLDAP
cp wkplc_comp.properties wkplc_comp.properties_antesLDAP

2. Settings in the wkplc.properties file
Edit the wkplc.properties file and set the following:

In the "VMM Federated LDAP Properties" section
federated.ldap.id=ldap1EmpresaX
federated.ldap.host=ldapserver.empresax.com.br
federated.ldap.port=389
federated.ldap.bindDN=cn=wpsbind,o=empresax
federated.ldap.bindPassword=ReplaceWithYourPwd
federated.ldap.ldapServerType=DOMINO7
federated.ldap.baseDN=o=empresax
 * 1) The id specifies a unique identifier for the repository within the cell
 * 2) Characters that are not allowed in normal XML strings ( &  <   >  "   '   ) cannot be used in the repository ID.
 * 1) Specifies the host name of the primary LDAP server. This host name is either an IP address or a domain name service (DNS) name.
 * 1) Specifies the LDAP server port.
 * 1) Specifies the distinguished name for the application server to use when binding to the LDAP repository.
 * 1) Specifies the password for the application server to use when binding to the LDAP repository.
 * 1) Specifies the type of LDAP server to which you connect
 * 2) This must be one of the following values: SECUREWAY,IDS4,IDS51,IDS52,IDS6,ZOSDS,DOMINO5,DOMINO6,DOMINO65,DOMINO7,NDS,SUNONE,AD2000,AD2003,ADAM,CUSTOM
 * 1) The LDAP base entry.

In the "LDAP entity types" section - "Entity type Group" item
federated.ldap.et.group.searchFilter=
federated.ldap.et.group.objectClasses=dominoGroup
federated.ldap.et.group.objectClassesForCreate=
federated.ldap.et.group.searchBases=
 * 1) Entity type Group
 * 1) The search filter that you want to use to search the entity type.
 * 2) VMM uses this filter as an addition during search requests in your environment
 * 3) The syntax is like a standard LDAP searchfilter like (objectclass=dominoGroup)
 * 4) In general this value can be left blank
 * 1) One or more object classes for the entity type.
 * 1) The object class to use when an entity type is created. If the value of this parameter is the same as the objectClass parameter, you do not need to specify this parameter.
 * 1) The search base or bases to use while searching the entity type.

In the "LDAP entity types" section - "Entity type PersonAccount" item
federated.ldap.et.personaccount.searchFilter=
federated.ldap.et.personaccount.objectClasses=dominoPerson
federated.ldap.et.personaccount.objectClassesForCreate=
federated.ldap.et.personaccount.searchBases=
 * 1) Entity type PersonAccount
 * 1) The search filter that you want to use to search the entity type.
 * 2) VMM uses this filter as an addition during search requests in your environment
 * 3) The syntax is like a standard LDAP searchfilter like (objectclass=dominoPerson)
 * 4) In general this value can be left blank
 * 1) One or more object classes for the entity type.
 * 1) The object class to use when an entity type is created. If the value of this parameter is the same as the objectClass parameter, you do not need to specify this parameter.
 * 1) The search base or bases to use while searching the entity type.

In the "Group member attributes" section
federated.ldap.gm.groupMemberName=member
federated.ldap.gm.objectClass=dominoGroup
federated.ldap.gm.scope=direct
federated.ldap.gm.dummyMember=uid=dummy
 * 1) The name of the LDAP attribute that is used as the group member attribute. For example, member or uniqueMember.
 * 1) The group object class that contains the member attribute. For example, groupOfNames or groupOfUniqueNames.
 * 2) If you do not define this parameter, the member attribute applies to all group object classes.
 * 1) The scope of the member attribute. The valid values for this parameter include the following:
 * 2) direct - The member attribute only contains direct members.
 * 3) nested - The member attribute that contains the direct members and the nested members.
 * 1) If you create a group without specifying a member, a dummy member will be filled in to avoid creating an exception about missing a mandatory attribute.

Save and close the file.
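Before running the ConfigEngine validation task, it is worth checking the values typed into wkplc.properties against the rules quoted in the helper comments above. The script below is an added example, not part of this page's procedure or of IBM's tooling: it parses the .properties format and flags a repository ID with XML-forbidden characters, an unsupported ldapServerType, an invalid gm.scope, missing mandatory keys, and a bind password still set to a placeholder (the placeholder list is my assumption).

```python
"""Added example: sanity-check the wkplc.properties LDAP settings described above."""

# Allowed server types and forbidden ID characters come from the helper-file comments above.
LDAP_SERVER_TYPES = {"SECUREWAY", "IDS4", "IDS51", "IDS52", "IDS6", "ZOSDS", "DOMINO5",
                     "DOMINO6", "DOMINO65", "DOMINO7", "NDS", "SUNONE", "AD2000",
                     "AD2003", "ADAM", "CUSTOM"}
XML_FORBIDDEN = set('&<>"\'')
PLACEHOLDER_PASSWORDS = {"", "ReplaceWithYourPwd", "password"}  # assumed placeholder list

def parse_properties(text):
    """Parse Java .properties text (key=value, '#' or '!' comment lines) into a dict."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def validate_federated_ldap(props):
    """Return the list of problems found; an empty list means the settings pass."""
    get = lambda key: props.get(key, "")
    problems = []
    if not get("federated.ldap.id") or XML_FORBIDDEN & set(get("federated.ldap.id")):
        problems.append("federated.ldap.id must be set and must not contain & < > \" '")
    if "=" not in get("federated.ldap.bindDN"):
        problems.append("federated.ldap.bindDN must be a distinguished name such as cn=...")
    if get("federated.ldap.bindPassword") in PLACEHOLDER_PASSWORDS:
        problems.append("federated.ldap.bindPassword is still a placeholder")
    if get("federated.ldap.ldapServerType") not in LDAP_SERVER_TYPES:
        problems.append("federated.ldap.ldapServerType is not a supported server type")
    for key in ("federated.ldap.host", "federated.ldap.baseDN",
                "federated.ldap.et.group.objectClasses",
                "federated.ldap.et.personaccount.objectClasses"):
        if not get(key):
            problems.append(f"{key} is required")
    if get("federated.ldap.gm.scope") not in ("direct", "nested"):
        problems.append("federated.ldap.gm.scope must be 'direct' or 'nested'")
    return problems

# Constructed sample mirroring this page's values; the bind password is deliberately unset.
SAMPLE = """federated.ldap.id=ldap1EmpresaX
federated.ldap.host=ldapserver.empresax.com.br
federated.ldap.bindDN=cn=wpsbind,o=empresax
federated.ldap.bindPassword=ReplaceWithYourPwd
federated.ldap.ldapServerType=DOMINO7
federated.ldap.baseDN=o=empresax
federated.ldap.et.group.objectClasses=dominoGroup
federated.ldap.et.personaccount.objectClasses=dominoPerson
federated.ldap.gm.scope=direct"""
```

Run `validate_federated_ldap(parse_properties(open(path).read()))` against the real file; the sample above yields exactly one problem, the placeholder password.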

3. Settings in the wkplc_comp.properties file
Edit the wkplc_comp.properties file and set the following:

WcmContentAuthorsGroupId=cn=wcmContentAuthors
WcmContentAuthorsGroupCN=contentAuthors
 * 1) WcmContentAuthorsGroupId: The group ID for the WCM Administrator group
 * 2) DEV (No security):  WcmContentAuthorsGroupId= ,o=default organization
 * 3) See LDAP examples below:
 * 4) IBM Directory Server: { cn= ,cn=groups,dc=yourco,dc=com }
 * 5) Domino:               { cn= }
 * 6) Active Directory:     { cn= ,cn=groups,dc=yourco,dc=com }
 * 7) Active Directory AM:  { cn= ,cn=groups,dc=yourco,dc=com }
 * 8) SunOne:               { cn= ,ou=groups,o=yourco.com }
 * 9) Novell eDirectory     { cn= ,ou=groups,o=yourco.com }
 * 1) WcmAdminGroupCN: The WCM admin group ID

Save and close the file.

4. Validating the configuration
Go to the directory

/opt/IBM/WebSphere/wp_profile/ConfigEngine

and run the following command


 * 1) ./ConfigEngine.sh validate-federated-ldap -DWasPassword=

If at the end of the process you see

BUILD SUCCESSFUL Total time: NN seconds

the configuration completed correctly.

5. Applying the configuration
Go to the directory

/opt/IBM/WebSphere/wp_profile/ConfigEngine

and run the following command


 * 1) ./ConfigEngine.sh wp-create-ldap -DWasPassword=

If at the end of the process you see

BUILD SUCCESSFUL Total time: NN minutes and NN seconds

the configuration completed correctly.

6. Stop and restart the servers
Go to the directory

cd /opt/IBM/WebSphere/AppServer/bin

and run the following commands:


 * 1)  ./stopServer.sh WebSphere_Portal -user wpsadmin -password was_admin_password

wait ...


 * 1)  ./stopServer.sh server1 -user wpsadmin -password was_admin_password

wait ...


 * 1)  ./startServer.sh server1 -user wpsadmin -password was_admin_password

wait ...


 * 1)  ./startServer.sh WebSphere_Portal -user wpsadmin -password was_admin_password

wait ...

(Optional) 7. Creating additional entries
Perform the following steps to create additional base entries within the LDAP user registry; repeat these steps for each base entry that you want to create for multiple realm support:

1. Use a text editor to open the wkplc.properties file, located in the wp_profile_root/ConfigEngine/properties directory.
2. Enter a value for the following required parameters in the wkplc.properties file under the VMM repository base entry configuration heading to create additional base entries within the LDAP user registry to use when creating realms:
 * id
 * baseDN
 * nameInRepository
3. Save your changes to the wkplc.properties file.
4. Run the ./ConfigEngine.sh wp-create-base-entry -DWasPassword=password task, from the wp_profile_root/ConfigEngine directory, to create a base entry in a repository.
5. Stop and restart the deployment manager, the node agent(s), server1, and the WebSphere_Portal servers.

(Optional) 8. Listing the user repositories
Go to the directory

/opt/IBM/WebSphere/wp_profile/ConfigEngine

and run the following command


 * 1) ./ConfigEngine.sh wp-query-repository -DWasPassword=

9. Validating the user repository attributes
Go to the directory

/opt/IBM/WebSphere/wp_profile/ConfigEngine

and run the following command


 * 1) ./ConfigEngine.sh wp-validate-federated-ldap-attribute-config -DWasPassword=

10. Updating the user registry

 * 1) Perform the following steps to update the user registry where new users and groups are stored:

Go to the directory

cd /opt/IBM/WebSphere/wp_profile/ConfigEngine/properties

Edit the wkplc.properties file and, in the "VMM supported entity types" section, enter the following values:

personAccountParent=o=empresax
groupParent=
personAccountRdnProperties=cn
groupRdnProperties=cn
 * 1) wp-update-entitytypes - updates the defaultParent of the entity types Group and PersonAccount
 * 2)                         and adds the RDN attributes
 * 1) The default parents of the entity types PersonAccount and Group
 * 1) The RDN attribute names for the entity types PersonAccount and Group
 * 2) To reset all the values of the rdnProperties parameter, specify a blank string ("").

Save and close the file, then go to the directory

cd /opt/IBM/WebSphere/wp_profile/ConfigEngine/

and run the following command


 * 1) ./ConfigEngine.sh wp-update-entitytypes -DWasPassword=password

Restart the server1 and WebSphere_Portal servers.

(Optional) 11. Enabling login with the full distinguished name
Perform the following steps to enable the full distinguished name login if the short names are not unique for the realm:

Go to the directory

cd /opt/IBM/WebSphere/wp_profile/ConfigEngine/properties

Edit the wkplc.properties file and enter the following value:

realmName

or leave it blank for the default realm.

Save and close the file, then go to the directory

cd /opt/IBM/WebSphere/wp_profile/ConfigEngine/

and run the following command


 * 1) ./ConfigEngine.sh wp-modify-realm-enable-dn-login -DWasPassword=password

Restart the server1 and WebSphere_Portal servers.

(Optional) 12. Running the Member Fixer tool
Note: This step is only necessary if you are using WCM and want to use the Intranet and Internet Site Templates.

Run the Member Fixer tool to update the member names used by WCM. Steps:

Go to the directory

cd /opt/IBM/WebSphere/wp_profile/PortalServer/wcm/shared/app/config/wcmservices

Edit the MemberFixerModule.properties file and set the following:

cn=contentauthors,o=defaultWIMFileBasedRealm -> cn=wcmContentAuthors
uid=xyzadmin,o=defaultWIMFileBasedRealm -> cn=xyzadmin,o=empresax

Note:


 * Update the contentAuthors_new property with the group name you used for the content authors group during LDAP configuration.
 * Update the administrator_new property with the administrator user name you used for the administrator user during LDAP configuration. Note that the old administrator user value should be uid=xyzadmin,o=defaultWIMFileBasedRealm, which is the default administrator user used when the Intranet and Internet Site Templates are created.

Save and close the file

Go to the directory

/opt/IBM/WebSphere/wp_profile/ConfigEngine

and run the following command


 * 1) ./ConfigEngine.sh action-express-memberfixer -DmemberfixerRealm= -DPortalAdminPwd=

In our case, realm_name indicates the realm where the user and group are stored


 * 1) ./ConfigEngine.sh action-express-memberfixer -DmemberfixerRealm=defaultWIMFileBasedRealm -DPortalAdminPwd=

13. Removing the file-based federated repository
After the LDAP integration, the default (file-based) security repository can be removed, avoiding conflicts caused by users with duplicate identities.

1. Go to the server's administrative console

https://wps1.empresax.com.br:10041/ibm/console

2. In the WebSphere Application Server administrative console, select

In English: Security > Secure administration, applications, and infrastructure > User Registry > Custom > Custom Properties
In Portuguese: Segurança > Segurança Global > Registro do Usuário > Customizar > Propriedades Customizadas

 * 1) From the Deployment Manager or WebSphere Application Server administrative console, select Security > Secure administration, applications, and infrastructure.
 * 2) In the User account repository section, make sure that Federated repositories is set in the Available realm definitions.
 * 3) Click Configure.
 * 4) In the list of Repositories in the realm, select the repository with the identifier InternalFileRepository.
 * 5) Click Remove.

4. Save your changes.

5. Synchronize all nodes if you are running a cluster
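Steps 11 and 13 both address short names that are not unique across the realm: a collision between the file repository and LDAP is resolved by removing InternalFileRepository, whereas a collision inside LDAP itself still needs DN login. The check below is an added example, not part of this page's procedure or of IBM's tooling; it takes a constructed list of (short name, DN, repository id) entries and reports which case each collision falls into.

```python
"""Added example: detect short names that map to more than one DN in the realm."""
from collections import defaultdict

def find_ambiguous_short_names(entries):
    """entries: iterable of (short_name, dn, repository_id) tuples.
    Returns {short_name: [(dn, repository_id), ...]} for names held by more than one DN."""
    by_name = defaultdict(list)
    for short_name, dn, repo in entries:
        by_name[short_name.lower()].append((dn, repo))
    return {n: hits for n, hits in by_name.items() if len({dn for dn, _ in hits}) > 1}

def report(entries, file_repo_id="InternalFileRepository"):
    """For each ambiguous short name, say whether removing the file repository
    (step 13) resolves it or whether DN login (step 11) is still required."""
    lines = []
    for name, hits in sorted(find_ambiguous_short_names(entries).items()):
        ldap_dns = [dn for dn, repo in hits if repo != file_repo_id]
        if len(ldap_dns) <= 1:
            lines.append(f"{name}: resolved by removing {file_repo_id}")
        else:
            lines.append(f"{name}: still ambiguous in LDAP, DN login needed for " + "; ".join(ldap_dns))
    return lines

# Constructed sample: the built-in file repository plus the LDAP repository from step 2.
SAMPLE_ENTRIES = [
    ("wpsadmin", "uid=wpsadmin,o=defaultWIMFileBasedRealm", "InternalFileRepository"),
    ("wpsadmin", "cn=wpsadmin,o=empresax", "ldap1EmpresaX"),
    ("jsilva", "cn=jsilva,ou=vendas,o=empresax", "ldap1EmpresaX"),
    ("jsilva", "cn=jsilva,ou=rh,o=empresax", "ldap1EmpresaX"),
    ("mrocha", "cn=mrocha,o=empresax", "ldap1EmpresaX"),
]
```

The entries would normally come from the output of wp-query-repository (step 8) or from an LDAP search over the configured base entries.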

(Optional) 14. Replacing the LOCAL Portal administrator with the LDAP one
Perform the following steps to replace the WebSphere Application Server and WebSphere Portal administrator user ID with users that exist in the LDAP user registry:

1. Run the ./ConfigEngine.sh wp-change-was-admin-user -DnewAdminId=newadminid -DnewAdminPw=newpassword task, from the wp_profile_root/ConfigEngine directory, to replace the old WebSphere Application Server administrative user with the new user. Note: This task verifies the user against a running server instance. If the server is stopped, add the -Dskip.ldap.validation=true parameter to the task to skip the validation.
2. Verify that the task completed successfully. In a clustered environment, restart the deployment manager, the node agent(s), server1, and WebSphere_Portal servers. In a stand-alone environment, restart the server1 and WebSphere_Portal servers.
3. Run the ./ConfigEngine.sh wp-change-portal-admin-user -DnewAdminId=newadminid -DnewAdminPw=newpassword -DnewAdminGroupId=newadmingroup task to replace the old WebSphere Portal administrative user with the new user. Note: This task verifies the user against a running LDAP server instance when LDAP security is enabled. If the LDAP server is stopped, add the -Dskip.ldap.validation=true parameter to the task to skip the validation.
4. Verify that the task completed successfully. In a clustered environment, restart the deployment manager, the node agent(s), server1, and WebSphere_Portal servers. In a stand-alone environment, restart the server1 and WebSphere_Portal servers.