WebSphere Everyplace Access LDAP Configuration

Using DMT On AIX
Preparing To Use An Existing IBM Directory Server

After you have installed WEA, you can create additional users and export them for repopulating a LDAP directory.

1)  From a web browser, connect to your WEA machine for administration via the portal portlet (for example "http://wea2aix2.raleigh.ibm.com/wps/portal"), and log in as the administrator (password is "wpsadmin").

2)  In the portlet group selection pulldown, select "Portal Administration".

3)  In the Portal Administration panel, select the "Users and Groups" tab.

4)  On the right side of the Users and Groups display click on "Create new user".

5)  Enter values for the "User ID", "Password", "Confirm Password", "First Name", "Last Name", "Email", and if desired "Preferred Language" and "Interests", then click "OK".

6)  Select the "Manage User Groups" tab, and in that display enter the name of a group in the "Group Name" field and click "Create Group".

7)  In the User Groups, select the group you just added and click "Membership".

8)  In the resulting "Search for user and add and remove users from group" display, enter the user id you wish to search for (with or without the wild card), and click "Go".

9)  If you use "*" as the only search criterion, all users are listed in the "Search Results" section of the display.  Select one of the users and click "Add to group", then click "Cancel".

(Add several groups and users, and add users to the groups.)

10) Back in the "Add and delete groups and manage group membership" panel, select another User Group and click "Membership".

11) Add a second user to the second group: search for users using the wildcard ("*").

12)  Select a user and click "Add to group".

13)  At this point you have at least one user and a group with the user belonging to that group.

Exporting from LDAP

1)  Using the browser of your choice, connect to the LDAP Administration web page (for example "http://wea2aix2.raleigh.ibm.com/ldap/").

2)  Enter your LDAP Administrator ID and Password (for example "cn=wpsadmin" and "wpsadmin"), and click "Logon".

3)  In the "Directory Server" frame, expand "Database" and select "Export LDIF".

4)  In the "Export LDIF" frame, in the "Path and file name" field, either accept the default or enter a path and file name you wish to use for your export, then click "Export".
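Before an exported file is used to repopulate another directory, it is worth checking that every user and every group membership survived the export. The following Python script is an added example (not part of this page and not IBM tooling): it parses the LDIF that "Export LDIF" writes, handling folded continuation lines and base64 (`::`) values, lists the users under the users container, and reports group members whose entries are missing from the file. The sample LDIF, the object classes, the `uniqueMember` group attribute and the `dc=rushmore` layout are constructed assumptions; point `parse_ldif` at your own export to use it.

```python
import base64

# Constructed sample of the kind of LDIF that "Export LDIF" could write for the
# dc=rushmore suffix used on this page; object classes, attributes and groups
# are assumptions for illustration, not taken from a real WEA export.
SAMPLE_EXPORT = """\
version: 1

dn: cn=users,dc=rushmore
objectclass: container
cn: users

dn: uid=jdoe,cn=users,dc=rushmore
objectclass: inetOrgPerson
uid: jdoe
cn: John Doe
# LDIF folds long values at 76 columns; a continuation line starts with a space
description: A user created through the WEA portal administration pane
 l for export testing
# values that are not safe ASCII are base64-encoded and introduced with '::'
displayName:: Sm9obiBEb2Ug8J+Yig==

dn: uid=asmith,cn=users,dc=rushmore
objectclass: inetOrgPerson
uid: asmith
cn: Alice Smith

dn: cn=sales,cn=groups,dc=rushmore
objectclass: groupOfUniqueNames
cn: sales
uniqueMember: uid=jdoe,cn=users,dc=rushmore
uniqueMember: uid=asmith,cn=users,dc=rushmore

dn: cn=marketing,cn=groups,dc=rushmore
objectclass: groupOfUniqueNames
cn: marketing
uniqueMember: uid=asmith,cn=users,dc=rushmore
uniqueMember: uid=ghost,cn=users,dc=rushmore
"""


def _logical_lines(text):
    """Drop comment lines and unfold continuation lines (those starting with a space)."""
    out = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]
        else:
            out.append(raw)
    return out


def parse_ldif(text):
    """Parse LDIF content into a list of (dn, attrs); attrs maps lowercased
    attribute names to lists of values, with '::' values base64-decoded."""
    entries, dn, attrs = [], None, {}
    for line in _logical_lines(text) + [""]:   # trailing "" flushes the last entry
        if not line:                            # a blank line ends an entry
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):               # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        key = name.strip().lower()
        if key == "version":
            continue
        if key == "dn":
            dn = value
        else:
            attrs.setdefault(key, []).append(value)
    return entries


def norm_dn(dn):
    """Case-fold and trim each RDN so two spellings of a DN compare equal
    (escaped commas inside values are not handled)."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def list_users(entries, container="cn=users,dc=rushmore"):
    """uids of the entries that sit directly under the users container."""
    parent = norm_dn(container)
    return [attrs["uid"][0] for dn, attrs in entries
            if "uid" in attrs and norm_dn(dn.partition(",")[2]) == parent]


def dangling_members(entries, member_attr="uniquemember"):
    """Map each group DN to member DNs that name entries absent from the export."""
    present = {norm_dn(dn) for dn, _ in entries}
    report = {}
    for dn, attrs in entries:
        missing = [m for m in attrs.get(member_attr, []) if norm_dn(m) not in present]
        if missing:
            report[dn] = missing
    return report


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_EXPORT)
    print("users:", list_users(entries))
    for group, missing in dangling_members(entries).items():
        print(f"{group}: members not in export: {missing}")
```

A group that names a user the export does not contain (here the constructed `uid=ghost`) is the kind of inconsistency that silently breaks portal group membership after an import, so the report is worth reading before the file is loaded anywhere.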

Using DMT On AIX

1)  On the AIX machine your LDAP server runs on, change to "/usr/ldap" and run the program "dmt".

(You should already be connected to the correct server; you can also connect to another server by clicking "Add server" at the bottom of the left frame of the panel. In the "Add Server" panel, enter the fully qualified name of the LDAP server machine (for example "wea2aix2.raleigh.ibm.com"), select "Simple" as the authentication type, enter the "User DN" (for example "cn=wpsadmin") and the user password (for example "wpsadmin"), then click "OK".)

2)  Once you are connected to the server, expand "Directory tree" and click "Browse tree".  The right panel displays your LDAP configuration. Expand down to the users container (for example "dc=rushmore", then "cn=users").

3)  From this window you can administer users (delete, add, edit, and so on).

Preparing To Use An Existing IBM Directory Server

(From Ken Hoopes, with minor modifications by Steve Hayden)

When installing over an existing WebSphere Portal, you must use the existing IBM Directory Server that is used by WebSphere Portal. In order to use this existing LDAP server, you must add an LDAP suffix and an LDAP object for INS (Intelligent Notification Services).

Follow the steps below to prepare the portal system for the WEA install:

Add a suffix to LDAP for Intelligent Notification Services

1. Add a suffix.
   a. Go to the log-in URL for your SecureWay Directory server (for example "http://server.location.company.com/ldap"). The IBM Directory Server log-in page appears.

   b. Enter your administrative user ID and password for LDAP, for example cn=wpsadmin/wpsadmin.

   c. Click Logon. This will cause the LDAP services panels to appear.

   d. In the left-hand frame, click Settings. This will cause the services list
      panel to appear on the right.

   e. Click the suffix choice line. This will bring up the suffix input panel.

   f. In the suffix DN field, enter:


   g. Click Update.

   h. Stop and start the LDAP server.

2. Add an LDAP object.
   a. (Windows) From the Windows Start menu, open the Programs list, select 'IBM Directory Server',
      then 'Directory Management Tool'.

       (AIX) From the AIX command prompt, change directories to "/usr/ldap/bin" and type "./dmt&" to invoke the DMT GUI.

   b. In the left-hand frame, under "Server", click "Rebind". This brings up the rebind panel. (On AIX you get a "Directory Message Panel" popup with the warning "Entry dc=ins,dc=ibm,dc=com does not contain any data"; click "OK".)

   c. Click the 'Authenticated' radio button. This enables the user DN and password entry fields.

   d. Enter your user ID (prefixed with 'cn=') into the user DN field, and enter
      your password into the user password field (for example 'cn=wpsadmin/wpsadmin').

   e. From the left frame, select the 'Browse tree' entry under 'Directory tree'.

   f. Click the Add button on the toolbar. The 'Add an LDAP Entry' panel appears.

   g. Select an entry type of Domain.

   h. Enter 'dc=ins,dc=ibm,dc=com' in the 'Entry RDN' field. Click 'OK'.

   On AIX you get an additional dialog box "Add an LDAP Entry"; click "ADD".

   i. Click the new entry (that is, 'dc=ins,dc=ibm,dc=com'). This enables the 'ACL' button.

   j. Click the 'ACL' button to bring up the permissions panel.

   k. On the permissions panel, grant permissions for everything. Click "OK" to leave the permissions panel, then click 'EXIT' at the bottom of the left-hand
      panel.

3. Set DB2 to allow 20 concurrently active databases:
   a. Go to Start, Programs, IBM DB2, DB2 Command Line Processor.

   b. Enter the following command:

     'update dbm cfg using NUMDB 20'

At this point the Portal 4.2 system is now ready for the WEA 4.3 install.

LDAP Command-Line Tools


LDAP protocol operations are divided into three categories: authentication, interrogation, and update and control. The LDAP C-API provides a number of simple command-line tools that together cover all three categories.

The appendix covers the following topics:
LDAP Command-Line Tools
Optional Arguments for Command-Line Tools

LDAP Command-Line Tools

This section introduces six popular command-line tools. The section "Optional Arguments for Command-Line Tools", immediately following, defines the optional arguments used in the command descriptions and examples.

These are the six commands: ldapbind, ldapsearch, ldapadd, ldapdelete, ldapmodify, and ldapmoddn.

ldapbind

Use the command-line tool ldapbind to authenticate to a directory server. You can also use ldapbind to find out if the server is running.
ldapbind [options]

ldapbind -h myhost -p 389 -D "cn=orcladmin" -w welcome

This command authenticates user orcladmin to the directory server myhost located at port 389, using the password welcome.


ldapsearch

Use the command-line tool ldapsearch to search for specific entries in a directory. ldapsearch opens a connection to a directory, authenticates the user performing the operation, searches for the specified entry, and prints the result in a format that the user specifies.

ldapsearch  [options]  filter [attributes]

ldapsearch -h myhost -p 389 -s base -b "ou=people,dc=acme,dc=com" \
"objectclass=*"
This command searches the directory server myhost, located at port 389. The scope of the search (-s) is base, and the part of the directory searched is the base DN (-b) designated. The search filter "objectclass=*" means that values for all of the entry's object classes are returned. No attributes are returned because they have not been requested. The example assumes anonymous authentication because authentication options are not specified.
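The scope (-s) and base DN (-b) semantics described above, as an added Python example that is not from this page or its vendor: a small in-memory search over constructed entries under dc=acme,dc=com that applies `base`, `one` and `sub` scopes and evaluates a single presence, equality or substring filter such as `(objectclass=*)` or `(uid=h*)`. Following the description above, attribute values are returned only for the attributes that were requested. The `DIRECTORY` contents, the `mail` values and the function names are assumptions; compound filters with `&`, `|` and `!` are deliberately not supported.

```python
from fnmatch import fnmatchcase

# Constructed in-memory directory under the dc=acme,dc=com base used in this
# appendix. Attribute names are stored lowercased, as a server compares them.
DIRECTORY = {
    "dc=acme,dc=com": {"objectclass": ["domain"], "dc": ["acme"]},
    "ou=people,dc=acme,dc=com": {"objectclass": ["organizationalUnit"], "ou": ["people"]},
    "ou=sales,ou=people,dc=acme,dc=com": {"objectclass": ["organizationalUnit"], "ou": ["sales"]},
    "uid=hricard,ou=sales,ou=people,dc=acme,dc=com": {
        "objectclass": ["inetOrgPerson"], "uid": ["hricard"], "mail": ["hricard@acme.com"]},
    "uid=oball,ou=sales,ou=people,dc=acme,dc=com": {
        "objectclass": ["inetOrgPerson"], "uid": ["oball"], "mail": ["oball@acme.com"]},
    "uid=jhay,ou=people,dc=acme,dc=com": {
        "objectclass": ["inetOrgPerson"], "uid": ["jhay"]},
}


def dn_components(dn):
    """Split a DN into trimmed, case-folded RDNs (escaped commas are not handled)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def in_scope(dn, base, scope):
    """True if dn lies within the search scope (-s) relative to the base DN (-b)."""
    d, b = dn_components(dn), dn_components(base)
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return False                      # not under the base at all
    depth = len(d) - len(b)               # 0 = the base itself, 1 = a direct child
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    if scope == "sub":
        return True
    raise ValueError(f"unknown scope {scope!r}")


def matches(attrs, filt):
    """Evaluate one presence, equality or substring filter, e.g. (uid=h*).

    Only this simple form is supported; &, | and ! combinations are not.
    """
    f = filt.strip()
    if f.startswith("(") and f.endswith(")"):
        f = f[1:-1]
    name, sep, pattern = f.partition("=")
    if not sep:
        raise ValueError(f"unsupported filter {filt!r}")
    values = attrs.get(name.strip().lower(), [])
    if pattern == "*":                    # presence test, e.g. objectclass=*
        return bool(values)
    return any(fnmatchcase(v.lower(), pattern.lower()) for v in values)


def ldap_search(directory, base, scope, filt, attributes=()):
    """Return [(dn, attrs)] for entries in scope that match the filter.

    Only the requested attributes are included; with no attribute list the
    result carries DNs only, as in the ldapsearch example above.
    """
    wanted = {a.lower() for a in attributes}
    results = []
    for dn, attrs in directory.items():
        if in_scope(dn, base, filt and scope) and matches(attrs, filt):
            results.append((dn, {k: v for k, v in attrs.items() if k in wanted}))
    return results


if __name__ == "__main__":
    for scope in ("base", "one", "sub"):
        hits = ldap_search(DIRECTORY, "ou=people,dc=acme,dc=com", scope, "(objectclass=*)")
        print(f"-s {scope}: {[dn for dn, _ in hits]}")
    print(ldap_search(DIRECTORY, "dc=acme,dc=com", "sub", "(uid=h*)", ["mail"]))
```

Running the block shows the practical difference between the three scopes against the same base: `base` returns only `ou=people`, `one` returns its two direct children, and `sub` returns the whole subtree but never the parent `dc=acme,dc=com`.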


ldapadd

Use the command-line tool ldapadd to add entries to the directory. ldapadd opens a connection to the directory and authenticates the user. Then it opens the LDIF file supplied as an argument and adds, in succession, each entry in the file.

ldapadd [options] [-f LDIF-filename]

ldapadd -h myhost -p 389 -D "cn=orcladmin" -w welcome -f jhay.ldif

Using this command, user orcladmin authenticates to the directory myhost, located at port 389. The command then opens the file jhay.ldif and adds its contents to the directory. The file might, for example, add the entry uid=jhay,cn=Human Resources,cn=acme,dc=com and its object classes and attributes.
See Also:
"LDIF" for details about LDIF file syntax


ldapdelete

Use the command-line tool ldapdelete to remove leaf entries from a directory. ldapdelete opens a connection to a directory server and authenticates the user. Then it deletes specified entries.

ldapdelete [options] "entry DN"

ldapdelete -h myhost -p 389 -D "cn=orcladmin" -w welcome \
"uid=hricard,ou=sales,ou=people,dc=acme,dc=com"
This command authenticates user orcladmin to the directory myhost, using the password welcome. Then it deletes the entry uid=hricard,ou=sales,ou=people,dc=acme,dc=com.


ldapmodify

Use the command-line tool ldapmodify to modify existing entries. ldapmodify opens a connection to the directory and authenticates the user. Then it opens the LDIF file supplied as an argument and modifies the LDAP entries specified by the file.

ldapmodify uses a modified form of an LDIF file. Within the file itself, you use the attribute changetype to specify the type of change. An example is changetype: add.
Four types of changes are possible:
add--adds a new entry
modify--changes an existing entry, that is, it adds, deletes, or replaces attributes of the entry
delete--deletes an existing entry
modrdn--modifies the RDN of an existing entry

ldapmodify [options] [-f LDIF-filename]

ldapmodify -h myhost -p 389 -D "cn=orcladmin" -w welcome -f hricard.ldif

Using this command, user orcladmin authenticates to the directory myhost, located at port 389. The command then opens the file hricard.ldif and modifies the directory entries specified by the file. The file might, for example, change the telephone number attribute of entry uid=hricard,cn=sales,cn=acme,dc=com.
You can use ldapmodify instead of ldapadd and ldapdelete to add or delete entries.
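The changetype form of LDIF that ldapmodify reads is easy to get subtly wrong by hand (the `-` separator between modify operations, and values that must be base64-encoded). The following Python module is an added example, not code from this page or its vendor: it writes add, modify, delete and modrdn change records according to RFC 2849, encoding unsafe values with `::` and folding lines at 76 columns, so the output can be handed to `ldapmodify -f`. The DNs and attribute values are constructed, reusing names from this appendix; `newsuperior` is omitted because this page uses ldapmoddn for moves.

```python
import base64


def encode_attr(name, value):
    """Emit 'name: value', or 'name:: base64' when the value is not a SAFE-STRING
    under RFC 2849 (leading space, ':' or '<', trailing space, NUL, CR, LF, non-ASCII)."""
    unsafe = (value[:1] in (" ", ":", "<")
              or value.endswith(" ")
              or any(ch > "\x7f" or ch in "\x00\r\n" for ch in value))
    if unsafe:
        b64 = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{name}:: {b64}"
    return f"{name}: {value}"


def fold(line, width=76):
    """Fold one logical line at `width` columns; continuation lines begin with a space."""
    pieces, rest = [line[:width]], line[width:]
    while rest:
        pieces.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return pieces


def change_record(dn, changetype, body):
    """A complete change record: dn, changetype, body lines, each newline-terminated."""
    lines = [encode_attr("dn", dn), f"changetype: {changetype}", *body]
    return "".join(piece + "\n" for line in lines for piece in fold(line))


def add_record(dn, attrs):
    """changetype: add, where attrs maps an attribute name to a list of values."""
    return change_record(dn, "add",
                         [encode_attr(a, v) for a, vals in attrs.items() for v in vals])


def modify_record(dn, ops):
    """changetype: modify, where ops is a list of (op, attribute, values) with
    op one of add/delete/replace; every operation is closed by a line of '-'."""
    body = []
    for op, attr, values in ops:
        if op not in ("add", "delete", "replace"):
            raise ValueError(f"bad modify op {op!r}")
        body.append(f"{op}: {attr}")
        body.extend(encode_attr(attr, v) for v in values)
        body.append("-")
    return change_record(dn, "modify", body)


def delete_record(dn):
    """changetype: delete for a leaf entry."""
    return change_record(dn, "delete", [])


def modrdn_record(dn, new_rdn, delete_old_rdn=True):
    """changetype: modrdn, renaming the entry's RDN in place."""
    return change_record(dn, "modrdn",
                         [f"newrdn: {new_rdn}", f"deleteoldrdn: {int(delete_old_rdn)}"])


def ldif_file(*records):
    """Join records with one blank line between them, the layout ldapmodify -f expects."""
    return "\n".join(records)


if __name__ == "__main__":
    # Constructed entries; write the result to a file and pass it with -f.
    print(ldif_file(
        add_record("uid=jhay,ou=people,dc=acme,dc=com",
                   {"objectClass": ["inetOrgPerson"], "uid": ["jhay"],
                    "cn": ["Jo Hay"], "sn": ["Hay"]}),
        modify_record("uid=hricard,cn=sales,cn=acme,dc=com",
                      [("replace", "telephoneNumber", ["+1 650 555 0100"])]),
        modrdn_record("uid=oball,ou=sales,ou=people,dc=acme,dc=com", "uid=oball2"),
        delete_record("uid=oball2,ou=sales,ou=people,dc=acme,dc=com"),
    ))
```

Only the entry data goes into the file; the bind credentials stay on the ldapmodify command line as in the examples above, and a password given with -w is visible in the process's argument list while the tool runs, which is worth keeping in mind on a shared administration host.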


ldapmoddn

Use the command-line tool ldapmoddn to:
change the RDN of an entry
move an entry or subtree to another location in the directory

ldapmoddn [options] -b "current DN" -R "new RDN" -N "new Parent"

ldapmoddn -h myhost -p 389 -D "cn=orcladmin" -w welcome \
-b "uid=oball,ou=sales,ou=people,dc=acme,dc=com" \
-N "ou=marketing,ou=people,dc=acme,dc=com"

This command authenticates user orcladmin to the directory myhost, using the password welcome. Then it assigns to the entry uid=oball,ou=sales,ou=people,dc=acme,dc=com a new parent entry, ou=marketing,ou=people,dc=acme,dc=com.

Optional Arguments for Command-Line Tools

Commonly Used Command-Line Options

Option  Description
-h      The host name of the directory server
-p      The port number of the directory server
-D      The bind DN, that is, the user authenticating to the directory
-w      The bind password in simple authentication
-W      Wallet location for one- or two-way SSL authentication
-P      Wallet password
-U      SSL authentication mode:
          1 for no authentication
          2 for one-way authentication
          3 for two-way authentication
-b      The base DN for a search
-s      Search scope:
          base--the entry requested
          one--the entries just below the requested entry
          sub--the entire subtree
-f      The LDIF file containing additions, deletions, or modifications
-R      New RDN
-N      New parent for an entry or subtree that is moved