Thursday, May 15, 2008

LDAP Integration between Microsoft Active Directory and IBM RPM 7.1
I was pissed off by the useless guidance documents scattered across the Internet. My RPM team spent nearly 3 hours to get it right. You know what? The biggest portion of that time was wasted following the step-by-step instructions that were supposed to guide you toward a successful integration between these two major components: Microsoft AD and IBM RPM.

The com.ibm.rpm.auth.jndi.JNDIController.properties file is the key configuration element for such integration, but ONLY for IBM RPM versions prior to 7.1. If you happen to install IBM RPM 7.1, you will bang your big head on the monitor wondering why the configuration is not working at all.

We started to suspect the correctness of configuring that file when we were diagnosing the SystemOut.log file in IBM WebSphere AS 6.1. I saw interesting JNDI lookup names such as useLdapAuthentication and ldapConfiguration. So I decided to google again and, ta-da, found some useful material on the IBM RPM forum.

Apparently the new mechanism in IBM RPM 7.1 is to look up the LDAP configuration from JNDI objects instead of the previous property file.

The following steps outline this mechanism (I wish I had some screenshots, but I don't really have time for that):

1. Open the IBM WAS Administrative Console.

2. Go to Resource Environment Entries, under Resources.

The entries you create here are referred to by the RPM WAR application through resource-env-ref elements in its web.xml. It is worth browsing the list of available resource-env-ref mappings in that web.xml.

3. Create the appropriate Resource Environment Entries.

a. useLdapConfiguration

This is the switch that enables LDAP integration. The only valid value to turn it on is "true".

b. ldapConfiguration

This is where you define the LDAP "connection string".

It must be on a single line, with each key="value" pair separated by spaces.

java.naming.provider.url="ldap://your_domain_name.com:389" java.naming.factory.initial="com.sun.jndi.ldap.LdapCtxFactory" java.naming.ldap.version="3" java.naming.security.protocol="simple" com.ibm.rpm.auth.jndi.ldapsearchcontext="OU=Your AD OU,dc=your_domain_name, dc=com" com.ibm.rpm.auth.jndi.ldapuseridattr="sAMAccountName" java.naming.security.principal="your_ad_username" java.naming.security.credentials="your_ad_password"

Things to note when constructing this string:
  • Make sure your testing machine can reach Microsoft AD on the specified port. Confirm with the network administrator if necessary.

  • If you are using a non-AD LDAP directory, you may need to use the vendor-supplied LDAP context factory and a different security protocol.

  • ldapsearchcontext is really company specific. Make sure your search context points at the right location, as defined by your domain administrators.

  • ldapuseridattr can be set to a different AD attribute to map to RPM user names. I guess it should be possible to use your domain email as the RPM login.

  • com.ibm.rpm.auth.jndi.ldapuseridattr and java.naming.security.principal must be compatible: if you specify distinguishedName as the mapping attribute, make sure your principal string is correct.
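As an added sanity check (my own example, not IBM's or RPM's code), the Python below parses the one-line ldapConfiguration string, reports missing keys and a cleartext simple bind over plain ldap://, and builds an escaped search filter for the RPM login. The sample string is constructed from the placeholders above, and the filter shape is an assumption about how the user entry is located under ldapuseridattr.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of the one-line ldapConfiguration entry described above
# (placeholder host, OU and credentials, not a real directory).
SAMPLE_CONFIG = (
    'java.naming.provider.url="ldap://your_domain_name.com:389" '
    'java.naming.factory.initial="com.sun.jndi.ldap.LdapCtxFactory" '
    'java.naming.ldap.version="3" java.naming.security.protocol="simple" '
    'com.ibm.rpm.auth.jndi.ldapsearchcontext="OU=Your AD OU,dc=your_domain_name, dc=com" '
    'com.ibm.rpm.auth.jndi.ldapuseridattr="sAMAccountName" '
    'java.naming.security.principal="your_ad_username" '
    'java.naming.security.credentials="your_ad_password"'
)

# Values such as the search context contain spaces, so split on the
# key="value" pattern rather than on whitespace.
PAIR_RE = re.compile(r'(\S+?)="([^"]*)"')
REQUIRED = ("java.naming.provider.url", "java.naming.factory.initial",
            "com.ibm.rpm.auth.jndi.ldapsearchcontext", "com.ibm.rpm.auth.jndi.ldapuseridattr",
            "java.naming.security.principal", "java.naming.security.credentials")

def parse_ldap_configuration(line):
    """Parse the space-separated key="value" string into a dict."""
    if "\n" in line.strip():
        raise ValueError("ldapConfiguration must be a single line")
    leftover = PAIR_RE.sub("", line).strip()
    if leftover:  # an unquoted or malformed pair would otherwise be dropped silently
        raise ValueError("unparsed text in ldapConfiguration: %r" % leftover)
    return dict(PAIR_RE.findall(line))

def check_configuration(cfg):
    """Return a list of findings; an empty list means nothing to report."""
    findings = ["missing " + key for key in REQUIRED if key not in cfg]
    scheme = urlsplit(cfg.get("java.naming.provider.url", "")).scheme
    # JNDI encrypts the session only for ldaps:// or java.naming.security.protocol=ssl;
    # otherwise the service account password in the credentials key crosses the wire in clear.
    if scheme == "ldap" and cfg.get("java.naming.security.protocol") != "ssl":
        findings.append("cleartext bind: use ldaps://host:636 or java.naming.security.protocol=ssl")
    return findings

def escape_filter_value(value):
    """Escape a login name for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def user_search_filter(cfg, login):
    """Filter locating the RPM login under ldapuseridattr (assumed lookup shape);
    escaping keeps a crafted login from altering the filter."""
    return "(%s=%s)" % (cfg["com.ibm.rpm.auth.jndi.ldapuseridattr"], escape_filter_value(login))
```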
It is helpful to use the Softerra LDAP tools to troubleshoot.
