IBM DataPower Operations Dashboard v1.0.8.5
Note: A more recent version of DPOD is available. See DPOD Documentation for the latest documentation.
LDAP Configuration Script
DPOD includes an LDAP configuration script for easy configuration of DPOD to use an LDAP user registry.
The script uses a user-provided parameters file with the desired configuration. It verifies the configuration, updates the configuration database and files and restarts the necessary services.
It can also disable the LDAP configuration in order to rollback to the internal database registry.
Please make sure to gather all the information listed in Planning LDAP Configuration, which includes detailed explanation on all the parameters.
Parameters File
A template of the LDAP parameters file is provided at /app/utils/LDAP_parameters.properties.
It is recommended to backup the file before modifying it:
cp /app/utils/LDAP_parameters.properties /app/utils/LDAP_parameters.properties.orig
Edit the parameters file and set the following parameters based on the information that was collected in Planning LDAP Configuration:
| Parameter | Description |
|---|---|
builtinRoleMethod | Should be "user_attribute" (for scenario A) or "group_attribute" (for scenario B). |
| testUserName | The user name of a user for testing e.g. adminford |
| testUserPassword | The password of a user for testing |
| connectionUrl | LDAP server URL including port. Use ldap:// prefix for non-SSL connection and ldaps:// prefix for SSL connection. e.g. ldap://192.168.110.15:389 |
| referrals | Whether LDAP referrals should be followed or ignored (follow/ignore) |
| connectionName | Query user distinguished name (DN) e.g. cn=LDAP Query User,ou=people,dc=example,dc=org |
| connectionPassword | Query user password Note: This password will be encrypted and stored in the configuration database and files e.g. pass123 |
userSearchBase | User search base entry e.g. ou=people,dc=example,dc=org |
| userSearchSubtree | User search sub-tree (true/false) e.g. true |
| userSearchFilter | User search filter |
| groupSearchBase | Group search base entry |
groupSearchSubtree | Group search sub-tree (true/false) e.g. true |
groupSearchFilter | Group search filter |
groupSearchNested | Group search nested (true/false) e.g. true |
groupRoleAttributeName | Group role attribute name |
| userRoleAttributeName | For scenario A only |
Testing LDAP Configuration
In order to test LDAP configuration, use the following command:
cd /app/utils/ /app/scripts/app_ldap_utilities.sh -f ./LDAP_parameters.properties
For a valid LDAP configuration the command's output should be:
28/06/2018 15:24:04,283- INFO Starting LDAP Utilities 28/06/2018 15:24:04,290- INFO Reading user parameters file, path=./LDAP_parameters.properties 28/06/2018 15:24:04,293- INFO This utility is about to connect to the LDAP registry to test the configuration. 28/06/2018 15:24:04,293- INFO Please confirm connecting to the LDAP registry (y,n): y 28/06/2018 15:24:05,310- INFO Connecting to the LDAP sever, connectionUrl=ldap://ldap-server:10389 28/06/2018 15:24:05,329- INFO Connected to LDAP server successfully 28/06/2018 15:24:05,330- INFO Searching for test user, testUserName=test 28/06/2018 15:24:05,336- INFO Test user found successfully, DN=cn=test,ou=people,dc=example,dc=org 28/06/2018 15:24:05,338- INFO Connecting to the LDAP sever using test user DN and password 28/06/2018 15:24:05,344- INFO Connected to LDAP server using test user DN and password successfully 28/06/2018 15:24:05,345- INFO Searching for test user groups 28/06/2018 15:24:05,365- INFO Found 3 test user groups with the group name attribute 28/06/2018 15:24:05,368- INFO Searching for a groups attribute since builtin role method is group_attribute 28/06/2018 15:24:05,476- INFO Tested LDAP configuration against LDAP registry successfully 28/06/2018 15:24:05,476- INFO The operation completed successfully
For an invalid LDAP configuration, the command's output might be:
28/06/2018 15:28:02,902- INFO Starting LDAP Utilities 28/06/2018 15:28:02,909- INFO Reading user parameters file, path=./LDAP_parameters.properties 28/06/2018 15:28:02,912- INFO This utility is about to connect to the LDAP registry to test the configuration. 28/06/2018 15:28:02,912- INFO Please confirm connecting to the LDAP registry (y,n): y 28/06/2018 15:28:03,638- INFO Connecting to the LDAP sever, connectionUrl=ldap://wrong-server:10389 28/06/2018 15:28:06,663- ERROR The operation failed. See log file for more details.
In case of failure, inspect the log file for detailed failure messages. The log file is located in /logs/ui/app_ldap_utilities.log.
Change the LDAP configuration parameters and rerun the script until tests are successful.
Updating LDAP Configuration
Once LDAP configuration has been tested and found valid, use the following command to perform the change in the configuration database and files:
cd /app/utils/ /app/scripts/app_ldap_utilities.sh -f ./LDAP_parameters.properties -u
Ensure DPOD's services are up and running before updating the LDAP configuration.
The command output should be:
28/06/2018 15:30:50,085- INFO Starting LDAP Utilities 28/06/2018 15:30:50,093- INFO Reading user parameters file, path=./LDAP_parameters.properties 28/06/2018 15:30:50,097- INFO This utility is about to connect to the LDAP registry to test the configuration. 28/06/2018 15:30:50,097- INFO Please confirm connecting to the LDAP registry (y,n): y 28/06/2018 15:30:51,915- INFO Connecting to the LDAP sever, connectionUrl=ldap://ldap-server:10389 28/06/2018 15:30:51,932- INFO Connected to LDAP server successfully 28/06/2018 15:30:51,933- INFO Searching for test user, testUserName=test 28/06/2018 15:30:51,938- INFO Test user found successfully, DN=cn=test,ou=people,dc=example,dc=org 28/06/2018 15:30:51,939- INFO Connecting to the LDAP sever using test user DN and password 28/06/2018 15:30:51,944- INFO Connected to LDAP server using test user DN and password successfully 28/06/2018 15:30:51,945- INFO Searching for test user groups 28/06/2018 15:30:51,955- INFO Found 3 test user groups with the group name attribute 28/06/2018 15:30:51,956- INFO Searching for a groups attribute since builtin role method is group_attribute 28/06/2018 15:30:52,006- INFO Tested LDAP configuration against LDAP registry successfully 28/06/2018 15:30:52,006- INFO This utility is about to update the UI service configuration to work with LDAP registry. 28/06/2018 15:30:52,007- INFO To apply the new configuration, the UI service will be restarted afterwards. 28/06/2018 15:30:52,008- INFO Please confirm the configuration update (y,n): y 28/06/2018 15:30:53,586- INFO Enabling LDAP configuration in database 28/06/2018 15:30:53,949- INFO Enabled LDAP configuration in database successfully 28/06/2018 15:30:53,951- INFO Creating a backup of UI server configuration file server.xml, backupFilePath=/app/ui/MonTier-UI/conf/server.xml.2018-06-28-153053 28/06/2018 15:30:53,957- INFO Created a backup of UI server configuration file server.xml successfully 28/06/2018 15:30:53,958- INFO Enabling LDAP configuration in UI server configuration file server.xml 28/06/2018 15:30:54,036- INFO Enabled LDAP configuration in UI server configuration file server.xml successfully 28/06/2018 15:30:54,037- INFO To apply the new configuration, the UI service needs to be restarted. 28/06/2018 15:30:54,037- INFO Please confirm the UI service restart (y,n): y 28/06/2018 15:30:56,345- INFO Restarting UI server 28/06/2018 15:30:56,630- INFO Restarted UI server successfully 28/06/2018 15:30:56,630- INFO The operation completed successfully
Disabling LDAP Configuration
Use the following command to disable LDAP configuration in System Parameters:
cd /app/utils/ /app/scripts/app_ldap_utilities.sh -d
Ensure DPOD's services are up and running before disabling the LDAP configuration.
The command output should be:
28/06/2018 15:36:08,878- INFO Starting LDAP Utilities 28/06/2018 15:36:08,897- INFO This utility is about to update the UI service configuration to work with its local user registry. 28/06/2018 15:36:08,897- INFO To apply the new configuration, the UI service will be restarted afterwards. 28/06/2018 15:36:08,897- INFO Please confirm the configuration update (y,n): y 28/06/2018 15:36:12,465- INFO Disabling LDAP configuration in database 28/06/2018 15:36:12,711- INFO Disabled LDAP configuration in database successfully 28/06/2018 15:36:12,713- INFO Creating a backup of UI server configuration file server.xml, backupFilePath=/app/ui/MonTier-UI/conf/server.xml.2018-06-28-153612 28/06/2018 15:36:12,725- INFO Created a backup of UI server configuration file server.xml successfully 28/06/2018 15:36:12,726- INFO Disabling LDAP configuration in UI server configuration file server.xml 28/06/2018 15:36:12,808- INFO Disabled LDAP configuration in UI server configuration file server.xml successfully 28/06/2018 15:36:12,808- INFO To apply the new configuration, the UI service needs to be restarted. 28/06/2018 15:36:12,810- INFO Please confirm the UI service restart (y,n): y 28/06/2018 15:36:13,625- INFO Restarting UI server 28/06/2018 15:36:16,792- INFO Restarted UI server successfully 28/06/2018 15:36:16,793- INFO The operation completed successfully
Manually Inspecting LDAP Configuration
Inspecting LDAP Configuration in Configuration File (server.xml)
Edit the server configuration file and look for the LDAPRealm element. This element contains all the configuration set automatically by the script.
vi /app/ui/MonTier-UI/conf/server.xml
Inspecting LDAP Configuration in System Parameters
Open the Web Console and navigate to System Parameters page [Manage→ System → System Parameters].
The LDAP configuration system parameters are listed under "LDAP" category.