/
LDAP Configuration Script

IBM DataPower Operations Dashboard v1.0.14.0

A newer version of this product documentation is available.

You are viewing an older version. View latest at IBM DPOD Documentation.

LDAP Configuration Script

Please make sure to gather all the information listed in Planning LDAP Configuration, which includes detailed explanation on all the parameters as well as the recommended configuration.


DPOD includes an LDAP configuration script for easy configuration of DPOD to use an LDAP registry.

The script uses a user-provided parameters file with the desired configuration. It verifies the configuration, updates the configuration database and files and restarts the necessary services.

It can also disable the LDAP configuration in order to rollback to using the internal database registry.

Parameters File

A template of the LDAP parameters file is provided at /app/utils/LDAP_parameters.properties.

It is recommended to backup the file before modifying it:

cp /app/utils/ldap/LDAP_parameters.properties /app/utils/ldap/LDAP_parameters.properties.orig


Edit the parameters file and set the following parameters based on the information that was collected in Planning LDAP Configuration:

ParameterDescription

builtinRoleMethod

Should be "group_attribute" or "user_attribute", according to the recommended or advanced configurations listed in Planning LDAP Configuration.

testUserNameThe user name of a real user defined in the LDAP registry who will be using DPOD - will be used to verify that the configuration is valid.
This user name is used only for testing and is not stored in the configuration database and files once configuration is complete.
You should remove it from the parameters file once configuration is complete.
testUserPassword

The password of a real user defined in the LDAP registry who will be using DPOD - will be used to verify that the configuration is valid.
This password is used only for testing and is not stored in the configuration database and files once configuration is complete.
You should remove it from the parameters file once configuration is complete.

connectionUrlsLDAP server address(es), separated by commas. Use ldap:// prefix for non-secure connection and ldaps:// prefix for Secure LDAP connection.
See "LDAP servers IP addresses" and "LDAP servers ports" in Planning LDAP Configuration.
enableLdapsHostNameVerificationSee "LDAPS host name verification" in Planning LDAP Configuration. Should be true or false.
referrals

See "Referrals" in Planning LDAP Configuration. Should be ignore or follow.

connectionNameThe DN of a user that is used to connect to the LDAP server and perform queries.
connectionPasswordThe password of a user that is used to connect to the LDAP server and perform queries.
This password will be encrypted and stored in the configuration database and files.
You should remove it from the parameters file once configuration is complete.

userSearchBase

See "User search base entry" in Planning LDAP Configuration.

userSearchFilter

See "User search filter" in Planning LDAP Configuration.

userNameAttributeNameSee "User name attribute" in Planning LDAP Configuration.
groupSearchBase

See "Group search base entry " in Planning LDAP Configuration.

groupMembershipSearchFilter

See "Group membership search filter" in Planning LDAP Configuration.

groupMembershipSearchNested

See "Group membership search nested" in Planning LDAP Configuration. Should be true or false.
groupNameSearchFilterSee "Group name search filter" in Planning LDAP Configuration.
groupNameAttributeNameSee "Group name attribute" in Planning LDAP Configuration.
roleAttributeValuesSeparatorIn case there are several values for each role mapping, a separator must be specified. By default, no separator is defined.
See "Mapping Built-in Roles" in Planning LDAP Configuration.

adminRoleAttributeValues
powerUserRoleAttributeValues
operatorRoleAttributeValues
investigatorRoleAttributeValues
appAdminRoleAttributeValues

See "Mapping Built-in Roles" in Planning LDAP Configuration.

groupRoleAttributeName

See "Recommended Configuration" and "Advanced Configuration - Scenario B" in Planning LDAP Configuration.

userRoleAttributeName

See "Advanced Configuration - Scenario A" in Planning LDAP Configuration.

Testing LDAP Configuration

In order to test LDAP configuration, use the following command:

cd /app/utils/ldap
/app/scripts/app_ldap_utilities.sh -f ./LDAP_parameters.properties

Note:

  • Add "-y" or "--assume-yes" to run the test without prompting for confirmation.
  • In case of failure, inspect the log file for detailed failure messages. The log file is located in /logs/ui/app_ldap_utilities.log.
  • Change the LDAP configuration parameters and rerun the script until tests are successful.

Updating LDAP Configuration

Ensure DPOD's services are up and running before updating the LDAP configuration.

Once LDAP configuration has been tested and found valid, use the following command to perform the change in the configuration database and files:

cd /app/utils/ldap
/app/scripts/app_ldap_utilities.sh -f ./LDAP_parameters.properties -u

Note:

  • Add "-y" or "--assume-yes" to run the update without prompting for confirmation.

Disabling LDAP Configuration

Ensure DPOD's services are up and running before disabling the LDAP configuration.

Use the following command to disable LDAP configuration in System Parameters:

cd /app/utils/ldap
/app/scripts/app_ldap_utilities.sh -d

Note:

  • Add "-y" or "--assume-yes" to run the update without prompting for confirmation.

LDAP Configuration Locations

LDAP configuration is stored in /app/ui/MonTier-UI/conf/server.xml, in /app/appadmin/MonTier-AppAdmin/conf/server.xml and in System Parameters page [Manage → Customize → System Parameters] under "LDAP" category.

Do not try to change these files or the system parameters manually. Instead, use the LDAP configuration script described above.



IBM DataPower Operations Dashboard (DPOD) v1.0.14.0