Last time, we talked about installing and configuring Apache DS. Now, we will add users and groups to it. We need to create the following users:
- wasadmin: This is the WebSphere 6.1 administrator user. Once security is configured, we will log into the WAS admin console using this user.
- bob: This is a test application user. We will log into the 'security enabled' application using this test user.
Users are typically placed in LDAP groups so that groups, rather than individual users, can be mapped to application roles (users come and go; the groups they belong to stay in the organization). We will create the following groups:
- admins: This group will hold all administrators. For now, we have only one administrator, wasadmin.
- endusers: This group will hold all the application users. For now, we have only one end user, bob.
Organizations typically organize their data in organizational units. A user could be part of multiple organizational units. For example, the user bob may be part of ou=HR as well as ou=people. We will create 2 organizational units:
- groups: This organizational unit will hold ALL the groups in Apache DS.
- people: This organizational unit will hold ALL users. Both bob and wasadmin will be under this unit even though wasadmin is just a system user.
As we will see shortly, a user may be part of an organizational unit AND may belong to a group.

Creating groups and users

The high level steps to create users and groups are:
- Create organizational units to hold users and groups
- Create wasadmin user
- Create application user
- Create groups
To create the above items, you can specify all the information in a text file, commonly known as an LDIF file, and load the file into the LDAP server. Create a file called organizational_units.ldif and put the following content in it. If you are completely unfamiliar with LDAP concepts, this article may be a good start.

```ldif
# An ldif file that creates people and groups organizational units
# ou is the naming attribute of an organizationalUnit, so the RDN value
# must be repeated as an ou attribute of each entry
dn: ou=people,dc=example,dc=com
ou: people
description: An organizational unit to store all people/users including system users
objectClass: top
objectClass: organizationalUnit

dn: ou=groups,dc=example,dc=com
ou: groups
description: An organizational unit to store all groups
objectClass: top
objectClass: organizationalUnit
```

In JXplorer, select LDIF > Import File, select this file and click Open. This will result in two new organizational units, ou=people and ou=groups, under dc=example,dc=com. We will put all users (including system users) in the people ou and all groups in the groups ou.

Let's create users first. Create a file called users.ldif and put the following content in it. Note that the userpassword values are written in clear text, so treat these ldif files as sensitive and remove them once the import is done.

```ldif
dn: uid=wasadmin,ou=people,dc=example,dc=com
cn: wasadmin
cn: WebSphere Administrator
cn: WAS administrator
sn: wasadmin
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
uid: wasadmin
userpassword: wasadmin

dn: uid=bob,ou=people,dc=example,dc=com
cn: Bob
sn: User
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
uid: bob
userpassword: password
```

Importing the file above creates 2 users under ou=people,dc=example,dc=com. For example, the dn of the wasadmin user becomes uid=wasadmin,ou=people,dc=example,dc=com. We will use this dn to log in to the WAS admin console after we enable administrative security.

To create groups, create a text file called groups.ldif and put the following content in it:

```ldif
# The RDN value (admins / endusers) must also be present as a cn attribute
dn: cn=admins,ou=groups,dc=example,dc=com
cn: admins
cn: Administrators group
description: admins group, WebSphere administrator will be part of this group
objectClass: top
objectClass: groupOfNames
member: uid=wasadmin,ou=people,dc=example,dc=com

dn: cn=endusers,ou=groups,dc=example,dc=com
cn: endusers
cn: Users group
description: application users group
objectClass: top
objectClass: groupOfNames
member: uid=bob,ou=people,dc=example,dc=com
```
Notice how both groups use the member attribute and point to the dn of their members. This attribute is required because our groups use the groupOfNames object class. Since the member attribute is required, we created the users first and then the groups. At this point, your LDAP tree in JXplorer should look like this:
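Two things are easy to get wrong when editing these files by hand: the RDN value (the part before the first comma of the dn) must also appear as an attribute of the entry, and a group's member values should refer to users that were imported earlier, which is the ordering the post follows. The following Python script is an added example, not part of the original post or of Apache DS; it lints the LDIF files in import order and reports such problems before you import them in JXplorer. It assumes the dc=example,dc=com suffix used on this page and does no schema validation beyond these checks.

```python
import re

BASE_DN = "dc=example,dc=com"  # assumption: the suffix used on this page

def parse_ldif(text):
    """Yield (dn, {attr: [values]}) for each entry, in file order."""
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if line.strip() and not line.startswith("#"):
                name, value = (s.strip() for s in line.split(":", 1))
                attrs.setdefault(name.lower(), []).append(value)
        yield attrs.pop("dn")[0], attrs

def check_ldif(text, existing=(BASE_DN,)):
    """Return problems a sequential import of `text` would hit.
    `existing` lists DNs already in the directory (earlier imports)."""
    problems, seen = [], {d.lower() for d in existing}
    for dn, attrs in parse_ldif(text):
        rdn, _, parent = dn.partition(",")
        rdn_attr, rdn_val = (s.strip() for s in rdn.split("=", 1))
        if rdn_val not in attrs.get(rdn_attr.lower(), []):  # RDN value must be an attribute
            problems.append(f"{dn}: RDN value '{rdn_val}' missing from {rdn_attr}")
        if parent.lower() not in seen:  # parents are imported before children
            problems.append(f"{dn}: parent {parent} not created yet")
        classes = [c.lower() for c in attrs.get("objectclass", [])]
        if "groupofnames" in classes:  # member is a MUST attribute of groupOfNames
            members = attrs.get("member", [])
            if not members:
                problems.append(f"{dn}: groupOfNames requires at least one member")
            for m in members:
                if m.lower() not in seen:  # user should be created before its group
                    problems.append(f"{dn}: member {m} does not exist yet")
        seen.add(dn.lower())
    return problems
# Constructed sample: groups.ldif then users.ldif (wrong order); OUs already imported.
ALREADY_LOADED = (BASE_DN, "ou=people," + BASE_DN, "ou=groups," + BASE_DN)
SAMPLE = """\
dn: cn=endusers,ou=groups,dc=example,dc=com
cn: Users group
objectClass: groupOfNames
member: uid=bob,ou=people,dc=example,dc=com

dn: uid=bob,ou=people,dc=example,dc=com
cn: Bob
sn: User
uid: bob
objectClass: inetOrgPerson
"""
```

Running check_ldif(SAMPLE, ALREADY_LOADED) reports the missing cn value for the group and the forward reference to bob; fix or reorder the files until it returns an empty list.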
That's it! We are now ready to enable security in WebSphere 6.1. I will describe that process in the next entry.