Changing the OU for LDAP Bind

What I would like to do now is take a walk through the Security – Users and Groups screens so we can see what they look like under Federated Repositories.

  • Navigate to Users and Groups and select Manage Users

We can see the following:

As we can see above, we have a complete listing of the Virtual Member Manager (VMM) realm, i.e. a federated set of repositories. The wasadmin user shown here exists in fileRegistry.xml, which is why it has a different DN. We cannot see the wasadmin user that we know also exists in the LDAP directory.

Note the entry highlighted in red, which is our LDAP bind user. We may not wish to see this user in the list of users, and we may not want anyone to be able to assign this user to a WAS role. Because our Base DN is dc=themiddlewareshop,dc=com, every user in our directory sits underneath this bind context, including the bind user itself. To hide this user from WAS LDAP searches, we can move the uid=wasldapbind entry into a different OU.

  • Create a new OU called security and move the wasldapbind entry to that OU
  • Select the uid=wasldapbind entry and right-mouse click and select Move Entry

Browse for the new destination OU as shown above.

Result:

We now need to change the federated LDAP settings.

  • Navigate to the Global security screen
  • Under User account repository, click Configure to enter the Global security > Federated repositories screen
  • Click on the Repository Identifier


Change the Bind distinguished name to uid=wasldapbind,ou=security,dc=themiddlewareshop,dc=com


Click OK and Save

Then click on the Base Entry


Change the Unique distinguished name of the base (or parent) entry in federated repositories field to the following:

ou=system,dc=themiddlewareshop,dc=com

The bind itself still uses uid=wasldapbind, but because the base entry is now ou=system, the entries in the security OU will not appear in any WAS LDAP searches.


  • Click OK and Save, now restart WAS.

Next time we view Users and Groups > Manage Users, the result is as follows:

We can no longer see the wasldapbind user.

Using this technique, you can see how the base entry and the placement of entries in your LDAP directory determine what WAS can see, and so how you might design or re-design your directory structure as required for your WAS environment.
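The rule behind this result, shown as an added example that is not part of the original guide: WAS only sees LDAP entries whose DN sits at or beneath the configured base entry, so an entry moved outside that subtree drops out of every WAS LDAP search. The Python below applies that subtree check to the guide's own DNs. The DN parser is a simplified RFC 4514 split that assumes no escaped commas in values, and every directory entry other than the bind user is a constructed sample.

```python
"""Subtree-scope check for a federated-repository base entry.

Added example, not code from the original guide. Models the rule WAS applies:
an entry is visible to the repository only if its DN is at or beneath the
configured base entry. The DN parsing is a simplified RFC 4514 split that
assumes no escaped commas in attribute values.
"""

# DNs from the guide.
OLD_BASE_DN = "dc=themiddlewareshop,dc=com"
NEW_BASE_DN = "ou=system,dc=themiddlewareshop,dc=com"
BIND_DN = "uid=wasldapbind,ou=security,dc=themiddlewareshop,dc=com"

# Constructed directory listing: the bind user after the move, plus sample
# user and group entries under ou=system (these samples are not from the guide).
DIRECTORY = [
    BIND_DN,
    "uid=wasadmin,ou=system,dc=themiddlewareshop,dc=com",
    "UID=jbloggs, OU=System, DC=themiddlewareshop, DC=com",  # odd case/spacing
    "cn=wasadmins,ou=groups,ou=system,dc=themiddlewareshop,dc=com",
]


def parse_dn(dn):
    """Split a DN into (attribute, value) RDN pairs, most specific first.

    Attribute types and values are lower-cased and stripped so that the
    comparison is case- and whitespace-insensitive, which matches the default
    matching rules for uid, cn, ou and dc.
    """
    rdns = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError("malformed RDN %r in DN %r" % (rdn, dn))
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def in_subtree(entry_dn, base_dn):
    """True when entry_dn equals base_dn or lies beneath it.

    Comparing parsed RDNs rather than raw string suffixes means a base of
    ou=system cannot be matched by an unrelated entry whose text merely ends
    with the same characters.
    """
    entry = parse_dn(entry_dn)
    base = parse_dn(base_dn)
    if len(entry) < len(base):
        return False
    return entry[len(entry) - len(base):] == base


def visible_entries(directory, base_dn):
    """Entries a WAS search rooted at base_dn would return."""
    return [dn for dn in directory if in_subtree(dn, base_dn)]


def bind_user_hidden(base_dn, bind_dn=BIND_DN):
    """The check an administrator wants before clicking Save: is the bind
    user's own entry outside the base entry, and therefore not listed?"""
    return not in_subtree(bind_dn, base_dn)


if __name__ == "__main__":
    for base in (OLD_BASE_DN, NEW_BASE_DN):
        print("base entry: %s" % base)
        for dn in visible_entries(DIRECTORY, base):
            print("  visible: %s" % dn)
        print("  bind user hidden: %s" % bind_user_hidden(base))
```

Running the script lists every entry under the old base entry, including uid=wasldapbind, and only the ou=system entries under the new one, which is the change the Manage Users screen reflects after the restart.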

Looking at User Groups

We can also see the groups from our LDAP directory when we navigate to Users and Groups > Manage Groups.


Result:


We can now use these users and groups for role-based management. We will cover application security in another guide.

Congratulations, you have now learned the core fundamentals of securing WAS using Federated Repositories. It is also possible to use a standalone LDAP server for both administrative users and application users; we cover this in the next section.


To learn more about the courses available from The Middleware Shop, please go to http://www.themiddlewareshop.com/products to see a full list of the current courses available.

Consulting

If you or your organization require support in architecture, performance tuning, automation or simply advice, then please contact me via my support site and request a conversation, where we can discuss your requirement.

About Steve

Steve is a seasoned passionate technology professional, strategist and leader.

An expert in technical communications and adept in almost all forms of Internet and mobile-related technology, Steve has time and time again proven his tenacity to improve the systems around him and deliver.

Steve has worn many hats during his career, such as Chief Technical Officer, Founding Member of several business ventures, Programmer, Systems Administrator, Architect, Blogger and Published Author, to name a few.

With 20 years' industry experience in middleware, programming, networks and Internet technologies, he combines systems knowledge with efficient working methods and the interpersonal skills required to build effective relationships with clients and colleagues alike. Exceeding typical expectations in any role undertaken, Steve is certain to become a valuable asset within any organisation he joins.

Key Skills

• Leadership (Team, Project, Business, People).

• Architecture (Solutions, Information, Technical, Applications).

Simply, I help you deal with CANETI: Constant And Never Ending Technological Innovation

Specific IBM WebSphere skills:

WebSphere Application Server (WAS Base, WAS ND & Liberty Profile & Liberty Runtime)

  • Automation
  • Security, SSL
  • Dev Ops
  • Architecture
  • Performance Tuning

Middleware Integration Skills:

  • .NET programming, and Architecture
  • Java Programming, and Architecture
  • SOA, SOAP and XML messaging
  • JBoss Fuse, WMQ, IIB, Mule

Integration Skills:

  • SOA
  • Process Improvement
  • ICD’s
  • Messaging Architecture
  • Governance

General Digital Architecture & Governance

  • Lightweight Architectures
  • Digital Strategy, platform stacks for example IAAS, PAAS, SAAS
  • PCI DSS

Industry Qualifications & Recognition

  • TOGAF 9.1
  • IBM Champion 2013