Front cover

LDAP Directory Services in IBM WebSphere Everyplace Access V4.1.1

Learn WebSphere Everyplace Access and Active Directory interoperability
Use Domino LDAP Services in WebSphere Everyplace Access
Everyplace Access and iPlanet integration

Juan R. Rodriguez
Gregory Mebberson
Gianfranco Rutigliano

ibm.com/redbooks
Redpaper
International Technical Support Organization
LDAP Directory Services in IBM WebSphere Everyplace Access V4.1.1
October 2002
Note: Before using this information and the product it supports, read the information in
“Notices” on page v.
First Edition (October 2002)
This edition applies to Version 4, Release 1, Modification 1 of IBM WebSphere Everyplace
Access for multiplatforms.
© Copyright International Business Machines Corporation 2002. All rights reserved.
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP
Schedule Contract with IBM Corp.
Contents

Notices . . . v
Trademarks . . . vi

Preface . . . vii
The team that wrote this Redpaper . . . vii
Become a published author . . . viii
Comments welcome . . . viii

Chapter 1. IBM SecureWay Directory Services in WebSphere Everyplace Access . . . 1
1.1 Solution architecture . . . 2
1.1.1 Specifications for the sample scenario . . . 3
1.2 Installing IBM SecureWay Directory . . . 3
1.3 Installing WebSphere Everyplace Access . . . 5
1.4 Sample applications . . . 9
1.4.1 Configuring the LDAP Search portlet . . . 9
1.4.2 Using IBM DB2e with a remote SecureWay Directory server . . . 11
1.5 Recommendations, hints and tips . . . 24

Chapter 2. iPlanet Directory Services in WebSphere Everyplace Access . . . 25
2.1 Solution architecture . . . 26
2.1.1 Specifications for the sample scenario . . . 27
2.2 Installing and configuring iPlanet Directory . . . 27
2.2.1 Installing iPlanet Directory . . . 27
2.2.2 Configuring iPlanet for WebSphere Everyplace Access . . . 29
2.3 Installing WebSphere Everyplace Access . . . 32
2.4 Sample applications . . . 36
2.4.1 Configuring the LDAP Search portlet . . . 36
2.5 Recommendations, hints and tips . . . 40

Chapter 3. Active Directory Services in WebSphere Everyplace Access . . . 41
3.1 Active Directory overview . . . 42
3.2 Solution architecture . . . 42
3.2.1 Specifications for the scenario . . . 43
3.3 Installing and configuring Active Directory . . . 43
3.3.1 Installing Windows 2000 support and administration tools . . . 45
3.3.2 Verifying Active Directory server installation . . . 46
3.3.3 Configuring Active Directory for WebSphere Everyplace Access . . . 48
3.3.4 Obtaining the LDAP schema for Active Directory . . . 53
3.4 Installing WebSphere Everyplace Access . . . 56
3.5 Sample applications . . . 63
3.5.1 Creating users and groups in WebSphere Everyplace Access . . . 63
3.5.2 DB2 Everyplace synchronization using Active Directory . . . 66
3.5.3 Configuring the client on the Pocket PC and synchronizing . . . 72

Chapter 4. Domino Directory Services in WebSphere Everyplace Access . . . 77
4.1 Lotus Domino R5 overview . . . 78
4.2 Solution architecture . . . 78
4.2.1 Specifications for the scenario . . . 80
4.2.2 Users and groups required in this scenario . . . 80
4.3 Setting up Domino Directory services . . . 81
4.3.1 Installing Lotus Domino server . . . 81
4.3.2 Installing and configuring the Domino Administration client . . . 88
4.3.3 Configuring LDAP services on Domino . . . 92
4.3.4 Obtaining the LDAP schema for the Domino Server . . . 98
4.4 Installing WebSphere Everyplace Access . . . 99
4.5 Sample applications . . . 105
4.5.1 Creating users in WebSphere Everyplace Access . . . 105
4.5.2 Configuring the LDAP Search portlet . . . 108
Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult
your local IBM representative for information on the products and services currently available in your area.
Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product, program, or service that
does not infringe any IBM intellectual property right may be used instead. However, it is the user's
responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document.
The furnishing of this document does not give you any license to these patents. You can send license
inquiries, in writing, to:
IBM Director of Licensing, IBM Corporation, North Castle Drive Armonk, NY 10504-1785 U.S.A.
The following paragraph does not apply to the United Kingdom or any other country where such
provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION
PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR
IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT,
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer
of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made
to the information herein; these changes will be incorporated in new editions of the publication. IBM may
make improvements and/or changes in the product(s) and/or the program(s) described in this publication at
any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any
manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the
materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without
incurring any obligation to you.
Information concerning non-IBM products was obtained from the suppliers of those products, their published
announcements or other publicly available sources. IBM has not tested those products and cannot confirm
the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on
the capabilities of non-IBM products should be addressed to the suppliers of those products.
This information contains examples of data and reports used in daily business operations. To illustrate them
as completely as possible, the examples include the names of individuals, companies, brands, and products.
All of these names are fictitious and any similarity to the names and addresses used by an actual business
enterprise is entirely coincidental.
COPYRIGHT LICENSE:
This information contains sample application programs in source language, which illustrates programming
techniques on various operating platforms. You may copy, modify, and distribute these sample programs in
any form without payment to IBM, for the purposes of developing, using, marketing or distributing application
programs conforming to the application programming interface for the operating platform for which the
sample programs are written. These examples have not been thoroughly tested under all conditions. IBM,
therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy,
modify, and distribute these sample programs in any form without payment to IBM for the purposes of
developing, using, marketing, or distributing application programs conforming to IBM's application
programming interfaces.
Trademarks
The following terms are trademarks of the International Business Machines Corporation in the United States,
other countries, or both:
IBM eServer™
IBM®
Redbooks™
Redbooks (logo)™
DB2®
DB2 Universal Database™
Everyplace™
SecureWay®
WebSphere®
The following terms are trademarks of International Business Machines Corporation and Lotus Development
Corporation in the United States, other countries, or both:
Lotus®
Word Pro®
Lotus Notes®
Notes®
Domino™
The following terms are trademarks of other companies:
ActionMedia, LANDesk, MMX, Pentium and ProShare are trademarks of Intel Corporation in the United
States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the
United States, other countries, or both.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun
Microsystems, Inc. in the United States, other countries, or both.
C-bus is a trademark of Corollary, Inc. in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
SET, SET Secure Electronic Transaction, and the SET Logo are trademarks owned by SET Secure
Electronic Transaction LLC.
Other company, product, and service names may be trademarks or service marks of others.
Preface
This Redpaper will help you install, tailor and configure the new IBM WebSphere
Everyplace Access product using Lightweight Directory Access Protocol (LDAP)
directories such as IBM SecureWay Directory, iPlanet, Microsoft Active Directory
and Domino LDAP Directory. IBM WebSphere Everyplace Access provides the
flexibility of supporting various Lightweight Directory Access Protocol (LDAP)
directories. Although a typical installation of WebSphere Everyplace Access will
incorporate a local or remote IBM SecureWay LDAP directory, support exists for
accessing a remote and pre-existing LDAP directory. A basic knowledge of IBM
WebSphere Everyplace Access and LDAP directories is assumed.
The team that wrote this Redpaper
This Redpaper was produced by a team of specialists from around the world
working at the International Technical Support Organization, Raleigh Center.
Juan R. Rodriguez is a Consulting IT professional at the IBM
ITSO Center, Raleigh. He received his Master of Science
degree in Computer Science from Iowa State University. He
writes extensively and teaches IBM classes worldwide on such
topics as networking, Web technologies, and information
security. Before joining the IBM ITSO, he worked at the IBM
laboratory in the Research Triangle Park (North Carolina, USA)
as a designer and developer of networking products.
Gregory Mebberson is software developer in IBM Global
Services in Sydney, Australia. He has seven years of
experience in developing customer solutions using Lotus Notes
and other applicable technology, and has a Bachelor of Applied
Science from Chisholm Institute of Technology, Melbourne,
Australia. He has co-authored several IBM Redbooks.
Gianfranco Rutigliano holds a degree in Systems Engineering
from the University of Lima (Peru) and is a member of the
Application Management Services (AMS) group in IBM Global
Services, working in e-business projects and related Internet
technologies. He has worked in e-marketplace and
home-banking implementation systems using Java
technologies. Currently he is involved in wireless application
solution projects using PDAs.
Thanks to the following people for their contributions to this project:
Margaret Ticknor
International Technical Support Organization, Raleigh Center
Al Chakra, Darren M. Childress, Jim Brancato, Charlene Frazier
IBM Research Triangle Park, North Carolina, USA
Become a published author
Join us for a two- to six-week residency program! Help write an IBM Redbook
dealing with specific products or solutions, while getting hands-on experience
with leading-edge technologies. You'll team with IBM technical professionals,
Business Partners and/or customers.
Your efforts will help increase product acceptance and customer satisfaction. As
a bonus, you'll develop a network of contacts in IBM development labs, and
increase your productivity and marketability.
Find out more about the residency program, browse the residency index, and
apply online at:
ibm.com/redbooks/residencies.html
Comments welcome
Your comments are important to us!
We want our papers to be as helpful as possible. Send us your comments about
this Redpaper or other Redbooks in one of the following ways:
- Use the online Contact us review redbook form found at:
  ibm.com/redbooks
- Send your comments in an Internet note to:
  redbook@us.ibm.com
- Mail your comments to:
  IBM Corporation, International Technical Support Organization
  Dept. HZ8 Building 662
  P.O. Box 12195
  Research Triangle Park, NC 27709-2195
Chapter 1. IBM SecureWay Directory Services in WebSphere Everyplace Access
WebSphere Everyplace Access provides the flexibility of supporting various
Lightweight Directory Access Protocol (LDAP) directories. The default LDAP
directory is IBM SecureWay Directory. A typical installation of WebSphere
Everyplace Access could incorporate a local SecureWay LDAP directory.
However, support exists for accessing a remote, pre-existing LDAP directory.
In this chapter, we will discuss how to install and configure WebSphere
Everyplace Access using such a remote IBM SecureWay Directory server. An
installation may be required to use a remote LDAP directory if the customer
wishes to utilize an established LDAP directory in order to keep directory
information in a single repository.
This chapter will highlight the differences encountered when using a remote
directory server. For a complete installation of WebSphere Everyplace Access
with a local IBM SecureWay Directory server, see the Redpaper IBM WebSphere
Everyplace Access V4.1.1 Installation, REDP3587.
1.1 Solution architecture
The sample scenario shown in this chapter documents an installation of
WebSphere Everyplace Access using a remote IBM SecureWay Directory.
[Figure: two Windows 2000 Server machines. m23x3072.yourco.com runs SecureWay Directory V3.2.2 and listens for LDAP on port 387. m23vnx78.yourco.com runs WebSphere Everyplace Access V4.1.1 on WebSphere Application Server V4.0.1 with DB2 and IBM HTTP Server, and queries the directory server over LDAP. A Pocket PC running the Everyplace client V8.1 and a desktop browser reach the Everyplace Access server over HTTP.]
Figure 1-1 Typical scenario layout using a remote IBM SecureWay LDAP Directory
1.1.1 Specifications for the sample scenario
Specifications for the sample scenario included in this chapter are shown in
Table 1-1.
Table 1-1 Sample scenario specifications

Role                 WebSphere Everyplace Access       SecureWay Directory Server
                     Application Server
Machine DNS Name     m23vnx78.yourco.com               m23x3072.yourco.com
Operating System     Windows 2000 Server               Windows 2000 Server
                     Service Pack 2                    Service Pack 2
Domain               yourco.com                        yourco.com
Additional Software  IBM WebSphere Everyplace          IBM SecureWay Directory Server
                     Access V4.1.1                     V3.2.2, eFix 3.2.2-SWD-002
1.2 Installing IBM SecureWay Directory
To set up the environment, you will first need to install and configure IBM
SecureWay Directory. It is important to create the required users and groups in
the LDAP directory before installing WebSphere Everyplace Access.
To install IBM SecureWay Directory, you will use the installation disk for IBM
WebSphere Everyplace Access for Windows, Version 4.1.1 and select only
SecureWay Directory Server. The SecureWay Directory Server also requires the
IBM HTTP Server and DB2 Universal Database Server, and these are
automatically installed.
During the installation process, you are prompted for the directory suffix
information. For this sample scenario environment, you will enter the information
as shown below (see Figure 1-2).
Note: In this sample scenario, the SecureWay Directory Server will be installed
listening on port 387, but it is recommended that you use the default port of 389.
Figure 1-2 Configuring SecureWay Directory
Once the directory server is running, import the LDIF file that creates the
desired schema and entries. Confirm that the required administration users and
groups were created, and create a few additional users for testing as well.
The required users and groups are:

wpsadmin     Portal administration user.
wpsbind      Used to access the LDAP directory.
wpsadmins    The portal administrators group.
Important: The SecureWay Directory Management Tool configuration file,
dmt.conf, needs to be modified if running LDAP on another port, or if
accessing a remote directory.
Tip: To check that the directory server is running, and also to confirm the
schema, you can use the ldapsearch command. See Example 1-1 on page 6
for the results of a query on our directory server.
1.3 Installing WebSphere Everyplace Access
Installing WebSphere Everyplace Access with a remote directory server requires
the following to be done during the standard install process.
First, when choosing components, ensure that the SecureWay Directory Server
is not selected (Figure 1-3).
Figure 1-3 Select only the required WebSphere components
Later in the installation, when selecting the LDAP server type, choose
SecureWay Directory, and enter the name of the directory server, in our case,
m23x3072.yourco.com. Since our SecureWay Directory Server is listening on
port 387, you also need to change the LDAP port number from the default value
of 389.
Figure 1-4 Selecting SecureWay Directory as the LDAP server
Next, you need to supply the distinguished names for the LDAP users, groups
and administrators. If required, the ldapsearch command can be used to confirm
schema details, as shown in Example 1-1. Note that the example passes the bind
password on the command line (-w); on a shared machine that exposes it in the
process list and the command history, so prefer to let the client prompt for
the password where it supports that.
Example 1-1 Using ldapsearch to confirm LDAP schema.
C:\>ldapsearch -h m23x3072 -p 387 -D cn=wpsadmin -w wpsadmin -b dc=yourco,dc=com cn=* dn
cn=users,dc=yourco,dc=com
cn=groups,dc=yourco,dc=com
uid=wpsadmin,cn=users,dc=yourco,dc=com
uid=wpsbind,cn=users,dc=yourco,dc=com
cn=wpsadmins,cn=groups,dc=yourco,dc=com
uid=Kelly,cn=users,dc=yourco,dc=com
uid=Greg,cn=users,dc=yourco,dc=com
...
Selecting one of the user records returned, you can determine the User DN
prefix, as well as the User DN suffix. For example, given the following record:
uid=wpsadmin,cn=users,dc=yourco,dc=com
you can see the User DN prefix is uid, and the User DN suffix is
cn=users,dc=yourco,dc=com
Similarly, looking at a group entry:
cn=wpsadmins,cn=groups,dc=yourco,dc=com
the Group DN prefix is cn, and the Group DN suffix is
cn=groups,dc=yourco,dc=com
Using the results from the example above, you can then confirm the details in the
LDAP Configuration panel.
Figure 1-5 Confirming LDAP configuration details
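To make the prefix/suffix derivation mechanical, here is an added Python example (ours, not the Redpaper's or the product's code) that takes the DN lines an ldapsearch like Example 1-1 prints, splits each DN on unescaped commas, and reports the User DN prefix/suffix and Group DN prefix/suffix that the LDAP Configuration panel asks for. It also checks that every user entry, and every group entry, has the same shape, because the panel can describe only one, and that wpsadmin, wpsbind and wpsadmins are present. The DN list is constructed; the group with an escaped comma is added to show the split is RFC 4514-aware.

```python
"""Derive the LDAP Configuration panel values (User DN prefix/suffix and Group
DN prefix/suffix) from the DNs an ldapsearch returns, and check the required
entries exist.

Added example, not the Redpaper's or the product's code. The DN list is
constructed to mirror Example 1-1; the helper names are our own.
"""
from collections import Counter

# Constructed sample output of:  ldapsearch ... -b dc=yourco,dc=com cn=* dn
# The last line is added to show that an escaped comma inside a value does
# not break the split.
SAMPLE_DNS = """
cn=users, dc=yourco, dc=com
cn=groups,dc=yourco,dc=com
uid=wpsadmin,cn=users,dc=yourco,dc=com
uid=wpsbind,cn=users,dc=yourco,dc=com
cn=wpsadmins,cn=groups,dc=yourco,dc=com
uid=Kelly,cn=users,dc=yourco,dc=com
uid=Greg,cn=users,dc=yourco,dc=com
cn=nurses\\, mobile,cn=groups,dc=yourco,dc=com
"""

REQUIRED = {"user": {"wpsadmin", "wpsbind"}, "group": {"wpsadmins"}}


def split_dn(dn):
    """Split a DN into RDN strings, honouring RFC 4514 backslash escapes so
    'cn=nurses\\, mobile' stays one RDN. Whitespace around commas is dropped."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep the escape pair verbatim
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf).strip())
    return [r for r in rdns if r]


def derive_config(dn_text, user_container="cn=users", group_container="cn=groups"):
    """Return {'user_dn_prefix', 'user_dn_suffix', 'group_dn_prefix',
    'group_dn_suffix', 'users', 'groups', 'missing'}. Entries are classified
    by the container directly above them; anything else (the containers
    themselves, other subtrees) is ignored."""
    kinds = {user_container.lower(): "user", group_container.lower(): "group"}
    found = {"user": [], "group": []}
    for line in dn_text.strip().splitlines():
        rdns = split_dn(line)
        if len(rdns) < 2:
            continue
        kind = kinds.get(rdns[1].lower())
        if kind is None:
            continue
        attr, _, value = rdns[0].partition("=")
        found[kind].append((attr.strip().lower(), ",".join(rdns[1:]), value.strip()))
    config = {}
    for kind, entries in found.items():
        if not entries:
            raise ValueError(f"no {kind} entries under the expected container")
        shapes = Counter((attr, suffix) for attr, suffix, _ in entries)
        if len(shapes) != 1:      # the panel can describe only one shape
            raise ValueError(f"{kind} entries have mixed DN shapes: {sorted(shapes)}")
        (attr, suffix), = shapes
        config[f"{kind}_dn_prefix"] = attr
        config[f"{kind}_dn_suffix"] = suffix
        config[f"{kind}s"] = [value for _, _, value in entries]
    config["missing"] = sorted(
        name for kind, names in REQUIRED.items()
        for name in names if name not in config[f"{kind}s"])
    return config


if __name__ == "__main__":
    cfg = derive_config(SAMPLE_DNS)
    for key in ("user_dn_prefix", "user_dn_suffix", "group_dn_prefix", "group_dn_suffix"):
        print(f"{key:16} {cfg[key]}")
    print("missing required entries:", cfg["missing"] or "none")
```

Run it against the real output of your ldapsearch (redirect the dn lines to a file and pass the text in) before typing values into the panel; a mixed-shape error means some users were created under a different container or with a different naming attribute than the panel will be told about.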
After clicking Next, you will be required to enter the directory in which the
SecureWay Directory client will be installed. Following this, continue with the
installation process. You will be prompted to configure the administration role for
the WebSphere Application Server. For details, see the Redpaper IBM
WebSphere Everyplace Access V4.1.1 Installation, REDP3587.
In the Security Center of the Administrator’s Console, confirm the details on the
Authentication tab (Figure 1-6). The LDAP Settings field entries should
correspond to the remote Directory server, in our case, m23x3072.yourco.com,
port 387.
Figure 1-6 Confirming the LDAP settings in the Administrator’s Console
Selecting the Administrative Role tab, assign users and groups to the
AdminRole, as shown in Figure 1-7.
Figure 1-7 Assigning users and groups to the AdminRole
1.4 Sample applications
Included with IBM WebSphere Everyplace Access are two applications that you
can use to illustrate how WebSphere Everyplace Access and IBM SecureWay
Directory are easily integrated.
First, you will configure the LDAP Search portlet and search the directory for a
specific user, and secondly, you will use the DB2 Everyplace sample application,
Visiting Nurse, to show a more complex scenario involving IBM SecureWay
Directory.
1.4.1 Configuring the LDAP Search portlet
As part of the default WebSphere Everyplace Access installation, an LDAP
search portlet is provided. This allows portal users to search the LDAP directory,
returning such information as department, telephone number and e-mail
address.
Initially, the portlet contains no LDAP directory server information, and needs to
be configured. To access and configure the portlet:
1. Select the Productivity page from WebSphere Everyplace Access Home.
2. Click the Edit button in the title bar to display the settings for the LDAP
search.
3. Enter the LDAP server name.
If your LDAP server is not listening on the default port of 389, you also need
to append the port number.
In our case, this is m23x3072.yourco.com:387
4. Enter the Directory Name. This matches your LDAP schema, for example
dc=yourco,dc=com
If desired, you can also change some of the search parameters.
Figure 1-8 Entering required directory information for the LDAP Search portlet
5. Click Save to complete the configuration.
With the portlet configured, you can now search the LDAP, with a typical result
shown in Figure 1-9.
Figure 1-9 Typical LDAP search results
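The portlet takes a server field of the form host:port and a name typed by a portal user, and turns the latter into an LDAP search filter. The following Python is an added example, not the portlet's own code (its filter shape and the function names are assumptions), of the two pieces a practitioner should get right: defaulting the port to 389 when none is given, and escaping the typed text per RFC 4515 so that it is always matched as a value and cannot add clauses to the filter.

```python
"""Two pieces of an LDAP Search portlet that a practitioner has to get right:
parsing the "host:port" server field and building the search filter from the
name a portal user types.

Added example; not the portlet's own code. The filter shape (substring match
on cn, sn and mail, restricted to person entries) and the function names are
assumptions.
"""

DEFAULT_LDAP_PORT = 389

# RFC 4515 assertion-value escapes: the four filter metacharacters and NUL.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def parse_server(server_field):
    """'m23x3072.yourco.com:387' -> ('m23x3072.yourco.com', 387).
    A bare host name gets the default port 389; a non-numeric port is an error."""
    field = server_field.strip()
    host, sep, port = field.rpartition(":")
    if not sep:
        return field, DEFAULT_LDAP_PORT
    if not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"bad LDAP port in {server_field!r}")
    return host, int(port)


def escape_filter_value(value):
    """Escape a value for use inside a filter assertion. Each metacharacter
    becomes \\XX so the server treats it as data, never as filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_search_filter(term, attrs=("cn", "sn", "mail")):
    """Filter for 'people whose name contains <term>': one substring assertion
    per attribute, OR-ed, AND-ed with objectclass=person so containers and
    groups are not returned. The term is escaped before it is embedded."""
    term = term.strip()
    if not term:
        raise ValueError("empty search term")
    safe = escape_filter_value(term)
    clauses = "".join(f"({attr}=*{safe}*)" for attr in attrs)
    return f"(&(objectclass=person)(|{clauses}))"


def top_level_components(filter_str):
    """Number of parenthesised components at depth 1. A well-formed filter has
    exactly one; two means a search term broke out of its assertion and
    changed the query, which is what the escaping prevents."""
    depth = count = 0
    for ch in filter_str:
        if ch == "(":
            depth += 1
            if depth == 1:
                count += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced filter")
    if depth:
        raise ValueError("unbalanced filter")
    return count


if __name__ == "__main__":
    print(parse_server("m23x3072.yourco.com:387"))
    for term in ("Kelly", "*)(uid=*"):
        naive = f"(cn=*{term}*)"           # what plain string concatenation would send
        safe = user_search_filter(term)
        print(f"{term!r}: naive filter has {top_level_components(naive)} component(s), "
              f"escaped has {top_level_components(safe)} -> {safe}")
```

Counting top-level components is only a demonstration aid: a naive filter built from `*)(uid=*` parses as two filters, which a server may reject or may evaluate as something other than the intended search, while the escaped form stays one filter whose assertion value happens to contain parentheses.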
1.4.2 Using IBM DB2e with a remote SecureWay Directory server
In this example, you will use IBM DB2 Everyplace with a remote IBM SecureWay
Directory server.
Note: The application used in this sample scenario, Visiting Nurse, is supplied
with DB2 Everyplace.
This example shows how to configure the server and Pocket PC for this
application; a more in-depth look at DB2 Everyplace can be found in the
Redpaper Relational Database Synchronization in IBM WebSphere Everyplace
Access V4.1.1, REDP3590.
First, you will need to create a synchronization group. The members of this group
are all users who need to synchronize with the DB2 Everyplace Sync Server.
In this sample scenario, the default synchronization group name SyncGroup is
used. For example:
1. Create a user group called SyncGroup.
a. From Portal Administration, select the Users and Groups page and click
the Manage User Groups tab.
b. In the Group name field, type SyncGroup and click Create Group.
2. Add to the group all the users who will be using DB2 Everyplace.
a. With SyncGroup highlighted in the User Groups pane, click Membership.
b. Search for either the users or groups you wish to add, then highlight the
entries in the Search Results pane, and click Add to Group.
The names and groups should now appear in the Members Belonging to
Group -- SyncGroup pane (Figure 1-10). Figure 1-11 shows the same
group, as displayed via the SecureWay Directory Management Tool
(DMT).
c. When all required users and groups are added, click OK to save the
group.
Figure 1-10 All the required users are added to the SyncGroup via the portal
Figure 1-11 The same ‘syncgroup’ as viewed via the SecureWay DMT
The next element required for synchronization is the DB2e group. Since you are
using the sample application Visiting Nurse, you will create a group for its
users as described here. The naming convention requires the group name to start
with DB2e.
3. Create a DB2e group called DB2e_Nurse.
Following a similar sequence as in step 1 above, create a group called
DB2e_Nurse.
4. Populate the group with the users and groups who will be using your DB2e
application.
Follow the steps for populating a group as shown above in step 2. When
completed, it will look similar to Figure 1-12.
Figure 1-12 DB2e_Nurse membership
With the synchronization and DB2e groups populated, you will need to create the
subscriptions using the Mobile Devices Administration Center (MDAC).
Tip: When starting MDAC, ensure that you are logged in with sufficient DB2
access rights.
5. Click Start -> Programs -> IBM Everyplace Synchronization Server ->
Launch MDAC.
Log in with your WebSphere Portal Server LDAP logon (wpsadmin) and the
Everyplace Synchronization group that you created in step 1 on page 11
(SyncGroup). MDAC then connects via a SOAP RPC to the SecureWay Directory
server for authentication (Figure 1-13).
Figure 1-13 Connecting to MDAC specifying the Sync group
Once MDAC has loaded, verify the DB2e groups and users have been imported.
To do this:
6. Click Groups.
The DB2e_Nurse group should be present, as shown below in Figure 1-14.
Figure 1-14 Verifying the required groups are available in MDAC
7. Click Users.
All the users who are members of SyncGroup will appear in this folder. After
you have created a subscription, and the users have connected, this view will
also show their device type and device ID. See Figure 1-20 on page 20 to see
where this is configured.
Figure 1-15 Verifying the users are imported into MDAC
Next, you will need to create a subscription which will enable our users to
connect to the database tables you specify. The Visiting Nurse sample
application provides a suitable JDBC subscription; all you need to do is link it to
the DB2e group.
At this time, you can confirm the details of the supplied subscription:
a. Click the Subscriptions folder.
b. Right-click JDBCSUB1 and select Edit....
c. On the Identification tab, click Define subscription...; you can see what
tables will be synchronized (Figure 1-16).
d. Click Cancel to close the pop-up window.
Figure 1-16 Determining the tables that are synchronized
e. Select the Source tab; in the Database URL field, it shows the VNURSE
database is the source database for this subscription.
Figure 1-17 Confirming the source database
f. On the Subscription sets tab, confirm that the subscription set
SUBSCRIPTION_SET1 is in the right hand pane.
Figure 1-18 Assigning a subscription set to a subscription
g. Click Cancel to close the subscription. If you made any changes you wish
to keep, click OK.
Next, you will need to assign the DB2e group to the subscription set assigned to
the Visiting Nurse database.
8. Click the Subscription sets folder.
9. Right-click SUBSCRIPTION_SET1 and select Edit...
10.On the Groups tab, from the Available Groups pane, highlight DB2e_Nurse
and click > to move it into the Selected Groups pane, as shown below.
Figure 1-19 Assigning our DB2e group to the subscription set
11.Click OK to close the subscription set dialog box.
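Steps 1 through 4 and steps 8 through 11 together define who a synchronization will serve: MDAC imports the members of SyncGroup, and a subscription set is delivered to the members of the DB2e-prefixed groups assigned to it. The Python below is an added example, not part of the Redpaper or of DB2 Everyplace, that applies those rules to a constructed LDIF export of the groups. The groupOfUniqueNames/uniquemember attributes and the assignment of DB2e_Nurse to SUBSCRIPTION_SET1 are assumptions modelled on Figures 1-10 to 1-12 and 1-19. It expands nested group membership (the Membership page lets you add groups as members), survives a membership cycle, and lists the users who are in a DB2e group but not in SyncGroup, who will not appear in MDAC's Users folder, as well as the reverse case.

```python
"""Who will a synchronization serve? MDAC imports the members of SyncGroup,
and a subscription set goes to the members of the DB2e-prefixed groups
assigned to it. This applies those two rules to an LDIF export of the groups.

Added example, not the Redpaper's or DB2 Everyplace's code. The LDIF is
constructed to mirror Figures 1-10 to 1-12; groupOfUniqueNames/uniquemember
and the SUBSCRIPTION_SET1 -> DB2e_Nurse assignment (Figure 1-19) are assumed.
"""
from collections import defaultdict

SYNC_GROUP = "SyncGroup"
DB2E_PREFIX = "DB2e"
GROUP_SUFFIX = "cn=groups,dc=yourco,dc=com"

# Assumed to mirror Figure 1-19: the set and the DB2e group in its Selected Groups pane.
SUBSCRIPTION_SETS = {"SUBSCRIPTION_SET1": ["DB2e_Nurse"]}

# Constructed export. FieldStaff is a member of SyncGroup and SyncGroup is a
# member of FieldStaff: a membership cycle the expansion must survive.
SAMPLE_LDIF = """\
dn: cn=SyncGroup,cn=groups,dc=yourco,dc=com
objectclass: groupOfUniqueNames
cn: SyncGroup
uniquemember: uid=Kelly,cn=users,dc=yourco,dc=com
uniquemember: cn=FieldStaff,cn=groups,dc=yourco,dc=com

dn: cn=FieldStaff,cn=groups,dc=yourco,dc=com
objectclass: groupOfUniqueNames
cn: FieldStaff
uniquemember: uid=Greg,cn=users,dc=yourco,dc=com
uniquemember: cn=SyncGroup,cn=groups,dc=yourco,dc=com

dn: cn=DB2e_Nurse,cn=groups,dc=yourco,dc=com
objectclass: groupOfUniqueNames
cn: DB2e_Nurse
uniquemember: uid=Kelly,cn=users,dc=yourco,dc=com
uniquemember: uid=Pat,cn=users,dc=yourco,dc=com

dn: cn=Nurses,cn=groups,dc=yourco,dc=com
objectclass: groupOfUniqueNames
cn: Nurses
uniquemember: uid=Greg,cn=users,dc=yourco,dc=com
"""


def norm_dn(dn):
    """Case-fold and drop the optional space after each comma so the DN shown
    by the portal and by the DMT compare equal. Escaped commas in values are
    not handled; none of the DNs in this scenario contain one."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated records of 'attr: value'
    lines, folded lines start with a space. Returns {dn: {attr: [values]}}."""
    entries, record, last = {}, None, None
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and last:
            record[last][-1] += raw[1:]
        elif not raw.strip():
            if record:
                entries[norm_dn(record["dn"][0])] = record
            record, last = None, None
        else:
            attr, _, value = raw.partition(":")
            if record is None:
                record = {}
            last = attr.strip().lower()
            record.setdefault(last, []).append(value.strip())
    return entries


def members_of(entries, group_dn, _seen=None):
    """Transitive members of a group as normalised user DNs. Nested groups are
    expanded; a group already visited (a cycle) contributes nothing more.
    The export holds only groups, so a member not in it is taken to be a user."""
    seen = _seen if _seen is not None else set()
    group_dn = norm_dn(group_dn)
    if group_dn in seen:
        return set()
    seen.add(group_dn)
    users, entry = set(), entries.get(group_dn, {})
    for dn in entry.get("member", []) + entry.get("uniquemember", []):
        dn = norm_dn(dn)
        users |= members_of(entries, dn, seen) if dn in entries else {dn}
    return users


def group_dn(name):
    return f"cn={name},{GROUP_SUFFIX}"


def sync_eligibility(entries, subscription_sets):
    """Map each user to the subscription sets a synchronization will deliver,
    and report the two misconfigurations the text warns about. Raises if a
    set is assigned to a group that breaks the DB2e naming rule."""
    sync_users = members_of(entries, group_dn(SYNC_GROUP))
    delivered = defaultdict(set)
    for set_name, group_names in subscription_sets.items():
        for name in group_names:
            if not name.startswith(DB2E_PREFIX):
                raise ValueError(f"{set_name}: group {name!r} must start with {DB2E_PREFIX}")
            for user in members_of(entries, group_dn(name)):
                delivered[user].add(set_name)
    return {
        "eligible": {u: sorted(s) for u, s in delivered.items() if u in sync_users},
        "not_in_sync_group": sorted(u for u in delivered if u not in sync_users),
        "no_db2e_group": sorted(u for u in sync_users if u not in delivered),
    }


if __name__ == "__main__":
    for key, value in sync_eligibility(parse_ldif(SAMPLE_LDIF), SUBSCRIPTION_SETS).items():
        print(f"{key}: {value}")
```

With the sample data only Kelly receives SUBSCRIPTION_SET1: Pat is in DB2e_Nurse but not in SyncGroup, so MDAC never imports that user, and Greg reaches SyncGroup through FieldStaff but is in no DB2e group, so a synchronization for Greg would find no subscriptions. Exporting your real groups (the DMT can do this) and running the check is quicker than discovering either case on the Pocket PC.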
Now that you have completed the subscription, you will need to configure the
client on the Pocket PC.
12.Start the Everyplace client, and the User Options panel will be displayed.
If the user options are not displayed, you can view the user options by clicking
Tools -> User Options.
13.Enter the WebSphere Everyplace Access information.
You will need to enter a user ID that exists in the SyncGroup, as created in
step 2 on page 12.
14.Click OK to close the panel.
Next, you will need to confirm the DB2 Everyplace Sync information. This is
automatically populated with the User Options entered previously.
15.Highlight DB2 Everyplace Sync and from the menu, select Tools ->
Configure
On this panel, you can configure the User ID and password, as well as the
Device ID. The supplied values are acceptable, and the User ID specified
here must belong to a DB2e group. Our user is a member of the DB2e_Nurse
group, as created earlier in step 4 on page 13.
16.Click the Subscription List tab.
This list is empty since you have not yet completed a synchronization.
17.Click OK to close the DB2 Everyplace Sync panel.
Figure 1-20 Steps to configure the Everyplace Client on the Pocket PC
18.To initiate a synchronization, click the Execute button.
Once the synchronization is completed, the status is updated, as shown below.
Figure 1-21 Completion of a successful synchronization
Now you can check the Subscription List tab, and confirm that
SUBSCRIPTION_SET1 is shown.
19.Click Tools -> Configure, and select the Subscription List tab.
You can see that SUBSCRIPTION_SET1 was correctly added to the list.
Figure 1-22 Confirming the synchronization picked up the subscription
This successful synchronization will also have updated our Users view in MDAC
with the device type, device ID and the version of Everyplace Sync client.
20.If required, restart the MDAC application as shown in Step 5 on page 14.
21.Click the Users folder in MDAC.
You can see that the details for our user Kelly have been updated.
Figure 1-23 User details in MDAC showing a user that has connected
Now that the Pocket PC device is synchronizing, you can use the Visiting Nurse
sample application to confirm that data entered on the Pocket PC is getting
synchronized with the DB2 database.
22.Start the Visiting Nurse application on the Pocket PC.
a. Click Start, and select Programs.
b. Open the DB2 Everyplace Samples folder and click VNurse.
23.Select a patient, and create a new medical record. An example is shown in
Figure 1-24. To do this:
a. Highlight a patient’s name and click the Info button.
b. On the Personal Information page, click the Records button.
c. Add a new medical record by clicking Add.
d. Once you have filled out the record, click Save.
Figure 1-24 Creating a record in the Visiting Nurse application
24.Close the Visiting Nurse application.
25.Start the Everyplace client and initiate a synchronization.
a. Click Start and select Everyplace Client from the menu.
b. Click the Execute button.
Upon successful completion of the synchronization, the records will be replicated
to the source database as defined in the JDBC subscription. One method to
confirm that the new record was added to the DB2 database is to sample the
table contents using the IBM DB2 Control Center as shown in Figure 1-25 below.
Figure 1-25 The new record in the DB2 database after synchronization
Observation: IBM Directory Server provides a powerful LDAP infrastructure
built on the reliable IBM DB2 Universal Database engine, which scales to tens
of millions of entries and to groups of hundreds of thousands of members.
1.5 Recommendations, hints and tips
A critical element when installing WebSphere Everyplace Access is
understanding the LDAP directory schema. You need to know both the User DN
prefix and suffix, as well as the Group DN prefix and suffix.
You also need to confirm that the User DN and password used when selecting
the LDAP server type are correct. This can be checked using the ldapsearch
command (Example 1-1 on page 6).
More information on IBM SecureWay Directory is available with the
documentation provided with the software. The Getting Started guide, as well as
a server and client readme file can be viewed by clicking Start -> Programs ->
IBM SecureWay Directory.
The Getting Started guide also provides further links to product documentation.
Chapter 2. iPlanet Directory Services in WebSphere Everyplace Access
In this chapter, we discuss how WebSphere Everyplace Access can be
integrated with an existing iPlanet directory server using the Lightweight
Directory Access Protocol (LDAP).
The incorporation of LDAP support in IBM WebSphere Everyplace Access allows
both user and group information to remain in a pre-existing iPlanet Directory
Server, while still keeping the same interface and functionality in WebSphere
Everyplace Access.
We will cover a typical scenario, stepping through how the iPlanet Directory is
configured, and how WebSphere Everyplace Access is installed to access this
LDAP directory.
We also cover how to configure the LDAP Search portlet which is installed by
default with WebSphere Everyplace Access.
This chapter covers areas where information specific to supporting iPlanet is
applicable. Once the servers are set up and configured, user and group
management is unaffected by the underlying LDAP directory server, and thus is
not covered.
2.1 Solution architecture
The sample scenario shown in this chapter documents an installation of
WebSphere Everyplace Access using an iPlanet Directory for the management
of the portal's users and groups. As illustrated in Figure 2-1, the iPlanet
Directory Server is hosted on a separate server from WebSphere Everyplace
Access.
Figure 2-1 iPlanet Directory Server solution architecture (diagram). Shown:
iPlanet Directory Server V5.1 (LDBM back end) on Windows 2000 Server,
m23x2501.itso.ral.ibm.com, LDAP port 388; WebSphere Everyplace Access V4.1.1
with WebSphere Application Server V4.0.1 and IBM HTTP Server on Windows 2000
Server, m23vnx78.itso.ral.ibm.com; clients are a Pocket PC running the
Everyplace client V8.1 and a desktop browser, both connecting over HTTP.
Since iPlanet Directory Server provides global directory services, it can be used
by many applications that implement LDAP, and can be used as a single
repository for directory information.
An iPlanet Directory Server installation includes the directory, the LDAP server
side software, and a user interface that allows for the management and search of
entries in the directory.
2.1.1 Specifications for the sample scenario
Specifications for the sample scenario included in this chapter are shown in
Table 2-1.
Table 2-1 Sample scenario specifications

WebSphere Everyplace Access Application Server
  Machine DNS name:    m23vnx78.itso.ral.ibm.com
  Operating system:    Windows 2000 Server, Service Pack 2
  Domain:              itso.ral.ibm.com
  Additional software: IBM WebSphere Everyplace Access V4.1.1

iPlanet Directory Server
  Machine DNS name:    m23x2501.itso.ral.ibm.com
  Operating system:    Windows 2000 Server, Service Pack 2
  Domain:              itso.ral.ibm.com
  Additional software: iPlanet Directory Server V5.1
2.2 Installing and configuring iPlanet Directory
In this section, a sample iPlanet installation and configuration are included.
2.2.1 Installing iPlanet Directory
A typical iPlanet server install is shown in this section. The iPlanet product is
installed using most of the default settings and directories. Following are the
installation steps, and where appropriate, screen shots showing information
specific to this environment.
Note: The iPlanet Directory Server is installed here listening on port 388 to
avoid conflicts with other LDAP servers. However, a typical installation would
probably use the default port 389.
1. Log in to the server as a user with administrator privileges.
2. Run the setup program, and after viewing the Welcome window, click Next to
continue.
3. When prompted, select iPlanet Server installation.
4. Next, choose a Typical installation.
5. Accept the default directory for the installation, and continue.
6. Select the required components and continue.
Note: In this sample installation, all components are selected.
7. For the configuration directory, select This instance will be the
configuration directory server.
If this directory server is not to be the configuration directory server, select
the configuration directory at this point. The configuration server must be
running for the installation to continue.
8. Choose the default entry Store data in this directory server.
The option for storing data in another directory server is used if this instance
is a configuration server only.
9. Next, you will need to enter the server settings (Figure 2-2).
For Server Identifier, choose the default. In this case it is our machine
hostname, m23x2501.
The server port, normally the default of 389, is suitable, but in this sample
installation, port 388 is used.
The suffix should correspond to your Internet DNS name. In this case, it is
dc=itso,dc=ral,dc=ibm,dc=com
Click Next to continue.
Figure 2-2 Server settings for our iPlanet Directory server
10.For the Configuration Directory Administrator ID and password, enter the user
name and password you will use when logging in to the iPlanet Console.
11.For the Administration domain, you will accept the default value, in this case,
itso.ral.ibm.com (Figure 2-3). Since you only have one instance of the
iPlanet server, you do not need to be concerned with establishing other
administrative domains.
Figure 2-3 Setting the Administration domain
12.For the Directory Manager DN, accept the suggested value, cn=Directory
Manager, and enter a suitable password.
13.For the Administrative port selection, again the default value is accepted.
14.Following this, the summary is displayed. Click Install when you are ready to
begin the product installation.
At the completion of the installation, the product has built a basic directory tree
that contains server related data. In order to use the iPlanet directory server with
WebSphere Everyplace Access, you will need to configure iPlanet as described
in 2.2.2, “Configuring iPlanet for WebSphere Everyplace Access” on page 29.
More information about the deployment and installation of iPlanet Directory
Server V5.1 can be found at the Sun Product Documentation Library at:
http://docs.sun.com/?q=iplanet&p=/coll/S1_ipDirectoryServer_51
2.2.2 Configuring iPlanet for WebSphere Everyplace Access
Once the iPlanet directory service is running, you will need to create some
entries for administrators and user groups. These must be created before
installing WebSphere Everyplace Access.
1. Start the iPlanet Console
a. Click Start -> Programs -> iPlanet Server Products -> iPlanet Console
5.1
b. Log in using the Configuration Directory Administrator ID as defined during
installation step 10 on page 28.
2. Create a user record for wpsadmin.
a. Click the Users and Groups tab.
b. From the menu, select User -> Create -> User....
c. From the dialog box Select Organizational Unit, highlight People and click
OK.
When selecting the organizational unit to create the user, a useful feature
is a pop-up showing the DN for the type of unit highlighted. Figure 2-4
below confirms the structure when adding a user to the directory.
Alternately, clicking Show DNs will display each organizational unit as its
distinguished name.
Figure 2-4 Schema pop-up confirming directory structure
d. In the Create User dialog box, enter the details for the wpsadmin user.
This is the user you will use for portal administration (Figure 2-5).
Tip: Make sure the User ID is wpsadmin . When generating the User ID,
iPlanet will combine the first letter of the first name with the last name. In this
example, it would create wwpsadmin. You will need to correct the default User
ID generated.
Figure 2-5 Creating the wpsadmin user in iPlanet
3. Create a user record for wpsbind.
Follow the same steps as you did when creating the wpsadmin user above.
4. Create an administrators group, wpsadmins, and add wpsadmin and wpsbind
as members.
a. Click the Users and Groups tab.
b. From the menu, select User -> Create -> Group....
c. From the dialog box Select Organizational Unit, highlight Groups and click
OK.
d. In the Create Group dialog box, enter wpsadmins as the group name, as
well as a suitable description.
e. In the left hand pane, click Members.
f. Click Add; this will bring up a window for Searching users and groups.
g. Click Search; when complete, highlight wpsadmin and wpsbind and click
OK.
h. With both users added (Figure 2-6) click OK to finish creating the group.
Figure 2-6 Adding the wpsadmin and wpsbind users to the portal administrators group
With these users and groups in the LDAP directory, you can now begin the
installation of WebSphere Everyplace Access.
2.3 Installing WebSphere Everyplace Access
Installing WebSphere Everyplace Access with a remote iPlanet Directory Server
requires only minimal changes from the typical installation (see the Redpaper
IBM WebSphere Everyplace Access V4.1.1 Installation, REDP3587).
1. When selecting which components to install, ensure that SecureWay
Directory Server is not selected (Figure 2-7). The installation of the local
LDAP is not required, as in this case, the LDAP directory is provided by the
iPlanet Directory Server.
Figure 2-7 Select only the required WebSphere components
2. Later in the installation, you are prompted for the LDAP server type
(Figure 2-8). Select iPlanet and enter the details of your server, as shown
below:
a. LDAP Server
The address of your iPlanet Directory Server. For example:
m23x2501.itso.ral.ibm.com
b. User DN
This corresponds to the administrator details selected when configuring
the iPlanet Directory Server (see installation step 10 on page 28). For
example:
uid=administrator,ou=administrators,ou=TopologyManagement,o=NetscapeRoot
c. User password
Enter and confirm the password for the user specified above.
d. Suffix
The suffix for your iPlanet Directory Server. This was specified during the
iPlanet Directory Server installation, step 9 on page 28. In this example, it
is dc=itso,dc=ral,dc=ibm,dc=com.
e. LDAP port
The port the LDAP server is using. This is the port value entered during
the iPlanet Directory Server installation (see step 9 on page 28), for
example port 388.
Figure 2-8 Selecting iPlanet as the LDAP server
3. In the next window, you will be prompted for the LDAP configuration
information (Figure 2-9). This must match your LDAP directory schema. You
can confirm this information by executing the ldapsearch command, as
shown below:
Example 2-1 Using ldapsearch to confirm LDAP schema
c:\>ldapsearch -h m23x2501 -p 388 -D
uid=administrator,ou=administrators,ou=TopologyManagement,o=NetscapeRoot -w
password -b dc=itso,dc=ral,dc=ibm,dc=com cn=* dn
uid=wpsadmin,ou=People, dc=itso,dc=ral,dc=ibm,dc=com
uid=wpsbind,ou=People, dc=itso,dc=ral,dc=ibm,dc=com
cn=wpsadmins,ou=Groups, dc=itso,dc=ral,dc=ibm,dc=com
uid=Kelly,ou=People, dc=itso,dc=ral,dc=ibm,dc=com
uid=Greg,ou=People, dc=itso,dc=ral,dc=ibm,dc=com
...
Selecting one of the user records returned, you can determine the User DN
prefix, as well as the User DN suffix. For example, given the following record:
uid=wpsadmin,ou=People, dc=itso,dc=ral,dc=ibm,dc=com
we can see the User DN prefix is uid, and the User DN suffix is ou=People,
dc=itso,dc=ral,dc=ibm,dc=com (the space after the first comma is only
ldapsearch's formatting; enter the suffix without it).
Similarly, looking at a group entry:
cn=wpsadmins,ou=Groups, dc=itso,dc=ral,dc=ibm,dc=com
the Group DN prefix is cn, and the Group DN suffix is ou=Groups,
dc=itso,dc=ral,dc=ibm,dc=com
Using results similar to those shown in the example, the LDAP configuration
information can be confirmed, and the installation can continue by clicking
Next.
Figure 2-9 Confirming LDAP configuration details
During the installation, you will be prompted to configure the administration role
for the WebSphere Application Server. This is completed as per the standard
installation, and checking the Authentication tab in the Security Centre, you
should see the correct details in the LDAP Settings fields (Figure 2-10).
Figure 2-10 Confirming the LDAP settings in the Administrator’s Console
Once the installation process is complete, WebSphere Everyplace Access will be
running, and will be using the iPlanet Directory server for user authentication and
for managing user and group information.
2.4 Sample applications
As an example of how you might configure a portlet to query an iPlanet directory
server, this section shows how to configure the LDAP Search portlet.
2.4.1 Configuring the LDAP Search portlet
Provided with the standard WebSphere Everyplace Access installation is an
LDAP Search portlet which allows portal users to search the LDAP directory. The
search can be performed using various attributes and will return selected user
information such as name, department, telephone number and e-mail address.
The portlet will need to be configured for a specific LDAP directory, and this can
be done either by an individual user who has the proper access rights, or by the
portal server administrator. Configuration performed by the administrator, via
Work with Pages, will make the portlet configured by default for users. In this
example, you will configure the portlet as the administrator, keeping in mind that
the same configuration information is applicable to the individual user who has
the access rights to edit the portlet.
1. Log in to the WebSphere Everyplace Access server with administration rights.
2. Select Work with Pages.
3. Select WebSphere Everyplace Access Home from the Place drop-down
menu.
4. Select Productivity from the Page drop-down menu.
5. Click the Edit portlet icon for the LDAP Search portlet (Figure 2-11).
Figure 2-11 Editing the LDAP Search portlet
6. This will bring up the properties for the portlet (Figure 2-12) where the LDAP
details are entered. The required information is the server name, and the
directory name.
Figure 2-12 Entering in the LDAP server properties in the portlet
a. Optional Display Name
This will appear in the portlet’s title bar. Enter something descriptive, or
leave it blank.
b. Server Name
The address of the LDAP directory server. In this case, you want to search
the iPlanet Directory Server. Since you are not using the default LDAP port
of 389, you will need to specify the port, for example:
m23x2501.itso.ral.ibm.com:388
c. Directory Name
This corresponds to the suffix for your iPlanet Directory server, for
example dc=itso,dc=ral,dc=ibm,dc=com.
The remaining parameters are used to set up the default search criteria. You
may choose to make Last Name the default field to search on, for example.
7. Click Save to save and close the properties box.
The portlet is now configured, and users can perform searches on the LDAP
directory (Figure 2-13).
Figure 2-13 Results of doing a wildcard search on the LDAP directory
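The portlet turns whatever the user types into the search field into an LDAP search filter, and the wildcard search in Figure 2-13 works because the * is passed through to the server. Any front end that builds filters this way has to escape the characters that are special in a filter (RFC 4515), otherwise a crafted value rewrites the query. The following Python example is added here; it is not the portlet's code or IBM's. The SEARCHABLE attribute list is our assumption, modelled on the fields the portlet returns (name, department, telephone number, e-mail address), and the function names are ours.

```python
"""Build LDAP search filters from user-typed values with RFC 4515 escaping.
Added example, not the LDAP Search portlet's code. SEARCHABLE is an assumption."""
import re

# Assumed searchable attributes, modelled on the inetOrgPerson fields the
# portlet returns (name, department, telephone number, e-mail address).
SEARCHABLE = {"sn", "givenName", "cn", "mail", "telephoneNumber", "departmentNumber"}

# RFC 4515 section 3: characters that must be hex-escaped in an assertion value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

# One leaf assertion "(attribute=value)"; a value can never contain a raw paren.
_LEAF = re.compile(r"\(([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)")


def escape_filter_value(value, allow_wildcard=False):
    """Escape one user-typed value. With allow_wildcard=True the '*' is kept so
    that a deliberate wildcard search (Figure 2-13) still works; parentheses,
    backslashes and NUL are always neutralised."""
    return "".join(
        ch if (ch == "*" and allow_wildcard) else _ESCAPES.get(ch, ch)
        for ch in value)


def naive_filter(attribute, value):
    """A front end that pastes the value straight into the filter. Shown only
    for comparison: never do this with user input."""
    return "(&(objectClass=person)(%s=%s))" % (attribute, value)


def safe_filter(criteria, allow_wildcard=False):
    """AND of objectClass=person and every (attribute, value) criterion, with
    the attribute names checked against the allow-list and the values escaped.
    Criteria are sorted so the output is deterministic."""
    leaves = []
    for attribute, value in sorted(criteria.items()):
        if attribute not in SEARCHABLE:
            raise ValueError("attribute %r is not searchable" % attribute)
        leaves.append("(%s=%s)" % (attribute, escape_filter_value(value, allow_wildcard)))
    return "(&(objectClass=person)%s)" % "".join(leaves)


def leaf_assertions(filter_str):
    """The (attribute, value) pairs the server will actually evaluate.
    Escaped parentheses are hex sequences and never open a new assertion."""
    return _LEAF.findall(filter_str)


if __name__ == "__main__":
    # Constructed input: what someone might type into the Last Name field.
    typed = "*)(userPassword=*"
    print("naive:", naive_filter("sn", typed), leaf_assertions(naive_filter("sn", typed)))
    print("safe: ", safe_filter({"sn": typed}), leaf_assertions(safe_filter({"sn": typed})))
    print("wildcard kept:", safe_filter({"sn": "Rod*"}, allow_wildcard=True))
```

With the constructed input the naive filter becomes three assertions, the third one (userPassword=*) chosen by the person typing, so the search no longer asks what the form claimed; the escaped version keeps it to the two assertions the front end intended. Leave allow_wildcard off for fields where an enumeration of the directory is not wanted.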
Observations: Using IBM WebSphere Everyplace Access with an iPlanet
Directory Server provides a transparent solution for user authentication and
user management.
The implementation of LDAP allows WebSphere Everyplace Access to have a
common look and feel regardless of the underlying LDAP directory.
2.5 Recommendations, hints and tips
The most critical element when installing WebSphere Everyplace Access is an
understanding of the LDAP directory schema. You need to know both the User
DN prefix and suffix, as well as the Group DN prefix and suffix.
You also need to confirm that the User DN and password used when selecting
the LDAP server type are correct. This can be checked with the ldapsearch
command (Example 2-1 on page 34). Be aware that the example passes the bind
password on the command line with -w, where it is visible in the process list
and in the shell history; on a shared machine, use the prompt or password-file
option of your ldapsearch instead (OpenLDAP's ldapsearch, for example, prompts
with -W).
Keep in mind that the User DN entered during installation, the Configuration
Directory Administrator in this scenario, is stored with its password in the
WebSphere Application Server LDAP settings (Figure 2-10) and is used for the
portal's directory binds, so protect that account as you would any other
administrative credential.
For more information and product documentation on iPlanet Directory Server
V5.1, see the Sun Documentation Library at:
http://docs.sun.com/?q=iplanet&p=/coll/S1_ipDirectoryServer_51
Chapter 3. Active Directory Services in WebSphere Everyplace Access
In this chapter, we discuss the interoperability between WebSphere Everyplace
Access and an external Active Directory server using the Lightweight Directory
Access Protocol (LDAP).
We explain how to install and configure the Active Directory server and how to
install WebSphere Everyplace Access so that it uses this LDAP directory. We
also include sample applications in order to verify this installation.
3.1 Active Directory overview
Active Directory is the directory service provided by Windows 2000 Server. It
stores information about objects in the network (including users, files,
printers, servers, domains, etc.) and makes this information available to other
authorized users, simplifying access to and management of these network
resources.
Active Directory requires the Domain Name System (DNS) so that clients can
locate the Active Directory server and its resources by resolving domain names
to IP addresses. It uses the Lightweight Directory Access Protocol (LDAP) to
give access to the data stored in the directory, and it must reside on a domain
controller.
3.2 Solution architecture
The scenario described here consists of an Active Directory server configured
with the necessary options to allow it to be an external directory service of a
WebSphere Everyplace Access server. The sample scenario is illustrated in
Figure 3-1.
Figure 3-1 WebSphere Everyplace Access with Active Directory - sample scenario
(diagram). Shown: Active Directory on Windows 2000 Server (Server V5.0),
m23x3072.yourco.com, LDAP port 389; WebSphere Everyplace Access V4.1.1 with
WebSphere Application Server V4.0.1, DB2 and IBM HTTP Server on Windows 2000
Server, m23x2676.yourco.com; clients are a Pocket PC running the Everyplace
client V8.1 and a desktop browser, both connecting over HTTP.
The sample scenario described in this chapter includes the installation and
configuration of the Active Directory server and additional steps required to
properly install WebSphere Everyplace Access server with an external Active
Directory server.
3.2.1 Specifications for the scenario
The configuration values for this sample scenario are shown in Table 3-1.
Table 3-1 Configuration values

Application Server
  Machine DNS name:    m23x2676.yourco.com
  IP address:          198.168.10.11
  Operating system:    Windows 2000 Server, Service Pack 2
  Domain:              yourco.com
  Domain role:         Member Server
  Additional software: IBM WebSphere Everyplace Access V4.1.1

Active Directory Server
  Machine DNS name:    m23x2672.yourco.com
  IP address:          198.168.10.5
  Operating system:    Windows 2000 Server, Service Pack 2
  Domain:              yourco.com
  Domain role:         Domain Controller, Domain Name System (DNS)
  Additional software: Active Directory, Windows 2000 Support Tools,
                       Windows 2000 Administrative Tools, additional
                       Windows 2000 components
3.3 Installing and configuring Active Directory
The following is a typical Active Directory installation with the options
required to fulfill the specifications described above. You must be logged on
to the server with administrator privileges to start the installation.
1. Run the dcpromo command to launch the Active Directory Installation Wizard,
and click Next to continue.
Start > Run > dcpromo
2. Promoting the server to a domain controller requires either an existing
domain or a new one. In this scenario no domain exists yet, so select the
option to become a domain controller for a new domain.
3. Select Create a new domain tree.
3. Select Create a new domain tree.
4. Select Create a new forest of domain trees.
5. Enter the full DNS name for the new domain, in this case yourco.com.
6. Leave the default value for the Domain NetBIOS name (YOURCO for this
installation).
7. Accept the default locations for the Active Directory database and log, or
change them if your environment requires it.
8. Accept the default folder to be shared as the system volume, or choose a
new location.
9. Active Directory needs a DNS server to work correctly, and this scenario does
not have one yet. A warning message appears stating that the Active Directory
wizard cannot contact the DNS server that handles the selected domain name.
Click OK and choose the option to install a DNS server on this computer.
Note: You can always configure a DNS at a later time, but for purpose of this
scenario the Windows 2000 DNS server installation option is selected during
the Active Directory installation.
10.For the user and group object permissions, the wizard's default is
Permissions compatible with pre-Windows 2000 servers. That setting adds
Everyone to the Pre-Windows 2000 Compatible Access group, which lets
anonymous connections read user and group attributes. Nothing in this
scenario needs that, so selecting Permissions compatible only with Windows
2000 servers is valid here and is the safer choice.
11.Enter an Administrator password.
12.Review the installation summary, and click Next when you are ready to begin
the installation.
Figure 3-2 Installation summary for Active Directory
13.When the installation is completed, click Finish to close the Active Directory
Installation Wizard
14.Restart your computer.
3.3.1 Installing Windows 2000 support and administration tools
This section contains installation instructions for the Windows 2000 tools used
in the scenarios described in this chapter.
Windows 2000 support tools
The Windows 2000 Support Tools contain the ADSI Edit MMC snap-in that is used
later in this chapter.
Note: The ADSI Edit MMC snap-in lets you add, delete, edit or move Active
Directory objects (such as users and groups).
Follow these steps to install the support tools. You must be logged on to the
server with administrator privileges to begin the installation.
1. Run the following command from your Windows 2000 CD-ROM:
<CD drive>:\SUPPORT\TOOLS\SETUP.EXE
2. Supply the user information (name and organization name).
3. Select Typical as the installation type.
4. Click Next to begin the installation.
5. Click Finish to close the installation wizard at the end of the Support Tools
installation.
Windows 2000 administration tools
The Windows 2000 Administration Tools include the Active Directory Users and
Computers management console, which is required in this chapter.
Note: Active Directory Users and Computers is a management console used to
administer data in the directory server.
Follow these steps to install the Administration Tools:
1. Run the following command:
C:\WINNT\System32\adminpak.msi
2. Select Install all of the Administrative Tools.
3. When the installation ends, click Finish to close the wizard.
The Administration Tools also ship the Active Directory Schema MMC snap-in,
whose DLL must be registered before that snap-in can be added to a console
(ADSI Edit itself, installed by the Support Tools, needs no such step). To
register the DLL, run the following command:
regsvr32 schmmgmt.dll
3.3.2 Verifying Active Directory server installation
It is recommended that you verify that Active Directory and DNS are working
correctly before continuing with the WebSphere Everyplace Access installation.
Because Active Directory depends on DNS, first make sure that there are no
problems with the DNS service on your server. One check on a Windows 2000
DNS server is to confirm that the DNS service location (SRV) records for the
new domain controller have been created. For example:
a. Start the DNS Administrator Console.
Start > Programs > Administrative Tools > DNS
b. Expand your server name folder (m23x2672 in this case), expand the Forward
Lookup Zones folder and expand your domain name folder (yourco.com for this
scenario).
c. The following folders must be present: _msdcs, _sites, _tcp and _udp.
These folders and the service location records they contain are critical to
Active Directory operations; without them, domain clients (including the
WebSphere Everyplace Access server) cannot locate the domain controller.
Note: This is not the only procedure for ensuring that the Windows 2000 DNS
server is working correctly. There are many additional checks, and the steps
differ depending on the DNS server you are using. Refer to the documentation
of your DNS server for details about verifying that it is correctly configured.
A quick way (not the only way) to verify that your Active Directory is working
correctly is to join a new machine to the domain. In this sample scenario you
need to add the WebSphere Everyplace Access server machine to the new domain
(yourco.com) anyway. If the WebSphere Everyplace Access machine appears in the
Computers folder of the Active Directory Users and Computers management
console, and you can log on to the domain from that machine, Active Directory
is very probably working correctly.
Figure 3-3 Active Directory Users and Computers management console
3.3.3 Configuring Active Directory for WebSphere Everyplace Access
It is necessary to create some users and groups in the Active Directory before
beginning the WebSphere Everyplace Access installation. These are the
WebSphere Everyplace Access administrator users and groups that must be in
the LDAP server so that WebSphere Everyplace Access can validate them when
required.
Table 3-2 and Table 3-3 summarize the groups and users, used during
WebSphere Everyplace Access installation, that must be configured in Active
Directory.
Table 3-2 Groups needed for WebSphere Everyplace Access installation

  Group name   Description                                          Member of
  wpsadmins    WebSphere Everyplace Access administrative group     Administrators group

Table 3-3 Users needed for WebSphere Everyplace Access installation

  User name    Description                                          Member of
  wpsadmin     WebSphere Everyplace Access administrator user       wpsadmins group
  wpsbind      User for WebSphere Everyplace Access security        wpsadmins group
               purposes (binds WebSphere Everyplace Access to LDAP)
For example, follow these suggested steps to create groups and users:
1. Start the Active Directory Users and Computers tool.
a. Log in to the server as a user with administrator privileges.
b. Click Start -> Programs -> Administrative Tools -> Active Directory
Users and Computers.
c. Expand the contents of the domain name you created (yourco.com in this
case) in the left panel tree view as shown in Figure 3-4.
Figure 3-4 Active Directory Users and Computers tool
2. Create the administrator group wpsadmins.
a. Right-click the Users folder, select New, and then click Group.
b. In the New Object-Group dialog box, enter the details for the wpsadmins
group (Figure 3-5).
Figure 3-5 Creating the wpsadmins group in Active Directory
c. Click OK to create the group.
d. Right-click the wpsadmins group you just created and select Properties.
e. Select the Member Of tab and click Add.
f. Select the Administrators group in your domain, click Add and click OK
(Figure 3-6).
Note that this makes every member of wpsadmins, including the wpsbind
account that only binds to LDAP, an administrator of the domain. This is far
more than directory read and bind access requires; in a production domain,
grant the portal accounts only the rights they actually need.
Figure 3-6 Including wpsadmins in Administrators group
g. Click OK.
3. Create the administrator user wpsadmin.
a. Right-click the Users folder, select New, and then click User.
b. In the New Object-User dialog box, enter the details for the wpsadmin user
(Figure 3-7).
Figure 3-7 Creating wpsadmin user in Active Directory
c. Type the password for this user and click Next.
d. Review the summary for the new user and click Finish.
e. Right-click the wpsadmin user you just created and select Properties.
f. Select the Member Of tab and click Add.
g. Select the wpsadmins group in your domain, click Add and click OK
(Figure 3-8).
Figure 3-8 Including wpsadmin user in wpsadmins group
h. Click OK.
4. Create the administrator user wpsbind.
Follow the same steps as you did when creating the wpsadmin user above.
3.3.4 Obtaining the LDAP schema for Active Directory
One way to obtain the LDAP directory schema for your Active Directory server is
to use the ADSI Edit MMC snap-in. This tool show objects of the Active
Directory in a hierarchical tree, allowing you to manipulate them.
For example, to obtain the Distinguished Name (DN) prefix and suffix of the user
wpsadmin created previously in the Active Directory, you could do the following:
1. Open the ADSI Edit MMC snap-in tool by clicking Start -> Programs ->
Windows 2000 Support Tools -> Tools -> ADSI Edit.
2. Find the wpsadmin user in the tree left panel.
a. Expand the Domain NC container.
b. Expand the domain DN where the user was created, in this case
DC=yourco,DC=com.
c. Expand CN=Users; the CN=wpsadmin object should appear below it.
Figure 3-9 ADSI Edit MMC snap-in
3. Obtain the Distinguished Name (DN).
The Distinguished Name of the wpsadmin user can be obtained by joining in
reverse order the objects to which the wpsadmin user belongs.
In this case, the DN of wpsadmin is:
cn=wpsadmin,cn=Users,dc=yourco,dc=com
The User DN prefix is: cn
The User DN suffix is: cn=Users,dc=yourco,dc=com
In the example below, it is equally simple to obtain the DN of the Administrator
user and of the wpsadmins group. For example:
- The DN of the Administrator user is:
cn=Administrator,cn=Users,dc=yourco,dc=com
- The User DN prefix is: cn
- The User DN suffix is: cn=Users,dc=yourco,dc=com
- The DN of the wpsadmins group is:
cn=wpsadmins,cn=Users,dc=yourco,dc=com
- The User DN prefix is: cn
- The User DN suffix is: cn=Users,dc=yourco,dc=com
Another way to obtain the LDAP directory schema for your Active Directory
server is to use the ldifde command, as shown in Figure 3-10.
Figure 3-10 Executing ldifde command
This command produces an LDIF file that contains all the users in the Active
Directory. If you open this file (output.ldf in this case), you can read the
Distinguished Name of each user. For example:
dn: CN=Users,DC=yourco,DC=com
changetype: add
cn: Users
description: Default container for upgraded user accounts
distinguishedName: CN=Users,DC=yourco,DC=com
dSCorePropagationData: 20020912153740.0Z
dSCorePropagationData: 20020912153723.0Z
dSCorePropagationData: 16010101000417.0Z
instanceType: 4
name: Users
objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=yourco,DC=com
objectClass: container
showInAdvancedViewOnly: FALSE
systemFlags: -1946157056
uSNChanged: 3218
uSNCreated: 1314
whenChanged: 20020912153740.0Z
whenCreated: 20020906143204.0Z
dn: CN=wpsadmin,CN=Users,DC=yourco,DC=com
changetype: add
accountExpires: 9223372036854775807
adminCount: 1
cn: wpsadmin
codePage: 0
countryCode: 0
displayName: wpsadmin
distinguishedName: CN=wpsadmin,CN=Users,DC=yourco,DC=com
instanceType: 4
name: wpsadmin
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=yourco,DC=com
objectClass: user
sAMAccountName: wpsadmin
sn: wpsadmin
userAccountControl: 66048
userPrincipalName: wpsadmin@yourco.com
uSNChanged: 2810
uSNCreated: 2787
whenChanged: 20020906145631.0Z
whenCreated: 20020906145534.0Z
....
For the wpsadmin entry, the DN of the user is the value of the line beginning
with “dn:”. In this case, the value is CN=wpsadmin,CN=Users,DC=yourco,DC=com
Note: During the WebSphere Everyplace Access installation, you will need
information about your LDAP schema.
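The following Python is an added example, not part of the Redpaper: it works over an LDIF export like the one above, rebuilds a DN from an ADSI Edit tree path by joining the path in reverse order as the walk-through does, splits a DN into the User DN prefix and suffix the installer asks for, and decodes the userAccountControl and accountExpires values of the exported user entries so that the wpsadmin and wpsbind accounts can be reviewed before installation. The sample LDIF is constructed from the entries quoted above; the flag names follow Microsoft's ADS_USER_FLAG constants.

```python
# Added example (not from the Redpaper): audit helpers for an ldifde export.
# Sample LDIF constructed from the entries quoted in Section 3.3.4.
SAMPLE_LDIF = """\
dn: CN=Users,DC=yourco,DC=com
changetype: add
cn: Users
objectClass: container

dn: CN=wpsadmin,CN=Users,DC=yourco,DC=com
changetype: add
accountExpires: 9223372036854775807
adminCount: 1
cn: wpsadmin
objectClass: user
sAMAccountName: wpsadmin
userAccountControl: 66048
userPrincipalName: wpsadmin@yourco.com
"""

# userAccountControl bits (Microsoft ADS_USER_FLAG values) that matter in a review.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}
# accountExpires values that Active Directory treats as "never expires".
NEVER_EXPIRES = (0, 9223372036854775807)


def parse_ldif(text):
    """Parse ldifde output into a list of {attribute: [values]} dicts.

    Entries are separated by blank lines; repeated attributes (for example
    dSCorePropagationData) collect into a list. Line folding and base64
    values do not occur in this export and are not handled.
    """
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def dn_from_tree_path(path):
    """Join an ADSI Edit tree path (root first) in reverse order to form a DN,
    exactly as the walk-through does for CN=wpsadmin under CN=Users."""
    return ",".join(reversed(path))


def split_prefix_suffix(dn):
    """Return the installer's (User DN prefix, User DN suffix) for a DN:
    the attribute type of the first RDN and the remainder of the DN."""
    first, _, rest = dn.partition(",")
    return first.split("=", 1)[0].strip().lower(), rest


def decode_uac(value):
    """Names of the known userAccountControl flags set in an integer value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def audit_users(entries):
    """Summarise each objectClass=user entry with the findings a reviewer
    would want to see before handing the account to the installer."""
    report = []
    for e in entries:
        if "user" not in e.get("objectClass", []):
            continue
        flags = decode_uac(int(e.get("userAccountControl", ["0"])[0]))
        findings = []
        if "DONT_EXPIRE_PASSWD" in flags:
            findings.append("password never expires")
        if "PASSWD_NOTREQD" in flags:
            findings.append("password not required")
        if "ACCOUNTDISABLE" in flags:
            findings.append("account disabled")
        if "accountExpires" in e and int(e["accountExpires"][0]) in NEVER_EXPIRES:
            findings.append("account never expires")
        if e.get("adminCount", ["0"])[0] == "1":
            findings.append("protected administrative account (adminCount=1)")
        report.append({"dn": e["dn"][0], "flags": flags, "findings": findings})
    return report


if __name__ == "__main__":
    for row in audit_users(parse_ldif(SAMPLE_LDIF)):
        print(row["dn"], row["flags"], row["findings"])
```

Run against the real output.ldf, the report lists every user entry with its decoded flags, which is a quick way to confirm the password and expiry settings of the accounts the installer will bind with.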
3.4 Installing WebSphere Everyplace Access
The WebSphere Everyplace Access installation using a remote Active Directory
server is similar to a typical installation using IBM SecureWay LDAP services.
However, there are considerations you must be aware of:
1. When you have to select the desired WebSphere Everyplace Access
components and subcomponents to install, do not select SecureWay
Directory Server.
Note: The SecureWay Directory is the default LDAP server provided by
WebSphere Everyplace Access and can be installed locally or on a remote
server.
In this sample scenario, Active Directory has already been installed as a
remote LDAP server, and therefore you do not need to install SecureWay
Directory. Figure 3-11 illustrates this option.
Figure 3-11 Selecting WebSphere Everyplace Access install components
2. In the LTPA password window, you will be prompted to enter the LTPA
password. You must enter the password of the bind user you previously
created; this is wpsbind.
3. Later in the installation, in the LDAP server type selection window, enter the
following configuration values (Figure 3-12):
a. Select Microsoft Active Directory.
b. LDAP Server: the address or full computer name of the Active Directory
Server (in this case, m23x2672.yourco.com)
c. User DN: the LDAP schema for the Active Directory administrator user.
You can refer to Section 3.3.4, “Obtaining the LDAP schema for Active
Directory” on page 53 for more details.
In this scenario, the User DN is:
cn=Administrator,cn=users,dc=yourco,dc=com
d. User password and Confirm password: enter the password for the
administrator user specified above.
e. Suffix: the suffix configured for the server. In this case,
dc=yourco,dc=com
f. LDAP port number: the port the Active Directory Server uses. By default,
this is 389.
Figure 3-12 Selecting Active Directory as the LDAP server
4. In the next window, you must provide information about the Active Directory
configuration (Figure 3-13). You can refer to Section 3.3.4, “Obtaining the
LDAP schema for Active Directory” on page 53 for information about the
Distinguished Name of users and groups in your Active Directory.
Figure 3-13 LDAP Configuration details
5. Fill in the fields and click Next to continue the WebSphere Everyplace Access
installation.
6. As a part of the WebSphere Everyplace Access installation, you must
configure the Security Center of the WebSphere Application Server. These
configuration values are related to LDAP settings and the administration role
for the WebSphere Application Server.
When you open the Security Center during the standard WebSphere
Everyplace Access installation, click the Authentication tab to check the
details for the LDAP settings. The panel is shown in Figure 3-14.
Figure 3-14 Authentication tab in WebSphere Application Server Security Center
The LDAP settings for the sample scenario in this chapter are:
– Security Server ID: the DN of the user created for security purposes. In
this case, cn=wpsbind,cn=users,dc=yourco,dc=com
– Security Server Password: the password for the user above.
– Host: the IP address or fully qualified DNS name of the Active Directory
server. In this case, m23x2672.yourco.com
– Directory Type: Active Directory.
– Port: the port of the Active Directory server. We are using the default port, 389.
– Base Distinguished Name: the DN of the domain the Active Directory
administrator user belongs to. In this case, the user Administrator
belongs to dc=yourco,dc=com
– Bind Distinguished Name: the full DN of the administrator user. In this
case, cn=Administrator,cn=users,dc=yourco,dc=com
– Bind Password: the password for the administrator user.
7. Complete the configuration of the Administration Role and the rest of the
standard WebSphere Everyplace Access installation. For details, see IBM
WebSphere Everyplace Access Installation, REDP3587.
8. Important: Before you begin working with the WebSphere Everyplace
Access server, you must give the WebSphere Everyplace Access administrator
user (wpsadmin in this case) full manage authority over the users and groups
in WebSphere Everyplace Access. This allows the WebSphere Everyplace Access
administrator to search for and manage users and groups in WebSphere
Everyplace Access. For example:
a. Log on to the WebSphere Everyplace Access server as user wpsadmin (or
another user with administration rights).
b. Select Portal Administration.
c. Click the Security tab.
d. Click Get Users and Groups.
e. Click Search for users.
f. Type an asterisk (*) in the Name is field and click Go.
g. From the search results list, select the wpsadmin user, click Add to list
and click OK.
h. From the Select the objects for permissions drop-down menu, select User
groups and click Go.
i. From the table list, check the Select all option in the Manage column.
j. Click Save.
Figure 3-15 illustrates the new permissions for the wpsadmin user.
Figure 3-15 Adding permissions for the wpsadmin user in Portal server
You can now see both the users and groups you previously created in Active
Directory when you perform a search on users and groups (Figure 3-16).
Figure 3-16 Manage users and groups in Portal server
3.5 Sample applications
In this section, sample applications are executed using the configured
WebSphere Everyplace Access with Active Directory LDAP services.
3.5.1 Creating users and groups in WebSphere Everyplace Access
Creating users and groups is a simple way to verify the interoperability of
WebSphere Everyplace Access and Active Directory.
Note: In this environment, you can add users and groups directly from the Active
Directory or using the WebSphere Everyplace Access interface.
If you want to add users and groups directly in Active Directory, see the
suggested steps to create the wpsadmins group and wpsadmin and wpsbind
users (see Section 3.3.3, “Configuring Active Directory for WebSphere
Everyplace Access” on page 48).
There are two ways to create users using WebSphere Everyplace Access: by
using the sign-up option (self-enrollment) or by using an administrator user.
User self-enrollment
To create a user using the self-enrollment option, open the Portal server and
click the Sign up button. You then fill out the registration form (Figure 3-17)
and submit the request.
Figure 3-17 Self-enrollment user registration
User enrollment by an administrator
To create users in WebSphere Everyplace Access through an administration
user, follow these steps:
1. Log on to the Portal server using the wpsadmin user (or an administrator
user).
2. Select Portal Administration.
3. Click the Users and Groups tab.
4. Click Create new user.
5. Enter the information for the new user and click OK (Figure 3-18).
Figure 3-18 Creating a new user
Group creation by an administrator
To create groups in WebSphere Everyplace Access through an administration
user, follow these steps:
1. Log on to the Portal server using the wpsadmin user (or an administrator
user).
2. Select Portal Administration.
3. Click the Users and Groups tab.
4. Click the Manage User Groups tab.
5. Enter the name of the new group in the Group Name field and click Create
group (Figure 3-19).
Figure 3-19 Creating a new group in WebSphere Everyplace Access
3.5.2 DB2 Everyplace synchronization using Active Directory
In this sample scenario, a sample application supplied by DB2 Everyplace, called
Visiting Nurse, is used. This scenario illustrates DB2 Everyplace synchronization
when using a remote Active Directory server for LDAP services.
In this section, we briefly explain how to configure WebSphere Everyplace
Access server and a Pocket PC for this application. For more details, see
Relational Database Synchronization in IBM WebSphere Everyplace Access
V4.1.1, REDP1111.
Creating the synchronization and DB2e groups
First, you will need to create a synchronization group in WebSphere Everyplace
Access. This group will have all the users who need to synchronize with the DB2
Everyplace Sync Server. In this sample scenario, the default name SyncGroup is
used for this group.
Once the SyncGroup group is created, add to it all the users who should be
allowed to use DB2 Everyplace synchronization (Figure 3-20).
Figure 3-20 Setting the SyncGroup group
Since this is the Visiting Nurse application, the new DB2e group will be called
DB2e_Nurse, and you will add the users that need to work with this application
(Figure 3-21).
Figure 3-21 Setting up the DB2e_Nurse group
Creating a subscription and subscription set
To create a subscription and a subscription set, we must use the Mobile Devices
Administration Center (MDAC).
1. Click Start -> Programs -> IBM Everyplace Synchronization Server ->
Launch MDAC, and log in with the wpsadmin user and SyncGroup as the
synchronization group.
2. Verify that the DB2e group (DB2e_Nurse group in this case) is available in the
Groups folder (Figure 3-22).
Figure 3-22 MDAC Groups folder
3. Verify that all the users who are members of SyncGroup appear in the Users
folder (Figure 3-23).
Figure 3-23 MDAC Users folder
4. In this scenario, a JDBC subscription is used. For example:
a. Click the Subscriptions folder.
b. Right-click JDBCSUB1 and select Edit (Figure 3-24).
Figure 3-24 Edit JDBCSUB1 Subscription
c. On the Identification tab, click Define subscription... to see the tables
that will be synchronized (Figure 3-25).
Figure 3-25 Define Replication Subscription
d. Select the Source tab; the VNURSE database must appear in the
Database URL field.
e. On the Subscription sets tab, the subscription set
SUBSCRIPTION_SET1 must be in the right-hand pane (Figure 3-26).
Figure 3-26 Subscription sets
f. Close the subscription dialog box.
5. You will need to assign the DB2e group to the subscription set assigned to the
Visiting Nurse database.
a. Click the Subscription sets folder.
b. Right-click SUBSCRIPTION_SET1 and select Edit.
c. On the Groups tab, select DB2e_Nurse from the Available Groups list and
move it to the Select Groups list (Figure 3-27).
Figure 3-27 Editing Subscription Set
d. Close the subscription set dialog box.
3.5.3 Configuring the client on the Pocket PC and synchronizing
The following procedure can be used to configure the client in the Pocket PC:
1. Start the Everyplace client and go to the User Options panel (Tools -> User
Options).
2. Fill out the WebSphere Everyplace Access information. You will need to
provide a user ID that belongs to the SyncGroup created previously
(Figure 3-28).
3. Click OK to close the panel.
4. Click DB2 Everyplace Sync and from the menu, select Tools -> Configure
(Figure 3-28).
5. In the Configure panel, you must provide a value for User ID and Device ID.
Leave the default values shown (Figure 3-28).
6. To initiate the synchronization, click Execute. Once the synchronization is
completed, the status is updated (Figure 3-28).
Figure 3-28 Steps to configure the Everyplace Client on the Pocket PC
7. Click the Subscription List tab and confirm that SUBSCRIPTION_SET1 is
available (Figure 3-29).
Figure 3-29 Verifying that the synchronization process selected the subscription
8. Notice that in the MDAC application, the user executing the synchronization
process has been updated with the device type, device ID and the version of
Everyplace Sync client (Figure 3-30).
Figure 3-30 MDAC Users details
Verifying the synchronization
Now that the Pocket PC device is synchronizing, you can use the Visiting Nurse
sample application to confirm that in fact, data entered on the Pocket PC is
getting synchronized with the DB2 database. For example:
1. Start the Visiting Nurse application on the Pocket PC.
a. Click Start, and select Programs.
b. Open the DB2 Everyplace Samples folder and click VNurse.
2. Select a patient and create a new medical record. An example is shown in
Figure 3-31. To do this:
a. Highlight a patient’s name and click the Info button.
b. On the Personal Information page, click the Records button.
c. Add a new medical record by clicking Add.
d. Once you have filled out the record, click Save.
Figure 3-31 Creating a record in the Visiting Nurse application
3. Close the Visiting Nurse application.
4. Start the Everyplace client and initiate a synchronization.
a. Click Start and select Everyplace Client from the menu.
b. Click the Execute button.
Upon successful completion of the synchronization, the records will be replicated
to the source database as defined in the JDBC subscription. One method to
confirm that new records are added to the DB2 database is to view the table
contents using the IBM DB2 Control Center, as shown in Figure 3-32 below.
Figure 3-32 The new record in the DB2 database after synchronization
Chapter 4. Domino Directory Services in WebSphere Everyplace Access
In this chapter, we discuss the interoperability between WebSphere Everyplace
Access and an external Lotus Domino server using the Lightweight Directory
Access Protocol (LDAP).
We explain how to install and configure the Lotus Domino server and LDAP
services and how to install WebSphere Everyplace Access to access this LDAP
directory. We also include sample scenarios to verify the installation.
4.1 Lotus Domino R5 overview
Lotus Domino R5 is an integrated server platform for messaging, groupware, and
Web applications, delivering secure communication, collaboration and business
applications. It includes the following servers:
- Domino Mail Server, used for messaging purposes.
- Domino Application Server, a secure platform to deliver Web applications. It
provides an integrated messaging and Web application software platform.
- Domino Enterprise Server, which extends the functionality of Domino Mail
and Domino Application Servers with high availability services.
Domino Directory services is the collective name for the directory architecture
of Domino R5. Its central component is the Domino Directory, a store of
directory information about users, servers, groups, and other objects, used by
the Domino servers and by clients within a Domino domain. The other
components of the Domino Directory services are:
- Directory Catalog, a specialized database with information about one or more
Domino directories.
- Directory Assistance, which provides a redirect mechanism to access
directory information from secondary directories, with the information residing
in its original directory.
- Domino LDAP server task, which provides LDAP version 3-compliant access
to Domino and third-party directories from clients and applications.
A Domino server is required to have Domino Directory services running and
available. For this reason, you will need to set up and configure LDAP services in
the Domino server. In addition, you can also set up and configure Directory
Assistance and Directory Catalogs when required.
For more information about Domino Directory services, refer to IBM Redbook
Getting the Most From Your Domino Directory, SG24-5986.
4.2 Solution architecture
The scenario presented in this chapter includes a Lotus Domino Application
server with LDAP services configured with the required options to allow it to be
an external directory service of a WebSphere Everyplace Access server. The
sample scenario described in this chapter is illustrated in Figure 4-1.
[Figure 4-1 shows two Windows 2000 Server machines: m23x3074.yourco.com running
Domino Server V5.08 with LDAP on port 386, and m23x2501.yourco.com running
WebSphere Everyplace Access V4.1.1 with WebSphere Application Server V4.0.1,
Notes, DB2 and IBM HTTP Server. A Pocket PC with the Everyplace client V8.1 and a
desktop browser connect to the WebSphere Everyplace Access server over HTTP.]
Figure 4-1 WebSphere Everyplace Access and Domino LDAP Services
The description of this scenario includes the installation and configuration of a
Lotus Domino Application server, and the configuration of the LDAP services.
Note: In this sample scenario, it may not be necessary to configure Directory
Assistance and Directory Catalogs in the Domino server. However, this could be
a requirement in other situations.
4.2.1 Specifications for the scenario
Table 4-1 illustrates the configuration values used in this sample scenario.
Table 4-1 Configuration

Role                  Application Server                       Domino R5 Server
Machine DNS Name      m23x2501.yourco.com                      m23x2674.yourco.com
IP address            198.168.10.12                            198.168.10.6
Operating System      Windows 2000 Server Service Pack 2       Windows 2000 Server Service Pack 2
Domain                yourco.com                               yourco.com
Additional Software   IBM WebSphere Everyplace Access V4.1.1   Domino R5.08 Server (Domino Application Server)
4.2.2 Users and groups required in this scenario
You must create users and groups in the Domino server before starting the
WebSphere Everyplace Access installation. These are the WebSphere Everyplace
Access administrator users and groups that must be available in the LDAP server
so that WebSphere Everyplace Access can validate them when required.
Table 4-2 and Table 4-3 summarize the groups and users used during
WebSphere Everyplace Access installation that must be configured in the LDAP
Directory.
Table 4-2 Groups needed for WebSphere Everyplace Access installation

Group name   Description                                         Member of
wpsadmins    WebSphere Everyplace Access administrative group    Administrators group

Table 4-3 Users needed for WebSphere Everyplace Access installation

User name    Description                                                        Member of
wpsadmin     WebSphere Everyplace Access administrator user                     wpsadmins group
wpsbind      User for WebSphere Everyplace Access security purposes (to bind    wpsadmins group
             between WebSphere Everyplace Access and LDAP)
4.3 Setting up Domino Directory services
You will need to install a Domino server to have Domino Directory services. For
this scenario, a Domino Application Server is installed as the Domino server.
You will also need to install the Lotus Domino Administrator client to
administer the Domino server, and configure LDAP to run on this server.
4.3.1 Installing Lotus Domino server
This is a typical Lotus Domino server installation; in this sample scenario, most of
the default settings and directories are used. The required options are selected
to fulfill the specifications of the scenario described in Table 4-2 and Table 4-3.
For example:
1. Log in to the server as a user with administrator privileges.
2. Run the setup program to open the installation wizard. Click Next in the
Welcome window.
3. Read the License Agreement and click Yes.
4. Supply the company information (user and company name) and click Next.
5. Accept the default product and data folders locations or change them if you
desire.
6. Choose to install a Domino Application Server and click Next (Figure 4-2). For
the purpose of this scenario, it is not necessary to customize the installation.
Figure 4-2 Select the type of Domino server
7. Accept the default Program Folder and click Next to start the Domino server
installation.
8. At the end of the installation, click Finish to close the installation wizard and
finish the Domino server installation.
9. Open the Lotus Domino server to start the server setup, including the LDAP
services, by clicking Start -> Programs -> Lotus Applications -> Lotus
Domino Server.
10. In the Step 1 window, select the option First Domino Server and click the
right-pointing arrow on the top right-hand side as illustrated in Figure 4-3.
Figure 4-3 Step 1 - Creating a new Domino server
11. In the Step 2 window, select Advanced Configuration to customize the
server configuration parameters. Click the right-pointing arrow as shown in
Figure 4-4.
Figure 4-4 Step 2 - Select a setup method
In the Step 3 window, enter the advanced configuration parameters. You must
select LDAP under Internet Directory Services so that the LDAP server runs
automatically on server startup. You must also activate the HTTP and IIOP
options in the Web Browsers section. The remaining options are optional. Click
the right-pointing arrow as illustrated in Figure 4-5.
Figure 4-5 Step 3 - Domino advanced configuration
12. In the Step 4 window, enter the administration settings information
(Figure 4-6). Enter the password for the certified ID (password in this case),
and the administrator user and password for the Domino server (in this
sample scenario, wpsadmin). See Section 4.2.2, “Users and groups required
in this scenario” on page 80 to obtain information about users and groups
required for this scenario.
Important: Be sure to enter wpsadmin as the administrator’s last name and
leave blank the first and middle name in the Administrator’s Identity section.
Domino server generates the user ID combining the first letter of the first name
with the last name.
Figure 4-6 Step 4 - Domino administrative settings
13. Click Finish to complete the Domino server setup. A summary of the Domino
configuration will appear; review the options (Figure 4-7).
Important: Be sure to remember the location and password for the Certified
ID and Administrator ID created during the Domino Server setup and shown in
the summary configuration window. You will need this information for
configuring and for administration tasks.
As we need to create the wpsadmins administrator group, click the Set
Access Control List Entry button.
Figure 4-7 Domino configuration summary
14. In the Set Default Database Access window, select the Add a group option
and type wpsadmins as the name of the group. Click OK (Figure 4-8).
Figure 4-8 Creating the wpsadmins group
15. Click the Exit Configuration button in the Domino summary configuration
window.
16. Start the Domino server by clicking Start -> Programs -> Lotus
Applications -> Lotus Domino Server.
17. Wait until the Domino server finishes loading (Figure 4-9).
Figure 4-9 Starting Domino server
4.3.2 Installing and configuring the Domino Administration client
You will need to install the Domino Administration client to be able to administer
the Domino server.
Important: The Lotus Domino server must be available and running before
you start the Domino Administration client installation.
For example, follow this procedure:
1. Run the setup program to open the installation wizard. Click Next at the
Welcome window.
2. Read the License Agreement and click Yes.
3. Supply the company information (user and company name) and click Next.
4. Accept the default product and data folders locations or change them if you
desire. Click Next.
5. Select the Domino Administrator option and click Next (Figure 4-10). For
the purpose of this scenario, it is not necessary to customize the Domino
Administrator installation.
Figure 4-10 Installing Domino Administration
6. Accept the default Program Folder and click Next to begin the Domino
Administration installation.
7. At the end of the installation, click Finish to close the installation wizard and
finish the installation.
8. Open the Lotus Domino Administration client by clicking Start ->
Programs -> Lotus Applications -> Lotus Domino Administrator.
This will start the administrator configuration process.
9. Click Next in the Setting Up Connections window.
10. Select I want to connect to a Domino server and click Next.
11. Select Set up a connection to a local area network (LAN) and click Next.
12. Enter the Domino server name, in this case m23x2674/yourco, and click Next
(Figure 4-11).
Figure 4-11 Entering the Domino server name
13. Select the Use my name as identification option and enter the administrator
user name for the Domino server. In this case, wpsadmin was specified as the
administrator during the Domino server installation.
Figure 4-12 Enter the Domino administrator user
14. Click Next in the Connecting to a Domino Server over a LAN window.
15. For this scenario, select I don’t want to create an Internet mail account
and click Next.
16. For this scenario, select I don’t want to connect to a news server and click
Next.
17. For this scenario, select I don’t want to connect to another directory
server and click Next.
18. Choose whether you will use a proxy to connect to the Internet and click Next.
In this sample scenario, a proxy is not used.
19. Select how you will connect to the Internet. For example, in this scenario
select the Connect over local area network (or cable modem) option and
click Next.
20. Click Finish to complete the Domino Administration client configuration. You
will be prompted to enter a password to start the Administration client. Enter
the password for the administrator user (the user is wpsadmin in this case)
and click OK.
4.3.3 Configuring LDAP services on Domino
Before beginning the WebSphere Everyplace Access installation, you must create
an additional user (wpsbind; see Section 4.2.2, “Users and groups required in
this scenario” on page 80 for more information) and set some LDAP parameters
in Domino.
Creating users in Domino
Follow these steps to create a user:
1. If the Domino Administration client is not already open, start it by clicking
Start -> Programs -> Lotus Applications -> Lotus Domino Administrator.
2. Go to the Administration page and select the People & Groups tab
(Figure 4-13).
Figure 4-13 Domino Administration client
3. Right-click People and select Register Person.
4. When you are prompted to choose the Certified ID, select the cert.id file from
your Domino server data directory (by default, it is located in
c:\Lotus\Domino\Data). Click Open.
5. Enter the password for the certifier ID selected in the previous step and
click OK.
Tip: The certified ID is created during the Domino Server setup, in the
administrative settings form (Step 4 window). For more information, see
Section 4.3.1, “Installing Lotus Domino server” on page 81.
6. Click the Basics button on the left-hand side, and enter the information for
the new user wpsbind (Figure 4-14).
7. Select the Advanced option to configure an Internet password.
Tip: You must set an Internet password for every user, because the Domino
LDAP service authenticates users with it.
Figure 4-14 Registering user wpsbind
8. Click the Groups button, select wpsadmins and click the Add button
(Figure 4-15).
Figure 4-15 Adding wpsbind to the wpsadmins group
9. Click the Add person button. If you want, you can create more users at this
time, or you can do so later.
10. Click the Register All button, and when the registration process finishes,
click Done to close the Register Person form.
Configuring LDAP in Domino
To configure LDAP services on your Domino server, you will need to create a
server configuration document.
1. In the Domino Administration client, select the Configuration tab and expand
the Server section, then click the Configurations icon. Now click the Add
Configuration action button to create a new configuration document.
2. Select the Use these settings as the default settings for all servers
checkbox (Figure 4-16).
Note: Only one configuration document can be designated as the default settings
for all servers.
Figure 4-16 Creating a new server configuration document
3. Once you have selected this option, the LDAP tab appears. Click it to move to
that section.
4. Click the button Choose fields that anonymous users can query via
LDAP; an LDAP Field List window will appear with a list of queryable fields.
Accept this list or add more fields if you want, then click OK (Figure 4-17).
Figure 4-17 LDAP field list
5. In the LDAP Configuration form, select Yes in the Allow LDAP users write
access option. Leave the other fields with their default values (Figure 4-18).
Figure 4-18 LDAP Configuration settings
6. Click the Save and Close button; a new configuration document will be
created (Figure 4-19).
Figure 4-19 Configuration document for all the servers
7. In the Configuration tab, in the Server section, click the Current Server
Document icon and the Edit Server button.
8. Select the Ports tab; inside the Port section, click the Internet Ports tab and
select the Directory tab. You will see the LDAP port settings. In this
sample scenario, the LDAP service uses port 386, but you can always use the
default port 389 if you so desire (Figure 4-20).
Figure 4-20 LDAP settings
9. Click the Save and Close button to save the changes you made.
4.3.4 Obtaining the LDAP schema for the Domino Server
To obtain the LDAP directory schema for your Domino server, you can execute
the ldapsearch command located in the Lotus Notes program directory (by
default, c:\Lotus\Notes).
For example, at the command prompt window, enter the following command:
ldapsearch -h m23x2674 -p 386 -D cn=wpsadmin,o=yourco -w wpsadmin -b o=yourco cn=* dn
You will see a list of the Distinguished Names of the users in your Domino server
(Figure 4-21).
Figure 4-21 LDAP schema for Domino server
By selecting one of the returned records, you can determine the User DN prefix
and suffix. For example, given the following record:
CN=wpsadmin,O=Yourco
the User DN prefix for the wpsadmin user is CN, and the User DN suffix is
O=Yourco.
Note: During the WebSphere Everyplace Access installation, you will need
information about your Domino server LDAP schema.
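As an added example (not part of this Redpaper and not Domino or WebSphere code), the following Python script applies the rule above to the output of the ldapsearch command: it parses the returned dn: lines, derives the User DN prefix and suffix, and cross-checks that the Base DN, Bind DN and Security Server ID you will later enter during the installation (Section 4.4) lie under the suffix the directory actually returned. The sample ldapsearch output is constructed to resemble the scenario's entries (wpsadmin, wpsbind, test1) plus one CN containing an escaped comma, which is why a DN is split with RFC 4514 escaping in mind rather than on every comma.

```python
"""DN helpers for checking the values gathered in Section 4.3.4 before they
are typed into the installer screens of Section 4.4.  Added example; not code
from the Redpaper, from Domino or from WebSphere Everyplace Access."""

import re

# Constructed sample of what the ldapsearch command in 4.3.4 prints: one
# LDIF-style "dn:" line per entry.  The escaped comma in the last entry is
# deliberate, to show why splitting on every comma would be wrong.
SAMPLE_LDAPSEARCH_OUTPUT = """\
dn: CN=wpsadmin,O=Yourco

dn: CN=wpsbind,O=Yourco

dn: CN=test1,O=Yourco

dn: CN=Smith\\, John,O=Yourco
"""


def split_dn(dn):
    """Split a DN into its RDN strings, keeping RFC 4514 backslash escapes.
    'CN=Smith\\, John,O=Yourco' -> ['CN=Smith\\, John', 'O=Yourco']"""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def normalize_dn(dn):
    """Canonical form for comparison: attribute types and values lower-cased,
    whitespace around '=' and ',' removed.  Domino returns 'O=Yourco' while
    the installer is given 'o=yourco'; the directory treats them as equal."""
    parts = []
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)


def dn_prefix_and_suffix(dn):
    """The 'User DN prefix' is the attribute type of the leftmost RDN (CN in
    the scenario); the 'User DN suffix' is everything after that RDN."""
    rdns = split_dn(dn)
    prefix = rdns[0].partition("=")[0].strip()
    suffix = ",".join(rdns[1:])
    return prefix, suffix


def parse_dns(ldif_text):
    """Extract the DNs from ldapsearch output (plain 'dn:' lines only)."""
    return [m.group(1).strip() for m in re.finditer(r"^dn:\s*(.+)$", ldif_text, re.M)]


def is_under(dn, base_dn):
    """True if dn is base_dn itself or an entry somewhere below it."""
    d, b = split_dn(normalize_dn(dn)), split_dn(normalize_dn(base_dn))
    return len(d) >= len(b) and d[-len(b):] == b


def check_install_values(ldif_text, bind_dn, security_server_id, base_dn):
    """Cross-check the values destined for the 4.4 installer screens against
    what the directory returned.  Returns a list of problems (empty = OK)."""
    problems = []
    dns = parse_dns(ldif_text)
    if not dns:
        return ["ldapsearch returned no entries"]
    suffixes = {normalize_dn(dn_prefix_and_suffix(dn)[1]) for dn in dns}
    if len(suffixes) != 1:
        problems.append(f"users are not under a single suffix: {sorted(suffixes)}")
    if normalize_dn(base_dn) not in suffixes:
        problems.append(f"Base DN {base_dn!r} does not match the suffix returned by the directory")
    returned = {normalize_dn(d) for d in dns}
    for label, dn in (("Bind DN", bind_dn), ("Security Server ID", security_server_id)):
        if not is_under(dn, base_dn):
            problems.append(f"{label} {dn!r} is not under Base DN {base_dn!r}")
        if normalize_dn(dn) not in returned:
            problems.append(f"{label} {dn!r} was not returned by ldapsearch")
    return problems


if __name__ == "__main__":
    # Values from the sample scenario; the check passes silently when they agree.
    for p in check_install_values(SAMPLE_LDAPSEARCH_OUTPUT,
                                  "cn=wpsadmin,o=yourco", "cn=wpsbind,o=yourco", "o=yourco"):
        print("PROBLEM:", p)
```

Running the script against a real ldapsearch capture (redirect the command's output to a file and read it in place of the constructed sample) catches the two mistakes that otherwise surface only as a failed bind during installation: a Base DN typed in a different form from the suffix the directory uses, and a Bind DN or Security Server ID that does not exist as an entry.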
4.4 Installing WebSphere Everyplace Access
The WebSphere Everyplace Access installation using remote Domino Directory services
requires some special considerations compared to the typical installation using
IBM SecureWay Directory services. For example:
1. When you have to select the desired WebSphere Everyplace Access
components and subcomponents to install, do not select SecureWay
Directory Server.
Note: The SecureWay Directory is the default LDAP server provided with
WebSphere Everyplace Access and can be installed locally or as a remote
server.
In this sample scenario, it is assumed that Domino Directory services have
already been installed as a remote LDAP server, and therefore you do not
need to install SecureWay Directory (Figure 4-22).
Figure 4-22 Selecting WebSphere Everyplace Access install components
2. In the LTPA Password window, you will be prompted to enter the LTPA
Password. You must enter the password of the bind user wpsbind created
previously.
3. Later in the installation, in the LDAP server type selection window, enter the
following details (Figure 4-23):
a. Select Lotus Domino Application Server.
b. LDAP Server: the address or full computer name of the Domino Server (in
this case, m23x2674.yourco.com).
c. User DN: the LDAP distinguished name of the Domino server administrator user. You
can refer to Section 4.3.4, “Obtaining the LDAP schema for the Domino
Server” on page 98 for more details.
In this scenario, the User DN is cn=wpsadmin,o=yourco.
d. User password and Confirm password: enter the password for the
administrator user specified above.
e. Suffix: the suffix for the server that has been configured. In this case,
o=yourco.
f. LDAP port number: the port the LDAP uses. In this scenario, we are using
port 386.
Figure 4-23 Selecting Domino Server as the LDAP server
4. In the next window, you must provide information about the Domino Server
configuration (Figure 4-24). You can review Section 4.3.4, “Obtaining the
LDAP schema for the Domino Server” on page 98 to obtain information about
Distinguished Names of users and groups in your Domino Server.
Figure 4-24 LDAP configuration details
Fill in the fields and click Next to continue the WebSphere Everyplace Access
installation.
5. As part of the WebSphere Everyplace Access installation, you must perform
some configurations in the Security Center of the WebSphere Application
Server. These configurations are related to LDAP settings and the
administration role for the WebSphere Application Server.
When you have to open the Security Center during the standard WebSphere
Everyplace Access installation, execute the following additional step:
– Click the Authentication tab and check the details for LDAP settings
(Figure 4-25).
Figure 4-25 Authentication tab at the WebSphere Application Server Security Center
The LDAP Settings for this sample scenario are:
– Security Server ID: the DN of the user created for security purposes. In this
case, cn=wpsbind,o=yourco.
– Security Server Password: the password for the user above.
– Host: the IP address or full DNS name of the Domino Server. In this case,
m23x2674.yourco.com.
– Directory Type: Domino 5.0.
– Port: the LDAP port. Port 386 is used in this scenario.
– Base Distinguished Name: the DN under which the Domino Server
administrator user resides. In this case, the user wpsadmin belongs to
o=yourco.
– Bind Distinguished Name: the full DN of the administrator user. In this case,
cn=wpsadmin,o=yourco.
– Bind Password: the password for the administrator user.
6. Complete the configuration of the Administration Role and the rest of the
standard WebSphere Everyplace Access installation. For details, see for
example IBM WebSphere Everyplace Access V4.1.1 Installation, REDP3587.
7. After the installation and before you start any work, you must grant the
WebSphere Everyplace Access administrator user (wpsadmin in this case) full
Manage authority over users and groups. This allows the WebSphere Everyplace
Access administrator to search for and manage users and groups. For example,
you may want to follow this procedure:
a. Log on to the WebSphere Everyplace Access server using the wpsadmin
user (or another user with administration rights).
b. Select Portal Administration.
c. Click the Security tab.
d. Click Get Users and Groups.
e. Click Search for users.
f. Type an asterisk (*) in the Name is field and click Go.
g. From the search results list, select the wpsadmin user, click Add to list
and click OK.
h. From the Select the objects for permissions drop-down menu, select
User groups and click Go.
i. From the table list, check the Select all option in the Manage column.
j. Click Save.
Figure 4-26 illustrates the new permissions for the wpsadmin user.
Figure 4-26 Adding permissions to the wpsadmin user
4.5 Sample applications
In this section, two different tasks are described to show the interoperability of
IBM WebSphere Everyplace Access and Domino Directory services.
4.5.1 Creating users in WebSphere Everyplace Access
You can add users directly from the Lotus Administration client or by using the
WebSphere Everyplace Access administration interface. The latter option is
shown here to verify that WebSphere Everyplace Access and the Domino Server
are working correctly.
1. Log on to the Portal server as the wpsadmin user.
2. Select Portal Administration.
3. Click the Users and Groups tab.
4. Click the Manage Users tab.
5. Click Create new user.
6. Enter the information for the new user and click OK (Figure 4-27).
Figure 4-27 Creating a new user
7. A message confirming the creation of the new user will appear.
8. You can validate the creation of the new user by searching for all Domino
Directory users (Figure 4-28). Type an asterisk (*) in the Name is field and
click Get users. You will see the users in Domino Server, including the new
user created, test1.
Figure 4-28 Searching users from WebSphere Everyplace Access
9. You can also view the Domino Administrator client to verify that the new user
has been created in the Domino server (Figure 4-29).
Figure 4-29 Viewing users in the Domino Administrator client
4.5.2 Configuring the LDAP Search portlet
The LDAP Search portlet allows you to search LDAP directories and obtain
information about users. This portlet is provided by the standard installation of
WebSphere Everyplace Access.
1. Log on to the WebSphere Everyplace Access server as the wpsadmin
administration user or as a user with administration rights.
2. Select the Productivity tab.
3. Click the Edit icon in LDAP Search portlet.
4. Enter the LDAP Search properties (Figure 4-30):
– Optional Display Name: a name that describes the portlet.
– Server name: the full DNS name of the LDAP server, including the LDAP
port. In this case, this is ldap://m23x2674.yourco.com:386
– Directory name: the DN suffix of the LDAP server.
– The criteria for the initial search.
Figure 4-30 Configuring the LDAP Search portlet
5. Click Save.
The LDAP Search portlet is configured and ready to perform a search in the
Domino Server (Figure 4-31).
Figure 4-31 LDAP Search portlet results
Back cover
This Redpaper will help you install, tailor and configure the
new IBM WebSphere Everyplace Access product using
Lightweight Directory Access Protocol (LDAP) directories such
as IBM SecureWay Directory, iPlanet, Microsoft Active
Directory and Domino LDAP Directory.
IBM WebSphere Everyplace Access provides the flexibility of
supporting various Lightweight Directory Access Protocol
(LDAP) directories. Although a typical installation of
WebSphere Everyplace Access will incorporate a local or
remote IBM SecureWay LDAP directory, support exists for
accessing a remote and pre-existing LDAP directory.
A basic knowledge of IBM WebSphere Everyplace Access and
LDAP directories is assumed.
For more information:
ibm.com/redbooks