LDAP Directory Services in IBM WebSphere Everyplace Access V4.1.1

Learn WebSphere Everyplace Access and Active Directory interoperability
Use Domino LDAP Services in WebSphere Everyplace Access
Everyplace Access and iPlanet integration

Juan R. Rodriguez
Gregory Mebberson
Gianfranco Rutigliano

ibm.com/redbooks
Redpaper
International Technical Support Organization

LDAP Directory Services in IBM WebSphere Everyplace Access V4.1.1
October 2002

Note: Before using this information and the product it supports, read the information in "Notices" on page v.

First Edition (October 2002)

This edition applies to Version 4, Release 1, Modification 1 of IBM WebSphere Everyplace Access for multiplatforms.

© Copyright International Business Machines Corporation 2002. All rights reserved.
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Notices  v
Trademarks  vi
Preface  vii
  The team that wrote this Redpaper  vii
  Become a published author  viii
  Comments welcome  viii
Chapter 1. IBM SecureWay Directory Services in WebSphere Everyplace Access  1
  1.1 Solution architecture  2
    1.1.1 Specifications for the sample scenario  3
  1.2 Installing IBM SecureWay Directory  3
  1.3 Installing WebSphere Everyplace Access  5
  1.4 Sample applications  9
    1.4.1 Configuring the LDAP Search portlet  9
    1.4.2 Using IBM DB2e with a remote SecureWay Directory server  11
  1.5 Recommendations, hints and tips  24
Chapter 2. iPlanet Directory Services in WebSphere Everyplace Access  25
  2.1 Solution architecture  26
    2.1.1 Specifications for the sample scenario  27
  2.2 Installing and configuring iPlanet Directory  27
    2.2.1 Installing iPlanet Directory  27
    2.2.2 Configuring iPlanet for WebSphere Everyplace Access  29
  2.3 Installing WebSphere Everyplace Access  32
  2.4 Sample applications  36
    2.4.1 Configuring the LDAP Search portlet  36
  2.5 Recommendations, hints and tips  40
Chapter 3. Active Directory Services in WebSphere Everyplace Access  41
  3.1 Active Directory overview  42
  3.2 Solution architecture  42
    3.2.1 Specifications for the scenario  43
  3.3 Installing and configuring Active Directory  43
    3.3.1 Installing Windows 2000 support and administration tools  45
    3.3.2 Verifying Active Directory server installation  46
    3.3.3 Configuring Active Directory for WebSphere Everyplace Access  48
    3.3.4 Obtaining the LDAP schema for Active Directory  53
  3.4 Installing WebSphere Everyplace Access  56
  3.5 Sample applications  63
    3.5.1 Creating users and groups in WebSphere Everyplace Access  63
    3.5.2 DB2 Everyplace synchronization using Active Directory  66
    3.5.3 Configuring the client on the Pocket PC and synchronizing  72
Chapter 4. Domino Directory Services in WebSphere Everyplace Access  77
  4.1 Lotus Domino R5 overview  78
  4.2 Solution architecture  78
    4.2.1 Specifications for the scenario  80
    4.2.2 Users and groups required in this scenario  80
  4.3 Setting up Domino Directory services  81
    4.3.1 Installing Lotus Domino server  81
    4.3.2 Installing and configuring the Domino Administration client  88
    4.3.3 Configuring LDAP services on Domino  92
    4.3.4 Obtaining the LDAP schema for the Domino Server  98
  4.4 Installing WebSphere Everyplace Access  99
  4.5 Sample applications  105
    4.5.1 Creating users in WebSphere Everyplace Access  105
    4.5.2 Configuring the LDAP Search portlet  108

© Copyright IBM Corp. 2002. All rights reserved. iii
iv LDAP Directory Services in IBM WebSphere Everyplace Access V4.1.1

Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing, IBM Corporation, North Castle Drive Armonk, NY 10504-1785 U.S.A.

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors.
Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrates programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.

Trademarks

The following terms are trademarks of the International Business Machines Corporation in the United States, other countries, or both:
IBM eServer(TM), IBM(R), Redbooks(TM), Redbooks (logo)(TM), DB2(R), DB2 Universal Database(TM), Everyplace(TM), SecureWay(R), WebSphere(R)

The following terms are trademarks of International Business Machines Corporation and Lotus Development Corporation in the United States, other countries, or both:
Lotus(R), Word Pro(R), Lotus Notes(R), Notes(R), Domino(TM)

The following terms are trademarks of other companies:

ActionMedia, LANDesk, MMX, Pentium and ProShare are trademarks of Intel Corporation in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

C-bus is a trademark of Corollary, Inc. in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

SET, SET Secure Electronic Transaction, and the SET Logo are trademarks owned by SET Secure Electronic Transaction LLC.

Other company, product, and service names may be trademarks or service marks of others.
Preface

This Redpaper will help you install, tailor and configure the new IBM WebSphere Everyplace Access product using Lightweight Directory Access Protocol (LDAP) directories such as IBM SecureWay Directory, iPlanet, Microsoft Active Directory and Domino LDAP Directory.

IBM WebSphere Everyplace Access provides the flexibility of supporting various Lightweight Directory Access Protocol (LDAP) directories. Although a typical installation of WebSphere Everyplace Access will incorporate a local or remote IBM SecureWay LDAP directory, support exists for accessing a remote and pre-existing LDAP directory.

A basic knowledge of IBM WebSphere Everyplace Access and LDAP directories is assumed.

The team that wrote this Redpaper

This Redpaper was produced by a team of specialists from around the world working at the International Technical Support Organization, Raleigh Center.

Juan R. Rodriguez is a Consulting IT professional at the IBM ITSO Center, Raleigh. He received his Master of Science degree in Computer Science from Iowa State University. He writes extensively and teaches IBM classes worldwide on such topics as networking, Web technologies, and information security. Before joining the IBM ITSO, he worked at the IBM laboratory in the Research Triangle Park (North Carolina, USA) as a designer and developer of networking products.

Gregory Mebberson is a software developer in IBM Global Services in Sydney, Australia. He has seven years of experience in developing customer solutions using Lotus Notes and other applicable technology, and has a Bachelor of Applied Science from Chisholm Institute of Technology, Melbourne, Australia. He has co-authored several IBM Redbooks.

Gianfranco Rutigliano holds a degree in Systems Engineering from the University of Lima (Peru) and is a member of the Application Management Services (AMS) group in IBM Global Services, working in e-business projects and related Internet technologies. He has worked in e-marketplace and home-banking implementation systems using Java technologies. Currently he is involved in wireless application solution projects using PDAs.

Thanks to the following people for their contributions to this project:

Margaret Ticknor
International Technical Support Organization, Raleigh Center

Al Chakra, Darren M. Childress, Jim Brancato, Charlene Frazier
IBM Research Triangle Park, North Carolina, USA

Become a published author

Join us for a two- to six-week residency program! Help write an IBM Redbook dealing with specific products or solutions, while getting hands-on experience with leading-edge technologies. You'll team with IBM technical professionals, Business Partners and/or customers.

Your efforts will help increase product acceptance and customer satisfaction. As a bonus, you'll develop a network of contacts in IBM development labs, and increase your productivity and marketability.

Find out more about the residency program, browse the residency index, and apply online at:
ibm.com/redbooks/residencies.html

Comments welcome

Your comments are important to us!

We want our papers to be as helpful as possible. Send us your comments about this Redpaper or other Redbooks in one of the following ways:

Use the online Contact us review redbook form found at:
ibm.com/redbooks

Send your comments in an Internet note to:
redbook@us.ibm.com

Mail your comments to:
IBM Corporation, International Technical Support Organization
Dept. HZ8 Building 662
P.O. Box 12195
Research Triangle Park, NC 27709-2195

Chapter 1.
IBM SecureWay Directory Services in WebSphere Everyplace Access

WebSphere Everyplace Access provides the flexibility of supporting various Lightweight Directory Access Protocol (LDAP) directories. The default LDAP directory is IBM SecureWay Directory. A typical installation of WebSphere Everyplace Access could incorporate a local SecureWay LDAP directory. However, support exists for accessing a remote, pre-existing LDAP directory. In this chapter, we will discuss how to install and configure WebSphere Everyplace Access using such a remote IBM SecureWay Directory server.

An installation may be required to use a remote LDAP directory if the customer wishes to utilize an established LDAP directory in order to keep directory information in a single repository. This chapter will highlight the differences encountered when using a remote directory server. For a complete installation of WebSphere Everyplace Access with a local IBM SecureWay Directory server, see the Redpaper IBM WebSphere Everyplace Access V4.1.1 Installation, REDP3587.

1.1 Solution architecture

The sample scenario shown in this chapter documents an installation of WebSphere Everyplace Access using a remote IBM SecureWay Directory.

Figure 1-1 Typical scenario layout using a remote IBM SecureWay LDAP Directory (diagram: a Windows 2000 Server, m23x3072.yourco.com, runs SecureWay Directory V3.2.2 listening on port 387; a second Windows 2000 Server, m23vnx78.yourco.com, runs WebSphere Everyplace Access V4.1.1 with WebSphere Application Server V4.0.1, DB2 and IBM HTTP Server, and reaches the directory over LDAP; a Pocket PC running Everyplace client V8.1 and a desktop browser reach the Everyplace Access server over HTTP)

1.1.1 Specifications for the sample scenario

Specifications for the sample scenario included in this chapter are shown in Table 1-1.
Table 1-1 Sample scenario specifications

Role                 | WebSphere Everyplace Access Application Server | SecureWay Directory Server
Machine DNS Name     | m23vnx78.yourco.com                            | m23x3072.yourco.com
Operating System     | Windows 2000 Server Service Pack 2             | Windows 2000 Server Service Pack 2
Domain               | yourco.com                                     | yourco.com
Additional Software  | IBM WebSphere Everyplace Access V4.1.1         | IBM SecureWay Directory Server V3.2.2, eFix 3.2.2-SWD-002

1.2 Installing IBM SecureWay Directory

To set up the environment, you will first need to install and configure IBM SecureWay Directory. It is important to create the required users and groups in the LDAP directory before installing WebSphere Everyplace Access.

To install IBM SecureWay Directory, you will use the installation disk for IBM WebSphere Everyplace Access for Windows, Version 4.1.1 and select only SecureWay Directory Server. The SecureWay Directory Server also requires the IBM HTTP Server and DB2 Universal Database Server, and these are automatically installed.

During the installation process, you are prompted for the directory suffix information. For this sample scenario environment, you will enter the information as shown below (see Figure 1-2).

Note: In this sample scenario, the SecureWay Directory Server will be installed listening on port 387, but it is recommended that you use the default port of 389.

Figure 1-2 Configuring SecureWay Directory

Once the directory server is running, you will import the LDIF file that creates the desired schema. It is important to verify that the required administration users and groups were created; creating some users for testing is also important. The required users and groups are:

wpsadmin   Portal administration user.
wpsbind    Used to access the LDAP directory.
wpsadmins  The portal administrators group.
Important: The SecureWay Directory Management Tool configuration file, dmt.conf, needs to be modified if running LDAP on another port, or if accessing a remote directory.

Tip: To check that the directory server is running, and also to confirm the schema, you can use the ldapsearch command. See Example 1-1 on page 6 for the results of a query on our directory server.

1.3 Installing WebSphere Everyplace Access

Installing WebSphere Everyplace Access with a remote directory server requires the following to be done during the standard install process.

First, when choosing components, ensure that the SecureWay Directory Server is not selected (Figure 1-3).

Figure 1-3 Select only the required WebSphere components

Later in the installation, when selecting the LDAP server type, choose SecureWay Directory, and enter the name of the directory server, in our case, m23x3072.yourco.com. Since our SecureWay Directory Server is listening on port 387, you also need to change the LDAP port number from the default value of 389.

Figure 1-4 Selecting SecureWay Directory as the LDAP server

Next, you need to supply the distinguished names for the LDAP users, groups and administrators. If required, the ldapsearch command can be used to confirm schema details, as shown below in Example 1-1.

Example 1-1 Using ldapsearch to confirm LDAP schema

    C:\>ldapsearch -h m23x3072 -p 387 -D cn=wpsadmin -w wpsadmin -b dc=yourco,dc=com cn=* dn
    cn=users, dc=yourco, dc=com
    cn=groups,dc=yourco,dc=com
    uid=wpsadmin,cn=users,dc=yourco,dc=com
    uid=wpsbind,cn=users,dc=yourco,dc=com
    cn=wpsadmins,cn=groups,dc=yourco,dc=com
    uid=Kelly,cn=users,dc=yourco,dc=com
    uid=Greg,cn=users,dc=yourco,dc=com
    ...
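Example 1-1 returns one DN per entry under the suffix. The script below is an added example, not code from the Redpaper or the product: it parses such a DN list, derives the User DN prefix/suffix and Group DN prefix/suffix values that the installer asks for (and the Directory Name the LDAP Search portlet needs), checks that every entry of one kind shares the same prefix and suffix, and reports any of the required wpsadmin, wpsbind or wpsadmins entries that are absent. SAMPLE_OUTPUT is constructed to mirror Example 1-1, and the container names cn=users and cn=groups are assumptions taken from this scenario's schema. One caveat worth keeping in mind when running the real command: a bind password passed with -w is visible in the console history and the process list, so keep such checks to an administrator's session.

```python
"""Derive WebSphere Everyplace Access LDAP settings from an ldapsearch DN list.

Added example, not part of the Redpaper.  Feed check_schema() the output of
"ldapsearch ... -b <suffix> cn=* dn" to verify a real server; SAMPLE_OUTPUT
below is a constructed stand-in shaped like Example 1-1.
"""

# Constructed sample output (DN only, one per line, trailing '...' as printed).
SAMPLE_OUTPUT = """\
cn=users, dc=yourco, dc=com
cn=groups,dc=yourco,dc=com
uid=wpsadmin,cn=users,dc=yourco,dc=com
uid=wpsbind,cn=users,dc=yourco,dc=com
cn=wpsadmins,cn=groups,dc=yourco,dc=com
uid=Kelly,cn=users,dc=yourco,dc=com
uid=Greg,cn=users,dc=yourco,dc=com
...
"""

# Entries section 1.2 says must exist before WebSphere Everyplace Access is installed.
REQUIRED = {"wpsadmin", "wpsbind", "wpsadmins"}


def split_rdns(dn):
    """Split a DN into RDN strings.  A comma preceded by a backslash belongs to
    the value (RFC 4514 escaping), so 'cn=Doe\\, Jane,cn=users,...' stays whole;
    whitespace after a separator, as in 'cn=users, dc=yourco', is dropped."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return [r for r in rdns if r]


def prefix_and_suffix(dn):
    """Return (prefix attribute, normalised suffix DN) for an entry DN."""
    rdns = split_rdns(dn)
    attr = rdns[0].partition("=")[0].strip().lower()
    return attr, ",".join(rdns[1:])


def rdn_value(dn):
    """Return the value of the leading RDN, e.g. 'wpsadmin' for uid=wpsadmin,..."""
    return split_rdns(dn)[0].partition("=")[2].strip()


def parse_dns(output):
    """Keep the DN lines of the output; blank lines and the '...' marker are dropped."""
    lines = (line.strip() for line in output.splitlines())
    return [line for line in lines if line and line != "..."]


def check_schema(output, users_container="cn=users", groups_container="cn=groups"):
    """Classify entries by the container directly above them, confirm that all
    users (and all groups) share one prefix/suffix pair, and list which of the
    required names are missing.  Container names are scenario assumptions."""
    users, groups = [], []
    for dn in parse_dns(output):
        rdns = split_rdns(dn)
        if len(rdns) < 2:
            continue
        parent = rdns[1].replace(" ", "").lower()
        if parent == users_container:
            users.append(dn)
        elif parent == groups_container:
            groups.append(dn)
    user_pairs = {prefix_and_suffix(d) for d in users}
    group_pairs = {prefix_and_suffix(d) for d in groups}
    if len(user_pairs) != 1 or len(group_pairs) != 1:
        raise ValueError("user or group entries do not share a single DN prefix/suffix")
    (user_prefix, user_suffix), = user_pairs
    (group_prefix, group_suffix), = group_pairs
    found = {rdn_value(d).lower() for d in users + groups}
    return {
        "user_dn_prefix": user_prefix,
        "user_dn_suffix": user_suffix,
        "group_dn_prefix": group_prefix,
        "group_dn_suffix": group_suffix,
        # Naming context above the containers: the portlet's "Directory Name".
        "directory_name": ",".join(split_rdns(user_suffix)[1:]),
        "missing": sorted(REQUIRED - found),
    }


if __name__ == "__main__":
    for key, value in check_schema(SAMPLE_OUTPUT).items():
        print(f"{key}: {value}")
```

A non-empty "missing" list means the LDIF import of section 1.2 did not complete, and the ValueError fires when entries under one container use different naming attributes, which would make a single prefix/suffix pair in the installer's LDAP Configuration panel wrong for some users.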
Selecting one of the user records returned, you can determine the User DN prefix, as well as the User DN suffix. For example, given the following record:

    uid=wpsadmin,cn=users, dc=yourco,dc=com

you can see the User DN prefix is uid, and the User DN suffix is cn=users, dc=yourco,dc=com

Similarly, looking at a group entry:

    cn=wpsadmins,cn=groups, dc=yourco,dc=com

the Group DN prefix is cn, and the Group DN suffix is cn=groups, dc=yourco,dc=com

Using the results from the example above, you can then confirm the details in the LDAP Configuration panel.

Figure 1-5 Confirming LDAP configuration details

After clicking Next, you will be required to enter the directory in which the SecureWay Directory client will be installed. Following this, continue with the installation process. You will be prompted to configure the administration role for the WebSphere Application Server. For details, see the Redpaper IBM WebSphere Everyplace Access V4.1.1 Installation, REDP3587.

In the Security Center of the Administrator's Console, confirm the details on the Authentication tab (Figure 1-6). The LDAP Settings field entries should correspond to the remote Directory server, in our case, m23x3072.yourco.com, port 387.

Figure 1-6 Confirming the LDAP settings in the Administrator's Console

Selecting the Administrative Role tab, assign users and groups to the AdminRole, as shown in Figure 1-7.

Figure 1-7 Assigning users and groups to the AdminRole

1.4 Sample applications

Included with IBM WebSphere Everyplace Access are two applications that you can use to illustrate how WebSphere Everyplace Access and IBM SecureWay Directory are easily integrated.
First, you will configure the LDAP Search portlet and search the directory for a specific user, and secondly, you will use the DB2 Everyplace sample application, Visiting Nurse, to show a more complex scenario involving IBM SecureWay Directory.

1.4.1 Configuring the LDAP Search portlet

As part of the default WebSphere Everyplace Access installation, an LDAP search portlet is provided. This allows portal users to search the LDAP directory, returning such information as department, telephone number and e-mail address. Initially, the portlet contains no LDAP directory server information, and needs to be configured.

To access and configure the portlet:

1. Select the Productivity page from WebSphere Everyplace Access Home.
2. Click the Edit button in the title bar to display the settings for the LDAP search.
3. Enter the LDAP server name. If your LDAP is not installed on the default port of 389, you will also need to specify the port number. In our case, this is m23x3072.yourco.com:387
4. Enter the Directory Name. This matches your LDAP schema, for example dc=yourco,dc=com
   If desired, you can also change some of the search parameters.

Figure 1-8 Entering required directory information for the LDAP Search portlet

5. Click Save to complete the configuration.

With the portlet configured, you can now search the LDAP, with a typical result shown in Figure 1-9.

Figure 1-9 Typical LDAP search results

1.4.2 Using IBM DB2e with a remote SecureWay Directory server

In this example, you will use IBM DB2 Everyplace with a remote IBM SecureWay Directory server.

Note: The application used in this sample scenario, Visiting Nurse, is supplied with DB2 Everyplace.
This example shows how to configure the server and Pocket PC for this application; a more in-depth look at DB2 Everyplace can be found in the Redpaper Relational Database Synchronization in IBM WebSphere Everyplace Access V4.1.1, REDP3590.

First, you will need to create a synchronization group. The members of this group are all users who need to synchronize with the DB2 Everyplace Sync Server. In this sample scenario, the default synchronization group name SyncGroup is used. For example:

1. Create a user group called SyncGroup.
   a. From Portal Administration, select the Users and Groups page and click the Manage User Groups tab.
   b. In the Group name field, type SyncGroup and click Create Group.
2. Add all your users to the group who will be using DB2 Everyplace.
   a. With SyncGroup highlighted in the User Groups pane, click Membership.
   b. Search for either the users or groups you wish to add, then highlight the entries in the Search Results pane, and click Add to Group. The names and groups should now appear in the Members Belonging to Group -- SyncGroup pane (Figure 1-10). Figure 1-11 shows the same group, as displayed via the SecureWay Directory Management Tool (DMT).
   c. When all required users and groups are added, click OK to save the group.

Figure 1-10 All the required users are added to the SyncGroup via the portal

Figure 1-11 The same 'syncgroup' as viewed via the SecureWay DMT

The next element required for synchronization is the DB2e group. Since you are using the sample application Visiting Nurse, you will choose to create a group as described here. The naming convention requires the group to start with DB2e.

3. Create a DB2e group called DB2e_Nurse. Following a similar sequence as in step 1 above, create a group called DB2e_Nurse.
4. Populate the group with the users and groups who will be using your DB2e application. Follow the steps for populating a group as shown above in step 2. When completed, it will look similar to Figure 1-12.

Figure 1-12 DB2e_Nurse membership

With the synchronization and DB2e groups populated, you will need to create the subscriptions using the Mobile Devices Administration Center (MDAC).

Tip: When starting MDAC, ensure that you are logged in with sufficient DB2 access rights.

5. Click Start -> Programs -> IBM Everyplace Synchronization Server -> Launch MDAC. Log in specifying your WebSphere Portal Server LDAP logon, wpsadmin, and your Everyplace Synchronization group that you created in step 1 on page 11, SyncGroup. This will then connect via a SOAP RPC to the SecureWay Directory server for authentication (Figure 1-13).

Figure 1-13 Connecting to MDAC specifying the Sync group

Once MDAC has loaded, verify the DB2e groups and users have been imported. To do this:

6. Click Groups. The DB2e_Nurse group should be present, as shown below in Figure 1-14.

Figure 1-14 Verifying the required groups are available in MDAC

7. Click Users. All the users who are members of SyncGroup will appear in this folder. After you have created a subscription, and the users have connected, this view will also show their device type and device ID. See Figure 1-20 on page 20 to see where this is configured.

Figure 1-15 Verifying the users are imported into MDAC

Next, you will need to create a subscription which will enable our users to connect to the database tables you specify. The Visiting Nurse sample application provides a suitable JDBC subscription; all you need to do is link it to the DB2e group.
At this time, you can confirm the details of the supplied subscription:

   a. Click the Subscriptions folder.
   b. Right-click JDBCSUB1 and select Edit....
   c. On the Identification tab, click Define subscription...; you can see what tables will be synchronized (Figure 1-16).
   d. Click Cancel to close the pop-up window.

Figure 1-16 Determining the tables that are synchronized

   e. Select the Source tab; in the Database URL field, it shows the VNURSE database is the source database for this subscription.

Figure 1-17 Confirming the source database

   f. On the Subscription sets tab, confirm that the subscription set SUBSCRIPTION_SET1 is in the right hand pane.

Figure 1-18 Assigning a subscription set to a subscription

   g. Click Cancel to close the subscription. If you made any changes you wish to keep, click OK.

Next, you will need to assign the DB2e group to the subscription set assigned to the Visiting Nurse database.

8. Click the Subscription sets folder.
9. Right-click SUBSCRIPTION_SET1 and select Edit...
10. On the Groups tab, from the Available Groups pane, highlight DB2e_Nurse and click > to move it into the Selected Groups pane, as shown below.

Figure 1-19 Assigning our DB2e group to the subscription set

11. Click OK to close the subscription set dialog box.

Now that you have completed the subscription, you will need to configure the client on the Pocket PC.

12. Start the Everyplace client, and the User Options panel will be displayed. If the user options are not displayed, you can view the user options by clicking Tools -> User Options.
13. Enter the WebSphere Everyplace Access information. You will need to enter a user ID that exists in the SyncGroup, as created in step 2 on page 12.
14. Click OK to close the panel.
Next, you will need to confirm the DB2 Everyplace Sync information. This is automatically populated with the User Options entered previously.

15. Highlight DB2 Everyplace Sync and from the menu, select Tools -> Configure. On this panel, you can configure the User ID and password, as well as the Device ID. The supplied values are acceptable, and the User ID specified here must belong to a DB2e group. Our user is a member of the DB2e_Nurse group, as created earlier in step 4 on page 13.
16. Click the Subscription List tab. This list is empty since you have not yet completed a synchronization.
17. Click OK to close the DB2 Everyplace Sync panel.

Figure 1-20 Steps to configure the Everyplace Client on the Pocket PC

18. To initiate a synchronization, click the Execute button. Once the synchronization is completed, the status is updated, as shown below.

Figure 1-21 Completion of a successful synchronization

Now you can check the Subscription List tab, and confirm that SUBSCRIPTION_SET1 is shown.

19. Click Tools -> Configure, and select the Subscription List tab. You can see that SUBSCRIPTION_SET1 was correctly added to the list.

Figure 1-22 Confirming the synchronization picked up the subscription

This successful synchronization will also have updated our Users view in MDAC with the device type, device ID and the version of Everyplace Sync client.

20. If required, restart the MDAC application as shown in Step 5 on page 14.
21. Click the Users folder in MDAC. You can see that the details for our user Kelly have been updated.

Figure 1-23 User details in MDAC showing a user that has connected

Now that the Pocket PC device is synchronizing, you can use the Visiting Nurse sample application to confirm that data entered on the Pocket PC is getting synchronized with the DB2 database.

22. Start the Visiting Nurse application on the Pocket PC.
   a. Click Start, and select Programs.
   b. Open the DB2 Everyplace Samples folder and click VNurse.
23. Select a patient, and create a new medical record. An example is shown in Figure 1-24. To do this:
   a. Highlight a patient's name and click the Info button.
   b. On the Personal Information page, click the Records button.
   c. Add a new medical record by clicking Add.
   d. Once you have filled out the record, click Save.

Figure 1-24 Creating a record in the Visiting Nurse application

24. Close the Visiting Nurse application.
25. Start the Everyplace client and initiate a synchronization.
   a. Click Start and select Everyplace Client from the menu.
   b. Click the Execute button.

Upon successful completion of the synchronization, the records will be replicated to the source database as defined in the JDBC subscription. One method to confirm that the new record was added to the DB2 database is to sample the table contents using the IBM DB2 Control Center as shown in Figure 1-25 below.

Figure 1-25 The new record in the DB2 database after synchronization

Observation: IBM Directory Server provides a powerful LDAP infrastructure built on the reliable IBM DB2 Universal Database engine, which scales to tens of millions of entries and to groups with hundreds of thousands of members.

1.5 Recommendations, hints and tips

A critical element when installing WebSphere Everyplace Access is understanding the LDAP directory schema.
You need to know both the User DN prefix and suffix and the Group DN prefix and suffix. You also need to confirm that the User DN and password used when selecting the LDAP server type are correct. This can be checked using the ldapsearch command (Example 1-1 on page 6).

More information on IBM SecureWay Directory is available in the documentation provided with the software. The Getting Started guide, as well as the server and client readme files, can be viewed by clicking Start -> Programs -> IBM SecureWay Directory. The Getting Started guide also provides further links to product documentation.

Chapter 2. iPlanet Directory Services in WebSphere Everyplace Access

In this chapter, we discuss how WebSphere Everyplace Access can be integrated with an existing iPlanet directory server using the Lightweight Directory Access Protocol (LDAP). The incorporation of LDAP support in IBM WebSphere Everyplace Access allows both user and group information to remain in a pre-existing iPlanet Directory Server, while keeping the same interface and functionality in WebSphere Everyplace Access.

We cover a typical scenario, stepping through how the iPlanet Directory is configured and how WebSphere Everyplace Access is installed to access this LDAP directory. We also cover how to configure the LDAP Search portlet, which is installed by default with WebSphere Everyplace Access.

This chapter covers only the areas where information specific to supporting iPlanet applies. Once the servers are set up and configured, user and group management is unaffected by the underlying LDAP directory server, and thus is not covered.

2.1 Solution architecture
The sample scenario shown in this chapter documents an installation of WebSphere Everyplace Access using an iPlanet Directory for the management of the portal's users and groups.
As illustrated in Figure 2-1, the iPlanet Directory Server is hosted on a separate server from WebSphere Everyplace Access.

[Figure 2-1: Windows 2000 Server hosting iPlanet Directory Server V5.1 (m23x2501.itso.ral.ibm.com, port 388, LDBM); Windows 2000 Server hosting WebSphere Everyplace Access V4.1.1, WebSphere Application Server V4.0.1 and IBM HTTP Server (m23vnx78.itso.ral.ibm.com); Pocket PC Everyplace client V8.1 and desktop browser connecting over HTTP]
Figure 2-1 iPlanet Directory Server solution architecture

Since iPlanet Directory Server provides global directory services, it can be used by many applications that implement LDAP, and can serve as a single repository for directory information. An iPlanet Directory Server installation includes the directory, the LDAP server-side software, and a user interface for managing and searching entries in the directory.

2.1.1 Specifications for the sample scenario
Specifications for the sample scenario included in this chapter are shown in Table 2-1.

Table 2-1 Sample scenario specifications
Role                  WebSphere Everyplace Access Application Server   iPlanet Directory Server
Machine DNS Name      m23vnx78.itso.ral.ibm.com                        m23x2501.itso.ral.ibm.com
Operating System      Windows 2000 Server Service Pack 2               Windows 2000 Server Service Pack 2
Domain                itso.ral.ibm.com                                 itso.ral.ibm.com
Additional Software   IBM WebSphere Everyplace Access V4.1.1           iPlanet Directory Server V5.1

2.2 Installing and configuring iPlanet Directory
In this section, a sample iPlanet installation and configuration are included.

2.2.1 Installing iPlanet Directory
A typical iPlanet server install is shown in this section. The iPlanet product is installed using most of the default settings and directories. The installation steps follow, with screen shots showing information specific to this environment where appropriate.

Note: The iPlanet Directory Server is installed here listening on port 388 to avoid conflicts with other LDAP servers.
However, a typical installation would probably use the default port 389.
1. Log in to the server as a user with administrator privileges.
2. Run the setup program and, after viewing the Welcome window, click Next to continue.
3. When prompted, select iPlanet Server installation.
4. Next, choose a Typical installation.
5. Accept the default directory for the installation, and continue.
6. Select the required components and continue.
Note: In this sample installation, all components are selected.
7. For the configuration directory, select This instance will be the configuration directory server. If this directory server is not the configuration directory server, select the configuration directory at this point. The configuration server must be running for the installation to continue.
8. Choose the default entry Store data in this directory server. The option for storing data in another directory server is used if this instance is a configuration server only.
9. Next, enter the server settings (Figure 2-2). For Server Identifier, choose the default; in this case it is our machine hostname, m23x2501. The server port, normally the default of 389, is suitable, but in this sample installation port 388 is used. The suffix should correspond to your Internet DNS name; in this case, it is dc=itso,dc=ral,dc=ibm,dc=com. Click Next to continue.

Figure 2-2 Server settings for our iPlanet Directory server

10. For the Configuration Directory Administrator ID and password, enter the user name and password you will use when logging in to the iPlanet Console.
11. For the Administration domain, accept the default value, in this case itso.ral.ibm.com (Figure 2-3). Since you only have one instance of the iPlanet server, you do not need to be concerned with establishing other administrative domains.
Figure 2-3 Setting the Administration domain

12. For the Directory Manager DN, accept the suggested value, cn=Directory Manager, and enter a suitable password.
13. For the Administrative port selection, again accept the default value.
14. Following this, the summary is displayed. Click Install when you are ready to begin the product installation.

At the completion of the installation, the product has built a basic directory tree that contains server-related data. In order to use the iPlanet directory server with WebSphere Everyplace Access, you will need to configure iPlanet as described in 2.2.2, “Configuring iPlanet for WebSphere Everyplace Access” on page 29.

More information about the deployment and installation of iPlanet Directory Server V5.1 can be found at the Sun Product Documentation Library at:
http://docs.sun.com/?q=iplanet&p=/coll/S1_ipDirectoryServer_51

2.2.2 Configuring iPlanet for WebSphere Everyplace Access
Once the iPlanet directory service is running, you will need to create some entries for administrators and user groups. These must be created before installing WebSphere Everyplace Access.
1. Start the iPlanet Console.
a. Click Start -> Programs -> iPlanet Server Products -> iPlanet Console 5.1.
b. Log in using the Configuration Directory Administrator ID defined during installation step 10 on page 28.
2. Create a user record for wpsadmin.
a. Click the Users and Groups tab.
b. From the menu, select User -> Create -> User....
c. From the Select Organizational Unit dialog box, highlight People and click OK. When selecting the organizational unit in which to create the user, a useful feature is a pop-up showing the DN of the unit highlighted. Figure 2-4 confirms the structure when adding a user to the directory.
Alternatively, clicking Show DNs will display each organizational unit as its distinguished name.

Figure 2-4 Schema pop-up confirming directory structure

d. In the Create User dialog box, enter the details for the wpsadmin user. This is the user you will use for portal administration (Figure 2-5).
Tip: Make sure the User ID is wpsadmin. When generating the User ID, iPlanet combines the first letter of the first name with the last name; in this example, it would create wwpsadmin. You will need to correct the generated default User ID.

Figure 2-5 Creating the wpsadmin user in iPlanet

3. Create a user record for wpsbind. Follow the same steps as you did when creating the wpsadmin user above.
4. Create an administrators group, wpsadmins, and add wpsadmin and wpsbind as members.
a. Click the Users and Groups tab.
b. From the menu, select User -> Create -> Group....
c. From the Select Organizational Unit dialog box, highlight Groups and click OK.
d. In the Create Group dialog box, enter wpsadmins as the group name, as well as a suitable description.
e. In the left-hand pane, click Members.
f. Click Add; this will bring up a window for searching users and groups.
g. Click Search; when complete, highlight wpsadmin and wpsbind and click OK.
h. With both users added (Figure 2-6), click OK to finish creating the group.

Figure 2-6 Adding the wpsadmin and wpsbind users to the portal administrators group

With these users and groups in the LDAP directory, you can now begin the installation of WebSphere Everyplace Access.

2.3 Installing WebSphere Everyplace Access
Installing WebSphere Everyplace Access with a remote iPlanet Directory Server requires only minimal changes from the typical installation (see the Redpaper IBM WebSphere Everyplace Access V4.1.1 Installation, REDP3587).
1. When selecting which components to install, ensure that SecureWay Directory Server is not selected (Figure 2-7). The installation of the local LDAP is not required, as in this case the LDAP directory is provided by the iPlanet Directory Server.

Figure 2-7 Select only the required WebSphere components

2. Later in the installation, you are prompted for the LDAP server type (Figure 2-8). Select iPlanet and enter the details of your server, as shown below:
a. LDAP Server: the address of your iPlanet Directory Server. For example: m23x2501.itso.ral.ibm.com
b. User DN: this corresponds to the administrator details selected when configuring the iPlanet Directory Server (see installation step 10 on page 28). For example: uid=administrator,ou=administrators,ou=TopologyManagement,o=NetscapeRoot
c. User password: enter and confirm the password for the user specified above.
d. Suffix: the suffix for your iPlanet Directory Server. This was specified during the iPlanet Directory Server installation, step 9 on page 28. In this example, it is dc=itso,dc=ral,dc=ibm,dc=com.
e. LDAP port: the port the LDAP server is using. This is the port value entered during the iPlanet Directory Server installation (see step 9 on page 28), for example port 388.

Figure 2-8 Selecting iPlanet as the LDAP server

3. In the next window, you will be prompted for the LDAP configuration information (Figure 2-9). This must match your LDAP directory schema.
You can confirm this information by executing the ldapsearch command, as shown in Example 2-1.

Example 2-1 Using ldapsearch to confirm LDAP schema
c:\>ldapsearch -h m23x2501 -p 388 -D uid=administrator,ou=administrators,ou=TopologyManagement,o=NetscapeRoot -w password -b dc=itso,dc=ral,dc=ibm,dc=com cn=* dn
uid=wpsadmin,ou=People, dc=itso,dc=ral,dc=ibm,dc=com
uid=wpsbind,ou=People, dc=itso,dc=ral,dc=ibm,dc=com
cn=wpsadmins,ou=Groups, dc=itso,dc=ral,dc=ibm,dc=com
uid=Kelly,ou=People, dc=itso,dc=ral,dc=ibm,dc=com
uid=Greg,ou=People, dc=itso,dc=ral,dc=ibm,dc=com
...

Selecting one of the user records returned, you can determine the User DN prefix as well as the User DN suffix. For example, given the following record:
uid=wpsadmin,ou=People, dc=itso,dc=ral,dc=ibm,dc=com
we can see that the User DN prefix is uid, and the User DN suffix is ou=People, dc=itso,dc=ral,dc=ibm,dc=com.

Similarly, looking at a group entry:
cn=wpsadmins,ou=Groups, dc=itso,dc=ral,dc=ibm,dc=com
the Group DN prefix is cn, and the Group DN suffix is ou=Groups, dc=itso,dc=ral,dc=ibm,dc=com.

Using results similar to those shown in the example, the LDAP configuration information can be confirmed, and the installation can continue by clicking Next.

Figure 2-9 Confirming LDAP configuration details

During the installation, you will be prompted to configure the administration role for the WebSphere Application Server. This is completed as in the standard installation; checking the Authentication tab in the Security Centre, you should see the correct details in the LDAP Settings fields (Figure 2-10).

Figure 2-10 Confirming the LDAP settings in the Administrator’s Console

Once the installation process is complete, WebSphere Everyplace Access will be running and will be using the iPlanet Directory server for user authentication and for managing user and group information.
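The prefix and suffix derivation described for Example 2-1 is mechanical enough to script, and it is worth scripting when a directory holds more than a handful of entries. The following Python program is an example added here; it is not part of the Redpaper and not a tool shipped with WebSphere Everyplace Access, iPlanet or Active Directory. It reads DN lines as ldapsearch prints them in Example 2-1, or "dn:" lines from an LDIF export such as the ldifde output shown in Chapter 3, splits each DN into its RDNs, derives the DN prefix and suffix for every container seen, and checks a candidate DN against the prefix and suffix you intend to type into the installer. The sample input is constructed: it reuses the five DNs of Example 2-1 and adds two Active Directory style "dn:" lines modelled on the Chapter 3 DNs plus one base64 "dn::" line, of the kind LDAP clients emit for non-ASCII values, to show how that case is handled. All function names are the example's own.

```python
"""Derive and check the User/Group DN prefix and suffix from LDAP search output.

Added example (not from the Redpaper). The "prefix" is the attribute type of
the leftmost RDN (uid, cn), the "suffix" is everything to its right, which is
exactly what the WebSphere Everyplace Access installer asks for.
"""
import base64
import re
from collections import Counter, defaultdict

# Constructed input: the DN lines of Example 2-1, followed by three lines added
# for this example (two Active Directory style "dn:" lines modelled on
# Chapter 3 and one base64 "dn::" line as clients emit for non-ASCII values).
_B64_DN = base64.b64encode(
    "uid=José,ou=People,dc=itso,dc=ral,dc=ibm,dc=com".encode("utf-8")
).decode("ascii")

SAMPLE_OUTPUT = f"""\
uid=wpsadmin,ou=People, dc=itso,dc=ral,dc=ibm,dc=com
uid=wpsbind,ou=People, dc=itso,dc=ral,dc=ibm,dc=com
cn=wpsadmins,ou=Groups, dc=itso,dc=ral,dc=ibm,dc=com
uid=Kelly,ou=People, dc=itso,dc=ral,dc=ibm,dc=com
uid=Greg,ou=People, dc=itso,dc=ral,dc=ibm,dc=com
...
dn: CN=wpsadmin,CN=Users,DC=yourco,DC=com
dn: CN=wpsadmins,CN=Users,DC=yourco,DC=com
dn:: {_B64_DN}
"""


def rdns(dn):
    """Split a DN into (type, value) pairs, left to right.

    Splits on commas that are not escaped with a backslash (RFC 4514 allows
    "\\," inside a value) and lower-cases the attribute type so that
    "CN=Users" and "cn=Users" compare equal. Multi-valued RDNs ("+") are
    not handled; neither the book's iPlanet nor its AD DNs use them.
    """
    result = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"not an RDN: {part!r} in {dn!r}")
        result.append((attr.strip().lower(), value.strip()))
    return result


def prefix_and_suffix(dn):
    """Return (prefix, suffix) in the installer's sense, e.g.
    ("uid", "ou=People,dc=itso,dc=ral,dc=ibm,dc=com")."""
    parts = rdns(dn)
    if len(parts) < 2:
        raise ValueError(f"DN has no suffix: {dn!r}")
    suffix = ",".join(f"{attr}={value}" for attr, value in parts[1:])
    return parts[0][0], suffix


def extract_dns(text):
    """Yield DNs from bare 'dn' output or from LDIF: decodes 'dn::' base64
    lines, strips the 'dn:' label, ignores blanks and the '...' used to
    elide output in the book."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "...":
            continue
        if line.lower().startswith("dn::"):
            yield base64.b64decode(line[4:].strip()).decode("utf-8")
        elif line.lower().startswith("dn:"):
            yield line[3:].strip()
        else:
            yield line


def summarize(text):
    """Map each suffix to a Counter of the prefixes seen under it. A suffix
    with more than one prefix cannot be described by the installer's single
    prefix/suffix pair, so it is worth spotting before the installation."""
    summary = defaultdict(Counter)
    for dn in extract_dns(text):
        prefix, suffix = prefix_and_suffix(dn)
        summary[suffix][prefix] += 1
    return dict(summary)


def matches(dn, prefix, suffix):
    """True if dn has the given prefix and suffix. Attribute types and values
    are compared case-insensitively (ou, cn and dc use caseIgnoreMatch), and
    spacing after commas is ignored, so the book's "ou=People, dc=itso,..."
    matches "ou=People,dc=itso,..."."""
    try:
        got_prefix, got_suffix = prefix_and_suffix(dn)
        want_suffix = ",".join(f"{a}={v}" for a, v in rdns(suffix))
    except ValueError:
        return False
    return got_prefix == prefix.lower() and got_suffix.lower() == want_suffix.lower()


if __name__ == "__main__":
    for suffix, prefixes in summarize(SAMPLE_OUTPUT).items():
        print(f"{suffix}: {dict(prefixes)}")
```

Running the program prints one line per container suffix with the prefixes found under it; a container that shows more than one prefix (for instance both uid and cn under ou=People) is one that a single User DN prefix cannot describe, and it is better to learn that here than at the first failed portal login. The script itself never needs the bind password: a password given on the ldapsearch command line, as in Example 2-1, is visible in the shell history and to anyone listing processes on the workstation, so capture the search output once, to a file with restrictive permissions, and run the checks against that file.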
2.4 Sample applications
As an example of how you might configure a portlet to query an iPlanet directory server, this section shows how to configure the LDAP Search portlet.

2.4.1 Configuring the LDAP Search portlet
Provided with the standard WebSphere Everyplace Access installation is an LDAP Search portlet which allows portal users to search the LDAP directory. The search can be performed using various attributes and will return selected user information such as name, department, telephone number and e-mail address.

The portlet will need to be configured for a specific LDAP directory, and this can be done either by an individual user who has the proper access rights, or by the portal server administrator. Configuration performed by the administrator, via Work with Pages, makes the portlet configured by default for users. In this example, you will configure the portlet as the administrator, keeping in mind that the same configuration information applies to an individual user who has the access rights to edit the portlet.
1. Log in to the WebSphere Everyplace Access server with administration rights.
2. Select Work with Pages.
3. Select WebSphere Everyplace Access Home from the Place drop-down menu.
4. Select Productivity from the Page drop-down menu.
5. Click the Edit portlet icon for the LDAP Search portlet (Figure 2-11).

Figure 2-11 Editing the LDAP Search portlet

6. This will bring up the properties for the portlet (Figure 2-12), where the LDAP details are entered. The required information is the server name and the directory name.

Figure 2-12 Entering the LDAP server properties in the portlet

a. Optional Display Name: this will appear in the portlet’s title bar. Enter something descriptive, or leave it blank.
b. Server Name: the address of the LDAP directory server.
In this case, you want to search the iPlanet Directory Server. Since you are not using the default LDAP port of 389, you will need to specify the port, for example: m23x2501.itso.ral.ibm.com:388
c. Directory Name: this corresponds to the suffix for your iPlanet Directory server, for example dc=itso,dc=ral,dc=ibm,dc=com.
The remaining parameters are used to set up the default search criteria. You may choose to make Last Name the default field to search on, for example.
7. Click Save to save and close the properties box.

The portlet is now configured, and users can perform searches on the LDAP directory (Figure 2-13).

Figure 2-13 Results of doing a wildcard search on the LDAP directory

Observations: Using IBM WebSphere Everyplace Access with an iPlanet Directory Server provides a transparent solution for user authentication and user management. The implementation of LDAP allows WebSphere Everyplace Access to have a common look and feel regardless of the underlying LDAP directory.

2.5 Recommendations, hints and tips
The most critical element when installing WebSphere Everyplace Access is an understanding of the LDAP directory schema. You need to know both the User DN prefix and suffix and the Group DN prefix and suffix. You also need to confirm that the User DN and password used when selecting the LDAP server type are correct. This can be checked by using the ldapsearch command (Example 2-1 on page 34).

For more information and product documentation on iPlanet Directory Server V5.1, see the Sun Documentation Library at:
http://docs.sun.com/?q=iplanet&p=/coll/S1_ipDirectoryServer_51

Chapter 3. Active Directory Services in WebSphere Everyplace Access

In this chapter, we discuss the interoperability between WebSphere Everyplace Access and an external Active Directory server using the Lightweight Directory Access Protocol (LDAP). We explain how to install and configure the Active Directory server and how to install WebSphere Everyplace Access to access this LDAP directory. We also include sample applications in order to verify this installation.

3.1 Active Directory overview
Active Directory is the directory service provided by Windows 2000 Server. It stores information about objects in the network (including users, files, printers, servers and domains) and makes this information available to authorized users, simplifying access to and management of these network resources.

Active Directory requires a Domain Name System (DNS) so that clients can locate the Active Directory server and its resources by resolving domain names to IP addresses. It uses the Lightweight Directory Access Protocol (LDAP) to provide access to the data stored in the directory. In addition, it must reside on a domain controller.

3.2 Solution architecture
The scenario described here consists of an Active Directory server configured with the options necessary for it to act as the external directory service of a WebSphere Everyplace Access server. The sample scenario is illustrated in Figure 3-1.
[Figure 3-1: Windows 2000 Server hosting Active Directory Server V5.0 (m23x3072.yourco.com, port 389); Windows 2000 Server hosting WebSphere Everyplace Access V4.1.1, WebSphere Application Server V4.0.1, DB2 and IBM HTTP Server (m23x2676.yourco.com); Pocket PC Everyplace client V8.1 and desktop browser connecting over HTTP]
Figure 3-1 WebSphere Everyplace Access with Active Directory - sample scenario

The sample scenario described in this chapter includes the installation and configuration of the Active Directory server and the additional steps required to properly install the WebSphere Everyplace Access server with an external Active Directory server.

3.2.1 Specifications for the scenario
The configuration values for this sample scenario are shown in Table 3-1.

Table 3-1 Configuration values
Role                  Application Server                       Active Directory Server
Machine DNS Name      m23x2676.yourco.com                      m23x2672.yourco.com
IP address            198.168.10.11                            198.168.10.5
Operating System      Windows 2000 Server Service Pack 2       Windows 2000 Server Service Pack 2
Domain                yourco.com                               yourco.com
Domain Role           Member Server                            Domain Controller; Domain Name System (DNS)
Additional Software   IBM WebSphere Everyplace Access V4.1.1   Active Directory; Windows 2000 Support Tools; Windows 2000 Administrative Tools; Additional Windows 2000 Components

3.3 Installing and configuring Active Directory
The following is a typical Active Directory installation with the options required to fulfill the specifications described above. You must be logged on to the server with administration privileges to start the installation.
1. Run the dcpromo command to launch the Active Directory Installation Wizard, and click Next to continue.
Start > Run > dcpromo
2. Because the Active Directory installation makes the server a domain controller, you need to specify an existing domain or create a new one. In this scenario, you do not yet have a domain, and therefore you must select Domain controller for a new domain.
3. Select Create a new domain tree.
4. Select Create a new forest of domain trees.
5. Enter the full DNS name for the new domain, in this case yourco.com.
6. Leave the default value for the Domain NetBIOS name (YOURCO for this installation).
7. Accept the default values for the Active Directory database and log locations; in some cases you may need to change these values.
8. Accept the default folder location to be shared as the system volume, or choose a new location.
9. Active Directory needs a DNS server to work correctly, but this scenario does not yet have one. A warning message will appear stating that the Active Directory wizard cannot contact the DNS server that handles the selected domain name. Click OK and choose the option to install a DNS server on the computer.
Note: You can always configure a DNS at a later time, but for the purposes of this scenario the Windows 2000 DNS server installation option is selected during the Active Directory installation.
10. For the user and group object permissions, select the default option, Permissions compatible with pre-Windows 2000 servers. In this scenario it is also valid to select Permissions compatible only with Windows 2000 servers.
11. Enter an Administrator password.
12. Review the installation summary, and click Next when you are ready to begin the installation.

Figure 3-2 Installation summary for Active Directory

13. When the installation is completed, click Finish to close the Active Directory Installation Wizard.
14. Restart your computer.

3.3.1 Installing Windows 2000 support and administration tools
This section contains installation instructions for the Windows 2000 tools used in the scenarios described in this chapter.

Windows 2000 support tools
The Windows 2000 Support Tools contain the ADSI Edit MMC snap-in, which will be used in this chapter.
Note: The ADSI Edit MMC snap-in is a tool that allows you to add, delete, edit or move objects (such as users and groups) in Active Directory.

Follow these steps to install the support tools. You must be logged on to the server with administration privileges to begin the installation.
1. Run the following command from your Windows 2000 CD-ROM:
<CD drive>:\SUPPORT\TOOLS\SETUP.EXE
2. Supply the user information (name and organization name).
3. Select Typical as the installation type.
4. Click Next to begin the installation.
5. Click Finish to close the installation wizard at the end of the Support Tools installation.

Windows 2000 administration tools
The Windows 2000 Administration Tools include the Active Directory Users and Computers management console, which is required in this chapter.
Note: Active Directory Users and Computers is a management console used to administer data in the directory server.

Follow these steps to install the Administration Tools:
1. Run the following command:
C:\WINNT\System32\adminpak.msi
2. Select Install all of the Administrative Tools.
3. When the installation ends, click Finish to close the wizard.

Before you can use the ADSI Edit MMC snap-in, you will also have to register schmmgmt.dll. To register the DLL file, run the following command:
regsvr32 schmmgmt.dll

3.3.2 Verifying Active Directory server installation
It is recommended that you verify that Active Directory and DNS are working correctly before continuing with the WebSphere Everyplace Access installation. As Active Directory depends on DNS, you should ensure that there are no problems with the DNS service on your server. One of the steps you must take to verify this on a Windows 2000 DNS server is to confirm that the DNS service location records for the new domain controller have been created. For example:
a. Start the DNS Administrator Console.
Start > Programs > Administrative Tools > DNS
b. Expand your server name folder (m23x2672 in this case), expand the Forward Lookup Zones folder, and expand your domain name folder (yourco.com for this scenario).
c. The following folders must be present: _msdcs, _sites, _tcp, and _udp. These folders, and the service location records they contain, are critical to Active Directory operations.
Note: This is not the only procedure to ensure that the Windows 2000 DNS server is working correctly. There are many additional steps to verify the correct working of the DNS server, and the steps may differ depending on the DNS server you are using. Refer to the documentation of your DNS server for more details about procedures to verify that your DNS is correctly configured.

A quick way (not necessarily the only way) to verify that your Active Directory is working correctly is to add a new machine to the domain. In this sample scenario you will need to add the WebSphere Everyplace Access server machine to the new domain created for this scenario (yourco.com). If the WebSphere Everyplace Access machine appears in the Computers folder of your Active Directory Users and Computers management console, and you can log in to the domain from the WebSphere Everyplace Access machine, Active Directory is most likely working correctly.

Figure 3-3 Active Directory Users and Computers management console

3.3.3 Configuring Active Directory for WebSphere Everyplace Access
It is necessary to create some users and groups in Active Directory before beginning the WebSphere Everyplace Access installation. These are the WebSphere Everyplace Access administrator users and groups that must be in the LDAP server so that WebSphere Everyplace Access can validate them when required.
Table 3-2 and Table 3-3 summarize the groups and users, used during the WebSphere Everyplace Access installation, that must be configured in Active Directory.

Table 3-2 Groups needed for WebSphere Everyplace Access installation
Group name   Description                                        Member of
wpsadmins    WebSphere Everyplace Access administrative group   Administrators group

Table 3-3 Users needed for WebSphere Everyplace Access installation
User name   Description                                                                                                  Member of
wpsadmin    WebSphere Everyplace Access administrator user                                                               wpsadmins group
wpsbind     User for WebSphere Everyplace Access security purposes (to bind between WebSphere Everyplace Access and LDAP)   wpsadmins group

For example, follow these suggested steps to create the groups and users:
1. Start the Active Directory Users and Computers tool.
a. Log in to the server as a user with administrator privileges.
b. Click Start -> Programs -> Administrative Tools -> Active Directory Users and Computers.
c. Expand the contents of the domain name you created (yourco.com in this case) in the left panel tree view, as shown in Figure 3-4.

Figure 3-4 Active Directory Users and Computers tool

2. Create the administrator group wpsadmins.
a. Right-click the Users folder, select New, and then click Group.
b. In the New Object-Group dialog box, enter the details for the wpsadmins group (Figure 3-5).

Figure 3-5 Creating the wpsadmins group in Active Directory

c. Click OK to create the group.
d. Right-click the newly created wpsadmins group and select Properties.
e. Select the Member Of tab and click Add.
f. Select the Administrators group in your domain, click Add and click OK (Figure 3-6).

Figure 3-6 Including wpsadmins in the Administrators group

g. Click OK.
3. Create the administrator user wpsadmin.
a. Right-click the Users folder, select New, and then click User.
b. In the New Object-User dialog box, enter the details for the wpsadmin user (Figure 3-7).

Figure 3-7 Creating the wpsadmin user in Active Directory

c. Type the password for this user and click Next.
d. Review the summary for the new user and click Finish.
e. Right-click the newly created wpsadmin user and select Properties.
f. Select the Member Of tab and click Add.
g. Select the wpsadmins group in your domain, click Add and click OK (Figure 3-8).

Figure 3-8 Including the wpsadmin user in the wpsadmins group

h. Click OK.
4. Create the administrator user wpsbind. Follow the same steps as you did when creating the wpsadmin user above.

3.3.4 Obtaining the LDAP schema for Active Directory
One way to obtain the LDAP directory schema for your Active Directory server is to use the ADSI Edit MMC snap-in. This tool shows the objects of Active Directory in a hierarchical tree, allowing you to manipulate them. For example, to obtain the Distinguished Name (DN) prefix and suffix of the user wpsadmin created previously in Active Directory, you could do the following:
1. Open the ADSI Edit MMC snap-in by clicking Start -> Programs -> Windows 2000 Support Tools -> Tools -> ADSI Edit.
2. Find the wpsadmin user in the left tree panel.
a. Expand the Domain NC container.
b. Expand the Domain DN where the user was created, in this case DC=yourco,DC=com.
c. Expand CN=Users; the CN=wpsadmin object will be below it.

Figure 3-9 ADSI Edit MMC snap-in

3. Obtain the Distinguished Name (DN). The Distinguished Name of the wpsadmin user is obtained by joining, in reverse order, the objects to which the wpsadmin user belongs.
In this case, the DN of wpsadmin is:
cn=wpsadmin,cn=Users,dc=yourco,dc=com
The User DN prefix is: cn
The User DN suffix is: cn=Users,dc=yourco,dc=com
In the same way, it is fairly simple to obtain the DN of the Administrator user and of the wpsadmins group. For example:
The DN of the Administrator user is: cn=Administrator,cn=Users,dc=yourco,dc=com
The User DN prefix is: cn
The User DN suffix is: cn=Users,dc=yourco,dc=com
The DN of the wpsadmins group is: cn=wpsadmins,cn=Users,dc=yourco,dc=com
The User DN prefix is: cn
The User DN suffix is: cn=Users,dc=yourco,dc=com

Another way to obtain the LDAP directory schema for your Active Directory server is to use the ldifde command, as shown in Figure 3-10.
Figure 3-10 Executing the ldifde command
This command writes an LDIF file that contains all the users in the Active Directory. If you open this file (output.ldf in this case), you can obtain the Distinguished Name of each user. For example:
dn: CN=Users,DC=yourco,DC=com
changetype: add
cn: Users
description: Default container for upgraded user accounts
distinguishedName: CN=Users,DC=yourco,DC=com
dSCorePropagationData: 20020912153740.0Z
dSCorePropagationData: 20020912153723.0Z
dSCorePropagationData: 16010101000417.0Z
instanceType: 4
name: Users
objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=yourco,DC=com
objectClass: container
showInAdvancedViewOnly: FALSE
systemFlags: -1946157056
uSNChanged: 3218
uSNCreated: 1314
whenChanged: 20020912153740.0Z
whenCreated: 20020906143204.0Z
dn: CN=wpsadmin,CN=Users,DC=yourco,DC=com
changetype: add
accountExpires: 9223372036854775807
adminCount: 1
cn: wpsadmin
codePage: 0
countryCode: 0
displayName: wpsadmin
distinguishedName: CN=wpsadmin,CN=Users,DC=yourco,DC=com
instanceType: 4
name: wpsadmin
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=yourco,DC=com
objectClass: user
sAMAccountName: wpsadmin
sn: wpsadmin
userAccountControl: 66048
userPrincipalName: wpsadmin@yourco.com
uSNChanged: 2810
uSNCreated: 2787
whenChanged: 20020906145631.0Z
whenCreated: 20020906145534.0Z
....
If you locate the wpsadmin entry, the DN for this user is the line beginning with “dn:”. In this case, the value is CN=wpsadmin,CN=Users,DC=yourco,DC=com.
Note: During the WebSphere Everyplace Access installation, you will need information about your LDAP schema.

3.4 Installing WebSphere Everyplace Access
The WebSphere Everyplace Access installation using a remote Active Directory server is similar to a typical installation using IBM SecureWay LDAP services. However, there are considerations you must be aware of:
1. When you select the WebSphere Everyplace Access components and subcomponents to install, do not select SecureWay Directory Server.
Note: The SecureWay Directory is the default LDAP server provided by WebSphere Everyplace Access and can be installed locally or on a remote server.
In this sample scenario, Active Directory has already been installed as a remote LDAP server, and therefore you do not need to install SecureWay Directory. Figure 3-11 illustrates this option.
Figure 3-11 Selecting WebSphere Everyplace Access install components
2. In the LTPA password window, you will be prompted to enter the LTPA password. You must enter the password of the bind user you previously created; this is wpsbind.
3. Later in the installation, in the LDAP server type selection window, enter the following configuration values (Figure 3-12):
   a. Select Microsoft Active Directory.
   b. LDAP Server: the address or full computer name of the Active Directory server (in this case, m23x2672.yourco.com).
   c. User DN: the DN of the Active Directory administrator user. Refer to Section 3.3.4, “Obtaining the LDAP schema for Active Directory” on page 53 for more details. In this scenario, the User DN is cn=Administrator,cn=users,dc=yourco,dc=com.
   d. User password and Confirm password: enter the password for the administrator user specified above.
   e. Suffix: the suffix that has been configured for the server. In this case, dc=yourco,dc=com.
   f. LDAP port number: the port the Active Directory server uses. By default, this is 389.
Figure 3-12 Selecting Active Directory as the LDAP server
4. In the next window, you must provide information about the Active Directory configuration (Figure 3-13). Refer to Section 3.3.4, “Obtaining the LDAP schema for Active Directory” on page 53 for information about the Distinguished Names of users and groups in your Active Directory.
Figure 3-13 LDAP Configuration details
5. Fill in the fields and click Next to continue the WebSphere Everyplace Access installation.
6. As part of the WebSphere Everyplace Access installation, you must configure the Security Center of the WebSphere Application Server. These configuration values are related to the LDAP settings and the administration role for the WebSphere Application Server. When you open the Security Center during the standard WebSphere Everyplace Access installation, click the Authentication tab to check the details of the LDAP settings. The panel is shown in Figure 3-14.
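Before the service accounts from the ldifde export of Section 3.3.4 are entered in the LDAP windows above, an operator can check how they are configured. The script below is an added example (not part of the Redpaper): it parses an LDIF export, finds the wpsadmin and wpsbind user entries, and decodes their userAccountControl and accountExpires values so that a bind account whose password or lifetime never expires is visible at a glance; the LDIF text is a constructed sample modelled on the entries shown in that section.

```python
"""Audit the WebSphere Everyplace Access service accounts in an Active
Directory LDIF export (for example the output.ldf file written by ldifde).
Added example, not part of the Redpaper."""

# userAccountControl bit values, as documented by Microsoft for AD user objects
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}
NEVER_EXPIRES = 9223372036854775807   # accountExpires value meaning "never"

# Constructed sample modelled on the ldifde output shown in Section 3.3.4
SAMPLE_LDIF = """\
dn: CN=Users,DC=yourco,DC=com
changetype: add
cn: Users
objectClass: container

dn: CN=wpsadmin,CN=Users,DC=yourco,DC=com
changetype: add
accountExpires: 9223372036854775807
cn: wpsadmin
objectClass: user
sAMAccountName: wpsadmin
userAccountControl: 66048
userPrincipalName: wpsadmin@yourco.com

dn: CN=wpsbind,CN=Users,DC=yourco,DC=com
changetype: add
accountExpires: 9223372036854775807
cn: wpsbind
memberOf: CN=wpsadmins,CN=Users,DC=yourco,DC=com
objectClass: user
sAMAccountName: wpsbind
userAccountControl: 512
"""


def parse_ldif(text):
    """Parse LDIF text into a list of entries, each {attribute: [values]}.
    Folded continuation lines (leading space) are joined to the previous
    value; comment lines are skipped; base64 values ('attr:: ...') are not
    needed for this audit and are ignored."""
    entries, current, last_key = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw == "":                       # a blank line ends an entry
            if current:
                entries.append(current)
            current, last_key = {}, None
            continue
        if raw.startswith(" "):             # folded continuation line
            if last_key is not None:
                current[last_key][-1] += raw[1:]
            continue
        key, sep, value = raw.partition(":")
        if not sep:
            continue                        # not an attribute line
        if value.startswith(":"):           # base64-encoded value, skipped
            last_key = None
            continue
        current.setdefault(key, []).append(value.strip())
        last_key = key
    if current:
        entries.append(current)
    return entries


def decode_uac(value):
    """Return the names of the userAccountControl bits set in value,
    lowest bit first (66048 -> NORMAL_ACCOUNT, DONT_EXPIRE_PASSWD)."""
    value = int(value)
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def audit_service_accounts(text, names=("wpsadmin", "wpsbind")):
    """Return {sAMAccountName: {"dn": ..., "findings": [...]}} for the named
    user entries.  Findings are the UAC flag names plus
    ACCOUNT_NEVER_EXPIRES when accountExpires is the sentinel value."""
    report = {}
    for entry in parse_ldif(text):
        if "user" not in entry.get("objectClass", []):
            continue
        sam = entry.get("sAMAccountName", [""])[0]
        if sam not in names:
            continue
        findings = decode_uac(entry.get("userAccountControl", ["0"])[0])
        if int(entry.get("accountExpires", ["0"])[0]) == NEVER_EXPIRES:
            findings.append("ACCOUNT_NEVER_EXPIRES")
        report[sam] = {"dn": entry["dn"][0], "findings": findings}
    return report


if __name__ == "__main__":
    for sam, info in sorted(audit_service_accounts(SAMPLE_LDIF).items()):
        print("%-9s %s" % (sam, info["dn"]))
        print("          %s" % ", ".join(info["findings"]))
```

To audit a real export, read output.ldf into a string and pass it to audit_service_accounts instead of SAMPLE_LDIF.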
Figure 3-14 Authentication tab in WebSphere Application Server Security Center
The LDAP settings for the sample scenario in this chapter are:
– Security Server ID: the DN of the user created for security purposes. In this case, cn=wpsbind,cn=users,cn=yourco,cn=com
– Security Server Password: the password for the user above.
– Host: the IP address or fully qualified DNS name of the Active Directory server. In this case, m23x2672.yourco.com
– Directory Type: Active Directory.
– Port: the port for the Active Directory server. We are using the default port, 389.
– Base Distinguished Name: the DN of the domain to which the Active Directory administrator user belongs. In this case, the user Administrator belongs to cn=yourco,cn=com
– Bind Distinguished Name: the full DN of the administrator user. In this case, cn=Administrator,cn=users,cn=yourco,cn=com
– Bind Password: the password for the administrator user.
7. Complete the configuration of the Administration Role and the rest of the standard WebSphere Everyplace Access installation. For details, see IBM WebSphere Everyplace Access Installation, REDP3587.
8. Important: Before you begin working with the WebSphere Everyplace Access server, you must give the WebSphere Everyplace Access administrator user (wpsadmin in this case) full manage authority over the users and groups in WebSphere Everyplace Access. This allows the WebSphere Everyplace Access administrator to search for and manage users and groups in WebSphere Everyplace Access. For example:
   a. Log on to the WebSphere Everyplace Access server as user wpsadmin (or another user with administration rights).
   b. Select Portal Administration.
   c. Click the Security tab.
   d. Click Get Users and Groups.
   e. Click Search for users.
   f. Type an asterisk (*) in the Name is field and click Go.
   g. From the search results list, select the wpsadmin user, click Add to list and click OK.
   h. From the Select the objects for permissions drop-down menu, select User groups and click Go.
   i. In the table list, check the Select all option in the Manage column.
   j. Click Save.
Figure 3-15 illustrates the new permissions for the wpsadmin user.
Figure 3-15 Adding permissions for the wpsadmin user in Portal server
You can now see both the users and groups you previously created in Active Directory when you perform a search on users and groups (Figure 3-16).
Figure 3-16 Manage users and groups in Portal server

3.5 Sample applications
In this section, sample applications are executed using WebSphere Everyplace Access configured with Active Directory LDAP services.

3.5.1 Creating users and groups in WebSphere Everyplace Access
Creating users and groups is a simple way to verify the interoperability of WebSphere Everyplace Access and Active Directory.
Note: In this environment, you can add users and groups directly in Active Directory or through the WebSphere Everyplace Access interface. If you want to add users and groups directly in Active Directory, see the suggested steps used to create the wpsadmins group and the wpsadmin and wpsbind users (Section 3.3.3, “Configuring Active Directory for WebSphere Everyplace Access” on page 48).
There are two ways to create users using WebSphere Everyplace Access: by using the sign-up option (self-enrollment) or by using an administrator user.
User self-enrollment
To create a user using the self-enrollment option, open the Portal server and click the Sign up button. Then fill out the registration form (Figure 3-17) and submit the request.
Figure 3-17 Self-enrollment user registration
User enrollment by an administrator
To create users in WebSphere Everyplace Access through an administrator user, follow these steps:
1. Log on to the Portal server using the wpsadmin user (or another administrator user).
2. Select Portal Administration.
3. Click the Users and Groups tab.
4. Click Create new user.
5. Enter the information for the new user and click OK (Figure 3-18).
Figure 3-18 Creating a new user
Group creation by an administrator
To create groups in WebSphere Everyplace Access through an administrator user, follow these steps:
1. Log on to the Portal server using the wpsadmin user (or another administrator user).
2. Select Portal Administration.
3. Click the Users and Groups tab.
4. Click the Manage User Groups tab.
5. Enter the name of the new group in the Group Name field and click Create group (Figure 3-19).
Figure 3-19 Creating a new group in WebSphere Everyplace Access

3.5.2 DB2 Everyplace synchronization using Active Directory
In this sample scenario, a sample application supplied with DB2 Everyplace, called Visiting Nurse, is used. This scenario illustrates DB2 Everyplace synchronization when using a remote Active Directory server for LDAP services. In this section, we briefly explain how to configure the WebSphere Everyplace Access server and a Pocket PC for this application. For more details, see Relational Database Synchronization in IBM WebSphere Everyplace Access V4.1.1, REDP1111.
Creating the synchronization and DB2e groups
First, you need to create a synchronization group in WebSphere Everyplace Access. This group will contain all the users who need to synchronize with the DB2 Everyplace Sync Server. In this sample scenario, the default name SyncGroup is used for this group.
Once the SyncGroup group is created, you must add to it all the users to whom you want to give DB2 Everyplace synchronization capabilities (Figure 3-20).
Figure 3-20 Setting the SyncGroup group
Since this is the Visiting Nurse application, the new DB2e group is called DB2e_Nurse; add to it the users that need to work with this application (Figure 3-21).
Figure 3-21 Setting up the DB2e_Nurse group
Creating a subscription and subscription set
To create a subscription and a subscription set, use the Mobile Devices Administration Center (MDAC).
1. Click Start -> Programs -> IBM Everyplace Synchronization Server -> Launch MDAC, and log in with the wpsadmin user and SyncGroup as the synchronization group.
2. Verify that the DB2e group (DB2e_Nurse in this case) is available in the Groups folder (Figure 3-22).
Figure 3-22 MDAC Groups folder
3. Verify that all the users who are members of SyncGroup appear in the Users folder (Figure 3-23).
Figure 3-23 MDAC Users folder
4. In this scenario, a JDBC subscription is used. For example:
   a. Click the Subscriptions folder.
   b. Right-click JDBCSUB1 and select Edit (Figure 3-24).
Figure 3-24 Edit JDBCSUB1 Subscription
   c. On the Identification tab, click Define subscription... to see the tables that will be synchronized (Figure 3-25).
Figure 3-25 Define Replication Subscription
   d. Select the Source tab; the VNURSE database must appear in the Database URL field.
   e. On the Subscription sets tab, the subscription set SUBSCRIPTION_SET1 must be in the right-hand pane (Figure 3-26).
Figure 3-26 Subscription sets
   f. Close the subscription dialog box.
5. Assign the DB2e group to the subscription set assigned to the Visiting Nurse database.
   a. Click the Subscription sets folder.
   b. Right-click SUBSCRIPTION_SET1 and select Edit.
   c. On the Groups tab, select DB2e_Nurse from the Available Groups list and move it to the Select Groups list (Figure 3-27).
Figure 3-27 Editing Subscription Set
   d. Close the subscription set dialog box.

3.5.3 Configuring the client on the Pocket PC and synchronizing
The following procedure can be used to configure the client on the Pocket PC:
1. Start the Everyplace client and go to the User Options panel (Tools -> User Options).
2. Fill out the WebSphere Everyplace Access information. You need to provide a user ID that belongs to the SyncGroup created previously (Figure 3-28).
3. Click OK to close the panel.
4. Click DB2 Everyplace Sync and, from the menu, select Tools -> Configure (Figure 3-28).
5. In the Configure panel, you must provide a value for User ID and Device ID. Leave the default values shown (Figure 3-28).
6. To initiate the synchronization, click Execute. Once the synchronization is completed, the status is updated (Figure 3-28).
Figure 3-28 Steps to configure the Everyplace Client on the Pocket PC
7. Click the Subscription List tab and confirm that SUBSCRIPTION_SET1 is available (Figure 3-29).
Figure 3-29 Verifying that the synchronization process selected the subscription
8. Notice that in the MDAC application, the user executing the synchronization process has been updated with the device type, device ID and the version of the Everyplace Sync client (Figure 3-30).
Figure 3-30 MDAC Users details
Verifying the synchronization
Now that the Pocket PC device is synchronizing, you can use the Visiting Nurse sample application to confirm that data entered on the Pocket PC is in fact synchronized with the DB2 database. For example:
1. Start the Visiting Nurse application on the Pocket PC.
   a. Click Start, and select Programs.
   b. Open the DB2 Everyplace Samples folder and click VNurse.
2. Select a patient and create a new medical record. An example is shown in Figure 3-31. To do this:
   a. Highlight a patient’s name and click the Info button.
   b. On the Personal Information page, click the Records button.
   c. Add a new medical record by clicking Add.
   d. Once you have filled out the record, click Save.
Figure 3-31 Creating a record in the Visiting Nurse application
3. Close the Visiting Nurse application.
4. Start the Everyplace client and initiate a synchronization.
   a. Click Start and select Everyplace Client from the menu.
   b. Click the Execute button.
Upon successful completion of the synchronization, the records are replicated to the source database as defined in the JDBC subscription. One way to confirm that the new records have been added to the DB2 database is to view the table contents using the IBM DB2 Control Center, as shown in Figure 3-32.
Figure 3-32 The new record in the DB2 database after synchronization

Chapter 4. Domino Directory Services in WebSphere Everyplace Access
In this chapter, we discuss the interoperability between WebSphere Everyplace Access and an external Lotus Domino server using the Lightweight Directory Access Protocol (LDAP). We explain how to install and configure the Lotus Domino server and LDAP services and how to install WebSphere Everyplace Access to access this LDAP directory.
We also include sample scenarios to verify the installation.

4.1 Lotus Domino R5 overview
Lotus Domino R5 is an integrated server platform for messaging, groupware, and Web applications, delivering secure communication, collaboration and business applications. It includes the following servers:
– Domino Mail Server, used for messaging purposes.
– Domino Application Server, a secure platform to deliver Web applications. It provides an integrated messaging and Web application software platform.
– Domino Enterprise Server, which extends the functionality of the Domino Mail and Domino Application Servers with high availability services.
Domino Directory services is the name used to refer to the directory architecture in Domino R5. Its central component is the Domino Directory, a store for directory information about users, servers, groups, and other objects, used by the Domino servers and by clients within a Domino domain. The other components of the Domino Directory services are:
– Directory Catalog, a specialized database with information about one or more Domino directories.
– Directory Assistance, which provides a redirect mechanism to access directory information from secondary directories, with the information remaining in its original directory.
– Domino LDAP server task, which provides LDAP version 3-compliant access to Domino and third-party directories from clients and applications.
A Domino server is required in order to have Domino Directory services running and available. For this reason, you need to set up and configure LDAP services on the Domino server. In addition, you can also set up and configure Directory Assistance and Directory Catalogs when required. For more information about Domino Directory services, refer to the IBM Redbook Getting the Most From Your Domino Directory, SG24-5986.
4.2 Solution architecture
The scenario presented in this chapter includes a Lotus Domino Application Server with LDAP services configured with the options required to make it an external directory service for a WebSphere Everyplace Access server. The sample scenario described in this chapter is illustrated in Figure 4-1.
Figure 4-1 WebSphere Everyplace Access and Domino LDAP Services (the figure shows a Windows 2000 Server running Domino Server V5.08 (m23x3074.yourco.com, port 386), a second Windows 2000 Server (m23x2501.yourco.com) running WebSphere Everyplace Access V4.1.1, WebSphere Application Server V4.0.1, Notes, DB2 and IBM HTTP Server, and a Pocket PC with Everyplace client V8.1 and a desktop browser connecting over HTTP)
The description of this scenario includes the installation and configuration of a Lotus Domino Application Server, and the configuration of the LDAP services.
Note: In this sample scenario, it may not be necessary to configure Directory Assistance and Directory Catalogs in the Domino server. However, this could be a requirement in other situations.

4.2.1 Specifications for the scenario
Table 4-1 illustrates the configuration values used in this sample scenario.
Table 4-1 Configuration
  Role                 Application Server                        Domino R5 Server
  Machine DNS name     m23x2501.yourco.com                       m23x2674.yourco.com
  IP address           198.168.10.12                             198.168.10.6
  Operating system     Windows 2000 Server Service Pack 2        Windows 2000 Server Service Pack 2
  Domain               yourco.com                                yourco.com
  Additional software  IBM WebSphere Everyplace Access V4.1.1    Domino R5.08 Server (Domino Application Server)

4.2.2 Users and groups required in this scenario
You must create users and groups in the Domino server before starting the WebSphere Everyplace Access installation.
These are the WebSphere Everyplace Access administrator users and groups that must be available in the LDAP server so that WebSphere Everyplace Access can validate them when required. Table 4-2 and Table 4-3 summarize the groups and users used during the WebSphere Everyplace Access installation that must be configured in the LDAP directory.

Table 4-2 Groups needed for WebSphere Everyplace Access installation
  Group name: wpsadmins
  Description: WebSphere Everyplace Access administrative group
  Member of: Administrators group

Table 4-3 Users needed for WebSphere Everyplace Access installation
  User name: wpsadmin
  Description: WebSphere Everyplace Access administrator user
  Member of: wpsadmins group

  User name: wpsbind
  Description: User for WebSphere Everyplace Access security purposes (to bind between WebSphere Everyplace Access and LDAP)
  Member of: wpsadmins group

4.3 Setting up Domino Directory services
You need to install a Domino server to have Domino Directory services. For this scenario, a Domino Application Server is installed as the Domino server. You also need to install the Lotus Domino Administrator client to administer the Domino server, and configure LDAP to run on this server.

4.3.1 Installing Lotus Domino server
This is a typical Lotus Domino server installation; in this sample scenario, most of the default settings and directories are used. The required options are selected to fulfill the specifications of the scenario described in Table 4-2 and Table 4-3. For example:
1. Log in to the server as a user with administrator privileges.
2. Run the setup program to open the installation wizard. Click Next in the Welcome window.
3. Read the License Agreement and click Yes.
4. Supply the company information (user and company name) and click Next.
5. Accept the default product and data folder locations or change them if you wish.
6. Choose to install a Domino Application Server and click Next (Figure 4-2).
For the purpose of this scenario, it is not necessary to customize the installation.
Figure 4-2 Select the type of Domino server
7. Accept the default Program Folder and click Next to start the Domino server installation.
8. At the end of the installation, click Finish to close the installation wizard and finish the Domino server installation.
9. Open the Lotus Domino server to start the server setup, including the LDAP services, by clicking Start -> Programs -> Lotus Applications -> Lotus Domino Server.
10. In the Step 1 window, select the option First Domino Server and click the right-pointing arrow on the top right-hand side, as illustrated in Figure 4-3.
Figure 4-3 Step 1 - Creating a new Domino server
11. In the Step 2 window, select Advanced Configuration to customize the server configuration parameters. Click the right-pointing arrow as shown in Figure 4-4.
Figure 4-4 Step 2 - Select a setup method
In the Step 3 window, enter the advanced configuration parameters. You must select LDAP under Internet Directory Services so that the LDAP server runs automatically on server startup. You must also activate the HTTP and IIOP options in the Web Browsers section. The rest of the options are optional. Click the right-pointing arrow as illustrated in Figure 4-5.
Figure 4-5 Step 3 - Domino advanced configuration
12. In the Step 4 window, enter the administration settings information (Figure 4-6). Enter the password for the certifier ID (password in this case), and the administrator user and password for the Domino server (in this sample scenario, wpsadmin).
See Section 4.2.2, “Users and groups required in this scenario” on page 80 for information about the users and groups required for this scenario.
Important: Be sure to enter wpsadmin as the administrator’s last name and leave the first and middle names blank in the Administrator’s Identity section. The Domino server generates the user ID by combining the first letter of the first name with the last name.
Figure 4-6 Step 4 - Domino administrative settings
13. Click Finish to complete the Domino server setup. A summary of the Domino configuration appears; review the options (Figure 4-7).
Important: Be sure to remember the location and password of the Certifier ID and Administrator ID created during the Domino server setup and shown in the summary configuration window. You will need this information for configuration and administration tasks.
Since we need to create the wpsadmins administrator group, click the Set Access Control List Entry button.
Figure 4-7 Domino configuration summary
14. In the Set Default Database Access window, select the Add a group option and type wpsadmins as the name of the group. Click OK (Figure 4-8).
Figure 4-8 Creating the wpsadmins group
15. Click the Exit Configuration button in the Domino summary configuration window.
16. Start the Domino server by clicking Start -> Programs -> Lotus Applications -> Lotus Domino Server.
17. Wait until the Domino server finishes loading (Figure 4-9).
Figure 4-9 Starting Domino server

4.3.2 Installing and configuring the Domino Administration client
You need to install the Domino Administration client to be able to administer the Domino server.
Important: The Lotus Domino server must be available and running before you start the Domino Administration client installation.
For example, follow this procedure:
1. Run the setup program to open the installation wizard. Click Next in the Welcome window.
2. Read the License Agreement and click Yes.
3. Supply the company information (user and company name) and click Next.
4. Accept the default product and data folder locations or change them if you wish. Click Next.
5. Select the Domino Administrator option and click Next (Figure 4-10). For the purpose of this scenario, it is not necessary to customize the Domino Administrator installation.
Figure 4-10 Installing Domino Administration
6. Accept the default Program Folder and click Next to begin the Domino Administration installation.
7. At the end of the installation, click Finish to close the installation wizard and finish the installation.
8. Open the Lotus Domino Administration client by clicking Start -> Programs -> Lotus Applications -> Lotus Domino Administrator. This starts the administrator configuration process.
9. Click Next in the Setting Up Connections window.
10. Select I want to connect to a Domino server and click Next.
11. Select Set up a connection to a local area network (LAN) and click Next.
12. Enter the Domino server name, in this case m23x2674/yourco, and click Next (Figure 4-11).
Figure 4-11 Entering the Domino server name
13. Select the Use my name as identification option and enter the administrator user name for the Domino server. In this case, wpsadmin was defined as the administrator during the Domino server installation (Figure 4-12).
Figure 4-12 Enter the Domino administrator user
14. Click Next in the Connecting to a Domino Server over a LAN window.
15. For this scenario, select I don’t want to create an Internet mail account and click Next.
16. For this scenario, select I don’t want to connect to a news server and click Next.
17. For this scenario, select I don’t want to connect to another directory server and click Next.
18. Choose whether you will use a proxy to connect to the Internet and click Next. In this sample scenario, a proxy is not used.
19. Select how you will connect to the Internet. For example, in this scenario select the Connect over local area network (or cable modem) option and click Next.
20. Click Finish to complete the Domino Administration client configuration. You will be prompted to enter a password to start the Administration client. Enter the password for the administrator user (wpsadmin in this case) and click OK.

4.3.3 Configuring LDAP services on Domino
It is necessary to create an additional user (wpsbind; see Section 4.2.2, “Users and groups required in this scenario” on page 80 for more information) and set some LDAP parameters in Domino before beginning the WebSphere Everyplace Access installation.
Creating users in Domino
Follow these steps to create a user:
1. If the Domino Administration client is not already open, start it by clicking Start -> Programs -> Lotus Applications -> Lotus Domino Administrator.
2. Go to the Administration page and select the People & Groups tab (Figure 4-13).
Figure 4-13 Domino Administration client
3. Right-click People and select Register Person.
4. When you are prompted to choose the Certifier ID, select the cert.id file from your Domino server data directory (by default, it is located in c:\Lotus\Domino\Data). Click Open.
5. Enter the password for the certifier ID selected in the previous step and click OK.
Tip: The certifier ID is created during the Domino server setup, in the administrative settings form (Step 4 window). For more information, see Section 4.3.1, “Installing Lotus Domino server” on page 81.
6. Click the Basics button on the left-hand side, and enter the information for the new user wpsbind (Figure 4-14).
7. Select the Advanced option to configure an Internet password.
Tip: You must set an Internet password for all users, because LDAP uses it to authenticate users.
Figure 4-14 Registering user wpsbind
8. Click the Groups button, select wpsadmins and click the Add button (Figure 4-15).
Figure 4-15 Adding wpsbind to the wpsadmins group
9. Click the Add person button. If you want, you can create more users at this time, or you can do so later.
10. Click the Register All button, and when the registration process finishes, click Done to close the Register Person form.
Configuring LDAP in Domino
To configure LDAP services on your Domino server, you need to create a server configuration document.
1. In the Domino Administration client, select the Configuration tab, expand the Server section, and click the Configurations icon. Then click the Add Configuration action button to create a new configuration document.
2. Select the Use these settings as the default settings for all servers checkbox (Figure 4-16).
Note: Only one configuration document can be designated as the default.
Figure 4-16 Creating a new server configuration document
3. Once you have selected this option, the LDAP tab appears. Click it to move to that section.
4. Click the button Choose fields that anonymous users can query via LDAP; an LDAP Field List window appears with a list of queryable fields. Accept this list or add more fields if you want, then click OK (Figure 4-17).
Figure 4-17 LDAP field list
5. In the LDAP Configuration form, select Yes in the Allow LDAP users write access option. Leave the other fields at their default values (Figure 4-18).
Domino Directory Services in WebSphere Everyplace Access 95 Figure 4-18 LDAP Configuration settings 6. Click the Save and Close button; a new configuration document will be created (Figure 4-19). 96 LDAP Directory Services in IBM WebSphere Everyplace Access V4.1.1 Figure 4-19 Configuration document for all the servers 7. In the Configuration tab, in the Server section, click the Current Server Document icon and the Edit Server button. 8. Select the Ports tab; inside the Port section, click the Internet Ports tab and select the Directory tab. You will see some configurations about LDAP. In this sample scenario, LDAP services uses port 386, but you can always use the default port 389 if you so desire (Figure 4-20). Chapter 4. Domino Directory Services in WebSphere Everyplace Access 97 Figure 4-20 LDAP settings 9. Click the Save and Close button to save the changes you made. 4.3.4 Obtaining the LDAP schema for the Domino Server To obtain the LDAP directory schema for your Domino server, you can execute the ldapsearch command located in the Lotus Notes program directory (by default, c:\Lotus\Notes). For example, at the command prompt window, enter the following command: ldapsearch -h m23x2674 -p 386 -d cn=wpsadmin,o=yourco -w wpsadmin -b o=yourco cn=* dn You will see a list of the Distinguished Names of the users in your Domino server (Figure 4-21). 98 LDAP Directory Services in IBM WebSphere Everyplace Access V4.1.1 Figure 4-21 LDAP schema for Domino server By selecting one of the returned records, you can determine the User DN prefix and suffix. For example, given the following record: CN=wpsadmin,O=Yourco the User DN prefix for the wpsadmin user is CN, and the User DN suffix is O=Yourco Note: During the WebSphere Everyplace Access installation, you will need information about your Domino server LDAP schema. 
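As an added example (not part of the Redpaper), the following Python script takes the dn lines that the ldapsearch command above returns, splits each into the User DN prefix and suffix as described in this section, and derives from them the values that the installer and the Security Center in 4.4 and the LDAP Search portlet in 4.5.2 ask for. The host name m23x2674.yourco.com, port 386 and the users wpsadmin and wpsbind are those of this scenario; the DN list itself is constructed sample output, not a real capture.

```python
import re

# Constructed sample of the "dn" lines returned by the ldapsearch command in
# 4.3.4 (not real output). The escaped comma in the third entry shows why a
# DN cannot simply be split on ",".
SAMPLE_LDAPSEARCH_OUTPUT = """\
dn: CN=wpsadmin,O=Yourco

dn: CN=wpsbind,O=Yourco

dn: CN=Smith\\, John,O=Yourco
"""

# first RDN: attribute "=" value (value may hold backslash-escaped chars), then optional ",rest"
_RDN_RE = re.compile(r"\s*([A-Za-z][\w-]*)=((?:[^,\\]|\\.)*)(?:,(.*))?$")

def dn_prefix_suffix(dn):
    """(User DN prefix, User DN suffix) as in 4.3.4: 'CN=wpsadmin,O=Yourco' -> ('CN', 'O=Yourco')."""
    m = _RDN_RE.match(dn)
    if not m:
        raise ValueError("not a distinguished name: %r" % dn)
    return m.group(1), (m.group(3) or "").strip()

def derive_settings(ldapsearch_output, host, port, admin_user, bind_user):
    """Derive the installer/Security Center values of 4.4 and the LDAP Search portlet URL
    of 4.5.2 from the DN list. Raises ValueError when the users do not share one suffix
    (no single Base Distinguished Name covers them) or when the administrator or the
    bind user of 4.3.3 is missing from the directory."""
    dns = [ln[4:].strip() for ln in ldapsearch_output.splitlines() if ln.startswith("dn: ")]
    if not dns:
        raise ValueError("ldapsearch returned no dn lines")
    pairs = [dn_prefix_suffix(dn) for dn in dns]
    suffixes = {suffix.lower() for _, suffix in pairs}   # DNs compare case-insensitively
    if len(suffixes) != 1:
        raise ValueError("users span several suffixes: %s" % sorted(suffixes))
    suffix = suffixes.pop()
    prefix = pairs[0][0].lower()
    bind_dn = "%s=%s,%s" % (prefix, admin_user, suffix)     # Bind Distinguished Name / User DN
    security_id = "%s=%s,%s" % (prefix, bind_user, suffix)  # Security Server ID (LTPA bind user)
    present = {dn.lower() for dn in dns}
    for role, dn in (("administrator", bind_dn), ("bind user", security_id)):
        if dn.lower() not in present:
            raise ValueError("%s %s was not returned by ldapsearch" % (role, dn))
    return {
        "user_dn_prefix": prefix,
        "suffix": suffix,                                   # installer Suffix and Base Distinguished Name
        "bind_dn": bind_dn,
        "security_server_id": security_id,
        "portlet_server": "ldap://%s:%d" % (host, port),    # LDAP Search portlet Server name
    }
```

Running derive_settings(SAMPLE_LDAPSEARCH_OUTPUT, "m23x2674.yourco.com", 386, "wpsadmin", "wpsbind") yields the same values entered by hand in 4.4 and 4.5.2; feeding it the real ldapsearch output before the installation catches a missing wpsbind user or a wrong suffix early.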
4.4 Installing WebSphere Everyplace Access

The WebSphere Everyplace Access installation using remote Domino Directory services requires some special considerations compared to the typical installation using IBM SecureWay Directory services. For example:

1. When you select the WebSphere Everyplace Access components and subcomponents to install, do not select SecureWay Directory Server.

Note: The SecureWay Directory is the default LDAP server provided with WebSphere Everyplace Access and can be installed locally or as a remote server. In this sample scenario, it is assumed that Domino Directory services have already been installed as a remote LDAP server, and therefore you do not need to install SecureWay Directory (Figure 4-22).

Figure 4-22 Selecting WebSphere Everyplace Access install components

2. In the LTPA Password window, you are prompted to enter the LTPA password. You must enter the password of the bind user wpsbind created previously.
3. Later in the installation, in the LDAP server type selection window, enter the following details (Figure 4-23):
   a. Select Lotus Domino Application Server.
   b. LDAP Server: the address or full computer name of the Domino Server (in this case, m23x2674.yourco.com).
   c. User DN: the LDAP DN of the Domino server administrator user. You can refer to Section 4.3.4, “Obtaining the LDAP schema for the Domino Server” on page 98 for more details. In this scenario, the User DN is cn=wpsadmin,o=yourco.
   d. User password and Confirm password: enter the password for the administrator user specified above.
   e. Suffix: the suffix for the server that has been configured. In this case, o=yourco.
   f. LDAP port number: the port that LDAP uses. In this scenario, we are using port 386.

Figure 4-23 Selecting Domino Server as the LDAP server

4. In the next window, you must provide information about the Domino Server configuration (Figure 4-24). You can review Section 4.3.4, “Obtaining the LDAP schema for the Domino Server” on page 98 to obtain information about the Distinguished Names of users and groups in your Domino Server.

Figure 4-24 LDAP configuration details

   Fill in the fields and click Next to continue the WebSphere Everyplace Access installation.

5. As part of the WebSphere Everyplace Access installation, you must perform some configuration in the Security Center of the WebSphere Application Server. This configuration relates to the LDAP settings and the administration role for the WebSphere Application Server. When you open the Security Center during the standard WebSphere Everyplace Access installation, execute the following additional step:
   – Click the Authentication tab and check the details for the LDAP settings (Figure 4-25).

Figure 4-25 Authentication tab at the WebSphere Application Server Security Center

   The LDAP settings for this sample scenario are:
   Security Server ID: the DN of the user created for security purposes. In this case, cn=wpsbind,o=yourco
   Security Server Password: the password for the user above.
   Host: the IP address or full DNS name of the Domino Server. In this case, m23x2674.yourco.com
   Directory Type: Domino 5.0
   Port: the LDAP port. Port 386 is used in this scenario.
   Base Distinguished Name: the DN of the domain that the Domino Server administrator user belongs to. In this case, the user wpsadmin belongs to o=yourco
   Bind Distinguished Name: the full DN of the administrator user. In this case, cn=wpsadmin,o=yourco
   Bind Password: the password for the administrator user.

6. Complete the configuration of the Administration Role and the rest of the standard WebSphere Everyplace Access installation. For details, see, for example, IBM WebSphere Everyplace Access V4.1.1 Installation, REDP3587.
7. After the installation and before you start any work, you must grant full manage authority over users and groups to the WebSphere Everyplace Access administrator user (wpsadmin in this case). This allows the WebSphere Everyplace Access administrator to search for and manage users and groups. For example, you may want to follow this procedure:
   a. Log on to the WebSphere Everyplace Access server using the wpsadmin user (or another user with administration rights).
   b. Select Portal Administration.
   c. Click the Security tab.
   d. Click Get Users and Groups.
   e. Click Search for users.
   f. Type an asterisk (*) in the Name is field and click Go.
   g. From the search results list, select the wpsadmin user, click Add to list and click OK.
   h. From the Select the objects for permissions drop-down menu, select User groups and click Go.
   i. From the table list, check the Select all option in the Manage column.
   j. Click Save.

Figure 4-26 illustrates the new permissions for the wpsadmin user.

Figure 4-26 Adding permissions to the wpsadmin user

4.5 Sample applications

In this section, two different tasks are described to show the interoperability of IBM WebSphere Everyplace Access and Domino Directory services.

4.5.1 Creating users in WebSphere Everyplace Access

You can add users directly from the Lotus Administration client or by using the WebSphere Everyplace Access administration interface. The latter option is shown here to verify that WebSphere Everyplace Access and the Domino Server are working correctly.

1. Log on to the Portal server as the wpsadmin user.
2. Select Portal Administration.
3. Click the Users and Groups tab.
4. Click the Manage Users tab.
5. Click Create new user.
6. Enter the information for the new user and click OK (Figure 4-27).

Figure 4-27 Creating a new user

7. A message confirming the creation of the new user appears.
8. You can validate the creation of the new user by searching for all Domino Directory users (Figure 4-28). Type an asterisk (*) in the Name is field and click Get users. You will see the users in the Domino Server, including the newly created user, test1.

Figure 4-28 Searching users from WebSphere Everyplace Access

9. You can also open the Domino Administrator client to verify that the new user has been created in the Domino server (Figure 4-29).

Figure 4-29 Viewing users in the Domino Administrator client

4.5.2 Configuring the LDAP Search portlet

The LDAP Search portlet allows you to search LDAP directories and obtain information about users. This portlet is provided by the standard installation of WebSphere Everyplace Access.

1. Log on to the WebSphere Everyplace Access server as the wpsadmin administration user or as a user with administration rights.
2. Select the Productivity tab.
3. Click the Edit icon in the LDAP Search portlet.
4. Enter the LDAP Search properties (Figure 4-30):
   – Optional Display Name: a name that describes the portlet.
   – Server name: the full DNS name of the LDAP server, including the LDAP port. In this case, this is ldap://m23x2674.yourco.com:386
   – Directory name: the DN suffix of the LDAP server.
   – The criteria for the initial search.

Figure 4-30 Configuring the LDAP Search portlet

5. Click Save. The LDAP Search portlet is configured and ready to perform a search in the Domino Server (Figure 4-31).

Figure 4-31 LDAP Search portlet results

Back cover

LDAP Directory Services in IBM WebSphere Everyplace Access V4.1.1
Learn WebSphere Everyplace Access and Active Directory interoperability
Use Domino LDAP Services in WebSphere Everyplace Access
Everyplace Access and iPlanet integration

Redpaper

This Redpaper will help you install, tailor and configure the new IBM WebSphere Everyplace Access product using Lightweight Directory Access Protocol (LDAP) directories such as IBM SecureWay Directory, iPlanet, Microsoft Active Directory and Domino LDAP Directory.

IBM WebSphere Everyplace Access provides the flexibility of supporting various Lightweight Directory Access Protocol (LDAP) directories. Although a typical installation of WebSphere Everyplace Access will incorporate a local or remote IBM SecureWay LDAP directory, support exists for accessing a remote and pre-existing LDAP directory.

A basic knowledge of IBM WebSphere Everyplace Access and LDAP directories is assumed.

IBM Redbooks are developed by the IBM International Technical Support Organization. Experts from IBM, Customers and Partners from around the world create timely technical information based on realistic scenarios. Specific recommendations are provided to help you implement IT solutions more effectively in your environment.

For more information: ibm.com/redbooks