Deployment Scenario with Siteminder : Multi-LDAP support
Added by Vincent Perrin on August 22, 2008 | Version 1
Paul Kelsey : Software Engineer email@example.com
Vincent Perrin : Software IT Specialist
Since WebSphere Portal 6.0, WebSphere
Portal can be configured to authenticate users against two or more user
In this scenario, CA Siteminder is responsible
for user authentication against two separate LDAP directories, and WebSphere Portal is
also configured to authenticate users against the same two user directories.
So, we will configure WebSphere Portal
in federated repositories mode, under a single realm.
The environment included the following
WebSphere Portal 6.1 and WebSphere Application Server 126.96.36.199
HTTP Server 6.1
Tivoli Directory Server 6.1 (pdoglinux.raleigh.ibm.com)
Sun One Directory 5.2.4 (pdogwinxp.raleigh.ibm.com)
IBM® Tivoli Directory Server 6.1
- User Base Search: cn=users, o=ibm, c=us
- Groups: cn=groups, o=ibm, c=us
Sun One Directory 5.2.4 :
- User Base Search: ou=people, dc=raleigh,
- Groups: ou=groups, dc=raleigh, dc=ibm,
Installation and configuration
Refer to the topics from the WebSphere
Portal 6.1 Information Center
and Siteminder Documentation listed in the steps below for more
detailed instructions on the steps to install and configure the environment
used for this test.
Install and configure IBM Tivoli Directory Server (ITDS) 6.1
Sun One Directory 5.2.4
Install WebSphere Portal 6.1, using the topic “Setting up a stand-alone production
server” in 6.1 Information Center
Configure security for WP 6.1 to IBM Tivoli Directory Server (ITDS) 6.1, using the
topic “Configuring the default federated repository on Windows”
Remove the file system repositories.
Note : You must modify the WAS and Portal
Admin user using the ConfigEngine tasks wp-change-was-admin-user and wp-change-portal-admin-user
before removing the file system repositories.
In the WebSphere Admin Console, add a new base entry for the configured federated
repository to Sun One Directory 5.2.4
An alternative method for creating the
second LDAP is to use ConfigEngine wp-create-ldap task as shown in the
as well as in the infocenter.
Install and configure the IBM HTTP Server using the topic “Setting up a remote
Web server with WebSphere Portal” in WP 6.1 Information Center
Portal Security with each LDAP and IHS WAS Plugin.
Install and configure Siteminder Policy Server 6.0 with Sun One Directory and ITDS,
in the User Directories section of Siteminder Administration.
Install Siteminder Web Agent on top of IHS 6.1 using the “SiteMinder® Web Agent
Installation Guide”, in my environment named portal61.
Install Siteminder Web Agent for WebSphere on top of WP 6.1 using the “SiteMinder
Agent for IBM WebSphere Guide”, in my environment named was_portal61.
Create a Siteminder domain and associate both user directory objects with it.
Create a Siteminder realm and one rule to protect the portal context root, in
Siteminder Admin Console :
Siteminder Realm Dialog Box:
You have to select the IHS Web Agent
and /wps/myportal as resource filter.
Siteminder Rule Dialog Box:
To protect the effective resource /portal61/wps/myportal* for
all actions (Get, Post, Put)
In the Users tab, select the Sun One
Directory and ITDS
In the Rules tab, add the rule you have
You can try to log in to WebSphere Portal through the Siteminder authentication
process with users from both directories.
In a new browser window, enter http://[Hostname]/wps/myportal
You should be prompted and authenticated by the Siteminder Web Agent, independent
of which directory the user exists in.
The Application Server Agent (TAI) receives the DN of the logged-in user, who is allowed
access to the protected portal page.
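
A check that fits the last step, as an added example that is not part of the original page: it maps a user DN to the directory whose user search base contains it and lists login IDs that appear in both directories, since federated repositories expect a login ID to be unique within the realm. Assumptions: the Sun One search base is truncated on the page, so a constructed suffix stands in for it; the login ID is taken to be the value of the first RDN; the function names and sample DNs are made up for the illustration.

```python
import re

# User search bases. The ITDS value is from the page; the Sun One value is
# truncated on the page, so the suffix used here is a constructed placeholder.
SEARCH_BASES = {
    "ITDS": "cn=users,o=ibm,c=us",
    "SunOne": "ou=people,dc=raleigh,dc=example",
}

def split_dn(dn):
    """Split a DN into normalized RDNs: lower case, no padding around ',' or '='.
    A comma escaped with a backslash stays inside its RDN (simplified escaping)."""
    out = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        out.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return out

def directory_for(dn, bases=SEARCH_BASES):
    """Return the directory whose search base is a proper suffix of dn, or None."""
    rdns = split_dn(dn)
    for name, base in bases.items():
        b = split_dn(base)
        if len(rdns) > len(b) and rdns[-len(b):] == b:
            return name
    return None

def colliding_login_ids(dns):
    """Return login IDs (assumed: first RDN value) found in more than one directory."""
    seen = {}
    for dn in dns:
        name = directory_for(dn)
        if name:
            login = split_dn(dn)[0].partition("=")[2]
            seen.setdefault(login, set()).add(name)
    return sorted(login for login, dirs in seen.items() if len(dirs) > 1)

# Constructed sample DNs, written the way different tools may format them.
SAMPLE = [
    "uid=alice, cn=users, o=ibm, c=us",
    "UID=bob,OU=People,DC=raleigh,DC=example",
    "uid=alice,ou=people,dc=raleigh,dc=example",
    "uid=mallory,ou=people,dc=other,dc=example",
]

if __name__ == "__main__":
    for dn in SAMPLE:
        print(dn, "->", directory_for(dn))
    print("login IDs present in both directories:", colliding_login_ids(SAMPLE))
```

A DN that resolves to no directory, or a login ID reported as colliding, is worth resolving before testing login through the web agent.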