Reconfigure Security; Change User Ids And Passwords - IBM BS029ML - WebSphere Portal Server Self Help Manual


4.2.2 Reconfigure security

In WebSphere Portal Version 6, the resource permissions are all keyed on the extId of the
users or groups. This makes the security reconfiguration much more involved. The reason is
that switching the LDAP server invalidates every extId used for resource permissions if
extIds are mapped to a unique attribute created by the LDAP system, such as ibm-entryUUID
(IBM Tivoli Directory Server) or objectGUID (Microsoft Active Directory). Thus, the simple
procedure of "disable-reenable" security may wipe out all of the Portal Access Control
configuration. The solution is to take a full XMLaccess export of all protected resources in
all domains, and a full XMLaccess export of the users and groups, before security
reconfiguration, and then import these XML files to recreate the permission configuration.
If Application Groups are used, they must be recreated by importing the users and groups
XML file before the permissions can be recreated.
Important: Do not run "disable-security" before you understand its consequences. If you
are unsure, contact IBM WebSphere Portal support before taking any action.

4.2.3 Change user IDs and passwords

For portal security configuration, there are mainly four user IDs and one group required in the
LDAP. To successfully run the configuration task, however, you also need a couple of groups
for WebSphere Web Content Management and Portal Document Manager. In this Redpaper,
we only discuss the issues with Portal configuration and problem determination, and the
users and groups used in Portal and WebSphere Application Server.

The four user IDs and one group are referenced in wpconfig.properties as:

- WasUserid: This is the administrator user for WebSphere Application Server, sometimes
  called Server ID. You use this ID to start and stop the server, and to log on to the
  administrative console for any administration configuration on the application server. This
  user ID can be any user in the LDAP server. It does not necessarily have any rights in the
  LDAP.
- LDAPBindID: This is the user ID that WebSphere Application Server uses to bind to the
  LDAP server. It must be able to authenticate user IDs and have the necessary access
  rights (read/write/modify/delete) on the LDAP server, depending on how the application
  server is configured to use the LDAP server.
- PortalAdminId: This is the portal administrator user. It is the most important user in portal
  configuration, but this user can be any LDAP user that can be searched. Make sure you
  always specify the full user Distinguished Name (DN) on this line.
- PortalAdminGroupId: This is the portal administrator group. Any user IDs in this group
  should have the same administrative rights as the portal administrator user does. In some
  cases, you can disable the portal administrator user ID and only administer your portal
  server using user IDs within this group.
- LDAPAdminUId: This user ID is used by WebSphere Member Manager to bind to the
  LDAP server for its inquiries to the LDAP. Like LDAPBindID, it should have the necessary
  access rights to be able to operate on the subtrees in the LDAP such that portal can make
  changes to the users and groups.

Since these user IDs can be all different at one extreme or all the same at the other, when you
make any changes to the users, you have to understand the implications.
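The following added example (not IBM's code and not part of the original guide) audits the five properties named above before an ID or password change: it reports which properties resolve to the same LDAP account, so you can see everything a single change touches, and whether PortalAdminId is a full DN. The sample values are constructed, and the function names, the simplified properties parsing and the case-insensitive DN comparison are assumptions of this example.

```python
import re

# The five identity properties this section names in wpconfig.properties.
IDENTITY_KEYS = ("WasUserid", "LDAPBindID", "PortalAdminId",
                 "PortalAdminGroupId", "LDAPAdminUId")

# Constructed sample; the DNs are illustrative and not taken from any real system.
SAMPLE = """\
WasUserid=uid=wasadmin,cn=users,dc=example,dc=com
LDAPBindID=uid=ldapbind,cn=users,dc=example,dc=com
PortalAdminId=wpsadmin
PortalAdminGroupId=cn=wpsadmins,cn=groups,dc=example,dc=com
LDAPAdminUId=UID=ldapbind, CN=users, DC=example, DC=com
"""

def parse_properties(text):
    """Parse key=value lines, splitting on the first '=' only (DNs contain '=')."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def normalize_dn(value):
    """Comparable DN (case-folded, a simplification), or None if an RDN is not attr=value."""
    parts = []
    for rdn in re.split(r"(?<!\\),", value):
        attr, sep, val = (s.strip().lower() for s in rdn.partition("="))
        if not (sep and attr and val):
            return None
        parts.append(f"{attr}={val}")
    return ",".join(parts)

def audit(text):
    """Report missing keys, accounts shared by several keys, and the DN check."""
    props = parse_properties(text)
    by_identity = {}
    for key in (k for k in IDENTITY_KEYS if k in props):
        ident = normalize_dn(props[key]) or props[key].lower()
        by_identity.setdefault(ident, []).append(key)
    return {
        "missing": [k for k in IDENTITY_KEYS if k not in props],
        "shared": {i: ks for i, ks in by_identity.items() if len(ks) > 1},
        "portal_admin_is_full_dn": normalize_dn(props.get("PortalAdminId", "")) is not None,
    }
```

On the constructed sample, `audit(SAMPLE)` shows that LDAPBindID and LDAPAdminUId point at one account despite different case and spacing, and that PortalAdminId is a short name rather than the full DN this section asks for.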
IBM WebSphere Portal V6 Self Help Guide
