Download the configuration document from here - http://www.box.net/shared/sohqo3pvxo
I have separated the challenges have faced during the LDAP implementation in three categories.
First is related with ADS, second is when implemented it using PUMA service and third is mapping ADS with Portal.
A) Manage ADS (Active Directory Service)
1. Connecting ADS over SSL (636 port) - Installed Enterprise CA (certificate authority)
2. Viewing different ADS attribute values - ldapbrowser, JXplorer, Softerra LDAP Administrator 2010.2.
We found Softerra as effective tool however it's not freeware.
B) Application Implementation
1. Date conversion - AD (Active Directory) timestamps are defined as: "A system file time is a 64-bit unsigned value representing the date and time as the number of 100-nanosecond intervals that have elapsed since January 1, 1601 12:00 A.M."
2. Application logic to ensure user will change password in next login if user has assigned a temporary password - pwdLastSet='0' property is used for it.
3. Checking password is not required for newly migrated users - userAccountControl='0x0020' ads property is used for it.
4. Once the password is expired User can't login in ADS through his credentials - Application would redirected user to recovery page to first reset his password and then login.
5. Complex Search using PUMA - PUMA service doesn't provide search on the basis of multiple conditions. For those cases we have directly used JNDI api.
6. Retrieving maxPwdAge (Domain entry) from ADS using PUMA - PUMA service doesn't provide to retrieve Domain entry so he have used JNDI to achieve this functionality.
7. cn, uid and sAMAccountName must be unique to create users in ADS - First we check in ADS if the user exists with the same name and if it does than we add random suffix to the user name and checks recursively for the availability to create the user account.
C) Websphere Application Configuration with ADS
1. User creation and password change (needs connection over SSL for ADS ) - for that we require to import ADS certificate in WAS.
2. User creation in Portal Server - Since VMM ibm-primaryEmail attribute was not mapped with ADS mail attribute It was not able to create user through Portal. Later on we mapped the dependent attributes and the problem was resolved.
3. Changes made directly in LDAP do not show up immediately in Portal - We have disabled PUMA and VMM caching to get the immediate effect.
4. Portal uid doesn't store special characters - Since we have to store user's email in uid we changed Puma Validation rules for uid to store email address and for password to store special characters.
5. Creating user from Portal Admin and from IBM console set default value for the userAccountControl with PASSWD_NOTREQD - We Changed default value of userAccountControl from 544 to 512 in wimconfix.xml to create user as normal account.
No comments:
Post a Comment