
Saturday, December 1, 2012

Federated repositories configuration



Step 1:
Start the Portal Server.
Log in to the Application Server Integrated Solutions Console.
Go to Security > Global security.
Make sure "Federated repositories" is selected as the repository, then click "Configure".

Step 2:
On the Federated repositories screen click "Add base entry to realm".
On the Repository reference screen click "Add repository".
Provide:
Repository identifier : mytechuserbase
Directory type : IBM Tivoli Directory Server
Primary host name : localhost
Port : 389
Bind distinguished name : cn=root    Note : make sure this user exists in LDAP and has rights to modify LDAP entries
Bind password : root
Click the 'OK' button.

After that, provide the following in the current window:
Distinguished name of a base entry that uniquely identifies this set of entries in the realm : dc=mytech,dc=com
Distinguished name of a base entry in this repository : dc=mytech,dc=com
Click the 'OK' button.
Click the 'Save' link.

Step 3:
Click the "Supported entity types" link and change the 'Group' and 'PersonAccount' values to
cn=groups,dc=mytech,dc=com and cn=users,dc=mytech,dc=com respectively.

Step 4:
Restart the portal server so the changes take effect.
Test the LDAP setup:
Log in to the Application Server Integrated Solutions Console.
Create a user/group and verify the same user/group details on the LDAP server through an LDAP browser or the IDSWebApp application.

Installation steps for the Tivoli Directory Server Web Administration Tool -
1) Make sure the Db2 and TDS instances are running
2) Start the server1 profile
3) Deploy and start IDSWebApp.war
4) Open the IDSWebApp application at http://portal.mytech.com:10000/IDSWebApp/IDSjsp/Login.jsp. The default username and password are superadmin/secret
5) Make cn=root the super user for the domain (dc=mytech,dc=com)
6) Since we will be configuring a Federated repository, remove the users wpsadmin and wpsbind and the group wpsadmins from LDAP, as these already exist in the portal server.

Monday, June 13, 2011

Puma Service/User Details in (Theme, Servlet, Portlet)

a) Get details of the logged-in user in a theme
1) Use the following tag library to get basic user attribute values:
<%@ taglib uri="http://www.ibm.com/xmlns/prod/websphere/portal/v6.0/portal-fmt" prefix="portal-fmt" %>
<portal-fmt:user attribute="givenName" /> <portal-fmt:user attribute="sn" />
2) To get other information, such as the groups the user belongs to:
<%
// The request attribute is null for an anonymous (not logged-in) user
com.ibm.portal.puma.User portalUser = (com.ibm.portal.puma.User) request.getAttribute(com.ibm.portal.RequestConstants.REQUEST_USER_OBJECT);
if (portalUser != null) {
    java.util.List groups = portalUser.getGroups();
    for (int i = 0; i < groups.size(); i++) {
        com.ibm.portal.puma.Group grp = (com.ibm.portal.puma.Group) groups.get(i);
        // use grp here, e.g. to render group-specific navigation
    }
}
%>

b) Get user details in a servlet (this example looks the user up by the uid request parameter)
import java.io.IOException;
import java.util.List;
import java.util.Map;

import javax.naming.CompositeName;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.Name;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.ibm.portal.um.PumaHome;
import com.ibm.portal.um.PumaLocator;
import com.ibm.portal.um.PumaProfile;
import com.ibm.portal.um.User;
import com.ibm.portal.um.exceptions.PumaAttributeException;
import com.ibm.portal.um.exceptions.PumaMissingAccessRightsException;
import com.ibm.portal.um.exceptions.PumaModelException;
import com.ibm.portal.um.exceptions.PumaSystemException;

public class UserInfo extends HttpServlet {
    private static final long serialVersionUID = 1L;

    private PumaHome pumaHome;

    @Override
    public void init() throws ServletException {
        super.init();

        try {
            Context context = new InitialContext();
            Name pumaJndiName = new CompositeName(PumaHome.JNDI_NAME);
            pumaHome = (PumaHome) context.lookup(pumaJndiName);
        } catch (NamingException e) {
            e.printStackTrace();
        }
    }

    /**
     * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse
     *      response)
     */
    protected void doGet(HttpServletRequest request,
            HttpServletResponse response) throws ServletException, IOException {
        String uidParam = request.getParameter("uid");
        if (uidParam == null || uidParam.trim().length() == 0) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "uid parameter is required");
            return;
        }
        if (pumaHome == null) {
            // the JNDI lookup in init() failed; do not continue with a null home
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            return;
        }

        PumaLocator pLocator = pumaHome.getLocator();
        PumaProfile pProfile = pumaHome.getProfile();

        try {
            List<User> users = pLocator.findUsersByAttribute("uid", uidParam);
            if (users.isEmpty()) {
                // users.get(0) would throw IndexOutOfBoundsException for an unknown uid
                response.sendError(HttpServletResponse.SC_NOT_FOUND, "no user with that uid");
                return;
            }

            // get a list of attributes defined for this User
            List attribNames = pProfile.getDefinedUserAttributeNames();
            // Get a map of attribute values for this user
            Map userDetails = pProfile.getAttributes(users.get(0), attribNames);

            String userEmail = (String) userDetails.get("mail");
            System.out.println("UserInfo.doGet() " + uidParam + ":" + userEmail + ":" + users.size());
        } catch (PumaSystemException e) {
            e.printStackTrace();
        } catch (PumaAttributeException e) {
            e.printStackTrace();
        } catch (PumaMissingAccessRightsException e) {
            e.printStackTrace();
        } catch (PumaModelException e) {
            e.printStackTrace();
        }
    }

}

c) Get details of the logged-in user in a portlet

import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import javax.naming.Context;
import javax.naming.InitialContext;
import javax.portlet.ActionRequest;
import javax.portlet.PortletRequest;

import com.ibm.portal.portlet.service.PortletServiceHome;
import com.ibm.portal.um.PumaController;
import com.ibm.portal.um.PumaEnvironment;
import com.ibm.portal.um.PumaLocator;
import com.ibm.portal.um.PumaProfile;
import com.ibm.portal.um.User;
import com.ibm.portal.um.portletservice.PumaHome;
import com.ibm.websphere.security.UserRegistry;

public class UserProfileService {
    // This class uses PUMA SPI to access the LDAP and retrieve user profile information
    private static PumaHome pumaHome;

    // List of all Attribute Names that are defined in LDAP for USER group
    public static final String LAST_NAME = "sn";
    public static final String FIRST_NAME = "givenName";
    public static final String EMAIL = "mail";
    public static final String PASSWORD_USER_PROPERTY = "password";
    public static final String USERID_USER_PROPERTY = "uid";
    public static final String COMMONNAME_USER_PROPERTY = "cn";
   
    // Method to connect and create a PumaHome object
    public UserProfileService() {
        try {
            Context ctx = new InitialContext();
            PortletServiceHome psh = (PortletServiceHome) ctx
                    .lookup("portletservice/com.ibm.portal.um.portletservice.PumaHome");

            if (psh != null) {
                pumaHome = (PumaHome) psh.getPortletService(PumaHome.class);
            }

        } catch (Exception ne) {
            // ne.printStackTrace();
            pumaHome = null;
        }

    }

    public Map getUserProfile(PortletRequest req) {
        Map userDetails = null;
        // Uses the PUMA SPI to load the current user's attributes from LDAP
        if (pumaHome == null) {
            return null;
        } else {
            try {
                // first get a PumaProfile object
                PumaProfile pumaProfile = pumaHome.getProfile(req);
                // get a list of attributes defined for this User
                List attribNames = pumaProfile.getDefinedUserAttributeNames();

                // Get a map of attribute values for this user
                userDetails = pumaProfile.getAttributes(pumaProfile
                        .getCurrentUser(), attribNames);
                // Do not dump the whole map to SystemOut: it may contain sensitive attributes
            } catch (Exception e) {
                e.printStackTrace();
                return null;
            }
        }
        return userDetails;
    }

    public static PumaHome getPumaHome() {
        if (pumaHome == null) {
            try {
                PortletServiceHome psh;
                Context ctx = new InitialContext();
                psh = (PortletServiceHome) ctx.lookup(PumaHome.JNDI_NAME);
                if (psh != null) {
                    pumaHome = (PumaHome) psh.getPortletService(PumaHome.class);
                }
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
        return pumaHome;
    }

    protected static PumaLocator getPumaLocator(PortletRequest portletRequest) {
        PumaLocator pumaLocator = getPumaHome().getLocator(portletRequest);
        return pumaLocator;
    }
    protected static PumaProfile getPumaProfile(PortletRequest portletRequest) {
        PumaProfile pumaProfile = getPumaHome().getProfile(portletRequest);
        return pumaProfile;
    }

    protected static PumaEnvironment getPumaEnvironment() {
        PumaEnvironment pumaEnvironment = getPumaHome().getEnvironment();
        return pumaEnvironment;
    }
    protected static PumaController getPumaController(PortletRequest portletRequest) {
        PumaController pumaController = getPumaHome().getController((ActionRequest) portletRequest);
        return pumaController;
    }
    public static void changePasswordLDAP(ActionRequest actionRequest, String password) {
        final PumaProfile pf = getPumaProfile(actionRequest);
        final PumaController pc = getPumaController(actionRequest);
        final PumaEnvironment pe = getPumaEnvironment();
        final Map userSetAttr = new HashMap();
        final List passwd=new ArrayList();
        passwd.add(password);
        // set AD password attribute in the Map
        userSetAttr.put(PASSWORD_USER_PROPERTY, passwd);
        try {
            // runUnrestricted runs the action without PUMA's access-control checks,
            // so only call this after the portlet has verified the current user
            pe.runUnrestricted(new PrivilegedExceptionAction() {
                public Object run() {
                    try {
                        User user = pf.getCurrentUser();
                        pc.setAttributes(user, userSetAttr);
                    } catch (Exception e) {
                        e.printStackTrace();
                    }
                    return null;
                }
            });
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

}

Sunday, June 12, 2011

WebSphere SSO & LDAP Configuration Links

Here's the URL for SSO configuration between WebSphere v6.1 & Connections v2.5:
http://publib.boulder.ibm.com/infocenter/ltscnnct/v2r0/index.jsp?topic=/com.ibm.connections.25.help/c_sec_config_sso.html
Also consider the following points when setting up SSO:
* make sure that the LDAP is the same on Portal and Connections and that the Realm name is exactly the same
* make sure that both servers are accessed through a common domain like .yourwebsite.com
* just export the LTPA key from one server to the other and you should be set
* make sure that in the Web SSO settings for each server the domain name is the same, with a period in front of it
* ex: .yourwebsite.com
* one last thing, make sure the time and time zones are the same on both servers
* otherwise you could generate a cookie that has already expired on the next server

Friday, December 3, 2010

ADS configuration with WebSphere Portal v6.1 > Federated Repository

Download the configuration document from here - http://www.box.net/shared/sohqo3pvxo

I have separated the challenges I faced during the LDAP implementation into three categories.
The first is related to ADS, the second to implementing it using the PUMA service, and the third to mapping ADS to Portal.

A) Manage ADS (Active Directory Service)
 1. Connecting to ADS over SSL (port 636) - Installed an Enterprise CA (certificate authority).
 2. Viewing different ADS attribute values - ldapbrowser, JXplorer, Softerra LDAP Administrator 2010.2.
     We found Softerra to be the most effective tool; however, it is not freeware.

B) Application Implementation
 1. Date conversion - AD (Active Directory) timestamps are defined as: "A system file time is a 64-bit unsigned value representing the date and time as the number of 100-nanosecond intervals that have elapsed since January 1, 1601 12:00 A.M."
 2. Application logic to ensure the user changes the password at the next login if a temporary password has been assigned - the pwdLastSet='0' property is used for it.
 3. Password checking is not required for newly migrated users - the userAccountControl='0x0020' ADS property is used for it.
 4. Once the password has expired the user can't log in to ADS with their credentials - the application redirects the user to a recovery page to reset the password first and then log in.
 5. Complex search using PUMA - the PUMA service doesn't provide search on the basis of multiple conditions. For those cases we used the JNDI API directly.
 6. Retrieving maxPwdAge (Domain entry) from ADS using PUMA - the PUMA service doesn't provide a way to retrieve the Domain entry, so we used JNDI to achieve this.
 7. cn, uid and sAMAccountName must be unique to create users in ADS - First we check in ADS whether a user with the same name exists, and if so we add a random suffix to the user name and check recursively for availability before creating the account.

C) WebSphere Application Configuration with ADS
 1. User creation and password change (need a connection over SSL to ADS) - for that we had to import the ADS certificate into WAS.
 2. User creation in Portal Server - Since the VMM ibm-primaryEmail attribute was not mapped to the ADS mail attribute, it was not possible to create a user through Portal. Once we mapped the dependent attributes the problem was resolved.
 3. Changes made directly in LDAP do not show up immediately in Portal - We disabled PUMA and VMM caching to get the immediate effect.
 4. Portal uid doesn't allow special characters - Since we have to store the user's email in uid, we changed the PUMA validation rules for uid to accept email addresses and for password to accept special characters.
 5. Creating a user from Portal Admin or from the IBM console sets the default value of userAccountControl with PASSWD_NOTREQD - We changed the default value of userAccountControl from 544 to 512 in wimconfig.xml so that users are created as normal accounts.
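The AD attribute handling from B.1, B.2, B.3, B.6 and C.5 above, as an added Python example (not the blog's Java code): it converts the 100-nanosecond timestamps, evaluates pwdLastSet against the domain maxPwdAge, and decodes userAccountControl, including turning the 544 default back into 512. The sample entry and the maxPwdAge value are constructed.

```python
from datetime import datetime, timedelta, timezone

# AD timestamps count 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# userAccountControl bits discussed on this page (AD defines more).
UAC_FLAGS = {
    "PASSWD_NOTREQD": 0x0020,         # 32: no password needed at logon
    "NORMAL_ACCOUNT": 0x0200,         # 512: plain user account
    "DONT_EXPIRE_PASSWORD": 0x10000,  # 65536: exempt from maxPwdAge
}
NO_EXPIRY = (0, -0x8000000000000000)  # maxPwdAge values meaning "never expires"

def filetime_to_datetime(ticks):
    """Convert pwdLastSet-style ticks (100 ns since 1601) to a UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=int(ticks) // 10)

def decode_uac(uac):
    """Names of the known flags set in a userAccountControl value."""
    return sorted(name for name, bit in UAC_FLAGS.items() if int(uac) & bit)

def clear_passwd_notreqd(uac):
    """Turn a PASSWD_NOTREQD account (e.g. 544) back into a normal one (512)."""
    return int(uac) & ~UAC_FLAGS["PASSWD_NOTREQD"]

def password_state(pwd_last_set, max_pwd_age, uac, now):
    """Classify as must_change / never_expires / expired / valid.
    pwd_last_set is AD pwdLastSet (0 = change at next logon); max_pwd_age is
    the domain maxPwdAge, a negative 100-ns interval."""
    if int(pwd_last_set) == 0:
        return "must_change"
    if int(uac) & UAC_FLAGS["DONT_EXPIRE_PASSWORD"] or int(max_pwd_age) in NO_EXPIRY:
        return "never_expires"
    max_age = timedelta(microseconds=-int(max_pwd_age) // 10)
    return "expired" if now >= filetime_to_datetime(pwd_last_set) + max_age else "valid"

def assess_user(entry, max_pwd_age, now):
    """Evaluate one entry given as {attribute: string}, as values arrive over LDAP."""
    uac = int(entry["userAccountControl"])
    return {
        "flags": decode_uac(uac),
        "password_not_required": bool(uac & UAC_FLAGS["PASSWD_NOTREQD"]),
        "password_state": password_state(entry["pwdLastSet"], max_pwd_age, uac, now),
    }

# Constructed sample: a migrated account created with the 544 default from C.5.
SAMPLE_ENTRY = {"pwdLastSet": "0", "userAccountControl": "544"}
SAMPLE_MAX_PWD_AGE = -36288000000000  # constructed: 42 days in 100-ns ticks
```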