LDAP for IS

What are the steps to configure LDAP for IS at a high level (no MWS)?

I have configured LDAP directory list under Security->User Management->LDAP Configuration.

Are there any other settings beyond this?
Does the IS need a restart?

I am using IS 9.10.

Hi Revathi,

can you explain why you want to use LDAP directly in IS, not via MWS?

This will only work effectively when not using Monitor functionality.

When interconnection with MWS is required, i.e. for monitoring, it is strictly recommended to add the LDAP as an additional directory service to the MWS and modify groups or roles there and then change the ACLs in IS to incorporate the MWS-based groups or roles.

Regards,
Holger

Hi,

Have you followed through the IS Administrator’s Guide chapter “Configuring a Central User Directory or LDAP”?

There are several steps to make before the LDAP connection is of use.

MWS makes it much simpler, but you can still get most of the functionality using only the IS.

Good Luck.

Season’s Greetings.

Hi,

Agree.
MWS makes it very much simpler to configure LDAP and navigate the users and roles.
We verified from our MWS that we can navigate the LDAP and see the users.

On the IS, a JDBC pool is configured for Central Users to connect to the DB holding the MWS tables.

But when we installed MWS, we did not have the DB yet, and it is still using the embedded DB.
So how do we change the MWS DB now?
Can we change it from MWS itself?
Or via a backend xml file?
Or we need to re-install the MWS with the DB details provided?

And once MWS points to same DB, what should be configured on the IS Admin Console?

Thanks very much for valuable feedback.

Regards,
Revathi

Hi Revathi,

You need not reinstall MWS to change it from embedded to external DB. You can simply modify the mws.db.xml file located under “SoftwareAG//MWS/server/default/config”.

Below is how it looks:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<CONFIG>
    <CONNECTION default="true" displayname="Default" id="1" name="default" type="oracle">
        <SQLWORKERCLASS>com.webmethods.portal.service.sql.core.BaseSqlWorker</SQLWORKERCLASS>
        <CONNPROVIDERCLASS>com.webmethods.portal.service.sql.core.provider.pool.PooledConnectionProvider</CONNPROVIDERCLASS>
        <PARAMS>
            <DRIVER>com.wm.dd.jdbc.oracle.OracleDriver</DRIVER>
            <URL>jdbc:wm:oracle://localhost:1521;serviceName=XE</URL>
            <USER>sample_user</USER>
            <!-- Password could be specified in clear text; it will be automatically encrypted during MWS startup -->
            <PASSWORD>{AES}BWUaj/sInspV+fvVX/N6Hw==</PASSWORD>
            <CACHESTATEMENTS>false</CACHESTATEMENTS>
            <TESTSQL>SELECT COUNT(*) FROM TBLTHING WHERE IDTHING = 1</TESTSQL>
            <MAXCONNECTIONS>100</MAXCONNECTIONS>
            <MINCONNECTIONS>0</MINCONNECTIONS>
            <!-- Max amount of idle time (in seconds) of the objects pooled by this pool -->
            <IDLETIMEOUT>60</IDLETIMEOUT>
            <!-- Time (in seconds) between eviction runs -->
            <CLEANUPPERIOD>10</CLEANUPPERIOD>
        </PARAMS>
    </CONNECTION>
</CONFIG>
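As an added example (not from the thread or from Software AG), a small Python audit of an mws.db.xml file in the shape shown above: it flags a PASSWORD that has not yet been rewritten to the {AES} form MWS writes at startup, a non-JDBC URL, a missing TESTSQL and inconsistent pool bounds. The element names come from the posted file; the constructed sample document and the checks themselves are my assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample mws.db.xml: password still in clear text, pool bounds inverted.
SAMPLE_CLEARTEXT = """<?xml version="1.0" encoding="UTF-8"?>
<CONFIG>
  <CONNECTION default="true" displayname="Default" id="1" name="default" type="oracle">
    <PARAMS>
      <DRIVER>com.wm.dd.jdbc.oracle.OracleDriver</DRIVER>
      <URL>jdbc:wm:oracle://localhost:1521;serviceName=XE</URL>
      <USER>sample_user</USER>
      <PASSWORD>changeit</PASSWORD>
      <TESTSQL>SELECT COUNT(*) FROM TBLTHING WHERE IDTHING = 1</TESTSQL>
      <MAXCONNECTIONS>0</MAXCONNECTIONS>
      <MINCONNECTIONS>5</MINCONNECTIONS>
    </PARAMS>
  </CONNECTION>
</CONFIG>
"""

def _param(params, tag):
    """Text of a child element of PARAMS, or '' if it is absent."""
    el = params.find(tag)
    return (el.text or "").strip() if el is not None else ""

def audit_mws_db_xml(xml_text):
    """Return (connection name, finding) tuples for an mws.db.xml document; [] means clean."""
    findings = []
    root = ET.fromstring(xml_text)
    defaults = root.findall("./CONNECTION[@default='true']")
    if len(defaults) != 1:
        findings.append(("*", f"expected one default connection, found {len(defaults)}"))
    for conn in root.findall("CONNECTION"):
        name = conn.get("name", "?")
        params = conn.find("PARAMS")
        if params is None:
            findings.append((name, "no PARAMS element"))
            continue
        # The posted file shows the encrypted form as a {AES} prefix; anything else is clear text.
        if not _param(params, "PASSWORD").startswith("{AES}"):
            findings.append((name, "PASSWORD is clear text on disk (no {AES} prefix)"))
        if not _param(params, "URL").startswith("jdbc:"):
            findings.append((name, "URL is not a JDBC URL"))
        if not _param(params, "TESTSQL"):
            findings.append((name, "no TESTSQL validation query"))
        mx = int(_param(params, "MAXCONNECTIONS") or 0)
        mn = int(_param(params, "MINCONNECTIONS") or 0)
        if mx < 1 or mn > mx:
            findings.append((name, f"pool bounds invalid (min={mn}, max={mx})"))
    return findings
```

Running it against the file right after editing and again after the first MWS start shows whether the startup encryption actually happened.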

Hi,

This requires a restart of MWS and most likely a reconfiguration of the MWS instance.

Regards,
Holger


Yes simply modify the “mws.db.xml” file located under “SoftwareAG//MWS/server/default/config”.

And during the first start, the MWS server initializes and you can tail the logs to make sure the MWS isn’t in a hung state; rather, it will try to execute various metadata commands, including auto-restarting a couple of times, before it gets a stabilized connection for accessing it.

HTH,
RMG

Hi,

I now have my MWS connected to the MS SQL DB.
I have LDAP configured as Directory service in MWS.
I can navigate and see the LDAP users in the MWS User Management->Users screen.

In IS Admin console, I have JDBC Pools pointing to the same MS SQL Database.

But in IS Admin console, when I go to Security > User Management, I fail to see Central User as Configured.
It still shows as Not Configured. Which step am I missing?

Regards,
Revathi

Have you installed the DB scripts related to Central User in your MS SQL database after pointing your MWS? You can use DB component configurator to do the same or you can go with scripts that come with installation too.

Yes, DB scripts related to ALL components were created in the DB.

Have you restarted your IS after configuring your Central User JDBC pool?

Yes, thanks.
After IS restart, I can see groups created in MWS getting added to IS when I choose ACL provider as Central.

When I navigate in the LDAP group and role via the MWS, I see LDAP group and role are empty.
However, I can view ldap users.
Is this a concern?
Should we have the LDAP users that we want to give authentication via the IS ACL, be tagged to a LDAP group?

I still feel I am missing something more.

The fact that you need to tag IS ACL to the groups is true. But it need not be a literal LDAP group. What you can do is, create an MWS group, and you can map your LDAP users to it. Now, you can place this group under any IS ACL by choosing from “Central” provider as you stated before.

In MWS, I create a group and try to add members from ldap.

I get an error as below.

[POP.012.0003.wm_xt_ldapdirsvc] This directory service does not support modifying User or Group memberships

I guess even though I am trying to create group on MWS, it is trying to create it in ldap.

Sorry, you are right. We cannot create MWS groups for LDAP; it will refer to LDAP groups only. What I meant was MWS Roles.

I created the MWS Role.
I can look up this MWS role from IS Admin Console.
I added the MWS Role newly created to the Administrator ACL on the IS Admin Console.

But I still cannot log into the IS Admin Console via a user who is configured in LDAP.

I suspect the LDAP query while creating the MWS role is the problem.
What should this query contain ideally?

If I try to access IS Admin console using an LDAP user and password, I get a line as below in the server log.

[1468]2016-12-14 10:58:09 GMT [CommonLib.MWS.0002I] no need to raise event because com.webMethods.portal.portlet.wm_xt_ldapqueryprovider.LdapqueryproviderThing@76aa9661 is not StaticroleThing class

My requirement is,

  1. I need to log into IS Admin console using any ldap user.

  2. Also associate certain service for specific LDAP user.

How do I go about with the above two?

Any suggestions are welcome.

Hi Revathi,

For accessing IS Admin UI the user needs to be a member of a group or role which is assigned to the Administrators ACL.

You can create custom ACLs for your services, to which you assign a specific service Role in MWS containing the specific user.

See IS Administrators Guide, MWS Administrators Guide and WebServices Developer Guide for details.

Regards,
Holger

Yes, I was able to set it up.
Thanks.