Solved

Trying to set up LDAP authentication using Jython with Websphere 6.1

Posted on 2011-09-14
Last Modified: 2013-12-11
Hi!

I am trying to setup LDAP authentication on a Websphere 6.1 server with wsadmin using Jython and I can't seem to find the right command.

I activated the setting in Websphere that shows me the Jython commands submitted by the web interface (command assistance?) and I ended up with a call to AdminTask.validateLDAPConnection(), which is not what I was looking for.

What calls should I make in Jython to set up LDAP authentication using more than one (fallback) server, and is there any way to get these shown by the Jython command assistance log?

Thank you!

Nick
Question by:Marbled
11 Comments
 
LVL 41

Expert Comment

by:HonorGod
> I am trying to setup LDAP authentication on a Websphere 6.1 server with wsadmin using Jython and I can't seem to find the right command.

  Good problem description.

Q: ... is there any way to get these shown by the Jython command assistance log?
A: Unfortunately not.

  The support for "command assistance" in the admin console was incomplete, especially in version 6.1 of the product.  Things have improved over time, and each version of the product (i.e., 7.0, and now 8.0) has increased the coverage.

  However, I "think" that there are still areas that are not 100% complete, but this is a guess on my part.  ;-)

  From your description, it sounds like you have performed the administration configuration commands on the Admin Console in order to do this on at least one of your servers.

  Is this an accurate understanding on my part?

  Now, you are trying to figure out how to perform these same steps on other servers.

  Is that correct?

  If so, please explain the steps that you used to perform these configuration steps.  From them, I should be able to duplicate them on my system, and see what Jython commands are needed.

Thanks for your help!
LVL 41

Expert Comment

by:HonorGod
Oh, are you, by any chance, using a federated repository?

Author Comment

by:Marbled
Hi HonorGod and thank you for responding to my query!

> > I am trying to setup LDAP authentication on a Websphere 6.1 server with wsadmin
> > using Jython and can't seem to find the right command.
> >
>  Good problem description.

LOL.

Thank you, let's just say I am used to having to ask for (when I am the one that does the debugging) or provide this kind of information...

>  The support for "command assistance" in the admin console was incomplete, especially in
> version 6.1 of the product.  Things have improved over time, and each version of the product
> (i.e., 7.0, and now 8.0) has increased the coverage.

)-;

Thing is we might end up deploying 7.0 or 8.0 by the time our new servers are deployed but I cannot assume that so I have to assume we're deploying on 6.1...

(I wish I could assume my scripts would be used on 7.0 or greater since I know 7.0 added some script libraries that could greatly simplify my work but I can't... I am not 100% sure but I think we still have one 5.1 server in production... )-; )

(So it's really difficult to know what we might end up deploying...)

This is actually part of a much bigger script which, when completed, will setup everything each application/server needs in the node in which it is deployed.

(Each application will be installed multiple times both for redundancy and to set up multiple test environments and these must be set up in a consistent manner.)

In the case of the LDAP setup, I want to set it up so that instead of always using the same local user created locally on the server it looks up the user names on our AD server.

The only info I found for setting this up didn't set things such as user and password (I can't query our servers anonymously) and it looks like running one of the samples I found might have hosed one of the nodes on one of our test servers.

The info I got on how to set this up was actually provided to me as a screen capture of how it should be set up on 7.0 (even though I still have to assume we deploy on 6.1) and it's on a server that, while not in "real" production, I can't risk hosing as it is used for our application development. I have tried to make the necessary adjustments for 6.1 but it's possible I got it wrong.

There's no load balancer or anything of the kind involved so I need to list every LDAP server in the server configuration.

Once I get something that resembles what I must set up (hostname, port (389), LDAP server type, DN info,  query user and password)  I will be able to debug further but for now I can't get anything that the admin console will display...

> Oh, are you, by any chance, using a federated repository?

Nope...

Thank you very much for your help!

Nick
LVL 41

Expert Comment

by:HonorGod
> Thing is we might end up deploying 7.0 or 8.0 by the time our new servers are deployed but I cannot assume that so I have to assume we're deploying on 6.1...

  That's a good assumption to make.  Additionally, any scripts you write for your 6.1 environment should port to 7.0 or 8.0 with little, if any, changes required.

> (I wish I could assume my scripts would be used on 7.0 or greater since I know 7.0 added some script libraries that could greatly simplify my work but I can't... I am not a 100% sure but I think we still have one 5.1 server in production... )-; )

  Any scripts written for a 5.1 environment would need to be in Jacl (the Java implementation of Tcl), which was deprecated in 6.1, but stabilized in 7.0.  Which means that Jacl isn't going away, but Jython is the strategic direction, and any new stuff would be targeted for Jython, not Jacl.

> (So it's really difficult to know what we might end up deploying...)
>
> This is actually part of a much bigger script which, when completed, will setup everything each application/server needs in the node in which it is deployed.

  This is called job security.  :-)

> (Each application will be installed multiple times both for redundancy and to setup multiple test environments and these must be setted up in a consistent manner.)

  Tailor made for scripting.

> In the case of the LDAP setup, I want to set it up so that instead of always using the same local user created locally on the server it looks up the user names on our AD server

  AD as in Windows Active Directory?

> The only info I found for setting this up didn't set things such as user and password (I can't query it our servers anonymously) and it looks like running one of the samples I found might have hosed one of the nodes on one of our test servers.

  Bad news!  ;-(

> The info I got on how to set this up was actually provided to me as a screen capture of how it should be setted up on 7.0 (even though I still have to assume we deploy on 6.1) and it's on a server that while not in "real" Production I can't risk hosing as it is used for our application development, I have tried to make the necessary adjustments for 6.1 but it's possible I got it wrong.

  ?!? From where did you get this screen capture ?!?

> There's no load balancer on anything of the kind involved so I need to list every LDAP server in the server configuration.

  Not necessarily.  That's why I asked about whether or not you were using a Federated Repository.

  Take a look at this developerWorks article:

Title: IBM WebSphere Developer Technical Journal: Expand your user registry options with a federated repository in WebSphere Application Server V6.1
http://www.ibm.com/developerworks/websphere/techjournal/0701_ilechko/0701_ilechko.html

  It has had more than 90K views since it was first published Jan 07

  It might help with what you are trying to do.

Let's see what we can make happen.

Author Comment

by:Marbled
Hi HonorGod!

>  Any scripts written for a 5.1 environment would need to be in Jacl (the Java implementation of Tcl),

Fortunately I don't need to deal with that 5.1 server...

The thing I still haven't understood though is why we have to use either Jython, a Java implementation of Python, or Jacl, a Java implementation of Tcl, couldn't we just use regular Java (which is, after all what Websphere is written in and what the applications deployed on it are also written in)? Scripts can soon become too complex for admins to do and if the job of doing them is dispatched to a programmer they have to learn another language...

There are advantages to learning a new language though... (-;

A nice, well documented Java API would be so nice... (-;

> Tailor made for scripting.

Yep!

>  AD as in Windows Active Directory?

Unfortunately yes... (-;

> Bad news!  ;-(

Yep and that seems very easy to do too... )-;

>  ?!? From where did you get this screen capture ?!?

From one of the consultants we hired at work... He wasn't a Websphere specialist (and that wasn't why we hired him principally) but he was quite familiar with IBM products in general and found where this had to be set up.

Unfortunately he left before the end of the project he, I and others are working on.

> Not necessarily.  That's why I asked about whether or not you were using a Federated
> Repository.

I must have misunderstood its uses because it looks like it's essentially used as a way to combine many user repositories together, but it doesn't seem to support sharing, replicating (like a master-slave relationship between DNSes, for example) or discovery by other servers of a server that would act as a federated repository.

It does have the advantage though that it allows the use of failover LDAP registries.

It does sound like this has to be set up on each server, or have I misunderstood something?

Thank you!

Nick


LVL 41

Accepted Solution

by:
HonorGod earned 500 total points
> The thing I still haven't understood though is why we have to use either Jython, ... couldn't we just use regular Java?

  Yes.  That is an option.  To do that, all you have to do is use the Java Management Extensions (JMX) interface.  For example:

http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=%2Fcom.ibm.websphere.express.doc%2Finfo%2Fexp%2Fae%2Ftjmx_programming.html

> A nice, well documented Java API would be so nice... (-;

  Agreed.  The javadocs for WebSphere are available.  However, it's not like a book has been written for administering WebSphere environments using JMX.  However, one has been written for doing so using Jython:

Amazon site = http://www.amazon.com/dp/0137009526  [25% off]
IBMPress site = http://www.ibmpressbooks.com/bookstore/product.asp?isbn=0137009526 [30% off]

> It does sound this has to be setted up on each server or have I misunderstood something?

  Are you talking about stand alone Application Servers, or do you have a Deployment Management (DM) environment?

  Federated repositories are loosely coupled, meaning that the individual LDAP servers don't need to know about each other.  This has advantages, and disadvantages.

- Advantage:
  - One can create a "Federated Repository" on the WebSphere environment, and use the WebSphere wizards to tell WebSphere how to access each, and how to query each for information.
  - The act of adding an LDAP server does not involve querying each LDAP server to verify that each entry is unique (this would be an enormous burden, and require far too much time, and effort).

- Disadvantage:
  - Imagine how much "fun" would be involved in identifying, and resolving ambiguous identification result:
    > Multiple LDAP servers responding to the query: Is userid=Bob valid?

Does that help any?

Author Comment

by:Marbled
Hi HonorGod!

> Yes.  That is an option.  To do that, all you have to do is use the Java Management
> Extensions (JMX) interface.  For example:

Hmm, nice!

> However, one has been written for doing so using Jython:

LOL, I have that book and while for some subjects it does go enough in depth on others it barely mentions them.

According to the book, if I want to set up a federated registry using Jython scripting I am essentially on my own since it's an undocumented area. What they suggest is to enable command assistance, do what I need to do manually and copy what are known to be undocumented commands, so they might change with subsequent versions of Websphere.

The samples on that book website (which I found by googling) seem to suggest there might be a way to setup multiple LDAP registries like I wanted to do without using federated registries but that doesn't seem to work with 6.1.

>  Are you talking about stand alone Application Servers, or do you have a Deployment
> Management (DM) environment?

Stand alone application servers... Deployment manager was discussed but no decision was reached so I have to assume standalone.

What difference would that have made in a deployment manager environment, does it copy the configuration from one node to the other as well as the apps?

(I haven't yet found a good book on Websphere unfortunately but from what I had read I thought it only copied the apps from one node to another (on the same or another server), not the config as well.)

> Federated repositories are loosely coupled, meaning that the individual LDAP servers
> don't need to know about each other.  

In my case the LDAP servers would return the same information, it's only to make sure I do get an answer (in case the server I try to query first is unavailable (hardware failure, planned maintenance, etc...)).

(What I want to do is a little similar to having multiple DNSes that resolve the same zone(s) listed in the OS' network configuration...)

I'll see what I can do on the federated registry side (I don't quite like this since it's undocumented (and so it could change in the future) and if that doesn't work I'll put it aside for now and work on the rest of the script... We have both put way too much time in this without getting much result...

(I'll of course give you the points/ratings assigned to this question...)

This should have been so easy to do if it had been properly documented...

Thank you and have a nice day!

Nick
LVL 41

Expert Comment

by:HonorGod
> I have that book and while for some subjects it does go enough in depth on others it barely mentions them.

  True.  Unfortunately, writing a book, any book, is a collection of trade offs.  There is a contractual time limit in which the book must be written, and the number of pages allowed is also part of the contract.  Unfortunately, it is not always obvious how many pages are going to be generated by the text that is written in the word processing software that was used...

> What difference would that have made in a deployment manager environment, does it copy the configuration from one node to the other as well as the apps?

  Yes, and no.  When you have a cluster, then every AppServer within the cluster is virtually identical (except for hostnames)...  meaning that any resource on 1 cluster member is duplicated on every other cluster member.

  Let me see what information I can find about Federated Repositories...  It has been a few years since the Jython book was written, and I expect that more information has become available since then.

Thank you Nick

Author Comment

by:Marbled
Hi HonorGod!

Sorry for the delayed reply, I had to work on other things for the past few days and I didn't even have the chance to try what I wanted to try (set up a federated registry).

>  True.  Unfortunately, writing a book, any book, is a collection of trade offs.  There is a
> contractual time limit  in which the book must be written, and the number of pages allowed
> is also part of the contract.  Unfortunately, it is not always obvious how many pages are
> going to be generated by the text that is written in the word processing software that was
> used...

Oops, sorry...

I guess I should start googling people's aliases on forums...

I had realized from your replies that there was a strong possibility that you work (or worked) for IBM but not that you are one of that book's authors (the main one, I assume, since your name is first)...

The problem is not with the book (and I am actually quite glad I bought it), it's that doing administration with wsadmin/Jython is overall poorly documented.

I should be able to find information online that picks up where the book left off but that's clearly not what's happening and I am getting increasingly frustrated by that...

What I want to do should be relatively simple to do and would have been completed weeks ago if it was properly documented. The fact that I have to learn a new language certainly doesn't help but it's not what's blocking me now...

Funnily what I expected could cause me problems (doing file I/O under Jython) will end up being a lot simpler than I thought because the information was easily available on the web...

> > What difference would that have made in a deployment manager environment, does it
>  >  copy the configuration from one node to the other as well as the apps?
>
>   Yes, and no.  When you have a cluster, then every AppServer within the cluster is
> virtually identical (except for hostnames)...  meaning that any resource on 1 cluster
> member is duplicated on every other cluster member.

OK, thank you!

> Let me see what information I can find about Federated Repositories...  It has been a few
> years since the Jython book was written, and I expect that more information has become
> available since then.

Thank you but don't spend too much time on this as you have already spent way too much time on this...

Thank you and sorry if it might not have seemed like it but I do appreciate your book, what I am mostly frustrated with is that nothing picks up where it leaves off...

Nick

PS: Please excuse some possible mistakes and possibly a wrong choice of words/expressions as English is not actually my mother tongue.


Author Comment

by:Marbled
Hi HonorGod!

It looks like the commands command assistance produces for a federated registry are now documented.

I am now converting what was produced by command assistance to list format since it's more useful that way for my uses...

Thank you!

Nick
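For readers landing here with the same question, the following is an added example written for this page; it is not code from the thread, from the book mentioned above, or from IBM. It builds the federated-repository (IdMgr) AdminTask calls that define one LDAP repository with a primary Active Directory host and one or more failover hosts, using the Jython list parameter format the author mentions rather than the '[-id X -host Y]' string format, so DNs containing spaces or commas need no extra quoting. Under wsadmin, where the AdminTask and AdminConfig globals exist, it applies the commands and saves; under plain Python it only returns the command list, so you can inspect or unit-test it offline. The host names, DNs, realm name, repository id and password-file path are assumptions; the command names are the IdMgrRepositoryConfig commands as documented for 6.1, but check the parameter names on your exact version with AdminTask.help('addIdMgrLDAPServer') before running it. Two practitioner notes: the thread uses port 389, which means the bind account's password crosses the network in the clear on every simple bind, so prefer port 636 with -sslEnabled true; and the bind password is kept out of the script itself and masked by redact() before anything is logged, since wsadmin traces and command assistance logs otherwise record it verbatim.

```python
# Added example (not from the original thread): build, and under wsadmin run,
# the AdminTask calls for a federated-repository LDAP entry with failover servers.
# Written to stay compatible with the Jython 2.1 shipped with WebSphere 6.1
# (no True/False, no print function, no try/except/finally in one statement).

# Assumption: a file readable only by the wsadmin user holds the bind password,
# so it neither sits in the script nor appears in a process listing.
PASSWORD_FILE = '/etc/was/ldap-bind.pw'

# Constructed sample: two domain controllers answering for the same domain and a
# read-only bind account. Port 389 as in the thread; use 636 and 'true' for
# '-sslEnabled' so the bind password is not sent in the clear.
SAMPLE_CFG = {
    'id': 'AD01',
    'serverType': 'AD',
    'servers': [{'host': 'dc1.example.com', 'port': 389},
                {'host': 'dc2.example.com', 'port': 389}],
    'bindDN': 'CN=wasbind,OU=Service Accounts,DC=example,DC=com',
    'baseDN': 'DC=example,DC=com',
    'realm': 'defaultWIMFileBasedRealm',
    'sslEnabled': 'false',
}


def load_bind_password(path):
    """Read the bind password from a restricted file; '' if it is absent."""
    try:
        f = open(path)
    except IOError:
        return ''
    try:
        return f.read().strip()
    finally:
        f.close()


def build_commands(cfg, bind_password):
    """Return a list of (AdminTask method name, parameter list) pairs."""
    rid = cfg['id']
    primary = cfg['servers'][0]
    cmds = []
    cmds.append(('createIdMgrLDAPRepository',
                 ['-id', rid, '-ldapServerType', cfg['serverType']]))
    cmds.append(('addIdMgrLDAPServer',
                 ['-id', rid,
                  '-host', primary['host'], '-port', str(primary['port']),
                  '-bindDN', cfg['bindDN'], '-bindPassword', bind_password,
                  '-sslEnabled', cfg['sslEnabled'],
                  '-referal', 'ignore']))
    # Every further server is registered as a failover target for the primary.
    for backup in cfg['servers'][1:]:
        cmds.append(('addIdMgrLDAPBackupServer',
                     ['-id', rid, '-primary_host', primary['host'],
                      '-host', backup['host'], '-port', str(backup['port'])]))
    cmds.append(('addIdMgrRepositoryBaseEntry',
                 ['-id', rid, '-name', cfg['baseDN']]))
    cmds.append(('addIdMgrRealmBaseEntry',
                 ['-name', cfg['realm'], '-baseEntry', cfg['baseDN']]))
    return cmds


def redact(cmds):
    """Copy of cmds with the value after '-bindPassword' masked, for logging."""
    out = []
    for name, params in cmds:
        masked = []
        i = 0
        while i < len(params):
            masked.append(params[i])
            if params[i] == '-bindPassword' and i + 1 < len(params):
                masked.append('********')
                i = i + 1
            i = i + 1
        out.append((name, masked))
    return out


def run_commands(cmds):
    """Apply the commands and save. Returns the number applied, or 0 for a
    dry run: AdminTask is a global that only exists inside wsadmin."""
    try:
        task = AdminTask
    except NameError:
        return 0
    n = 0
    for name, params in cmds:
        getattr(task, name)(params)
        n = n + 1
    AdminConfig.save()
    return n


COMMANDS = build_commands(SAMPLE_CFG, load_bind_password(PASSWORD_FILE))
APPLIED = run_commands(COMMANDS)
```

Run it on the node with `wsadmin.sh -lang jython -f ldap_federated.py` (the node's own wsadmin for a stand-alone server, the deployment manager's for a cell); `AdminTask.help('IdMgrRepositoryConfig')` lists the whole command group if a parameter name differs on your version. When writing the applied commands to a log, write `redact(COMMANDS)`, never `COMMANDS`.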
LVL 41

Expert Comment

by:HonorGod
Thank you for the grade & points.

Good luck & have a great day.