Overview

Skill Level: Any Skill Level

A basic familiarity with the ISAM LMI console may be needed, as I didn't show the detailed menu navigation.

This article deals with access to the content of the embedded LDAP of the IBM ISAM appliance.

Ingredients

A Linux system and LDAP client software are required. An LDAP browser tool can be used to verify the content of the LDAP.

Step-by-step

  1. Access to ISAM embedded LDAP

    The ISAM embedded LDAP only listens on the secure port 636 (LDAPS), for security reasons.

    As it is not possible to see user registry data from the ISAM LMI, we need to set up an external LDAP client.

    To access the embedded ISAM LDAP, here are the default administration credentials:

    User DN : cn=root,secAuthority=Default

    Password: passw0rd

    It is possible to change the initial default administrator password by navigating to the runtime component view of the ISAM LMI and selecting the option as illustrated. Since this default password is the same on every appliance, change it before port 636 is reachable from anywhere other than your management network.

    (Screenshot: change_password)

    Here it is also possible to change the name of the user data suffix to suit your needs.

    To access the embedded LDAP from an LDAP browser, it is sometimes necessary to export its self-signed certificate and import it into the LDAP browser's SSL keystore.

    You can export the LDAP server certificate from the ISAM LMI; it is located in the embedded_ldap_keys keystore (LMI navigation: Manage -> Secure Settings -> SSL certificates):

    (Screenshot: export_certificate)

    I also defined the embedded LDAP server hostname in my /etc/hosts with the CN defined in the certificate.

    To check the certificate being sent by the server, you can use the following command:

     openssl s_client -connect 172.16.91.197:636

     CONNECTED(00000003)

    depth=0 C = us, O = ibm, CN = isam

    So I added the following entry in my /etc/hosts:

    172.16.91.197   isam   # TEST ISAM

    I then configured my LDAP browser with the following parameters to see the user data suffix:

    Host: isam

    Port: 636

    Base DN: DC=ISWGA

    SSL

    User DN: cn=root,secAuthority=Default

    Password: passw0rd

    To see the secAuthority=Default suffix, create the following connection:

    Host: isam

    Port: 636

    Base DN: secAuthority=Default

    SSL

    User DN: cn=root,secAuthority=Default

    Password: passw0rd

  2. Access and modify embedded LDAP from command line

    To access the ISAM embedded LDAP from a Linux bash shell, LDAP client software is needed.

    Mac includes an OpenLDAP client pre-installed (as it does for the openssl used above), so I used the following commands:

    (First run export LDAPTLS_REQCERT=allow, or import the embedded LDAP server certificate into the Mac trusted certificate store. Note that allow makes the client accept any certificate the server presents, so importing the certificate is the option that actually verifies the server.)

    ldapsearch -x -H ldaps://isam:636 -D "cn=root,secAuthority=Default" -W -b "dc=iswga" -s sub "(uid=testuser)"

    Enter LDAP Password:

    # LDAPv3
    # base <dc=iswga> with scope subtree
    # filter: (uid=testuser)
    # requesting: ALL
    #

    # testuser, iswga
    dn: uid=testuser,dc=iswga
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    cn: test user
    sn: test
    uid: testuser
    userPassword:: e1NTSEF9THNpeklVWENUUkxyeS9EeWh3emlMNWwwanFQdWVUUnY=
    description:: U0FNTCA=

    # search result
    search: 2
    result: 0 Success

    # numResponses: 2
    # numEntries: 1

    If you need to add users to the LDAP, for example when the mail attribute is required for authentication, you can use the following LDIF (saved here as addusermail.ldif). Note that a double colon (::) in LDIF marks a base64-encoded value, as in the userPassword line of the search output above; a clear-text value uses a single colon.

    # adduser, iswga
    dn: uid=adduser,dc=iswga
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    cn: add user
    sn: test
    uid: adduser
    userPassword: Passw0rd
    description: user added with ldif
    mail: testmail@company.com

    Add it with the command:

    ldapadd -x -H ldaps://isam:636 -D "cn=root,secAuthority=Default" -W -f addusermail.ldif

    Enter LDAP Password:

    adding new entry "uid=adduser,dc=iswga"

  3. Backup of Embedded LDAP data in ldif format

    To create an LDIF backup of the ISAM embedded LDAP, you can use the following commands from a Linux command line.

    These commands are based on the OpenLDAP client on Mac (first enter export LDAPTLS_REQCERT=allow if you haven't trusted the server certificate locally):

    ldapsearch -x -H ldaps://isam:636 -D "cn=root,secAuthority=Default" -W -L -b "dc=iswga" -s sub "objectclass=*" > ISWGA.ldif

    ldapsearch -x -H ldaps://isam:636 -D "cn=root,secAuthority=Default" -W -L -b "secAuthority=Default" -s sub "objectclass=*" > SecAuthority.ldif
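The following script is an added example and not part of the original article: it generates the user LDIF from step 2 with the correct single-colon versus double-colon (base64) encoding per attribute value, and wraps the backup commands of step 3 so that ldapsearch verifies the server certificate against the exported self-signed certificate instead of relying on LDAPTLS_REQCERT=allow. The ISAM_LDAP_CA path is a placeholder; the hostname isam is assumed to resolve as in the article.

```shell
# Added example, not from the original article: build a valid LDIF entry for
# dc=iswga and back up both suffixes with server certificate verification.
# Assumes "isam" resolves as in the article; ISAM_LDAP_CA is a placeholder path.
set -eu

ISAM_HOST="${ISAM_HOST:-isam}"
BIND_DN="cn=root,secAuthority=Default"
ISAM_LDAP_CA="${ISAM_LDAP_CA:-/path/to/embedded_ldap_cert.pem}"  # placeholder

# LDIF (RFC 2849) writes "attr:: <base64>" only when the value starts with a
# space, ':' or '<', ends with a space, or has a non printable-ASCII byte; all
# other values are plain "attr: value". A clear-text password after "::" would
# be decoded as base64 and stored as garbage, so the choice is made per value.
ldif_attr() {
    attr=$1; value=$2; enc=0
    case "$value" in
        " "*|:*|"<"*|*" ") enc=1 ;;
        *) if printf '%s' "$value" | LC_ALL=C grep -q '[^ -~]'; then enc=1; fi ;;
    esac
    if [ "$enc" -eq 1 ]; then
        printf '%s:: %s\n' "$attr" "$(printf '%s' "$value" | base64 | tr -d '\n')"
    else
        printf '%s: %s\n' "$attr" "$value"
    fi
}

# One inetOrgPerson entry under dc=iswga, including the mail attribute the
# article's authentication use case needs. The uid is not RDN-escaped
# (RFC 4514), so keep it to plain alphanumerics.
user_ldif() {
    uid=$1; cn=$2; sn=$3; mail=$4; password=$5
    printf 'dn: uid=%s,dc=iswga\n' "$uid"
    printf 'objectClass: top\nobjectClass: person\n'
    printf 'objectClass: organizationalPerson\nobjectClass: inetOrgPerson\n'
    ldif_attr cn "$cn"; ldif_attr sn "$sn"; ldif_attr uid "$uid"
    ldif_attr mail "$mail"; ldif_attr userPassword "$password"
    ldif_attr description "user added with ldif"
    printf '\n'
}

# Dump one suffix to LDIF. The exported self-signed certificate is the trust
# anchor and REQCERT=demand makes ldapsearch fail on a mismatch, unlike
# LDAPTLS_REQCERT=allow, which accepts any certificate.
backup_suffix() {
    suffix=$1; out=$2
    LDAPTLS_CACERT="$ISAM_LDAP_CA" LDAPTLS_REQCERT=demand \
        ldapsearch -x -H "ldaps://$ISAM_HOST:636" -D "$BIND_DN" -W -L \
                   -b "$suffix" -s sub "objectclass=*" > "$out"
}
```

Interactive usage, prompting for the bind password: `user_ldif adduser "add user" test testmail@company.com Passw0rd > addusermail.ldif`, then `backup_suffix dc=iswga ISWGA.ldif` and `backup_suffix secAuthority=Default SecAuthority.ldif`.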
