Federating two LDAP servers with a common root organization

All users and organizations reside on a single LDAP server by default. If you require that shoppers and internal users exist on separate LDAP servers, you can follow this example to set up this configuration. In this example, B2C shoppers exist under the default organization, which resides on LDAP server 1, and internal users that manage the site exist under the seller organization, which resides on LDAP server 2.

Before you begin

Ensure that before you federate multiple LDAP servers (with common root or different root), you check that the RDN prefix for users is the same, for example uid or cn, but not a mix of both.

Procedure

  1. On a single LDAP server, create the following organization structure and user:
    o=root organization
    • o=seller organization (for administrators)
    • o=default organization (for B2C shoppers)
  2. Open the WebSphere Commerce Integration Wizard and specify the following LDAP values:
    • root organization: o=root organization
    • default organization: o=default organization,o=root organization
    • base DN: o=default organization,o=root organization
    Important: Do not restart the WebSphere Commerce server yet.
  3. Login to Organization Administration Console with the WebSphere Commerce site administrator logon ID. 
    For example, wcsadmin.
  4. Create a user with logonId admin under o=seller organization,o=root organization. Give the new admin user the Site Administrator role for Root Organization.

    Instead of wcsadmin, this new admin user becomes the new site administrator used once federated repositories are configured to point to two base entries.

  5. Ensure that the admin user can successfully log in to Organization Administration Console.
  6. From the WebSphere Application Server administration console, create a second LDAP repository by using LDAP server 2, where o=seller organization,o=root organization is the base entry. Include this second LDAP repository in the realm that already includes the first LDAP repository and the file-based repository.
  7. Save the changes in the WebSphere Application Server administration console.
    Note: The realm in wimconfig.xml now includes the following two base entries:
    LDAP1
    <config:baseEntries name="o=default organization,o=root organization" nameInRepository="o=default organization,o=root organization"/>
    LDAP2
    <config:baseEntries name="o=seller organization,o=root organization" nameInRepository="o=seller organization,o=root organization"/>
  8. Modify WC_installdir/xml/config/wc-server.xml to specify that Root Organization in the WebSphere Commerce database must not be synchronized with LDAP, since it is above the base entries that are defined in the WebSphere Application Server federated repositories:
    1. Find the SyncOrganizationExclusionList element.
    2. Add any organization DN values that exist in WebSphere Commerce database, but are above the base entries.
      For example, Root Organization:
      
      <SyncOrganizationExclusionList display="false">
           <Org DN="o=root organization"/>
      </SyncOrganizationExclusionList>
      
  9. Modify WC_installdir/xml/config/wc-server.xml to specify the LDAP DNs of the search bases (base entries) to be used during Logon, SSO, and UserRegistrationAdd. These DNs must be under the root organization:
    1. Find the MemberSubSystem element.
    2. Add the following sub element inside, specifying the base entry LDAP DNs. These DNs must be under the LDAP Root Organization:
      
      <SearchBases display="false"> 
           <Org DN="o=default organization,o=root organization"/> 
           <Org DN="o=seller organization,o=root organziation"/> 
      </SearchBases> 
      
  10. Run UpdateEAR to propagate the wc-server.xml changes to the EAR.
  11. Restart the WebSphere Commerce Server.
  12. Try to login to Organization Administration Console by using the new admin user. The admin user can now manage all the organizations, including the users that are descendants of the base entry organizations.

    Registered shoppers can register and logon to consumer direct stores. Guest users can also place orders in a consumer direct store.