Configuring LDAP Authentication

LDAP authentication enables DI Server to perform user identification and password checking by accessing authentication data located in an LDAP directory. This topic describes how to set up and activate LDAP authentication.

Opening the LDAP Configuration view

  1. Select Server > Configure LDAP Authentication from the main menu.
  2. Alternatively, in the Administration tree, right-click the server connection for which you want to open the LDAP Configuration view and then select Configure LDAP Authentication from the context menu.

    The Specify LDAP Parameters dialog box is displayed.

    This image shows the dialog to specify LDAP parameters.
  3. From the Administrative database drop-down list, select the ADB or the ADB candidate.
  4. LDAP authentication requires an active ADB. When you enable LDAP authentication, the current ADB candidate is set as the active ADB.
  5. In the Available Parameter Templates group, select the template that matches your LDAP directory server. The available options, each followed by its description:

    Parameter template for an Active Directory Server with default scheme

    Starts the LDAP configuration with default settings for authenticating users against an Active Directory Server.

    Parameter template for a Tivoli Directory Server with default scheme

    Starts the LDAP configuration with default settings for authenticating users against an IBM Tivoli Directory Server.

    Parameter template for a SunOne5.2 Server with default scheme

    Starts the LDAP configuration with default settings for authenticating users against a SunOne5.2 Server.

  6. Click OK.
  7. The LDAP Configuration of Server <connection name> view is displayed.

    This image shows the LDAP configuration of the Server Admin connection.

    The local toolbar provides the following commands, each followed by its function:

    Refresh the Current Page

    Reloads the page content.

    Print the Current Page

    Opens a dialog to print the page content.

    Send the Information as Mail

    Opens a new e-mail in your standard mail program to send the page content via mail.

    Set Up and Test LDAP Connection Parameter

    Opens a dialog for configuring the LDAP parameters. For details, see Setting up the LDAP authentication.

    Edit LDAP Connection Parameter

    Opens a dialog for editing the LDAP parameters. For details, see Editing the LDAP settings manually.

    Enable LDAP Authentication

    Enables LDAP authentication.

    Disable LDAP Authentication

    Disables LDAP authentication.

    Enable LDAP Debugging

    Enables the LDAP debugging functionality.

    Disable LDAP Debugging

    Disables the LDAP debugging functionality.

Setting up the LDAP authentication

  1. Open the LDAP Configuration view.
  2. Click the Set Up and Test LDAP Connection Parameter icon in the local toolbar.
  3. The Network Parameter dialog box is displayed.

    This image shows the Network Parameter dialog.
    Some of the dialogs in this wizard belong to the Apache Directory Studio LDAP Browser plug-in, and some of the plug-in's options do not apply to LDAP authentication in Enterprise Data Intelligence. For details on the plug-in, see the New Connection wizard topic in the Apache Directory Studio LDAP Browser User's Guide.
  4. Enter the host name and port at which your LDAP server can be reached.
  5. Note for Active Directory: on the default port 389, a search only covers the directory partition of the domain controller you connect to, that is, its own domain.

    If the account to be authenticated, or whose attributes or groups are to be retrieved, is not kept in that domain, specify a global catalog port instead (3268 for plain TCP or 3269 for LDAP via SSL). The global catalog port must be enabled by the system administrator. Ports 389 and 3268 carry the bind in clear text unless you select an encryption method other than None in the step below.

  6. Click Check Network Parameter to test the connection to the LDAP server. This verifies whether the LDAP server is reachable at the specified host and port.
  7. If the connection is tested successfully, the following message is displayed.

    This image shows the success message after the connection is established.

    Otherwise, an error message is displayed.

  8. Specify the encryption method to use for the LDAP connection. With None, a simple bind sends the Bind DN and password over the network in clear text, so select an encryption method other than None wherever the directory supports it. The settings for the selected encryption method are validated by the Check Server Authentication option on the Authentication page.
  9. For servers running on UNIX or z/OS, enter the path to the certificates.
  10. Click Next to continue. The Authentication page is displayed.
  11. This image shows the Authentication page.
  12. From the Server Authentication Method drop-down list and the Authentication Method drop-down list, select the appropriate authentication method. Depending on the selected method, further parameters must be specified.
    • Select External Authentication as Server Authentication Method or Authentication Method and perform the following:
      • In the Domain field, enter a valid domain name to support external server authentication for Windows.

    Or

    • Select Simple Authentication as Server Authentication Method or Authentication Method and perform the following:
      1. In the Bind DN or user field, enter the name of a valid LDAP user account.
      2. In the Bind password field, enter the password for the user account.
      3. If you selected an encryption method other than None on the Network Parameter dialog, you must also specify the parameters for the Trusted store.
      4. Enter the name of the Trusted store and the Trusted store type. The values depend on the operating system the server is running on. Typical values are:
        • Windows
          • Trusted store: nul
          • Trusted store type: Windows-Root
        • z/OS (RACF settings)
          • Trusted store: safkeyring://auth/*
          • Trusted store type: JCERACFKS
        • UNIX
          • The server authentication check is not supported for either encryption method.
      5. Click Check Server Authentication to verify the server authentication settings.

    The Check Server Authentication option verifies the server authentication using the specified encryption method. The check requires the RPC4LDAP RPC service and the privilege R (use of RPC calls is permitted).

    The RPC4LDAP RPC service is configured when you install Metability, except for servers running on z/OS. On z/OS, configure the RPC service manually; see Creating a New RPC Service. Use a Java based environment as the Execution environment and add the setting "KEEP_ACTIVE=0" so that the check returns correct results.

    If the RPC4LDAP RPC service is not available, the JSRPC service is used instead. In that case, the setting "KEEP_ACTIVE=0" must be added to the JSRPC service definition to obtain correct check results.

    If the Server authentication check is successful, this message is displayed.

    This image shows that authentication was successful.

    Otherwise, an error message is displayed.

  13. Click Next to continue.
  14. The Browser Options page is displayed.

    This image shows the Browse Options dialog.
  15. Click Fetch User Base DNs. Depending on your settings, the Login for LDAP Search dialog is displayed.
  16. This image shows the Login for LDAP Search dialog.
    1. In the Bind DN or user field, enter the name of a valid LDAP user account.

    2. In the Bind password field, enter the password for the user account.

    3. If you selected an encryption method other than None on the Network Parameter dialog, you must also specify the parameters for the Trusted store: enter the name of the Trusted store and the Trusted store type.

    4. Click OK. A message is displayed that lists the fetched user base DNs.

    5. This image shows the list of Base DNs.
  17. Close the message and then select the user base DN that you want to use from the User Base DNs drop-down list.
  18. Click Fetch Group Base DNs. A message is displayed that lists the fetched group base DNs.
  19. Close the message and then select the group base DN that you want to use from the Group Base DNs drop-down list.
  20. Click Finish.
  21. A message is displayed informing you that the LDAP settings have changed.

    This image shows the dialog to save the changed LDAP authentication parameters.
  22. Click Save to save the LDAP configuration settings to the server initialization file.
  23. The LDAP perspective is displayed.

    This image shows the LDAP dialog.
  24. In the LDAP Browser tree, expand the External Users node to trigger an initial search in the LDAP directory.
  25. This image shows the LDAP browse tree.

    The value in parentheses on the External Users node indicates the approximate number of user entries that have been found in the LDAP directory.

    A value of 0 and the message No Results indicate an error in the LDAP configuration, as shown in the following example.

    This image shows a sample error message.

    To resolve the error, use the LDAP Browser plug-in to modify and retest the configuration until the user search returns the correct results. For help with using the plug-in, see the LDAP Browser User’s Guide available under:

    http://directory.apache.org/studio/static/users_guide/ldap_browser/

    When you have identified the error, you must manually correct it in the server initialization file. For more information, see Editing the LDAP settings manually.

  26. When you have finished testing the LDAP configuration, select Window > Close Perspective to close the LDAP perspective.
  27. You are returned to the LDAP Configuration view and the resulting LDAP configuration in the server initialization file is displayed.

    This image shows the LDAP configuration of Server Admin connection.

    For information on how to activate the LDAP configuration, see Enabling and Disabling LDAP Authentication.
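The Network Parameter and Authentication steps above amount to a TCP (or TLS) connection followed by an LDAPv3 simple bind. The following Python script is an added example, not code from DI Server or the Apache plug-in: it reproduces that exchange with the standard library only, so a Bind DN, password, port and trust store can be checked from a shell when the wizard's check fails, and it shows on the wire why an encryption method of None matters, because the password sits in clear text inside the BindRequest. The host, port and Bind DN are read from the command line as placeholders; the message layout and result codes follow RFC 4511.

```python
"""LDAPv3 simple bind over plain TCP or LDAP via SSL, standard library only (RFC 4511).
Added example, not DI Server code: sends one BindRequest and returns the result code,
which is what Check Server Authentication does for Simple Authentication."""
import socket
import ssl

RESULT_CODES = {0: "success", 8: "strongerAuthRequired", 49: "invalidCredentials"}


def ber_len(n: int) -> bytes:
    """BER definite-form length: one byte below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(value: int) -> bytes:
    """INTEGER, minimal two's-complement encoding (non-negative values here)."""
    size = max(1, (value.bit_length() + 8) // 8)
    return tlv(0x02, value.to_bytes(size, "big", signed=True))


def bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, bindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    op = (
        ber_int(3)                              # version
        + tlv(0x04, bind_dn.encode("utf-8"))    # name: LDAPDN
        + tlv(0x80, password.encode("utf-8"))   # simple [0]: password, not encrypted by LDAP itself
    )
    return tlv(0x30, ber_int(message_id) + tlv(0x60, op))


def _read_tlv(buf: bytes, pos: int):
    """Decode the element at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data: bytes):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse [APPLICATION 1]."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = _read_tlv(op, 0)        # resultCode ENUMERATED
    _, _matched, pos = _read_tlv(op, pos)  # matchedDN
    _, diag, _ = _read_tlv(op, pos)        # diagnosticMessage
    return (int.from_bytes(mid, "big", signed=True), int.from_bytes(code, "big"),
            diag.decode("utf-8", "replace"))


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("LDAP server closed the connection")
        buf += chunk
    return buf


def recv_message(sock) -> bytes:
    """Read exactly one BER-framed LDAPMessage."""
    head = _recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        extra = _recv_exact(sock, length & 0x7F)
        head, length = head + extra, int.from_bytes(extra, "big")
    return head + _recv_exact(sock, length)


def simple_bind(host, port, bind_dn, password, use_tls=True, cafile=None, timeout=5.0):
    """Connect, bind once, return (resultCode, diagnosticMessage).
    use_tls=True on 636 or 3269 is LDAP via SSL; cafile is the CA bundle that must vouch
    for the server certificate (the Trusted store). use_tls=False on 389 or 3268 puts
    bind_dn and password on the network in clear text."""
    raw = socket.create_connection((host, port), timeout=timeout)
    sock = ssl.create_default_context(cafile=cafile).wrap_socket(raw, server_hostname=host) \
        if use_tls else raw
    with sock:
        sock.sendall(bind_request(1, bind_dn, password))
        _, code, diag = parse_bind_response(recv_message(sock))
    return code, diag


if __name__ == "__main__":  # placeholders: host, port and Bind DN come from the command line
    import getpass, sys
    host, port, dn = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    code, diag = simple_bind(host, port, dn, getpass.getpass("Bind password: "), use_tls=port in (636, 3269))
    print(f"resultCode {code} ({RESULT_CODES.get(code, 'other')}) {diag}")
```

Run it against port 636 or 3269 with the CA that issued the directory server's certificate passed as cafile, the equivalent of the Trusted store; a certificate the bundle does not vouch for fails inside wrap_socket before any credential is sent. Result code 49 means the Bind DN or password is wrong, and 8 (strongerAuthRequired) is what Active Directory returns when it requires LDAP signing and the connection is not TLS-protected. Dumping bind_request(...) for a plain-port connection makes the clear-text password visible at the end of the message, which is the case the encryption method setting is meant to rule out.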

Editing the LDAP settings manually

  1. Open the LDAP Configuration view.
  2. Click the Edit LDAP connection parameter icon in the local toolbar.
  3. The Edit Rochade Configuration Sections dialog box is displayed.

    This image shows the dialog to edit rochade configuration.

    The Edit Rochade Configuration Sections dialog box displays the section of the server initialization file where the LDAP settings are defined.

  4. Edit the settings in the Parameters field as required. You can also add new settings.
  5. To allow the Rochade user account to log in to Rochade even while LDAP authentication is enabled, add this parameter to the server initialization file:

    AllowInternalAccounts=YES

    With this setting, the internal account's Rochade password remains a valid credential that the directory never sees, so it is not subject to the directory's password policy or lockout. Add the parameter only if you need such a fallback (for example, to regain access when the directory is unreachable), and protect that account accordingly.

    For detailed information on the available settings, refer to LDAP authentication in the ASG-DI Administration Online Documentation.

    If the Parameters field contains a UserAttributes entry, the section it references (for example, LDAP_ATTRIBUTES) can also be selected in the Sections drop-down list. If there is no such entry, use the Add validation settings button to create it. The UserAttributes section specifies the LoginAttributeName parameter, which names the LDAP attribute that contains the account name.

    To have Rochade retrieve additional LDAP attributes, add corresponding lines to the UserAttributes section, for example email=mail_attr, where mail_attr is the name of the LDAP attribute that contains the e-mail address.
  6. Click Save to save your changes.
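Before saving a hand-edited LDAP section, it pays to check the indirection the dialog relies on: UserAttributes must name a section that exists and that carries LoginAttributeName, and AllowInternalAccounts=YES should be a deliberate choice. The following Python script is an added example, not part of DI Server or its documentation. It assumes the initialization file is INI-like ([SECTION] headers and key=value lines, as the Edit Rochade Configuration Sections dialog presents it) and that the LDAP settings live in a section named LDAP; that section name, and the sAMAccountName and mail values in the embedded sample, are assumptions. The keys it reads (UserAttributes, LoginAttributeName, AllowInternalAccounts, email) are the ones described above.

```python
"""Sanity-check the LDAP section of a server initialization file before saving it.
Added example, not DI Server code. Assumed: INI-like layout and a section named LDAP."""
import configparser

# Constructed sample, not a real initialization file: an attributes section referenced
# from the LDAP section, with the internal-account fallback left enabled.
SAMPLE_INI = """
[LDAP]
UserAttributes=LDAP_ATTRIBUTES
AllowInternalAccounts=YES

[LDAP_ATTRIBUTES]
LoginAttributeName=sAMAccountName
email=mail
"""


def load(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)
    return cp


def check_ldap_config(text: str, ldap_section: str = "LDAP") -> dict:
    """Return {'errors': [...], 'warnings': [...], 'attributes': {...}} for the LDAP settings."""
    cp = load(text)
    out = {"errors": [], "warnings": [], "attributes": {}}
    if not cp.has_section(ldap_section):
        out["errors"].append(f"section [{ldap_section}] not found")
        return out
    ldap = cp[ldap_section]

    # UserAttributes must point at an existing section that defines LoginAttributeName.
    attr_section = ldap.get("UserAttributes")
    if not attr_section:
        out["errors"].append("UserAttributes missing: create it (Add validation settings) "
                             "and name the attribute section")
    elif not cp.has_section(attr_section):
        out["errors"].append(f"UserAttributes refers to [{attr_section}] but that section does not exist")
    else:
        attrs = dict(cp[attr_section])
        if "LoginAttributeName" not in attrs:
            out["errors"].append(f"[{attr_section}] has no LoginAttributeName "
                                 "(the LDAP attribute that holds the account name)")
        out["attributes"] = attrs

    # Internal accounts keep their own passwords and bypass the directory entirely.
    if ldap.get("AllowInternalAccounts", "NO").strip().upper() == "YES":
        out["warnings"].append("AllowInternalAccounts=YES: internal accounts log in without LDAP; "
                               "keep this for break-glass use only")
    return out


if __name__ == "__main__":
    import json, sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_INI
    print(json.dumps(check_ldap_config(text), indent=2))
```

Point the script at a copy of the initialization file (or run it without arguments to see the sample) and fix every error before clicking Save; a UserAttributes entry that names a section that does not exist is exactly the kind of mistake that later shows up as "0 (No Results)" under External Users.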