Configuring for Active Directory (including over SSL) - TADDM/taddm-wiki GitHub Wiki

Overview

This guide will assist you in configuring for Active Directory (including over SSL) to use as the TADDM user repository.

There are sections in the TADDM administrator's guide for configuring TADDM for Active Directory and additional support information. It is recommended to read those sections before following this guide.

Preparation

There are a few pieces of information that you will need before doing the configuration.

  • An LDAP account and password used to bind (connect). This will need to be provisioned by the LDAP administration team.
  • Host name of the Active Directory (AD) server
  • Port number of the AD server if different than the default of 389
  • The base distinguished name (DN) for users in AD
  • The base DN for groups in AD
  • If configuring over SSL and an SSL certificate is required, obtain the certificate file from the LDAP administration team.

Tip: You can test the network path from the TADDM primary storage server (PSS) to the AD server using telnet (e.g. telnet ldap.ibm.com 389).

Tip: If running on Linux, you can test your LDAP values outside of TADDM by using the ldapsearch command that comes installed on most Linux distributions. If it's not in your default path, search for it (cd /; find . -name ldapsearch). Here is an example searching for a group name called 'SampleGroupName'.

ldapsearch -h ldap.ibm.com -x -D "cn=svcLDAPTADDM,ou=users,dc=ibm,dc=com" -w password -b "ou=groups,dc=ibm,dc=com" "sAMAccountName=SampleGroupName"
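The ldapsearch tip above takes the group name straight into the filter. As an added example (not part of the wiki), the POSIX shell helper below escapes the lookup value per RFC 4515 first (a name pasted from a ticket or a form field that contains `*`, `(` or `)` would otherwise silently widen the search), builds the user and group filters that match the object class and naming attribute values this page configures (person/group, sAMAccountName), and runs both lookups with `-W` so the bind password is prompted for rather than left in shell history and `ps` output. The URI, bind DN and base DNs default to the page's placeholders and can be overridden through environment variables; the `taddm_ldap_check` function name and the `TADDM_LDAP_USER`/`TADDM_LDAP_GROUP` variables are this example's own.

```shell
#!/bin/sh
# Added example (not from the TADDM wiki): escape a lookup value for an LDAP
# filter, build the user/group filters that match the collation.properties
# values on this page, and run both searches with ldapsearch.
# LDAP_URI, BIND_DN, USER_BASE and GROUP_BASE default to the page's placeholders.

# RFC 4515 escaping for the characters that carry meaning inside a filter:
# backslash first (so the escapes added afterwards are not re-escaped), then * ( ).
# NUL cannot appear in a shell string, so it needs no rule here.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Filters mirroring ldapUserObjectClass/ldapUIDNamingAttribute and
# ldapGroupObjectClass/ldapGroupNamingAttribute from the page.
user_filter()  { printf '(&(objectClass=person)(sAMAccountName=%s))' "$(ldap_escape "$1")"; }
group_filter() { printf '(&(objectClass=group)(sAMAccountName=%s))' "$(ldap_escape "$1")"; }

LDAP_URI=${LDAP_URI:-"ldap://ldap.ibm.com:389"}   # ldaps://ldap.ibm.com:636 for the SSL section
BIND_DN=${BIND_DN:-"cn=svcLDAPTADDM,ou=users,dc=ibm,dc=com"}
USER_BASE=${USER_BASE:-"ou=users,dc=ibm,dc=com"}
GROUP_BASE=${GROUP_BASE:-"ou=groups,dc=ibm,dc=com"}

# The same two lookups the TADDM Users and Groups pages perform. -W prompts for
# the bind password (once per search) instead of leaving it on the command line.
# With an ldaps:// URI, point LDAPTLS_CACERT at a PEM copy of the .cer file
# obtained from the LDAP team so the server certificate is verified.
taddm_ldap_check() {   # $1 = user sAMAccountName, $2 = group sAMAccountName
    ldapsearch -H "$LDAP_URI" -x -D "$BIND_DN" -W -b "$USER_BASE" \
        "$(user_filter "$1")" sAMAccountName distinguishedName
    ldapsearch -H "$LDAP_URI" -x -D "$BIND_DN" -W -b "$GROUP_BASE" \
        "$(group_filter "$2")" sAMAccountName member
}

# Usage: TADDM_LDAP_USER=jdoe TADDM_LDAP_GROUP=SampleGroupName sh ldapcheck.sh
if [ -n "${TADDM_LDAP_USER:-}" ] && [ -n "${TADDM_LDAP_GROUP:-}" ]; then
    taddm_ldap_check "$TADDM_LDAP_USER" "$TADDM_LDAP_GROUP"
fi
```

If a search returns nothing while the web UI works, compare the filter the script prints (run `group_filter 'SampleGroupName'` on its own) with what your AD administrator expects; a wrong object class or naming attribute shows up here before it shows up in TADDM.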

Configuring for Active Directory

Edit dist/etc/collation.properties on the PSS and set the following values.

# The user management module used by this CMDB server.
# Possible values are:
# "file" for a TADDM file-based user registry
# "ldap" for an LDAP user registry
# "vmm" for a Websphere Federated Repositories-configured user registry
com.collation.security.usermanagementmodule=ldap

#==============================
# LDAP Authentication
#==============================
com.collation.security.auth.ldapAuthenticationEnabled=true
com.collation.security.auth.ldapHostName=ldap.ibm.com
com.collation.security.auth.ldapPortNumber=389
com.collation.security.auth.ldapBaseDN=ou=users,dc=ibm,dc=com
#main branch for searching the groups
com.collation.security.auth.ldapBaseGroupDN=ou=groups,dc=ibm,dc=com
#Properties for Simple Authentication
com.collation.security.auth.ldapBindDN=cn=svcLDAPTADDM,ou=users,dc=ibm,dc=com
com.collation.security.auth.ldapBindPassword=myplaintextpassword
# ldap object class and naming attribute for users for treesearch
com.collation.security.auth.ldapUserObjectClass=person
com.collation.security.auth.ldapUIDNamingAttribute=sAMAccountName
# ldap object class, naming and email attributes for groups for treesearch
com.collation.security.auth.ldapGroupObjectClass=group
com.collation.security.auth.ldapGroupNamingAttribute=sAMAccountName
com.collation.security.auth.ldapGroupMemberAttribute=member
# Whether to follow referrals when retrieving users and groups from LDAP.
# In general, set to true for Active Directory and false otherwise.
com.collation.security.auth.ldapFollowReferrals=true
# Increase this value if you are using Active Directory and see
# "LimitExceededException: Referral limit exceeded" in the TADDM logs
com.collation.security.auth.ldapReferralLimit=10

Encrypt the passwords in collation.properties by running the following command:

dist/bin/encryptprops.sh $COLLATION_HOME

Restart the PSS.

To test, log in to the web UI as an administrator. The default administrator account is still read locally by TADDM and will always work the same, even if LDAP is set up as a user repository. Go to the Users management page and search for a known user. Then go to the Groups management page and search for a known group. If the search doesn't return anything, some parameters may be incorrect. For the user search, verify with your AD administrator that the object class for users is 'person' and that the UID naming attribute is 'sAMAccountName'. For the group search, verify with your AD administrator that the object class for groups is 'group', the group naming attribute is 'sAMAccountName' and the group membership attribute is 'member'. Correct any values, restart the PSS and test again.

Configuring over SSL

It is recommended that you set up the connection without SSL initially to make sure you have all of the basic values set properly.

If required, copy the certificate file (e.g. ibm-ldap.cer) to the PSS.

Create a truststore using the following command and set the passwords (when prompted to trust the certificate, answer yes):

dist/external/jdk-Linux-x86_64/bin/keytool -import -file ~/ibm-ldap.cer -alias IBM-Cert -keystore ~/taddmTrustStore.jks
Enter keystore password: changeit
Re-enter new password: changeit

Note: I have not tested the scenario where a certificate is not required. You may want to try creating an empty truststore (use Google to figure it out) and continue following these instructions.

Edit dist/etc/collation.properties on the PSS and set the following values (making sure you don't have duplicate values).

com.collation.security.auth.ldapPortNumber=636

# SSL for LDAP
com.collation.security.auth.ldapUseSSL=true
com.collation.security.auth.ldapClientKeyStore=/home/taddm/taddmTrustStore.jks
com.collation.security.auth.ldapClientKeyStorePassphrase=changeit
com.collation.security.auth.ldapClientTrustStore=/home/taddm/taddmTrustStore.jks
com.collation.security.auth.ldapClientTrustStorePassphrase=changeit
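Both configuration steps on this page (the base LDAP settings and the SSL settings just above) edit the same file by hand, and the SSL step warns about duplicate values. As an added check that is not part of the wiki or of TADDM itself, the POSIX shell function below reads a collation.properties file and flags the mistakes those edits invite: duplicate keys (the check assumes that, as with java.util.Properties, the last occurrence wins), a port that disagrees with ldapUseSSL, a truststore path that is not readable on the PSS, and an empty truststore passphrase. The property names are the page's; the checks and the `COLLATION_PROPS` variable are this example's assumptions. Run it against dist/etc/collation.properties before encryptprops.sh and the restart.

```shell
#!/bin/sh
# Added example (not from the TADDM wiki): sanity-check the LDAP/SSL settings in a
# collation.properties file before encrypting passwords and restarting the PSS.
# Assumes, as for java.util.Properties, that when a key is repeated the last value wins.

# Print the effective value of key $2 in properties file $1 (comments/blank lines ignored).
prop_get() {
    awk -v k="$2" -F= '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { key = $1; gsub(/[ \t]/, "", key) }
        key == k { v = substr($0, index($0, "=") + 1); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v) }
        END { print v }' "$1"
}

# Print every key that appears more than once in $1.
prop_dups() {
    awk -F= '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { key = $1; gsub(/[ \t]/, "", key); n[key]++ }
        END { for (k in n) if (n[k] > 1) print k }' "$1"
}

# Report problems in $1; return 1 if any were found, 0 otherwise.
check_collation_ldap() {
    f=$1; rc=0; p=com.collation.security.auth
    for d in $(prop_dups "$f"); do
        echo "duplicate key: $d (the last occurrence wins)"; rc=1
    done
    [ "$(prop_get "$f" com.collation.security.usermanagementmodule)" = ldap ] \
        || { echo "usermanagementmodule is not ldap"; rc=1; }
    [ "$(prop_get "$f" $p.ldapAuthenticationEnabled)" = true ] \
        || { echo "ldapAuthenticationEnabled is not true"; rc=1; }
    port=$(prop_get "$f" $p.ldapPortNumber)
    if [ "$(prop_get "$f" $p.ldapUseSSL)" = true ]; then
        [ "$port" = 636 ] || { echo "ldapUseSSL=true but ldapPortNumber=$port (page uses 636)"; rc=1; }
        ts=$(prop_get "$f" $p.ldapClientTrustStore)
        [ -n "$ts" ] && [ -r "$ts" ] || { echo "truststore not readable: $ts"; rc=1; }
        [ -n "$(prop_get "$f" $p.ldapClientTrustStorePassphrase)" ] \
            || { echo "ldapClientTrustStorePassphrase is empty"; rc=1; }
    else
        [ "$port" != 636 ] || { echo "ldapPortNumber=636 but ldapUseSSL is not true"; rc=1; }
    fi
    [ "$(prop_get "$f" $p.ldapFollowReferrals)" = true ] \
        || echo "note: ldapFollowReferrals is not true; the page sets it to true for Active Directory"
    return $rc
}

# Usage: COLLATION_PROPS=dist/etc/collation.properties sh checkprops.sh
if [ -n "${COLLATION_PROPS:-}" ]; then
    check_collation_ldap "$COLLATION_PROPS"
fi
```

A non-zero exit means at least one finding was printed; fix those in the file, then run encryptprops.sh and restart as the page describes. The check reads the file as plain text, so it works both before and after the passwords have been encrypted.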

Encrypt the passwords again in collation.properties by running the following command:

dist/bin/encryptprops.sh $COLLATION_HOME

Restart the PSS. Test the user and group search again.