There are a lot of environments for NOI where an LDAP-accessible Corporate directory (often Microsoft's Active Directory) is perfect for authenticating users. It's possible for DASH, the Impact GUI Server, and the Unity Server (the GUI behind Log Analysis) to share a single-sign-on domain and to do role-based access based on membership in LDAP-provided groups.
What often doesn't work as well is hosting an administrative "service" user via LDAP. Among other issues, firms often have the Corporate Directory administered by a separate group that may be less than responsive (or careful). I have experienced the issue with the 'impactadmin' user being locked or having the password reset at multiple customers, causing all sorts of grief.
DASH is not susceptible to this issue, as the underlying WebSphere VMM will happily federate file-based users and LDAP-based users. So the magic "smadmin" is set in a file and kept under firm control of the event management team. Unfortunately, Impact uses WebSphere "Liberty", which cannot federate a file-based user repository with an LDAP-based repository. In the past this has meant begging the Corporate Directory team to create 'impactadmin' (it's possible to use a different name) and to make sure the account is set with a non-expiring password.
The good news is that WebSphere Liberty is quite capable of federating multiple LDAP repositories, so I have been able to use a simple OpenLDAP server as the source for the 'impactadmin' user -- as well as a source for the 'unityadmin' user for Log Analysis if needed.
The OpenLDAP daemon, slapd, must be installed and running. To install it (on Red Hat EL):
# yum install -y openldap-clients openldap-servers
For RHEL 7 and later (which use systemctl), slapd can be started and set up for automatic restart with:
# systemctl start slapd
# systemctl enable slapd
For RHEL 6, use the older commands:
# service slapd start
# chkconfig --add slapd
# chkconfig --level 35 slapd on
Once you have slapd running, use this script, config_noi_ldap.sh, to configure the server to add an "admin" user (to bind to), an "impactadmin" user, and optionally a "unityadmin" user. Use it something like this:
# ./config_noi_ldap.sh password1 password2 [password3]
"password1" is the password for a user named "admin" that is intended to be the bind user (used by Liberty to connect to the LDAP server).
"password2" is the password for impactadmin, and "password3" (if present) will cause the unityadmin user to be created and set with that password.
It's easy to edit the script if the preset "admin", "impactadmin", and/or "unityadmin" user names need to be changed.
In the next post, I will show how the OpenLDAP server can be federated with another LDAP repository for Impact's use.
One thing more... here is another convenience script for changing the password of one of the users: change_noi_ldap_upasswd.sh.
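Here is an added, stand-alone example (my own, not the author's config_noi_ldap.sh or change_noi_ldap_upasswd.sh) of what those two scripts do: it generates the LDIF for the "admin" bind user, "impactadmin" and an optional "unityadmin" under ou=People, loads it over the local ldapi:/// socket, and can later reset one user's password with ldappasswd. The suffix dc=noi,dc=example, the rootdn cn=Manager,dc=noi,dc=example and the ou=People container are assumptions for illustration; set them in cn=config (or in the variables at the top) to match your server. Unlike the original usage line, it prompts for the passwords instead of taking them as arguments, so they do not land in shell history or in `ps` output, and it hashes them with slappasswd before they are written to the directory.

```bash
#!/bin/bash
# Added example (not the author's scripts): seed a fresh slapd with the NOI
# service users, and change a user's password later.
# Assumed (not from the original post): database suffix and rootdn below are
# already configured in cn=config, and the cosine and inetorgperson schemas
# are loaded (inetOrgPerson is not in the RHEL default slapd.d configuration).
set -e

BASE_DN="${BASE_DN:-dc=noi,dc=example}"          # assumed suffix
ROOT_DN="${ROOT_DN:-cn=Manager,$BASE_DN}"        # assumed olcRootDN
LDAP_URI="${LDAP_URI:-ldapi:///}"                # local socket: rootdn bind never crosses the network
PEOPLE_OU="ou=People,$BASE_DN"

# First "dc=" component of the suffix, needed for the dc attribute of the root entry.
dc_from_base() {
    local first="${1%%,*}"
    printf '%s\n' "${first#dc=}"
}

# One inetOrgPerson entry. $1=uid  $2=already-hashed userPassword  $3=base DN
user_ldif() {
    printf 'dn: uid=%s,ou=People,%s\n' "$1" "$3"
    printf 'objectClass: inetOrgPerson\n'
    printf 'uid: %s\ncn: %s\nsn: %s\n' "$1" "$1" "$1"
    printf 'userPassword: %s\n\n' "$2"
}

# Full LDIF: root entry, ou=People, admin, impactadmin and (if $4 is given) unityadmin.
# $1=base DN  $2=admin hash  $3=impactadmin hash  [$4=unityadmin hash]
noi_ldif() {
    local base="$1" dc
    dc="$(dc_from_base "$base")"
    printf 'dn: %s\nobjectClass: top\nobjectClass: dcObject\nobjectClass: organization\no: %s\ndc: %s\n\n' \
        "$base" "$dc" "$dc"
    printf 'dn: ou=People,%s\nobjectClass: organizationalUnit\nou: People\n\n' "$base"
    user_ldif admin       "$2" "$base"
    user_ldif impactadmin "$3" "$base"
    if [ -n "${4:-}" ]; then
        user_ldif unityadmin "$4" "$base"
    fi
}

# Salted SHA hash via slappasswd. The password is fed through stdin (-T reads a
# file's contents) rather than "-s", so it is never visible as a process argument.
hash_pw() {
    printf '%s' "$1" | slappasswd -h '{SSHA}' -T /dev/stdin
}

# Read a password without echo; the prompt goes to stderr, the value to stdout.
prompt_pw() {
    local pw
    read -rs -p "Password for $1: " pw </dev/tty
    echo >&2
    printf '%s\n' "$pw"
}

# Counterpart of config_noi_ldap.sh: ldapadd -W prompts for the rootdn password.
# Usage: setup_noi_ldap [--with-unityadmin]
setup_noi_ldap() {
    local admin_h impact_h unity_h=""
    admin_h="$(hash_pw "$(prompt_pw admin)")"
    impact_h="$(hash_pw "$(prompt_pw impactadmin)")"
    if [ "${1:-}" = "--with-unityadmin" ]; then
        unity_h="$(hash_pw "$(prompt_pw unityadmin)")"
    fi
    noi_ldif "$BASE_DN" "$admin_h" "$impact_h" "$unity_h" \
        | ldapadd -x -H "$LDAP_URI" -D "$ROOT_DN" -W
}

# Counterpart of change_noi_ldap_upasswd.sh: -S prompts for the new password
# twice, -W for the rootdn password; slapd hashes the value per olcPasswordHash.
change_noi_password() {
    ldappasswd -x -H "$LDAP_URI" -D "$ROOT_DN" -W -S "uid=$1,$PEOPLE_OU"
}

case "${1:-}" in
    setup)  shift; setup_noi_ldap "$@" ;;
    passwd) change_noi_password "${2:?usage: $0 passwd <uid>}" ;;
    "")     ;;   # sourced or run without arguments: only define the functions
    *)      echo "usage: $0 setup [--with-unityadmin] | passwd <uid>" >&2 ;;
esac
```

Run it on the LDAP host as root: `./noi_ldap_setup.sh setup` (add `--with-unityadmin` for the third user), later `./noi_ldap_setup.sh passwd impactadmin` to rotate a password. If slapd still has the RHEL default configuration, load the schemas first with `ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif` and the same for inetorgperson.ldif, and set olcSuffix, olcRootDN and olcRootPW on the database entry in cn=config before seeding; otherwise the ldapadd above fails with an objectClass or naming violation.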