Configuring an LDAP namespace for Active Directory Server

If you configure a new LDAP namespace for use with an Active Directory Server, default values are generated for you.

Procedure

  1. In every location where you installed Content Manager, open IBM® Cognos® Configuration.
  2. In the Explorer window, under Security, right-click Authentication, and then click New resource > Namespace.
  3. In the Name box, type a name for your authentication namespace.
  4. In the Type list, select LDAP - Default values for Active Directory and then click OK.

    The new authentication provider resource appears in the Explorer window, under the Authentication component. Default values are generated for you. Check them and make changes as needed.

  5. In the Properties window, for the NamespaceID property, specify a unique identifier for the namespace.
    Tip: Do not use colons (:) in the Namespace ID property.
  6. Specify the values for all other required properties to ensure that IBM Cognos components can locate and use your existing authentication provider.

    The following settings are examples:

    • For User lookup, enter (sAMAccountName=${userID})
    • If you use single signon, for Use external identity, set the value to True.
    • If you use single signon, for External identity mapping, enter (sAMAccountName=${environment("REMOTE_USER")})

      If you want to remove the domain name from the REMOTE_USER variable, enter (sAMAccountName=${replace(${environment("REMOTE_USER")}, "domain\\","")}).

      Important: Ensure that you use only the variable REMOTE_USER. Using another variable can cause a security vulnerability.
    • For Bind user DN and password, enter user@domain.
    • For Unique identifier, enter objectGUID
  7. If you want the LDAP authentication provider to bind to the directory server by using a specific Bind user DN and password when you perform searches, then specify these values.

    If no values are specified, the LDAP authentication provider binds as anonymous.

  8. If you do not use external identity mapping, use bind credentials for searching the LDAP directory server by doing the following steps:
    • Ensure that Use external identity is set to False.
    • Set Use bind credentials for search to True.
    • Specify the user ID and password for Bind user DN and password.
  9. From the File menu, click Save.
  10. Test the connection to the new namespace. In the Explorer window, under Authentication, right-click the new authentication resource and click Test.

    You are prompted to enter credentials for a user in the namespace to complete the test.

    Depending on how your namespace is configured, you can enter either a valid user ID and password for a user in the namespace or the bind user DN and password.
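
The following check is an added example, not part of the IBM documentation or product code. It lints an External identity mapping value from step 6 so that it reads only REMOTE_USER, and shows the search filter that a given REMOTE_USER value should resolve to. The function names, the EXAMPLE domain, the SOME_OTHER_VAR variable, and the treatment of replace() as a plain case-sensitive substring replacement are assumptions.

```python
import re

# RFC 4515 characters that must be escaped inside an LDAP filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape a value so it cannot change the structure of the search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def env_vars_in_mapping(mapping):
    """Return every variable name read through environment("...") in a mapping."""
    return re.findall(r'environment\(\s*"([^"]*)"\s*\)', mapping)

def mapping_is_safe(mapping):
    """True only if the mapping reads REMOTE_USER and no other environment variable."""
    names = env_vars_in_mapping(mapping)
    return bool(names) and all(name == "REMOTE_USER" for name in names)

def resolve_lookup(remote_user, domain=None):
    """Build the filter (sAMAccountName=<user>) from a REMOTE_USER value.

    If domain is given, the literal prefix 'domain\\' is removed first, as the
    replace() form of the mapping does (assumed here to be a plain,
    case-sensitive substring replacement).
    """
    user = remote_user.replace(domain + "\\", "") if domain else remote_user
    return "(sAMAccountName=" + escape_filter_value(user) + ")"

if __name__ == "__main__":
    # Constructed mapping strings: the two from step 6 plus one that breaks the rule.
    mappings = [
        '(sAMAccountName=${environment("REMOTE_USER")})',
        '(sAMAccountName=${replace(${environment("REMOTE_USER")}, "domain\\\\","")})',
        '(sAMAccountName=${environment("SOME_OTHER_VAR")})',
    ]
    for m in mappings:
        print("OK  " if mapping_is_safe(m) else "FAIL", m)
    # Constructed REMOTE_USER values, as a web server might set them.
    for value in ["EXAMPLE\\jsmith", "jsmith", "EXAMPLE\\j*"]:
        print(repr(value), "->", resolve_lookup(value, domain="EXAMPLE"))
```

A resolved filter that still contains a backslash escape such as \5c or \2a means the REMOTE_USER value did not reduce to a plain account name, which is worth investigating before the namespace goes into use.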

Results

IBM Cognos loads, initializes, and configures the provider libraries for the namespace.