The following procedure describes how to set up LTPA for Cognos® Analytics
when using IBM Tivoli Directory Server LDAP as the authentication source.
For details about configuring LDAP, see Configuring IBM Cognos components to use LDAP.
Procedure
- In every location where you installed
Content Manager, open IBM Cognos Configuration.
- In the Explorer window,
under Security, right-click Authentication,
and then click New resource > Namespace.
- In the Name box,
type a name for your authentication namespace.
- In the Type list, select LDAP – General default values.
- In the Properties window,
for the Namespace ID property, specify a unique
identifier for the namespace.
- Specify the following properties:
- Host and port: the fully qualified host name and port of the LDAP server.
- Base distinguished name: for example, o=organization_name.com
- User lookup: for example, uid=${userID},ou=people
- Use External Identity: True
- External identity mapping: for example, uid=${environment("REMOTE_USER")},ou=people
With Use External Identity set to True, Cognos Analytics does not verify a password itself;
it trusts the user name in REMOTE_USER as already authenticated by the web tier (here, the
Liberty security configuration in local-server.xml) and builds the user DN from it. Make
sure that only that tier can set REMOTE_USER and that a client cannot supply the value
directly, because whoever controls that value chooses which user DN is mapped.
- If you want the LDAP authentication provider to bind to the directory server by using a
specific Bind user DN and password when it performs searches, specify these values.
If no values are specified, the LDAP authentication provider binds anonymously.
If external identity mapping is enabled, Bind user DN and password are used for all LDAP
access. If external identity mapping is not enabled, Bind user DN and password are used
only when a search filter is specified for the User lookup property. In that case, after
the user DN is established, subsequent requests to the LDAP server run under the
authentication context of the user.
- If you do not use external identity mapping, use bind credentials for searching the LDAP
directory server as follows:
- Ensure that Use external identity is set to False.
- Set Use bind credentials for search to True.
- Specify the user ID and password for Bind user DN and password.
If you do not specify a user ID and password, and anonymous access is enabled on the
directory server, the search is performed anonymously.
- Check the mapping settings for the required objects and attributes.
Depending on the LDAP configuration, you may have to change some default values to ensure
successful communication between IBM Cognos components and the LDAP server.
LDAP attributes that are mapped to the Name property in Folder mappings, Group mappings,
and Account mappings must be readable by all authenticated users. In addition, the Name
property must not be blank.
- From the File menu, click Save.
- Create an XML file named local-server.xml and place it in the
install_location/configuration directory.
- In the local-server.xml file, enter values that are appropriate for your environment.
The values shown for id, realm, host, port and baseDN are placeholders:
<?xml version="1.0" encoding="UTF-8"?>
<server>
<featureManager>
<feature>ldapRegistry-3.0</feature>
<feature>appSecurity-2.0</feature>
</featureManager>
<!-- sslEnabled="false" sends the bind and every search across the network in cleartext.
     Set it to "true" (and point port at the LDAPS port) unless the directory is reached
     over a network you fully trust. -->
<ldapRegistry id="id" realm="realm"
host="host" port="port" ignoreCase="true"
baseDN="o=basedn" ldapType="Custom" sslEnabled="false">
<!-- Optional: search with a dedicated service account instead of binding anonymously.
     Store the password in the encoded form produced by securityUtility encode, for
     example: bindDN="cn=service,o=basedn" bindPassword="encoded-password" -->
<!-- userFilter is an LDAP search filter (RFC 4515), not a DN. A value such as
     "(uid=%v,ou=people)" asks for a uid literally equal to "user,ou=people" and never
     matches; the search is already scoped by baseDN. To restrict matches to person
     entries, AND an objectclass term, for example (&amp;(uid=%v)(objectclass=inetOrgPerson)). -->
<idsFilters
userFilter="(uid=%v)"
userIdMap="*:uid"
groupFilter='(objectclass=groupofnames)'
groupIdMap="*:cn" />
</ldapRegistry>
<webAppSecurity allowFailOverToBasicAuth="true" displayAuthenticationRealm="true"/>
</server>
- If Cognos Analytics is configured to use SSL, see Configuring the SSL protocol for IBM
Cognos components for more information.
- To verify the configuration, log on to http://host:port/bi, or https://host:port/bi on
SSL-enabled systems, where host is the fully qualified Cognos Analytics host domain.
You should not see the Cognos Analytics logon page. Instead, the browser should prompt you
to log on. That prompt is HTTP basic authentication, enabled by
allowFailOverToBasicAuth="true" in local-server.xml; because the browser resends the
credentials with every request, use the https URL in production.
What to do next
If you want single sign-on (SSO) between the Cognos Analytics application that you set up
with LTPA authentication and an application that is deployed on a WebSphere instance,
install the WebSphere LTPA key file on each Cognos Analytics dispatcher where LTPA was
set up, and add the following <ltpa> element to local-server.xml:
<ltpa keysFileName="yourLTPAKeysFileName.keys"
keysPassword="keysPassword" expiration="120" />
The key file is a shared secret: anyone who can read it and knows keysPassword can mint
an LTPA token for any user that both sides accept. Restrict the file's permissions to the
account that runs Liberty, and store keysPassword in the encoded form produced by the
Liberty securityUtility encode command rather than in plaintext. The expiration value is
the token lifetime in minutes.
For more information, see the WebSphere Liberty documentation.
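As an added check that is not part of the IBM procedure or of any Cognos or Liberty tooling: the Python script below parses a local-server.xml file and reports the settings that the local-server.xml step and the What to do next section leave open (cleartext LDAP, anonymous search, a DN pasted where a search filter belongs, plaintext bind and LTPA key passwords, basic-auth fallback). The two embedded configurations are constructed samples; the host name ldap.example.com, the DNs, the service account cn=cognos-search and the {aes} values are placeholders, not values from the page.

```python
"""Audit a Liberty local-server.xml fragment for the weak LDAP/LTPA settings discussed above.

Constructed example for this page: the two configurations below are made up and are not
IBM's files; host names, DNs, password values and the service account are placeholders.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the page's fragment with placeholders filled in, a DN where a
# search filter belongs, no LDAP TLS, anonymous search, and a plaintext LTPA key password.
WEAK_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<server>
  <featureManager>
    <feature>ldapRegistry-3.0</feature>
    <feature>appSecurity-2.0</feature>
  </featureManager>
  <ldapRegistry id="ids" realm="CognosRealm" host="ldap.example.com" port="389"
      ignoreCase="true" baseDN="o=example.com" ldapType="Custom" sslEnabled="false">
    <idsFilters userFilter="(uid=%v,ou=people)" userIdMap="*:uid"
        groupFilter="(objectclass=groupofnames)" groupIdMap="*:cn"/>
  </ldapRegistry>
  <webAppSecurity allowFailOverToBasicAuth="true" displayAuthenticationRealm="true"/>
  <ltpa keysFileName="ltpa.keys" keysPassword="changeit" expiration="120"/>
</server>
"""

# Constructed hardened variant: LDAPS, a dedicated search account with an encoded password,
# a real search filter, and an encoded LTPA key password. The {aes} values stand in for
# the output of "securityUtility encode --encoding=aes".
HARDENED_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<server>
  <featureManager>
    <feature>ldapRegistry-3.0</feature>
    <feature>appSecurity-2.0</feature>
    <feature>transportSecurity-1.0</feature>
  </featureManager>
  <ldapRegistry id="ids" realm="CognosRealm" host="ldap.example.com" port="636"
      ignoreCase="true" baseDN="o=example.com" ldapType="Custom" sslEnabled="true"
      bindDN="cn=cognos-search,ou=service,o=example.com" bindPassword="{aes}PLACEHOLDER">
    <idsFilters userFilter="(&amp;(uid=%v)(objectclass=inetOrgPerson))" userIdMap="*:uid"
        groupFilter="(objectclass=groupofnames)" groupIdMap="*:cn"/>
  </ldapRegistry>
  <webAppSecurity allowFailOverToBasicAuth="true" displayAuthenticationRealm="true"/>
  <ltpa keysFileName="ltpa.keys" keysPassword="{aes}PLACEHOLDER" expiration="120"/>
</server>
"""

ENCODED_PREFIXES = ("{xor}", "{aes}")        # Liberty's encoded-password markers ({xor} is only obfuscation)
LEAF = re.compile(r"\(([^()&|!][^()]*)\)")   # one (attribute=value) term of an LDAP filter


def filter_problems(ldap_filter: str) -> list[str]:
    """Return what is wrong with a Liberty userFilter string; [] when it looks sane."""
    problems = []
    if ldap_filter.count("(") != ldap_filter.count(")"):
        problems.append("unbalanced parentheses")
    for leaf in LEAF.findall(ldap_filter):
        if "=" not in leaf:
            problems.append(f"({leaf}) has no attribute=value comparison")
            continue
        attr, value = leaf.split("=", 1)
        # "(uid=%v,ou=people)" is a DN written in filter syntax: after substitution the
        # directory is asked for uid equal to "alice,ou=people" and never finds anyone.
        if re.search(r"%v\s*,\s*[A-Za-z]+=", value):
            problems.append(f"({leaf}) is a DN, not a search filter; use ({attr}=%v)")
    if "%v" not in ldap_filter:
        problems.append("no %v placeholder, so the login name is never matched")
    return problems


def audit(xml_text: str) -> list[str]:
    """Return findings for the ldapRegistry, ltpa and webAppSecurity elements."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []
    for reg in root.iter("ldapRegistry"):
        if reg.get("sslEnabled", "false").lower() != "true":
            findings.append("ldapRegistry: sslEnabled is not true; binds and searches cross the network in cleartext")
        if not reg.get("bindDN"):
            findings.append("ldapRegistry: no bindDN, so Liberty searches the directory anonymously")
        bind_pw = reg.get("bindPassword", "")
        if bind_pw and not bind_pw.startswith(ENCODED_PREFIXES):
            findings.append("ldapRegistry: bindPassword is plaintext; use securityUtility encode")
        for filters in reg:                       # idsFilters, customFilters, ...
            user_filter = filters.get("userFilter")
            if user_filter:
                for problem in filter_problems(user_filter):
                    findings.append(f"{filters.tag}.userFilter: {problem}")
    for ltpa in root.iter("ltpa"):
        keys_pw = ltpa.get("keysPassword")
        if keys_pw is None:
            findings.append("ltpa: keysPassword not set, so Liberty uses its well-known default")
        elif not keys_pw.startswith(ENCODED_PREFIXES):
            findings.append("ltpa: keysPassword is plaintext; use securityUtility encode")
    was = root.find("webAppSecurity")
    if was is not None and was.get("allowFailOverToBasicAuth", "false").lower() == "true":
        findings.append("webAppSecurity: basic-auth fallback is on; the browser resends the password on every request, so serve /bi over HTTPS only")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for finding in audit(cfg):
            print(" -", finding)
```

To check a real file, call audit() on its contents (for example audit(open("install_location/configuration/local-server.xml").read()); the path is the one the procedure uses). The basic-auth finding is informational: the verification step relies on that fallback, so the hardened sample keeps it and the script only reminds you that the endpoint must be HTTPS.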