Configuring LTPA using an LDAP namespace

The following procedure describes how to set up LTPA for Cognos® Analytics when using IBM Tivoli Directory Server LDAP as the authentication source.

For details about configuring LDAP, see Configuring IBM Cognos components to use LDAP.

Procedure

  1. In every location where you installed Content Manager, open IBM Cognos Configuration.
  2. In the Explorer window, under Security, right-click Authentication, and then click New resource > Namespace.
  3. In the Name box, type a name for your authentication namespace.
  4. In the Type list, select LDAP – General default values.
  5. In the Properties window, for the Namespace ID property, specify a unique identifier for the namespace.
  6. Specify the following properties:
    • Host and port: the fully qualified host and port of the LDAP server.
    • Base distinguished name: for example, o=organization_name.com
    • User lookup: for example, uid=${userID},ou=people
    • Use External Identity: True
    • External identity mapping: for example, uid=${environment("REMOTE_USER")},ou=people
  7. If you want the LDAP authentication provider to bind to the directory server by using a specific Bind user DN and password when you perform searches, then specify these values.

    If no values are specified, the LDAP authentication provider binds as anonymous.

    If external identity mapping is enabled, Bind user DN and password are used for all LDAP access. If external identity mapping is not enabled, Bind user DN and password are used only when a search filter is specified for the User lookup property. In that case, when the user DN is established, subsequent requests to the LDAP server are run under the authentication context of the user.

  8. If you do not use external identity mapping, configure bind credentials for searching the LDAP directory server as follows:
    • Ensure that Use external identity is set to False.
    • Set Use bind credentials for search to True.
    • Specify the user ID and password for Bind user DN and password.

    If you do not specify a user ID and password, and anonymous access is enabled, the search is done anonymously.

  9. Check the mapping settings for the required objects and attributes.

    Depending on the LDAP configuration, you may have to change some default values to ensure successful communication between IBM Cognos components and the LDAP server.

    LDAP attributes that are mapped to the Name property in Folder mappings, Group mappings, and Account mappings must be accessible to all authenticated users. In addition, the Name property must not be blank.

  10. From the File menu, click Save.
  11. Create an XML file named local-server.xml and place it in the install_location/configuration directory.
  12. In the local-server.xml file, enter values that are appropriate for your environment:
    <?xml version="1.0" encoding="UTF-8"?>
    <server>
        <featureManager>
            <feature>ldapRegistry-3.0</feature>
            <feature>appSecurity-2.0</feature>
        </featureManager>
        <ldapRegistry id="id" realm="realm"
            host="host" port="port" ignoreCase="true"
            baseDN="o=basedn" ldapType="Custom" sslEnabled="false">
            <idsFilters
                userFilter="(uid=%v,ou=people)"
                userIdMap="*:uid"
                groupFilter="(objectclass=groupofnames)"
                groupIdMap="*:cn" />
        </ldapRegistry>
        <webAppSecurity allowFailOverToBasicAuth="true" displayAuthenticationRealm="true"/>
    </server>

  13. If Cognos Analytics is configured to use SSL, see Configuring the SSL protocol for IBM Cognos components for more information.
  14. To verify the configuration, log on to http://host:port/bi, or https://host:port/bi for SSL-enabled systems, where host is the fully qualified domain name of the Cognos Analytics host.

    You should not see the Cognos Analytics logon page. Instead, you should be prompted by the browser to log on.

What to do next

If you want to configure single sign-on (SSO) between the Cognos Analytics application that was set up with LTPA authentication and an application that is deployed in a WebSphere instance, install the WebSphere key on each Cognos Analytics dispatcher where LTPA was set up, and update the local-server.xml file with the following <ltpa> element:

<ltpa keysFileName="yourLTPAKeysFileName.keys" 
keysPassword="keysPassword" expiration="120" />

For more information, see the WebSphere Liberty documentation.
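A review check for the local-server.xml from step 12 with the <ltpa> element added, as an added example that is not part of the IBM documentation, Cognos Analytics or Liberty. The sample file is constructed from the placeholder values on this page; the `{xor}` and `{aes}` prefixes it accepts are the ones produced by Liberty's securityUtility encode command.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the step 12 file plus the <ltpa> element, placeholders left in place.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<server>
  <featureManager>
    <feature>ldapRegistry-3.0</feature>
    <feature>appSecurity-2.0</feature>
  </featureManager>
  <ldapRegistry id="id" realm="realm" host="host" port="port" ignoreCase="true"
      baseDN="o=basedn" ldapType="Custom" sslEnabled="false">
    <idsFilters userFilter="(uid=%v,ou=people)" userIdMap="*:uid"
        groupFilter="(objectclass=groupofnames)" groupIdMap="*:cn"/>
  </ldapRegistry>
  <webAppSecurity allowFailOverToBasicAuth="true" displayAuthenticationRealm="true"/>
  <ltpa keysFileName="yourLTPAKeysFileName.keys" keysPassword="keysPassword" expiration="120"/>
</server>
"""
# Attribute values that appear verbatim in the documentation and must be replaced before use.
PLACEHOLDERS = {"id", "realm", "host", "port", "o=basedn",
                "yourLTPAKeysFileName.keys", "keysPassword"}


def check_local_server_xml(xml_text: str) -> list[str]:
    """Return review findings for a local-server.xml; an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []
    reg = root.find("ldapRegistry")
    if reg is None:
        findings.append("ldapRegistry: element is missing")
    else:
        if reg.get("sslEnabled", "false").lower() != "true":
            findings.append("ldapRegistry: sslEnabled is not true, so bind and user credentials reach the LDAP server unencrypted")
        flt = reg.find("idsFilters")
        user_filter = flt.get("userFilter", "") if flt is not None else ""
        if "%v" not in user_filter or user_filter.count("(") != user_filter.count(")"):
            findings.append("idsFilters: userFilter must contain %v and have balanced parentheses")
    was = root.find("webAppSecurity")
    if was is not None and was.get("allowFailOverToBasicAuth", "false").lower() == "true":
        findings.append("webAppSecurity: allowFailOverToBasicAuth is true; serve /bi over HTTPS (step 13) or the basic-auth fallback sends passwords in the clear")
    ltpa = root.find("ltpa")
    if ltpa is not None and not ltpa.get("keysPassword", "").startswith(("{xor}", "{aes}")):
        findings.append("ltpa: keysPassword is missing or cleartext; store a value produced by securityUtility encode")
    for elem in root.iter():  # placeholder sweep over every attribute in the file
        for name, value in elem.attrib.items():
            if value in PLACEHOLDERS:
                findings.append(f"{elem.tag}: {name} still has the placeholder value '{value}'")
    return findings
```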