Configuring an LDAP namespace

You can configure IBM® Cognos® components to use an LDAP namespace when the users are stored in an LDAP user directory. The LDAP user directory may be accessed from within another server environment, such as Active Directory Server or SiteMinder.

If you are configuring an LDAP namespace for a directory server other than LDAP, see the appropriate section:

You can also use LDAP authentication with IBM Db2 and Essbase OLAP data sources by specifying the LDAP namespace when you set up the data source connection. For more information, see the IBM Cognos Analytics with Watson Administration and Security Guide.

Procedure

  1. In every location where you installed Content Manager, open IBM Cognos Configuration.
  2. In the Explorer window, under Security, right-click Authentication, and then click New resource > Namespace.
  3. In the Name box, type a name for your authentication namespace.
  4. In the Type list, click the appropriate namespace and then click OK.

    The new authentication provider resource appears in the Explorer window, under the Authentication component.

  5. In the Properties window, for the Namespace ID property, specify a unique identifier for the namespace.
  6. Specify the values for all other required properties to ensure that IBM Cognos components can locate and use your existing authentication provider.
  7. If you want the LDAP authentication provider to bind to the directory server by using a specific Bind user DN and password when you perform searches, then specify these values.

    If no values are specified, the LDAP authentication provider binds as anonymous.

    If external identity mapping is enabled, Bind user DN and password are used for all LDAP access. If external identity mapping is not enabled, Bind user DN and password are used only when a search filter is specified for the User lookup property. In that case, when the user DN is established, subsequent requests to the LDAP server are run under the authentication context of the user.

  8. If you do not use external identity mapping, use bind credentials for searching the LDAP directory server by doing the following steps:
    • Ensure that Use external identity is set to False.
    • Set Use bind credentials for search to True.
    • Specify the user ID and password for Bind user DN and password.

    If you do not specify a user ID and password, and anonymous access is enabled, the search is done by using an anonymous bind.

  9. Check the mapping settings for the required objects and attributes.

    Depending on the LDAP configuration, you may have to change some default values to ensure successful communication between IBM Cognos components and the LDAP server.

    LDAP attributes that are mapped to the Name property in Folder mappings, Group mappings, and Account mappings must be accessible to all authenticated users. In addition, the Name property must not be blank.

  10. From the File menu, click Save.
  11. Test the connection to the new namespace. In the Explorer window, under Authentication, right-click the new authentication resource and click Test.

    You are prompted to enter credentials for a user in the namespace to complete the test.

    Depending on how your namespace is configured, you can enter either a valid user ID and password for a user in the namespace or the bind user DN and password.

Results

IBM Cognos loads, initializes, and configures the provider libraries for the namespace.
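
Steps 7 and 8 note that the provider falls back to an anonymous bind when no Bind user DN and password are set. One way to confirm which identity the searches actually run under is to review the directory server's access log. The following Python code is an added example, not IBM code; it assumes an OpenLDAP-style (slapd) access log, and the sample lines, DNs and the function name anonymous_searches are constructed for illustration.

```python
import re

# Constructed sample in OpenLDAP (slapd) access-log style; DNs and filters are invented.
SAMPLE_LOG = """\
conn=1001 op=0 BIND dn="cn=cognos-bind,ou=svc,dc=example,dc=com" method=128
conn=1001 op=0 RESULT tag=97 err=0 text=
conn=1001 op=1 SRCH base="ou=people,dc=example,dc=com" scope=2 deref=0 filter="(uid=jdoe)"
conn=1002 op=0 BIND dn="" method=128
conn=1002 op=0 RESULT tag=97 err=0 text=
conn=1002 op=1 SRCH base="ou=people,dc=example,dc=com" scope=2 deref=0 filter="(uid=asmith)"
conn=1003 op=0 SRCH base="ou=people,dc=example,dc=com" scope=2 deref=0 filter="(uid=bwong)"
conn=1004 op=0 BIND dn="cn=cognos-bind,ou=svc,dc=example,dc=com" method=128
conn=1004 op=0 RESULT tag=97 err=49 text=
conn=1004 op=1 SRCH base="ou=people,dc=example,dc=com" scope=2 deref=0 filter="(uid=clee)"
"""

LINE = re.compile(r'conn=(\d+) op=(\d+) (BIND|RESULT|SRCH) (.*)')
BIND_DN = re.compile(r'dn="([^"]*)"')
RESULT = re.compile(r'tag=(\d+) err=(\d+)')
FILTER = re.compile(r'filter="([^"]*)"')

def anonymous_searches(log_text):
    """Return (conn, filter) for each search run on a connection with no bound identity."""
    bound = {}      # conn -> DN currently authenticated ("" means anonymous)
    pending = {}    # (conn, op) -> DN of a BIND still waiting for its RESULT
    findings = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        conn, op, verb, rest = int(m[1]), int(m[2]), m[3], m[4]
        if verb == "BIND":
            dn = BIND_DN.search(rest)
            if dn:
                pending[(conn, op)] = dn[1]
        elif verb == "RESULT" and (conn, op) in pending:
            r = RESULT.search(rest)
            dn = pending.pop((conn, op))
            # tag=97 is a bind response; a failed bind leaves the connection anonymous
            bound[conn] = dn if r and r[1] == "97" and r[2] == "0" else ""
        elif verb == "SRCH":
            f = FILTER.search(rest)
            # a connection that never bound is anonymous too; skip SRCH lines without a filter
            if f and not bound.get(conn):
                findings.append((conn, f[1]))
    return findings
```

In the constructed sample, connections 1002, 1003 and 1004 are reported: an explicit anonymous bind, a search with no bind at all, and a search after a failed bind.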