Configuration Manager User Guide  7.5.0

Configure a Directory Server

If you installed a Sun Java System Directory Server using the IBM Cognos installer program described in the Supplementary Software Installation Guide, the directory server is already configured and you do not have to complete this section.

If you already have a supported directory server installed, you must configure it for use with IBM Cognos products. You only need to configure one directory server to use with all your IBM Cognos products and you complete this task only once. The configuration can be done on the computer where the directory server is located, or from any other computer where you installed IBM Cognos components.

The configuration process is the same regardless of which supported directory server you use. By completing this additional configuration task, you are

  • extending the directory server schema so that the directory server is compliant with IBM Cognos products.

  • creating a namespace on the directory server in which you can store IBM Cognos security data. If you already have a namespace that you want to use, you do not need to create one.

  • setting properties to locate ticket services for single signon.

  • configuring ticket service failover if required.

After you configure the directory server for use with IBM Cognos products, you can continue to configure your IBM Cognos environment.

The following table shows all the properties that you must verify or configure.

Each property name is followed by its description and value.

Are you sure you want to configure this directory server?

    Ensure that the value is set to Yes.

Schema Version

    The schema version format used by the directory server to store Access Manager information.

    The default is Current.

    If you are upgrading the directory server that was used with IBM Cognos 7.0 and earlier products, or with IBM Cognos 7.1 products where your namespace version is 15.2, you cannot use the default configuration setting of Current for the schema version. You must select the Compatible with Series 7.0 and earlier versions setting.

    If you are installing directory server software for the first time, to use with IBM Cognos Series 7 Version 4 products, we recommend that you set the value to Current.

Server Type

    The type of directory server that you installed.

    Use the default setting, Auto Detect, which automatically determines the type of directory server you are using, or select the type of directory server.

Computer

    The name of the computer or IP address where the directory server is installed.

    Note: To support publishing from the PowerPlay Enterprise Server to IBM Cognos ReportNet or IBM Cognos 8, you must use the same format to identify the location of the directory server when you configure IBM Cognos Series 7 and IBM Cognos ReportNet or IBM Cognos 8. For example, if you use your computer name to identify the location of the directory server in IBM Cognos Series 7, you must use your computer name when you add the IBM Cognos Series 7 namespace to IBM Cognos ReportNet or IBM Cognos 8. If you use your computer name in one location and IP address in the other, publishing from PowerPlay Enterprise Server to IBM Cognos ReportNet or IBM Cognos 8 will fail.

Port

    The port that is used by the directory server.

    The default is port 389.

Base Distinguished Name (DN)

    A distinguished name (DN) which will be the first entry in the directory tree, creating a branch for your data.

    The IBM Cognos default DN for Sun Java System Directory Server is o=cognos, c=ca

    If you used a different base DN when you installed the directory server or if you are using another directory server, you must provide the value for your base DN.

    Note: For an IBM Tivoli Directory Server, you must create the suffix DN used for storage of IBM Cognos data before completing the configuration in Configuration Manager. Also, if the suffix DN does not use the o=example, ou=example format, you must add the entry in Tivoli Directory Management. If the suffix DN is not added to Tivoli Directory Management, you will receive an error message when you apply the configuration indicating the base DN could not be created in the directory server.

Unrestricted User Distinguished Name (DN)

    The distinguished name (DN) that the administrator uses to manage the contents of the directory server with unlimited privileges.

    The default used by Sun Java System Directory Server is cn=Directory Manager

Unrestricted User Password

    A password for the unrestricted user.

    The IBM Cognos default is admin1234

Primary Ticket Service

    The primary Access Manager computer name and ticket service port.

    The port number must be the same as the port number specified in Service.Access Manager - Server.General.Ticket Service on the primary Access Manager Server computer.

    You must specify a primary ticket service.

    The default is computer_name:9010

Secondary Ticket Service (1, 2, 3, 4)

    The computer names and port numbers of optional additional ticket services.

    To support failover between ticket services, specify one or more secondary ticket services.

Enable Ticket Service Load Balance

    Enables you to balance the load between multiple ticket services.

    The default is No.

    To enable load balancing between ticket services, specify at least one secondary ticket service and select Yes.

Default Namespace Name

    The name of the default namespace in the directory server.

    The default name is Default.

Default Namespace Administrator Name

    Administrator

Default Namespace Administrator Signon

    Administrator

Default Namespace Administrator Password

    The default is no password.
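The following check is an added example, not part of the original guide or of IBM Cognos software: it reviews a set of General-category property values against the rules and documented defaults in the table above. Holding the properties in a dict, the numbered "Secondary Ticket Service 1" to "4" key names, and the host name dirsrv01 are assumptions of this example.

```python
# Added example: review directory server properties before applying them.
# Property names and defaults come from the table above; holding them in a
# dict, the numbered secondary keys and review() are constructs of this example.

CONFIRM = "Are you sure you want to configure this directory server?"
DOCUMENTED_DEFAULTS = {
    "Unrestricted User Password": "admin1234",
    "Default Namespace Administrator Password": "",
}
SECONDARY_KEYS = [f"Secondary Ticket Service {n}" for n in (1, 2, 3, 4)]

def is_ticket_service(value):
    """True for computer_name:port with a port in 1..65535."""
    host, sep, port = value.rpartition(":")
    return bool(host) and sep == ":" and port.isdigit() and 0 < int(port) <= 65535

def review(props):
    """Return a list of findings for one set of General-category properties."""
    findings = []
    if props.get(CONFIRM) != "Yes":
        findings.append(f"'{CONFIRM}' must be set to Yes")
    for name, default in DOCUMENTED_DEFAULTS.items():
        if props.get(name, default) == default:
            findings.append(f"{name} is still the documented default")
    if not is_ticket_service(props.get("Primary Ticket Service", "")):
        findings.append("Primary Ticket Service must be computer_name:port")
    secondaries = [props[k] for k in SECONDARY_KEYS if props.get(k)]
    for value in secondaries:
        if not is_ticket_service(value):
            findings.append(f"Secondary ticket service '{value}' is not computer_name:port")
    if props.get("Enable Ticket Service Load Balance") == "Yes" and not secondaries:
        findings.append("Load balancing needs at least one secondary ticket service")
    return findings

# Constructed sample values, not taken from a real installation.
SAMPLE = {
    CONFIRM: "Yes",
    "Computer": "dirsrv01",
    "Port": "389",
    "Unrestricted User Password": "admin1234",
    "Primary Ticket Service": "dirsrv01:9010",
    "Enable Ticket Service Load Balance": "Yes",
}

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print("-", finding)
```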

Configuring Microsoft Active Directory

You must use Configuration Manager on a Windows computer to configure Microsoft Active Directory for use with IBM Cognos products. You can configure other types of directory servers from either a UNIX or Windows computer, regardless of whether your directory is installed on a UNIX or Windows computer.

When you use Microsoft Active Directory with Windows Server 2003, anonymous binding to the directory server must be enabled before configuring the directory server for use with IBM Cognos products. For more information, see the Microsoft Knowledge Base article 326690.

Steps to Configure a Directory Server from a Windows Computer
  1. Start Configuration Manager.

  2. In the Welcome dialog box, click the Start tab.

  3. Click Open the Current Configuration.

    The Configuration Manager starts.

  4. In the Explorer window, expand the Services component and then expand Access Manager - Directory Server.

  5. Click the General category.

    The Properties window shows the default values for a Sun Java System Directory Server.

  6. Select the Are you sure you want to configure this directory server? property, and change the value to Yes.

    You must change this value to Yes even if you do not need to change any properties.

  7. Change other properties as required.

    Ensure that the Computer property contains the correct location of the directory server, especially if you are configuring a remote directory server.

  8. In the Explorer window, select the General category, and from the Actions menu, click Apply Selection.

Steps to Configure a Directory Server from a UNIX Computer
  1. To run Configuration Manager, go to the installation_location/bin directory, where installation_location is the location where you copied the IBM Cognos software.

  2. Type configure

    The command line configcp--> appears.

  3. To navigate to the proper location in the object hierarchy, type on a single line

    select "Services.Access Manager - Directory Server.General"

  4. To list all the properties for the General category, type ls

    Configuration Manager lists the default values used when you install a Sun Java System Directory Server from the Supplementary Software CD using the IBM Cognos installer option.

  5. Type on a single line

    set "Are you sure you want to configure this directory server?"=Yes

    Do not type spaces on either side of the equal sign.

  6. To change other properties as required, type:

    set "property name"=new value

    Ensure that the Computer property contains the correct location of the directory server, especially if you are configuring a remote directory server.

  7. Type apply

    This step applies all the properties within the General category.

  8. Type exit if you want to close Configuration Manager.

Configuring the ADAM application as Directory Server

After installing Active Directory Application Mode (ADAM), you must make configuration changes to configure ADAM to act as your directory server, accept anonymous requests, and add authenticated users to the Administrators group. Once these tasks are done, use Configuration Manager to select ADAM as your server type and extend the schema.

ADAM is available for use only with Microsoft 2003 and cannot be used with UNIX. You must run Configuration Manager on the same machine as ADAM to configure Microsoft 2003 ADAM for use with IBM Cognos products using the Series 7 namespace.

Steps to Configure ADAM as the Directory Server
  1. Launch ADAM from the Start menu, by clicking Programs, ADAM.

    The Connection Settings dialog box appears.

  2. Type your new connection name in the Connection name field, ADAM server name in the Server name field, and port number in the Port field.

  3. Click the Distinguished name (DN) naming context radio button and set your IBM Cognos application directory DN.

    Note: Select a base distinguished name (DN) beginning with a value of o=, ou=, or dc= to ensure you can run Configuration Manager on the same machine as ADAM.

  4. Click OK.

  5. Right-click your IBM Cognos application DN node for your connection and select New and Object.

    The Create Object dialog box appears.

  6. Select user from the list in the Select a class window and click Next.

  7. Type a new user name into the Value field and click Next and Finish.

    The new user object has been created.

  8. Right-click the new user and select Reset Password.

    The Reset Password dialog box appears.

  9. Set your new password, confirm the password, and click OK.

  10. Right-click the new user and select Properties.

    The User Properties dialog box appears.

  11. Select msDS-UserAccountDisabled from the list in the Attributes window and click Edit.

    The Boolean Attribute Editor dialog box appears.

  12. If the True value is currently selected, select False and then click OK.

    The Boolean Attribute Editor dialog box disappears.

  13. Click OK to close the User Properties dialog box.

  14. Go to the CN=Administrators Properties window by expanding the CN=Roles node.

  15. Right-click CN=Administrators to expand this node before selecting Properties.

    The CN=Administrators Properties window appears.

  16. Select member from the list in the Attributes window and click Edit.

    The Multi-valued Distinguished Name With Security Principal Editor dialog box appears.

  17. Click Add ADAM Account.

    The Add ADAM Account dialog box appears.

  18. Type your Distinguished Name (DN) and click OK.

  19. Click OK until you close all the remaining windows.

    Note: You should leave the ADAM default settings in the member attribute. By default, ADAM adds the Administrators role in this location. These default entries should not be removed.

Steps to Enable ADAM Anonymous Binds
  1. Launch ADAM from the Start menu by clicking Programs, ADAM.

    The Connection Settings dialog box appears.

  2. Type your new connection name in the Connection name field, ADAM server name in the Server name field, and port number in the Port field.

  3. Click the Well-known naming context radio button and select Configuration from the drop-down menu.

  4. Click OK.

  5. Go to the CN=Directory Service Properties window by expanding the CN=Directory Services nodes.

  6. Select Properties.

    The CN=Directory Service Properties window appears.

  7. Select dSHeuristics from the list in the Attributes window and click Edit.

    The String Attribute Editor dialog box appears.

  8. Type 0000002001001 in the Value field and click OK.
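The following decoder is an added example, not part of the original guide: it shows which security-relevant dSHeuristics positions the value typed in step 8 turns on, compared with an unset attribute. The position meanings follow Microsoft's published description of the attribute and are an assumption of this example, as are the function names.

```python
# Added example: decode the security-relevant positions of a dSHeuristics value.
# Position meanings follow Microsoft's published description of the attribute;
# they are an assumption of this example and are not listed in this guide.

def char_at(value, position):
    """Character at a 1-based position; '0' (the default) if the string is shorter."""
    return value[position - 1] if len(value) >= position else "0"

def decode_dsheuristics(value):
    """Return the flags this example checks for a dSHeuristics string."""
    value = (value or "").strip()
    return {
        # Position 7 set to '2' permits anonymous LDAP operations.
        "anonymous_operations_allowed": char_at(value, 7) == "2",
        # Position 13 (ADAM/AD LDS): non-zero is treated here as permitting
        # password operations over a connection that is not secured.
        "password_ops_without_secure_connection": char_at(value, 13) != "0",
        # Positions 10 and 20 are length markers and must be '1' and '2'.
        "length_markers_valid": all(
            len(value) < pos or value[pos - 1] == str(pos // 10)
            for pos in (10, 20)
        ),
    }

def newly_enabled(before, after):
    """Flags that are off in `before` and on in `after`."""
    old, new = decode_dsheuristics(before), decode_dsheuristics(after)
    return sorted(
        name for name in new
        if name != "length_markers_valid" and new[name] and not old[name]
    )

GUIDE_VALUE = "0000002001001"   # value typed in step 8 above
UNSET_VALUE = ""                # constructed: attribute not set

if __name__ == "__main__":
    for name, state in decode_dsheuristics(GUIDE_VALUE).items():
        print(f"{name}: {state}")
    print("enabled by this step:", newly_enabled(UNSET_VALUE, GUIDE_VALUE))
```

Running the same decoder against the value read back from CN=Directory Service confirms that only the intended positions are set.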

Steps to Add Authenticated Users to the Administrators Group
  1. Launch ADAM from the Start menu by clicking Programs, ADAM.

    The Connection Settings dialog box appears.

  2. Type your new connection name in the Connection name field, ADAM server name in the Server name field, and port number in the Port field.

  3. Click the Well-known naming context radio button and select Configuration from the drop-down menu.

  4. Click OK.

  5. Go to the CN=Administrators Properties window by expanding the CN=Administrators node.

  6. Select Properties.

    The CN=Administrators Properties window appears.

  7. Select member from the list in the Attributes window and click Edit.

    The Multi-valued Distinguished Name With Security Principal Editor dialog box appears.

  8. Click Add Windows Account.

    The Select Users or Groups window appears.

  9. Click Locations and then select your local host name from the menu.

  10. Click OK before clicking Advanced.

    The Advanced window appears.

  11. Click Find Now and click Authenticated Users.

  12. Click OK until all the open windows are closed.

Note: Microsoft has a patch (838342) that will remove the requirement that authenticated users be added to the Administrators role. Eliminating this requirement is important as most companies will want to either create an IBM Cognos Admin account or designate an existing account. This patch must be obtained from Microsoft: it is not distributed directly to IBM Cognos customers.

Steps to Configure ADAM Using Configuration Manager
  1. Start Configuration Manager.

  2. In the Welcome dialog box, click the Start tab.

  3. Click Open the Current Configuration.

    The Configuration Manager opens.

  4. In the Explorer window, expand the Services component and then expand Access Manager - Directory Server.

  5. Click the General category.

  6. Select ADAM from the list of Server Types.

  7. Set Yes for Are you sure you want to configure this directory server?

  8. Ensure that the Computer property contains the correct location of the directory server.

    Change other properties as required.

  9. Set the Unrestricted User Distinguished Name (DN) and Unrestricted User Password with the user you added when you specified ADAM as a directory server.

  10. Select General in the Explorer window.

  11. Click Apply Selection from the Actions menu.