If you are running Integrated Analytics System (IAS) Version 1.0.6 or later, you can set up authentication through Microsoft Windows Active Directory so that your Active Directory users can log in to the IAS platform.
Before you begin
Before configuring authentication through Active Directory in the appliance, prepare the following information:
- Windows Active Directory attributes
  All Active Directory users who need to access IAS must have the following attributes set in the Active Directory server:
  - objectclass: posixAccount
  - uid: username
  - uidNumber: user id number (must be greater than 1000)
  - gidNumber: group id number
  - loginShell: /bin/bash
  - unixHomeDirectory: /home/username
- Host of the Active Directory server and port
  For example: myadserver.com and 389
  Important: Make sure that the host of the Active Directory server is pingable from all IAS nodes.
- Distinguished Name/Domain Name (dn) of the Active Directory server
  For example: myadserver.org.com
- Bind User information
  The user id and password for the LDAP domain user that has access to query all user/group info.
  For example: myuseradmin and myadminpasswd
In addition, you should decide whether to use SSL or TLS to connect to the Active Directory server. If any SSL method is chosen, fetch the CA-Certificate from your Active Directory server that is to be used by the appliance to encrypt communication with the server. For example: myca-cert.crt
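As an added preflight check (not part of the IAS documentation or of ap_external_ldap.pl), the POSIX shell function below tests a single Active Directory user entry against the attribute list above before you enable the integration. The ldapsearch invocation in the comment is an assumed way to obtain such an entry, and the two sample entries are constructed.

```shell
#!/bin/sh
# Added preflight check for the attribute requirements above; it is not part
# of IBM IAS or ap_external_ldap.pl. Feed it one user entry as produced by
# ldapsearch, e.g. (assumed invocation, adjust the base DN and bind user):
#   ldapsearch -x -H ldap://myadserver.com:389 -D myuseradmin -W \
#     -b "dc=myldaporg,dc=com" "(sAMAccountName=user1)"

# check_posix_entry RECORD: RECORD holds one LDIF-style entry, one
# "attribute: value" per line. Returns 0 when every attribute IAS requires
# is present, objectClass includes posixAccount and uidNumber exceeds 1000;
# otherwise prints each problem and returns 1. Attribute names are matched
# case-insensitively because AD returns them in its own casing.
check_posix_entry() {
    rec="$1"; rc=0
    for attr in uid uidNumber gidNumber loginShell unixHomeDirectory; do
        printf '%s\n' "$rec" | grep -qi "^$attr:" \
            || { echo "missing attribute: $attr"; rc=1; }
    done
    printf '%s\n' "$rec" | grep -qi '^objectClass: *posixAccount *$' \
        || { echo "missing objectClass: posixAccount"; rc=1; }
    # IAS requires uidNumber above 1000; the low range stays with local accounts.
    uidn=$(printf '%s\n' "$rec" \
        | awk -F': *' 'tolower($1) == "uidnumber" { print $2; exit }')
    case "$uidn" in
        ''|*[!0-9]*) echo "uidNumber is not numeric: '$uidn'"; rc=1 ;;
        *) [ "$uidn" -gt 1000 ] \
            || { echo "uidNumber $uidn must be greater than 1000"; rc=1; } ;;
    esac
    return "$rc"
}

# Constructed sample entries: one that meets the requirements and one that
# uses a low uidNumber and has no home directory attribute.
GOOD_USER='dn: CN=user1,CN=Users,DC=myldaporg,DC=com
objectClass: posixAccount
uid: user1
uidNumber: 10001
gidNumber: 10000
loginShell: /bin/bash
unixHomeDirectory: /home/user1'
BAD_USER='dn: CN=svc1,CN=Users,DC=myldaporg,DC=com
objectClass: posixAccount
uid: svc1
uidNumber: 500
gidNumber: 10000
loginShell: /bin/bash'

check_posix_entry "$GOOD_USER" && echo "user1: ready for IAS"
check_posix_entry "$BAD_USER" || echo "svc1: fix the attributes before enabling"
```

Running this for each account before the enable step catches entries that would otherwise only surface as a failing id command later; note also that --searcher-password is passed on the command line, so the bind password is visible in the shell history and process list while the utility runs.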
Procedure
- Log in to the first (node0101) or second (node0102) node of IAS as apuser or as another member of the ibmapadmin OS group.
- If you are using the SSL ldaps or starttls method, use the scp command to copy the CA-Certificate from your external machine into the appliance and keep it in the /tmp directory.
- Run the ap_external_ldap.pl utility with the arguments that match your SSL method:
  - If you are using the default SSL none method, run:
    ap_external_ldap.pl enable \
      --host myserver.com --port 389 --ldap-type ad --search-base-dn "dc=myldaporg,dc=com" \
      --searcher-dn "myuseradmin" --searcher-password "myadminpasswd"
  - If you want to use the SSL ldaps method, specify the SSL port of your LDAP server in the port option (for example: 636):
    ap_external_ldap.pl enable \
      --host myserver.com --port 636 --ldap-type ad --search-base-dn "dc=myldaporg,dc=com" \
      --searcher-dn "myuseradmin" --searcher-password "myadminpasswd" \
      --ssl-method ldaps --ca-cert /tmp/myca-cert.pem
  - If you want to use the SSL starttls method, specify the non-SSL port of your LDAP server in the port option (for example: 389):
    ap_external_ldap.pl enable \
      --host myserver.com --port 389 --ldap-type ad --search-base-dn "dc=myldaporg,dc=com" \
      --searcher-dn "myuseradmin" --searcher-password "myadminpasswd" \
      --ssl-method starttls --ca-cert /tmp/myca-cert.pem
- Once the command runs successfully, verify your setting by using the id command. For example, if user1 is a user ID from your LDAP database, the following command returns the ID and group info of this user successfully:
    id user1
- In order for any users from your Active Directory server to log in to IAS, the users from the directory need to be added to one of the OS groups of the appliance (if they were not already added to an OS group):
    ap_external_ldap.pl usermod --group ibmapadmin|ibmapusers|none username
  For example, to add a user named myaduser to the OS local group ibmapadmin, run the following command:
    ap_external_ldap.pl usermod --group ibmapadmin myaduser
Results
Integrated Analytics System is now configured to use your organization's Active Directory server. Any valid user of your directory can log in to any of the nodes of the appliance using SSH. You can now remove the certificate that you may have uploaded into the /tmp directory of IAS.