Configuring Windows Active Directory for platform authentication

If you are running Integrated Analytics System (IAS) Version 1.0.6 or later, you can set up authentication through Microsoft Windows Active Directory to enable your Active Directory users to log in to the IAS platform.

Before you begin

Before configuring authentication through Active Directory in the appliance, prepare the following information:
Windows Active Directory attributes
All Active Directory users who need to access IAS must have the following attributes set in the Active Directory server:
  • objectclass: posixAccount
  • uid: username
  • uidNumber: user id number (must be greater than 1000)
  • gidNumber: group id number
  • loginShell: /bin/bash
  • unixHomeDirectory: /home/username
Host of the Active Directory server and port
For example: myadserver.com and 389 (389 is the port for plain LDAP and for STARTTLS; 636 is the port for LDAPS)
Important: Make sure that the host of the Active Directory server is pingable from all IAS nodes and that the LDAP port you chose is reachable from them; a successful ping does not prove that the port is open.
Search base Distinguished Name (DN) of the Active Directory domain
This is the domain name written as LDAP domain components. For example, for the domain myadserver.org.com the DN is dc=myadserver,dc=org,dc=com
Bind user information
The user ID and password of a domain account that can read all user and group objects under the search base. For example: myuseradmin and myadminpasswd. Use a dedicated, read-only service account for this; the account only needs read access, so do not use a domain administrator.

In addition, decide how the appliance connects to the Active Directory server. The utility's SSL method can be none (plain LDAP, usually port 389), ldaps (TLS from the start of the connection, usually port 636) or starttls (the plain LDAP port, upgraded to TLS after the connection is opened). If you choose ldaps or starttls, fetch the certificate of the CA that issued the Active Directory server's certificate; the appliance uses it to verify the server's identity when it sets up the TLS session. For example: myca-cert.pem. With the none method, the LDAP traffic between the appliance and the server is unencrypted, so a simple bind sends the bind password in cleartext.

Procedure

  1. Log in to the first (node0101) or second (node0102) node of IAS as apuser or as another member of the ibmapadmin OS group.
  2. If you are using the SSL method ldaps or starttls, use the scp command to copy the CA certificate from your external machine to the /tmp directory of the appliance (for example, as /tmp/myca-cert.pem).
  3. If you are using the default SSL method none (no encryption), run the ap_external_ldap.pl utility with the following arguments:
    ap_external_ldap.pl enable
       --host myadserver.com --port 389 --ldap-type ad --search-base-dn "dc=myldaporg,dc=com"
       --searcher-dn "myuseradmin" --searcher-password "myadminpasswd"
    If you want to use the SSL method ldaps, run the utility with the following arguments. Make sure that you specify the LDAPS port of your server in the port option (for example: 636):
    ap_external_ldap.pl enable
       --host myadserver.com --port 636 --ldap-type ad --search-base-dn "dc=myldaporg,dc=com"
       --searcher-dn "myuseradmin" --searcher-password "myadminpasswd"
       --ssl-method ldaps --ca-cert /tmp/myca-cert.pem
    If you want to use the SSL method starttls, run the utility with the following arguments. Make sure that you specify the plain LDAP port of your server in the port option (for example: 389); the connection is upgraded to TLS after it is opened:
    ap_external_ldap.pl enable
       --host myadserver.com --port 389 --ldap-type ad --search-base-dn "dc=myldaporg,dc=com"
       --searcher-dn "myuseradmin" --searcher-password "myadminpasswd"
       --ssl-method starttls --ca-cert /tmp/myca-cert.pem
    Note: The bind password is passed on the command line, so it is visible in the process list of the node while the utility runs and is recorded in your shell history. Remove the command from your shell history afterwards (for example, with history -c in bash), and change the bind password if you suspect that it was exposed.
  4. After the command completes successfully, verify the configuration with the id command.
    For example, if user1 is a user in your directory, the following command returns the UID, GID and group membership of that user. The UID must be the uidNumber (greater than 1000) that you set in Active Directory:
    id user1
  5. Before any user from your Active Directory server can log in to IAS, the user must be added to one of the OS groups of the appliance (if not already a member):
    ap_external_ldap.pl usermod --group ibmapadmin|ibmapusers|none username
    For example, to add a user named myaduser to the local OS group ibmapadmin, run the following command:
    ap_external_ldap.pl usermod --group ibmapadmin myaduser
    Because members of ibmapadmin can run this procedure (see step 1), add users to ibmapadmin only if they need to administer the appliance; place other users in ibmapusers.
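    The following shell script is an added example and is not IBM's code or part of the ap_external_ldap.pl utility. enable_ad_auth wraps the enable command from step 3, refuses the method/port/CA-certificate combinations that cannot work, and takes the bind password from an environment variable or a no-echo prompt instead of your command line, so that the password does not end up in your shell history (the utility itself still receives it as an argument). check_posix_entry checks a resolved user, as returned by getent passwd, against the attribute requirements listed under "Before you begin", which is what the id check in step 4 relies on. The variable names AP_BIND_PASSWORD and DRY_RUN, the function names, and the sample passwd lines in the usage comments are assumptions of this example, not options or data of the utility.

```shell
#!/bin/sh
# Added example, not IBM's code. enable_ad_auth wraps the appliance's
# ap_external_ldap.pl enable command with the method/port/CA-cert checks
# from step 3 and takes the bind password from AP_BIND_PASSWORD or a
# hidden prompt. check_posix_entry verifies a resolved user against the
# attribute requirements in "Before you begin". AP_BIND_PASSWORD, DRY_RUN
# and the function names are assumptions of this example.

# Usage: enable_ad_auth HOST PORT METHOD CA_CERT BASE_DN BIND_DN
# METHOD is none, ldaps or starttls; CA_CERT is ignored for none.
# With DRY_RUN=1 the argument list is printed one per line (password
# masked) instead of being executed.
enable_ad_auth() {
  host=$1 port=$2 method=$3 cacert=$4 base_dn=$5 bind_dn=$6

  case $method in
    none)
      if [ "$port" = 636 ]; then
        echo "none: 636 is the LDAPS port; use 389 or choose ldaps" >&2; return 1
      fi ;;
    ldaps|starttls)
      if [ ! -r "$cacert" ]; then
        echo "$method: CA certificate '$cacert' is not readable" >&2; return 1
      fi
      if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$cacert"; then
        echo "$method: '$cacert' is not a PEM certificate" >&2; return 1
      fi
      if [ "$method" = ldaps ] && [ "$port" = 389 ]; then
        echo "ldaps: 389 is the plain LDAP port; use 636" >&2; return 1
      fi
      if [ "$method" = starttls ] && [ "$port" = 636 ]; then
        echo "starttls: 636 is the LDAPS port; use 389" >&2; return 1
      fi ;;
    *) echo "unknown --ssl-method '$method' (none, ldaps or starttls)" >&2; return 1 ;;
  esac

  # Bind password: from the environment, or a no-echo prompt on a terminal.
  password=${AP_BIND_PASSWORD:-}
  if [ -z "$password" ]; then
    [ -t 0 ] || { echo "set AP_BIND_PASSWORD when not on a terminal" >&2; return 1; }
    printf 'Bind password for %s: ' "$bind_dn" >&2
    stty -echo; read -r password; stty echo; echo >&2
  fi

  set -- ap_external_ldap.pl enable --host "$host" --port "$port" --ldap-type ad \
    --search-base-dn "$base_dn" --searcher-dn "$bind_dn" --searcher-password "$password"
  if [ "$method" != none ]; then
    set -- "$@" --ssl-method "$method" --ca-cert "$cacert"
  fi

  if [ "${DRY_RUN:-0}" = 1 ]; then
    prev=
    for arg in "$@"; do
      if [ "$prev" = --searcher-password ]; then echo '********'; else printf '%s\n' "$arg"; fi
      prev=$arg
    done
  else
    "$@"   # the utility still receives the password as an argument
  fi
}

# Check one passwd-format entry (what getent passwd returns once the
# appliance resolves the user from AD) against the required attributes:
# uidNumber > 1000, numeric gidNumber, loginShell /bin/bash and
# unixHomeDirectory /home/<uid>. Prints the first violation on stderr.
# Example of a passing entry (constructed): myaduser:x:1001:1001::/home/myaduser:/bin/bash
check_posix_entry() {
  entry=$1
  if [ -z "$entry" ]; then
    echo "no passwd entry: is the user missing the posixAccount attributes?" >&2; return 1
  fi
  name=$(printf '%s' "$entry" | cut -d: -f1)
  uid=$(printf '%s' "$entry" | cut -d: -f3)
  gid=$(printf '%s' "$entry" | cut -d: -f4)
  home=$(printf '%s' "$entry" | cut -d: -f6)
  shell=$(printf '%s' "$entry" | cut -d: -f7)
  case $uid in ''|*[!0-9]*) echo "$name: uidNumber '$uid' is not numeric" >&2; return 1 ;; esac
  if [ "$uid" -le 1000 ]; then
    echo "$name: uidNumber $uid must be greater than 1000" >&2; return 1
  fi
  case $gid in ''|*[!0-9]*) echo "$name: gidNumber '$gid' is not numeric" >&2; return 1 ;; esac
  if [ "$shell" != /bin/bash ]; then
    echo "$name: loginShell is '$shell', not /bin/bash" >&2; return 1
  fi
  if [ "$home" != "/home/$name" ]; then
    echo "$name: unixHomeDirectory is '$home', not /home/$name" >&2; return 1
  fi
}

# Step 4 check for a real user on the appliance, for example: verify_ad_user user1
verify_ad_user() {
  check_posix_entry "$(getent passwd "$1")"
}
```

    On the appliance, source the script, run DRY_RUN=1 enable_ad_auth ... first to see the exact argument list the utility will receive, then run it without DRY_RUN; afterwards run verify_ad_user for one or two directory users before adding them to the OS groups in step 5. The checks are deliberately conservative: a server that serves LDAPS on a non-standard port would need the 389/636 tests adjusted.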

Results

Integrated Analytics System is now configured to use your organization's Active Directory server. Every directory user that you added to an appliance OS group in step 5 can log in to any node of the appliance using SSH. You can now remove the CA certificate that you may have uploaded to the /tmp directory of IAS.