Configuring UMS to connect with LDAP

Learn how to change the UMS configuration file to connect with your LDAP or LDAPS identity provider.

Before you begin

  1. Prepare the LDAP identity provider service. To learn more about how to set up LDAP for IBM RPA, see Installing and configuring LDAP.
  2. Prepare your IBM RPA server environment. To use this service, you must create the UMS database.
  3. You must have installed the IBM RPA server. See Install the server for details.

Procedure

  1. In Windows Explorer, go to the C:\ProgramData\IBM Robotic Process Automation\servers\umsServer\configDropins\overrides directory.
  2. Open the openLdapFedrated.xml file.
  3. Change the following attributes to match your custom LDAP user registry:
    • host
      Enter the hostname or IP address of your LDAP server. The hostname is the Fully Qualified Domain Name (FQDN) of the LDAP server.

    • baseDN
      Enter the base distinguished name (DN) of your LDAP server, that is, the entry under which your organization's LDAP entries are stored. Every searchBase that you configure must be located under this DN.

    • bindDN
      Enter the DN of the manager user that you created to manage the LDAP server. For example, cn=Manager,dc=rpa,dc=ibm,dc=com.

    • bindPassword
      Enter the password that you created for the Manager user. To avoid storing it in clear text, you can run securityUtility.bat encode on the password, as in step 6 of the LDAPS procedure below, and paste the encoded output as the attribute value.

    • <searchBase></searchBase>
      In the searchBase tags of each ldapEntityType, insert the DN of the container that holds entries of that type. For example, for PersonAccount you must specify the container in which the users are located.

      In this case, if the users belong to an organizationalUnit called rpausers, enter the DN that points to this organizationalUnit, such as ou=rpausers,dc=rpa,dc=ibm,dc=com.

      All the users in the server must inherit from the inetOrgPerson object class, and they must have the displayName, uid, and userPassword attributes.

See the following sample configuration files for your type of LDAP server:

OpenLDAP

<server>

    <featureManager>
        <feature>ldapRegistry-3.0</feature>
        <feature>appSecurity-2.0</feature>
    </featureManager>

    <!-- bindPassword may hold the output of securityUtility.bat encode instead of clear text -->
    <ldapRegistry id="customId" ldapType="Custom"
        host="rpa.ibm.com" port="389" ignoreCase="true"
        baseDN="dc=rpa,dc=ibm,dc=com"
        bindDN="cn=admin,dc=rpa,dc=ibm,dc=com"
        bindPassword="rpaadmin" >

        <!-- Users may log in with either their mail or their uid -->
        <loginProperty name="mail" />
        <loginProperty name="uid" />

        <groupProperties>
            <memberAttribute name="uniqueMember" objectClass="groupOfUniqueNames" scope="all" />
        </groupProperties>

        <ldapEntityType name="PersonAccount">
            <objectClass>inetOrgPerson</objectClass>
            <searchBase>ou=rpausers,dc=rpa,dc=ibm,dc=com</searchBase>
        </ldapEntityType>

        <!-- The Group object class must be the one declared in memberAttribute above -->
        <ldapEntityType name="Group">
            <objectClass>groupOfUniqueNames</objectClass>
            <searchBase>ou=rpagroups,dc=rpa,dc=ibm,dc=com</searchBase>
        </ldapEntityType>

        <attributeConfiguration>
            <!-- <attribute name="userPassword" propertyName="password" entityType="PersonAccount" defaultValue="xyz123" /> -->
            <!-- <attribute name="mail" propertyName="mail" syntax="String" entityType="PersonAccount" /> -->
            <attribute name="displayName" propertyName="cn" syntax="String" entityType="PersonAccount" />
        </attributeConfiguration>

    </ldapRegistry>

</server>

Active Directory

<server>

    <featureManager>
        <feature>ldapRegistry-3.0</feature>
        <feature>appSecurity-2.0</feature>
    </featureManager>

    <ldapRegistry id="customId" realm="SampleLdapADRealm"
        host="rpa.ibm.com" port="389" ignoreCase="true"
        baseDN="dc=rpa,dc=ibm,dc=com"
        bindDN="cn=Manager,dc=rpa,dc=ibm,dc=com"
        bindPassword="rpapassw0rd"
        ldapType="Microsoft Active Directory">

        <!-- Users may log in with either sAMAccountName or mail; %v is replaced by the login name -->
        <activedFilters
            userFilter="(&amp;(|(sAMAccountName=%v)(mail=%v))(objectcategory=user))"
            groupFilter="(&amp;(cn=%v)(objectcategory=group))"
            userIdMap="user:sAMAccountName"
            groupIdMap="*:cn"
            groupMemberIdMap="memberOf:member" />

        <!-- Active Directory groups list their direct members in the member attribute -->
        <groupProperties>
            <memberAttribute name="member" objectClass="group" scope="direct" />
        </groupProperties>

        <!-- Both searchBase values must lie under baseDN -->
        <ldapEntityType name="PersonAccount">
            <objectClass>user</objectClass>
            <searchBase>dc=rpa,dc=ibm,dc=com</searchBase>
        </ldapEntityType>

        <ldapEntityType name="Group">
            <objectClass>group</objectClass>
            <searchBase>dc=rpa,dc=ibm,dc=com</searchBase>
        </ldapEntityType>

        <attributeConfiguration>
            <attribute name="displayName" propertyName="cn" syntax="String" entityType="PersonAccount" />
        </attributeConfiguration>

    </ldapRegistry>

</server>

Configuring a secured LDAP connection (LDAPS)

If you use a secured connection to LDAP on your server (LDAPS), follow these steps to configure UMS to connect to your LDAPS:

  1. Open PowerShell. The keytool command used in the next steps must be on your PATH; it is shipped with any JDK or JRE.

  2. Extract the certificate chain information for the LDAPS connection, replacing YOUR_LDAP_HOST with the hostname of your LDAP server:

    keytool -printcert -sslServer YOUR_LDAP_HOST:636 -rfc | Out-File -Encoding ascii ldap_cert.pem

    Use Out-File -Encoding ascii rather than the > operator: in Windows PowerShell, > writes the file in UTF-16, which keytool does not read as PEM in the next step. The command trusts whatever certificate the network returns, so before you import it, run the same command without -rfc and compare the fingerprint it prints with the one your LDAP administrator provides.

  3. Convert the extracted chain to a PKCS12 store, replacing YOUR_LDAP_STORE_PASSWORD with a password of your choice for the key store:

    keytool -importcert -keystore ldap_cert.p12 -storetype PKCS12 -storepass YOUR_LDAP_STORE_PASSWORD -alias ldap -file ldap_cert.pem -noprompt

    The store then holds the first certificate of the output, which is the LDAP server's own certificate, so UMS trusts exactly that certificate: repeat steps 2 to 4 whenever the LDAP server certificate is renewed, or import the issuing CA certificate from the chain under the alias instead.

  4. Move the generated ldap_cert.p12 file to C:\ProgramData\IBM Robotic Process Automation\servers\umsServer\resources\security

  5. Open the C:\ProgramData\IBM Robotic Process Automation\servers\umsServer\configDropins\overrides\openLdapFedrated.xml file and configure your LDAP registry to use SSL, as described in steps 7 to 9.

  6. Run the following command on PowerShell, replacing YOUR_LDAP_STORE_PASSWORD with the password chosen in step 3, to encode your password:

    "C:\Program Files\IBM Robotic Process Automation\ums\wlp\bin\securityUtility.bat" encode YOUR_LDAP_STORE_PASSWORD

  7. Add the keyStore element, replacing YOUR_LDAP_STORE_PASSWORD_ENCODED with the output of step 6. A relative location is resolved from the server's resources/security directory, which is where you moved the file in step 4:

    <keyStore id="ldapTruststore" password="YOUR_LDAP_STORE_PASSWORD_ENCODED" location="ldap_cert.p12" />
    
  8. Add the ssl element, which restricts the LDAP connection to TLS 1.2 with forward-secret AEAD cipher suites and uses the store from step 7 as its trust store:

    <ssl
        id="ldapSSLConfig"
        sslProtocol="TLSv1.2"
        enabledCiphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
        keyStoreRef="defaultKeyStore"
        trustStoreRef="ldapTruststore" />

  9. Enable SSL in your ldapRegistry element and change the port to 636:

    <ldapRegistry
        sslEnabled="true"
        sslRef="ldapSSLConfig"
        host="YOUR_LDAP_HOST"
        port="636">
    
  10. Your openLdapFedrated.xml file should look like this:

    <server>
        <featureManager>
            <feature>ldapRegistry-3.0</feature>
            <feature>appSecurity-2.0</feature>
        </featureManager>

        <keyStore id="ldapTruststore" password="YOUR_LDAP_STORE_PASSWORD_ENCODED" location="ldap_cert.p12" />

        <ssl
            id="ldapSSLConfig"
            sslProtocol="TLSv1.2"
            enabledCiphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
            keyStoreRef="defaultKeyStore"
            trustStoreRef="ldapTruststore" />

        <ldapRegistry (…)
            sslEnabled="true"
            sslRef="ldapSSLConfig"
            host="YOUR_LDAP_HOST"
            port="636">

            <!-- Rest of the configuration -->
        </ldapRegistry>
    </server>
    
  11. Restart the umsServer service so that the new configuration is loaded.
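Before restarting UMS, it is worth exercising the same values you entered in openLdapFedrated.xml from the command line. The following PowerShell function is an added example, not IBM RPA code or part of the page's procedure: it performs a simple bind with bindDN and bindPassword, searches searchBase for the PersonAccount object class, reports users that lack the attributes UMS needs, and, with -UseSsl, accepts only a server certificate whose SHA-256 fingerprint is in the ldap_cert.p12 you created above, so a mismatch between the trust store and what the LDAP server presents shows up here rather than as a failed UMS start. It uses only the .NET LDAP client shipped with Windows. The hostname, DNs and paths are taken from the samples above and are assumptions; the function name and its parameters are hypothetical.

```powershell
# Added example (not IBM RPA code): pre-flight check of the values in openLdapFedrated.xml.
# Host, DNs and paths are hypothetical values taken from the samples; replace them with yours.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-UmsLdapRegistry {
    param(
        [Parameter(Mandatory)] [string] $LdapHost,
        [int]      $Port = 389,
        [Parameter(Mandatory)] [string] $BindDN,
        [Parameter(Mandatory)] [string] $BindPassword,
        [Parameter(Mandatory)] [string] $SearchBase,
        [string]   $ObjectClass = 'inetOrgPerson',             # use 'user' for Active Directory
        [string[]] $RequiredAttributes = @('displayName', 'uid'),
        [switch]   $UseSsl,
        [string]   $TrustStorePath,                            # the ldap_cert.p12 from the LDAPS steps
        [string]   $TrustStorePassword                         # its plain (not encoded) password
    )

    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($LdapHost, $Port)
    $cred = [System.Net.NetworkCredential]::new($BindDN, $BindPassword)
    # AuthType.Basic is an LDAP simple bind, the same bindDN/bindPassword mechanism UMS uses.
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id, $cred,
                [System.DirectoryServices.Protocols.AuthType]::Basic)
    $conn.SessionOptions.ProtocolVersion = 3

    if ($UseSsl) {
        # Trust only the certificates in ldap_cert.p12, which is all UMS will trust after step 7.
        $trusted = [System.Security.Cryptography.X509Certificates.X509Certificate2Collection]::new()
        $trusted.Import($TrustStorePath, $TrustStorePassword,
            [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
        # SHA-256 fingerprints in the same "AA:BB:..." form that keytool -printcert prints
        $script:TrustedFingerprints = @($trusted | ForEach-Object {
            ([System.BitConverter]::ToString([System.Security.Cryptography.SHA256]::Create().ComputeHash($_.GetRawCertData()))) -replace '-', ':' })
        $conn.SessionOptions.SecureSocketLayer = $true
        $conn.SessionOptions.VerifyServerCertificate = {
            param($connection, $certificate)
            $fp = ([System.BitConverter]::ToString([System.Security.Cryptography.SHA256]::Create().ComputeHash($certificate.GetRawCertData()))) -replace '-', ':'
            $ok = $script:TrustedFingerprints -contains $fp
            Write-Host ("Server presented {0}`n  SHA256: {1}`n  {2}" -f $certificate.Subject, $fp,
                $(if ($ok) { 'present in ldap_cert.p12' } else { 'NOT in ldap_cert.p12: UMS would reject this server' }))
            return $ok
        }
    }

    try {
        $conn.Bind()    # a wrong bindDN or bindPassword raises LdapException (invalid credentials) here
        Write-Host "Bind as $BindDN succeeded"

        $request = [System.DirectoryServices.Protocols.SearchRequest]::new(
            $SearchBase, "(objectClass=$ObjectClass)",
            [System.DirectoryServices.Protocols.SearchScope]::Subtree, $RequiredAttributes)
        $response = $conn.SendRequest($request)   # a wrong searchBase raises DirectoryOperationException here

        $bad = 0
        foreach ($entry in $response.Entries) {
            $missing = @($RequiredAttributes | Where-Object { -not $entry.Attributes.Contains($_) })
            if ($missing.Count -gt 0) {
                $bad++
                Write-Warning ("{0} is missing {1}" -f $entry.DistinguishedName, ($missing -join ', '))
            }
        }
        Write-Host ("{0} {1} entries under {2}, {3} of them not usable by UMS" -f
            $response.Entries.Count, $ObjectClass, $SearchBase, $bad)
        return ($response.Entries.Count -gt 0 -and $bad -eq 0)
    }
    finally {
        $conn.Dispose()
    }
}

# Plain LDAP, with the values of the OpenLDAP sample (passwords are prompted, not put on the command line):
Test-UmsLdapRegistry -LdapHost 'rpa.ibm.com' -BindDN 'cn=admin,dc=rpa,dc=ibm,dc=com' `
    -BindPassword (Read-Host 'bindPassword') -SearchBase 'ou=rpausers,dc=rpa,dc=ibm,dc=com'

# LDAPS, trusting only the store created in the LDAPS procedure:
Test-UmsLdapRegistry -LdapHost 'rpa.ibm.com' -Port 636 -UseSsl `
    -TrustStorePath 'C:\ProgramData\IBM Robotic Process Automation\servers\umsServer\resources\security\ldap_cert.p12' `
    -TrustStorePassword (Read-Host 'store password') -BindDN 'cn=admin,dc=rpa,dc=ibm,dc=com' `
    -BindPassword (Read-Host 'bindPassword') -SearchBase 'ou=rpausers,dc=rpa,dc=ibm,dc=com'
```

For Active Directory, call it with -ObjectClass user -RequiredAttributes sAMAccountName, displayName and the bindDN of the AD sample. The function does not check userPassword, because most directories return that attribute only to a bind with explicit read access to it, so its absence from the search result is not a configuration error.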

What to do next

After the configuration, you are ready to import your LDAP users. For more information, see Managing LDAP users.