Configuring UMS to connect with LDAP

Learn how to change the UMS configuration file so that UMS connects to your LDAP or LDAPS identity provider.

Before you begin

  1. Prepare the LDAP identity provider service. To learn more about how to set up LDAP for IBM RPA, see Installing and configuring LDAP.
  2. Prepare your IBM RPA server environment. To use this service, you must create the UMS database.
  3. You must have installed the IBM RPA server. See Install the server for details.

Procedure

  1. In Windows Explorer, go to the C:\ProgramData\IBM Robotic Process Automation\servers\umsServer\configDropins\overrides directory.
  2. Open the openLDAPFedrated.xml file.
  3. Change the following attributes to match your custom LDAP user registry:
    • host
      Enter the hostname or IP address of your LDAP server. The hostname is the Fully Qualified Domain Name (FQDN) of the LDAP server.

    • baseDN
      Enter the base DN (distinguished name) of your LDAP server. The base DN is the top entry under which your organization's LDAP entries are configured.

    • bindDN
      Enter the manager user that you created to manage the LDAP server. For example, cn=Manager,dc=rpa,dc=ibm,dc=com.

    • bindPassword
      Enter the password that you created for the Manager user.

    • <searchBase></searchBase>
      In the searchBase tags, insert the DNs of the entries of your LDAP server under which each entity type is searched. For example, for PersonAccount, you must specify in which group the users are located.

      In this case, if the users belong to an organizationalUnit called rpausers, you must enter the DN that points to this organizationalUnit, such as ou=rpausers,dc=rpa,dc=ibm,dc=com.

      All the users in the server must inherit from the inetOrgPerson object class, and they must have the displayName, uid, and userPassword attributes.

The following sample configuration files show an OpenLDAP registry and an Active Directory registry:

OpenLDAP

<server>

    <featureManager>
        <feature>ldapRegistry-3.0</feature>
        <feature>appSecurity-2.0</feature>
    </featureManager>

    <!-- bindPassword is shown in clear text for readability. Store the value produced by
         securityUtility encode instead (see the LDAPS section) and restrict access to this file. -->
    <ldapRegistry id="customId" ldapType="Custom"
        host="rpa.ibm.com" port="389" ignoreCase="true"
        baseDN="dc=rpa,dc=ibm,dc=com"
        bindDN="cn=admin,dc=rpa,dc=ibm,dc=com"
        bindPassword="rpaadmin" >

        <loginProperty name="mail" />
        <loginProperty name="uid" />

        <groupProperties>
            <memberAttribute name="uniqueMember" objectClass="groupOfUniqueNames" scope="all" />
        </groupProperties>

        <!-- Each searchBase must be an entry under baseDN. -->
        <ldapEntityType name="PersonAccount">
            <objectClass>inetOrgPerson</objectClass>
            <searchBase>ou=rpausers,dc=rpa,dc=ibm,dc=com</searchBase>
        </ldapEntityType>

        <ldapEntityType name="Group">
            <objectClass>organizationalGroup</objectClass>
            <searchBase>ou=rpagroups,dc=rpa,dc=ibm,dc=com</searchBase>
        </ldapEntityType>

        <attributeConfiguration>
            <!-- attribute name="userPassword" propertyName="password" entityType="PersonAccount" defaultValue="xyz123" / -->
            <!-- attribute name="mail" propertyName="mail" syntax="String" entityType="PersonAccount" / -->
            <attribute name="displayName" propertyName="cn" syntax="String" entityType="PersonAccount" />
        </attributeConfiguration>

    </ldapRegistry>

</server>

Active Directory

<server>

    <featureManager>
        <feature>ldapRegistry-3.0</feature>
        <feature>appSecurity-2.0</feature>
    </featureManager>

    <ldapRegistry id="customId" realm="SampleLdapADRealm"
        host="rpa.ibm.com" port="389" ignoreCase="true"
        baseDN="dc=rpa,dc=ibm,dc=com"
        bindDN="cn=Manager,dc=rpa,dc=ibm,dc=com"
        bindPassword="rpapassw0rd"
        ldapType="Microsoft Active Directory">

        <!-- The filters are LDAP search filters (RFC 4515). Each (&amp;...) and (|...) group is
             closed by its own parenthesis, and the ampersand must be written as &amp; in XML. -->
        <activedFilters
            userFilter="(&amp;(|(sAMAccountName=%v)(mail=%v))(objectcategory=user))"
            groupFilter="(&amp;(cn=%v)(objectcategory=group))"
            userIdMap="user:sAMAccountName"
            groupIdMap="*:cn"
            groupMemberIdMap="memberOf:member">
        </activedFilters>

        <groupProperties>
            <memberAttribute name="uniqueMember" objectClass="groupOfUniqueNames" scope="all" />
        </groupProperties>

        <ldapEntityType name="PersonAccount">
            <objectClass>user</objectClass>
            <searchBase>DC=ibmrpa,DC=intra</searchBase>
        </ldapEntityType>

        <ldapEntityType name="Group">
            <objectClass>group</objectClass>
            <searchBase>DC=ibmrpa,DC=intra</searchBase>
        </ldapEntityType>

        <attributeConfiguration>
            <attribute name="displayName" propertyName="cn" syntax="String" entityType="PersonAccount" />
        </attributeConfiguration>

    </ldapRegistry>

</server>
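
As an added check that is not part of the IBM RPA documentation or product, the following Python script parses an ldapRegistry override shaped like the samples above and reports the mistakes that matter for security: a clear-text bindPassword, a bind without SSL, a searchBase that does not sit under baseDN, and an activedFilters value that is not one well-formed LDAP filter (the constructed sample carries a misplaced parenthesis on purpose). The XML, hostname and credential values in SAMPLE are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the Active Directory override above; not the page's file.
# userFilter deliberately carries a misplaced parenthesis and searchBase lies outside baseDN.
SAMPLE = """<server>
  <ldapRegistry id="customId" ldapType="Microsoft Active Directory"
      host="rpa.example.com" port="389" baseDN="dc=rpa,dc=ibm,dc=com"
      bindDN="cn=Manager,dc=rpa,dc=ibm,dc=com" bindPassword="rpapassw0rd">
    <activedFilters userFilter="(&amp;)|((sAMAccountName=%v)(mail=%v))(objectcategory=user)"
                    groupFilter="(&amp;(cn=%v)(objectcategory=group))" />
    <ldapEntityType name="PersonAccount">
      <objectClass>user</objectClass>
      <searchBase>DC=ibmrpa,DC=intra</searchBase>
    </ldapEntityType>
  </ldapRegistry>
</server>"""

def is_single_filter(flt):
    """True when flt is one parenthesised LDAP filter whose nesting depth returns to 0 only at the end."""
    depth = 0
    for i, ch in enumerate(flt):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0 or (depth == 0 and i != len(flt) - 1):
                return False
    return depth == 0 and flt.startswith("(")

def check_registry(xml_text):
    """Return human-readable findings for one <ldapRegistry> override; an empty list means clean."""
    reg = ET.fromstring(xml_text).find("ldapRegistry")
    attrs = reg.attrib
    findings = []
    if not attrs.get("bindPassword", "").startswith(("{xor}", "{aes}")):
        findings.append("bindPassword is clear text; store the output of securityUtility encode instead")
    if attrs.get("sslEnabled", "false").lower() != "true":
        findings.append("sslEnabled is not true; the bind password crosses the network unencrypted")
    base = attrs.get("baseDN", "").replace(" ", "").lower()
    for sb in reg.iter("searchBase"):
        if not (sb.text or "").replace(" ", "").lower().endswith(base):
            findings.append(f"searchBase {sb.text} is not under baseDN {attrs.get('baseDN')}")
    filters = reg.find("activedFilters")
    for name in ("userFilter", "groupFilter"):
        if filters is not None and name in filters.attrib and not is_single_filter(filters.attrib[name]):
            findings.append(f"{name} is not one well-formed LDAP filter: {filters.attrib[name]}")
    return findings
```

Run it against a copy of your own override before restarting umsServer; an empty list means none of the four checks fired.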

User has no email in Active Directory

If your users have no email property in Active Directory, you can use the user account name instead of the email to log in.

Follow these steps to enable this property:

  1. Add the following configuration under the attributeConfiguration tag:

  2. For existing users, the IBM RPA database administrator must update the user information in the database. For more information on how to run queries in SQL Server, see Run Queries (Visual Database Tools): https://learn.microsoft.com/sql/ssms/visual-db-tools/run-queries-visual-database-tools?view=sql-server-ver16

  3. Enter the automation database:

    USE [automation]
    GO

  4. Find the users that you want to update by running the following query:

    SELECT * FROM [dbo].[User]

  5. Run the following query in SQL Server to update the existing user information for each user that you want to update:

    DECLARE @username nvarchar(max) = 'your_samaccountname'

    UPDATE [dbo].[User]
    SET [Email] = @username
      , [UserName] = @username
      , [NormalizedUserName] = UPPER(@username)
      , [NormalizedEmail] = UPPER(@username)
    WHERE Id = 'your_user_id'

    Replace your_samaccountname with the value of the sAMAccountName, and replace your_user_id with the ID of the user in the database.

Configuring a secured LDAP connection (LDAPS)

If you use a secured connection to LDAP on your server (LDAPS), follow these steps to configure UMS to connect to your LDAPS:

  1. Open PowerShell.

  2. Extract the certificate chain information for the LDAPS connection, replacing YOUR_LDAP_HOST with the hostname of your LDAP server:

    keytool -printcert -sslServer YOUR_LDAP_HOST:636 -rfc > ldap_cert.pem
    
  3. Convert the extracted chain to a PKCS12 store, replacing YOUR_LDAP_STORE_PASSWORD with a password of your choice for the key store:

    keytool -importcert -keystore ldap_cert.p12 -storetype PKCS12 -storepass YOUR_LDAP_STORE_PASSWORD -alias ldap -file ldap_cert.pem -noprompt
    
  4. Move the generated ldap_cert.p12 file to C:\ProgramData\IBM Robotic Process Automation\servers\umsServer\resources\security

  5. Open C:\ProgramData\IBM Robotic Process Automation\servers\umsServer\configDropins\overrides\openLdapFedrated.xml file and configure your LDAP registry to use SSL.

  6. Run the following command in PowerShell, replacing YOUR_LDAP_STORE_PASSWORD with the password chosen in step 3, to encode your password:

    "C:\Program Files\IBM Robotic Process Automation\ums\wlp\bin\securityUtility.bat" encode YOUR_LDAP_STORE_PASSWORD
    
  7. Add the keyStore element, replacing YOUR_LDAP_STORE_PASSWORD_ENCODED with the output of step 6:

    <keyStore id="ldapTruststore" password="YOUR_LDAP_STORE_PASSWORD_ENCODED" location="ldap_cert.p12" />
    
  8. Add the ssl element:

    <ssl  
        id="ldapSSLConfig"  
        sslProtocol="TLSv1.2"       
        enabledCiphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"  
        keyStoreRef="defaultKeyStore"       
        trustStoreRef="ldapTruststore" /> 
    
  9. Enable SSL in your ldapRegistry element, keeping the other attributes as they are:

    <ldapRegistry (…)
        sslEnabled="true"
        sslRef="ldapSSLConfig"
        host="YOUR_LDAP_HOST"
        port="636">
    
  10. Your openLdapFedrated.xml file should look like this:

    <server>
        <featureManager>
            <feature>ldapRegistry-3.0</feature>
        </featureManager>

        <keyStore id="ldapTruststore" password="YOUR_LDAP_STORE_PASSWORD_ENCODED" location="ldap_cert.p12" />

        <ssl
            id="ldapSSLConfig"
            sslProtocol="TLSv1.2"
            enabledCiphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
            keyStoreRef="defaultKeyStore"
            trustStoreRef="ldapTruststore" />

        <ldapRegistry (…)
            sslEnabled="true"
            sslRef="ldapSSLConfig"
            host="YOUR_LDAP_HOST"
            port="636">

            <!-- Rest of the configuration file -->
        </ldapRegistry>
    </server>
    
  11. Restart the umsServer service.
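
A typo in the references between keyStore, ssl and ldapRegistry is only discovered when umsServer fails to bind after the restart, so here is an added Python check (not part of IBM RPA or the documentation) that verifies the wiring of steps 7 to 9 on a constructed override: the sslRef and trustStoreRef must resolve, the protocol must be pinned to TLSv1.2 or TLSv1.3, the port must be 636, and the store password must be encoded. The hostname, DNs and {xor} values in OVERRIDE are placeholders, not real securityUtility output.

```python
import xml.etree.ElementTree as ET

# Constructed override modelled on the LDAPS sample above, not the page's file;
# the hostname, DNs and {xor} values are placeholders, not real securityUtility output.
OVERRIDE = """<server>
  <featureManager><feature>ldapRegistry-3.0</feature></featureManager>
  <keyStore id="ldapTruststore" password="{xor}PLACEHOLDER" location="ldap_cert.p12" />
  <ssl id="ldapSSLConfig" sslProtocol="TLSv1.2"
       enabledCiphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
       keyStoreRef="defaultKeyStore" trustStoreRef="ldapTruststore" />
  <ldapRegistry id="customId" host="ldap.example.com" port="636" sslEnabled="true"
       sslRef="ldapSSLConfig" baseDN="dc=example,dc=com"
       bindDN="cn=Manager,dc=example,dc=com" bindPassword="{xor}PLACEHOLDER" />
</server>"""

ACCEPTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

def check_ldaps(xml_text):
    """Return the wiring problems in an LDAPS override; an empty list means every reference resolves."""
    root = ET.fromstring(xml_text)
    problems = []
    keystores = {ks.get("id") for ks in root.iter("keyStore")}
    ssl_configs = {s.get("id"): s for s in root.iter("ssl")}
    for reg in root.iter("ldapRegistry"):
        if reg.get("sslEnabled", "false").lower() != "true":
            problems.append("ldapRegistry: sslEnabled is not true, so the ssl element is never used")
            continue
        if reg.get("port") != "636":
            problems.append(f"ldapRegistry: port {reg.get('port')} with sslEnabled; LDAPS normally listens on 636")
        ssl = ssl_configs.get(reg.get("sslRef"))
        if ssl is None:
            problems.append(f"ldapRegistry: sslRef {reg.get('sslRef')!r} matches no <ssl id>")
            continue
        if ssl.get("sslProtocol") not in ACCEPTED_PROTOCOLS:
            problems.append(f"ssl {ssl.get('id')}: sslProtocol {ssl.get('sslProtocol')!r} is not pinned to TLSv1.2 or TLSv1.3")
        if ssl.get("trustStoreRef") not in keystores:
            problems.append(f"ssl {ssl.get('id')}: trustStoreRef {ssl.get('trustStoreRef')!r} matches no <keyStore id>")
    for ks in root.iter("keyStore"):
        if not ks.get("password", "").startswith(("{xor}", "{aes}")):
            problems.append(f"keyStore {ks.get('id')}: password is not encoded with securityUtility encode")
    return problems
```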

What to do next

After the configuration, you are ready to import your LDAP users. For more information, see Managing LDAP users.