Configuring UMS to connect with LDAP
Learn how to change the UMS configuration file so that UMS connects to your LDAP or LDAPS identity provider.
Before you begin
- Prepare the LDAP identity provider service. To learn more about how to set up LDAP for IBM RPA, see Installing and configuring LDAP.
- Prepare your IBM RPA server environment. To use this service, you must create the UMS database.
- You must have installed the IBM RPA server. See Install the server for details.
Procedure
- In Windows Explorer, go to the C:\ProgramData\IBM Robotic Process Automation\servers\umsServer\configDropins\overrides directory.
- Open the openLDAPFedrated.xml file.
- Change the following attributes to match your LDAP user registry:
  - host: the hostname or IP address of your LDAP server. Use the Fully Qualified Domain Name (FQDN) of the LDAP server; if you later switch to LDAPS, this name must match the name in the server certificate.
  - baseDN: the base distinguished name (DN) of your directory, that is, the entry under which your organization's LDAP entries are located. Every searchBase that you configure must be at or below this DN.
  - bindDN: the DN of the manager account that UMS uses to bind to the LDAP server, for example cn=Manager,dc=rpa,dc=ibm,dc=com. A read-only account that can search the user and group subtrees is enough; do not use the directory administrator account.
  - bindPassword: the password of the bind account. Store it encoded rather than in plain text: run securityUtility encode (as shown in the LDAPS section) and paste its output. Encoding only obscures the value, so also restrict the file's permissions to the UMS service account.
  - <searchBase></searchBase>: in the searchBase tags of each ldapEntityType, enter the DN of the subtree that holds that kind of entry. For PersonAccount, you must specify where the users are located. For example, if the users belong to an organizationalUnit called rpausers, enter the DN that points to this organizationalUnit, such as ou=rpausers,dc=rpa,dc=ibm,dc=com. All users in the server must inherit from the inetOrgPerson object class, and they must have the displayName, uid, and userPassword attributes.
The following sample configuration files show a complete ldapRegistry element for OpenLDAP and for Active Directory:
OpenLDAP
```xml
<server>
    <featureManager>
        <feature>ldapRegistry-3.0</feature>
        <feature>appSecurity-2.0</feature>
    </featureManager>
    <!-- bindPassword is shown in plain text for readability; in a real file store the
         output of securityUtility encode and restrict file permissions to the service account -->
    <ldapRegistry id="customId" ldapType="Custom"
        host="rpa.ibm.com" port="389" ignoreCase="true"
        baseDN="dc=rpa,dc=ibm,dc=com"
        bindDN="cn=admin,dc=rpa,dc=ibm,dc=com"
        bindPassword="rpaadmin" >
        <loginProperty name="mail" />
        <loginProperty name="uid" />
        <groupProperties>
            <memberAttribute name="uniqueMember" objectClass="groupOfUniqueNames" scope="all" />
        </groupProperties>
        <ldapEntityType name="PersonAccount">
            <objectClass>inetOrgPerson</objectClass>
            <!-- searchBase must be at or below baseDN -->
            <searchBase>ou=rpausers,dc=rpa,dc=ibm,dc=com</searchBase>
        </ldapEntityType>
        <ldapEntityType name="Group">
            <!-- the group object class must be the one named in memberAttribute above -->
            <objectClass>groupOfUniqueNames</objectClass>
            <searchBase>ou=rpagroups,dc=rpa,dc=ibm,dc=com</searchBase>
        </ldapEntityType>
        <attributeConfiguration>
            <!-- <attribute name="userPassword" propertyName="password" entityType="PersonAccount" defaultValue="xyz123" /> -->
            <!-- <attribute name="mail" propertyName="mail" syntax="String" entityType="PersonAccount" /> -->
            <attribute name="displayName" propertyName="cn" syntax="String" entityType="PersonAccount" />
        </attributeConfiguration>
    </ldapRegistry>
</server>
```
Active Directory
```xml
<server>
    <featureManager>
        <feature>ldapRegistry-3.0</feature>
        <feature>appSecurity-2.0</feature>
    </featureManager>
    <ldapRegistry id="customId" realm="SampleLdapADRealm"
        host="rpa.ibm.com" port="389" ignoreCase="true"
        baseDN="dc=rpa,dc=ibm,dc=com"
        bindDN="cn=Manager,dc=rpa,dc=ibm,dc=com"
        bindPassword="rpapassw0rd"
        ldapType="Microsoft Active Directory">
        <!-- "&" must be written as "&amp;" inside an XML attribute; the user filter
             accepts either the account name or the mail address as the login value -->
        <activedFilters
            userFilter="(&amp;(|(sAMAccountName=%v)(mail=%v))(objectcategory=user))"
            groupFilter="(&amp;(cn=%v)(objectcategory=group))"
            userIdMap="user:sAMAccountName"
            groupIdMap="*:cn"
            groupMemberIdMap="memberOf:member">
        </activedFilters>
        <groupProperties>
            <!-- Active Directory groups list their direct members in the member attribute of objectClass group -->
            <memberAttribute name="member" objectClass="group" scope="direct" />
        </groupProperties>
        <ldapEntityType name="PersonAccount">
            <objectClass>user</objectClass>
            <!-- searchBase must be at or below baseDN -->
            <searchBase>dc=rpa,dc=ibm,dc=com</searchBase>
        </ldapEntityType>
        <ldapEntityType name="Group">
            <objectClass>group</objectClass>
            <searchBase>dc=rpa,dc=ibm,dc=com</searchBase>
        </ldapEntityType>
        <attributeConfiguration>
            <attribute name="displayName" propertyName="cn" syntax="String" entityType="PersonAccount" />
        </attributeConfiguration>
    </ldapRegistry>
</server>
```
User has no email in Active Directory
If your users have no mail attribute in Active Directory, you can use the user account name (sAMAccountName) instead of the email address to log in.
Follow these steps to enable this behaviour:
- Under the attributeConfiguration tag of your ldapRegistry element, add the attribute mapping that substitutes the account name for the email property.
- In SQL Server, switch to the automation database:
```sql
USE [automation]
GO
```
- Find the users that you want to update by running the following query, and note the Id of each one:
```sql
SELECT * FROM [dbo].[User]
```
- Run the following statement in SQL Server for each user that you want to update:
```sql
DECLARE @username nvarchar(max) = 'your_samaccountname';

UPDATE [dbo].[User]
SET [Email] = @username,
    [UserName] = @username,
    [NormalizedUserName] = UPPER(@username),
    [NormalizedEmail] = UPPER(@username)
WHERE [Id] = 'your_user_id';
```
Replace your_samaccountname with the value of the sAMAccountName, and your_user_id with the Id of the user in the database. Back up the automation database before you change it, and never drop the WHERE clause: without it the statement rewrites every user in the table.
Configuring a secured LDAP connection (LDAPS)
If your LDAP server requires a secured connection (LDAPS, by default on port 636), follow these steps so that UMS trusts the server certificate and connects over TLS:
- Open PowerShell.
- Extract the certificate chain that the LDAPS server presents, replacing YOUR_LDAP_HOST with the hostname of your LDAP server. keytool is the Java key tool; run it from a JDK or JRE on your PATH. Write the output as ASCII: in Windows PowerShell 5.1 the > operator writes UTF-16, which keytool cannot read back.
```powershell
keytool -printcert -sslServer YOUR_LDAP_HOST:636 -rfc | Out-File -Encoding ascii ldap_cert.pem
```
  The first certificate in the output is the server certificate itself. A trust store that holds only that certificate stops working when the certificate is renewed, so where your organization has an issuing CA, import the CA certificate from the chain instead.
- Convert the extracted certificate to a PKCS12 trust store, replacing YOUR_LDAP_STORE_PASSWORD with a password of your choice for the store:
```powershell
keytool -importcert -keystore ldap_cert.p12 -storetype PKCS12 -storepass YOUR_LDAP_STORE_PASSWORD -alias ldap -file ldap_cert.pem -noprompt
```
- Move the generated ldap_cert.p12 file to C:\ProgramData\IBM Robotic Process Automation\servers\umsServer\resources\security. A relative keyStore location is resolved against this directory.
- Open the C:\ProgramData\IBM Robotic Process Automation\servers\umsServer\configDropins\overrides\openLdapFedrated.xml file and configure your LDAP registry to use SSL as described in the following steps.
- Encode the store password, replacing YOUR_LDAP_STORE_PASSWORD with the password you chose when you created the PKCS12 store. In PowerShell, a quoted path must be invoked with the call operator &:
```powershell
& "C:\Program Files\IBM Robotic Process Automation\ums\wlp\bin\securityUtility.bat" encode YOUR_LDAP_STORE_PASSWORD
```
- Add the keyStore element, replacing YOUR_LDAP_STORE_PASSWORD_ENCODED with the string printed by securityUtility:
```xml
<keyStore id="ldapTruststore" password="YOUR_LDAP_STORE_PASSWORD_ENCODED" location="ldap_cert.p12" />
```
- Add the ssl element. It pins the protocol to TLS 1.2 and to ECDHE cipher suites with AES-GCM, and it uses the new store only for trust (trustStoreRef); the server's own identity stays in defaultKeyStore:
```xml
<ssl id="ldapSSLConfig" sslProtocol="TLSv1.2" enabledCiphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" keyStoreRef="defaultKeyStore" trustStoreRef="ldapTruststore" />
```
- Enable SSL in your ldapRegistry element and point it at port 636:
```xml
<ldapRegistry sslEnabled="true" sslRef="ldapSSLConfig" host="YOUR_LDAP_HOST" port="636">
```
- Your openLdapFedrated.xml file should look like this:
```xml
<server>
    <featureManager>
        <feature>ldapRegistry-3.0</feature>
    </featureManager>
    <keyStore id="ldapTruststore" password="YOUR_LDAP_STORE_PASSWORD_ENCODED" location="ldap_cert.p12" />
    <ssl id="ldapSSLConfig" sslProtocol="TLSv1.2" enabledCiphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" keyStoreRef="defaultKeyStore" trustStoreRef="ldapTruststore" />
    <ldapRegistry (…) sslEnabled="true" sslRef="ldapSSLConfig" host="YOUR_LDAP_HOST" port="636">
        <!-- Rest of the configuration file -->
    </ldapRegistry>
</server>
```
- Restart the umsServer service.
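Before restarting umsServer it pays to check the finished dropin for the mistakes that cost the most time: a plain-text bindPassword, a searchBase that is not under baseDN, an LDAPS registry whose sslRef or trustStoreRef points at nothing, and an Active Directory filter whose parentheses are misplaced. The checker below covers both the attribute procedure at the top of this page and the LDAPS wiring of this section, and it goes slightly beyond the page by validating filter syntax with a small RFC 4515 parser. It is an added example written for this page, not IBM RPA or Liberty code; the sample dropin, the host ldap.example.com and the {xor} value are constructed.

```python
"""Pre-flight checks for a Liberty ldapRegistry dropin such as openLdapFedrated.xml.

Constructed example for this page; not part of IBM RPA or Liberty.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample of an LDAPS dropin that contains the three mistakes the checks
# report: a plain-text bindPassword, a searchBase outside baseDN, and a userFilter
# whose parentheses are misplaced. "&" must be written as "&amp;" inside XML attributes.
SAMPLE_XML = """<server>
  <featureManager><feature>ldapRegistry-3.0</feature></featureManager>
  <keyStore id="ldapTruststore" password="{xor}Lz4sLCgwLTs=" location="ldap_cert.p12" />
  <ssl id="ldapSSLConfig" sslProtocol="TLSv1.2"
       keyStoreRef="defaultKeyStore" trustStoreRef="ldapTruststore" />
  <ldapRegistry id="customId" ldapType="Microsoft Active Directory"
      host="ldap.example.com" port="636" sslEnabled="true" sslRef="ldapSSLConfig"
      baseDN="dc=rpa,dc=ibm,dc=com"
      bindDN="cn=Manager,dc=rpa,dc=ibm,dc=com" bindPassword="rpapassw0rd">
    <activedFilters userFilter="(&amp;)|((sAMAccountName=%v)(mail=%v))(objectcategory=user)"
                    groupFilter="(&amp;(cn=%v)(objectcategory=group))" />
    <ldapEntityType name="PersonAccount">
      <objectClass>user</objectClass>
      <searchBase>DC=ibmrpa,DC=intra</searchBase>
    </ldapEntityType>
  </ldapRegistry>
</server>"""

# The same dropin with the three problems fixed (the {xor} value is illustrative only).
FIXED_XML = (SAMPLE_XML
             .replace('bindPassword="rpapassw0rd"', 'bindPassword="{xor}Lz4sLCgwLTs="')
             .replace("DC=ibmrpa,DC=intra", "ou=rpausers,dc=rpa,dc=ibm,dc=com")
             .replace("(&amp;)|((sAMAccountName=%v)(mail=%v))(objectcategory=user)",
                      "(&amp;(|(sAMAccountName=%v)(mail=%v))(objectcategory=user))"))

ENCODED_PREFIXES = ("{xor}", "{aes}")   # prefixes that securityUtility encode produces
_ITEM = re.compile(r"[A-Za-z0-9.;:-]+(=|~=|>=|<=)[^()]*")  # attr, operator, value; no nested parens


def _parse_filter(s, i):
    """Consume one RFC 4515 filter starting at s[i]; return the index after its ')'."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i >= len(s):
        raise ValueError("unterminated filter")
    if s[i] in "&|":                       # AND / OR: zero or more nested filters
        i += 1
        while i < len(s) and s[i] == "(":
            i = _parse_filter(s, i)
    elif s[i] == "!":                      # NOT: exactly one nested filter
        i = _parse_filter(s, i + 1)
    else:                                  # simple item such as sAMAccountName=%v
        m = _ITEM.match(s, i)
        if not m:
            raise ValueError("malformed item at offset %d" % i)
        i = m.end()
    if i >= len(s) or s[i] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return i + 1


def ldap_filter_is_valid(flt):
    """True only if the whole string is exactly one well-formed filter."""
    try:
        return _parse_filter(flt, 0) == len(flt)
    except ValueError:
        return False


def _norm_dn(dn):
    """Case-fold and strip spaces around RDN separators (escaped commas are not handled)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def check_registry(xml_text):
    """Return a list of findings for every ldapRegistry element in the dropin."""
    findings = []
    root = ET.fromstring(xml_text)
    keystores = {k.get("id") for k in root.iter("keyStore")}
    ssl_cfgs = {s.get("id"): s for s in root.iter("ssl")}
    for reg in root.iter("ldapRegistry"):
        rid = reg.get("id", "?")
        pw = reg.get("bindPassword", "")
        if pw and not pw.startswith(ENCODED_PREFIXES):
            findings.append("%s: bindPassword is plain text; use securityUtility encode" % rid)
        base = _norm_dn(reg.get("baseDN", ""))
        for et in reg.iter("ldapEntityType"):
            for sb in et.iter("searchBase"):
                n = _norm_dn(sb.text or "")
                if not base or not (n == base or n.endswith("," + base)):
                    findings.append("%s: searchBase %s of %s is outside baseDN %s"
                                    % (rid, sb.text, et.get("name"), reg.get("baseDN")))
        ssl_on = reg.get("sslEnabled", "false").lower() == "true"
        if not ssl_on:
            findings.append("%s: %s:%s is plain LDAP; bind and user passwords cross the network in clear text"
                            % (rid, reg.get("host"), reg.get("port", "389")))
        else:
            cfg = ssl_cfgs.get(reg.get("sslRef"))
            if cfg is None:
                findings.append("%s: sslRef %r matches no ssl element" % (rid, reg.get("sslRef")))
            else:
                proto = cfg.get("sslProtocol")
                if proto and proto not in ("TLSv1.2", "TLSv1.3", "TLSv1.2,TLSv1.3"):
                    findings.append("%s: sslProtocol %s is weaker than TLSv1.2" % (rid, proto))
                if cfg.get("trustStoreRef") not in keystores:
                    findings.append("%s: trustStoreRef %r matches no keyStore element"
                                    % (rid, cfg.get("trustStoreRef")))
        for af in reg.iter("activedFilters"):
            for name in ("userFilter", "groupFilter"):
                val = af.get(name)
                if val is None:
                    continue
                if not ldap_filter_is_valid(val):
                    findings.append("%s: %s is not a well-formed LDAP filter: %s" % (rid, name, val))
                elif "%v" not in val:
                    findings.append("%s: %s never uses the %%v login value" % (rid, name))
    return findings


if __name__ == "__main__":
    for line in check_registry(SAMPLE_XML):
        print(line)
```

Run it against the real file with check_registry(open(path).read()); an empty list means the dropin passed every check. The plain-LDAP finding is advisory: a registry on port 389 without sslEnabled is reported even when that is intended, because the bind password and every user's password then cross the network unencrypted.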
What to do next
After the configuration, you are ready to import your LDAP users. For more information, see Managing LDAP users.