Changing from operating system to LDAP authentication
You can configure IBM Spectrum Control to communicate with an external LDAP repository, for example IBM® Tivoli® Directory Server or Microsoft Active Directory. This makes IBM Spectrum Control available to a larger set of users and groups, and lets you log in to IBM Spectrum Control with one set of credentials.
Before you begin
When you change the authentication configuration, IBM Spectrum Control becomes available to users and groups in other repositories.
Procedure
- Back up the ldapregistry.xml file in the installation_dir/wlp/usr/servers/webServer/registry/ directory.
- Log on as an administrator to the IBM Spectrum Control GUI.
- Click Settings > User Management.
- Click Edit Authentication.
- On the Authentication Configuration page, select LDAP.
- Click Download Files.
- Save and extract the ldapExamples.zip file to the computer where you run your browser.
- Use the information in the extracted files to edit the XML template file for your vendor. For example, if your LDAP server is IBM Tivoli Directory Server, edit the IBMDirectoryServer.xml file; if your LDAP server is Microsoft Active Directory, edit the ActiveDirectoryServerDefault.xml file. Edit the following parameters:
- id
  The unique identifier for the LDAP repository, which identifies the repository in the realm, for example, LDAP1.
- host
  The host name of the primary LDAP server, either its IP address or its computer name in the domain name system (DNS).
- sslEnabled
  Indicates whether SSL is used to connect to the LDAP server.
  Important: If you set this parameter to true and set the port parameter to the LDAP server's secure communications port, IBM Spectrum Control downloads the SSL certificate from the LDAP server when you upload the edited XML template file and adds it to the Web server keystore. You must then restart the Web server.
- port
  The port number for the LDAP server. By default, the port number for secure communication is 636, and for non-secure communication is 389.
  Tip: Depending on the configuration of your LDAP server, you can specify a different port number.
- baseDN
  The baseDN (distinguished name) is the starting point for searches for users in the LDAP directory server. For example, if you have a DN value of cn=John Doe,ou=rochester,o=ibm,c=us, you can specify the LDAP base entry as any of the following options:
  - ou=rochester,o=ibm,c=us
  - o=ibm,c=us
  - c=us
  Important: The DN value that you enter in this field must be extensive enough to include all of the groups to which the users belong. For example, if a user in ou=rochester,o=ibm,c=us is also a member of groups that are in ou=stategroups,o=ibm,c=us, enter o=ibm,c=us.
  If you want to set multiple baseDN parameters for your LDAP authentication configuration, you must create a separate <ldapRegistry> entry in the XML template file for each unique baseDN parameter. For example:

    <server description="IBM Web Server">
        <!-- In an XML attribute value, the & that starts an LDAP AND filter must be written as &amp; -->
        <ldapRegistry activedFilters="active_dir_server1" baseDN="ou=Marketing,dc=storage,dc=ibm,dc=com"
            bindDN="cn=Administrator,cn=users,dc=storage,dc=ibm,dc=com" bindPassword="password"
            host="ldap.storage.ibm.com" id="LDAP1" ignoreCase="true" ldapType="Microsoft Active Directory"
            port="389" realm="TPCRealm" sslEnabled="false"/>
        <activedLdapFilterProperties groupFilter="(&amp;(cn=%v)(objectcategory=group))" groupIdMap="*:cn"
            groupMemberIdMap="memberof:member" id="active_dir_server1"
            userFilter="(&amp;(sAMAccountName=%v)(objectcategory=user))" userIdMap="user:sAMAccountName"/>
        <ldapRegistry activedFilters="active_dir_server2" baseDN="ou=Sales,dc=storage,dc=ibm,dc=com"
            bindDN="cn=Administrator,cn=users,dc=storage,dc=ibm,dc=com" bindPassword="password"
            host="ldap.storage.ibm.com" id="LDAP2" ignoreCase="true" ldapType="Microsoft Active Directory"
            port="389" realm="TPCRealm" sslEnabled="false"/>
        <activedLdapFilterProperties groupFilter="(&amp;(cn=%v)(objectcategory=group))" groupIdMap="*:cn"
            groupMemberIdMap="memberof:member" id="active_dir_server2"
            userFilter="(&amp;(sAMAccountName=%v)(objectcategory=user))" userIdMap="user:sAMAccountName"/>
        <ldapRegistry activedFilters="active_dir_server3" baseDN="ou=Management,dc=storage,dc=ibm,dc=com"
            bindDN="cn=Administrator,cn=users,dc=storage,dc=ibm,dc=com" bindPassword="password"
            host="ldap.storage.ibm.com" id="LDAP3" ignoreCase="true" ldapType="Microsoft Active Directory"
            port="389" realm="TPCRealm" sslEnabled="false"/>
        <activedLdapFilterProperties groupFilter="(&amp;(cn=%v)(objectcategory=group))" groupIdMap="*:cn"
            groupMemberIdMap="memberof:member" id="active_dir_server3"
            userFilter="(&amp;(sAMAccountName=%v)(objectcategory=user))" userIdMap="user:sAMAccountName"/>
        <federatedRepository>
            <primaryRealm allowOpIfRepoDown="true" name="TPCRealm">
                <participatingBaseEntry name="ou=Marketing,dc=storage,dc=ibm,dc=com"/>
                <participatingBaseEntry name="ou=Sales,dc=storage,dc=ibm,dc=com"/>
                <participatingBaseEntry name="ou=Management,dc=storage,dc=ibm,dc=com"/>
                <!-- The next two entries must NOT be changed -->
                <participatingBaseEntry name="o=TPCRealm"/>
                <participatingBaseEntry name="o=OSRealm"/>
            </primaryRealm>
        </federatedRepository>
    </server>

  The preceding example contains the following information:
  - Each <ldapRegistry> entry contains identical values for the host, port, sslEnabled, bindDN, and bindPassword parameters.
  - Each <ldapRegistry> entry contains a unique value for the baseDN and id parameters.
  - Each <ldapRegistry> entry references its own unique <activedLdapFilterProperties> entry.
  - The <federatedRepository> entry contains multiple <participatingBaseEntry> entries, each matching one of the baseDN values in the <ldapRegistry> sections.
- bindDN
  The distinguished name that WebSphere Application Server Liberty uses when it binds to the LDAP repository. If no name is specified, WebSphere Application Server Liberty binds anonymously to the LDAP repository. In most cases, the bindDN and bindPassword values are required. However, when an anonymous bind satisfies all of the required functions, the bindDN and bindPassword values can be left blank except for the double quotes, which must have no spaces between them. For example:
    bindDN="" bindPassword=""
  If you are not sure whether an anonymous bind satisfies the required functions, contact your LDAP server administrator.
  Attention: No single value for the bindDN parameter is correct for every Active Directory server or for every LDAP server. The correct value for the bindDN parameter depends on the configuration of your Active Directory server or your LDAP server. If you are unsure about the correct value to use for the bindDN parameter, contact your LDAP server administrator.
  If you are using Active Directory as your LDAP repository and you know the user's sAMAccountName value but need the user's full distinguished name to use as the bindDN parameter, run the following command on the Active Directory machine, replacing Active_Directory_user's_samAccountName_value with that sAMAccountName:
    dsquery user -samid Active_Directory_user's_samAccountName_value
  Example:
    C:\Users\Administrator>dsquery user -samid SCAdministratorMSAD
    "CN=SCAdministratorMSAD,CN=Users,DC=vcloud101dc,DC=local"
  For more information about the dsquery command, see https://social.technet.microsoft.com/wiki/contents/articles/2195.active-directory-dsquery-commands.aspx?PageIndex=3
- bindPassword
  The password that WebSphere Application Server Liberty uses when it binds to the LDAP repository. If the bindPassword parameter is already encrypted in the XML file, enter only an LDAP user name and password to test the pending LDAP authentication configuration. After your LDAP credentials are validated, you must immediately map an LDAP group to an IBM Spectrum Control role in the GUI before you log out with your Local OS credentials.
  Note:
  - The password value can be provided as plain text or as an XOR-encoded representation.
  - To encrypt a password, use the securityUtility command. For example, run the following command:
      securityUtility encode mypassword
    For more information, refer to the WebSphere documentation at IBM WebSphere Liberty.
- participatingBaseEntry
  You must set this value to the same value as you set for the baseDN parameter, or the federation for the LDAP repository fails. For example, if you set the baseDN parameter to ou=rochester,o=ibm,c=us, you must set the participatingBaseEntry parameter to:
    <participatingBaseEntry name="ou=rochester, o=ibm, c=us" />
  Important: Do not change these participatingBaseEntry parameters in the XML template file:
    <participatingBaseEntry name="o=TPCRealm" />
    <participatingBaseEntry name="o=OSRealm" />
- Save the XML template file.
- On the Authentication Configuration page, click Browse.
- On the File Upload page, select the XML template file that you previously edited and click Open. The XML template file is then uploaded to the IBM Spectrum Control server.
- After IBM Spectrum Control downloads the SSL certificate from the LDAP server and adds it to the Web server keystore, click Restart Web Server.
  Note: While the Web server is restarting, do not refresh your browser or attempt to navigate to another part of the GUI.
- When the Web server is back online, on the LDAP Settings page, enter your LDAP user name, password, and group name, and click Save.
  Note: The user name must be a member of the group.
If your change from Local OS authentication to LDAP authentication is successful, you are logged out of the IBM Spectrum Control GUI. You can log in to the GUI using your LDAP credentials. You cannot log in to the GUI using your operating system credentials.
If your change from Local OS authentication to LDAP authentication is not successful, click Discard. After the confirmation, your previous Local OS authentication is restored and you are returned to the User Management page.
Tip: If you encounter any issues with the above procedure, see Configuring user authentication alternatives.
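The XML template edited in step 8 has several cross-references that are easy to get wrong by hand: every baseDN needs a matching participatingBaseEntry, every activedFilters value must point at an existing activedLdapFilterProperties id, and the o=TPCRealm and o=OSRealm entries must stay. The Python script below is an added example, not part of IBM's documentation or of IBM Spectrum Control. It parses a template in the shape shown above, reports those mismatches, and also flags a registry with sslEnabled="false" and a plain-text bindPassword, printing the {xor} form that securityUtility encode would produce for it. The sample XML, the function names, and the description of the {xor} encoding (each byte XORed with 0x5F, then base64) are the example's own assumptions; because that encoding is reversible obfuscation rather than encryption, the ldapregistry.xml file and its backup need the same file permissions you would give a plain-text password.

```python
import base64
import xml.etree.ElementTree as ET

# Entries the template says must never be changed.
FIXED_ENTRIES = {"o=TPCRealm", "o=OSRealm"}

# Constructed sample modelled on the multi-baseDN example in the text, with two
# deliberate defects for the checks to report: the ou=Sales baseDN has no
# participatingBaseEntry, and bindPassword is plain text.
SAMPLE_XML = """<server description="IBM Web Server">
  <ldapRegistry activedFilters="active_dir_server1"
      baseDN="ou=Marketing,dc=storage,dc=ibm,dc=com"
      bindDN="cn=Administrator,cn=users,dc=storage,dc=ibm,dc=com"
      bindPassword="password" host="ldap.storage.ibm.com" id="LDAP1"
      ignoreCase="true" ldapType="Microsoft Active Directory" port="389"
      realm="TPCRealm" sslEnabled="false"/>
  <activedLdapFilterProperties groupFilter="(&amp;(cn=%v)(objectcategory=group))"
      groupIdMap="*:cn" groupMemberIdMap="memberof:member" id="active_dir_server1"
      userFilter="(&amp;(sAMAccountName=%v)(objectcategory=user))"
      userIdMap="user:sAMAccountName"/>
  <ldapRegistry activedFilters="active_dir_server2"
      baseDN="ou=Sales,dc=storage,dc=ibm,dc=com"
      bindDN="cn=Administrator,cn=users,dc=storage,dc=ibm,dc=com"
      bindPassword="password" host="ldap.storage.ibm.com" id="LDAP2"
      ignoreCase="true" ldapType="Microsoft Active Directory" port="389"
      realm="TPCRealm" sslEnabled="false"/>
  <activedLdapFilterProperties groupFilter="(&amp;(cn=%v)(objectcategory=group))"
      groupIdMap="*:cn" groupMemberIdMap="memberof:member" id="active_dir_server2"
      userFilter="(&amp;(sAMAccountName=%v)(objectcategory=user))"
      userIdMap="user:sAMAccountName"/>
  <federatedRepository>
    <primaryRealm allowOpIfRepoDown="true" name="TPCRealm">
      <participatingBaseEntry name="ou=Marketing,dc=storage,dc=ibm,dc=com"/>
      <participatingBaseEntry name="o=TPCRealm"/>
      <participatingBaseEntry name="o=OSRealm"/>
    </primaryRealm>
  </federatedRepository>
</server>
"""


def normalize_dn(dn):
    # The text writes one DN both as "ou=rochester,o=ibm,c=us" and as
    # "ou=rochester, o=ibm, c=us", so whitespace around commas is dropped;
    # case is folded too (the check's own assumption).
    return ",".join(part.strip() for part in dn.split(",")).lower()


def xor_encode(password):
    # The {xor} form that "securityUtility encode" produces (assumed, widely
    # documented): every byte XORed with 0x5F ('_'), then base64. This is
    # reversible obfuscation, not encryption.
    raw = bytes(b ^ 0x5F for b in password.encode("utf-8"))
    return "{xor}" + base64.b64encode(raw).decode("ascii")


def check_ldap_registry(xml_text):
    """Return the list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []
    filter_ids = {f.get("id") for f in root.findall("activedLdapFilterProperties")}
    participating = {normalize_dn(p.get("name", "")) for p in
                     root.findall("federatedRepository/primaryRealm/participatingBaseEntry")}
    fixed = {normalize_dn(dn) for dn in FIXED_ENTRIES}
    for dn in sorted(fixed - participating):
        findings.append(f"federatedRepository: fixed participatingBaseEntry {dn} is missing")
    seen_ids, seen_base_dns = set(), set()
    for reg in root.findall("ldapRegistry"):
        rid = reg.get("id", "<no id>")
        if rid in seen_ids:
            findings.append(f"{rid}: id is not unique")
        seen_ids.add(rid)
        base_dn = normalize_dn(reg.get("baseDN", ""))
        if base_dn in seen_base_dns:
            findings.append(f"{rid}: baseDN {base_dn} is already used by another ldapRegistry")
        seen_base_dns.add(base_dn)
        if base_dn not in participating:
            findings.append(f"{rid}: baseDN {base_dn} has no matching participatingBaseEntry, "
                            "so federation of this repository fails")
        filters = reg.get("activedFilters")
        if filters and filters not in filter_ids:
            findings.append(f"{rid}: activedFilters={filters} references no activedLdapFilterProperties entry")
        if reg.get("sslEnabled", "false").lower() != "true":
            findings.append(f"{rid}: sslEnabled is false, so the bind credentials cross the network in clear text")
        password = reg.get("bindPassword", "")
        if password and not password.startswith("{"):
            findings.append(f"{rid}: bindPassword is plain text; securityUtility encode "
                            f"would give {xor_encode(password)}")
    for dn in sorted(participating - seen_base_dns - fixed):
        findings.append(f"federatedRepository: participatingBaseEntry {dn} matches no ldapRegistry baseDN")
    return findings


if __name__ == "__main__":
    for finding in check_ldap_registry(SAMPLE_XML):
        print(finding)
```

Run it against the edited template before you upload it in step 10; an empty list means the structural checks passed. The script never contacts the LDAP server, so a wrong bindDN or bindPassword only shows up when you test the configuration on the LDAP Settings page.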