How to integrate CA SDM with LDAP

Configure LDAP Options
You can configure CA SDM to access LDAP directory data.
Follow these steps:
  1. Manually install the LDAP options using the Web Interface Options Manager.
    The options necessary for basic LDAP integration are identified as Required in the Description column of the option table below. Options identified as Optional add features that you can enable only after all the required options are installed. The values you specify when installing these options are written to the $NX_ROOT/NX.env file.
  2. Restart the CA SDM service.
    The changes take effect.
Manage LDAP Servers Using the LDAP Configuration Utility
You can use the LDAP configuration utility (pdm_ldap_config.pl) to manage multiple LDAP servers. You can perform the following tasks with it:
  • Add a new LDAP server.
  • Delete an LDAP server that you no longer want to use.
  • View LDAP server details.
  • Restart the LDAP virtual database.
In an advanced availability configuration, run the utility on the background server. After you add a new LDAP server, restart the CA SDM services on all the standby servers.
Follow these steps:
  1. (Optional) To specify the domain name of the default LDAP server, execute the following two commands:
    pdm_options_mgr -c -a pdm_option.inst -s LDAP_DOMAIN -v <Default_LDAP_DomainName>
    pdm_options_mgr -c -a pdm_option.inst -s LDAP_DOMAIN -v <Default_LDAP_DomainName> -t
    Configure the default LDAP server domain name in the following cases:
    • CA EEM server is configured with multiple Microsoft Active Directory domains.
    • Default LDAP server and any other LDAP server configured with CA SDM have the same user details.
    After the configuration is complete, the default LDAP users must log in to CA SDM in the format domain_name\userid.
  2. Open a command prompt and navigate to $NX_ROOT/bin.
  3. Run the following command:
    pdm_perl pdm_ldap_config.pl
  4. Based on the task that you want to perform, select the appropriate option.
The following table lists the LDAP options (Option, Default Value, Description):
ldap_domain
  Default value: (none)
  Required for configuring multiple LDAP servers. Specifies the domain name of the LDAP server.
default_ldap_tenant
  Default value: (none)
  Required for a multi-tenancy installation. Specifies the default tenant assignment for contacts imported from LDAP. You must use the tenant UUID as the Option Value. You can get the tenant UUID from a database query, for example "SELECT * FROM ca_tenant".
ldap_enable
  Default value: Yes
  Required. Enables LDAP integration with CA SDM.
ldap_host
  Default value: (none)
  Required. Specifies the LDAP server host name or IP address.
ldap_port
  Default value: 389
  Required. Specifies the LDAP server port number.
ldap_dn
  Default value: (none)
  Required. Specifies the distinguishedName that CA SDM binds with when it logs on to the LDAP server. Example: CN=Joe, CN=Users, DC=KLAND, DC=AD, DC=com. If the LDAP server supports anonymous binds, this value can be empty. Because synchronization is one-way (CA SDM never writes to the directory), a dedicated read-only service account is sufficient for this bind.
ldap_pwd
  Default value: (none)
  Required. Specifies the password for the ldap_dn account. If the LDAP server supports anonymous binds, this value can be empty. The value is stored in $NX_ROOT/NX.env, so restrict read access to that file.
ldap_search_base
  Default value: (none)
  Required. Specifies the starting point for searches in the LDAP directory tree:
  (UNIX) You must specify a starting container, for example CN=Users, DC=KLAND, DC=AD, DC=com.
  (Windows) You do not have to specify a container; you can start at the top of the tree, for example DC=KLAND, DC=AD, DC=com.
ldap_filter_prefix
  Default value: (&(objectClass=user)
  Specifies the prefix applied to the automatically generated filter when searching for LDAP users. This variable has been superseded by the ldap_user_object_class option. It is not available in Options Manager, but can be set manually in the NX.env file.
ldap_filter_suffix
  Default value: )
  Specifies the suffix applied to the automatically generated filter when searching for LDAP users. This variable has been superseded by the ldap_user_object_class option. It is not available in Options Manager, but can be set manually in the NX.env file.
ldap_user_object_class
  Default value: person
  Required. Specifies the value of the LDAP objectClass attribute applied to the automatically generated filter when searching for LDAP users.
ldap_enable_group
  Default value: Yes
  Optional. Enables CA SDM access type assignment based on LDAP group membership.
ldap_group_object_class
  Default value: group
  Required only if ldap_enable_group is installed. Specifies the value of the LDAP objectClass attribute applied to the automatically generated filter when searching for LDAP groups.
ldap_group_filter_prefix
  Default value: (&(objectClass=group)
  Specifies the prefix applied to the automatically generated filter when searching for LDAP groups. This variable has been superseded by the ldap_group_object_class option. It is not available in Options Manager, but can be set manually in the NX.env file.
ldap_group_filter_suffix
  Default value: )
  Specifies the suffix applied to the automatically generated filter when searching for LDAP groups. This variable has been superseded by the ldap_group_object_class option. It is not available in Options Manager, but can be set manually in the NX.env file.
ldap_enable_auto
  Default value: Yes
  Optional. Enables automatic creation of contact records from LDAP data.
ldap_sync_on_null
  Default value: Yes
  Optional. Overwrites existing CA SDM contact attributes with null data if the corresponding LDAP user attribute contains a null value.
ldap_service_type
  Default value: Active Directory
  Optional. Use this option if the CA SDM operating environment is Windows and the LDAP directory is not Active Directory (for example, eTrust or Novell). On a UNIX operating environment, the "Non AD" behaviour is used only if this option is not installed; if it is installed, the service type is set to Active Directory.
ldap_enable_tls
  Default value: No
  Optional. Specifies whether Transport Layer Security (TLS) is enabled during LDAP processing. Leave this at No only for testing: without TLS, the ldap_dn bind password and all directory data cross the network in clear text (see Transport Layer Security).
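As an added illustration (not CA SDM's own code), the following Python builds the filters these options describe: ldap_user_object_class, or the superseded ldap_filter_prefix/ldap_filter_suffix pair, wraps the criteria a user enters in the LDAP Directory Search fields. The field-to-attribute mapping (sn, givenName, initials, sAMAccountName) is taken from the ldap.maj excerpt in the Attribute Mapping section and the % wildcard from the search procedure; everything else, in particular that filter metacharacters are escaped this way, is an assumption. The point it demonstrates is that user-supplied search text must be escaped per RFC 4515 before it is spliced into the generated filter, otherwise a value such as *)(objectClass=* widens the search to every object in the search base.

```python
"""Generate the LDAP search filters the ldap_* options describe.

Added illustration, not CA SDM's own code.  Assumptions: the UI search fields
map to AD attributes as in the ldap.maj excerpt (sn, givenName, initials,
sAMAccountName), '%' is the UI's only wildcard, and user input is escaped per
RFC 4515 so it cannot change the structure of the generated filter.
"""

# RFC 4515 metacharacters and their escaped forms.  Backslash is handled first
# so the backslashes introduced by the other escapes are not re-escaped.
_ESCAPES = (("\\", "\\5c"), ("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\x00", "\\00"))

# Search field -> LDAP attribute (assumed from the ldap.maj mapping excerpt).
SEARCH_FIELD_ATTRS = {
    "last_name": "sn",
    "first_name": "givenName",
    "middle_name": "initials",
    "userid": "sAMAccountName",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so the directory matches it literally."""
    for raw, esc in _ESCAPES:
        value = value.replace(raw, esc)
    return value


def ui_pattern_to_ldap(value: str) -> str:
    """Turn 'b%' into 'b*': escape each literal piece, then join with LDAP's wildcard."""
    return "*".join(escape_filter_value(part) for part in value.split("%"))


def build_filter(object_class: str, criteria: dict, prefix: str = None, suffix: str = None) -> str:
    """Return the generated filter.

    object_class plays the role of ldap_user_object_class / ldap_group_object_class;
    prefix and suffix, when given, play the role of the superseded
    ldap_filter_prefix / ldap_filter_suffix (or their group equivalents).
    """
    if prefix is None:
        prefix = "(&(objectClass=" + escape_filter_value(object_class) + ")"
    if suffix is None:
        suffix = ")"
    clauses = []
    for field, attr in SEARCH_FIELD_ATTRS.items():
        value = criteria.get(field)
        if value:
            clauses.append("(" + attr + "=" + ui_pattern_to_ldap(value) + ")")
    # With no criteria the filter matches every object of the class, which is the
    # "retrieves all LDAP user records and may time out" case the verification
    # procedure warns about.
    return prefix + "".join(clauses) + suffix


if __name__ == "__main__":
    print(build_filter("person", {"last_name": "b%"}))
    print(build_filter("person", {"last_name": "*)(objectClass=*"}))
```

The second call in the usage block shows the hostile case: the parentheses and asterisks the user typed come out as \28, \29 and \2a, so the directory looks for a surname that literally contains them instead of evaluating an injected clause.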
Verify LDAP Integration
After you have installed the necessary LDAP options, CA SDM users can import LDAP data on a case-by-case basis, eliminating the need to fill in all the contact attribute fields manually.
To verify that you can search for and import LDAP records
  1. Select File, New Contact from LDAP on the Service Desk tab.
    The LDAP Directory Search window appears.
  2. Specify filter criteria, and then click Search. For example, you could enter b% in the Last Name field to retrieve a list of the LDAP user entries with last names that begin with the letter B.
    If your LDAP directory contains thousands of entries and you do not filter your search, your request attempts to retrieve all of the LDAP user records. This can cause the request to time out and return zero records.
    Search results matching your filter criteria are displayed.
  3. Select an entry.
    The Create New Contact window appears, populated with imported LDAP attribute values.
  4. Click Save.
    The contact record is created.
To verify that you can update a contact using LDAP data
Before performing this procedure, for test purposes you may want to use whatever LDAP editing tool you have available to change one or more attribute values in the entry you used for the previous procedure. You can verify that the contact is updated with the latest LDAP data.
  1. Select Search, Contacts on the Service Desk tab.
    The Contact Search window appears.
  2. Specify filter criteria to search for a contact that has a corresponding LDAP user entry. For example, you could search for the contact you created in the previous procedure.
    Search results matching your filter criteria are displayed.
  3. Select the contact you want to update with LDAP data.
    The Contact Detail page appears, populated with the CA SDM contact information.
  4. Click Edit.
    The Contact Update page appears.
  5. Click Merge LDAP.
    The LDAP Entry List page displays a list of any LDAP user entries that correspond with the selected CA SDM contact.
    To search the LDAP directory for other entries, you can click Show Filter, specify filter criteria, and then click Search.
    If your LDAP directory contains thousands of entries and you do not filter your search, your request attempts to retrieve all of the LDAP user records. This may cause the request to time out and return zero records.
  6. Click the LDAP entry of interest.
    The LDAP Detail page displays the attribute values for the selected entry. Verify that you have selected the correct entry for the contact you want to update, then click Close Window.
  7. On the LDAP Entry List page, right-click the entry that best matches the contact you want to update, and then select Merge into Contact.
    The Contact Update page reappears, populated with the current LDAP attribute values. If the LDAP data has changed since you created or last updated the contact, the changes are reflected in the contact attribute fields.
    If you have installed the ldap_sync_on_null option, and the LDAP entry contains null values for any attribute fields that correspond to contact attributes that currently contain values, the values in the contact record are overwritten with null values when you save the contact data.
  8. Click Save on the Contact Update page.
    The contact is updated with the corresponding LDAP data.
Create a Contact
A contact is a person who uses your system regularly, such as an analyst or customer. After you have created the business structure and groups, you create contacts and map them to their respective location and organization.
You can create contacts in any of the ways described in the following sections:
Create a Contact Using Data From LDAP
If your installation is configured to access a Lightweight Directory Access Protocol (LDAP) server such as Microsoft Windows Active Directory and has the necessary options installed, you can create and update contacts using data from the LDAP database. This method makes it easy to synchronize contacts with network user data.
Administrators can configure automated synchronization of contacts with LDAP data.
Follow these steps:
  1. Select File, New Contact from LDAP from the menu bar of the Service Desk tab.
    The LDAP Directory Search page appears.
  2. (Optional) Complete one or more of the following filter fields to limit the LDAP Entry list to the records of interest:
    • Last Name
      Specifies the last name of the user as it appears in the LDAP directory. For example, you could enter b% in the Last Name field to retrieve a list of the LDAP user entries with last names that begin with the letter B.
    • First Name
      Specifies the first name of the user as it appears in the LDAP directory.
    • Middle Name
      Specifies the middle name of the user as it appears in the LDAP directory.
    • User ID
      Specifies the user name for logging in to the system.
  3. Click Search.
    The LDAP Entry List page displays the records that match your search criteria.
    To see the information contained in an LDAP record without creating a contact, right-click the record of interest and select View. The LDAP Entry Detail page appears.
    All fields on the LDAP Entry Detail page are self-explanatory except for the following:
    • User ID
      Specifies the ID the user enters to log in to the system.
    • Distinguished Name
      Specifies the fully qualified LDAP login name. For example, CN=Joe, CN=Users, DC=KLAND, DC=AD, DC=com.
  4. Click the LDAP entry to create a contact.
    The Create New Contact page appears and is partially populated with LDAP information.
  5. Enter additional information as necessary.
  6. Click Save.
    The contact record is saved and the Contact Detail page appears. The following buttons are now available for configuring the contact:
    • Update Environment
      -- Displays the Configuration Item/Asset Search window for the contact or organization, where you can specify search criteria for the assets you want to consider. When you click Search, the Environment Update window is displayed, where you can add and remove assets for this contact or organization.
    • Update Groups
      -- Displays the Group Search window, where you can specify search criteria for the groups you want to consider for this contact. When you click Search, the Groups Update window is displayed, where you can add and remove groups for this contact.
Create a Contact Automatically
You can configure CA SDM to create a contact automatically from a corresponding LDAP user record whenever a new user logs in to CA SDM.
To enable this feature, install all of the required LDAP options plus the ldap_enable_auto option.
The contact record is automatically created as follows:
  1. If a user logging in to CA SDM does not yet have a contact record, but the user’s login name exists in an LDAP record, the LDAP data is automatically imported and a contact record is created.
  2. The automatically created contact record inherits the default access type security settings.
  3. The contact can then be assigned an access type explicitly, or the access type can be assigned based on the user’s membership in an LDAP Group.
This process is completely transparent to the user, appearing as any other login session.
Create Contacts Manually
If you do not want to use a directory service such as LDAP (for example, Active Directory) for your contact information, you can create the contacts manually in CA SDM.
If multi-tenancy is enabled, select the appropriate tenant from the drop-down list.
Follow these steps:
  1. Select File, New Contact from the menu bar on the Scoreboard.
    The Create New Contact window opens.
  2. Complete the contact fields.
  3. Click Save.
    The contact information is saved.
Contact Fields
Tenant
Specifies the tenant that is associated with the contact (for multi-tenancy installations).
Contact ID
Specifies a unique identifier for the contact. If the default user authentication is being used, the value in this field is used as the password when the user logs in. Because the identifier then doubles as the credential, do not rely on default authentication in production; use OS, CA EEM or LDAP authentication instead (see LDAP Authentication).
User ID
Specifies the user name of the contact. The contact uses this value to log in to the system.
Service Type
Specifies the level of support that is received by the contact.
Data Partition
Specifies the data partition for this contact. This value determines the records that this contact can access.
Access Type
Specifies the access type. The access type determines the system functions the contact can access.
Available
Indicates whether the contact is available for ticket assignments.
Confirm Self-Service Save
Indicates whether the contact receives a confirmation when saving a record from the self-service interface.
Analyst's Tenant Group
(Analyst Contact Type Only) Specifies the tenant group that the analyst is responsible for.
To configure the contact, use the following controls available on the tabs.
Notification
Defines the contact information and method for notifying the contact.
    • Select the notification method from the drop-down list (Email, Notification, Pager_Email, xMatters/Email, xMatters/Notification, and xMatters/Pager_Email) that you want to use for each message urgency level for this contact.
      CA SDM supports only one notification method at a time. If you are using Email, then you cannot use Notification at the same time. This applies to all out of the box notification methods like Email, Notification, Pager_Email, xMatters/Email, xMatters/Notification, and xMatters/Pager_Email.
      CA SDM Administrators must update the notification method manually in the contact details page if the xMatters and CA SDM integration is disabled. For more information, see Create a Notification Method and Options Manager, xMatters.
    • Select the workshift that is valid for each notification urgency level.
For example, you may assign a Regular workshift (five-day week, eight-hours a day) to the normal level notification, but a 24 hour workshift to the emergency level notification.
Address
Specifies the location of the contact.
Organizational Info
Specifies the functional or administrative organization, department, cost center, or vendor information of the contact.
Environment
Specifies the environment of the contact, such as equipment, software, and services.
Groups
Assigns a contact to a group (a collection of contacts with a common area of responsibility).
Roles
Assigns the contact to one or more roles.
Service Contracts
Displays any service contracts that have been associated with the contact.
Special Handling
Lists the special handling contacts and lets you search for and associate a contact to a special handling type, such as a visitor or security risk type.
Event Log
Lists events that are associated with the contact, such as self service and knowledge activities.
Activities
Lists the activity log for the contact.
Merge Contacts Using LDAP
You can synchronize existing contacts with the current LDAP data.
Follow these steps:
  1. Select Search, Contacts on the Scoreboard.
    The Contact Search page appears.
  2. Fill in the filter fields as desired (or leave all filter fields blank to see a listing of all contacts), then click Search.
    The Contact List page appears.
  3. Click the contact you want to edit.
    The contact's Detail page appears.
  4. Click Edit.
    The contact's Update page appears.
  5. Click Merge LDAP.
    The LDAP Entry List page appears. If the contact you are editing has a corresponding LDAP record, it appears on this page.
  6. Click the LDAP entry.
    The LDAP Detail page appears.
  7. Click Close Window after you have verified that the LDAP Detail page contains the data for the correct user.
  8. Right-click the entry on the LDAP Entry List page for the contact you are updating and select Merge Into Contact.
  9. Click Save on the contact's Update page.
Assign Access Type Using LDAP Groups
Assign Access Types values to contacts automatically with a Lightweight Directory Access Protocol (LDAP) server.
To enable this feature, install the ldap_enable_group and ldap_group_object_class options.
Follow these steps:
  1. Select Security and Role Management, Access Types on the Administrator tab.
  2. Select the Access Type you want to associate with an LDAP Group. For example, select Administration.
    If the ldap_enable_group option is installed, the LDAP Access Group field appears on the Web Authentication tab.
    If an LDAP Group is already associated with the selected Access Type, a link to the LDAP Group Detail appears. Click the link for a read-only description of the LDAP Group and a listing of its members.
  3. Click Edit on the Access Type Detail page to associate an Access Type with an LDAP Group.
  4. Click the LDAP Access Group link.
  5. (Optional) Enter filter criteria to limit the search to the LDAP groups of interest.
  6. Select the LDAP Group that you want to associate with this Access Type.
  7. Click Save.
    Association of the selected LDAP Group with the Access Type is complete.
Attribute Mapping
CA SDM contact record attribute values are synchronized with LDAP user attribute values based on the attribute mapping definitions in the $NX_ROOT/bopcfg/majic/ldap.maj file.
The following excerpt from ldap.maj illustrates mapping. Attribute names in the left column (id) are the CA SDM contact attribute names. The center column (distinguishedName) contains the corresponding LDAP attribute names.
id distinguishedName STRING 512 ;
last_name sn,pzLastName STRING ;
first_name givenName,pzFirstName STRING ;
middle_name initials,pzMiddleName STRING ;
userid uid,sAMAccountName,pzUserName STRING ;
phone_number telephoneNumber,pzWorkPhoneNumber STRING ;
If an SREL (a single relationship or foreign key in another database table) exists on CA SDM, the contact attribute value is synchronized with the corresponding LDAP value. If the SREL does not exist, it is not created automatically during LDAP synchronization processing.
By default, attribute mapping is configured for the Microsoft Active Directory LDAP schema. If necessary, you can change the mapping by using a mod file.
How to Modify Attribute Mapping
You can change the default attribute mapping.
To change the default attribute mapping, do the following steps:
  1. Navigate to $NX_ROOT/site/mods/majic and open the mod file.
  2. Use MODIFY statements in the mod file as follows.
    • MODIFY statements must always be stated first in the file.
    • Following the MODIFY statements, any additional fields that are not in the ldap.maj file should be stated using the syntax shown in the following example.
    • If you define a field that contains a hyphen character in the attribute name, you must enclose the name in single quotes; otherwise, when you build the mod file, the attribute fails with a syntax error. For example, the following attribute name must be enclosed in single quotes:
      c_nx_string1 'swsd-secret-question' STRING ;
  3. Save and close the mod file.
  4. Restart the CA SDM service.
    The web engine does not start if there is a discrepancy in the syntax or case.
    Your changes take effect.
Example: Use MODIFY Statements
The following example shows how to modify two existing fields and add a new field.
//
// Map CA SDM userid attribute to ADAM Userid
//
MODIFY ldap userid cn ;
MODIFY ldap middle_name middleName ;
OBJECT ldap LDAP {
    ATTRIBUTES LDAP_Entry {
        contact_num employeeNumber STRING ;
    };
} ;
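The following Python is an added illustration rather than CA SDM's own synchronization code. It parses the ldap.maj lines quoted above, applies the mod file from the example (MODIFY statements first, then an added attribute, including a quoted hyphenated name), and merges a constructed Active Directory entry into a contact record. It assumes that when a mapping lists several LDAP attribute names the first one present in the entry wins, and it shows what ldap_sync_on_null changes: with it installed, attributes the entry lacks are blanked instead of kept.

```python
"""Apply ldap.maj attribute mapping and a mod file to an LDAP entry.

Added illustration, not CA SDM's synchronization code.  It parses the mapping
lines quoted from ldap.maj, applies a mod file (MODIFY statements first, then
added attributes), and merges an LDAP entry into a contact record.
Assumptions: when a mapping lists several LDAP attributes
(uid,sAMAccountName,pzUserName) the first one present in the entry wins, and
ldap_sync_on_null decides whether a missing LDAP attribute blanks an existing
contact value.
"""
import re

# Excerpt from ldap.maj as quoted in the Attribute Mapping section.
LDAP_MAJ = """
id distinguishedName STRING 512 ;
last_name sn,pzLastName STRING ;
first_name givenName,pzFirstName STRING ;
middle_name initials,pzMiddleName STRING ;
userid uid,sAMAccountName,pzUserName STRING ;
phone_number telephoneNumber,pzWorkPhoneNumber STRING ;
"""

# Mod file from the MODIFY example, with one hyphenated (quoted) attribute added.
MOD_FILE = """
MODIFY ldap userid cn ;
MODIFY ldap middle_name middleName ;
OBJECT ldap LDAP {
    ATTRIBUTES LDAP_Entry {
        contact_num employeeNumber STRING ;
        c_nx_string1 'swsd-secret-question' STRING ;
    };
} ;
"""

# Constructed AD-style entry for the demonstration; not data from any real directory.
SAMPLE_ENTRY = {
    "distinguishedName": "CN=Joe,CN=Users,DC=KLAND,DC=AD,DC=com",
    "sn": "Bloggs",
    "givenName": "Joe",
    "cn": "joe.bloggs",
    "sAMAccountName": "jbloggs",
    "employeeNumber": "E1234",
    # no initials/middleName and no telephoneNumber: exercises ldap_sync_on_null
}

# Existing contact record before the merge (constructed).
EXISTING_CONTACT = {"userid": "jbloggs", "middle_name": "Q", "phone_number": "555-0100"}

_ATTR_LINE = re.compile(r"^\s*(\w+)\s+('[^']+'|[\w,]+)\s+STRING(?:\s+\d+)?\s*;\s*$")
_MODIFY_LINE = re.compile(r"^\s*MODIFY\s+ldap\s+(\w+)\s+('[^']+'|[\w,]+)\s*;\s*$")


def _ldap_names(token: str) -> list:
    """Split 'uid,sAMAccountName' (or a quoted hyphenated name) into a list."""
    return token.strip("'").split(",")


def parse_mapping(text: str) -> dict:
    """Return {contact_attr: [ldap_attr, ...]}; braces, comments and blank lines are skipped."""
    mapping = {}
    for line in text.splitlines():
        m = _ATTR_LINE.match(line)
        if m:
            mapping[m.group(1)] = _ldap_names(m.group(2))
    return mapping


def apply_mod_file(mapping: dict, mod_text: str) -> dict:
    """Apply MODIFY statements, then added attributes, enforcing the MODIFY-first rule."""
    result = dict(mapping)
    seen_added_attr = False
    for line in mod_text.splitlines():
        m = _MODIFY_LINE.match(line)
        if m:
            if seen_added_attr:
                raise ValueError("MODIFY statements must come before added attributes")
            if m.group(1) not in result:
                raise ValueError("MODIFY of unknown contact attribute " + m.group(1))
            result[m.group(1)] = _ldap_names(m.group(2))
            continue
        a = _ATTR_LINE.match(line)
        if a:
            seen_added_attr = True
            result[a.group(1)] = _ldap_names(a.group(2))
    return result


def sync_contact(contact: dict, entry: dict, mapping: dict, sync_on_null: bool) -> dict:
    """Merge LDAP values into a contact the way the Merge LDAP step describes.

    For each mapped contact attribute take the first listed LDAP attribute the
    entry carries.  If none is present, keep the contact's value unless
    ldap_sync_on_null is installed, in which case overwrite it with None.
    """
    updated = dict(contact)
    for contact_attr, ldap_attrs in mapping.items():
        value = next((entry[a] for a in ldap_attrs if entry.get(a) not in (None, "")), None)
        if value is not None:
            updated[contact_attr] = value
        elif sync_on_null:
            updated[contact_attr] = None
    return updated


if __name__ == "__main__":
    effective = apply_mod_file(parse_mapping(LDAP_MAJ), MOD_FILE)
    print(sync_contact(EXISTING_CONTACT, SAMPLE_ENTRY, effective, sync_on_null=False))
```

Running the usage block shows userid taken from cn (the MODIFY in effect) and contact_num filled from employeeNumber, while middle_name and phone_number keep their old values; pass sync_on_null=True and both are blanked, which is the behaviour the Merge LDAP procedure warns about.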
How CA SDM Uses LDAP Data to Communicate
Lightweight Directory Access Protocol (LDAP) is a network communications protocol for querying and modifying directory services running over a TCP/IP network. An LDAP directory is a tree structure that contains entries for managing users, groups, computers, printers, and other entities on a network.
CA SDM can be configured to access an LDAP directory, which allows you to use LDAP data in several ways:
  • Synchronize contacts with LDAP user records. Synchronization can occur in the following ways:
    • At login
       -- When a user logs in to the product, if an LDAP record exists for that user but a corresponding contact record does not exist, a contact record is automatically created based on the LDAP information.
    • New Contact
       -- When you manually create a contact record, you can select an LDAP record and merge its attribute values into the corresponding fields of the new contact record.
    • Batch Update
       -- You can run batch jobs to automate the processes of importing and updating contact records with information from the corresponding LDAP records.
      Synchronization with LDAP is a one-way process. The LDAP data can be used to create and update contacts, but the product does not support updates to the LDAP directory.
  • Assign CA SDM access types that are based on LDAP group membership.
  • Implement an alternative method of performing CA SDM authentication.
The ldap_virtdb component provides LDAP integration functionality on the following servers depending on your CA SDM configuration, regardless of operating system type:
  • Conventional: Primary or secondary server.
  • Advanced Availability: Background or application server.
The $NX_ROOT/bopcfg/majic/ldap.maj file specifies the mapping between LDAP attributes and contact record attributes.
CA SDM requires that LDAP records have a value in the last name attribute to support searching, viewing, and importing LDAP data.
CA SDM supports paged searching, which searches all records in your LDAP directory. Paged searching also enables you to import new contact records or sync existing contact records from any number of LDAP records. These capabilities are limited, however, if you are using Sun Java System Directory Server or Novell eDirectory because these LDAP servers do not support paged searching. In that case, you can only search, import, and sync with the number of LDAP records specified by NX_LDAP_MAX_FETCH. For more information about paged searching, see NX.env File.
Access Type Assignments From LDAP Groups
You can configure CA SDM to assign access type values to contacts automatically, based on LDAP group membership. With automatic access type assignment enabled, if an LDAP user record that was used to create a contact belongs to an LDAP group that is associated with one of the CA SDM access types, then the contact is automatically assigned that access type. Otherwise, the contact inherits the default access type.
To enable automatic access type assignment, you must install the ldap_enable_group and ldap_group_object_class options.
For more information, see Configure LDAP Options.
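As an added illustration (not CA SDM's own code), the following Python resolves an access type from group membership the way the paragraph above describes, with the default as fallback. It assumes membership is read from the user's memberOf attribute (which in Active Directory lists direct memberships only, so nested groups do not count), that the LDAP Access Group associations are keyed by group DN, and that DNs compare case-insensitively with whitespace after commas ignored; a user in two groups tied to different access types is reported as a configuration error rather than guessing which one CA SDM would apply.

```python
"""Resolve a contact's access type from LDAP group membership.

Added illustration, not CA SDM's own code.  Assumptions: membership comes from
the user's memberOf attribute (direct memberships only), associations are
keyed by group DN, DNs compare case-insensitively with whitespace after commas
ignored, and membership in two groups tied to different access types is a
configuration error rather than something to guess about.
"""


def normalize_dn(dn: str) -> str:
    """Canonical form for comparing DNs: lower-case, no spaces around commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def assign_access_type(member_of, group_to_access_type: dict, default_access_type: str) -> str:
    """Return the access type tied to one of the user's groups, else the default."""
    associations = {normalize_dn(group): access for group, access in group_to_access_type.items()}
    # A set, so two groups tied to the same access type are not an ambiguity.
    matched = {associations[normalize_dn(g)] for g in member_of if normalize_dn(g) in associations}
    if len(matched) > 1:
        raise ValueError("groups map to different access types: " + ", ".join(sorted(matched)))
    return matched.pop() if matched else default_access_type


# Constructed Access Type -> LDAP Access Group associations for the demonstration.
ASSOCIATIONS = {
    "CN=SDM Admins,CN=Users,DC=KLAND,DC=AD,DC=com": "Administration",
    "CN=SDM Analysts,CN=Users,DC=KLAND,DC=AD,DC=com": "Analyst",
}

if __name__ == "__main__":
    # Constructed memberOf value: same group as above, different case and spacing.
    print(assign_access_type(["cn=sdm admins, cn=users, dc=kland, dc=ad, dc=com"], ASSOCIATIONS, "Customer"))
```

Because the group association is effectively an authorization decision, treat the associated groups as privileged objects in the directory: whoever can add members to them grants the corresponding CA SDM access type.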
LDAP Authentication
You can use LDAP to authenticate users logging in to CA SDM. LDAP authentication is available when the CA EEM authentication component is integrated with CA SDM; it replaces the default validation performed by the host operating system. LDAP authentication applies only when CA EEM is configured to use an external LDAP directory and you have selected OS authentication as the user validation type in the access type record.
When the CA EEM feature is activated, login requests are checked against the CA EEM server. A login request is granted only if all of the following are true:
  • The specified user ID matches a CA SDM contact record.
  • The user ID matches a user profile in CA EEM.
  • The user ID and password combination is successfully validated by CA EEM.
For more information about using CA EEM for authentication and moving the authentication module to an external server, see How to Move the Authentication Module to an External Server. Also, see Assign Access Type Using LDAP Groups.
Transport Layer Security
You can configure CA SDM to use Transport Layer Security (TLS) during LDAP processing. TLS, a secure communications protocol, is the successor of Secure Sockets Layer (SSL v3). You install the ldap_enable_tls option to enable TLS.
If this feature is enabled, all communications between CA SDM and the LDAP server are encrypted. If it is not enabled, all data communications, including the administrative login and password used to access the LDAP server, are sent in clear text, so anyone who can observe the traffic between CA SDM and the directory obtains the bind credentials.
For information about configuring TLS, refer to your LDAP server and operating system documentation, in particular how the CA SDM host is made to trust the certificate the directory server presents: encryption without server certificate validation protects against passive eavesdropping but not against an attacker who impersonates the LDAP server. Manually install the LDAP options using the Web Interface Options Manager. For more information, see Configure LDAP Options.