Enable Login with LDAP

The Lightweight Directory Access Protocol (LDAP) is an application protocol for accessing and maintaining distributed directory information services over an IP network.
The LDAP solution:
  • Makes it possible to log in to the management consoles using LDAP rather than the standard login method
  • Allows the primary hub to check all login requests against the LDAP server before trying the standard login method
  • Is supported on Windows and Linux
  • Requires certain configuration tasks on the hub and in Infrastructure Manager
Supported LDAP software:
  • Active Directory
  • eDirectory
  • Red Hat Directory Server (RHDS) 10
Supported LDAP versions:
  • V2
  • V3
Basic LDAP Configuration
Configure your hub to forward login requests to an LDAP server and to access the container with the user groups.
Follow these steps:
  1. On the hub system, start Infrastructure Manager.
  2. Select the hub probe for the domain (domain/hub/robot/hub probe).
  3. Right-click the hub probe and select Configure to open the hub configuration window.
  4. On the General tab, click Settings. Go to the LDAP tab and specify the following settings.
    • Direct LDAP
      Select this if the hub connects directly to the LDAP server.
    • Nimsoft Proxy Hub
      Select this if the hub does not connect directly to the LDAP server.
    • Server Name
      Hostname or IP for the LDAP server to which the hub will connect (click Lookup to test the communication).
    • Server Type
      LDAP server type: Active Directory, eDirectory, or RHDS 10.
    • Authentication Sequence
      Specify the order in which Unified Infrastructure Management authenticates users.
    • Use SSL
      Select to use SSL during LDAP communication (most LDAP servers are configured to use SSL).
    • User/Password
      Name and password for an account on the LDAP server that the hub uses when accessing the LDAP server. How you specify it depends on the server type:
      • Active Directory -- ordinary user name
      • eDirectory -- path to the user in the format CN=username,O=organization, where username and organization are replaced by appropriate values
      Note: This account does not need administrative privileges but does need the appropriate lookup privileges.
    • Group Container (DN)
      Location in the LDAP structure where you want to search for users (click Test to check if the container is valid).
    • User Container (DN)
      Location in the Group Container where you want to search for users.
  5. Click Test to verify that the user/password and container settings are valid.
Advanced LDAP Configuration
If you do not want to use the default configuration values, you can add tree keys to the hub configuration. These keys are read by the hub LDAP engine and affect how the hub communicates with the LDAP server.
  1. On the hub system, start Infrastructure Manager.
  2. Select the hub robot's hub probe (domain/hub/robot/hub probe).
  3. Shift-right-click the hub probe to open the Raw Configure window.
  4. In the left pane, navigate to ldap > server.
  5. Click New Key and enter the following tree keys and values:
    • Timeout
      Number of seconds to spend on each searching or binding (authentication) LDAP operation.
      Accepted values are:
      • 10 (default)
      • Desired number
    • codepage
      Specifies which codepage to use when translating characters from UTF-8 encoding to ANSI (which all CA Unified Infrastructure Management components use internally). Text in the LDAP library is encoded as UTF-8. Because CA Unified Infrastructure Management products do not have true Unicode support, all characters are translated into ANSI using this codepage.
      Accepted values are:
      • 28591* (Windows default)
      • Valid codepage number (Windows)
      • ISO-8859-1* (Linux default)
      • Text string that is passed to the iconv_open function (Linux)
      * ISO 8859-1 Latin 1; Western European (ISO)
  6. Click OK.
The tree key is added.
Codepage Values
The hub LDAP library uses these functions.
  • Windows: MultiByteToWideChar and WideCharToMultiByte
    These functions translate to and from ANSI/UTF-8. Both take a code page as a parameter. For a list of Windows code page numbers, go to http://www.microsoft.com (not affiliated with CA) and search for Code Page Identifiers.
  • Linux: iconv functions
    For further reference, go to http://www.gnu.org/software/libiconv (not affiliated with CA).
The code page key is not shipped with the hub configuration file.
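The translation step that the codepage tree key and the Codepage Values section describe, as an added example that is not CA's hub code: it uses POSIX iconv_open/iconv with the Linux default codepage ISO-8859-1 and shows what happens to a user name whose characters fall outside that codepage. The function name, return convention and sample names are this example's own assumptions, not the hub's.

```c
#include <errno.h>
#include <iconv.h>
#include <stdio.h>
#include <string.h>

/* Translate a UTF-8 string (the encoding the LDAP library returns) into the
 * ISO-8859-1 codepage that the hub uses on Linux when no codepage key is set.
 * Returns the number of output bytes on success (output is NUL-terminated),
 * -1 if the input holds a character ISO-8859-1 cannot represent or a malformed
 * UTF-8 sequence (errno EILSEQ), and -2 on any other failure. outlen >= 1. */
long utf8_to_latin1(const char *in, char *out, size_t outlen)
{
    /* Target codepage first, source encoding second, as iconv_open expects. */
    iconv_t cd = iconv_open("ISO-8859-1", "UTF-8");
    if (cd == (iconv_t)-1)
        return -2;

    char *inp = (char *)in;        /* iconv() takes non-const pointers */
    size_t inleft = strlen(in);
    char *outp = out;
    size_t outleft = outlen - 1;   /* keep one byte for the terminator */
    long rc;
    if (iconv(cd, &inp, &inleft, &outp, &outleft) == (size_t)-1) {
        /* EILSEQ: character outside Latin-1 or invalid UTF-8; E2BIG: out too small */
        rc = (errno == EILSEQ) ? -1 : -2;
    } else {
        *outp = '\0';
        rc = (long)(outp - out);
    }
    iconv_close(cd);
    return rc;
}

int main(void)
{
    /* Constructed sample user names; not taken from any real directory. */
    const char *names[] = { "jos\xC3\xA9", "g\xC3\xBCnther", "\xC5\x81ukasz", "\xE2\x82\xAC-team" };
    char buf[64];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        long n = utf8_to_latin1(names[i], buf, sizeof buf);
        if (n < 0)
            printf("%s: cannot be translated with codepage ISO-8859-1\n", names[i]);
        else
            printf("%s: %ld ANSI byte(s) after translation\n", names[i], n);
    }
    return 0;
}
```

The first two names translate losslessly; the Polish and euro-sign names fail, which is the case where a different codepage value (Windows 1250, or another iconv_open string) has to be configured rather than relying on the default.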
Connecting Access Control Lists to LDAP Users
You can create Access Control Lists (ACLs) and can associate them with specific LDAP groups. The users in the LDAP group are then assigned the privileges for the associated ACL.
For example, if an LDAP user logs in to a UIM component, the request is directed to the LDAP server for authentication. If the user name is found in a group that is attached to an ACL, the user is assigned privileges as defined in the ACL. If the user belongs to multiple groups, privileges are assigned from the ACL with the most extended privileges.
LDAP users must be direct members of the group that you are connecting to an ACL. UIM does not support the use of nested or role-based groups. Bus users should not share an ACL with LDAP users, or bus users will inherit LDAP accounts.
Follow these steps:
  1. In Infrastructure Manager, select Security > Manage Access Control List.
  2. To create an ACL:
    1. Click New under Access Control List.
    2. Name the new ACL, then select an ACL (if any exist) to copy its settings. Click OK.
    3. Select the desired options in the Permissions area.
  3. To associate a group with an ACL:
    1. Select the new or existing ACL.
    2. Click Set LDAP Group. All groups in the container are listed.
    3. Select a group and click OK.
  4. Click OK in the Manage Access Control List dialog.
The new setting is active. To verify the configuration, start Infrastructure Manager and log in as an LDAP user who is not a CA Unified Infrastructure Management user. Verify that you have the appropriate privileges and can access the expected contents.