Document 6509570

Transcription

Document 6509570
AREA LDAP Configure the AREA LDAP form 1) You should use the LDP.exe to check if LDAP is able to authenticate. Run the ldp.exe 2) You should have the user in user form with blank password. You can also create a user in people form that will add the entry of that user in user form. 3) You should log with the user that have entry in the active directory with the same password that you have in active directory for that user. 4) If that is user that you should use samAccount name =\$User$ 5) Always check in the plug-­‐in log if that particular user is able to pass or not. 6) In the USER dn you should have the same path which is parent of that user, this is called as narrow search. 7) Always use the ip address instead of name. 8) Chase referral should be no. 9) ARS-­‐AREA mean first it will check in remedy if that user is available if the user is there then it will allow that user and if that is not in the user then it will search in the AREA ( that means it will check via AREA in the active directory ) 10) Please not that the user should have same user in user form so that it can authenticate that user and uses the active directory password. 11) Change password can ( This is a default functionality of ARSERVER 7.5 )be removed my changing the default home path in server information page of administration. You can provide the document how to configured area ldap below is the information. How to configure the AREALDAP Plugin
These instructions will walk you through the most common configurations for AREA using the AREALDAP Plugin to access user information in an LDAP server for authentication. These instructions are designed to work with a utility called LDP.EXE that comes with the Support Tools on Win2000. These instructions assume that the AREALDAP Plugin was installed correctly by the ARServer installation routine. The configuration of AREA is through configuration parameters in the ar.cfg file. To make configuration easier, the installation of the AREA Plugin adds two forms, AREA LDAP Configuration and Configuration ARDBC. The Configuration ARDBC is a Vendor Form, using a separate Plugin, that reads and writes the ar.cfg file. The AREA LDAP Configuration form is a Display Only form that uses Filters to push values to the Configuration ARDBC Form and therefore the ar.cfg file. These instructions will walk the user through obtaining the appropriate values for each field in the AREA LDAP Configuration form which will become the values for the parameters in the ar.cfg file. 1. Configuring Authentication. Before setting up the Plugin Parameters, there are a few things to setup in the Administrator Tool. a.
b.
Launch the Administrator Tool, highlight the server name, click on File/Server
Information, select the ‘Server Ports and Queues’ Tab and type ‘390695’ in the
‘External Authentication Server RPC Program Number’ field. ‘390695’ is the
recommended value although any number in the range of valid Private Server
RPC program numbers can be used. You do not need to create a Private Server.
Select the Configuration tab and select one or both of ‘Cross Ref Blank
Password’ and Authenticate Unregistered Users’. More on these settings can be
found in the 5.1 manuals. AREA requires that you select at least one of these.
Note: Before turning on ‘Cross Ref Blank Passwords’, make sure you have an ARSystem Administrator account that has a password. Also note that Fixed License users will not be able to use AREA to get License information; only Read and Floating Licenses can be used. c.
If you use Cross Ref Blank Password, a user account must exist in the User form
with the exact name of a user in the LDAP server but without a password in the
User Form.
2. Configuring the Plugin a. From the User Tool, open the AREA LDAP Configuration Form in create mode b. Below is an example of a populated form. 2.c.1 – 2.c.5
c. Enter values in each field 1. Host Name: This should be the actual hostname of the LDAP server. If you are using SSL, this should match the name that the server’s certificate was issued for. 2. Port Number. This field is optional. If ‘Use Secure Socket Layer?’ is not selected, the default, port 389 is used. If Use Secure Socket Layer?’ is selected, port 636 is used. If you do specify this value, it will typically be 389 or 636. 3. Distinguished Name see Document # 10604 (attached to this document) 4. Password Type in the password for the account in the Distinguished Name field 5. Use Secure Socket Layer?’ If you plan to use SSL for this AREA Plugin, select Yes. Since SSL requires additional setup in this form and outside of AR System, you may want to experiment without SSL first and then add this option later. If you choose ‘Yes’, you will need to provide the path and file name of the Certificate Database. 2.c.6. – 2.c.7.d.1
6. Certificate Database Enter a value in this field only if you are using SSL. You will need to obtain a cert7.db file since AR System uses the Netscape LDAP SDK, which requires this. One way to obtain the cert7.db file is to install Netscape Navigator 4.7x on the AR System box. Locate the cert7.db file and provide it’s location in this field. Note: Cert7.db is location specific and cannot be moved. You must provide the original path and filename here. 7. User Base, User Search Filter, Group Base, Group Search Filter You need to provide the Base Dn that contains user and group information and the Filters that will help locate the specific user and group data. We will use LDP.EXE to obtain these values. a. Launch LDP. b. Click on Connection/Connect c. Type in the LDAP Server name. d.
Click on OK and observe the output. Note the Bolded
areas, which are the recommended naming context. The
bolding was added to this document to draw your attention
to the text.
You will typically see the ‘namingContext’ specified as a
list. If there are multiple semi-colon delimited values,
choose either the shortest or the one that looks most
obvious. If the namingContext is not specified, you may
need to ask the LDAP admin for the namingContext.
1. Example Netscape Server (Centaur) ld = ldap_open("centaur", 389);
Established connection to centaur.
Retrieving base DSA information...
Result <0>: (null)
Matched DNs:
Getting 1 entries:
>> Dn:
1> objectClass: top;
2> namingContexts: dc=Remedy,dc=COM; o=NetscapeRoot;
6> supportedExtension: 2.16.840.1.113730.3.5.7; 2.16.840.1.113730.3.5.8; 2.16.840.1.113730.3.5.3;
2.16.840.1.113730.3.5.5; 2.16.840.1.113730.3.5.6; 2.16.840.1.113730.3.5.4;
15> supportedControl: 2.16.840.1.113730.3.4.2; 2.16.840.1.113730.3.4.3; 2.16.840.1.113730.3.4.4;
2.16.840.1.113730.3.4.5; 1.2.840.113556.1.4.473; 2.16.840.1.113730.3.4.9; 2.16.840.1.113730.3.4.16; 2.16.840.1.113730.3.4.15;
2.16.840.1.113730.3.4.17; 2.16.840.1.113730.3.4.19; 2.16.840.1.113730.3.4.14; 1.3.6.1.4.1.1466.29539.12;
2.16.840.1.113730.3.4.13; 2.16.840.1.113730.3.4.12; 2.16.840.1.113730.3.4.18;
2> supportedSASLMechanisms: EXTERNAL; DIGEST-MD5;
2> supportedLDAPVersion: 2; 3;
1> vendorName: Netscape Communications Corp.;
1> vendorVersion: Netscape-Directory/6.01 B2002.028.2020;
1> dataversion: 020020801222413020020801222413;
ld = ldap_open("astro", 389);
Established connection to astro.
Retrieving base DSA information...
Result <0>: (null)
Matched DNs:
Getting 1 entries:
>> Dn:
1> currentTime: 8/13/2002 13:43:5 Pacific Standard Time Pacific Daylight Time;
1> subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=jetsons,DC=remedy,DC=com;
1> dsServiceName: CN=NTDS Settings,CN=ASTRO,CN=Servers,CN=Default-First-SiteName,CN=Sites,CN=Configuration,DC=jetsons,DC=remedy,DC=com;
3> namingContexts: CN=Schema,CN=Configuration,DC=jetsons,DC=remedy,DC=com;
CN=Configuration,DC=jetsons,DC=remedy,DC=com; DC=jetsons,DC=remedy,DC=com;
1> defaultNamingContext: DC=jetsons,DC=remedy,DC=com;
1> schemaNamingContext: CN=Schema,CN=Configuration,DC=jetsons,DC=remedy,DC=com;
1> configurationNamingContext: CN=Configuration,DC=jetsons,DC=remedy,DC=com;
1> rootDomainNamingContext: DC=jetsons,DC=remedy,DC=com;
16> supportedControl: 1.2.840.113556.1.4.319; 1.2.840.113556.1.4.801; 1.2.840.113556.1.4.473;
1.2.840.113556.1.4.528; 1.2.840.113556.1.4.417; 1.2.840.113556.1.4.619; 1.2.840.113556.1.4.841; 1.2.840.113556.1.4.529;
2. Example Active Directory server (Astro) 1.2.840.113556.1.4.805; 1.2.840.113556.1.4.521;
1.2.840.113556.1.4.970;
1.2.840.113556.1.4.1338;
1.2.840.113556.1.4.474;
1.2.840.113556.1.4.1339; 1.2.840.113556.1.4.1340; 1.2.840.113556.1.4.1413;
2> supportedLDAPVersion: 3; 2;
12> supportedLDAPPolicies: MaxPoolThreads; MaxDatagramRecv; MaxReceiveBuffer; InitRecvTimeout;
MaxConnections; MaxConnIdleTime; MaxActiveQueries; MaxPageSize; MaxQueryDuration; MaxTempTableSize;
e. Click on Connection/Bind to login (bind) to the LDAP server MaxResultSetSize; MaxNotificationPerConn;
1> highestCommittedUSN: 66752;
2> supportedSASLMechanisms: GSSAPI; GSS-SPNEGO;
1> dnsHostName: astro.jetsons.remedy.com;
1> ldapServiceName: jetsons.remedy.com:astro$@JETSONS.REMEDY.COM;
1> serverName: CN=ASTRO,CN=Servers,CN=Default-First-SiteName,CN=Sites,CN=Configuration,DC=jetsons,DC=remedy,DC=com;
1> supportedCapabilities: 1.2.840.113556.1.4.800;
1> isSynchronized: TRUE;
1> isGlobalCatalogReady: TRUE; 2.c.7.d.2 – 2.c.7.e.2
1. The User and Password should be provided to you by the LDAPAdministrator. a. For Active Directories and Exchange Server 5.5, check the Domain box and provide a domain to login to. b. For most LDAP servers the Domain box should be unselected. 2. 2.c.7.f – 2.c.7.g.1
If you logged in successfully you should see a message in the right-­‐hand pane such as “Authenticated as dn:'administrator'.” f. Click on View/Tree and type in the value you noted as the NamingContext from step 2.c.7.d g. Once you click on OK, the left pane of LDP should give you an expanding list. Click on the + (or double-­‐click on an item) to expand the list to the 2nd or 3rd level. If you like, browse the entire tree to see what data is available. Example Netscape Server (Centaur): Example Active Directory Server (Astro): 1.
. Identify the item on the list that most resembles a
list of users. This is the Base Dn for User or the
‘User Base’. Enter this value on the form in the
In the above examples: a. Netscape Server (Centaur):
b. Active Directories (Astro):
ou=People, dc=Remedy, dc=com
CN=Users, DC=Jetsons, DC=Remedy, DC=COM
User Base field.
or
2.c.7.g.2 – 2.c.7.i.4
OU=Remedy-Users, DC=Jetsons, DC=Remedy, DC=COM
2. Identify the item on the list that most resembles a list of Group This is the Base Dn for User or the ‘Group Base’. Enter this value on the form in the Group Base field. In the above examples: a. Netscape Server (Centaur):
ou=Groups,dc=Remedy,dc=com
b. Active Directories (Astro):
CN=Builtin,DC=Jetsons,DC=Remedy,DC=COM
h. Identify the User Search Filter. 1. Double-­‐click on the item you identified in 2.c.7.g.1. You should obtain a list of users. 2. Identify one of the users that you know to be a valid user and double-­‐click on it. 3. Look for a line in the right-­‐hand pane that contains the name of the user, such as: “1> cn:ARAdmin” 4. The attribute, ‘cn’ in this case, that identifies this user will be used to generate the search filter. When AREA searches for this user, it will use the string ‘$\USER$’ to replace the user name. So if ‘cn’ is the attribute name that stores the username the User Search Filter would be: cn=$\USER$ When a user, Demo, logs into the user tool, $\USER$ is replaced with ‘Demo’ and the search filter, cn=Demo, is used to locate Demo in the LDAP server. So if ‘cn’ is the attribute name, type ‘cn=$\USER$’ into the User Search Filter field. i. Identify the Group Search Filter. 1. Double-­‐click on the item you identified in 2.c.7.g.2. You should obtain a list of groups. 2. Identify one of the groups that you know to be a valid group and double-­‐click on it. 3. Look for a line in the right-­‐hand pane that contains the list of users that belong to this group, such as: “2> member: CN=Administrator,CN=Users,DC=jetsons,DC=remedy,DC
=com; CN=Mail User,CN=Users,DC=jetsons,DC=remedy,DC=com;” or “2> uniqueMember: uid=FFrontline,ou=People,dc=Remedy,dc=com; uid=BBackline,ou=People,dc=Remedy,dc=com” 4. The attribute, ‘member’ or ‘uniqueMember’ as the case may be, that identifies this group will be used to generate the group search filter. When AREA searches for this group, it will use the string ‘$\DN$’ to replace the group name. So if ‘member’ is the attribute name that stores the group name, the Group Search Filter would be: member=$\DN$ When a group notification to a group such as ‘QA Managers’ occurs, ARServer replaces $\DN$ with ‘QA Managers’ and the search filter, member=QA Managers, is used to locate QA Managers in the LDAP server. If ‘member’ is the attribute name, type ‘member=$\DN$’ into the Group Search Filter field. 2.c.8. – 2.c.10.b.1. 8. Group Membership a. If LDAP users belong to a group, select Group Container; otherwise, select None. (When None is selected, the Group Base, Group Search Filter, and Default Groups fields are disabled.) 9. Default Groups a. If no group is obtained from LDAP, users using AREA will be assigned to this default Group. For example, if AR System has a group called ‘Public’ and any user in LDAP that doesn’t have a group specified should be in the ‘Public’ AR System group, type ‘Public’ into the Default Groups field. 10. License Mask license. Note: in the following steps, ‘Reserved License’ refers to a Flashboards a. LDAP Attribute Name: The attribute that specifies the license mask. You should specify an LDAP attribute that contains an integer of value 0 to 7. The bits of the binary format of this integer indicates how to mask the license information returned from the AREA LDAP plug-­‐in. 0 No licenses returned from the AREA LDAP plug-­‐in are used. 1 Write License from the plug-­‐in is used. 2 Full Text Search (FTS) License from the plug-­‐in is used. 3 Write License and FTS License from the plug-­‐in are used. 4 Reserved License from the plug-­‐in is used. 5 Reserved License and Write License from the plug-­‐in are used. 6 FTS License and Reserved License from the plug-­‐in are used. 7 Write License, FTS License, and Reserved License from the plug-­‐in are used. If the license is not used from the plug-­‐in then the license information in the user's User entry is observed. If you do not have an attribute designed to hold this specific information, leave this field blank. b. Default Value if Not Found in LDAP Enter the integer value for one of the following: 0: None 2.c.10.b.2 – 2.c.15.a. 1: Write License 2: FTS License 3: Write and FTS License 4: Reserved License 5: Reserved and Write License 6: Reserved and FTS License 7: All licenses 11. Write License a. LDAP Attribute Name: Enter the LDAP attribute name that contains and integer, 0 or 1, representing whether the user requires a Read or Floating Write license, respectively. If you are not using LDAP for license info, leave this field blank b. Default Value if Not Found in LDAP License Enter 0 for a Read Only Write License or 1 for a Floating Write 12. Full Text Search License a. LDAP Attribute Name: Enter the LDAP attribute name that contains an integer, 0 or 1, representing whether the user requires no FTS License or a Floating FTS license, respectively. If you are not using LDAP for license info, leave this field blank b. Default Value if Not Found in LDAP Enter 0 for No FTS License or 1 for a Floating FTS License 13. Reserved License a. LDAP Attribute Name: Enter the LDAP attribute name that contains an integer, 0 or 1, representing whether the user requires no Reserved License or a Fixed Reserved license, respectively. If you are not using LDAP for license info, leave this field blank. Note: since Fixed Licenses are not allowed with AREA, this field should be left blank. b. Default Value if Not Found in LDAP Enter 0 for None or 2 for a Fixed Reserved License
Note: since Fixed Licenses are not allowed with AREA, this
field should be set to 0.
14. Email Address a. LDAP Attribute Name: Enter the LDAP attribute name that contains the email address for users If your LDAP server does not store email addresses, leave this field blank. b. Default Value if Not Found in LDAP Enter a default email address to use when an email address is not found is the LDAP server. 2.c.15.b. – 2.d.1.h. 15. Default Notification Mechanism a. LDAP Attribute Name: Enter the LDAP attribute name containing an integer, 0, 1, or 2, representing whether the user’s Default Notification Mechanism is ‘None’, ‘Alert’, or ‘Email’, respectively b. Default Value if Not Found in LDAP Enter 0 for None, 1 for Alert, or 2 for Email d. Check the values for each field and Save the form. 1. You should now be able to test an AREA login. a. Create a user in the User form, with no password, that exists in LDAP b. Create a Group in the Group form that exists in the LDAP server. c. Assign the new user to the new Group d. Make a least one form hidden from this group and one form visible to this group. Make sure that Public permissions are removed from these forms so they don’t obscure our results e. Verify, using LDP.exe, that the user exists and belongs to the correct group in the LDAP server f. Make sure you know the LDAP password for this user. g. Login to the User Tool and verify that the one form is invisible and the other form is visible. This should show that the User was able to login and receive the correct group information. h. If you use license information, remember that Fixed Licenses are not assignable through AREA. Document #: 10604
Last Revised Date: 07/25/02
Last Revised by: Doug Reif
How do I configure the ARDBC or AREA LDAP user name?
ARS Version 5.1
Title:
How do I configure the ARDBC or AREA LDAP user name?
Category:
Administration
Keyword(s)
ARDBC LDAP Exchange ADS Active Directories ARDBC-LDAP-User-DN AREA
Problem: (Short Description)
How do I configure the ARDBC LDAP user name?
Problem: (Long Description) How do I configure the ARDBC LDAP user name?
OS Version:
Windows NT 4.0 and Windows 2000 Solution Overview:
What value do I use for the ARDBC-LDAP-User-DN and ARDBC-LDAP-Password parameters
in ar.cfg/ar.conf. For AREALDAP, this will be the AREA-LDAP-Bind-User and AREA-LDAPBind-Password parameters.
This kb answers that question for generic LDAP such as OpenLDAP, Active Directories, and
Exchange Server 5.5
Some LDAP servers allow Anonymous connections. If your LDAP server allows Anonymous
connections, you can remove these parameters from the ar.cfg/ar.conf file and will still be able
to use some of the ARDBC functionality. By default, Active Directories does not allow
Anonymous connections.
For AREALDAP, you must Bind (login) and so must provide these values.
Exchange Server will allow Anonymous connections but unless specifically configured, not all
attributes will return data.
If you use the ARDBC-LDAP-User-DN parameter you should also provide the ARDBC-LDAPPassword parameter. The password is assumed to be encrypted so should be added via the
LDAP ARDBC Configuration Form provided.
This is also true of the AREA-LDAP-Bind-User and AREA-LDAP-Bind-Password parameters for
AREA using the AREA LDAP Configuration Form.
For OpenLDAP and most LDAP servers, you should use a standard distinguished name such
as cn=manager, dc=remedy, dc=com for the LDAP User name.
For Active Directories, the value should be the actual login name, not the distinguished name, of
a user with appropriate permissions. For example if the 'Administrator' user on the LDAP server
box will be the ARBDC login, simply use a value of 'Administrator'. If you will be using a
domain account you can use <Domain>\<account name> such as 'JETSONS\Administrator'
For Exchange Server 5.5, you should use the distinguished name format. If the server or
domain account that has the appropriate permissions does not exist in the Exchange Server
Recipients list, you may need to add it.
For example, the Exchange Server 5.5 on server WARP has a local administrator account,
'Administrator' that does not exist in the Exchange Server database. From the Exchange
Administrator program, add a new Recipient with a Display Name of 'Administrator' and use the
Primary NT account of 'Administrator'. The distinguished name for this user should be
cn=Administrator, cn=Recipients,ou=NTENSE, o=WARP. This is the value I use for the
ARBDC-LDAP-User-DN parameter. Note that Exchange Server 5.5 permissions are a bit
complex and must be configured properly.
5924 Stoneridge Dr. Pleasanton, CA 94588 USA 925.469.4000 tel 925.469.4001 fax support@remedy.com Action Request System and AR System are trademarks of Peregrine Systems, Inc.
All other trademarks or service marks mentioned in this document are
the properties of their respective companies and owners.