Configuring Directory Services

Configuring Directory Services

Local Directory Service

Each grid includes its own local directory service. This service is used to manage local users and groups. It is also used to store some information about global users and groups. For example, when a global user authenticates, that user’s global group membership is read from the global directory and cached in the local directory. In addition, global user profile properties are stored in the local directory.

Users and groups are managed using the CLI user and group commands.

When a grid is first created, BFC is used to create an initial local user. This user is made a member of the local group admin. The initial user name and password are provided in the BFC GUI:

Global Directory Service

A global directory service is managed outside of CA 3Tera AppLogic. A CA 3Tera AppLogic grid can be configured to use a global directory service for user authentication and for determining global group membership. There are several benefits to using a global directory service:

• There is no need to maintain grid specific users, passwords and groups.
• Organizations with multiple grids can use the same user names, passwords and group names to access their CA 3Tera AppLogic grids (even if the grids are provided by different service providers)
• User authentication is performed by an external service which may also be used by many other software systems within an organization. For example, existing corporate user accounts may be used to provide access to CA 3Tera AppLogic grids.
• CA 3Tera AppLogic object ACL entries that refer to global users or global groups can be preserved during object import, export and migration. If an object is imported or migrated to another grid which uses the same global directory service, these entries are recognized.

Configuration of the interaction of CA 3Tera AppLogic with a global directory service is performed using the backbone fabric controller (BFC). This configuration is protected and can only be changed by the maintainers of the backbone fabric controller. BFC can be used to perform this configuration at the time of grid creation or any time thereafter. CA 3Tera AppLogic supports both Active Directory and generic LDAP directory services.

The following screen shows a typical configuration that uses Active Directory as a global directory service.

The following screen shows a typical configuration that uses generic LDAP as a global directory service.

Changes made in the BFC global directory configuration interface take effect as soon as they are propagated to the grid. No controller or grid reboot is required. The follow constraints affect grid inter-operation with a global directory service:

• User and group IDs must be valid UTF-8 strings with the following limitations: / is an invalid character; all ASCII control characters are invalid; the ID may not be comprised only of the period and space character(s).
• The generic LDAP configuration recognizes the following standard LDAP user and group object classes only: person, inetOrgPerson, organizationalPerson, groupOfNames, and groupOfUniqueNames.