To support LDAP user directories, create an organization in CA AuthMinder repository and then map the CA AuthMinder attributes with the LDAP attributes.
Follow these steps:
Enter the unique ID for the organization that you want to create.
Note: To log in to this organization from the Administration Console, you specify this value, not the Display Name of the organization.
Enter a unique descriptive name for the organization.
Note: This name appears on all other Administration Console pages and reports.
Provide a description for the administrators who will manage this organization.
Note: You can provide additional details for later reference for the organization by using this field.
Select the mechanism that will be used to authenticate administrators belonging to this organization.
Administration Console supports the following three types of authentication mechanisms:
Basic User Password
This is the in-built authentication mechanism that is provided by Administration Console. If you select this option, then administrators log in to the Console by specifying their ID and plain text password.
LDAP User Password
The authentication policy is defined in the LDAP directory service. If you select this option, then administrators must use the credentials that are stored in LDAP to log in to the Console.
WebFort Password
This is the WebFort password authentication method. If you select this option, then the administrator credentials are issued and authenticated by CA AuthMinder Server.
This option is selected by default. Deselect this option if you want to override the Global Key Label you specified in the bootstrap process and specify a new label for software-based encryption.
If you deselected the Use Global Key option, then specify the new key label that you want to use for the organization.
Indicates whether the encryption key is stored in the database (Software) or the HSM (Hardware).
Select this option to use the localization parameters that are configured at the global level.
If you deselected the Use Global Configuration option, then specify the Date Time format that you want to use.
If you deselected the Use Global Configuration option, then select a preferred locale.
Select Enterprise LDAP. By specifying this option, the user and administrator details for the new organization will be stored in the CA AuthMinder repository.
Name of the custom attribute.
Value of the custom attribute.
The Create Organization page to collect the LDAP repository details appears.
Enter the host name of the system where the LDAP repository is available.
Enter the port number on which the LDAP repository service is listening.
Specify the LDAP schema used by the LDAP repository. This schema specifies the types of objects that an LDAP repository can contain, and specifies the mandatory and optional attributes of each object type.
Typically, the schema name for Active Directory is user and for SunOne Directory it is user and inetorgperson.
Enter the base Distinguished Name of the LDAP repository. This value indicates the starting node in the LDAP hierarchy to search in the LDAP repository.
For example, to search or retrieve a user with a DN of cn=rob laurie, ou=sunnyvale, o=arcot, c=us, you must specify the base DN as the following:
ou=sunnyvale, o=arcot, c=us
Note: Typically, this field is case-sensitive and searches all sub-nodes under the provided base DN.
Specify the name of the schema that provides the definition of the "member" attribute.
This is an optional field.
You can search for users in the LDAP repository using the Base DN defined for an organization. But this search only returns users belonging to the specific Organization Unit (OU). An LDAP administrator might want to create a group of users belonging to different Organization Units for controlling access to an entire group, and might want to search for users from different groups. When the administrator creates groups, user node DNs are stored in a "member" attribute within the group node. By default, UDS does not allow search and DN resolution based on attribute values. Redirection enables you to search for users belonging to different groups within LDAP, based on specific attribute values for a particular node.
Typically, the redirect schema name for Active Directory is group and for SunOne directory it is groupofuniquenames.
Select the type of connection that you want to use between the Administration Console and the LDAP repository. Supported types are:
Enter the complete distinguished name of the LDAP repository user who has the permission to log in to the repository server and manage the Base Distinguished Name.
For example, uid=gt,dc=arcot,dc=com
Enter the password of the user provided in the Login Name.
Use the Browse button to enter the path of the trusted root certificate that issued the SSL certificate of the LDAP server.
This field is applicable if you selected One-way SSL or Two-way SSL in the Connection Type field.
Enter the path for the key store that contains the client certificate and the corresponding key by using the Browse button.
This field is applicable only if you selected Two-way SSL in the Connection Type field.
Note: Upload a PKCS#12 or JKS key store.
Enter the password for the client key store, if the required SSL option is selected.
This field is applicable only if you selected Two-way SSL in the Connection Type field.
The page to map the repository attributes appears.
Important! Mapping of the UserName attribute is compulsory. If you are using Active Directory, then map UserName to sAMAccountName. If you are using SunOne Directory, then map UserName to uid.
For Active Directory, you must map STATUS to userAccountControl.
Note: You do not need to map all the attributes in the Arcot Database Attributes list. Map only the attributes that you will use.
The attributes that you have mapped are moved to the Mapped Attributes list.
If required, you can unmap the attributes. If you want to unmap a single attribute at a time, then select the attribute and click Unmap. However, if you want to clear the Mapped Attribute list, then click Reset to unmap all the mapped attributes.
Typically, the attribute for Active Directory is member and for SunOne directory, it is uniquemember.
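The base-DN scoping, group redirection through the member attribute, and the UserName/STATUS mapping described above, as an added illustration that is not CA AuthMinder or UDS code. It uses constructed in-memory entries in place of a live LDAP server, assumes the Active Directory flavour of the mapping (sAMAccountName, userAccountControl), and simplifies DN handling (no escaped commas).

```python
# Added illustration, not CA AuthMinder or UDS code. A constructed in-memory
# directory stands in for LDAP; DN handling is simplified (no escaped commas).
UF_ACCOUNTDISABLE = 0x0002  # ACCOUNTDISABLE bit of userAccountControl

# Constructed sample entries: DN -> attributes (attribute names lower-cased).
DIRECTORY = {
    "cn=rob laurie,ou=sunnyvale,o=arcot,c=us": {"objectclass": ["user"],
        "samaccountname": "rlaurie", "useraccountcontrol": 512},
    "cn=ann lee,ou=sunnyvale,o=arcot,c=us": {"objectclass": ["user"],
        "samaccountname": "alee", "useraccountcontrol": 514},  # disabled
    "cn=bob ray,ou=boston,o=arcot,c=us": {"objectclass": ["user"],
        "samaccountname": "bray", "useraccountcontrol": 512},
    "cn=admins,ou=groups,o=arcot,c=us": {"objectclass": ["group"],
        "member": ["cn=rob laurie,ou=sunnyvale,o=arcot,c=us",
                   "cn=bob ray,ou=boston,o=arcot,c=us"]},
}

# Mapping as entered on the attribute-mapping page for Active Directory.
AD_MAP = {"UserName": "sAMAccountName", "STATUS": "userAccountControl"}

def _norm(dn):
    """Lower-case the DN and drop spaces around RDN separators."""
    return ",".join(p.strip() for p in dn.lower().split(","))

def in_base(dn, base_dn):
    """True if dn is the base DN itself or lies in its subtree."""
    dn, base = _norm(dn), _norm(base_dn)
    return dn == base or dn.endswith("," + base)

def search_base(base_dn, schema="user"):
    """Base-DN search: entries of the given schema under base_dn only."""
    return sorted(dn for dn, e in DIRECTORY.items()
                  if schema in e["objectclass"] and in_base(dn, base_dn))

def search_redirect(group_dn, member_attr="member"):
    """Redirect search: resolve the DNs held in the group's member attribute
    (uniquemember for SunOne), which can span OUs outside any one base DN."""
    return sorted(DIRECTORY[group_dn][member_attr])

def map_user(dn, attr_map=AD_MAP):
    """Translate a directory entry into the mapped AuthMinder attributes;
    the STATUS mapping is read as 'enabled' from the ACCOUNTDISABLE bit."""
    entry = DIRECTORY[dn]
    uac = entry[attr_map["STATUS"].lower()]
    return {"UserName": entry[attr_map["UserName"].lower()],
            "enabled": not (uac & UF_ACCOUNTDISABLE)}
```

Note that the base-DN search with ou=sunnyvale misses bob ray in ou=boston, while the redirect search through the group's member attribute returns him; that is the case the redirect schema exists for.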
The Select Attribute(s) for Encryption page appears.
Click the > button to move the selected attributes to the desired list. You can also click the >> button to move all attributes to the desired list.
Note: Hold the Ctrl key to select more than one attribute at a time.
The Add Administrators page appears.
Note: This page is not displayed if all the administrators currently present in the system have scope to manage all organizations.
From the Available Administrators list, select the administrators who will manage the organization and click the > button to add the administrator to the Managing Administrators list.
The Available Administrators list displays all the administrators who can manage the new organization.
Note: If some administrators have scope to manage all organizations in the system, then the corresponding entries for those administrators are not displayed in this list.
The Managing Administrators list displays the administrators that you have selected to manage this organization.
The Configure Account Type page appears only if the logged-in administrator has account types to manage. If the logged-in administrator does not have any account types to manage, then the Configure Email/Telephone Type page appears.
The Configure Account Custom Attributes page appears.
The Activate Organization page appears.
A warning message appears.
Information! If you have configured the attribute encryption set, account types, and email and telephone types while creating the organization, ensure that you refresh both the system configuration and organization cache. If you do not refresh the organization-level cache, the system gets into an unrecoverable state.
Copyright © 2014 CA Technologies.
All rights reserved.