

Configuring Directory Services

This section describes the configuration of local and global directory services.

Local Directory Service

Each grid includes a local directory service. This service is used to manage local users and groups. It is also used to store some information about global users and groups. For example, when a global user authenticates, that user’s global group membership is read from the global directory and cached in the local directory. Global user profile properties are also stored in the local directory.

Users and groups are managed using the CLI user and group commands.

When a grid is first created, BFC is used to create an initial local user. This user is made a member of the local group admin. The initial user name and password are provided in the BFC GUI:

Working with Directory Services - Controller Tab

Global Directory Service

A global directory service is managed outside of CA AppLogic®. A CA AppLogic® grid can be configured to use a global directory service for user authentication and defining global group membership. Using a global directory service has the following benefits to:

The interaction between CA AppLogic® and a global directory service is configured using the backbone fabric controller (BFC). This configuration is protected and can only be changed by the maintainers of the backbone fabric controller. BFC can be used to perform this configuration at the time of grid creation or at any time thereafter. CA AppLogic® supports both Active Directory and generic LDAP directory services.

The following graphic shows a typical configuration that uses Active Directory as a global directory service.

BFC Active Directory Services Authentication Tab

The following graphic shows a typical configuration that uses generic LDAP as a global directory service.

Typical configuration that uses generic LDAP as a global directory service

Changes made in the BFC global directory configuration interface take effect as soon as they are propagated to the grid—no controller or grid reboot is required. The following constraints affect grid inter-operation with a global directory service:

Note: See configuring authentication for more information.