Use the Single Sign-On Configuration Tool to instruct registered data sources to use the same LDAP scheme to authenticate users. The Single Sign-On Configuration Tool lets you supply parameters that enable the CA server to connect securely to the LDAP server. When you use Digest-MD5 or GSSAPI to encrypt the connection to the LDAP server, a single bind operation—as the user you specify—occurs.
Using the Configuration Tool, you can also associate users in the LDAP catalog with either predefined or custom user accounts in CA Performance Center.
Follow these steps:
Log in as root or with the 'sudo' command.
Navigate to the following directory:
InstallationDirectory/CA/PerformanceCenter
You are prompted to select an option. The available options correspond to CA applications running on the local server.
You are prompted to select an option.
You are prompted to specify the priority.
The Priority parameter only applies to CA Performance Center.
Remote Value: Refers to settings that only administrators can change. Such settings are propagated to all other CA products registered to this instance of CA Performance Center. Remote Value settings are only used if a corresponding Local Override value is not present.
Local Override: Refers to settings that can be changed for all products. If a Local Override value is present, it takes precedence over both the Remote Value and default settings.
You are prompted to select a property to configure.
Defines the user ID that the login server uses to connect to the LDAP server. This LDAP user name is used to bind to the server. A service account is not typically required for a connection that uses an authentication mechanism, such as GSSAPI.
Example: If the login server uses a fixed account, enter text with the following syntax:
CN=The User,cn=Users,dc=domain,dc=com
Or you can enter the following value because the connection is using an authentication mechanism:
{0}
Complex configurations need the user principal name to identify the user. Supply '{0}' followed by '@' and the domain part of the users' email addresses. For example:
{0}@domain.com
The LDAP server typically does not require a full DN for an encrypted connection.
Note: For security reasons, do not make the connection user a static account. The LDAP authentication only checks the password when binding to the server. If you use a static account, any user that exists in the LDAP tree is able to log in with any password.
Defines the password for the login server to use to connect to the LDAP server.
Example: If the login server uses a fixed account, enter text like the following example:
SomePassword
Or you can enter the following value because the connection is using an authentication mechanism:
{1}
Identifies the LDAP server and port to which CA Single Sign-On connects. Also identifies the location in the directory tree where the search looks for users when verifying user account credentials. If you do not supply a port number after the server name in the string, port 389 is used.
Use the following format for the search domain:
LDAP://ldap_server:port/path_to_search
Note: The search path is required.
Specifies the criteria that are used to locate the correct user in the directory. Works with the Search Scope parameter. If only a subset of LDAP users is allowed to log in, the search string can be used to search a record for multiple properties. The value for this parameter can include any valid LDAP search criterion.
Example:
(saMAccountName={0})
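The following added example (not CA's code) models how the '{0}' and '{1}' placeholders described above for the connection user, connection password and search string are resolved at login time, and why the Note about a static connection account matters: with fixed bind credentials and no additional bind as the user, the directory never sees the password the user typed. The directory contents, the bind name used as the static account and the `rebind_enabled` flag are constructed assumptions; the tool is also assumed to substitute '{0}' into the search string literally, so the login name is escaped per RFC 4515 before substitution.

```python
# LDAP search-filter escapes from RFC 4515 (constructed helper, not the tool's code).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape a value so it cannot alter the structure of an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def resolve_bind(connection_user, connection_password, login_user, login_password):
    """Credentials actually sent in the bind: '{0}' -> login name, '{1}' -> login password."""
    return (connection_user.replace("{0}", login_user),
            connection_password.replace("{1}", login_password))

def resolve_search_filter(search_string, login_user):
    """Substitute '{0}' in the Search String; the login name is escaped first
    (assumption: the tool substitutes literally, so escaping is the caller's job)."""
    return search_string.replace("{0}", escape_filter_value(login_user))

def audit_connection_account(connection_user, connection_password, rebind_enabled):
    """Report the misconfiguration the Note warns about: a static connection account
    without the additional bind as the user means the password is never verified."""
    findings = []
    if rebind_enabled:
        return findings  # the second bind as the user validates the password
    if "{0}" not in connection_user:
        findings.append("static connection user: bind never identifies the logging-in user")
    if "{1}" not in connection_password:
        findings.append("fixed connection password: the supplied password is never checked")
    return findings

# Constructed stand-in for the directory: bind name -> (password, sAMAccountName).
DIRECTORY = {
    "jdoe@domain.com": ("correct horse", "jdoe"),
    "CN=The User,cn=Users,dc=domain,dc=com": ("SomePassword", "svc-login"),
}

def simulate_login(connection_user, connection_password, login_user, login_password):
    """Constructed model of the login flow: bind, then search for the user. Returns
    True when the directory accepts the bind and the search finds the account."""
    bind_user, bind_password = resolve_bind(connection_user, connection_password,
                                            login_user, login_password)
    entry = DIRECTORY.get(bind_user)
    if entry is None or entry[0] != bind_password:
        return False  # bind rejected
    # With a static account the bind above already succeeded regardless of
    # login_password, so any user present in the tree is accepted.
    return any(sam == login_user for _, sam in DIRECTORY.values())
```

`audit_connection_account` is the check to run against a configuration before enabling LDAP login; `simulate_login` shows the outcome the Note describes when that check is ignored.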
Specifies the criteria that are used to locate the correct record for the user. Used with the Search String parameter. Determines the scope of the search that the LDAP server performs for the user account. Type one of the following values:
Includes the current directory in the search. Matches objects in the current directory and prevents unexpected matches deeper in the directory.
Includes all subdirectories in the search. Recommended for most installations.
Limits the search to the base object.
Specifies whether to do an additional authentication step (bind) using the distinguished name (DN) and password of the user to validate the supplied credentials.
Default: Disabled. This value is acceptable with an encrypted connection.
Specifies the authentication mechanism to use when binding again to the LDAP server.
In this case (that is, when using an authentication mechanism), enter 'GSSAPI' or 'DIGEST-MD5', depending on the mechanisms your LDAP server supports.
Default: Simple.
Accepted Values: Simple, GSSAPI, DIGEST-MD5.
Specifies the CA Performance Center default account to which to map validated LDAP users who lack a group membership. Works with the Account Password parameter. If a valid user does not match any group definitions, the user is logged in with the default user ID specified for this parameter.
To allow all users to log in with their own username, enter:
Note: The Account User parameter corresponds to a field from the directory entry for this user. Typically, the value matches your search filter.
Specifies a user account to clone if validated LDAP users are members of a group that is not specified for the Groups parameter.
Example: Enter 'user' if you want such users to have minimal privileges.
Note: An existing user account is required.
Lets you determine the default account handling for selected user accounts or groups of accounts.
Example: To enable all members of a group to log in using an administrator account, enter:
<LDAPGroups><Group searchTag="memberOf" searchString="CN=SEC_All Employees,CN=Users,DC=company,DC=local" user="{saMAccountName}" passwd="" userClone="admin"/></LDAPGroups>
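As an added example (not CA's code), the following parses a Groups value of the form shown above and applies the account mapping the preceding parameters describe: a validated user who matches a Group gets the account named by its `user` template and is cloned from `userClone`; a user matching no Group falls back to the default Account User and clone account. The second `<Group>` element, the directory entries, first-match ordering and case-insensitive DN comparison are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed Groups value modelled on the documentation's example; the second
# Group element is an added assumption used to show first-match ordering.
GROUPS_XML = (
    '<LDAPGroups>'
    '<Group searchTag="memberOf" searchString="CN=SEC_All Employees,CN=Users,DC=company,DC=local"'
    ' user="{saMAccountName}" passwd="" userClone="admin"/>'
    '<Group searchTag="memberOf" searchString="CN=SEC_Operators,CN=Users,DC=company,DC=local"'
    ' user="{saMAccountName}" passwd="" userClone="user"/>'
    '</LDAPGroups>'
)

def parse_groups(xml_text):
    """Return the Group elements, in document order, as attribute dictionaries."""
    root = ET.fromstring(xml_text)
    if root.tag != "LDAPGroups":
        raise ValueError("expected <LDAPGroups> root, got <%s>" % root.tag)
    return [dict(group.attrib) for group in root.findall("Group")]

def expand_template(template, entry):
    """Replace '{attr}' with the first value of that directory attribute,
    matching the '{saMAccountName}' form used in the user attribute."""
    return re.sub(r"\{(\w+)\}", lambda m: entry.get(m.group(1), [""])[0], template)

def map_user(entry, groups, default_user, default_clone):
    """Decide which Performance Center account a validated LDAP user gets.

    entry maps attribute name -> list of values (memberOf is multi-valued).
    The first Group whose searchString appears among the entry's searchTag
    values wins; DN comparison is case-insensitive (assumption). Users matching
    no Group get the default Account User and the default clone account."""
    for group in groups:
        wanted = group["searchString"].casefold()
        if any(v.casefold() == wanted for v in entry.get(group["searchTag"], [])):
            return expand_template(group["user"], entry), group["userClone"]
    return default_user, default_clone
```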
Specifies the amount of time that CA Performance Center waits while making authorization checks to the LDAP server. When the authorization check times out, users who try to log in are denied access. To view the errors, open the SSOService.log file. The default timeout is 10000.
The Configuration Tool closes.
Example Configuration
Copyright © 2014 CA Technologies. All rights reserved.