Previous Topic: Creating Organizations in RiskMinder RepositoryNext Topic: Searching for Organizations

CA RiskMinder Administration GuideManaging OrganizationsCreating and Activating OrganizationsCreating Organizations in LDAP Repository

Creating Organizations in LDAP Repository

To support LDAP user directories, you must create an organization in the LDAP repository and then map the RiskMinder database attributes with the LDAP attributes. To do so:

  1. Ensure that you are logged in with the required privileges and scope to create the organization.
  2. Activate the Organizations tab.
  3. Under the Manage Organizations section, click the Create Organization link to display the Create Organization page.
  4. Enter the details of the organization, as discussed in the following table.

Field

Description

Organization Information

Organization Name

Enter the unique ID for the organization that you want to create.

Note: You can use Administration Console to log in to this organization, by specifying this value, not the Display Name of the organization.

Display Name

Enter a unique descriptive name for the organization.

Note: This name appears on all other Administration Console pages and reports.

Description

Provide a description for the administrators who will manage this organization.

Note: You can provide additional details for later reference for the organization by using this field.

Administrator Authentication Mechanism

Select the mechanism that will be used to authenticate administrators who belong to this organization.

Administration Console supports the following two types of authentication mechanisms:

  • Basic User Password
    This is the in-built authentication mechanism provided by Administration Console. If you select this option, then administrators can log in to the Console by specifying their ID and plain text password.
  • LDAP User Password
    This mechanism is applicable only for LDAP organizations. The authentication policy is defined in the LDAP directory service. If you select this option, then administrators must use the credentials stored in LDAP to log in to the Console.
  • WebFort User Password
    This is the AuthMinder user name-password authentication method. If you select this option, then the administrator credentials are issued and authenticated by AuthMinder Server.
    To use this mechanism, you must have AuthMinder installed and configured. For information about deploying AuthMinder, see the CA AuthMinder Installation and Deployment Guide.

Key Label Configuration

Use Global Key

This option is selected by default. Deselect this option if you want to override the Global Key Label you specified in the bootstrap process and specify a new key label to encrypt organization-specific data.

Key Label

If you deselected the Use Global Key option, then specify the new key label that you want to use for the organization.

Storage Type

This option indicates whether the encryption key is stored in the database (Software) or the HSM (Hardware).

Localization Configuration

Use Global Configuration

Select this option to use the localization parameters that are configured at the global level.

Date Time Format

If you deselected the Use Global Configuration option, then specify the Date Time format that you want to use for this organization.

Preferred Locale

If you deselected the Use Global Configuration option, then select a preferred locale for this organization.

User Data Location

Repository Type

Select Enterprise LDAP. By specifying this option, the user details for the new organization will be stored in the LDAP repository that you will specify on the next page.

Custom Attributes

Name

Name of the custom attribute.

Value

Value of the custom attribute.
  1. Click Next.

    The Create Organization page to collect the LDAP repository details appears.

  2. Enter the details, described in the following table, to connect to the LDAP repository.

Field

Description

Host Name

Enter the host name of the system where the LDAP repository is available.

Port Number

Enter the port number on which the LDAP repository service is listening.

Schema Name

Specify the LDAP schema used by the LDAP repository. This schema specifies the types of objects that an LDAP repository can contain, and specifies the mandatory and optional attributes of each object type.

Typically, the schema name for Active Directory is user and for SunOne Directory and CA Directory Server, it is inetorgperson.

Base Distinguished Name

Enter the base Distinguished Name of the LDAP repository. This value indicates the starting node in the LDAP hierarchy to search in the LDAP repository.

For example, to search or retrieve a user with a DN of cn=rob laurie, ou=sunnyvale, o=arcot, c=us, you must specify the base DN as the following:

ou=sunnyvale, o=arcot, c=us

Note: Typically, this field is case sensitive and searches all subnodes under the provided base DN.

Redirect Schema Name

Specify the name of the schema that provides the definition of the "member" attribute.
You can search for users in the LDAP repository by using the Base DN defined for an organization. But this search returns only the users who belong to a specific Organization Unit (OU). An LDAP administrator might want to create a group of users who belong to different Organization Units for controlling access to an entire group, and might want to search for users from different groups. When the administrator creates groups, user node DNs are stored in a "member" attribute within the group node. By default, UDS does not allow search and DN resolution based on attribute values. Redirection enables you to search for users who belong to different groups within LDAP, based on specific attribute values for a particular node.

Typically, the redirect schema names are as follows:

  • Active Directory: group
  • SunOne Directory: groupofuniquenames
  • CA Directory Server: groupOfUniqueNames

Connection Type

Select the type of connection that you want to use between Administration Console and the LDAP repository. Supported types are:

  • TCP
  • One-way SSL
  • Two-way SSL

Login Name

Enter the complete distinguished name of the LDAP repository user who has the privilege to log in to repository sever and manage the Base Distinguished Name.

For example,

uid=gt,dc=arcot,dc=com

Login Password

Enter the password of the user provided in the Login Name.

Server Trusted Root Certificate

Enter the path for the trusted root certificate who issued the SSL certificate to the LDAP server by using the Browse button, if One-way SSL or Two-way SSL: option is selected.

Client Key Store Path

Enter the path for the key store that contains the client certificate and the corresponding key by using the Browse button, if the Two-way SSL option is selected.

Note: You must upload either PKCS#12 or JKS key store type.

Client Key Store Password

Enter the password for the client key store, if the Two-way SSL option is selected.
  1. Click Next to proceed.

    The page to map the repository attributes appears.

  2. On this page:
    1. Select an attribute from the Arcot Database Attributes list, then select the appropriate attribute from the Enterprise LDAP Attributes list that needs to be mapped with the RiskMinder database attribute, and click Map.

      Important! Mapping of the UserName attribute is compulsory. Ensure that you map the UserName attribute to an LDAP attribute that uniquely identifies the user. If you are using Active Directory, then map UserName to sAMAccountName. If you are using SunOne Directory Server, then map UserName to uid. If you are using CA Directory Server, then map UserName to cn.

      For Active Directory, you must map STATUS to userAccountControl.

    2. Repeat the process to map multiple attributes, until you finish mapping all the required attributes.

      Note: You do not need to map all the attributes in the Arcot Database Attributes list. You only need to map the attributes that you will use.

      The attributes that you have mapped will be moved to the Mapped Attributes list.

      If required, you can unmap the attributes. If you want to unmap a single attribute at a time, then select the attribute and click Unmap. However, if you want to clear the Mapped Attribute list, then click Reset to unmap all the mapped attributes. You cannot unmap the UserName attribute after you have activated the organization.

    3. If you specified the Redirect Schema Name in the previous page, you must select the search attribute from the Redirect Search Attribute list.

      Typically, the attributes are as follows:

      • Active Directory: member
      • SunOne Directory: uniquemember
      • CA Directory Server: uniqueMember
  3. Click Next to proceed.

    The Select Attribute(s) for Encryption page appears.

  4. In the Attribute(s) for Encryption section, do one of the following:
    1. Select Use Global Configuration if you want to use the global settings for your attribute encryption set configuration.

      or

    2. Select the attributes that you want to encrypt from the Attributes Available for encryption list and move them to the Attributes Selected for encryption list.

      Click the > or < buttons to move selected attributes to the desired list. You can also click the >> or << buttons to move all attributes to the desired lists.

  5. Click Next.

    The Add Administrators page appears.

    Note: This page is not displayed, if all the administrators currently present in the system have the scope to manage all organizations.

  6. From the Available Administrators list, select the administrators who will manage the organization and click the > button to add the administrator to the Managing Administrators list.

    Note: Assigning organization to administrators can be done at any time by updating the scope of existing administrators or by creating new administrators to manage the organization.

    The Available Administrators list displays all the administrators who can manage the new organization.

    Note: If some administrators have the scope to manage all organizations in the system, then you will not see the corresponding entries for those administrators in this list.

    The Managing Administrators list displays the administrators that you have selected to manage this organization.

  7. Click Next to proceed.

    The Configure Account Type page appears.

    Note: This page is not displayed if you have not created any account types.

  8. In the Assign Account Types section, select account types from the Available list and click the > button to move them to the Selected list.
  9. Click Next to proceed.

    The Configure Account Custom Attributes page appears.

    Note: This page is not displayed if you did not select any account types on the previous page.

  10. Provide Custom Attributes for your Account Type, and click Next.

    The Activate Organization page appears.

    Note: The UserName mapping cannot be changed or updated after the organization is activated.

  11. Click Enable to activate the new organization.

    A warning message appears.

  12. Click OK to complete the process.
  13. Refresh all deployed RiskMinder Server instances.

    See "Refreshing the Cache" for instructions on how to do this.

    Caution: If you have configured the attribute encryption set, account types, and email and telephone types while creating the organization, ensure that you refresh both the system configuration and the organization cache. If you do not refresh the organization-level cache, the system gets into an unrecoverable state.