Integration Guide › Working with Multiple LDAP Server

Working with Multiple LDAP Server

This information in this chapter describes how a system or a database administrator configures CA ControlMinder Enterprise Management with multiple LDAP servers using CA Directory. Working with multiple LDAP servers, enables the administrator to integrate multiple LDAP user stores into a single enterprise-wide user store.

How to Configure Multiple LDAP Servers

CA Directory supports the integration of LDAP servers into a distributed directory backbone.

CA Directory provides a utility called DXlink,that enables searches over a number of LDAP directory servers.

The following diagram illustrates how to configure CA ControlMinder Enterprise Management for multiple LDAP servers using CA Directory:

You perform the following steps to configure the Enterprise Management Server for multiple LDAP servers using CA Directory:

1. Install CA Directory
2. Configure the CA Directory router
3. Customize the CA Directory router definitions
4. Populate the database with entities to create a DIT
5. Start CA Directory
6. Install the Enterprise Management Server with Active Directory as the user store

   Important! When you install the Enterprise Management Server, specify the following:

   • Host name—Specify CA Directory host name
   • Port number—Specify 25389
   • Base DN—Specify a DN that is common to all Active Directory servers in the environment. Leave this field blank if not applicable.
   • (Linux) Search Root—Specify a DN that is common to all Active Directory servers in the environment. Leave this field blank if not applicable.
   • Administrative account—Specify an administrative account from one of the Active Directory domains.

Note: When you log in to CA ControlMinder Enterprise Management, verify that you specify the domain name that the administrative account you are using is a member.

Configure the CA Directory Router

CA Directory routes requests to the Active Directory that correspond to the suffix defined in the client request to the Active Directory used by CA ControlMinder. CA Directory uses the DXlink utility to route the request.

Before you completed this procedure, you installed two Active Directory user stores, for example: acdir1 and acdir2 and CA Directory, named dsarouter.

Follow these steps:

1. From the CA Directory server, open a Command Prompt window
2. Run the following command:

   dxnewdsa -s 1 cadirhost-adrouter 25389
   

   -s 1

   Specify the database size of 1 MB

   cadirhost -adrouter

   Defines the name of the router

   25389

   Specifies the router port

3. Stop the router using the following command:

   dxserver stop cadirhost-adrouter
   

4. Install the router using the following command:

   dxserver install cadirhost-adrouter
   

5. Navigate to the following directory, where DXHOME is the name of the directory where you installed the router:

   DXHOME/config/knowledge
   

6. Duplicate the cadirhost-router.dxc file, as follows:
   1. Rename one file to acdir1-dxlink.dxc
   2. Rename the second file to acdir2-dxlink.dxc
   3. Edit the acdir1-dxlink.dxc file to appear as follows:

      set dsa "acdir1-dxlink" =
      {
          prefix            = <dc "acdir1"><dc "com">
          dsa-name          = <cn "acdir1-dxlink">
          dsa-password      = "secret"
          ldap-dsa-name     = <dc "acdir1"><dc "com"><cn "users"><cn "Administrator">
          ldap-dsa-password = "{CADIR}yKW2cVbG"
          address           = tcp "acdir1" port 389
          auth-levels       = clear-password
          trust-flags       = allow-check-password, no-server-credentials
          link-flags        = dsp-ldap, ms-ad
      };
      

      ldap-dsa-name

      Specifies the Distinguished Named (DN) used to bind to Active Directory

      ldap-dsa-password

      Defines the encrypted password for the DN

      Note: Use the dxpassword utility to encrypt the password. For example: dxpassword -P CADIR <password>.

      address

      Specifies the Active Directory domain controller address

   4. Edit the acdir2-dxlink.dxc to appear as follows:

      set dsa "aclabcail-dxlink" =
      {
          prefix            = <dc "acdir2"><dc "com">
          dsa-name          = <cn "acdir2-dxlink">
          dsa-password      = "secret"
          ldap-dsa-name     = <dc "acl"><dc "aclab"><cn "users"><cn "Administrator">
          ldap-dsa-password = "{CADIR}yKW2cVbG"
          address           = tcp "acdir2" port 389
          auth-levels       = clear-password
          trust-flags       = allow-check-password, no-server-credentials
          link-flags        = dsp-ldap, ms-ad
      };
      

You have configured the CA Directory router.

Customize the CA Directory Router Definitions

After configuring the CA Directory router, you need to customize the CA Directory router definitions.

Follow these steps:

1. Navigate to the following directory, where DXHOME is the directory where CA Directory is installed:

   DXHOME/config/limits
   

2. Do the following:
   1. Create a copy of the default.dxc file and renames the original file to dsarouter-adrouter.dxc
   2. Remove the ReadOnly flag from the file
   3. Open the dsarouter-adrouter.dxc file and modify the following fields as follows:

      # size limits
      set max-users = 255;
      set max-local-ops = 100;
      set max-op-size = 0;
      
      # time limits
      set max-bind-time = none;
      set bind-idle-time = 3600;
      set max-op-time = 600;
      

      Save and close the file.

3. Navigate to the following directory:

   DXHOME/config/settings
   

4. Do the following:
   1. Create a copy of the default.dxc file and rename the original file to dsarouter-adrouter.dxc
   2. Remove the ReadOnly flag from the file
   3. Open the dsarouter-adrouter.dxc file and modify the following fields as follows:

      # directory information base
      set alias-integrity = true;
      # distribution controls
      set multi-casting = true;
      set always-chain-down = false;
      # security controls
      set min-auth = clear-password;
      set allow-binds = true;
      set ssl-auth-bypass-entry-check = false;
      # general controls
      set op-attrs = true;
      set transparent-routing = true;
      

      Save and close the file

5. Navigate to the following directory:

   DXHOME/config/knowledge
   

6. Open, or create, the dsarouter-adrouter.dxc file and remove the auth-levels string value "anonymous" to enable clear password login only. For example:

   set dsa "cadirhost-adrouter" =
   {
   

       prefix        = <>
       dsa-name      = <cn "cadirhost-adrouter">
       dsa-password  = "secret"
       address       = tcp "cadirhost" port 25389
       disp-psap     = DISP
       snmp-port     = 25389
       console-port  = 25390
   

    auth-levels   = clear-password
   

   Save and close the file.

   Important! If you installed CA Directory on a server where both IPv4 and IPv6 addresses are defined, specify IPv6 and IPv4 address types in the tcp value. For example: address = tcp "fe80::20d:56ff:fed4:8300%5" port 19389, tcp "192.168.1.1" port 19389

7. Create a file named adrouter.dxa and add the following lines, then save and close the file:

   source "dsarouter-adrouter.dxc";
   source "acdir1-dxlink.dxc";
   source "acdir2-dxlink.dxc";
   

8. Navigate to the following directory:

   DXHOME/config/logging
   

9. Do the following:
   1. Create a copy of the default.dxc file
   2. Rename the original file to dsarouter-adrouter.dxc
   3. Remove the ReadOnly tag.
10. Navigate to the following directory:

    DXHOME/config/servers
    

11. Do the following:
    1. Edit the cadirhost-adrouter.dxi, modify the following lines as follows then save and close the file:

       #
       # Initialization file written by DXnewdsa
       #
       # logging and tracing
       source "../logging/cadirhost-adrouter.dxc";
       # schema
       clear schema;
       source "../schema/default.dxg";
       # knowledge
       clear dsas;
       source "../knowledge/adrouter.dxg";
       # operational settings
       source "../settings/cadirhost-adrouter.dxc";
       # service limits
       source "../limits/cadirhost-adrouter.dxc";
       # access controls
       clear access;
       source "../access/default.dxc";
       # ssl
       source "../ssld/default.dxc";
       # replication agreements (rarely used)
       # source "../replication/";
       # multiwrite DISP recovery
       set multi-write-disp-recovery = false;
       # grid configuration
       set dxgrid-db-location = "data";
       set dxgrid-db-size = 1;
       set cache-index = all-attributes;
       set lookup-cache = true;
       

Note: Replace cadirhost with the CA Directory host name.

You have customized the CA Directory router definitions.

Populate the CA Directory Database to Create a DIT

You can choose to populate the CA Directory database with entities to create a Directory Informational Tree (DIT). A DIT enables you to browse the organizational hierarchy from the top down.

Follow these steps:

1. On the server hosting the CA Directory router, create a file named input.ldif and enter the following entities, for example:

   dn: dc=com
   objectClass: domain
   objectClass: top
   dc: com
   
   dn: dc=company,dc=com
   objectClass: domain
   objectClass: top
   dc: company
   
   dn: dc=demo
   objectClass: domain
   objectClass: top
   dc: demo
   

2. Save and close the file.
3. Open a Command Prompt window and run the following command:

   dxloaddb cadirhost-adrouter input.ldif
   

4. Run the following command to start up the CA Directory router:

   dxserver start cadirhost-adrouter
   

   Note: Replace cadirhost with the CA Directory host name.

You have populated the CA Directory database with entities to create a DIT.