

Working with Multiple LDAP Servers

This chapter describes how a system or database administrator configures CA ControlMinder Enterprise Management with multiple LDAP servers using CA Directory. Working with multiple LDAP servers enables the administrator to integrate multiple LDAP user stores into a single enterprise-wide user store.

How to Configure Multiple LDAP Servers

CA Directory supports the integration of LDAP servers into a distributed directory backbone.

CA Directory provides a utility called DXlink that enables searches across a number of LDAP directory servers.

The following diagram illustrates how to configure CA ControlMinder Enterprise Management for multiple LDAP servers using CA Directory:

The following diagram illustrates how to configure CA Directory for multiple servers:

You perform the following steps to configure the Enterprise Management Server for multiple LDAP servers using CA Directory:

  1. Install CA Directory
  2. Configure the CA Directory router
  3. Customize the CA Directory router definitions
  4. Populate the database with entities to create a DIT
  5. Start CA Directory
  6. Install the Enterprise Management Server with Active Directory as the user store

    Important! When you install the Enterprise Management Server, specify the following:

Note: When you log in to CA ControlMinder Enterprise Management, verify that you specify the domain name of which the administrative account you are using is a member.

Configure the CA Directory Router

CA Directory routes each client request to the Active Directory whose suffix corresponds to the suffix defined in the request, including the Active Directory that CA ControlMinder uses. CA Directory uses the DXlink utility to route the request.

Before you start this procedure, install two Active Directory user stores (for example, acdir1 and acdir2) and CA Directory (named dsarouter in this example).

Follow these steps:

  1. From the CA Directory server, open a Command Prompt window
  2. Run the following command:
    dxnewdsa -s 1 cadirhost-adrouter 25389
    
    -s 1

    Specify the database size of 1 MB

    cadirhost-adrouter

    Defines the name of the router

    25389

    Specifies the router port

  3. Stop the router using the following command:
    dxserver stop cadirhost-adrouter
    
  4. Install the router using the following command:
    dxserver install cadirhost-adrouter
    
  5. Navigate to the following directory, where DXHOME is the name of the directory where you installed the router:
    DXHOME/config/knowledge
    
  6. Duplicate the cadirhost-router.dxc file, as follows:
    1. Rename one file to acdir1-dxlink.dxc
    2. Rename the second file to acdir2-dxlink.dxc
    3. Edit the acdir1-dxlink.dxc file to appear as follows:
      set dsa "acdir1-dxlink" =
      {
          prefix            = <dc "acdir1"><dc "com">
          dsa-name          = <cn "acdir1-dxlink">
          dsa-password      = "secret"
          ldap-dsa-name     = <dc "acdir1"><dc "com"><cn "users"><cn "Administrator">
          ldap-dsa-password = "{CADIR}yKW2cVbG"
          address           = tcp "acdir1" port 389
          auth-levels       = clear-password
          trust-flags       = allow-check-password, no-server-credentials
          link-flags        = dsp-ldap, ms-ad
      };
      
      ldap-dsa-name

      Specifies the Distinguished Name (DN) used to bind to Active Directory

      ldap-dsa-password

      Defines the encrypted password for the DN

      Note: Use the dxpassword utility to encrypt the password. For example: dxpassword -P CADIR <password>.

      address

      Specifies the Active Directory domain controller address

    4. Edit the acdir2-dxlink.dxc to appear as follows:
      # DXlink definition for the second Active Directory user store (acdir2);
      # the bind DN must be an account in the domain this link serves
      set dsa "acdir2-dxlink" =
      {
          prefix            = <dc "acdir2"><dc "com">
          dsa-name          = <cn "acdir2-dxlink">
          dsa-password      = "secret"
          ldap-dsa-name     = <dc "acdir2"><dc "com"><cn "users"><cn "Administrator">
          ldap-dsa-password = "{CADIR}yKW2cVbG"
          address           = tcp "acdir2" port 389
          auth-levels       = clear-password
          trust-flags       = allow-check-password, no-server-credentials
          link-flags        = dsp-ldap, ms-ad
      };
      

You have configured the CA Directory router.

Customize the CA Directory Router Definitions

After configuring the CA Directory router, you need to customize the CA Directory router definitions.

Follow these steps:

  1. Navigate to the following directory, where DXHOME is the directory where CA Directory is installed:
    DXHOME/config/limits
    
  2. Do the following:
    1. Create a copy of the default.dxc file and rename the original file to dsarouter-adrouter.dxc
    2. Remove the ReadOnly flag from the file
    3. Open the dsarouter-adrouter.dxc file and modify the following fields as follows:
      # size limits
      set max-users = 255;
      set max-local-ops = 100;
      set max-op-size = 0;
      
      # time limits
      set max-bind-time = none;
      set bind-idle-time = 3600;
      set max-op-time = 600;
      

      Save and close the file.

  3. Navigate to the following directory:
    DXHOME/config/settings
    
  4. Do the following:
    1. Create a copy of the default.dxc file and rename the original file to dsarouter-adrouter.dxc
    2. Remove the ReadOnly flag from the file
    3. Open the dsarouter-adrouter.dxc file and modify the following fields as follows:
      # directory information base
      set alias-integrity = true;
      # distribution controls
      set multi-casting = true;
      set always-chain-down = false;
      # security controls
      set min-auth = clear-password;
      set allow-binds = true;
      set ssl-auth-bypass-entry-check = false;
      # general controls
      set op-attrs = true;
      set transparent-routing = true;
      

      Save and close the file

  5. Navigate to the following directory:
    DXHOME/config/knowledge
    
  6. Open (or create) the dsarouter-adrouter.dxc file and remove the value "anonymous" from the auth-levels setting so that only clear-password login is permitted. For example:
    set dsa "cadirhost-adrouter" =
    {
        prefix        = <>
        dsa-name      = <cn "cadirhost-adrouter">
        dsa-password  = "secret"
        address       = tcp "cadirhost" port 25389
        disp-psap     = DISP
        snmp-port     = 25389
        console-port  = 25390
        auth-levels   = clear-password
    };
    

    Save and close the file.

    Important! If you installed CA Directory on a server where both IPv4 and IPv6 addresses are defined, specify IPv6 and IPv4 address types in the tcp value. For example: address = tcp "fe80::20d:56ff:fed4:8300%5" port 19389, tcp "192.168.1.1" port 19389

  7. Create a file named adrouter.dxg (the knowledge group file that the .dxi initialization file sources) and add the following lines, then save and close the file:
    source "dsarouter-adrouter.dxc";
    source "acdir1-dxlink.dxc";
    source "acdir2-dxlink.dxc";
    
  8. Navigate to the following directory:
    DXHOME/config/logging
    
  9. Do the following:
    1. Create a copy of the default.dxc file
    2. Rename the original file to dsarouter-adrouter.dxc
    3. Remove the ReadOnly flag from the file.
  10. Navigate to the following directory:
    DXHOME/config/servers
    
  11. Do the following:
    1. Edit the cadirhost-adrouter.dxi file so that the following lines read as shown, then save and close the file:
      #
      # Initialization file written by DXnewdsa
      #
      # logging and tracing
      source "../logging/cadirhost-adrouter.dxc";
      # schema
      clear schema;
      source "../schema/default.dxg";
      # knowledge
      clear dsas;
      source "../knowledge/adrouter.dxg";
      # operational settings
      source "../settings/cadirhost-adrouter.dxc";
      # service limits
      source "../limits/cadirhost-adrouter.dxc";
      # access controls
      clear access;
      source "../access/default.dxc";
      # ssl
      source "../ssld/default.dxc";
      # replication agreements (rarely used)
      # source "../replication/";
      # multiwrite DISP recovery
      set multi-write-disp-recovery = false;
      # grid configuration
      set dxgrid-db-location = "data";
      set dxgrid-db-size = 1;
      set cache-index = all-attributes;
      set lookup-cache = true;
      

Note: Replace cadirhost with the CA Directory host name.

You have customized the CA Directory router definitions.
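The DXlink definitions in the previous procedure and the router knowledge and settings files above carry the options that decide how the router authenticates: the encrypted ldap-dsa-password, the auth-levels list with "anonymous" removed, and the min-auth setting. The following Python script is an added example (it is not CA's code and not part of this documentation) that parses the two DXC statement shapes used in this chapter and reports a cleartext DXlink bind password, an auth-levels value that still lists anonymous, a bind DN whose domain components do not match the link's prefix, and a min-auth of anonymous. SAMPLE_DXC is constructed for the example; the finding strings and function names are the script's own assumptions, not CA Directory options.

```python
"""Audit CA Directory DXC fragments for weak router and DXlink options.

Added example; not part of the CA ControlMinder documentation or of CA
Directory. It handles the two statement shapes used in this chapter:

    set <name> = <value>;
    set dsa "<name>" = { key = value ... };
"""
import re

# Constructed sample: one DXlink entry with a cleartext bind password and
# anonymous binds enabled, followed by a settings fragment. Illustrative only.
SAMPLE_DXC = '''
set dsa "acdir1-dxlink" =
{
    prefix            = <dc "acdir1"><dc "com">
    dsa-name          = <cn "acdir1-dxlink">
    dsa-password      = "secret"
    ldap-dsa-name     = <dc "acdir1"><dc "com"><cn "users"><cn "Administrator">
    ldap-dsa-password = "Passw0rd"
    address           = tcp "acdir1" port 389
    auth-levels       = anonymous, clear-password
    trust-flags       = allow-check-password, no-server-credentials
    link-flags        = dsp-ldap, ms-ad
};
# security controls
set min-auth = anonymous;
set allow-binds = true;
'''

DSA_BLOCK = re.compile(r'set\s+dsa\s+"([^"]+)"\s*=\s*\{(.*?)\};', re.S)
SIMPLE_SET = re.compile(r'^\s*set\s+([\w-]+)\s*=\s*([^;]+);', re.M)
DC_PART = re.compile(r'<dc\s+"([^"]+)">')


def parse_dxc(text):
    """Return ({dsa_name: {key: value}}, {setting: value}).

    Comment lines (# ...) are dropped. DSA blocks are removed before the
    simple 'set' scan so their inner lines are not read as top-level settings.
    """
    text = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    dsas = {}
    for name, body in DSA_BLOCK.findall(text):
        entry = {}
        for line in body.splitlines():
            if "=" in line:
                key, _, value = line.partition("=")
                entry[key.strip()] = value.strip()
        dsas[name] = entry
    remainder = DSA_BLOCK.sub("", text)
    settings = {k: v.strip() for k, v in SIMPLE_SET.findall(remainder)}
    return dsas, settings


def audit(text):
    """Return a list of (name, finding) tuples; an empty list means nothing weak was found."""
    dsas, settings = parse_dxc(text)
    findings = []
    for name, entry in dsas.items():
        pw = entry.get("ldap-dsa-password")
        # The bind password should be the dxpassword -P CADIR output, not cleartext.
        if pw is not None and not pw.startswith('"{CADIR}'):
            findings.append((name, "ldap-dsa-password is not {CADIR}-encrypted"))
        levels = [l.strip() for l in entry.get("auth-levels", "").split(",")]
        if "anonymous" in levels:
            findings.append((name, "auth-levels still permits anonymous binds"))
        # The bind DN must belong to the domain the link serves: its dc
        # components must equal the prefix's dc components.
        prefix_dcs = DC_PART.findall(entry.get("prefix", ""))
        bind_dcs = DC_PART.findall(entry.get("ldap-dsa-name", ""))
        if prefix_dcs and bind_dcs and bind_dcs != prefix_dcs:
            findings.append((name, "ldap-dsa-name domain components do not match prefix"))
    if settings.get("min-auth") == "anonymous":
        findings.append(("min-auth", "router accepts anonymous operations"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_DXC):
        print(f"{name}: {finding}")
```

Run it against the concatenated contents of the knowledge and settings files; an empty result for the files edited in this chapter (encrypted password, auth-levels = clear-password, min-auth = clear-password) confirms the router definitions match the procedure.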

Populate the CA Directory Database to Create a DIT

You can choose to populate the CA Directory database with entities to create a Directory Information Tree (DIT). A DIT enables you to browse the organizational hierarchy from the top down.

Follow these steps:

  1. On the server hosting the CA Directory router, create a file named input.ldif and enter the following entities, for example:
    dn: dc=com
    objectClass: domain
    objectClass: top
    dc: com
    
    dn: dc=company,dc=com
    objectClass: domain
    objectClass: top
    dc: company
    
    dn: dc=demo
    objectClass: domain
    objectClass: top
    dc: demo
    
  2. Save and close the file.
  3. Open a Command Prompt window and run the following command:
    dxloaddb cadirhost-adrouter input.ldif
    
  4. Run the following command to start up the CA Directory router:
    dxserver start cadirhost-adrouter
    

    Note: Replace cadirhost with the CA Directory host name.

You have populated the CA Directory database with entities to create a DIT.
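Top-down browsing only works when every entry in the LDIF has its superior entry present (dc=company,dc=com needs dc=com). The following Python script is an added example, not part of this documentation or of CA Directory, that parses the minimal LDIF shape used above, reports entries whose parent is missing, and checks which DXlink naming contexts have their parent entry in the DIT so that a browse from the root can reach them. SAMPLE_LDIF is constructed (it adds a deliberately orphaned entry), the LDAP-style prefixes dc=acdir1,dc=com and dc=acdir2,dc=com are assumed to correspond to the two DXlink prefixes, and DN splitting on commas assumes no escaped commas in the values.

```python
"""Check that an LDIF file for the CA Directory router forms a browsable DIT.

Added example; not part of the CA ControlMinder documentation or CA Directory.
"""

# Constructed sample: the three entries from the chapter plus one entry whose
# parent (dc=orphan,dc=com) is never defined.
SAMPLE_LDIF = """\
dn: dc=com
objectClass: domain
objectClass: top
dc: com

dn: dc=company,dc=com
objectClass: domain
objectClass: top
dc: company

dn: dc=demo
objectClass: domain
objectClass: top
dc: demo

dn: ou=people,dc=orphan,dc=com
objectClass: organizationalUnit
ou: people
"""


def normalize_dn(dn):
    """Lower-case and trim each RDN so DN comparisons are exact (no escaped commas assumed)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ldif(text):
    """Return a list of entries; each is a dict {attr: [values]} with 'dn' as a string."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:                      # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):          # LDIF comment
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if attr == "dn":
            current["dn"] = normalize_dn(value)
        else:
            current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def parent_dn(dn):
    """dc=company,dc=com -> dc=com; a single-RDN DN (a root) has no parent ('')."""
    parts = dn.split(",", 1)
    return parts[1] if len(parts) == 2 else ""


def missing_parents(entries):
    """Return sorted parent DNs that entries reference but the LDIF never defines."""
    present = {e["dn"] for e in entries}
    missing = set()
    for e in entries:
        p = parent_dn(e["dn"])
        if p and p not in present:
            missing.add(p)
    return sorted(missing)


def browsable_prefixes(entries, prefixes):
    """Split DXlink prefixes into those whose parent entry is in the DIT and those whose is not."""
    present = {e["dn"] for e in entries}
    reachable, unreachable = [], []
    for prefix in prefixes:
        p = parent_dn(normalize_dn(prefix))
        (reachable if p in present else unreachable).append(normalize_dn(prefix))
    return reachable, unreachable


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print("missing parents:", missing_parents(entries))
    print("prefix reachability:", browsable_prefixes(entries, ["dc=acdir1,dc=com", "dc=acdir2,dc=com"]))
```

Run it on input.ldif before dxloaddb: any DN in the missing-parents list will not be reachable by browsing from the top, and a DXlink prefix in the unreachable list needs its parent domain entry added to the LDIF.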