Use LDAP Authentication to Validate CA Data Protection Reviewers

You can use LDAP authentication to validate your CA Data Protection reviewers to BusinessObjects Enterprise. This approach is appropriate if you have many reviewers or a constantly changing pool of reviewers.

After you set up LDAP authentication, the iConsole permits reviewers to run BusinessObjects reports or launch InfoView seamlessly. That is, the iConsole does not prompt the reviewers for their BusinessObjects account details.

Full details about setting up LDAP authentication are in the BusinessObjects Enterprise Administrator's Guide. See the 'Using LDAP Authentication' section in the Configuring Third-Party Authentication chapter. An augmented version of the LDAP Host Configuration instructions is included below.

Your LDAP directory must use static group membership

Before you configure the LDAP host for BusinessObjects Enterprise, verify that your LDAP directory uses static group membership. When static group membership is used, a 'memberOf' attribute records which groups each member belongs to.
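The following script is an added example and is not part of the CA Data Protection or BusinessObjects Enterprise documentation. It is one way to perform the check above offline: it parses an LDIF export of the groups and users you intend to map (the sample export, directory names and DNs below are constructed) and reports which groups use static membership ('member' or 'uniqueMember' attributes), which are dynamic ('memberURL', which cannot be mapped as static groups), and whether each user entry carries the 'memberOf' attribute that the mapping relies on. It also cross-checks that every DN listed in a group's 'member' attribute has a matching 'memberOf'.

```python
"""Offline check that an LDAP export uses static group membership.

Added example; not part of the CA Data Protection or BusinessObjects Enterprise
documentation. Parses an LDIF export (the sample below is constructed) and reports
static groups, dynamic groups and which user entries carry 'memberOf'.
"""
import base64

STATIC_MEMBER_ATTRS = {"member", "uniquemember"}
DYNAMIC_MEMBER_ATTRS = {"memberurl"}

# Constructed LDIF sample: one static group, one dynamic group, two users.
SAMPLE_LDIF = """\
dn: cn=dlp-reviewers,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: dlp-reviewers
member: uid=alice,ou=people,dc=example,dc=com
member: uid=bob,ou=people,dc=example,dc=com

dn: cn=all-staff,ou=groups,dc=example,dc=com
objectClass: groupOfURLs
cn: all-staff
memberURL: ldap:///ou=people,dc=example,dc=com??sub?(objectClass=person)

dn: uid=alice,ou=people,dc=example,dc=com
objectClass: person
uid: alice
memberOf: cn=dlp-reviewers,ou=groups,dc=example,dc=com

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: person
uid: bob
"""


def parse_ldif(text):
    """Parse minimal LDIF into a list of (dn, {attr: [values]}).

    Handles folded lines (leading space), '#' comments and base64 values ('attr:: ...').
    Attribute names are lower-cased so callers can compare them case-insensitively.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # continuation of the previous line
        else:
            logical.append(raw)
    entries, current = [], None
    for line in logical + [""]:             # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):           # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        if name.strip().lower() == "dn":
            current = (value, {})
        elif current is not None:
            current[1].setdefault(name.strip().lower(), []).append(value)
    return entries


def check_static_membership(text):
    """Classify groups and users in an LDIF export and cross-check 'memberOf'."""
    report = {"static_groups": [], "dynamic_groups": [],
              "users_with_memberof": [], "users_without_memberof": [],
              "members_missing_memberof": []}
    memberof_by_user = {}   # lower-cased user DN -> set of lower-cased group DNs
    members_by_group = {}   # group DN -> list of member DNs
    for dn, attrs in parse_ldif(text):
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        keys = set(attrs)
        if keys & DYNAMIC_MEMBER_ATTRS or "groupofurls" in classes:
            report["dynamic_groups"].append(dn)
        elif keys & STATIC_MEMBER_ATTRS:
            report["static_groups"].append(dn)
            members_by_group[dn] = [v for a in STATIC_MEMBER_ATTRS for v in attrs.get(a, [])]
        elif "person" in classes:
            groups = {g.lower() for g in attrs.get("memberof", [])}
            memberof_by_user[dn.lower()] = groups
            key = "users_with_memberof" if groups else "users_without_memberof"
            report[key].append(dn)
    # Every DN in a group's 'member' list should carry the matching 'memberOf';
    # a member that is not a user entry in the export is flagged as well.
    for group, members in members_by_group.items():
        for member in members:
            if group.lower() not in memberof_by_user.get(member.lower(), set()):
                report["members_missing_memberof"].append((group, member))
    report["ok"] = (bool(report["static_groups"]) and not report["dynamic_groups"]
                    and not report["members_missing_memberof"])
    return report


if __name__ == "__main__":
    for key, value in check_static_membership(SAMPLE_LDIF).items():
        print(f"{key}: {value}")
```

In the constructed sample the dynamic 'all-staff' group and the missing 'memberOf' on 'bob' both make the check fail. When you build the real export, request the 'memberOf' attribute explicitly in your directory search, since some directories treat it as an operational attribute and do not return it by default; an export that omits it will show every user as lacking 'memberOf' even when membership is static.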

To configure the LDAP host

(Amended from the Authentication chapter of the BusinessObjects Enterprise Administrator's Guide.)

Note: We recommend that your LDAP server is already installed and running before you configure the LDAP host for BusinessObjects Enterprise.

  1. Log on to the Central Management Console (CMC) with administrative rights.
  2. Go to the Management, Authentication area of the CMC.
  3. Specify your LDAP host(s).
    1. Enter the hostname and port number of your LDAP host in the 'Add LDAP host (hostname:port)' field, and then click Add. For example, enter uxtadc04:3268.
    2. If you want to add LDAP hosts that can act as failover servers, repeat this step to add more than one LDAP host of the same server type.
    3. If you want to remove an LDAP host, highlight the host name and click Delete.
    4. Click Next.
  4. Choose the type of LDAP directory that you are using from the LDAP Server Type list.

    If you want to view or change any of the LDAP server attribute mappings or LDAP default search attributes, click Show Attribute Mappings. (By default, these server attribute mappings and search attributes are already set for each LDAP server type.)

    Click Next.

  5. Enter the distinguished name that you want to use in the Base LDAP Distinguished Name field (for example, o=SomeBase).

    Click Next.

  6. Enter the LDAP Server Administration Credentials and Referral Credentials required by the LDAP host(s).
    1. In the LDAP Server Administration Credentials area, specify the distinguished name and password for a user account that has read access to the directory.

      Note: Administrator credentials are not required.

      Note: If your LDAP Server allows anonymous binding, skip this step. These user credentials are not needed. BusinessObjects Enterprise binds to the LDAP host via anonymous logon.

    2. If you have configured referrals on your LDAP host, specify a distinguished name and password in the LDAP Referrals Credentials area.

      Then enter the number of referral hops in the Maximum Referral Hops field. If you specify zero hops, no referrals are followed.

      Note: You must enter the LDAP Referral Credentials details if all of the following items apply:

      • The primary host has been configured to refer to another directory server that handles queries for entries under a specified base.
      • The host being referred to has been configured to not allow anonymous binding.
      • A group from the host being referred to will be mapped to BI platform.

      Note: Groups can be mapped from multiple hosts, but you can specify only one set of referral credentials. Therefore, if you have multiple referral hosts, you must create a user account on each host that uses the same distinguished name and password.

    3. Click Next.
  7. Choose the type of Secure Sockets Layer (SSL) authentication that you want to use. Then click Next.

    The options are: Basic (no SSL); Server Authentication; or Mutual Authentication.

  8. Choose a method of LDAP single sign-on authentication. Then click Next.

    The options are Basic (No SSO) or SiteMinder.

  9. Select how aliases and users are mapped to BusinessObjects Enterprise accounts.
    1. In New Alias Options, select how new aliases are mapped. You must choose this option:

      'Assign each added LDAP alias to an account with the same name'

      Choose this option because CA Data Protection needs unique BusinessObjects user accounts in order to apply row-level security when mapping individual BusinessObjects users to individual CA Data Protection users.

    2. In 'Alias Update Options', select how to manage alias updates for BusinessObjects users. The options are:
      • 'New aliases will be added and new users will be created'
      • 'No new aliases will be added and new users will not be created'

      We recommend that you choose the first option. Users and aliases are created when you click Finish.

      Choose the second option if your LDAP directory contains many users but only a few are likely to use BusinessObjects Enterprise. The system only creates aliases (and accounts, if required) for users who log on to BusinessObjects Enterprise.

    3. Specify the type of new user accounts that get created. The options are:
      • 'New users are created as named users'
      • 'New users are created as concurrent users'

      Named user licenses are associated with specific users. These licenses allow users to access BusinessObjects Enterprise based on their user name and password, regardless of how many other users are connected to BusinessObjects Enterprise. If you choose this option, each user account that gets created must have a named user license.

      Concurrent user licenses specify the number of users that can connect to BusinessObjects Enterprise at the same time. This type of licensing is very flexible because a small concurrent license can support many users. For example, a 100-user concurrent license could potentially support between 250 and 700 users, depending on how heavily your users use BusinessObjects Enterprise.

  10. Click Finish.
  11. You now need to do what? tbd
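The script below is an added example and is not part of the CA Data Protection or BusinessObjects Enterprise documentation. It is a pre-flight check of the values you are about to type into the wizard in steps 3 to 9: the host list (step 3), base DN (step 5), bind and referral credentials (step 6), SSL mode (step 7) and the new-alias option (step 9). The dictionary keys, the check function and the two sample configurations (one weak, one corrected) are all constructed for this example; the option strings it compares against are the ones quoted in the steps above. The main defender's points it encodes are that under 'Basic (no SSL)' the bind DN and password from step 6 cross the network in cleartext, that anonymous binding means the directory itself must allow unauthenticated reads of the users and groups you map, and that step 9 requires the 'same name' alias option.

```python
"""Pre-flight check of the values to be entered in the CMC LDAP host wizard.

Added example; not part of the CA Data Protection or BusinessObjects Enterprise
documentation. Keys mirror the wizard steps; the check and sample configs are constructed.
"""
import re

HOST_RE = re.compile(r"^(?P<host>[A-Za-z0-9][A-Za-z0-9.-]*):(?P<port>\d{1,5})$")
# Conventional ports: 389 plain LDAP, 3268 AD global catalog; 636 LDAPS, 3269 GC over SSL.
PLAIN_PORTS = {389, 3268}
TLS_PORTS = {636, 3269}
NO_SSL = "Basic (no SSL)"
REQUIRED_ALIAS_OPTION = "Assign each added LDAP alias to an account with the same name"
# Loose DN syntax check: attr=value pairs separated by commas, e.g. o=SomeBase.
BASE_DN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+(,[A-Za-z][A-Za-z0-9-]*=[^,]+)*$")


def check_ldap_wizard_config(cfg):
    """Return (severity, message) findings; any 'error' means do not click Finish yet."""
    findings = []
    ssl_mode = cfg.get("ssl", NO_SSL)

    hosts = cfg.get("hosts", [])
    if not hosts:
        findings.append(("error", "no LDAP host entered"))
    elif len(hosts) == 1:
        findings.append(("info", "only one LDAP host: no failover server is configured"))
    for entry in hosts:
        m = HOST_RE.match(entry)
        port = int(m.group("port")) if m else 0
        if not m or not 1 <= port <= 65535:
            findings.append(("error", f"host entry {entry!r} is not hostname:port"))
        elif ssl_mode == NO_SSL and port in TLS_PORTS:
            findings.append(("error", f"{entry} uses an LDAPS port but the SSL mode is {NO_SSL}"))
        elif ssl_mode != NO_SSL and port in PLAIN_PORTS:
            findings.append(("warning", f"{entry} uses a plain-LDAP port but the SSL mode is {ssl_mode}"))

    if not BASE_DN_RE.match(cfg.get("base_dn", "")):
        findings.append(("error", "Base LDAP Distinguished Name is not a valid DN"))

    bind_dn, bind_pw = cfg.get("bind_dn"), cfg.get("bind_password")
    if bind_dn and not bind_pw:
        findings.append(("error", "bind DN given without a password"))
    if bind_dn and ssl_mode == NO_SSL:
        findings.append(("warning", "bind DN and password will be sent in cleartext (no SSL)"))
    if not bind_dn:
        findings.append(("warning", "anonymous bind: the directory must permit anonymous read "
                                    "of the users and groups being mapped"))

    hops = cfg.get("referral_hops", 0)
    if hops > 0 and not cfg.get("referral_dn"):
        findings.append(("info", f"{hops} referral hop(s) allowed without referral credentials; "
                                 "required if a referred-to host disallows anonymous binding"))

    if cfg.get("new_alias_option") != REQUIRED_ALIAS_OPTION:
        findings.append(("error", f"new-alias option must be {REQUIRED_ALIAS_OPTION!r} "
                                  "for CA Data Protection row-level security"))
    return findings


def has_errors(findings):
    return any(sev == "error" for sev, _ in findings)


# Constructed weak sample: one plain-LDAP host, bind password over cleartext, wrong alias option.
WEAK_CONFIG = {
    "hosts": ["ldap01.example.internal:389"],
    "base_dn": "dc=example,dc=internal",
    "bind_dn": "cn=boe-reader,ou=service,dc=example,dc=internal",
    "bind_password": "placeholder-password",
    "ssl": NO_SSL,
    "referral_hops": 0,
    "new_alias_option": "(any option other than the required one)",
}

# Constructed corrected sample: two LDAPS hosts, server authentication, required alias option.
HARDENED_CONFIG = {
    "hosts": ["ldap01.example.internal:636", "ldap02.example.internal:636"],
    "base_dn": "dc=example,dc=internal",
    "bind_dn": "cn=boe-reader,ou=service,dc=example,dc=internal",
    "bind_password": "placeholder-password",
    "ssl": "Server Authentication",
    "referral_hops": 0,
    "new_alias_option": REQUIRED_ALIAS_OPTION,
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for sev, msg in check_ldap_wizard_config(cfg) or [("ok", "no findings")]:
            print(f"[{sev}] {msg}")
```

The port-to-SSL-mode comparison is a heuristic based on conventional port numbers; a directory listening for LDAPS on a non-standard port will not be flagged, so treat a clean result as a sanity check rather than proof that the chosen SSL mode matches the server.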