

Update Directory: Schema Tab

The Schema tab provides configuration options for mapping directory attributes to the CA ITCM schema.

This tab contains the following fields:

Schema

Indicates the schema map to be used. A number of predefined schema maps are provided for the most popular schemas, including hard-coded maps for the WinNT and UnixL providers. Choose one from the drop-down list.

Information

Displays tips for selecting options or entering information in fields or dialogs.

Authenticate Using the Configured Directory

Authentication establishes the identity of a security principal from the credentials it presents. Add the external directories as security authorities for DSM authorization operations. CA ITCM authenticates a security object against the external directory and uses the authenticated identity, and the group memberships it carries, in subsequent authorization calls.

For example, if you want a Linux DSM manager to authenticate Active Directory users over LDAP, configure Active Directory for the strongest security available: enable certificate services on the directory so that the LDAP connection is protected by TLS, and ensure that the Linux installation trusts the certification chain of the directory's certificate. Without TLS, a simple LDAP bind sends the user's password across the network in clear text. If the chain is not trusted, install the issuing CA certificate on the manager rather than relaxing certificate verification.

Add a Security Profile

A security profile maps a user account or group, supplied by one of the current security providers, to a set of access rights in CA ITCM. Select the users or groups who may access the system and add them to a security profile.

Follow these steps:

  1. Select Security Profiles from the Security menu.

    The Security Profiles dialog appears.

    Note: You must have sufficient access rights to open this dialog; otherwise, a security error message is displayed. Administrators have these access rights by default.

  2. Click Add.

    The Add Security Profiles dialog appears.

  3. Select the security authority in the Available Directories tree, then browse to and click the required security principal.

    You can view the selected security authority and principal in the Container Identifier and Names fields, respectively.

  4. Double-click a principal in the tree, or click Add to List.

    The security principals shown in the Names field are added to the list of security profiles.

    To add more profiles, repeat the last two steps on the Add Security Profiles dialog.

  5. Click OK.

    The selected user account or group is mapped to the security profile and the Class Permissions dialog is displayed.

    Note: If you have added more than one security principal, the Class Permissions dialog is not displayed. You must select the profile in the Security Profiles dialog, and click Class Permissions.

  6. In the Class Permissions dialog, select the object class to which you want to assign the rights.

    Note: You can select multiple object classes and specify the class permissions for all of them at once. For a contiguous selection, hold Shift and click the objects; for a non-contiguous selection, hold Ctrl and click the objects.

  7. Select the permission in the Class access drop-down list, and click OK.

    The given permissions are assigned to the new security profile.

The Add Security Profiles dialog displays a list of available security authorities: Windows NT domains, UNIX authentication targets, external directories such as NDS and LDAP, and the X.509 certificate subsystem.

The manager stores the list of available security authorities. When running in a Windows NT domain environment, the manager node automatically enumerates all explicit domain trusts available to it. You can see the list of available security authorities in the Add Security Profiles dialog.

In some cases you may want to use an implicitly trusted domain when creating security profiles, that is, a domain that does not appear in the enumerated list.

The Security Profiles dialog lets you add and remove authorities, but only within the Windows NT name space (winnt).

Note: Trust is enforced by the operating system. You cannot add a domain and have the manager trust it unless the underlying operating system already trusts the domain in question; adding an entry in the dialog does not create a trust.

Predefined Access Types

The following table shows the effect of each class access level on the Computer object class. Assign a profile the lowest level that covers the tasks its members actually perform; for example, a profile used only to deploy software needs Manage rather than Change or Full Control.

  Class Access    Resulting Permission
  View            Displays all computers under the All Computers folder.
  Read            Lets you view the properties of the computers.
  Manage          Lets you deploy a software package or run a job on a computer.
  Change          Lets you add a new computer or delete a computer.
  Full Control    Gives you full control over the computers.

Verify the Directory Authentication

To help ensure that the directory integration is successful, verify the directory authentication by logging in to CA ITCM with an account from the configured directory.

Follow these steps on DSM Explorer:

  1. Specify the User Name and Password.

    The user name identifies the account to log in with.

    Default: DN format.

    Important! If you want to use the UID or SN format for authentication, set the configuration policy accordingly. For more information, see Modify the Policy to Use a Different Username Format.

  2. Select the security authority using the following fields:
    Security Provider

    Specifies the security provider. Because CA ITCM grants access rights to user accounts and groups from the operating system and from external directories, the operating system or the directory acts as the security provider. Select the appropriate security provider; the corresponding Windows domain or directory field appears.

    Windows Domain (Windows) / Directory (ldap)

    Select the domain or the computer that holds your user account. The directories configured for CA ITCM appear in the drop-down list.

  3. Click Log in.

    Logs in to the system if the credentials are correct.

Follow these steps on the Web Console:

  1. Select the Manager Name from the Web Console drop-down.
  2. Specify the User Name and Password.

    The user name identifies the account to log in with. You can use the DN format.

    Important! If you want to use the UID or SN format for authentication, set the configuration policy accordingly. For more information, see Modify the Policy to Use a Different Username Format.

  3. Select the security authority using the following fields:
    Security Provider

    Specifies the security provider. Because CA ITCM grants access rights to user accounts and groups from the operating system and from external directories, the operating system or the directory acts as the security provider. Select the appropriate security provider; the corresponding Windows domain or directory field appears.

    Windows Domain (Windows) / Directory (ldap)

    Select the domain or the computer that holds your user account. The directories configured for CA ITCM appear in the drop-down list.

  4. Click Log in.

    Logs in to the system if the credentials are correct.

Note: The domain manager authenticates the user against the configured directory, using the access rights it has been given to that directory.

Modify the Policy to Use a Different Username Format

Modify this configuration policy only when you are not using the DN format for authentication. Use the Setting Properties dialog to modify configuration policies to suit your requirements and environment.

Note: Before you can modify a policy, you must unseal it.

Follow these steps:

  1. Navigate to Configuration, Configuration Policy, Default Computer Policy, DSM, Common Components, Security, Providers, Components, ldap.
  2. Right-click Oracle ldap: Shortname Type in the pane and select Setting Properties from the context menu. Alternatively, click Setting Properties in the Tasks portlet.

    The Setting Properties dialog opens.

  3. In the Value field, select one of the following values:
    sn

    Matches the user name supplied at login against the sn attribute (short name; sn is the standard LDAP surname attribute) of the Oracle ldap entry.

    uid

    Matches the user name supplied at login against the uid attribute (the unique user identifier) of the Oracle ldap entry.

  4. Click OK.

    The new value determines whether the user name supplied for authentication is interpreted as an sn or a uid value.

Note: When you use sn with Active Directory-based LDAP, the sn value must be unique: if more than one account shares the same sn, the supplied user name cannot be resolved to a single identity.
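The username-format notes in Verify the Directory Authentication and the uniqueness requirement on sn above both come down to how a supplied login name is turned into a directory lookup. The following Python example is added here to illustrate that; it is not CA ITCM code, and the function names, the in-memory directory and the sample entries are constructed for the example. It shows the three lookups (dn, sn, uid), the RFC 4515 escaping a login name needs before it is placed in a search filter (otherwise a login of * becomes a presence filter that matches every entry), and why a lookup that returns more than one entry must be rejected rather than silently taking the first match.

```python
"""Illustration of login-name resolution by dn, sn or uid.

Added example, not CA ITCM code: the product's own lookup logic is not shown
on the page. The in-memory directory, the entries in it and the function names
are constructed for this example.
"""
from __future__ import annotations

import re

# RFC 4515, section 3: these characters must be hex-escaped when a value is
# placed into a search filter. Without this, a login name such as "*" yields
# the filter (uid=*), which is a presence test that matches every entry.
_FILTER_ESCAPES = {
    "\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Hex-escape the RFC 4515 special characters in an assertion value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(shortname_type: str, login: str) -> str:
    """Return the equality filter that looks a login up by sn or uid."""
    if shortname_type not in ("sn", "uid"):
        raise ValueError(f"unsupported shortname type: {shortname_type!r}")
    return f"({shortname_type}={escape_filter_value(login)})"


def _assertion_to_regex(assertion: str) -> re.Pattern[str]:
    """Read an assertion value the way a server does: a raw '*' is a
    wildcard, '\\XX' is the literal character with hex code XX, everything
    else matches itself. sn and uid use caseIgnoreMatch, hence IGNORECASE."""
    parts, i = [], 0
    while i < len(assertion):
        escaped = re.match(r"\\([0-9a-fA-F]{2})", assertion[i:])
        if escaped:
            parts.append(re.escape(chr(int(escaped.group(1), 16))))
            i += 3
        elif assertion[i] == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(assertion[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


_EQUALITY = re.compile(r"^\((\w+)=(.*)\)$")


def search(directory: list[dict], filt: str) -> list[dict]:
    """Evaluate a single equality filter against the in-memory directory."""
    m = _EQUALITY.match(filt)
    if not m:
        raise ValueError(f"only simple equality filters are supported: {filt!r}")
    attr, pattern = m.group(1), _assertion_to_regex(m.group(2))
    return [e for e in directory if attr in e and pattern.match(e[attr])]


class AmbiguousLogin(LookupError):
    """More than one directory entry matches the supplied login name."""


def resolve_user(directory: list[dict], shortname_type: str, login: str) -> str | None:
    """Return the DN of the single entry identified by `login`, or None.

    shortname_type is "dn" (the default on the page), "sn" or "uid".
    Raises AmbiguousLogin if several entries match: an authentication
    decision must never be based on "the first of several" identities, which
    is why sn has to be unique in the directory when it is the login key.
    """
    if shortname_type == "dn":
        # Simplified DN comparison; real code should use the server's DN
        # matching rules (RFC 4517) rather than a lowercase string compare.
        matches = [e for e in directory if e["dn"].lower() == login.lower()]
    else:
        matches = search(directory, build_user_filter(shortname_type, login))
    if len(matches) > 1:
        raise AmbiguousLogin(f"{len(matches)} entries match {shortname_type}={login!r}")
    return matches[0]["dn"] if matches else None


# Constructed sample directory: two users share the surname Smith.
SAMPLE_DIRECTORY = [
    {"dn": "CN=Ana Smith,OU=Staff,DC=example,DC=com", "sn": "Smith", "uid": "asmith"},
    {"dn": "CN=Bo Smith,OU=Staff,DC=example,DC=com", "sn": "Smith", "uid": "bsmith"},
    {"dn": "CN=Cy Okafor,OU=Staff,DC=example,DC=com", "sn": "Okafor", "uid": "cokafor"},
]

if __name__ == "__main__":
    print(resolve_user(SAMPLE_DIRECTORY, "uid", "asmith"))
    print(resolve_user(SAMPLE_DIRECTORY, "uid", "*"))      # escaped: no match
    print(len(search(SAMPLE_DIRECTORY, "(uid=*)")))       # unescaped: all three
    try:
        resolve_user(SAMPLE_DIRECTORY, "sn", "Smith")
    except AmbiguousLogin as exc:
        print("rejected:", exc)
```

The uid lookup resolves a single account; the sn lookup on "Smith" is rejected as ambiguous, which is the situation the uniqueness note warns about; and the difference between `(uid=*)` and `(uid=\2a)` is the whole of the LDAP-injection defence when the login name is matched on an attribute rather than supplied as a DN.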