Use the Single Sign-On Configuration Tool to instruct registered data sources to use the same LDAP scheme to authenticate users. The Single Sign-On Configuration Tool lets you supply parameters that enable the CA server to connect securely to the LDAP server. Using the Configuration Tool, you can also associate users in the LDAP catalog with either predefined or custom user accounts in CA Performance Center.
The steps to take to enable LDAP authentication are slightly different if you are using a SASL authentication mechanism such as GSSAPI. Without such a mechanism (that is, with a simple bind), you must use a service account to bind to the LDAP server. This account requires read and search access to the LDAP server. You must supply the full DN (distinguished name) of the service account as the connection user, and you must also enable the User Bind parameter.
Single Sign-On binds to the LDAP server using the credentials that you supply for the Connection User and Connection Password parameters. Then Single Sign-On performs a directory search that is based on the string that you supply for the Search String parameter. The search results include the DN of the user. Single Sign-On then performs a second bind to the LDAP server using this DN and the password that the user entered at login; this second bind is the step that actually validates the user's password.
Important! In cases where no SASL authentication mechanism is used, we strongly recommend establishing an SSL connection to the LDAP server. Otherwise, the passwords (the service account password in the first bind and each user's password in the second bind) are transmitted to the LDAP server in cleartext.
Follow these steps:
Log in as root or with the 'sudo' command.
[InstallationDirectory]/CA/PerformanceCenter
You are prompted to select an option. The available options correspond to CA applications running on the local server.
You are prompted to select an option.
You are prompted to specify the priority.
The Priority parameter only applies to CA Performance Center.
Remote Value: Refers to settings that only administrators can change. Such settings are propagated to all other CA products registered to this instance of CA Performance Center. Remote Value settings are only used if a corresponding Local Override value is not present.
Local Override: Refers to settings that can be changed for all products. If a Local Override value is present, it takes precedence over both the Remote Value and default settings.
You are prompted to select a property to configure.
Connection User: Defines the user ID (in this case, the user ID of the service account) that the login server uses to connect to the LDAP server. This LDAP username is used to bind to the server.
Important! A service account with read and search access to the LDAP server is required for this parameter if you are not using a SASL authentication mechanism, such as GSSAPI. Grant the account no more than read and search rights; it never needs to write to the directory.
Connection Password: Defines the password for the login server to use to connect to the LDAP server.
Example: If the login server uses a fixed account, enter text like the following example:
SomePassword
Search Domain: Indicates the LDAP protocol, server, and initial search domain (the base DN). Also identifies where searching starts when verifying user account credentials. If you do not also supply a port number after the server in the string, port 389 is used.
Examples:
If you have an Active Directory set up as QASG.local, your search domain string would be:
LDAP://qasg.local/dc=qasg,dc=local
If you want to establish an SSL connection to the LDAP server (which is strongly recommended if you are not using a SASL authentication mechanism), use the LDAPS scheme and state the LDAPS port explicitly, since the default port is 389 regardless of scheme. For example:
LDAPS://srv:636/CN=Users,DC=company,DC=local
Search String: Specifies the criteria that are used to locate the correct record for the user. Works with the Search Scope parameter. The placeholder {0} is replaced with the login name that the user supplies. If only a subset of LDAP users is allowed to log in, the search string can match on several attributes at once. The value for this parameter can be any valid LDAP search filter.
Example:
(saMAccountName={0})
LDAP attribute names are case-insensitive, so this filter is equivalent to (sAMAccountName={0}), the usual spelling of the Active Directory logon-name attribute.
Search Scope: Determines the scope of the search that the LDAP server performs for the user account. Used with the Search String parameter. Type one of the following values (the standard LDAP search scopes):
One level: Includes the current directory in the search. Matches objects in the current directory and prevents unexpected matches deeper in the directory.
Subtree: Includes all subdirectories in the search. Recommended for most installations.
Base: Limits the search to the base object.
User Bind: Specifies whether to do an additional authentication step (bind) using the distinguished name (DN) and password of the user to validate the supplied credentials. When a service account performs the first bind, this second bind is the only step that checks the user's own password.
Important! This parameter must be set to Enabled if you entered a service account for the Connection User and Connection Password parameters.
Default: Disabled.
Authentication Mechanism: Specifies the authentication mechanism to use when binding a second time to the LDAP server.
Default: Simple.
Accepted Values: Simple, GSSAPI, DIGEST-MD5.
Note: Simple sends the password itself in the bind request, so use it only over an LDAPS connection. DIGEST-MD5 has been declared obsolete (RFC 6331); where Kerberos is available, GSSAPI is the stronger choice.
Account User: Specifies the CA Performance Center default account to which to map validated LDAP users who lack a group membership. Works with the Account Password parameter. If a valid user does not match any group definitions, the user is logged in with the default user ID specified for this parameter.
To allow all users to log in with their own username, enter:
Note: The Account User parameter corresponds to a field from the directory entry for this user. Typically, the value matches your search filter.
Account to clone: Specifies an existing user account to clone for validated LDAP users who are members of a group that is not specified for the Group parameter.
Example: Enter 'user' if you want such users to have minimal privileges.
Note: An existing user account is required; the clone inherits that account's privileges, so choose the least-privileged account that fits.
Group: Lets you determine the default account handling for selected user accounts or groups of accounts. Each Group element names the directory attribute to inspect (searchTag), the value it must contain (searchString), the local username to use (user) and the account whose privileges are cloned (userClone).
Example: To enable all members of a group to log in with an account cloned from the administrator account, enter:
<LDAPGroups><Group searchTag="memberOf" searchString="CN=SEC_All Employees,CN=Users,DC=company,DC=local" user="{saMAccountName}" passwd="" userClone="admin"/></LDAPGroups>
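The following is an added illustration, not code from CA or from this page, of how the parameters described above fit together: the Search Domain string is split into scheme, host, port and base DN; the {0} placeholder of the Search String is filled with the login name; the Group XML picks the account to clone from the user's memberOf values. It also shows the two checks a practitioner wants around this flow: refusing a Simple bind over plain LDAP, and RFC 4515 escaping of the login name so that a crafted name cannot rewrite the search filter. The Account User and clone values ({saMAccountName} and user), the sample directory entries and the in-memory search are assumptions constructed for the example; no LDAP connection or bind is performed.

```python
"""Model of the Single Sign-On LDAP lookup flow (added illustration, not CA code).
Combines the page's parameters offline: Search Domain URL, Search String template,
LDAPGroups XML. No real LDAP connection or bind is performed."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

def parse_search_domain(search_domain):
    """'LDAPS://srv:636/CN=Users,DC=company,DC=local' -> (scheme, host, port, base_dn)."""
    parts = urlsplit(search_domain)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    return scheme, parts.hostname, parts.port or DEFAULT_PORTS[scheme], parts.path.lstrip("/")

def password_in_cleartext(scheme, mechanism):
    """Simple bind over plain LDAP sends the bind password unencrypted (the page's warning)."""
    return mechanism.upper() == "SIMPLE" and scheme != "ldaps"

def escape_filter_value(value):
    """RFC 4515 escaping: the login name is attacker-controlled and must not rewrite the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_search_filter(template, login_name):
    """Substitute the {0} placeholder of the Search String, e.g. '(saMAccountName={0})'."""
    return template.replace("{0}", escape_filter_value(login_name))

def get_attr(entry, name):
    """Attribute names are case-insensitive ('saMAccountName' == 'sAMAccountName'); returns a list."""
    for key, vals in entry.items():
        if key.lower() == name.lower():
            return vals if isinstance(vals, list) else [vals]
    return []

def search_directory(directory, search_filter):
    """Minimal evaluator for (attr=value) filters over an in-memory list of entries."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", search_filter)
    if not m:
        raise ValueError("only (attr=value) filters are modelled here")
    attr, raw = m.groups()
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), raw)
    return [e for e in directory if value in get_attr(e, attr)]

def expand_user(template, entry):
    """Expand {attr} placeholders such as {saMAccountName} from the directory entry."""
    return re.sub(r"\{([^}]+)\}", lambda m: get_attr(entry, m.group(1))[0], template)

def resolve_account(ldap_groups_xml, entry, account_user, clone_default):
    """First <Group> whose searchTag attribute holds searchString wins; else the defaults apply."""
    for group in ET.fromstring(ldap_groups_xml).findall("Group"):
        wanted = group.get("searchString").lower()          # simplified DN comparison
        if any(v.lower() == wanted for v in get_attr(entry, group.get("searchTag"))):
            return expand_user(group.get("user"), entry), group.get("userClone")
    return expand_user(account_user, entry), clone_default

def authenticate(config, directory, login_name):
    """The flow from the text: service-account bind [not modelled], search for the
    user's DN, second bind as that DN [not modelled], map to a local account.
    Returns None unless exactly one entry matches (0 = unknown, >1 = ambiguous)."""
    scheme = parse_search_domain(config["search_domain"])[0]
    if password_in_cleartext(scheme, config["mechanism"]):
        raise RuntimeError("Simple bind over plain LDAP would expose passwords; use LDAPS")
    hits = search_directory(directory, build_search_filter(config["search_string"], login_name))
    if len(hits) != 1:
        return None
    user, clone = resolve_account(config["ldap_groups"], hits[0],
                                  config["account_user"], config["account_clone"])
    return {"dn": hits[0]["dn"], "user": user, "clone": clone}

CONFIG = {  # search_domain, search_string, ldap_groups: the page's own examples;
            # account_user and account_clone: values assumed for this illustration
    "search_domain": "LDAPS://srv:636/CN=Users,DC=company,DC=local",
    "search_string": "(saMAccountName={0})",
    "mechanism": "Simple",
    "account_user": "{saMAccountName}",
    "account_clone": "user",
    "ldap_groups": '<LDAPGroups><Group searchTag="memberOf" '
                   'searchString="CN=SEC_All Employees,CN=Users,DC=company,DC=local" '
                   'user="{saMAccountName}" passwd="" userClone="admin"/></LDAPGroups>',
}

DIRECTORY = [  # constructed sample entries, not data from any real directory
    {"dn": "CN=Jane Doe,CN=Users,DC=company,DC=local", "sAMAccountName": ["jdoe"],
     "memberOf": ["CN=SEC_All Employees,CN=Users,DC=company,DC=local"]},
    {"dn": "CN=Temp Contractor,CN=Users,DC=company,DC=local", "sAMAccountName": ["tcontractor"],
     "memberOf": ["CN=SEC_Contractors,CN=Users,DC=company,DC=local"]},
]

if __name__ == "__main__":
    for name in ("jdoe", "tcontractor", "*)(objectClass=*"):   # last one is an injection attempt
        print(name, "->", authenticate(CONFIG, DIRECTORY, name))
```

Running the script maps jdoe to a clone of admin (matched by memberOf), tcontractor to a clone of user (no Group match, so the default clone applies), and returns None for the login name *)(objectClass=* because escaping turns it into a literal value that matches nothing. Whether the product escapes {0} itself is not stated on this page; before going live, try such a login name against a test directory and confirm that it fails rather than matching every entry.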
The Configuration Tool closes.
Example Configuration
Copyright © 2013 CA.
All rights reserved.