Use the Single Sign-On Configuration Tool to instruct registered data sources to use the same LDAP scheme to authenticate users. The Single Sign-On Configuration Tool lets you supply parameters that enable the CA server to connect securely to the LDAP server. When you use a SASL mechanism such as DIGEST-MD5 or GSSAPI, which can protect the connection with its own security layer, a single bind operation occurs, as the user you specify.
Using the Configuration Tool, you can also associate users in the LDAP catalog with either predefined or custom user accounts in CA Performance Center.
Follow these steps:
1. Log in as root or with the 'sudo' command.
2. [InstallationDirectory]/CA/PerformanceCenter
3. You are prompted to select an option. The available options correspond to CA applications running on the local server.
4. You are prompted to select an option: whether to set a Remote Value or a Local Override.
5. You are prompted to specify the priority. The Priority parameter only applies to CA Performance Center.
Remote Value: Refers to settings that only administrators can change. Such settings are propagated to all other CA products registered to this instance of CA Performance Center. Remote Value settings are used only if no corresponding Local Override value is present.
Local Override: Refers to settings that can be changed for any product. If a Local Override value is present, it takes precedence over both the Remote Value and the default setting.
You are prompted to select a property to configure.
Defines the user ID that the login server uses to bind to the LDAP server. A service account is typically not required for a connection that uses a SASL authentication mechanism such as GSSAPI, because the login server can then bind as the user who is logging in.
Example: If the login server uses a fixed account, enter text with the following syntax:
CN=The User,cn=Users,dc=domain,dc=com
Or, if the connection uses an authentication mechanism, enter the placeholder that the login server replaces with the user name entered at login:
{0}
Some configurations need the user principal name (UPN) to identify the user. In that case append the domain to the placeholder so that it expands to the user's UPN, for example:
{0}@domain.com
With a SASL mechanism, the LDAP server typically does not require a full DN; a user name or UPN is enough.
Note: For security reasons, do not make the connection user a static account unless the additional bind step (the parameter described below that binds again with the user's DN and password) is enabled. LDAP checks a password only when binding to the server. If the login server binds with a static account and never binds again as the user, the user's password is never verified, and any user that exists in the LDAP tree can log in with any password.
Defines the password for the login server to use to connect to the LDAP server.
Example: If the login server uses a fixed account, enter text like the following example:
SomePassword
Or, if the connection uses an authentication mechanism, enter the placeholder that the login server replaces with the password entered at login:
{1}
Indicates the LDAP protocol, server, port, and initial search domain (the base DN at which the search for the user account starts when credentials are verified).
SSL use is independent of the authentication mechanism (Simple, GSSAPI, or DIGEST-MD5). However, Simple authentication is a plain LDAP bind, not a SASL mechanism, and it sends the password in clear text; if you use it, as when you use a service account, we strongly recommend enabling SSL. With GSSAPI, and to a lesser extent DIGEST-MD5, the password is not sent in the clear and the mechanism can negotiate its own integrity and confidentiality layer, so SSL is less critical. Note that DIGEST-MD5 was moved to Historic status by RFC 6331; prefer GSSAPI, or Simple binds over LDAPS, where available.
Use 'LDAPS' to secure the connection with SSL. The default port for LDAPS is 636.
Examples:
If you have an Active Directory domain named QASG.local, your search domain string would be as follows:
LDAPS://qasg.local:636/dc=qasg,dc=local
Specifies the filter used to locate the correct user in the directory. Works with the Search Scope parameter. If only a subset of LDAP users is allowed to log in, the filter can test several attributes of the record at once. The value can be any valid LDAP search filter; the login server replaces {0} with the user name entered at login.
Example:
(saMAccountName={0})
Specifies the scope of the search that the LDAP server performs for the user account, starting at the base DN of the search domain. Used with the Search String parameter. Select the value that corresponds to one of the three standard LDAP scopes:
One level: Searches only the entries directly beneath the base object, not the base object itself and not deeper levels. Prevents unexpected matches deeper in the directory.
Subtree: Searches the base object and everything beneath it. Recommended for most installations, because user objects are commonly spread across several containers or OUs.
Base: Limits the search to the base object itself.
Specifies whether to do an additional authentication step (bind) using the distinguished name (DN) and password of the user to validate the supplied credentials.
Default: Disabled. Disabled is acceptable only when the login server already binds as the user who is logging in (that is, the connection user and password use the {0} and {1} placeholders with a SASL mechanism), because that bind verifies the password. If the connection user is a static service account, enable this parameter; otherwise the user's password is never checked.
Specifies the authentication mechanism to use when binding to the LDAP server.
If you use an authentication mechanism rather than a service account, enter 'GSSAPI' or 'DIGEST-MD5', based on the mechanisms your LDAP server supports.
Default: Simple.
Accepted Values: Simple, GSSAPI, DIGEST-MD5.
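The bind-and-search flow that the connection user, connection password, search domain, search scope, bind-again and authentication mechanism parameters describe, simulated against an in-memory directory. This is an added example, not code from CA Performance Center: the directory entries, the configuration dictionary keys and the mock bind()/search() functions are constructed for illustration, and the search implements only an equality filter. It shows why the note on static accounts matters: with a static connection user and the additional bind disabled, a wrong password is accepted, while either enabling the second bind or binding as the user with the {0}/{1} placeholders rejects it.

```python
"""Simulation of the login server's LDAP bind-and-search flow.

Added example, not CA Performance Center code. The in-memory directory,
the configuration keys and the mock bind()/search() functions are
constructed for illustration; a real deployment talks to the directory
over LDAPS with the parameters described above.
"""

# Constructed directory: DN -> (password, attributes). Not real accounts.
DIRECTORY = {
    "CN=svc-login,CN=Users,DC=qasg,DC=local":
        ("Svc-Secret-1", {"sAMAccountName": "svc-login"}),
    "CN=Alice Example,CN=Users,DC=qasg,DC=local":
        ("Alice-Pw-1", {"sAMAccountName": "alice"}),
    "CN=Bob Example,OU=Contractors,CN=Users,DC=qasg,DC=local":
        ("Bob-Pw-1", {"sAMAccountName": "bob"}),
}


class LdapError(Exception):
    """Raised by the mock directory on a failed bind."""


def bind(identity, password, mechanism="Simple"):
    """Authenticate to the mock directory. A Simple bind takes a full DN;
    a SASL mechanism (GSSAPI, DIGEST-MD5) takes a user name or UPN instead,
    which is why a full DN is usually not needed in that case."""
    if mechanism == "Simple":
        entry = DIRECTORY.get(identity)
    else:
        name = identity.split("@")[0].lower()
        entry = next((e for e in DIRECTORY.values()
                      if e[1]["sAMAccountName"] == name), None)
    if entry is None or entry[0] != password:
        raise LdapError("invalid credentials")


def _depth_below(dn, base):
    """RDN levels of dn below base (0 = the base itself), or None if dn is
    not under base. Assumes no escaped commas inside RDN values."""
    d, b = dn.lower(), base.lower()
    if d == b:
        return 0
    if not d.endswith("," + b):
        return None
    return d[:-len(b) - 1].count(",") + 1


def search(base, scope, attr, value):
    """Equality-filter search, e.g. (sAMAccountName={0}), with the three
    standard LDAP scopes: base, onelevel and subtree. Returns matching DNs."""
    hits = []
    for dn, (_, attrs) in DIRECTORY.items():
        depth = _depth_below(dn, base)
        if depth is None:
            continue
        if scope == "base" and depth != 0:
            continue
        if scope == "onelevel" and depth != 1:
            continue
        if attrs.get(attr) == value:
            hits.append(dn)
    return hits


def authenticate(cfg, username, password):
    """Return True if the login server would accept this login.
    {0} and {1} in the connection user/password stand for the user name
    and password typed at login, as in the parameter descriptions."""
    conn_user = cfg["connection_user"].replace("{0}", username).replace("{1}", password)
    conn_pass = cfg["connection_password"].replace("{0}", username).replace("{1}", password)
    try:
        bind(conn_user, conn_pass, cfg["mechanism"])            # connection bind
        hits = search(cfg["base_dn"], cfg["scope"], "sAMAccountName", username)
        if len(hits) != 1:                                        # unknown or ambiguous user
            return False
        if cfg["bind_again"]:                                     # the additional bind step
            bind(hits[0], password)                               # verifies the user's own password
        return True
    except LdapError:
        return False


# Three constructed configurations. Only the first is unsafe: a static
# service account with the additional bind disabled never checks the
# user's password.
STATIC_NO_REBIND = {
    "connection_user": "CN=svc-login,CN=Users,DC=qasg,DC=local",
    "connection_password": "Svc-Secret-1",
    "mechanism": "Simple", "base_dn": "DC=qasg,DC=local",
    "scope": "subtree", "bind_again": False,
}
STATIC_REBIND = {**STATIC_NO_REBIND, "bind_again": True}
PER_USER_SASL = {**STATIC_NO_REBIND, "connection_user": "{0}@qasg.local",
                 "connection_password": "{1}", "mechanism": "GSSAPI"}

if __name__ == "__main__":
    print(authenticate(STATIC_NO_REBIND, "alice", "wrong-password"))   # True: the flaw
    print(authenticate(STATIC_REBIND, "alice", "wrong-password"))      # False
    print(authenticate(PER_USER_SASL, "alice", "wrong-password"))      # False
```

The search function also shows the scope difference: with the base set to CN=Users, a one-level search does not find the contractor account in the OU beneath it, while a subtree search does.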
Specifies the CA Performance Center default account to which to map validated LDAP users who lack a group membership. Works with the Account Password parameter. If a valid user does not match any group definitions, the user is logged in with the default user ID specified for this parameter.
To allow all users to log in with their own username, enter:
Note: The Account User parameter corresponds to a field from the directory entry for this user. Typically, the value matches your search filter.
Specifies a user account to clone if validated LDAP users are members of a group that is not specified for the Groups parameter.
Example: Enter 'user' if you want such users to have minimal privileges.
Note: An existing user account is required.
Lets you determine the default account handling for selected user accounts or groups of accounts.
Example: To enable all members of a group to log in using an administrator account, enter the following. Because every matching member receives the privileges of the cloned account, map an administrator clone only to a narrowly defined group:
<LDAPGroups><Group searchTag="memberOf" searchString="CN=SEC_All Employees,CN=Users,DC=company,DC=local" user="{saMAccountName}" passwd="" userClone="admin"/></LDAPGroups>
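Resolving a validated LDAP user to a CA Performance Center account from the Groups XML above, with the User Clone fallback for users who match no group. This is an added example, not CA's code; it assumes that the first matching Group wins, that {attribute} placeholders in the user attribute are filled from the user's directory entry with attribute names compared case-insensitively, and it uses constructed directory entries and a constructed second group definition (SEC_NetOps Admins) to contrast the documented mapping with a least-privilege ordering.

```python
"""Map a validated LDAP user to a local account from the Groups XML.

Added example, not CA Performance Center code. Assumptions: the first
matching <Group> wins; {attribute} placeholders in user="" are expanded
from the user's entry, matching attribute names case-insensitively (so
{saMAccountName} and {sAMAccountName} both work); entries and the second
group definition are constructed.
"""

import re
import xml.etree.ElementTree as ET

# The Groups value from the page, verbatim: every employee becomes an admin.
GROUPS_AS_DOCUMENTED = (
    '<LDAPGroups><Group searchTag="memberOf" '
    'searchString="CN=SEC_All Employees,CN=Users,DC=company,DC=local" '
    'user="{saMAccountName}" passwd="" userClone="admin"/></LDAPGroups>'
)

# Constructed least-privilege variant: a narrow group maps to 'admin' and is
# listed first; the broad group maps to the low-privilege 'user' account.
GROUPS_LEAST_PRIVILEGE = """<LDAPGroups>
<Group searchTag="memberOf" searchString="CN=SEC_NetOps Admins,CN=Users,DC=company,DC=local" user="{saMAccountName}" passwd="" userClone="admin"/>
<Group searchTag="memberOf" searchString="CN=SEC_All Employees,CN=Users,DC=company,DC=local" user="{saMAccountName}" passwd="" userClone="user"/>
</LDAPGroups>"""

ALL_EMPLOYEES = "CN=SEC_All Employees,CN=Users,DC=company,DC=local"
NETOPS_ADMINS = "CN=SEC_NetOps Admins,CN=Users,DC=company,DC=local"

# Constructed directory entries (attribute name -> value or list of values).
ALICE = {"sAMAccountName": "alice", "memberOf": [ALL_EMPLOYEES]}
BOB = {"sAMAccountName": "bob", "memberOf": [ALL_EMPLOYEES, NETOPS_ADMINS]}
CAROL = {"sAMAccountName": "carol", "memberOf": []}


def _attr(entry, name):
    """Case-insensitive attribute lookup; always returns a list."""
    for key, val in entry.items():
        if key.lower() == name.lower():
            return val if isinstance(val, list) else [val]
    return []


def _expand(template, entry):
    """Replace {attribute} placeholders with the entry's first value."""
    return re.sub(r"\{(\w+)\}",
                  lambda m: (_attr(entry, m.group(1)) or [""])[0], template)


def resolve_account(groups_xml, entry, default_clone="user"):
    """Return (local user name, account to clone) for a validated LDAP user.
    default_clone plays the role of the User Clone parameter above."""
    root = ET.fromstring(groups_xml)
    for group in root.findall("Group"):
        wanted = group.get("searchString", "").lower()
        values = [v.lower() for v in _attr(entry, group.get("searchTag", "memberOf"))]
        if wanted in values:
            name = _expand(group.get("user", "{sAMAccountName}"), entry)
            return name, group.get("userClone", default_clone)
    return _expand("{sAMAccountName}", entry), default_clone


def admin_groups(groups_xml):
    """Audit helper: the group DNs whose members are cloned from 'admin'."""
    root = ET.fromstring(groups_xml)
    return [g.get("searchString") for g in root.findall("Group")
            if g.get("userClone") == "admin"]


if __name__ == "__main__":
    print(resolve_account(GROUPS_AS_DOCUMENTED, ALICE))    # ('alice', 'admin')
    print(resolve_account(GROUPS_LEAST_PRIVILEGE, ALICE))  # ('alice', 'user')
    print(resolve_account(GROUPS_LEAST_PRIVILEGE, BOB))    # ('bob', 'admin')
    print(resolve_account(GROUPS_LEAST_PRIVILEGE, CAROL))  # ('carol', 'user')
    print(admin_groups(GROUPS_AS_DOCUMENTED))
```

Running admin_groups over the configured value before applying it is the quick check that no broad group such as SEC_All Employees confers the administrator clone.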
The Configuration Tool closes.
Example Configuration
Copyright © 2013 CA.
All rights reserved.