

Creating Organization in LDAP Repository

Use CA Administration Console to create organizations whose user directory is an LDAP repository. Perform this procedure only after you have successfully configured AuthMinder Server and Administration Console for AuthMinder.

  1. Log in to Administration Console as Master Administrator by using the following URL:

    http[s]://host_name:port_number/arcotadmin/masteradminlogin.htm

    In the preceding URL, host_name is the host name or IP address of the application server where you configured the Administration Console, and port_number is the port on which the server listens for incoming requests.

  2. Create a Global Administrator account and assign only the DEFAULTORG to this administrator.
  3. Log out of Administration Console.
  4. Access AuthMinder Administration Console for the Global Administrator by using the following URL:

    http[s]://host_name:port_number/arcotadmin/adminlogin.htm

  5. Provide the organization name as DEFAULTORG and the username and password assigned to the global user account that you created in Step 2.

    You are prompted to reset your password and log in to the Administration Console again.

  6. Click the Organizations tab.
  7. Under the Manage Organizations section, click the Create Organization link to display the Create Organization page.
  8. Enter the details of the organization, as described in the following table.

Organization Information

Organization Name
  Enter a unique ID for the organization that you want to create. Ensure that you specify this organization name in the Name (Mapped to LDAP) field described in the "Configuring Adapter by Using the Wizard" section.

  Note: When you log in to this organization through the Administration Console, specify this value, not the Display Name of the organization.

Display Name
  Enter a descriptive name for the organization.

  Note: This name appears on all other Administration Console pages and reports.

Description
  Provide a description for the administrators who will manage this organization.

  Note: Use this field to record additional details about the organization for later reference.

Administrator Authentication Mechanism
  Select the Basic User Password mechanism to authenticate administrators belonging to this organization.

User Data Location

Repository Type
  Select Enterprise LDAP. With this option, the user and administrator details for the new organization are stored in the LDAP repository that you specify on the next page.

  9. Click Next.

    The Create Organization page that collects the LDAP repository details opens.

  10. Enter the details listed in the following table to connect to the LDAP repository.

Host Name
  Enter the host name of the system where the LDAP repository is available.

Port Number
  Enter the port number on which the LDAP repository service is listening.

Schema Name
  Specify the LDAP schema used by the LDAP repository. The schema specifies the types of objects that the LDAP repository can contain, together with the mandatory and optional attributes of each object type.

  Typically, the schema name for Active Directory is user and for SunOne Directory server it is inetorgperson.

Base Distinguished Name
  Enter the base Distinguished Name (DN) of the LDAP repository. This value is the starting node in the LDAP hierarchy from which searches in the repository begin.

  For example, for SunOne Directory server to search for or retrieve a user with the DN cn=rob laurie,dc=Test,dc=Pvt, specify the Base Distinguished Name as:

  dc=Test,dc=Pvt

  Note: Typically, this field is case sensitive, and the search covers all sub-nodes under the provided base DN.

Redirect Schema Name
  Specify the name of the schema that provides the definition of the "member" attribute.

  You can search for users in the LDAP repository using the Base DN defined for an organization, but that search only returns users belonging to the specific Organization Unit (OU). An LDAP administrator might create a group of users drawn from different Organization Units in order to control access for the entire group, and might then want to search for users across those groups. When the administrator creates groups, the DNs of the user nodes are stored in a "member" attribute within the group node. By default, UDS does not allow search and DN resolution based on attribute values. Redirection enables you to search for users belonging to different groups within LDAP, based on specific attribute values of a particular node.

  Typically, the redirect schema name for Active Directory is group and for SunOne directory it is groupofuniquenames.

Connection Type
  Select the type of connection to use between Administration Console and the LDAP repository. Supported types are:

    • TCP
    • One-way SSL
    • Two-way SSL

Login Name
  Enter the complete distinguished name of the LDAP repository user who has the privilege to log in to the repository server and manage the Base Distinguished Name. For example, for SunOne Directory server the Login Name is specified as:

  cn=Directory Manager

Login Password
  Enter the password of the user specified in Login Name.

Server Trusted Root Certificate
  If you selected an SSL connection type, use the Browse button to enter the path to the trusted root certificate of the CA that issued the SSL certificate of the LDAP server.

Client Key Store Path
  If you selected the SSL connection type that requires it, use the Browse button to enter the path to the key store that contains the client certificate and its corresponding private key.

  Note: The key store must be of type PKCS#12 or JKS.

Client Key Store Password
  If you selected the SSL connection type that requires it, enter the password for the client key store.
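As an added example (not CA AuthMinder code, and not connected to a real directory), the following Python models three of the settings above: the Base Distinguished Name subtree search, the redirection through a group's "member" attribute that the Redirect Schema Name enables, and the certificate and key store fields each Connection Type needs. The directory entries, DNs, OUs, users and group are all constructed; which fields each connection type requires follows the standard one-way/two-way TLS meaning and is an assumption, since the table only says "if the required SSL option is selected".

```python
"""How AuthMinder's LDAP repository settings scope user lookup.

Added example; it is not CA AuthMinder code and does not talk to a
directory. DIRECTORY is a constructed in-memory stand-in for a SunOne-style
repository: every DN, OU, user and group below is invented. Which fields
each Connection Type needs is the standard TLS meaning (one-way: trusted
root; two-way: trusted root plus client key store) and is an assumption.
"""


def parse_dn(dn):
    """Split a DN into (type, value) RDN pairs, most specific first.

    Whitespace around ',' and '=' is dropped but case is preserved, because
    the Console's Base Distinguished Name field is case sensitive. Escaped
    commas inside values are not handled.
    """
    rdns = []
    for rdn in dn.split(","):
        attr_type, _, value = rdn.partition("=")
        rdns.append((attr_type.strip(), value.strip()))
    return rdns


def is_under_base(entry_dn, base_dn):
    """True if entry_dn is the base node itself or any sub-node below it."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base


# Constructed directory: users in two OUs plus a group whose "member"
# attribute (the attribute the Redirect Schema defines) spans both OUs and
# includes one DN that no longer exists.
DIRECTORY = [
    {"dn": "uid=rlaurie,ou=Sales,dc=Test,dc=Pvt", "objectClass": "inetorgperson"},
    {"dn": "uid=amehta,ou=Sales,dc=Test,dc=Pvt", "objectClass": "inetorgperson"},
    {"dn": "uid=jchen,ou=Support,dc=Test,dc=Pvt", "objectClass": "inetorgperson"},
    {"dn": "cn=Fraud Analysts,ou=Groups,dc=Test,dc=Pvt", "objectClass": "groupofnames",
     "member": ["uid=rlaurie,ou=Sales,dc=Test,dc=Pvt",
                "uid=jchen,ou=Support,dc=Test,dc=Pvt",
                "uid=gone,ou=Sales,dc=Test,dc=Pvt"]},
]


def search_users(base_dn, schema="inetorgperson"):
    """Users a Base DN subtree search finds: only entries under base_dn."""
    return [e["dn"] for e in DIRECTORY
            if e["objectClass"] == schema and is_under_base(e["dn"], base_dn)]


def resolve_group_members(group_dn, member_attr="member"):
    """Redirection: follow a group's member DNs to users in any OU.

    Returns (resolved, dangling); dangling DNs are reported, not dropped.
    """
    group = next((e for e in DIRECTORY if e["dn"] == group_dn), None)
    if group is None:
        raise LookupError(f"no such group: {group_dn}")
    known = {e["dn"] for e in DIRECTORY}
    resolved, dangling = [], []
    for member_dn in group.get(member_attr, []):
        (resolved if member_dn in known else dangling).append(member_dn)
    return resolved, dangling


# Assumed field requirements per Connection Type (standard TLS meaning).
REQUIRED_BY_CONNECTION = {
    "TCP": (),
    "One-way SSL": ("server_trusted_root_certificate",),
    "Two-way SSL": ("server_trusted_root_certificate",
                    "client_key_store_path", "client_key_store_password"),
}
KEY_STORE_SUFFIXES = (".p12", ".pfx", ".jks")  # PKCS#12 or JKS key stores


def missing_connection_settings(settings):
    """Fields the chosen Connection Type needs but that are empty or invalid."""
    conn = settings.get("connection_type")
    if conn not in REQUIRED_BY_CONNECTION:
        raise ValueError(f"unsupported connection type: {conn!r}")
    problems = [f for f in REQUIRED_BY_CONNECTION[conn] if not settings.get(f)]
    path = settings.get("client_key_store_path", "")
    if conn == "Two-way SSL" and path and not path.lower().endswith(KEY_STORE_SUFFIXES):
        problems.append("client_key_store_path (must be a PKCS#12 or JKS file)")
    return problems


if __name__ == "__main__":
    print("Sales only:", search_users("ou=Sales,dc=Test,dc=Pvt"))
    print("Whole tree:", search_users("dc=Test,dc=Pvt"))
    print("Via group:", resolve_group_members("cn=Fraud Analysts,ou=Groups,dc=Test,dc=Pvt"))
    print("Two-way SSL gaps:", missing_connection_settings({"connection_type": "Two-way SSL"}))
```

Searching under ou=Sales returns only the two Sales users, which is the limitation the table describes; resolving the group returns users from both OUs and separately reports the member DN that no longer exists, so a stale group entry is visible rather than silently ignored. The connection check is the kind of pre-flight a practitioner runs before saving the page, so an SSL connection type is never left without the trust material that makes it SSL.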

  11. Click Next to proceed.

    The page to map the repository attributes opens.

  12. On this page:
    1. Select an attribute from the Arcot Database Attributes list, then select the attribute from the Enterprise LDAP Attributes list that is to be mapped to the Arcot attribute, and click Map.

      Important! Mapping of the USERNAME, EMAILADDR, and TELEPHONENUMBER attributes is compulsory. If you are using SunOne Directory, then map USERNAME to uid, EMAILADDR to mail, and TELEPHONENUMBER to telephoneNumber.

    2. Repeat the process to map multiple attributes, until you have mapped all the required attributes.

      Note: You do not need to map all the attributes in the Arcot Database Attributes list. Map only the attributes that you will use.

      The attributes that you have mapped are moved to the Mapped Attributes list.

      If required, you can unmap attributes. To unmap a single attribute, select the attribute and click Unmap. To clear the entire Mapped Attributes list, click Reset.

  13. Click Next to proceed.

    The Select Attribute(s) for Encryption page opens.

  14. Select the attributes that you want to encrypt, and click Next.

    The Add Administrators page opens.

    Note: This page is not displayed if all the administrators currently present in the system have scope to manage all organizations.

  15. From the Available Administrators list, select the administrators who will manage the organization and click the > button to add them to the Managing Administrators list.

    Note: You can assign the organization to administrators at any time, by updating the scope of existing administrators or by creating new administrators to manage the organization.

    The Available Administrators list displays all the administrators who can manage the new organization.

    Note: Administrators who have scope to manage all organizations in the system do not appear in this list.

  16. The Managing Administrators list displays the administrators that you have selected to manage this organization.
  17. Click Next to proceed.

    The Activate Organization page opens.

    Note: The username attribute cannot be changed or updated after the organization is activated.

  18. Click Enable to activate the new organization.

    A message box opens, prompting you to confirm that you want to activate the selected organization.

  19. Click OK to complete the process.
  20. Refresh the AuthMinder cache for the changes to take effect.

    If you now search for organizations, the LDAP-based organization that you created appears in the search results.

  21. Create a user in this organization.
  22. Search for the user created in the preceding step and promote that user to Global Administrator (GA).

    Book: Refer to the Promoting Users to Administrators section in Chapter 9, "Managing Users and Their Credentials" of CA AuthMinder Administration Guide for more information.

    You will need the details of this GA to resolve the credential types for the LDAP-based organization. See "Resolving Credential Types for LDAP Organization" for more information.

  23. Log out of the Administration Console.
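The attribute mapping and activation steps above impose a few rules that are easy to get wrong when the organization is scripted or reviewed rather than clicked through. The following Python is an added example (not CA AuthMinder code) that models those rules as the procedure states them: USERNAME, EMAILADDR and TELEPHONENUMBER must be mapped before activation, Unmap and Reset behave as described, and the username attribute is frozen once the organization is activated. The set of LDAP attributes it accepts for each schema name is an assumption taken from the standard inetOrgPerson and Active Directory user object classes, not from the product.

```python
"""Attribute-mapping rules from the Create Organization wizard, as a model.

Added example, not CA AuthMinder code. It enforces what the procedure
states: USERNAME, EMAILADDR and TELEPHONENUMBER must be mapped before the
organization can be activated, Unmap and Reset work as described, and the
username attribute is frozen once the organization is activated. The LDAP
attributes accepted per schema name are an assumption taken from the
standard inetOrgPerson and Active Directory user object classes.
"""

REQUIRED_ARCOT_ATTRIBUTES = ("USERNAME", "EMAILADDR", "TELEPHONENUMBER")

# Assumed attribute sets for the two schema names the repository table mentions.
SCHEMA_ATTRIBUTES = {
    "inetorgperson": {"uid", "cn", "sn", "givenName", "mail", "telephoneNumber"},
    "user": {"sAMAccountName", "userPrincipalName", "cn", "sn", "givenName",
             "mail", "telephoneNumber"},
}


class AttributeMapping:
    """Arcot database attribute -> LDAP attribute mapping for one organization."""

    def __init__(self, schema):
        if schema not in SCHEMA_ATTRIBUTES:
            raise ValueError(f"unknown schema name: {schema!r}")
        self.schema = schema
        self.mapped = {}
        self.activated = False

    def _check_username_frozen(self, arcot_attr):
        # The username attribute cannot be changed after activation.
        if self.activated and arcot_attr == "USERNAME":
            raise PermissionError("USERNAME mapping is fixed once the organization is active")

    def map(self, arcot_attr, ldap_attr):
        """Map one Arcot attribute to one attribute of the chosen schema."""
        self._check_username_frozen(arcot_attr)
        if ldap_attr not in SCHEMA_ATTRIBUTES[self.schema]:
            raise ValueError(f"{ldap_attr!r} is not defined in schema {self.schema!r}")
        self.mapped[arcot_attr] = ldap_attr

    def unmap(self, arcot_attr):
        """Unmap a single attribute."""
        self._check_username_frozen(arcot_attr)
        self.mapped.pop(arcot_attr, None)

    def reset(self):
        """Reset clears the whole Mapped Attributes list."""
        for arcot_attr in list(self.mapped):
            self._check_username_frozen(arcot_attr)
        self.mapped.clear()

    def missing_required(self):
        """Compulsory attributes that are still unmapped."""
        return [a for a in REQUIRED_ARCOT_ATTRIBUTES if a not in self.mapped]

    def activate(self):
        """Activate the organization; refused while required mappings are missing."""
        missing = self.missing_required()
        if missing:
            raise ValueError(f"cannot activate: unmapped required attributes {missing}")
        self.activated = True
        return self


def sunone_default_mapping():
    """The mapping the procedure prescribes for SunOne Directory."""
    m = AttributeMapping("inetorgperson")
    m.map("USERNAME", "uid")
    m.map("EMAILADDR", "mail")
    m.map("TELEPHONENUMBER", "telephoneNumber")
    return m


if __name__ == "__main__":
    org = sunone_default_mapping().activate()
    print("active mapping:", org.mapped)
```

Checking `missing_required()` before clicking Enable is the useful part: once the organization is active, a wrong USERNAME mapping cannot be corrected in place, which is why the model refuses the change rather than allowing it.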