Configuring the LDAP Domain

Domains control user login, the authentication method and the access privileges to AAI's functions. If your company uses LDAP for user login and authentication, any user who is defined in the LDAP domain and has an ID and a password there can log in to AAI. As an AAI administrator, you add and configure the LDAP domain in AAI. When you later add schedulers to AAI, you assign them a domain; if you select LDAP, the LDAP definitions are honored for those schedulers.

The LDAP domain supports two user roles only:

  • Admin

    These users have unrestricted access to the entire user interface. They can add, edit and delete objects.

  • (Application) User

    These users have read-only access to certain areas of the AAI user interface. The areas that pertain to administrative tasks are hidden from them.

    They can only monitor jobstreams, with all execution details and history, and create reports.

AAI and LDAP Users

When LDAP is integrated with AAI, you do not need to create users explicitly in AAI. The first time an LDAP user logs in to AAI, a user with the User role (read-only privileges) is created for them automatically.

To grant an LDAP user admin rights, an existing Admin user must change that user's definition from User to Admin. Because every LDAP user who can authenticate gets a User account on first login, use the Advanced Filter (see below) if only some LDAP users should be able to log in at all.

To Add an LDAP Domain

  1. Go to the Admin - Users page.

  2. Open the Domains tab and select Add Domain.

  3. On the Add Domain dialog, enter the following:

    Name

    This is the name that the users will see in the login dialog when they log in to AAI. It must be unique.

    Type

    Type of domain, in this case LDAP.

  4. In the Directory Connection section enter the data to identify the servers to which you want to connect with this domain.

    • LDAP Servers

      You can enter a list of hostname/port pairs here. AAI tries to reach them in the order that you define in this list, so put the primary server first.

      1. In LDAP Servers enter the hostname and port of an LDAP server (not of the AAI server). If you enable SSL in the Options section below, this must be the port on which the server accepts LDAP over SSL (636 by default on most directory servers).

      2. Click Save to include the server in the list. Use the pencil and trash buttons to edit or delete this entry.

      3. To add more server pairs to the list, click Add Server.

    • User Authorized to Search the Directory

      Specify the user that AAI uses to bind to LDAP and search for the users who log in. Enter the complete distinguished name of the user node and its password. Use a dedicated service account with read access to the user sub-tree only; it needs no rights to modify the directory, and AAI stores its password.

  5. In the Directory Details section enter the following:

    • User Attribute

      Name of the attribute that identifies users when they log in (for example sAMAccountName on Active Directory or uid on OpenLDAP). When a user enters a user name and password at login, Automic Automation Intelligence searches for a node whose attribute of this type has the user name as its value. Choose an attribute whose values are unique within the sub-tree, so that the search returns exactly one node.

    • Domains Distinguished Name

      LDAP DN (distinguished name) that specifies where to find user nodes within the LDAP directory. All users should be found in the sub-tree identified by this name.

    • Advanced Filter (LDAP Compliant)

      Use this filter to restrict the users who can log in to AAI to the members of specific LDAP groups. Enter a complete LDAP filter component, including its outer parentheses.

      Example:

      The following users and user groups are defined in LDAP:

      • jawsuser01 (user), who is authorized to query the directory. This is the ID that AAI uses to bind to the LDAP server and look up the end user.

      • JAWSUSERS (user group)

      • SCHEDULERS (user group)

      Members of the JAWSUSERS group carry this attribute value in the LDAP environment:

      memberOf=CN=JAWSUSERS,CN=SCHEDULERS,DC=TERMALABS,DC=NET

      To allow only members of that group to log on to AAI, you create the following advanced filter:

      (memberOf=CN=JAWSUSERS,CN=SCHEDULERS,DC=TERMALABS,DC=NET)

      AAI combines this filter with the login attribute filter using an LDAP AND ("&" at the beginning). Users enter only their user name and password at login; AAI applies the filter for them.

      For a user whose login attribute (here samaccountname) has the value jawsuser01, the filter string that AAI sends to the directory looks like this:

      (&(samaccountname=jawsuser01)(memberOf=CN=JAWSUSERS,CN=SCHEDULERS,DC=TERMALABS,DC=NET))

      This filter only allows users in the JAWSUSERS group to log in to AAI. One memberOf equality test matches exactly one group DN; to accept members of either of two groups, combine two tests with an OR, for example (|(memberOf=<DN of group 1>)(memberOf=<DN of group 2>)).

      Note:
      • The opening and closing parentheses are required by LDAP filter syntax, both around each test and around the whole filter.

      • Make sure that your users have the attribute you are filtering on. On Active Directory, memberOf holds only direct memberships; a user who belongs to JAWSUSERS through a nested group is rejected by the filter above unless you use the extensible match (memberOf:1.2.840.113556.1.4.1941:=<group DN>) instead.

      • Copy the group DN from the directory rather than typing it. A DN that differs from the stored value (for example a wrong container) matches no one, and the resulting login failures carry no explanation.

  6. In the Options section do the following:

    Select Allow null password if you want to allow users to log in to AAI without entering a password. Leave this option off in production: many LDAP servers, including Active Directory, treat a bind with a DN and an empty password as a successful anonymous (unauthenticated) bind, so with this option anyone who knows a valid user name could log in to AAI without a password.

    Select SSL if you want to use SSL for LDAP authentication.

    Important!

    To use SSL, AAI needs the certificate of the LDAP server (or of the CA that issued it) in a Java trust store that the AAI JVM is configured to use.

    1. Export the certificate to a certificate file, for example domain1.cer. The certificate admin should know how to do this. For a Windows 2003 server with Certification services installed take the following actions:

      1. From Administrative Tools select Certification Authority.

        In the CA interface Expand the Certificate menu on left side.

        Go to Issued Certificates. Right-click the LDAP server certificate and go to All Tasks -> Export Binary Data...

      2. Select Save Binary Data to file and give a file name like domain1.cer.

    2. Copy this file to the Automic Automation Intelligence server.

      On the Automic Automation Intelligence server run the following command:

      keytool -import -v -alias <ALIAS> -file domain1.cer -keystore <PATH TO STORE>/jawsKeys -storepass <PASSWORD> -noprompt

      This creates the file jawsKeys under the specified path if it does not exist yet and adds the certificate under the alias <ALIAS>. Use a different alias for each server (for example the server's hostname): keytool's default alias is mykey, so a second import without -alias fails because that alias already exists.

      Repeat these steps for all the SSL LDAP servers that Automic Automation Intelligence should use. Because the trust store holds the server certificate itself, you must repeat the import whenever a server certificate is renewed; importing the certificate of the CA that issued the server certificates instead avoids this.
    3. Modify the .vmoptions file and add the following two lines:

      -Djavax.net.ssl.trustStore=<PATH TO STORE>/jawsKeys
      -Djavax.net.ssl.trustStorePassword=<PASSWORD>

      These properties replace the JVM's default trust store (cacerts) for every TLS connection that AAI makes, not only for LDAP, so any other certificate authorities that AAI must trust have to be imported into jawsKeys as well. The password is stored in clear text in this file; restrict read access to the account that runs AAI.

    4. Restart JBoss.

  7. Save your configuration.

  8. Click the Test Configuration button at the top of the dialog. AAI tries to connect to the LDAP server with the information that you have provided. If there is any configuration error, AAI indicates it.

    Use this feature whenever you make changes, since for security reasons subsequent login errors contain little or no information.
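The filter composition described in step 5 (Advanced Filter), as an added shell example that is not part of the AAI documentation or product: it escapes the user name the way an LDAP client must, composes the combined filter, and runs it with OpenLDAP's ldapsearch against the same base DN and search account that AAI uses, so you can confirm who would be admitted before saving the domain. The server URL, bind DN, password file and paths in the usage comment are assumed values.

```shell
#!/bin/sh
# Added example, not Automic's own tooling: build the filter AAI sends to the
# directory and test it with ldapsearch. Host names, DNs and file paths are
# assumptions for illustration.
set -eu

# RFC 4515 escaping for a value placed inside a filter: \ * ( ) become \5c \2a \28 \29.
# (A NUL byte would become \00 but cannot travel through a shell string.)
# Without this, a login name of "*" turns the equality test into a presence test
# that matches every user in the group.
escape_filter_value() {
    printf '%s' "$1" | sed 's/\\/\\5c/g; s/\*/\\2a/g; s/(/\\28/g; s/)/\\29/g'
}

# Compose (&(<User Attribute>=<user name>)<Advanced Filter>) as the page describes.
# $1 = User Attribute, $2 = user name as typed at login, $3 = Advanced Filter
# (optional; it must already carry its own parentheses).
build_login_filter() {
    login="($1=$(escape_filter_value "$2"))"
    if [ -n "${3:-}" ]; then
        printf '(&%s%s)\n' "$login" "$3"
    else
        printf '%s\n' "$login"
    fi
}

# One memberOf equality test matches one group DN; accepting members of either
# of two groups needs an OR. $1 and $2 are the full group DNs.
either_group_filter() {
    printf '(|(memberOf=%s)(memberOf=%s))\n' "$1" "$2"
}

# Active Directory only: memberOf lists direct memberships. This extensible match
# (LDAP_MATCHING_RULE_IN_CHAIN) also accepts users who belong via nested groups.
nested_group_filter() {
    printf '(memberOf:1.2.840.113556.1.4.1941:=%s)\n' "$1"
}

# Run a filter with the search account, base DN and subtree scope AAI will use.
# $1 = LDAP URL, $2 = bind DN of the search user, $3 = file holding its password
# (-y keeps it out of the process list), $4 = Domains Distinguished Name, $5 = filter.
# Needs ldapsearch on PATH and network access, so it is not run automatically.
check_login_filter() {
    ldapsearch -LLL -x -H "$1" -D "$2" -y "$3" -b "$4" -s sub "$5" dn memberOf
}

# Usage (assumed values):
#   f=$(build_login_filter sAMAccountName jsmith \
#         '(memberOf=CN=JAWSUSERS,CN=SCHEDULERS,DC=TERMALABS,DC=NET)')
#   check_login_filter ldaps://dc1.termalabs.net:636 \
#         'CN=jawsuser01,CN=Users,DC=TERMALABS,DC=NET' /etc/aai/ldap.pw \
#         'DC=TERMALABS,DC=NET' "$f"
# Exactly one entry should come back: zero means the user would be refused,
# more than one means the User Attribute is not unique within the sub-tree.
```

Run the check once with a user name you expect to succeed and once with one you expect to fail; the Test Configuration button only proves that the search account can bind, not that the filter admits the right people.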
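The SSL trust store set-up from step 6, as an added POSIX shell example that is not Automic's tooling: it imports each LDAPS server's certificate under its own alias, so that repeating the import for a second server or for a renewed certificate does not fail, and updates the .vmoptions file without leaving duplicate entries. The store path /opt/aai/jawsKeys, the .vmoptions file name and the host names are assumptions.

```shell
#!/bin/sh
# Added example, not Automic's own tooling: import each LDAPS server's certificate
# into the AAI trust store under a unique alias and point the JVM at that store.
# Paths such as /opt/aai/jawsKeys and the host names are assumptions.
set -eu

# One alias per server. keytool's default alias is "mykey", which can exist only
# once, so a second import without -alias fails with "alias already exists".
derive_alias() {
    printf 'ldap-%s-%s\n' "$1" "$2" | tr 'A-Z' 'a-z'
}

# Fetch the certificate the server presents on its LDAPS port and import it,
# replacing an older copy under the same alias (for example after a renewal).
# Needs openssl and keytool on PATH and network access, so it is not run automatically.
import_ldap_cert() {
    host=$1; port=$2; store=$3; storepass=$4
    alias=$(derive_alias "$host" "$port")
    tmp=$(mktemp)
    # Without -showcerts only the leaf certificate is printed; -servername sends SNI.
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$tmp"
    grep -q 'BEGIN CERTIFICATE' "$tmp"   # abort (set -e) if nothing was fetched
    if keytool -list -keystore "$store" -storepass "$storepass" -alias "$alias" >/dev/null 2>&1; then
        keytool -delete -keystore "$store" -storepass "$storepass" -alias "$alias"
    fi
    keytool -importcert -noprompt -keystore "$store" -storepass "$storepass" \
        -alias "$alias" -file "$tmp"
    rm -f "$tmp"
}

# Set a -D option in a .vmoptions file, replacing any existing line for the same
# key so that repeated runs do not leave duplicate, conflicting entries.
set_vmoption() {
    file=$1; key=$2; value=$3
    touch "$file"
    tmp=$(mktemp)
    grep -v "^-D$key=" "$file" > "$tmp" || true   # grep exits 1 when nothing is left
    printf -- '-D%s=%s\n' "$key" "$value" >> "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Point the AAI JVM at the trust store. javax.net.ssl.trustStore replaces the JVM's
# default cacerts for every TLS connection this JVM makes, not only LDAP.
configure_truststore() {
    vmoptions=$1; store=$2; storepass=$3
    set_vmoption "$vmoptions" javax.net.ssl.trustStore "$store"
    set_vmoption "$vmoptions" javax.net.ssl.trustStorePassword "$storepass"
    chmod 600 "$vmoptions"   # the store password is in clear text in this file
}

# Usage (assumed values), followed by a JBoss restart:
#   for h in dc1.termalabs.net dc2.termalabs.net; do
#       import_ldap_cert "$h" 636 /opt/aai/jawsKeys "$STOREPASS"
#   done
#   configure_truststore /opt/aai/aai.vmoptions /opt/aai/jawsKeys "$STOREPASS"
#   keytool -list -keystore /opt/aai/jawsKeys -storepass "$STOREPASS"   # verify the aliases
```

If you prefer to trust the issuing CA rather than each server certificate, import the CA certificate once under its own alias instead of calling import_ldap_cert per server; server certificate renewals then need no change on the AAI side.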

See also:

Domains