Sample Active Directory configuration settings for Delegate mode


The following table lists the configuration settings required for Active Directory Delegate mode configuration. These settings are described more generically in App_Service and Admin

Whenever possible, BMC recommends that you use the security configuration tool to configure the relevant settings and java keystores.

Configuration and description

jaas_config_file=jetty/ADS_DS_jaas.config

Required to configure the Java Authentication and Authorization Service (JAAS) configuration to use Active Directory Delegate mode.

The value indicates a JAAS configuration file, relative to the install directory. The JAAS configuration file itself requires no change.

ldap_schema=Delegate

Required to configure Active Directory Delegate mode.

ads_domainname

The domain name of the Active Directory domain.

Example: sample.com

This is only used when configuring Active Directory security.

ads_hostname

The Active Directory host name.

Example: ad.sample.com

The fully qualified host names of one or more Active Directory Domain Controllers (space separated) or, if the Domain Controllers are resolved through the domain name, that domain name.

ads_base_fqdn

Active Directory Fully Qualified Domain Name

Example: DC=ad,DC=sample,DC=com

This must match the distinguishedName of your Active Directory Domain.

ads_port=636

The LDAP(S) port of the Active Directory server.

  • If using SSL to connect to Active Directory, set to 636.
  • If not using SSL, set to 389 (configured using the ads_security setting).

ads_security=SSL

Configures the security protocol used to connect to Active Directory.

Set to NONE, SSL, SASL, or SSL+SASL (this setting determines the ads_port value in the previous row).

ads_trust_policy=trustNone

Configures the handling of Active Directory security certificates.

The value trustAll allows connection to Active Directory regardless of the security certificate it presents. This is the least secure option.

The value trustNone allows connection to Active Directory only if the security certificate it presents is available in the truststore (configured using the javax.net.ssl.trustStore settings). This is the most secure option.

javax.net.ssl.trustStore

A java keystore file that contains the trusted certificates for all directories.

This keystore must always contain the certificate for the internal LDAP directory. That certificate is added to the keystore when it is generated during the install (using an alias of "com.bmc.mmpa.ldaps").

If a trust policy of "trustNone" is configured, this keystore must also contain the Active Directory trusted certificates.

Those certificates can be imported using the java keytool (see Obtaining-and-installing-an-Active-Directory-server-private-certificate-on-a-client-system).

javax.net.ssl.trustStorePassword

The password for the java keystore file.

This password may be in clear text, or it may be obfuscated using "Cryptor" format encoding from mqsusertool.

ldap_port=15008

A network port used for the internal LDAP server.

The internal LDAP server is required for Active Directory Delegate mode.

ldaps_port=15011

A network port used for the internal LDAP server.

The internal LDAP server is required for Active Directory Delegate mode.

ldaps_keystore=ldapsKeystore.jks

A java keystore file that contains the keys and certificates for the internal LDAP server.

The keys and certificate are added to the keystore when they are generated during the install.

The internal LDAP server is required for Active Directory Delegate mode.

ldaps_keystore_password

The password for the java keystore file.

This password may be in clear text, or it may be obfuscated using "Cryptor" format encoding from mqsusertool.


tsma_ldap_*

A set of keywords that correspond to the Security values configured for TSMA LDAP_LDAP mode. See the TSMA documentation for examples.

ldap_user

A common name (CN) used to define the LDAP Manager DN Security value configured for TSMA LDAP_LDAP mode.
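An added consistency check for the settings in the table above (example code, not part of this BMC documentation or the product): it parses the settings from a key=value file and flags the combinations the table warns about, such as an ads_port that does not match ads_security or a trust policy of trustAll. The sample file and the key=value layout are constructed assumptions.

```python
from typing import Dict, List

# Constructed sample (assumed key=value layout) with two deliberate problems:
# ads_port does not match ads_security, and ads_trust_policy is trustAll.
SAMPLE_CONFIG = """\
jaas_config_file=jetty/ADS_DS_jaas.config
ldap_schema=Delegate
ads_domainname=sample.com
ads_hostname=ad.sample.com
ads_base_fqdn=DC=ad,DC=sample,DC=com
ads_port=389
ads_security=SSL
ads_trust_policy=trustAll
javax.net.ssl.trustStore=truststore.jks
ldap_port=15008
ldaps_port=15011
ldaps_keystore=ldapsKeystore.jks
"""
# Port that each ads_security value pairs with, per the table above.
EXPECTED_PORT = {"NONE": "389", "SASL": "389", "SSL": "636", "SSL+SASL": "636"}
REQUIRED = ("jaas_config_file", "ldap_schema", "ads_domainname", "ads_hostname",
            "ads_base_fqdn", "ads_port", "ads_security", "ads_trust_policy")

def parse_properties(text: str) -> Dict[str, str]:
    """Split each line on the first '=' only: values such as
    DC=ad,DC=sample,DC=com contain '=' themselves."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            props[key.strip()] = value.strip()
    return props

def check_delegate_config(props: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means the settings are consistent."""
    findings = [f"missing required setting: {k}" for k in REQUIRED if k not in props]
    if props.get("ldap_schema") != "Delegate":
        findings.append("ldap_schema must be Delegate for Delegate mode")
    security = props.get("ads_security", "")
    expected = EXPECTED_PORT.get(security)
    if expected is None:
        findings.append(f"ads_security has unknown value {security!r}")
    elif props.get("ads_port") != expected:
        findings.append(f"ads_port={props.get('ads_port')} does not match "
                        f"ads_security={security} (expected {expected})")
    if props.get("ads_trust_policy") == "trustAll":
        findings.append("ads_trust_policy=trustAll accepts any AD certificate; "
                        "use trustNone with the AD certificates in the truststore")
    if props.get("ads_trust_policy") == "trustNone" and "javax.net.ssl.trustStore" not in props:
        findings.append("trustNone requires javax.net.ssl.trustStore to be set")
    return findings
```

Running it on the sample returns two findings (the port mismatch and the trustAll policy); correcting those two values returns an empty list.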
