Integrating BMC Cloud Lifecycle Management with LDAP/Active Directory
This topic describes how to integrate BMC Cloud Lifecycle Management with Lightweight Directory Access Protocol (LDAP) for authentication purposes. This topic assumes that the BMC Remedy Action Request System server is installed with the AREA LDAP plug-in and that the end user has the BMC Remedy User tool installed and Administrator privileges.
LDAP provides a standard method for accessing information from a central directory. A common use for LDAP is user authentication. AR System provides the following LDAP plug-ins:
- AR System Database Connectivity (ARDBC) LDAP - Accesses data objects stored in a directory service as if they were entries stored in a typical AR System form.
- AR External Authentication (AREA) LDAP - Authenticates AR System users against external LDAP directory services.
This topic describes how you can configure BMC Cloud Lifecycle Management to use the AR External Authentication (AREA) LDAP plug-in to authenticate users to BMC Cloud Lifecycle Management.
Before you begin
Before you begin, collect the following information from the LDAP/Active Directory side; these values are entered in the AR System configuration forms.
AREA LDAP Config Attribute
- Host name: The host name of the system on which the directory service is hosted.
- Bind user: The distinguished name (DN) of the user account that the AREA LDAP plug-in uses to find the user object using the User Search filter. This account only needs read access to the user and group subtrees; do not use a directory administrator account for it.
- Bind password: The password of the user account that the AREA LDAP plug-in uses to find the user object using the User Search filter.
- Port number: The port number on which the directory service is listening.
- Use Secure Socket Layer: Establishes a secure socket layer (SSL) connection to the directory service. The values are T (true) and F (false). If you use LDAP over SSL, you must also specify the certificate database used to establish the connection. Without SSL, the bind password and the password of every authenticating user are sent to the directory in clear text by the simple bind.
- Certificate database: The directory name of the certificate database. The cert8.db and key3.db certificate database files are in this directory. If the directory is not specified, the LDAP plug-in looks under the AR System installation directory for these files. This path is used only when Use Secure Socket Layer is set to T (true).
- Failover time out (AREA-LDAP-Connect-Timeout): Specifies the number of seconds that the plug-in waits to establish a connection with the directory service. The minimum value is 0, in which case the connection must be immediate. The maximum value is the External-Authentication-RPC-Timeout setting. If the Failover time out setting is not specified, the default is the value of the External-Authentication-RPC-Timeout setting (30 seconds by default).
- Chase referrals: Enables automatic referral chasing by the LDAP client. The options are T (true) and F (false). By default, referrals are not chased (F). This option is for Microsoft Active Directory only.
- User base (AREA-LDAP-User-Base): Base name of the search for users in the directory service (for example, o=remedy.com).
- User Search Filter: The LDAP search filter used to locate the user in the directory from the base that the AREA-LDAP-User-Base option specifies. The following keywords are used to substitute runtime parameters into this option. Note that the backward slash (\) is necessary.
- Group membership: Retrieves the group information from the LDAP server. If this parameter is not set, the group information from the AR System Group form is used.
- Group Search filter: The LDAP search filter used to locate the groups to which this user belongs. The following keywords are used to substitute runtime parameters into this option.
- Default group: Default groups to which the user belongs if no group information is available from the directory service. If there are multiple groups, use a semicolon to separate them.
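The following Python model, added here as an illustration and not code from the AREA LDAP plug-in or from BMC, walks through what the attributes above are used for at login time: the plug-in binds with the bind user, searches under the user base with the User Search Filter (login name substituted), binds again as the entry it found with the password the user typed, and then runs the Group Search filter, falling back to the default groups when nothing comes back. The directory, the configuration values and the keyword names $\USER$ (login name) and $\DN$ (DN of the located user) are all assumptions constructed for the example. It also shows the two checks a practitioner wants around this flow: the substituted login name is escaped per RFC 4515 so that an input such as jdoe)(objectClass=* cannot rewrite the filter, and a blank password is refused before binding, because an LDAP simple bind with an empty password is an anonymous bind that succeeds.

```python
import re

# Constructed in-memory directory standing in for Active Directory (sample data only).
# Passwords are kept in clear here purely so the model can evaluate a simple bind.
DIRECTORY = {
    "CN=svc-arsystem,OU=Service Accounts,DC=example,DC=com": {
        "sAMAccountName": ["svc-arsystem"], "userPassword": ["Sv(Bind)Pass"]},
    "CN=Jane Doe,OU=Users,DC=example,DC=com": {
        "sAMAccountName": ["jdoe"], "userPassword": ["J@ne2024"]},
    "CN=Bob Roe,OU=Users,DC=example,DC=com": {
        "sAMAccountName": ["broe"], "userPassword": ["B0bPass!"]},
    "CN=CLM Admins,OU=Groups,DC=example,DC=com": {
        "cn": ["CLM Admins"], "member": ["CN=Jane Doe,OU=Users,DC=example,DC=com"]},
}

# Values of the kind entered in the AREA LDAP configuration form (assumed example values).
# $\USER$ (login name) and $\DN$ (DN of the located user) are assumed keyword names.
CONFIG = {
    "bind_dn": "CN=svc-arsystem,OU=Service Accounts,DC=example,DC=com",
    "bind_password": "Sv(Bind)Pass",
    "user_base": "OU=Users,DC=example,DC=com",
    "user_filter": "(sAMAccountName=$\\USER$)",
    "group_base": "OU=Groups,DC=example,DC=com",
    "group_filter": "(member=$\\DN$)",
    "default_groups": "CLM End User;Public",
}


def escape_filter_value(value):
    """RFC 4515 escaping for a runtime value spliced into a search filter.

    Without this, a login name such as 'jdoe)(objectClass=*' rewrites the filter.
    """
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def render_filter(template, **params):
    """Replace $\\NAME$ keywords in a configured filter with escaped runtime values."""
    return re.sub(r"\$\\([A-Z]+)\$",
                  lambda m: escape_filter_value(params[m.group(1)]), template)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def search(base, filt):
    """Subtree search for the model: one equality filter, e.g. (sAMAccountName=jdoe)."""
    m = re.fullmatch(r"\((\w+)=([^()]*)\)", filt)
    if not m:
        raise ValueError("filter not supported by this model: %r" % filt)
    attr, want = m.group(1).lower(), _unescape(m.group(2)).lower()
    hits = []
    for dn, attrs in DIRECTORY.items():
        if not dn.lower().endswith(base.lower()):
            continue
        for name, values in attrs.items():
            if name.lower() == attr and want in (v.lower() for v in values):
                hits.append(dn)
    return hits


def bind(dn, password):
    """Simple bind. An empty password is refused explicitly: a real LDAP server
    treats it as an anonymous bind that succeeds, which would let any login through."""
    if not password:
        return False
    entry = DIRECTORY.get(dn)
    return bool(entry) and password in entry.get("userPassword", [])


def authenticate(user, password, config=CONFIG):
    """The AREA LDAP sequence: service bind, user search, user bind, group lookup.
    Returns {'dn': ..., 'groups': [...]} on success and None on any failure."""
    if not bind(config["bind_dn"], config["bind_password"]):
        raise RuntimeError("bind account rejected; check the bind user DN and password")
    found = search(config["user_base"], render_filter(config["user_filter"], USER=user))
    if len(found) != 1:          # zero hits: unknown user; several: ambiguous filter
        return None
    user_dn = found[0]
    if not bind(user_dn, password):
        return None
    group_dns = search(config["group_base"], render_filter(config["group_filter"], DN=user_dn))
    groups = [DIRECTORY[g]["cn"][0] for g in group_dns]
    if not groups:               # no group information: fall back to the default groups
        groups = [g.strip() for g in config["default_groups"].split(";") if g.strip()]
    return {"dn": user_dn, "groups": groups}


if __name__ == "__main__":
    print(authenticate("jdoe", "J@ne2024"))
    print(authenticate("jdoe)(objectClass=*", "J@ne2024"))
```

The same four steps can be rehearsed against the real directory with ldapsearch before anything is typed into the form: bind as the bind user over the port and SSL setting you intend to configure, run the User Search Filter with a real login name substituted under the user base, and confirm that exactly one entry comes back; then run the Group Search filter with that entry's DN. A filter that returns zero or several entries will fail every login once the plug-in is enabled.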
To configure LDAP Information in the LDAP Configuration form
- Launch the BMC Remedy User tool by navigating to Start > Programs > BMC Software > BMC Remedy User.
- Enter the user name and password. In this example, the user is Demo and the password is clmAdm1n.
- Click Accounts, select the server (in this example, clm-itsm), and click OK.
- The IT Home page is displayed for the Demo user. Click the AR System Administration Console link. This link is only available for Administrator users. The AR System Administration Console is displayed.
- Expand the Navigation options on the left and select System > LDAP > AREA configuration.
- The AREA LDAP configuration form is displayed. Scroll down to the Configuration section and provide the LDAP information described in the attribute table under Before you begin.
The following settings reflect an example implementation.
- Password for the bind user
- User Search Filter
- Click Save Current Configuration to save the information to the AR System server. The current configuration is displayed in the Configuration List table.
To configure AR System server to use LDAP to authenticate
After you provide the LDAP information in the AREA LDAP configuration form, configure the AR System server to use the AREA LDAP plug-in for authentication:
- From the IT Home Page, select AR System Administration Console > Server Information.
- Navigate to the EA tab.
- Set External Authentication Server RPC Program Number to 390695.
- Set External Authentication Server Timeout (Seconds) as follows:
  - RPC: 90
  - Need to Sync: 300
- Select Authenticate Unregistered Users and Cross Reference Blank Password.
  - When Authenticate Unregistered Users is selected, AR System first attempts to find the user in the User form. If the user exists in the User form, AR System attempts authentication through that form. If the user does not exist in the User form, AR System attempts authentication through the AREA plug-in.
  - When Cross Reference Blank Password is selected, AR System attempts to authenticate through the User form if the user provides a password. If the user and password match a record in the User form, the user passes authentication. If the user does not provide a password, AR System attempts to cross-reference the user with an external system through the AREA plug-in.
- Set Authentication Chaining Mode to ARS-AREA, which instructs the server to authenticate the user by using the User form and then the AREA plug-in. The other Authentication Chaining Mode options are:
  - AREA-ARS: AR System attempts to authenticate the user by using the AREA plug-in and then the User form.
  - ARS-OS-AREA: AR System attempts to authenticate the user by using the User form, then Windows or UNIX authentication, and then the AREA plug-in.
  - ARS-AREA-OS: AR System attempts to authenticate the user by using the User form, then the AREA plug-in, and then Windows or UNIX authentication.
  - Off: Disables authentication chaining.
- Restart the AR System server for the changes to take effect.
For more information, refer to the BMC Remedy Action Request System online technical documentation.
Related BMC Communities blog entry
The following link provides supplemental information available from a blog entry in BMC Cloud Lifecycle Management Communities: