Integrating BMC Cloud Lifecycle Management with LDAP/Active Directory
This topic describes how to integrate BMC Cloud Lifecycle Management with Lightweight Directory Access Protocol (LDAP) for authentication purposes. This topic assumes that the BMC Remedy Action Request System Server is installed with the AREA LDAP plug-in and that the end user has the BMC Remedy User tool installed and Administrator privileges.
LDAP provides a standard method for accessing information from a central directory. A common use for LDAP is user authentication. AR System provides the following LDAP plug-ins:
- AR System Database Connectivity (ARDBC) LDAP - Accesses data objects stored in a directory service as if they were entries stored in a typical AR System form. For details, see Configuring the ARDBC LDAP plug-in.
- AR External Authentication (AREA) LDAP - Authenticates AR System users against external LDAP directory services. For details, see Setting external authentication options.
This topic describes how to configure BMC Cloud Lifecycle Management to use the AREA LDAP plug-in to authenticate its users.
Before you begin
Before you start, collect the following information from the LDAP administrator; it is entered into the AR System configuration forms described below.
AREA LDAP Config Attribute
- The host name of the system on which the directory service is hosted.
- The distinguished name (DN) of the user account that the AREA LDAP plug-in binds with to find the user object using the User Search filter.
- The password of the user account that the AREA LDAP plug-in binds with to find the user object using the User Search filter.
- The port number on which the directory service is listening.
- Use Secure Socket Layer - Establishes a secure socket layer (SSL) connection to the directory service. The values are T (true) and F (false). If you use LDAP over SSL, you must also specify the file name of the certificate database used to establish the connection. Without SSL, the bind password and the passwords of authenticating users travel to the directory service in clear text.
- The directory name of the certificate database. The cert8.db and key3.db certificate database files are in this directory. If the directory is not specified, the LDAP plug-in looks for these files under the AR System installation directory. This path is used only when ARDBC-LDAPUsingSSL is set to T (true).
- Failover time out - Specifies the number of seconds that the plug-in waits to establish a connection with the directory service. The minimum value is 0, in which case the connection must be immediate. The maximum value is the External-Authentication-RPC-Timeout setting. If the Failover time out (AREA-LDAP-Connect-Timeout) setting is not specified, it defaults to the value of the External-Authentication-RPC-Timeout setting (30 seconds by default).
- Enables automatic referral chasing by the LDAP client. The options are T (true) and F (false). By default, referrals are not chased (F). This option applies to Microsoft Active Directory only.
- Base name of the search for users in the directory service (for example, o=remedy.com).
- User Search Filter - The LDAP search filter used to locate the user in the directory, starting from the base that the AREA-LDAP-User-Base option specifies. The following keywords are used to substitute runtime parameters into this option. Note that the backslash (\) is necessary.
- Retrieves the group information from the LDAP server. If this parameter is not set, the group information from the AR System Group form is used.
- Group Search filter - The LDAP search filter used to locate the groups to which this user belongs. The following keywords are used to substitute runtime parameters into this option.
- Default groups to which the user belongs if no group information is available from the directory service. If there are multiple groups, separate them with semicolons.
To configure LDAP Information in the LDAP Configuration form
- From your browser, use the BMC Remedy Mid Tier URL to log on to the AR System server (in this example, clm-itsm) with the Demo credentials (for example, Demo and no password).
- From the list of applications on the IT Home page, select Applications > AR System Administration > AR System Administration Console. This link is only available for Administrator users.
- Expand the Navigation options on the left and select System > LDAP > AREA configuration. The AREA LDAP configuration form is displayed.
- Scroll down to the Configuration Detail section and provide the LDAP information, as shown in the table following the figure. The settings shown there reflect an example implementation, including the Password for the bind user and the User Search Filter.
- Click Save Current Configuration to save the information to the AR System server. The current configuration is displayed in the Configuration List table.
To configure AR System server to use LDAP authentication
After providing the LDAP information in the LDAP configuration form, the AR System server needs to be configured to work with the AREA LDAP plug-in for authentication, as described in the following steps.
- From the IT Home Page, select AR System Administration Console > Server Information.
- Navigate to the EA tab.
- Set the External Authentication Server RPC Program Number to 390695.
- Set External Authentication Server Timeout (Seconds) to the following:
- RPC - 90
- Need to Sync - 300
- Select Authenticate Unregistered Users and Cross Reference Blank Password.
- When the Authenticate Unregistered Users option is selected, AR System first attempts to find the user in the User form. If the user exists in the User form, AR System attempts authentication through that form. If the user does not exist in the User form, AR System attempts authentication through the AREA plug-in.
- When the Cross Reference Blank Password option is selected, AR System attempts to authenticate through AREA LDAP. For this to work properly, make sure that the user’s password is set in AREA LDAP and no password is set on the User form in AR System. Then, if the user provides the password when logging in, the user will be successfully authenticated. (If the user does not enter a password, the login attempt will be rejected.)
- Set Authentication Chaining Mode to ARS-AREA, which instructs the server to authenticate the user by using the User form and then the AREA plug-in. The other Authentication Chaining Mode options are:
- AREA-ARS - AR System attempts to authenticate the user by using the AREA plug-in and then the User form.
- ARS-OS-AREA - AR System attempts to authenticate the user by using the User form, then Windows or UNIX authentication, and then the AREA plug-in.
- ARS-AREA-OS - AR System attempts to authenticate the user by using the User form, then the AREA plug-in, and then Windows or UNIX authentication.
- Off - Disables authentication chaining.
- Restart the AR Server for the changes to take effect.
For more information, see Configuring the AREA LDAP plug-in.
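The Authenticate Unregistered Users, Cross Reference Blank Password and Authentication Chaining Mode settings above interact when deciding which source handles a login. The following Python model is an added example, not AR System code: the AREA LDAP and OS authenticators are stubbed callables, and the treatment of the Off mode (only the first applicable source is consulted) is an assumption.

```python
"""Added illustrative model of the EA-tab rules above; not AR System code.
Assumption: in "Off" mode only the first applicable source is consulted."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Order in which the sources are consulted for each Authentication Chaining Mode.
CHAIN_ORDER = {
    "ARS-AREA": ["ARS", "AREA"],
    "AREA-ARS": ["AREA", "ARS"],
    "ARS-OS-AREA": ["ARS", "OS", "AREA"],
    "ARS-AREA-OS": ["ARS", "AREA", "OS"],
    "Off": ["ARS", "AREA"],
}

@dataclass
class EASettings:
    chaining_mode: str = "ARS-AREA"
    authenticate_unregistered_users: bool = True
    cross_reference_blank_password: bool = True

Backend = Callable[[str, str], bool]  # stub for AREA LDAP / OS authentication

def authenticate(login: str, password: str, settings: EASettings,
                 user_form: Dict[str, str], backends: Dict[str, Backend]
                 ) -> Tuple[bool, List[str]]:
    """Return (accepted, trail of sources consulted).
    user_form maps login -> User form password; "" is a blank password,
    a missing login is an unregistered user."""
    record: Optional[str] = user_form.get(login)
    trail: List[str] = []
    for source in CHAIN_ORDER[settings.chaining_mode]:
        if source == "ARS":
            if not record:  # unregistered or blank: the User form cannot decide
                continue
            ok = password == record
        elif source == "AREA":
            if record is None and not settings.authenticate_unregistered_users:
                continue  # unregistered users are not passed to AREA
            if record == "" and not settings.cross_reference_blank_password:
                continue  # blank User form password is not cross-referenced
            # A login with no password is rejected rather than passed to AREA.
            ok = bool(password) and backends["AREA"](login, password)
        else:
            ok = backends["OS"](login, password)
        trail.append(f"{source}:{'ok' if ok else 'fail'}")
        if ok or settings.chaining_mode == "Off":
            return ok, trail
    return False, trail
```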
When you provision an AWS instance with LDAP authentication, the user role that enrolls the server in BMC Server Automation must be "BLAdmins" only. If the enrolling role is not "BLAdmins", AWS provisioning fails with the following message:
Failed to auto-enroll the Virtual Guest: Error: Unable to find property with name CLM_ONBOARD_AUTO_ENROLLED in class Server
If the role is anything other than "BLAdmins" (even a role that carries the "BLAdmins" role permission), disable the Enroll Server option in the Providers workspace for AWS in BMC Cloud Lifecycle Management, and enroll the AWS server manually after provisioning succeeds.
To configure point products to use LDAP authentication
The following component products integrate with BMC Cloud Lifecycle Management; their LDAP configuration is described in each product's online technical documentation:
- BMC Atrium Orchestrator
- BMC Network Automation
- BMC Server Automation
To configure BMC Cloud Lifecycle Management for LDAP users of point products
Perform the following steps to configure BMC Cloud Lifecycle Management to use LDAP authentication for point products:
- Stop the CSM service.
- Update the user name for the AR system administrator in the cloudservices.json file.
- Update the user name, role, and authentication type for BMC Server Automation in the providers.json file.
- Update user names in the providers.json file for the following products:
- BMC Atrium Orchestrator
- BMC Network Automation
- Start the CSM service.
Related BMC Communities blog entries
The following link provides supplemental information available from a blog entry in BMC Cloud Lifecycle Management Communities: