Integrating BMC Cloud Lifecycle Management with LDAP/Active Directory

This topic was edited by a BMC Contributor and has not been approved.  More information.

 

This topic describes how to integrate BMC Cloud Lifecycle Management with Lightweight Directory Access Protocol (LDAP) for authentication purposes. This topic assumes that the BMC Remedy Action Request System Server is installed with the AREA LDAP plug-in and that the end user has the BMC Remedy User tool installed and Administrator privileges.


Overview

LDAP provides a standard method for accessing information from a central directory. A common use for LDAP is user authentication. AR System provides the following LDAP plug-ins:

This topic describes how you can configure BMC Cloud Lifecycle Management to use the AR External Authentication AREA LDAP to authenticate users to BMC Cloud Lifecycle Management. 

Before you begin

Before beginning with this document, you will need the following information from the LDAP side so as to be set up in the AR System configuration forms.

AREA LDAP Config Attribute

Description

Host Name

The host name of the system on which the directory service is hosted.

Bind-User

The distinguished name (DN) of the user account that the AREA LDAP plug-in uses to find the user object using the User Search filter.

Bind-Password

The password of the user account that the AREA LDAP plug-in uses to find the user object using the User Search filter.

Port Number

The port number on which the directory service is listening.

Use Secure Socket Layer

Establishes a secure socket layer (SSL) connection to the directory service. The values are T (true) and F (false). If you use LDAP over SSL, then you must also specify the file name of the certificate database used to establish the connection.

Certificate Database

The directory name of the certificate database. The cert8.db and key3.db certificate database files are in this directory. If the directory is not specified, the LDAP plug-in looks under the AR System installation directory for these files. This path is used only when ARDBC-LDAPUsingSSL is set to T (true).

Failover time out

Specifies the number of seconds that the plug-in waits to establish a connection with the directory service. The minimum value is 0, in which case, the connection must be immediate. The maximum value is the External-Authentication-RPC-Timeout setting.

If the Failover time out (AREA-LDAP-Connect-Timeout) setting is not specified, the default value is set to the value of External-Authentication-RPC-Timeout setting (the default is 30 seconds).

Chase Referrals

Enables automatic referral chasing by LDAP client. The options are T (true) and F (false). By default, referrals are not chased (F). This option is for Microsoft Active Directories only.

User Base

Base name of the search for users in the directory service (for example, o=remedy.com).

User Search Filter

The LDAP search filter used to locate the user in the directory from the base that the AREA-LDAP-User-Base option specifies. The following keywords are used to substitute runtime parameters into this option. Note that the backwards slash () is necessary.

  • $\USER$—The user's login name.

    As suggested in To configure LDAP Information in the LDAP Configuration form below, make sure that the filter is set to:

      

    "sAMAccountName=$\USER$"

     
  • Name and User Search Filter.
  • $\AUTHSTRING$—The value that the user enters into the Authentication String field at the time they log in.
  • $\NETWORKADDR$—The IP address of the AR System client accessing the AR System server.

Group

Retrieves the group information from the LDAP server. If this parameter is not set, the group information from AR System Group form is used.

Group Search filter

The LDAP search filter used to locate the groups to which this user belongs. The following keywords are used to substitute runtime parameters into this option.

Default Group

Default groups to which the user belongs if no group information is available from the directory service. If there are multiple groups, use a semicolon to separate one from another.

To configure LDAP Information in the LDAP Configuration form

  1. From your browser, use the BMC Remedy Mid Tier URL to log on to the AR System server (in this example, clm-itsmwith the Demo credentials (for example, Demo and no password). 

  2. From the list of applications on the IT Home page, select Applications > AR System Administration > AR System Administration Console.
    This link is only available for Administrator users.

  3. Expand the Navigation options on the left and select System > LDAP > AREA configuration.

    The AREA LDAP configuration form is displayed. 
  4. Scroll down to the Configuration Detail section and provide the information related to LDAP, as shown in the table following the figure.

    The following settings reflect an example implementation.

    AttributeValue

    Server

    10.6.10.13

    Port

    389

    Bind User

    Production\ARAdmin

    Bind Password

    Password for the bind user

    Domain Component

    dc=prod,dc=abc,dc=lan

    User Search Filter

    sAMAccountName=$\USER$

    Use SSL

    No

    Chase Referral

    No

    Group Membership

    None

  5. Click Save Current Configuration to save the information to the AR System server.The current configuration will be displayed in the Configuration List table.

To configure AR System server to use LDAP authentication

After providing the LDAP information in the LDAP configuration form, the AR System server needs to be configured to work with the AREA LDAP plug-in for authentication, as described in the following steps.

  1. From the IT Home Page, select AR System Administration Console > Server Information. 
  2. Navigate to the EA tab.
  3. Set the External Authentication Server RPC Program Number as 390695
  4. Set External Authentication Server Timeout (Seconds) to the following:
    • RPC - 90
    • Need to Sync - 300
  5. Select Authenticate Unregistered Users and Cross Reference Blank Password
    • When the Authenticate Unregistered Users option is selected, AR System first attempts to find the user in the User form. If the user exists in the User form, AR System attempts authentication through that form. If the user does not exist in the User form, AR System attempts authentication through the AREA plug-in.
    • When the Cross Reference Blank Password option is selected, AR System attempts to authenticate through AREA LDAP. For this to work properly, make sure that the user’s password is set in AREA LDAP and no password is set on the User form in AR System. Then, if the user provides the password  when logging in, the user will be successfully authenticated. (If the user does not enter a password, the login attempt will be rejected.)
  6. Set Authentication Chaining Mode as ARS-AREA, which instructs the server to authenticate the user by using the User form and then the AREA plug-in. Other Authentication chaining mode options are:
    • AREA – ARS - AR System attempts to authenticate the user by using the AREA plug-in and then the User form.
    • ARS - OS – AREA - AR System attempts to authenticate the user by using the User form, then Windows or UNIX authentication, and then the AREA plug-in.
    • ARS - AREA – OS - AR System attempts to authenticate the user by using the User form, then the AREA plug-in, and then Windows or UNIX authentication.
    • Off - Disables authentication chaining.
  7. Restart the AR Server for the changes to take effect.

For more information, see Creating user instructions and  Configuring the AREA LDAP plug-in.

Note

When you provision an AWS instance with LDAP authentication, the user role enrolling the server in BMC Server Automation must be "BLAdmins" only. If the user role enrolling the server in BMC Server Automation is not "BLAdmins", AWS provisioning fails with the Failed to auto-enroll the Virtual Guest: Error: Unable to find property with name CLM_ONBOARD_AUTO_ENROLLED in class Server message.

Workaround:

When the role is other than "BLAdmins" (having "BLAdmins" role permission), disable the Enroll Server option in the Providers workspace for AWS in BMC Cloud Lifecycle Management. After provisioning is successful, enroll the AWS server manually.

To configure point products to use LDAP authentication

The following table includes links for configuring various products that integrate with BMC Cloud Lifecycle Management:

To configure BMC Cloud Lifecycle Management for LDAP users of point products

Perform the following steps to configure BMC Cloud Life Cycle Management to use LDAP authentication for point products:

  1. Stop the CSM service.
  2. Update the user name for the AR system administrator in the cloudservices.json file.
  3. Update the user name, role, and authentication type for BMC Server Automation in the providers.json file.
  4. Update user names in the providers.json file for the following products:
    1. BMC Atrium Orchestrator
    2. BMC Network Automation
  5. Start the CSM Service.

Related BMC Communities blog entries

The following link provides supplemental information available from a blog entry in BMC Cloud Lifecycle Management Communities:

Using AREA LDAP to simplify account authentication in BMC Cloud Lifecycle Management

Was this page helpful? Yes No Submitting... Thank you

Comments