Unsupported content

This version of the documentation is no longer supported. However, the documentation is available for your convenience.

Configuring LDAP authentication

Use this procedure to configure the Authentication Server so that it can perform LDAP authentication. For information about configuring LDAP with different types of directory servers, see the following topics:

To configure the Authentication Server for LDAP authentication

  1. On the reports server, set up a trust store for X.509 certificates: navigate to the BDSSAInstallationDirectory\bin (Windows) or BDSSAInstallationDirectory/br (UNIX) directory, and do the following:
    1. Provision a trust store with X.509 certificates, either by adding certificates from individual LDAP servers or by importing a certificate from a PEM file. To provision a trust store, use the blcred utility.
      For example, to add the certificate for an LDAP server called ldap1.mycompany.com that accepts StartTLS on port 389, use the following blcred command:

      blcred -x ldapTrustStore.pkcs12 cert -add -host ldap1.mycompany.com:389 -protocol ldap

      Because the certificate is fetched from the live server, compare its fingerprint with a value obtained out of band (for example, from the directory administrator) before relying on it; otherwise the trust store simply records whatever certificate was presented at that moment.
    2. To identify the PKCS#12 trust store containing the trusted certificates, enter the following blasadmin command:

      set Ldap TrustStore <storeLocation>

      <storeLocation> is the local path to the trust store, for example the ldapTrustStore.pkcs12 file created in the previous step.

    3. To require that the common name (CN) or a subject alternative name of the certificate matches the fully qualified domain name (FQDN) of the LDAP server, enter the following command:

      set Ldap IsHostValidationEnabled True

      Setting this value to true causes the Authentication Server to reject an X.509 certificate if the FQDN of the LDAP server is not contained in one of the subject alternative names or in the CN. The FQDN being compared is the host part of the configured LDAP server URL, so use that FQDN in the URL rather than a short host name or an IP address. If this value is left false, any certificate in the trust store is accepted for any configured server, so a trusted certificate issued to a different host would pass.
      For more information about X.509 certificates and setting up trust stores, see Certificate trust store.

      Note

      The Authentication Server only reads its certificate store when it starts. If you change the certificate trust store, be sure to restart the Authentication Service.

  2. Start the Application Server Administration console (the blasadmin utility) as follows:
    • (Windows) Navigate to the BDSSAInstallationDirectory\bin directory and enter the following command: blasadmin
    • (UNIX) Navigate to the BDSSAInstallationDirectory/br directory and enter the following command: blasadmin
  3. To identify the LDAP servers, including any servers used for high availability configurations, do the following:
    1. To specify URLs of LDAP servers, enter the following command:

      set Ldap LdapServerURLs <serverList>


      <serverList> is a list of one or more URLs of the form ldap://host:port, for example ldap://ldap1.mycompany.com:389. URLs must point to LDAPv3 servers that support the StartTLS extension (StartTLS upgrades the connection on the plain LDAP port, so use ldap:// URLs). Separate URLs with commas or other delimiters.

    2. To specify the amount of time to wait for an LDAP server to respond before terminating the connection, enter the following command:

      set Ldap ConnectionTimeoutMs <#>

      <#> is the number of milliseconds to wait. In a high availability configuration, this is the time that the service waits for a response from one URL before trying the next URL in the list you provided in the previous step.
      For more information about high availability configurations in LDAP, see High availability configurations.

  4. To define an LDAP distinguished name template, enter the following command:

    set AuthServer LdapUserDnTemplate "<text> {0}<text>"


    <text> represents the distinguished name components that should surround the user name; {0} is replaced with the name the user logs in with. For example, "cn={0},ou=People,dc=mycompany,dc=com" maps the user jsmith to cn=jsmith,ou=People,dc=mycompany,dc=com. See Distinguished names for more information about using a distinguished name template.

  5. To enable LDAP authentication, enter the following command:

    set AuthServer IsLdapAuthEnabled true


    By default LDAP authentication is not turned on.

  6. Restart the Authentication Service.

    Note

    On UNIX, if umask is not set to 022, the Authentication Service will not start. Run the following commands as root from BDSSAInstallationDirectory (the # is the shell prompt, not part of the command) and then start the authentication service. The chmod is needed because umask only affects files created afterwards; it does not correct the permissions of files that already exist:

    #chmod -R 775 br/
    #umask 022
    #cd br
    #./blauthservice start
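The following Python script is an added example and is not part of this documentation or of the product. It models, offline, the checks that the procedure above relies on, so that a proposed LdapServerURLs value and IsHostValidationEnabled setting can be reasoned about before the service is restarted. It assumes that the Authentication Server compares the host part of each configured URL, case-insensitively and without wildcard handling, against the DNS subject alternative names and the CN of the presented certificate (the page states the rule only as "contained in one of the alternative names or the CN"), and it rejects ldaps:// URLs on the assumption that StartTLS is negotiated on the plain ldap port. Certificates are represented in the dictionary layout returned by Python's ssl.SSLSocket.getpeercert(); the three sample certificates and the server list are constructed for the example.

```python
"""Offline pre-flight check for the LDAP settings described above.

Added example, not BMC documentation or product code. Certificates use the
dictionary layout returned by ssl.SSLSocket.getpeercert(); the samples below
are constructed, not captured from a real directory server.
"""
import re
from urllib.parse import urlsplit

# Constructed sample certificates (same shape as ssl.getpeercert()).
CERT_LDAP1 = {
    "subject": ((("commonName", "ldap1.mycompany.com"),),),
    "subjectAltName": (("DNS", "ldap1.mycompany.com"), ("DNS", "ldap1")),
}
CERT_LDAP2 = {
    "subject": ((("commonName", "ldap2.mycompany.com"),),),
    "subjectAltName": (("DNS", "ldap2.mycompany.com"),),
}
CERT_CN_ONLY = {  # older certificate with no subjectAltName extension
    "subject": ((("commonName", "LDAP3.MYCOMPANY.COM"),),),
}


def parse_server_urls(server_list):
    """Split an LdapServerURLs value on commas or whitespace, keeping order.

    Order matters: in a high availability setup each URL is tried for
    ConnectionTimeoutMs before the next one in the list.
    """
    return [u for u in re.split(r"[,\s]+", server_list.strip()) if u]


def url_host_port(url):
    """Return (host, port) for an ldap:// URL; reject other schemes.

    Assumption: ldaps:// is rejected because the server list must name
    LDAPv3 servers that support StartTLS, which runs on the plain ldap port.
    """
    parts = urlsplit(url)
    if parts.scheme != "ldap" or not parts.hostname:
        raise ValueError(f"not an ldap:// URL: {url}")
    return parts.hostname.lower(), parts.port or 389


def cert_names(cert):
    """Collect the DNS subject alternative names plus the CN, lower-cased."""
    names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value.lower())
    return names


def host_matches_cert(fqdn, cert):
    """True if the FQDN is one of the certificate's DNS SANs or its CN.

    Exact, case-insensitive comparison only (assumption: wildcard handling
    by the Authentication Server is not described on the page).
    """
    return fqdn.lower() in cert_names(cert)


def accept_server(url, cert, host_validation_enabled=True):
    """Decide whether the configured server would be accepted.

    With IsHostValidationEnabled False, any certificate that is trusted is
    accepted, so a trusted certificate issued to a different host passes.
    With it True, the host in the URL must appear in the certificate.
    """
    host, _port = url_host_port(url)
    if not host_validation_enabled:
        return True
    return host_matches_cert(host, cert)


def check_config(server_list, presented, host_validation_enabled=True):
    """Map each configured URL to True/False given the certificate it presented."""
    return {
        url: accept_server(url, presented[url], host_validation_enabled)
        for url in parse_server_urls(server_list)
    }


if __name__ == "__main__":
    urls = "ldap://ldap1.mycompany.com:389, ldap://ldap2.mycompany.com:389"
    # The ldap2 URL is answered by a host presenting ldap1's (trusted) cert.
    presented = {"ldap://ldap1.mycompany.com:389": CERT_LDAP1,
                 "ldap://ldap2.mycompany.com:389": CERT_LDAP1}
    print("validation off:", check_config(urls, presented, False))
    print("validation on: ", check_config(urls, presented, True))
```

Running the script shows the failure mode that IsHostValidationEnabled guards against: a host answering the ldap2 URL with ldap1's certificate is accepted when validation is off and rejected when it is on. To apply the same comparison to a live server, retrieve its certificate with openssl s_client -starttls ldap -connect host:389 -showcerts and inspect the names it carries before enabling the setting and restarting the service.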

Where to go from here

Configuring the Authentication Server to refresh LDAP session credentials
