
Integrating BMC Cloud Lifecycle Management with LDAP/Active Directory

This topic describes how to integrate BMC Cloud Lifecycle Management with Lightweight Directory Access Protocol (LDAP) for authentication purposes. This topic assumes that the BMC Remedy Action Request System Server is installed with the AREA LDAP plug-in and that the end user has the BMC Remedy User tool installed and Administrator privileges.


Overview

LDAP provides a standard method for accessing information from a central directory. A common use for LDAP is user authentication. AR System provides the following LDAP plug-ins:

  • AR System Database Connectivity (ARDBC) LDAP - Accesses data objects stored in a directory service as if they were entries stored in a typical AR System form. For details, see Configuring the ARDBC LDAP plug-in.
  • AR System External Authentication (AREA) LDAP - Authenticates AR System users against accounts held in a directory service. For details, see Configuring the AREA LDAP plug-in.

This topic describes how to configure BMC Cloud Lifecycle Management to use the AREA LDAP plug-in to authenticate its users.

Before you begin

Before you begin, obtain the following information from the LDAP administrator; you enter these values in the AR System configuration forms.

AREA LDAP Config Attribute

Description

Host Name

The host name of the system on which the directory service is hosted.

Bind-User

The distinguished name (DN) of the user account that the AREA LDAP plug-in uses to find the user object using the User Search filter.

Bind-Password

The password of the user account that the AREA LDAP plug-in uses to find the user object using the User Search filter.

Port Number

The port number on which the directory service is listening.

Use Secure Socket Layer

Establishes a secure socket layer (SSL) connection to the directory service. The values are T (true) and F (false). If you use LDAP over SSL, then you must also specify the file name of the certificate database used to establish the connection.

Certificate Database

The directory name of the certificate database. The cert8.db and key3.db certificate database files are in this directory. If the directory is not specified, the LDAP plug-in looks under the AR System installation directory for these files. This path is used only when ARDBC-LDAPUsingSSL is set to T (true).

Failover time out

Specifies the number of seconds that the plug-in waits to establish a connection with the directory service. The minimum value is 0, in which case, the connection must be immediate. The maximum value is the External-Authentication-RPC-Timeout setting.

If the Failover time out (AREA-LDAP-Connect-Timeout) setting is not specified, the default value is set to the value of External-Authentication-RPC-Timeout setting (the default is 30 seconds).

Chase Referrals

Enables automatic referral chasing by the LDAP client. The options are T (true) and F (false). By default, referrals are not chased (F). This option applies to Microsoft Active Directory only.

User Base

Base name of the search for users in the directory service (for example, o=remedy.com).

User Search Filter

The LDAP search filter used to locate the user in the directory, starting from the base that the AREA-LDAP-User-Base option specifies. The following keywords substitute runtime parameters into this option. Note that the backslash (\) is required.

  • $\USER$—The user's login name.
    As described in To configure LDAP Information in the LDAP Configuration form below, set the filter to:

      "sAMAccountName=$\USER$"

  • $\AUTHSTRING$—The value that the user enters into the Authentication String field when logging in.
  • $\NETWORKADDR$—The IP address of the AR System client accessing the AR System server.
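The keyword substitution described above, as an added illustration (example code, not the AREA LDAP plug-in's own implementation): runtime values are inserted into the filter template with RFC 4515 escaping, so a login name that happens to contain filter metacharacters such as ( ) or * is matched literally instead of being read as filter syntax. The parameter names user, authstring and networkaddr and the sample login names are constructed for this example.

```python
# Added example: expand the AREA LDAP User Search Filter keywords.
# Illustrative code only; the plug-in performs this substitution internally.

# Keywords documented for the option, mapped to constructed parameter names.
KEYWORDS = {
    r"$\USER$": "user",                # the user's login name
    r"$\AUTHSTRING$": "authstring",    # the Authentication String field value
    r"$\NETWORKADDR$": "networkaddr",  # IP address of the AR System client
}

# RFC 4515 escape sequences for characters that are special in a filter.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template: str, params: dict) -> str:
    """Substitute runtime parameters into a User Search Filter template.

    params maps 'user', 'authstring' and 'networkaddr' to their runtime
    values; a keyword whose value is absent is replaced with an empty string.
    Because backslashes are escaped, a substituted value can never form a
    new keyword that a later replacement would expand.
    """
    result = template
    for keyword, name in KEYWORDS.items():
        result = result.replace(keyword, escape_filter_value(params.get(name, "")))
    return result


if __name__ == "__main__":
    # The filter recommended on this page, with a constructed login name.
    template = r"sAMAccountName=$\USER$"
    print(expand_filter(template, {"user": "jdoe"}))
    # A login name containing filter metacharacters stays a literal match.
    print(expand_filter(template, {"user": "smith(temp)"}))
```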

Group

Retrieves the group information from the LDAP server. If this parameter is not set, the group information from the AR System Group form is used.

Group Search filter

The LDAP search filter used to locate the groups to which the user belongs. Keywords substitute runtime parameters into this option.

Default Group

Default groups to which the user belongs if no group information is available from the directory service. If there are multiple groups, use a semicolon to separate one from another.

To configure LDAP Information in the LDAP Configuration form

  1. From your browser, use the BMC Remedy Mid Tier URL to log on to the AR System server (in this example, clm-itsm) with the Demo credentials (for example, Demo and no password).
  2. From the list of applications on the IT Home page, select Applications > AR System Administration > AR System Administration Console.
    This link is available only to Administrator users.
  3. Expand the Navigation options on the left and select System > LDAP > AREA configuration.
    The AREA LDAP configuration form is displayed.
  4. Scroll down to the Configuration Detail section and provide the LDAP information, as shown in the following table.
    The following settings reflect an example implementation.

    Attribute            Value
    Server               10.6.10.13
    Port                 389
    Bind User            Production\ARAdmin
    Bind Password        Password for the bind user
    Domain Component     dc=prod,dc=abc,dc=lan
    User Search Filter   sAMAccountName=$\USER$
    Use SSL              No
    Chase Referral       No
    Group Membership     None

    This example connects without SSL. If you set Use SSL to Yes, you must also specify the Certificate Database directory, as described in the attribute table above.
  5. Click Save Current Configuration to save the information to the AR System server. The current configuration is displayed in the Configuration List table.

To configure AR System server to use LDAP authentication

After you provide the LDAP information in the LDAP configuration form, configure the AR System server to work with the AREA LDAP plug-in for authentication, as described in the following steps.

  1. From the IT Home Page, select AR System Administration Console > Server Information.
  2. Navigate to the EA tab.
  3. Set External Authentication Server RPC Program Number to 390695.
  4. Set External Authentication Server Timeout (Seconds) to the following:
    • RPC - 90
    • Need to Sync - 300
  5. Select Authenticate Unregistered Users and Cross Reference Blank Password.
    • When the Authenticate Unregistered Users option is selected, AR System first attempts to find the user in the User form. If the user exists in the User form, AR System attempts authentication through that form. If the user does not exist in the User form, AR System attempts authentication through the AREA plug-in.
    • When the Cross Reference Blank Password option is selected, AR System attempts to authenticate through AREA LDAP. For this to work properly, make sure that the user's password is set in AREA LDAP and no password is set on the User form in AR System. Then, if the user provides the password when logging in, the user is authenticated successfully. (If the user does not enter a password, the login attempt is rejected.)
  6. Set Authentication Chaining Mode to ARS-AREA, which instructs the server to authenticate the user by using the User form and then the AREA plug-in. The other Authentication Chaining Mode options are:
    • AREA-ARS - AR System attempts to authenticate the user by using the AREA plug-in and then the User form.
    • ARS-OS-AREA - AR System attempts to authenticate the user by using the User form, then Windows or UNIX authentication, and then the AREA plug-in.
    • ARS-AREA-OS - AR System attempts to authenticate the user by using the User form, then the AREA plug-in, and then Windows or UNIX authentication.
    • Off - Disables authentication chaining.
  7. Restart the AR System server for the changes to take effect.

For more information, see Creating-user-instructions and Configuring the AREA LDAP plug-in.

Note

When you provision an AWS instance with LDAP authentication, the user role enrolling the server in BMC Server Automation must be "BLAdmins" only. If the user role enrolling the server in BMC Server Automation is not "BLAdmins", AWS provisioning fails with the following message: "Failed to auto-enroll the Virtual Guest: Error: Unable to find property with name CLM_ONBOARD_AUTO_ENROLLED in class Server".

Workaround:

When the enrolling role is not "BLAdmins" (even if it carries the "BLAdmins" role permissions), disable the Enroll Server option in the Providers workspace for AWS in BMC Cloud Lifecycle Management. After provisioning succeeds, enroll the AWS server manually.

To configure point products to use LDAP authentication

LDAP authentication for the following products that integrate with BMC Cloud Lifecycle Management is described in each component product's online technical documentation:

  • BMC Atrium Orchestrator
  • BMC Network Automation
  • BMC Server Automation

To configure BMC Cloud Lifecycle Management for LDAP users of point products

Perform the following steps to configure BMC Cloud Lifecycle Management to use LDAP authentication for point products:

  1. Stop the CSM service.
  2. Update the user name for the AR System administrator in the cloudservices.json file.
  3. Update the user name, role, and authentication type for BMC Server Automation in the providers.json file.
  4. Update the user names in the providers.json file for the following products:
    1. BMC Atrium Orchestrator
    2. BMC Network Automation
  5. Start the CSM service.

Related BMC Communities blog entries

The following link provides supplemental information available from a blog entry in BMC Cloud Lifecycle Management Communities:

Using AREA LDAP to simplify account authentication in BMC Cloud Lifecycle Management