Synchronizing RBAC users with Active Directory
You can synchronize your TrueSight Server Automation users with users in an Active Directory server. This enables you to automatically create users in RBAC. If you perform the synchronization using BLCLI, you can synchronize with either Active Directory or LDAP users with any type of authentication. However, if you perform the synchronization from the UI, you can enable users only for the Domain or Active Directory/Kerberos (ADK) authentication types.
You can synchronize users using either of the following methods:
Method | Description | Interface used |
---|---|---|
Synchronize users in a specific base distinguished name (DN) | Synchronizes users that are created within a certain base distinguished name such as an OU. | Available only through CLI |
Synchronize users in a group | Users are organized in groups within the Active Directory | Available through both CLI and User Interface |
Prerequisites
To synchronize to LDAP, ensure that the Active Directory server has a secure certificate installed and supports LDAP with startTLS extensions. TrueSight Server Automation only supports secure connections with the Active Directory server.
You can check whether the certificate is installed on the Active Directory server by running the following commands on the Application Server:
blcred -x ADcert.p12 cert -add -host <your AD server IP>:389 -protocol ldap
blcred -x ADcert.p12 cert -list
- Credentials are available for at least one Active Directory user who can browse the Active Directory tree to view the users that need to be synchronized. Typically, any Active Directory administrator can do this.
- Either the certificate of the Active Directory server or that of the CA that issued the Active Directory server's certificate must be available as a file on the client machine. This is required for the LDAP connection. The certificate file is typically in PEM format (usually with a .cer, .crt, or .cert extension).
- At least one attribute of the user in Active Directory must contain the user name in the format <user>@<domain>.com, where <user> is the user name and <domain> is the domain name of the user used for authentication.
Synchronizing the users
Perform the following steps:
- Create an Automation Principal:
When defining an automation principal, the value you set for Principal ID must be the distinguished name of a directory user that has at least read access to the users that you want to synchronize. For example, you might enter CN=Administrator,CN=Users,DC=company,DC=com.
Specify the password for this user in the passphrase and confirm fields.
To perform this from the CLI, run the following command:
Impersonation createAutomationPrincipal <Name> <Description> <Distinguished name of user> <Domain> <password for the user>
For example:
Impersonation createAutomationPrincipal ADSyncAdmin "Domain administrator to be used with AD Sync" "cn=administrator,cn=users,dc=sso,dc=bmc,dc=com" "" "p@$$w0rd"
- Create an LDAP connection:
- To set up an LDAP connection, you must have the host name or IP address (IPv4 or IPv6) of the Active Directory server and a certificate that can be used to validate the Active Directory server's certificate. This certificate is in PEM format. If you are using a certificate issued by a Microsoft CA, instructions to request and install the certificate on the Active Directory server can be found at http://support.microsoft.com/kb/321051.
- If the Verify host name when establishing a secure connection check box is selected, the system compares the host name in the certificate on the Active Directory server with the host name specified in the URL of the Active Directory server (entered in the Server field when creating the LDAP connection). Using this option to verify the host name is recommended. However, if you are using the IP address of the Active Directory server, clear this check box.
- Browse to the certificate file to add a certificate to the LDAP connection. This must be either the certificate of the Active Directory server or that of the CA (recommended) that issued the Active Directory server's certificate, in PEM format (typically a .crt, .cer, or .cert file).
To perform this from the CLI, run the following command:
Ldap createConnection <Name> <Name of the ldap server> <Certificate file path> <Description>
For example, the following creates an LDAP connection named SSO for the server engw2k8x64sso8.sso.bmc.com, using the trust store file C:\p4\8_0_security\om\test\conf\ldap_trust_store.crt:
Ldap createConnection SSO engw2k8x64sso8.sso.bmc.com C:\p4\8_0_security\om\test\conf\ldap_trust_store.crt "SSO connection"
Host name verification can be modified using the following command:
Ldap setHostnameVerification <name of the connection> true/false
Perform either of the following, depending on which method you are using:
If you are using LDAP to synchronize users in a specific Base DN
Run the following BLCLI command as RBACAdmins or any other role that has permissions to read the automation principal, read the LDAP connection, create users, read users, and modify the role that is synchronized:
RBACRole syncUsers <sync Option> <RoleName> <LDAP Connection> <Automation principal> <BASE DN> <Optional user Filter> <attribute>
For example:
RBACRole syncUsers ADSyncRole disableMissingUsers ADConnection ADAdmin "CN=Users,DC=sso,DC=bmc,DC=com" "(objectClass=user)" userPrincipalName
Where:
- <RoleName>: Role that is being synchronized
- <sync Option>: An optional parameter that specifies the action to perform on users that are enabled for synchronization and exist in RBAC but are not returned in the result set of the LDAP query. If no action needs to be performed on such users, omit this parameter. Valid values are -r, -e, -er, or -u; the full name of the option can be specified instead of the switch. The options are:
- pruneMissingUsers | -r: Unassigns the role being synchronized from users that are not found in the result set of the LDAP query
- disableMissingUsers | -e: Disables users in RBAC that are not found in the result set of the LDAP query
- disableAndPruneMissingUsers | -er | -re: Performs both of the above operations
- deleteMissingUsers | -u: Deletes users from RBAC that are not found in the result set of the LDAP query
- <LDAP Connection>: Name of the LDAP connection object that is to be used to determine which Active Directory server to contact
- <Automation principal>: Name of the Automation Principal object that defines the user credentials that are to be used to login to Active Directory server
- <BASE DN>: Base distinguished name from which to start searching for users.
- <Optional user Filter>: This is an LDAP filter that can be specified to only select a filtered list of users
- <attribute>: The attribute that contains the user name in the format <user>@<domain>.com, where <user> is the user name and <domain> is the correct domain name of the user used for authentication. Typically, the userPrincipalName attribute holds the correct user name.
- If you are using LDAP to synchronize Active Directory groups
- If using LDAP to synchronize users in a specific Active Directory group, you also create two LDAP queries.
One query specifies the group that needs to be synchronized and an attribute that lists all the members of that group (by default, Active Directory uses the member attribute for this). To do this from the CLI, use the following command:
Ldap createQuery <Name> <DN for the group> <ldap filter to be used if any> <Attribute that lists all members> <description>
For example, the following query is for the Active Directory group Domain Admins:
Ldap createQuery DomainAdminsQuery "CN=Domain Admins,CN=Users,DC=sso,DC=bmc,DC=com" (objectClass=*) member "Domain Admins"
The second query adds a user filter and specifies an attribute that contains the user name in the format <user>@<domain>.com, where <user> is the user name and <domain> is the correct domain name of the user used for authentication. Typically, the userPrincipalName attribute holds the correct user name. To do this from the CLI, use the following command:
Ldap createQuery <Name> <DN if you want to constrain member users to this DN> <ldap filter to be used if any> <Attribute to get the username from> <description>
For example:
Ldap createQuery UsersQuery "" (objectClass=user) userPrincipalName "User ldap query"
Edit the role that needs to be synchronized with an Active Directory group and add a group mapping specifying the automation principal, LDAP connection, group LDAP query, and user LDAP query. Multiple group mappings can be specified if more than one group needs to be synchronized with the same role. Synchronizing the same role with Active Directory groups in different Active Directory servers is also supported, by specifying multiple group mappings, each with its own automation principal, LDAP connection, group LDAP query, and user LDAP query. To do this from the CLI, use the following command:
RBACRole addLdapGroupMapping <Role Name> <LDAP Connection name> <Automation Principal Name> <Group Query Name> <User Query Name>
For multiple group mappings, run this command once per mapping.
- Any options to manage the synchronized users can be specified on the same screen. These options are:
- Unassign the role being synchronized from users that are not found in the result set of the LDAP query
- Disable users in RBAC that are not found in the result set of the LDAP query. This option can be selected in conjunction with the one above.
- Delete users from RBAC that are not found in the result set of the LDAP query
To set these options from the command line, run the following command:
RBACRole setLdapSyncOptions <Role Name> <true/false for deleting missing users> <true/false for disabling missing users> <true/false for unassigning missing users>
- After saving the role, right-click the role; the Synchronize menu option should now be available. Clicking it prompts for confirmation and, upon confirming, runs the synchronization in the background.
To do this from the CLI, use one of the following commands:
Use the syncUsers command if you want the option of specifying the authentication type for which synchronized RBAC users will be enabled. This enables you to override the default Active Directory authentication, and allows you to perform user synchronization on a wide range of LDAP server types. This capability is available only through the CLI, and not through the UI.
RBACRole syncUsers <roleName> <authenticationType>
Use the syncUsersWithNameSuffix command if you want to specify the user name suffix to append to RBAC users during synchronization. This enables you to override the default @domainName with some other suffix (for example, @differentDomainName or @dnsName). This capability is available only through the CLI, and not through the UI.
RBACRole syncUsersWithNameSuffix <roleName> <userNameSuffix>
For more complex synchronizations with Active Directory (for example, if you want to synchronize users in groups that contain members from multiple domains), you can use the syncUsersWithAd BLCLI command:
RBACRole syncUsersWithAd <roleName> <domainServer> <groupDN> <userAttributeFlag> <operation> <userNameSuffix>
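The missing-user options documented for syncUsers and setLdapSyncOptions above, together with the <user>@<domain> name derivation that syncUsersWithNameSuffix overrides, modelled in Python as an added illustration; this is not TrueSight Server Automation code. The RbacUser class, the constructed user table and LDAP result set, and the assumption that only sync-enabled users holding the role count as "missing" are mine.

```python
# Added illustration, not TrueSight Server Automation code: models the documented
# effect of the syncUsers missing-user options on a constructed RBAC user table.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class RbacUser:                      # hypothetical model of an RBAC user record
    name: str                        # RBAC user name, e.g. "jsmith@sso.bmc.com"
    roles: set = field(default_factory=set)
    enabled: bool = True
    ldap_synced: bool = True         # only users enabled for synchronization are affected

# Switches from the page and the full option names they stand for
SYNC_OPTIONS = {"-r": "pruneMissingUsers", "-e": "disableMissingUsers",
                "-er": "disableAndPruneMissingUsers", "-re": "disableAndPruneMissingUsers",
                "-u": "deleteMissingUsers"}

def rbac_name(attr_value: str, suffix: Optional[str] = None) -> str:
    """RBAC user name from a <user>@<domain> attribute value; suffix replaces @<domain>."""
    user, at, domain = attr_value.partition("@")
    if not (user and at and domain):
        raise ValueError(f"attribute value {attr_value!r} is not in <user>@<domain> form")
    return user + (suffix if suffix is not None else "@" + domain)

def apply_sync(users: dict, role: str, ldap_values: list, option: Optional[str] = None,
               suffix: Optional[str] = None):
    """One synchronization of `role`. Returns sorted (assigned, unassigned, disabled, deleted)."""
    option = SYNC_OPTIONS.get(option, option)          # accept a switch or a full name
    found = {rbac_name(v, suffix) for v in ldap_values}
    for name in found:                                  # users are created automatically
        users.setdefault(name, RbacUser(name)).roles.add(role)
    # Assumption: "missing" = sync-enabled users that hold the role but were not returned
    missing = [u for u in list(users.values())
               if u.ldap_synced and role in u.roles and u.name not in found]
    unassigned, disabled, deleted = [], [], []
    for u in missing:
        if option in ("pruneMissingUsers", "disableAndPruneMissingUsers"):
            u.roles.discard(role); unassigned.append(u.name)
        if option in ("disableMissingUsers", "disableAndPruneMissingUsers"):
            u.enabled = False; disabled.append(u.name)
        if option == "deleteMissingUsers":
            del users[u.name]; deleted.append(u.name)
    return sorted(found), sorted(unassigned), sorted(disabled), sorted(deleted)

def demo():
    """Constructed RBAC table and LDAP result set; -er unassigns and disables bob only."""
    users = {"alice@sso.bmc.com": RbacUser("alice@sso.bmc.com", {"ADSyncRole"}),
             "bob@sso.bmc.com": RbacUser("bob@sso.bmc.com", {"ADSyncRole"}),
             "svc_local": RbacUser("svc_local", {"ADSyncRole"}, ldap_synced=False)}
    result = apply_sync(users, "ADSyncRole", ["alice@sso.bmc.com", "carol@sso.bmc.com"], "-er")
    return users, result
```

The locally created svc_local account is untouched because it is not enabled for synchronization, which is the case to check before choosing deleteMissingUsers on a shared role.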