Configuring the system for external authentication


Infrastructure Management supports both LDAP and Windows Active Directory for centralized user authentication. Both server certificate and client certificate authentication are supported.

Basic LDAP and Active Directory configuration

Though the labels in the operator console UI refer to LDAP, the same procedure configures Active Directory.

To configure an LDAP or Active Directory integration, perform the following steps:

  1. From the operator console, navigate to Options > Administration.
  2. Under Integrations with other BMC Products, click Edit.
  3. The Configure Infrastructure Management Integrations dialog box displays the available integrations. Under Integrations, select LDAP.
  4. To add a new LDAP or Active Directory integration, click Add LDAP Server.

    Note

    Ensure that the LDAP Integration is Active check box is selected. It lets you activate and deactivate the LDAP server after it has been integrated successfully. If it is not selected, the configuration is not saved and the system is not told to use LDAP or Active Directory for external authentication.

  5. Provide the following details:

     Input field and description

     LDAP Alias
       Alias name for the LDAP or Active Directory server. The system generates it automatically; you can also modify the name.

     LDAP Protocol Version
       LDAP protocol version number. The most recent version is 3.

       Note
       BMC recommends that you use the default LDAP version unless you have a very old LDAP implementation.

     Hostname
       Fully qualified host name or IP address of the LDAP or Active Directory server. You can verify network connectivity between the LDAP or Active Directory server and the Infrastructure Management server by using the ping command.

     Port
       Port number used to connect to the LDAP or Active Directory server. The default non-secure port number is 389. The default secure (SSL) port number is 636.

     Base DN
       The top-level directory of the LDAP or Active Directory structure, given as a fully qualified Distinguished Name (DN). A Distinguished Name identifies an object and the path to it in the directory's hierarchical namespace; its components are ordered from the most specific to the least specific.

     User DN
       Fully qualified distinguished name of the user account that connects (binds) to the LDAP or Active Directory server.

     Password
       Authentication password (encrypted) that is used to connect to the LDAP or Active Directory server.

       Note
       Set the encrypted attribute to false and then enter the password in plain text. Restart the TrueSight Infrastructure Management server. When the Internet Authentication Service (IAS) restarts, it encrypts the password and changes the encrypted attribute value from false to true. You can open the ldap_configuration.xml file and verify that the encrypted attribute is set to true and that the password stored in the file is the encrypted value.

     User SSL
       Indicates whether the LDAP or Active Directory authentication uses the SSL protocol.

       Note
       For an SSL connection, you must perform additional configuration steps before testing or saving this configuration. For more information on the additional configuration steps, see SSL authentication.

     User ID Attribute
       LDAP or Active Directory attribute in the user entry that contains the login ID.

     User Search Filter
       Search filter that the LDAP or Active Directory server uses to look up a user entry.

     Group Search Filter
       Search filter that the LDAP or Active Directory server uses to look up a user group entry.

     Delete LDAP Server
       Deletes the current LDAP or Active Directory server configuration.

  6. Click Test to check the LDAP integration status. A result window appears, indicating the integration status together with any errors and warnings. Warnings give additional feedback on optimizing the configuration; they do not prevent the system from connecting to and communicating with the LDAP or Active Directory servers. The following tables list the possible errors and warnings:

  7. Click Apply to save your configuration and make the changes take effect.
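The User ID Attribute, User Search Filter and Group Search Filter fields in step 5 are the point where a login ID typed at the operator console is substituted into an LDAP query. The following Python example, added here and not part of the product or its documentation, shows how such a substitution has to escape the login ID as RFC 4515 requires, so that a login name can only ever be matched as a value and never change the structure of the filter. The filter templates, attribute name and login IDs are constructed samples, not TrueSight's internal settings.

```python
"""Safe substitution of a login ID into an LDAP user/group search filter.

Added example (not TrueSight code). The templates below stand in for the
User ID Attribute, User Search Filter and Group Search Filter fields of the
operator console; their values are constructed for the demonstration.
"""

# Hypothetical field values (constructed).
USER_ID_ATTRIBUTE = "sAMAccountName"
USER_SEARCH_FILTER = "(&(objectClass=user)({uid_attr}={login}))"
GROUP_SEARCH_FILTER = "(&(objectClass=group)(member={user_dn}))"

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Special characters become \\xx hex escapes; non-ASCII characters are
    emitted as the hex escape of each of their UTF-8 bytes.
    """
    out = []
    for ch in value:
        if ch in _FILTER_ESCAPES:
            out.append(_FILTER_ESCAPES[ch])
        elif ord(ch) > 0x7F:
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(login_id: str) -> str:
    """Substitute the login ID into the user search filter with escaping."""
    return USER_SEARCH_FILTER.format(
        uid_attr=USER_ID_ATTRIBUTE, login=escape_filter_value(login_id)
    )


def build_user_filter_unescaped(login_id: str) -> str:
    """Comparison only: raw substitution lets '*' or ')(' rewrite the filter."""
    return USER_SEARCH_FILTER.format(uid_attr=USER_ID_ATTRIBUTE, login=login_id)


def build_group_filter(user_dn: str) -> str:
    """The user's DN is also an assertion value here, so it is escaped too."""
    return GROUP_SEARCH_FILTER.format(user_dn=escape_filter_value(user_dn))


if __name__ == "__main__":
    for login in ("jdoe", "*", "x)(objectClass=*"):
        print("unescaped:", build_user_filter_unescaped(login))
        print("escaped:  ", build_user_filter(login))
```

With escaping, a login of `*` produces `(sAMAccountName=\2a)`, which matches only a literal asterisk, while the raw substitution would match every user entry; the same applies to the DN placed in the group filter.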

Basic group configuration for LDAP and Active Directory

Every user must belong to a group that maps to a group in the Infrastructure Management Server, because groups carry the user's roles and responsibilities. The external authentication system must therefore not only identify and authenticate the user but also identify which group that user belongs to. The following methods ensure that the two systems identify groups consistently:

  • Add the Infrastructure Management Server groups to your LDAP system
    With this method you take the desired Infrastructure Management Server groups and create them in your LDAP or Active Directory system. Ensure that the users you want to allow to log in are members of those groups.
  • Add the LDAP groups to your Infrastructure Management Server
    With this method you take the desired LDAP or Active Directory groups and create them in the Infrastructure Management Server.

Warning

All group names are case sensitive. Spell the group names exactly, including their case, when implementing either method.

Advanced LDAP and Active Directory configuration

This section explains advanced configuration for LDAP and Active Directory. Most of the elements explained in this section are not available through the UI and require you to modify .properties files.

Warning

The following procedure requires you to modify .properties files. You should back up .properties files into a directory outside the Infrastructure Management installation directory structure before modifying them. To avoid overwriting the parameter values of a .properties file, do not copy any backup or reserved file with the .properties extension into the same directory structure as the product installation directory. The system reads the .properties files randomly and can overwrite the current values of duplicate parameters with older values. Instead, store any backup or reserved files in a separate directory outside of the Infrastructure Management installation directory structure.

SSL authentication

If you select the User SSL check box, ensure that your keystore and SSL certificates are configured correctly so that the Infrastructure Management Server and the LDAP or Active Directory system can authenticate each other. Perform the following steps to set up and test such a connection:

  1. Obtain the SSL certificate and copy it to any local folder on your Infrastructure Management server.
  2. Import the SSL certificate into the installationDirectory/pw/pronto/conf/pnserver.ks JServer keystore.

    Use the keytool command in the installationDirectory/pw/jre/bin directory. Its syntax is:

    keytool -import [-trustcacerts] [-alias <alias>] [-file <cert_file>] [-keystore <keystore>] [-storepass <storepass>]

    For example, to import the file ldapcert.cer, enter the following command:

    keytool -import -trustcacerts -alias pnetv2 -file ldapcert.cer -keystore "usr/pw/pronto/conf/pnserver.ks" -storepass get2net

  3. Restart the TrueSight Infrastructure Management server.

Custom group mappings

Perform the following steps to keep the names of LDAP or Active Directory groups and Infrastructure Management groups separate by using the mapping file:

  1. Configure the mapping file:
    1. In a text editor, open the /pw/pronto/conf/ldap_ppm_group_mapping.xml file.
    2. Map each LDAP group to the appropriate Infrastructure Management group using the following format:

      <entry key="<LDAPgroupName>"><ProactiveNetGroupName></entry>

      The following example shows multiple LDAP groups mapped to Infrastructure Management groups.

      <properties>
      <entry key="MyLdapGroup1">BPPM Administrators</entry>
      <entry key="MyLdapGroup2">BPPM Supervisors</entry>
      <entry key="MyLdapGroup3">User Defined User Group</entry>
      ...
      </properties>

      Warning

      LDAP group names must be entered in exactly the same case. For example, if the LDAP group name is MyLDAP1, you cannot enter myldap1 into the list. You must enter MyLDAP1.

    3. Save and close the ldap_ppm_group_mapping.xml file.
  2. Update the /pw/pronto/conf/ias.properties file:
    1. In a text editor, open the /pw/pronto/conf/ias.properties file.
    2. Turn off the check that verifies whether the LDAP groups are defined in Infrastructure Management by updating the following parameter:

      com.bmc.sms.ixs.default.group.present.check=FALSE

      By default this property is set to TRUE.

      If this property is set to TRUE, you must define a group in Infrastructure Management for each corresponding LDAP group. Only after the group is defined in Infrastructure Management can users be authenticated as members of it.

    3. Save and close the /pw/pronto/conf/ias.properties file.
  3. Restart the TrueSight Infrastructure Management server.

Limiting group lookups

If you use the default group settings (creating Infrastructure Management Server groups in your LDAP system, or vice versa), this method limits the group names that the system searches through during login. Not every group in the Infrastructure Management Server's group list is searched, which makes login more efficient and the environment more secure.

Perform the following steps to limit the authentication groups:

  1. Update the /pw/pronto/conf/ias.properties file:
    1. In a text editor, open the /pw/pronto/conf/ias.properties file.
    2. Enter a comma-separated list of the LDAP groups against which the user must be authenticated by updating the following parameter:

      com.bmc.sms.ixs.search.ldap.group=<LdapGroup1>,<LdapGroup2>,<LdapGroup3>,<LdapGroup4>

      Warning

      LDAP group names must be entered in exactly the same case. For example, if the LDAP group name is MyLDAP1, you cannot enter myldap1 into the list. You must enter MyLDAP1.

    3. Save and close the /pw/pronto/conf/ias.properties file.
  2. Restart the TrueSight Infrastructure Management server.
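The two procedures above (Custom group mappings and Limiting group lookups) describe three settings that decide which Infrastructure Management groups a user ends up in at login: the com.bmc.sms.ixs.search.ldap.group list, the ldap_ppm_group_mapping.xml file and the com.bmc.sms.ixs.default.group.present.check flag, all of them case sensitive. The following Python example, added here and not TrueSight's own implementation, models that resolution so you can see the effect of a case mismatch or of a mapped group that does not exist before restarting the server; the XML, properties excerpt and Infrastructure Management group list are constructed samples in the page's own format, and the rule that an unmapped LDAP group is looked up under its own name is an assumption taken from the default (same-name) method described earlier.

```python
"""Login-time group resolution for the LDAP integration settings above.

Added example (not TrueSight code). Inputs are constructed samples in the
same format as /pw/pronto/conf/ldap_ppm_group_mapping.xml and
/pw/pronto/conf/ias.properties.
"""
import xml.etree.ElementTree as ET

# Constructed sample of ldap_ppm_group_mapping.xml.
MAPPING_XML = """<properties>
<entry key="MyLdapGroup1">BPPM Administrators</entry>
<entry key="MyLdapGroup2">BPPM Supervisors</entry>
<entry key="MyLdapGroup3">User Defined User Group</entry>
</properties>"""

# Constructed excerpt of ias.properties.
IAS_PROPERTIES = """# ias.properties (excerpt)
com.bmc.sms.ixs.default.group.present.check=TRUE
com.bmc.sms.ixs.search.ldap.group=MyLdapGroup1,MyLdapGroup2
"""

# Groups defined in Infrastructure Management (constructed).
IM_GROUPS = {"BPPM Administrators", "BPPM Supervisors"}


def parse_mapping(xml_text):
    """Return {LDAP group name: Infrastructure Management group name}."""
    root = ET.fromstring(xml_text)
    return {e.get("key"): (e.text or "").strip() for e in root.findall("entry")}


def parse_properties(text):
    """Minimal key=value parser for the .properties lines we need."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def resolve_im_groups(ldap_groups, mapping, props, im_groups):
    """Return (granted IM groups, diagnostics) for a user's LDAP groups.

    Every comparison is exact, including case, as the warnings require.
    """
    diags = []
    allow = props.get("com.bmc.sms.ixs.search.ldap.group", "")
    allowed = {g.strip() for g in allow.split(",") if g.strip()} if allow else None
    present_check = (
        props.get("com.bmc.sms.ixs.default.group.present.check", "TRUE").upper() == "TRUE"
    )
    granted = set()
    for group in ldap_groups:
        if allowed is not None and group not in allowed:
            diags.append(f"ignored {group!r}: not in search.ldap.group list (case sensitive)")
            continue
        # Assumption: an unmapped LDAP group is looked up under its own name.
        im_name = mapping.get(group, group)
        if present_check and im_name not in im_groups:
            diags.append(f"rejected {group!r} -> {im_name!r}: not defined in Infrastructure Management")
            continue
        granted.add(im_name)
    return granted, diags


def lint_case_collisions(names):
    """Pairs of names that differ only in case: a likely misspelled entry."""
    seen, collisions = {}, []
    for name in names:
        folded = name.casefold()
        if folded in seen and seen[folded] != name:
            collisions.append((seen[folded], name))
        seen.setdefault(folded, name)
    return collisions


if __name__ == "__main__":
    mapping = parse_mapping(MAPPING_XML)
    props = parse_properties(IAS_PROPERTIES)
    granted, diags = resolve_im_groups(
        ["MyLdapGroup1", "myldapgroup2", "MyLdapGroup3"], mapping, props, IM_GROUPS
    )
    print("granted:", sorted(granted))
    for d in diags:
        print("diag:", d)
```

Run the checker against the real mapping file and properties excerpt on a test box before restarting the server: a group that is silently ignored because of a case difference shows up as a diagnostic rather than as a failed login later.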

Configuring cell permissions

Perform the following steps to configure the cell permissions:

  1. Edit the self_collector.mrl file located at /pw/server/etc/<cellname>/kb/collectors/ and add the groups to the permissions they need:
     r - Read-only
     w - Write
     x - Execute
  2. Save the self_collector.mrl file.
  3. Recompile and restart the cell using the following commands:
     mccomp -n <cellname>
     mcontrol -n <cellname> restart

 
