Implementing the LDAP_LDAP model


Before implementing any model that includes LDAP, you must set up secure LDAP (LDAPS) on your directory server. To apply the LDAP_LDAP model, do the following:

  1. Create a user to add to the Product Administrators list. For instance, if changing from ADMIN_ADMIN to LDAP_LDAP, choose a username that already exists in LDAP, create a user with exactly that username, and add the user to the Product Administrators list. After the security model is changed to LDAP_LDAP, that user can log in with the LDAP password and administer the product.

    If you do not perform this step you may be unable to access TrueSight Middleware Administrator.

  2. Add the new user to the Product Administrators list:
    1. Select Product Administrators from the Navigation Panel.
    2. View the Administrators List.
    3. Select the Add icon and select the new user from the dialog.
    4. Save the Product Administrators list.
    5. Confirm the action by selecting the Product Administrators object from the Navigation Panel once more to verify the new user in the table.
  3. Select the Security option (object) from the Navigation Panel. The Security Model view fills the workspace.
  4. Select LDAP_LDAP from the Security Model pulldown. LDAP_LDAP properties are displayed:

    [Screenshot: TSMA_LDAP_Settings.png, the LDAP_LDAP properties form]
  5. Complete the field entries by referring to the LDAP Field Descriptions below.
  6. Double-check each entry against the values your directory administrator supplied. A mistyped manager DN, password, or search base is not detected until the restart, when it locks every user, including the new administrator, out of the product.
  7. Shut down your TrueSight Middleware Administrator service.
  8. Depending on your configuration, do the following before restarting the TrueSight Middleware Administrator service:
    1. If the server URL uses a secure LDAP port (for example ldaps://hostname:636), you must import the root certificate of the CA that issued the LDAP server's certificate into the TrueSight Middleware Administrator truststore. Without it the TLS connection to the directory is rejected and no LDAP user can log in.
    2. For Active Directory, the root certificate is found on the root drive of the domain controller (where AD runs), with the name [dns name of ca]_[name of cert].crt.
    3. Import it into the TrueSight Middleware Administrator service's truststore by running the following command:

      keytool -import -alias <alias_name> -file <path_to_server_cert> -keystore <bmm-admin_install_path>/security/truststore.jks

      For example:

      keytool -import -alias bmmadmin_ldap -file /tmp/ldap_server.crt -keystore /opt/BMC/bmm-admin/security/truststore.jks

    4. You are asked for the keystore password. The default is 'bmcsoftware'. Because that default is public, protect truststore.jks with file permissions: anyone who can write to it can add their own CA and intercept the LDAP connection. Confirm the import by listing the truststore with keytool -list, using the same -keystore and -alias values; the entry must appear as a trustedCertEntry.
  9. Restart your TrueSight Middleware Administrator server. When the server is ready, log in as the user you added to the Product Administrators list. The password is the one LDAP/Active Directory holds for that username, not a password stored in the product.
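Step 6 says to double-check the entries. The following script is an added example, not part of TrueSight Middleware Administrator, that runs the checks a practitioner would want before the shutdown and restart in steps 7 to 9: the URL must be ldaps://, every DN must be a comma-separated list of attribute=value RDNs (a simplified form of RFC 4514 that does not handle escaped commas), every filter must be balanced and contain the {0} placeholder, and the manager account should not be the built-in Administrator with a weak password. The settings dictionary holds the AD example values from the field descriptions below as constructed sample input; the field names are the labels used on this page.

```python
"""Pre-flight checks for LDAP_LDAP settings before the service restart (added example, not TSMA code)."""
import re
from urllib.parse import urlsplit

# Simplified RFC 4514 RDN: attribute=value with no escaped commas; enough to catch a bare "DC".
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+$")
WEAK_PASSWORDS = {"secret", "password", "changeme"}

# The AD example values from the field descriptions, as constructed sample input.
SETTINGS_FROM_PAGE = {
    "LDAP Server URL": "ldaps://server5c4.happyvalleyoftware.com:636",
    "LDAP Manager Dn": "CN=Administrator,CN=Users,DC=ixxx-ABC30L1,DC=com",
    "LDAP Manager Password": "secret",
    "LDAP User Search Base": "CN=Users,DC=ixxx-ABC30L1,DC=com",
    "LDAP User Search Filter": "(&(objectClass=user)(sAMAccountName={0}))",
    "LDAP Group Search Base": "CN=Users,DC=ixxx-ABC30L1,DC=com",
    "LDAP Group Search Filter": "(&(objectClass=group)(cn={0}))",
    "LDAP Group Member Search Filter": "(&(objectClass=group)(member={0}))",
}


def check_url(url):
    """Only ldaps:// keeps the manager password and users' login passwords off the wire in clear."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "ldaps":
        problems.append("LDAP Server URL: scheme is %r, expected ldaps" % parts.scheme)
    if not parts.hostname:
        problems.append("LDAP Server URL: no host name")
    return problems


def check_dn(label, dn):
    """Every comma-separated RDN must be attribute=value; a stray 'DC' would break the bind."""
    return ["%s: malformed RDN %r" % (label, rdn) for rdn in dn.split(",") if not _RDN.match(rdn.strip())]


def check_filter(label, filt):
    """A filter needs the {0} placeholder and balanced parentheses, or lookups silently fail."""
    problems = []
    if "{0}" not in filt:
        problems.append("%s: no {0} placeholder, the searched value would never be used" % label)
    depth = 0
    for ch in filt:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            break
    if depth != 0 or not filt.startswith("("):
        problems.append("%s: unbalanced or unparenthesised filter" % label)
    return problems


def check_manager(dn, password):
    """The manager account only needs read access; a domain admin with a weak password is overkill."""
    problems = []
    if dn.lower().startswith("cn=administrator,"):
        problems.append("LDAP Manager Dn: built-in Administrator used; create a dedicated read-only account")
    if password.lower() in WEAK_PASSWORDS or len(password) < 12:
        problems.append("LDAP Manager Password: default or too short")
    return problems


def validate(settings):
    """Return a list of findings; an empty list means the settings passed every check."""
    problems = check_url(settings["LDAP Server URL"])
    for key in ("LDAP Manager Dn", "LDAP User Search Base", "LDAP Group Search Base"):
        problems += check_dn(key, settings[key])
    for key in ("LDAP User Search Filter", "LDAP Group Search Filter", "LDAP Group Member Search Filter"):
        problems += check_filter(key, settings[key])
    problems += check_manager(settings["LDAP Manager Dn"], settings["LDAP Manager Password"])
    return problems


if __name__ == "__main__":
    for finding in validate(SETTINGS_FROM_PAGE):
        print(finding)
```

Run it on the values you are about to save. Against the page's own AD examples it reports two findings, the built-in Administrator as manager DN and the password 'secret'; with a dedicated service account and a long password it reports none. The DN check also catches a typo such as a bare ",DC," in the middle of a DN, which the directory would reject at bind time.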

LDAP Field Descriptions

The following definitions are the specific and appropriate entries for the LDAP Security Model properties that you enter when changing a Security Model. Machine and domain names in the following sections (such as ixxx-ABC30L1) are placeholders for your actual server/system names. Enter the specific string for your real-world machine names in each instance.

LDAP Server URL

This is the URL used by TrueSight Middleware Administrator to make the connection to the LDAP server. Use an ldaps:// URL: with plain ldap:// the manager password and every user's login password cross the network unencrypted during the simple bind.
AD Example:
ldaps://server5c4.happyvalleyoftware.com:636

LDAP Manager Dn

This is the DN of a user which can read entries in the LDAP directory. Read access is all the product needs, so use a dedicated, non-privileged service account rather than the built-in Administrator shown in the example.
AD Example:
CN=Administrator,CN=Users,DC=ixxx-ABC30L1,DC=com

LDAP Manager Password

This is the password for the LDAP manager user DN. TrueSight Middleware Administrator stores it in order to bind to the directory, so choose a strong, unique password rather than a trivial one like the example.
AD Example:
secret

LDAP User Search Base

The base DN from which searches for user information occur. On AD, CN=Users only covers accounts in the default Users container; if your accounts live in organizational units, use a base DN high enough to contain them, such as the domain root.
AD Example:
CN=Users,DC=ixxx-ABC30L1,DC=com

LDAP User Search Filter

The search filter used to identify a single user by name; {0} is replaced by the username being looked up.
AD Example:
(&(objectClass=user)(sAMAccountName={0}))

LDAP Users Search Filter

The search filter used to find users within the directory; {0} is replaced by the search text.
AD Example:
(&(objectClass=user)(sAMAccountName={0}))

LDAP Username Attribute

This is the attribute whose value TrueSight Middleware Administrator uses as the username.
AD Example:
sAMAccountName

LDAP Group Search Base

This is the base DN used to search for groups. Groups must be somewhere in the subtree rooted at this DN.
AD Example:
CN=Users,DC=ixxx-ABC30L1,DC=com

LDAP Group Search Filter

This is the search filter expression used to find groups by name.
AD Example:
(&(objectClass=group)(cn={0}))

LDAP Group Member Search Filter

This is the search filter expression used to determine the groups an entry belongs to; {0} is replaced by the DN of the user (or, when nested groups are resolved, of a group).
AD Example:
(&(objectClass=group)(member={0}))

Note

If your directory stores group membership in the uniqueMember attribute (groupOfUniqueNames groups, common in non-AD directories), use uniqueMember in both fields: this filter and the LDAP Group Member Attribute.

Without this, users cannot (via groups) obtain access to projects they were assigned to.

Example: (&(objectClass=*)(uniqueMember={0}))

LDAP Groups Search Filter

This is the search filter expression that returns group names. This is used by TrueSight Middleware Administrator to find groups to which to assign permissions.
AD Example:
(&(objectClass=group)(cn={0}))

LDAP Group Name Attribute

This is the attribute that represents the name of a group in LDAP/AD.
AD Example:
cn

LDAP Group Member Attribute

This is the attribute that represents a member of a group within LDAP/AD.
AD Example:
member

Note

For directories that store group membership in uniqueMember (groupOfUniqueNames), set this field and the LDAP Group Member Search Filter consistently to uniqueMember; AD uses member.

Without this, users cannot (via groups) obtain access to projects they were assigned to.

Example: uniqueMember

LDAP Max Nested Group Recursion Level

Used by TrueSight Middleware Administrator to limit how many levels of nesting it follows when a group is itself a member of another group. The limit bounds the cost of membership resolution and stops lookups from looping on nested memberships that form a cycle; a user whose group is nested deeper than this level does not receive that group's permissions.
AD Example:

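The filters above are templates: TrueSight Middleware Administrator substitutes a name or DN for {0} and sends the result to the directory. The following simulation is an added example, not part of the product, that runs the AD example filters against a small constructed in-memory directory to show three things: how RFC 4515 escaping of the substituted value stops a login name such as * from matching every account, why a user lookup must yield exactly one entry before authentication proceeds, and how the Group Member Search Filter is re-applied to each group found in order to resolve nested groups, with the Max Nested Group Recursion Level (assumed here to be 5, since the page gives no example value) and a visited set bounding the walk through a deliberately cyclic nesting. Whether the product itself escapes {0} is not stated on this page; the directory contents, the user jsmith and the groups mq-ops and tsma-admins are all constructed for the example.

```python
"""Simulated LDAP_LDAP lookups over a constructed in-memory directory (added example, not TSMA code)."""
import re

BASE = "DC=ixxx-ABC30L1,DC=com"   # placeholder domain used in the field descriptions

# Constructed sample directory: DN -> {attribute: set(values)}. The nesting cycle between
# mq-ops and tsma-admins is deliberate: it shows why a recursion limit and a visited set are needed.
DIRECTORY = {
    f"CN=Administrator,CN=Users,{BASE}": {"objectClass": {"user"}, "sAMAccountName": {"Administrator"}},
    f"CN=jsmith,CN=Users,{BASE}": {"objectClass": {"user"}, "sAMAccountName": {"jsmith"}},
    f"CN=mq-ops,CN=Users,{BASE}": {"objectClass": {"group"}, "cn": {"mq-ops"},
        "member": {f"CN=jsmith,CN=Users,{BASE}", f"CN=tsma-admins,CN=Users,{BASE}"}},
    f"CN=tsma-admins,CN=Users,{BASE}": {"objectClass": {"group"}, "cn": {"tsma-admins"},
        "member": {f"CN=mq-ops,CN=Users,{BASE}"}},
}

# The AD example values from the field descriptions. The page gives no example value for
# the recursion level, so 5 is an assumption made for this demonstration.
SETTINGS = {
    "user_search_base": f"CN=Users,{BASE}",
    "user_search_filter": "(&(objectClass=user)(sAMAccountName={0}))",
    "group_search_base": f"CN=Users,{BASE}",
    "group_member_search_filter": "(&(objectClass=group)(member={0}))",
    "group_name_attribute": "cn",
    "max_nested_group_level": 5,
}

def escape_filter_value(value):
    """RFC 4515 escaping for an assertion value: the only safe way to put user input into {0}."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def _parse(text):
    """Parse a filter subset, (&...), (|...), (attr=value), (attr=*); returns (node, remaining text)."""
    if not text.startswith("(") or ")" not in text:
        raise ValueError("bad filter near %r" % text[:20])
    body = text[1:]
    if body[0] in "&|":
        children, rest = [], body[1:]
        while rest.startswith("("):
            child, rest = _parse(rest)
            children.append(child)
        if not rest.startswith(")"):
            raise ValueError("unbalanced filter")
        return (body[0], children), rest[1:]
    end = body.index(")")          # escaped values never contain a raw ')'
    attr, _, value = body[:end].partition("=")
    return ("=", attr, value), body[end + 1:]

def attr_values(entry, attr):
    """Attribute names are case-insensitive in LDAP."""
    return {v for k, vs in entry.items() if k.lower() == attr.lower() for v in vs}

def matches(entry, node):
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(entry, c) for c in node[1])
    _, attr, value = node
    values = attr_values(entry, attr)
    if value == "*":               # presence test: an unescaped '*' from user input matches everyone
        return bool(values)
    return any(v.lower() == _unescape(value).lower() for v in values)

def search(base_dn, filter_text):
    """Subtree search below base_dn; DNs and attribute values compare case-insensitively."""
    node, rest = _parse(filter_text.strip())
    if rest:
        raise ValueError("trailing text after filter: %r" % rest)
    base = base_dn.lower()
    return [dn for dn, entry in DIRECTORY.items()
            if (dn.lower() == base or dn.lower().endswith("," + base)) and matches(entry, node)]

def search_users(login_name, escape=True):
    """Apply the LDAP User Search Filter for a login name; escape=False shows the injection risk."""
    value = escape_filter_value(login_name) if escape else login_name
    return search(SETTINGS["user_search_base"], SETTINGS["user_search_filter"].replace("{0}", value))

def find_user_dn(login_name, escape=True):
    """Resolve exactly one user DN; zero or several hits must not authenticate anybody."""
    hits = search_users(login_name, escape)
    return hits[0] if len(hits) == 1 else None

def groups_of(member_dn, max_level=SETTINGS["max_nested_group_level"]):
    """Names of direct groups (level 0) plus nested parents up to max_level: the Group Member Search
    Filter is re-applied to each group found, and 'seen' stops the mq-ops/tsma-admins cycle."""
    names, seen, frontier = set(), set(), [member_dn]
    for _level in range(max_level + 1):
        next_frontier = []
        for dn in frontier:
            filt = SETTINGS["group_member_search_filter"].replace("{0}", escape_filter_value(dn))
            for group_dn in search(SETTINGS["group_search_base"], filt):
                if group_dn.lower() not in seen:
                    seen.add(group_dn.lower())
                    names |= attr_values(DIRECTORY[group_dn], SETTINGS["group_name_attribute"])
                    next_frontier.append(group_dn)
        if not next_frontier:
            break
        frontier = next_frontier
    return names
```

With escaping on, find_user_dn("*") returns None because the wildcard becomes the literal \2a; with escape=False the same input matches both users, which is why find_user_dn refuses anything but exactly one hit. groups_of for jsmith returns {"mq-ops"} at level 0 and {"mq-ops", "tsma-admins"} at level 1 or higher, and terminates despite mq-ops and tsma-admins each listing the other as a member.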