Setting up LDAP or Active Directory users in Remedy SSO

Before you begin

• You must have installed and configured the Remedy SSO to work with the Presentation Server and its component products. For details, see Planning to deploy Remedy SSO  and  Installing Remedy Single Sign-On.

• You must migrate the internal user data from Atrium SSO to Remedy SSO. For details, see Migrating internal user data from Atrium SSO to Remedy SSO.

• You must have set the Remedy SSO general settings. For details, see Set up the Remedy SSO server.

• You must have configured tenants to be used with the Presentation Server. For details, see Configuring-tenants-for-the-Presentation-Server-in-Remedy-SSO.

Configuring LDAP or Active Directory users in Remedy SSO

Before you begin

• Add a realm for LDAP authentication. For information about how to add a realm, see Adding-and-configuring-realms.
• You must have the LDAP server configured.
• Obtain the following information from the LDAP administrator:
  • Host name of the LDAP server
  • Port number of the LDAP server
  • Distinguished name of the bind LDAP user
  • Password of the bind LDAP user
  • Starting location within the LDAP directory for performing user searches
  • User attribute on which search is performed.

To configure the LDAP authentication

1. In the left navigation pane of the Add Realm or Edit Realm page, click Authentication.

2. In the Authentication Type field, click LDAP, and enter the following LDAP details:

   Field	Description	Example
   LDAP server information
   Server Host(s)	The IP address or host name of the LDAP sever. To use SASL, enter the host name (not the domain name). If you have LDAP failover configuration, add several LDAP server hosts. This will help to handle a situation when one of the servers is down, and the other server is up and running. If the connection to the first server fails, Remedy SSO will automatically redirect the request to another server.	Not applicable
   Server Port	Port number of the LDAP server.	389
   Use TLS connection	To enable TLS communication with the LDAP server, select this check box.	Not applicable
   User information If you plan to use SASL authentication with the LDAP server, you do not need to specify the following fields:
   Bind DN	Type the distinguished name (DN) of an LDAP user. This is the bind distinguished name for querying LDAP, and hence this account must have privileges to search the directory.	CN=User,CN=Users,DC=example,DC=com
   Bind Password	Enter the password of the LDAP user with the Bind DN.	Not applicable
   Users Base DN	Starting location within the LDAP directory for performing user searches. The search DNs should be as specific as possible for performance reasons. The depth of the search that is performed can be configured. If an object search is specified, then the Base DN should be the DN of the node containing the users.	CN=Users,DC=example,DC=com
   Server search and filtering options
   Page Size	The page size of the LDAP server. By default, this value is set to 2000 entries. If your LDAP server is configured to return less than 2000 entries, you need to modify this value accordingly.	2000
   Enable Group Retrieval	EnablesRemedy SSO to retrieve the groups list of an authenticated user as a part of the login process. Groups retrieval might be required by applications such as TrueSight Orchestration (formerly BMC Atrium Orchestrator) to support Remedy SSOauthorization.	Not applicable
   Search Scope	Specify the scope for search by selecting one of the available options.	One Level Subtree
   LDAP Filter preset	Select a preset to fill the LDAP filters with predefined values for the most common LDAP implementations. To search within nested groups, select AD Hierarchical. You can clear the filters, and type queries for User Authentication and Group Support fields.	Active Directory AD Hierarchical
   SASL configuration
   Use SASL	Select to enable SASL. Note that if you select Use SASL as the first field, after switching to the Authentication window (omitting all other fields), the fields Bind DN, Bind Password, and Users Base DN are disabled. Additionally, if Bind DN and Users Base DN are disabled, then you must manually populate the User Search Filter and Get All Users Filter filters, and do not use the Preset button. If you click the Preset button, the fields Bind DN and Bind Password are enabled and are marked as required.	Not applicable
   SASL Mechanism	Select a SASL authentication method.	DIGEST-MD5 GSSAPI
   Quality of Protection	Specify the integrity and privacy protection that SASL mechanism should support.	Authentication only Authentication with integration protection Authentication with integrity and privacy protection
   User Authentication
   User Search Filter	Enter the LDAP query to search for the user to be authenticated and if found to display the user's distinguished name. User is specified by $USER$ macro, for example - (&(objectCategory=user)(sAMAccountName=$USER$)).	Not applicable
   Identity Attribute	Enter the attribute to be used as a user name. It will be later provided as a user's name to the integrated systems with Remedy SSO. This field is not displayed if selected the Use SASL check box.	sAMAccountName
   Get All Users Filter	Enter the LDAP query to display all LDAP users. The filter can be used by integrated application for administration purposes to browse all users in LDAP to be considered as authorization subjects.	(objectCategory=user)
   Group Support
   Users of Group Filter	Enter the LDAP query to return the groups list for a particular group. The group is specified by the $GROUP$ macro. Groups information can be used by an integrated application for administration and authorization purposes.	(&(objectCategory=user)(memberOf=$GROUP$))
   Groups Base DN	Enter a Base DN for a group search. If you do not specify any value, users Base DN is used.	Not applicable
   Group Search Filter	Enter the LDAP query to display the list of all groups. The filter can be used by an integrated application for administration purposes to browse all groups to be considered as authorization subjects.	(objectCategory=group)
   Group Name Attribute	Enter the attribute to be used as group name.	cn
   Groups of User Filter	In this field, enter the LDAP query to return the list of groups for a particular user. The user is specified by the $DN$ macro. The value that you specify in this field can be used by an integrated application for administration purposes, such as browsing for groups of a particular user.	(&(objectCategory=group)(member=$USER$))

3. (Optional) Click Test to verify the settings.
4. Click Save.

To configure local authentication for use with App Visibility Manager

Add local authentication if your system includes integration with App Visibility Manager, Synthetic Monitor, or both.

1. Log in to the Remedy SSO console as an Admin user.
2. Click the Realm tab.
3. Select a tenant (realm) with LDAP authentication.
4. In the left navigation pane of the Edit Realm page, click Authentication.
5. Click Enable Chaining Mode.
6. By the List of Authentications, click Add Authentication.
7. From the Authentication Type list, select LOCAL.
8. Click Save to save the authentication type, and click Save to save the chain of authentication.

To create or edit an authorization profile with LDAP users in the Presentation Server

1. Log in to the TrueSight console as a Super Admin.
2. Navigate to Administration>Authorization Profiles.
3. Create a new authorization profile or edit an existing authorization profile to associate the user groups from Active Directory.
4. Select the tenant that you configured in Remedy Single Sign-On for Active Directory users and select Edit under User Groups.
   
5. Click Add and select the Active Directory user group from the list of user groups.
6. Select the required roles from the list roles.
7. (Optional) Select the required objects from the list of object.
8. Select OK and then Save.
9. Select Yes to confirm changes to the authorization profile.
10. Log out of the TrueSight console.
11. Log in to the TrueSight console as an Active Directory user.
12. Log in to the Infrastructure Management server as an Administrator and perform the following steps:

    1. Edit the self_collector.mrl file located at /pw/server/etc/<cellname>/kb/collectors/ and add the groups to the permissions that are needed.
       r - Read-only

       w - Write

       x - Execute

    2. Save the self_collector.mrl file.
    3. Recompile the cell using the commands
       mccomp -n <cellname>
       mcontrol -n <cell> restart