Integrating Active Directory by using RHEL 4


This topic describes how to integrate Active Directory by using Red Hat Enterprise Linux release 4.

To integrate Active Directory by using Red Hat Enterprise Linux release 4

  1. Confirm that the /etc/httpd/conf/httpd.conf file includes the following lines:
    LoadModule ldap_module modules/mod_ldap.so
    LoadModule auth_ldap_module modules/mod_auth_ldap.so
  2. Open the /etc/httpd/conf.d/gridapp.conf file and add the following lines as global configuration entries (outside of the <VirtualHost></VirtualHost> section).
    LDAPSharedCacheSize 200000
    LDAPCacheEntries 1024
    LDAPCacheTTL 600
    LDAPOpCacheEntries 1024
    LDAPOpCacheTTL 600
    # LDAPTrustedCA /etc/ssl/certs/certnew.cer
    # LDAPTrustedCAType BASE64_FILE

    The last two lines are required only when LDAP over SSL is to be implemented. The LDAPTrustedCA directive points to the file on the Manager node that contains the trusted Certificate Authority certificate. LDAPTrustedCAType specifies the file format of that *.cer file. Additional directives can be added if your secure LDAP setup requires them.
  3. Within the VirtualHost in the /etc/httpd/conf.d/gridapp.conf file, configure the URL for LDAP authentication and the ldap-status handler.
    The following example uses /ldap-status as the URL; you can use any URL you prefer. The AuthLDAPURL, AuthLDAPBindDN, and AuthLDAPBindPassword values must be correct for your LDAP server. For security, create a dedicated domain user account for use with the AuthLDAPBind directives.

    Note

    This user account does not need any special privileges; it can be a domain user that is not in any built-in group.

    <Location /ldap-status>
    SetHandler ldap-status
    AuthLDAPEnabled on
    AuthLDAPURL ldap://server.domain.com/DC=domain,DC=com?sAMAccountName?sub?(objectClass=user)
    AuthLDAPBindDN binduser@domain.com
    AuthLDAPBindPassword password
    AuthType Basic
    AuthName "Domain.com Active Directory"
    Require valid-user
    </Location>

    Note

    The server name (server.domain.com), base DN (DC=domain,DC=com), bind DN (binduser@domain.com), bind password, and AuthName shown above are sample values and must be replaced with information specific to the customer environment before this configuration is activated.

  4. Configure the BMC Database Automation Apache module for external authentication by setting the following directives inside the VirtualHost block but not inside any Location blocks:
    # This is the only directive that needs to be changed if you wish to
    # switch back to local authentication.
    GridAppExternalAuthEnabled <on|off>
    # This must match the path chosen for the Location block; in this case:
    GridAppExternalAuthUri /ldap-status
    # Optional. If set, logins as <ldap-user> are treated as sysadmin in Clarity.
    # If not configured, you need a 'sysadmin' user in the Active Directory.
    GridAppSysadminAlias <ldap-user>
  5. Reload the httpd service, and then test authentication from the Manager by using an account that exists both in the LDAP directory and in the Manager.
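The following pre-flight script is an added example, not part of the BMC documentation or product, to run before step 5 reloads httpd. It checks the work of steps 1 through 4: that both LoadModule lines are present, that AuthLDAPURL carries its value on the same line (a directive wrapped onto the next line fails to parse), that none of the sample values from the procedure were left in place, that the GridApp directives are set, and that a bind password is not being sent over plain ldap:// when ldaps:// with LDAPTrustedCA is available. The file paths default to the ones used in the procedure; the two sample gridapp.conf variants written by write_samples, including the dc01.example.internal host and svc-dbauth account, are constructed for the demonstration and are not values from the page.

```shell
#!/bin/sh
# Added example (not BMC's code): pre-flight checks for the mod_auth_ldap
# configuration built in steps 1-4. Paths default to those in the procedure.
HTTPD_CONF="${HTTPD_CONF:-/etc/httpd/conf/httpd.conf}"
GRIDAPP_CONF="${GRIDAPP_CONF:-/etc/httpd/conf.d/gridapp.conf}"

# Step 1: both LoadModule lines must be present and not commented out.
check_modules() {
    grep -Eq '^[[:space:]]*LoadModule[[:space:]]+ldap_module[[:space:]]+' "$1" &&
        grep -Eq '^[[:space:]]*LoadModule[[:space:]]+auth_ldap_module[[:space:]]+' "$1"
}

# Step 3: AuthLDAPURL must have its ldap:// or ldaps:// value on the same line.
check_ldap_url() {
    grep -Eq '^[[:space:]]*AuthLDAPURL[[:space:]]+ldaps?://[^[:space:]]+' "$1"
}

# Steps 3 and 4: none of the procedure's sample values may survive into the live file.
check_placeholders() {
    ! grep -Eq 'server\.domain\.com|binduser@domain\.com|^[[:space:]]*AuthLDAPBindPassword[[:space:]]+password[[:space:]]*$|<on[|]off>|<ldap-user>' "$1"
}

# Step 4: the two mandatory GridApp directives must carry real values.
check_gridapp() {
    grep -Eq '^[[:space:]]*GridAppExternalAuthEnabled[[:space:]]+(on|off)[[:space:]]*$' "$1" &&
        grep -Eq '^[[:space:]]*GridAppExternalAuthUri[[:space:]]+/' "$1"
}

# A simple-bind password over plain ldap:// crosses the network in cleartext;
# succeed only when no password is set or the URL uses ldaps://.
check_transport() {
    if grep -Eq '^[[:space:]]*AuthLDAPBindPassword[[:space:]]+' "$1" &&
       grep -Eq '^[[:space:]]*AuthLDAPURL[[:space:]]+ldap://' "$1"; then
        return 1
    fi
    return 0
}

# Runs every check on httpd.conf ($1) and gridapp.conf ($2); diagnostics go to
# stderr and the number of failures (0 = ready to reload) is printed to stdout.
run_checks() {
    failures=0
    check_modules "$1"      || { echo "FAIL: ldap_module/auth_ldap_module LoadModule lines missing in $1" >&2; failures=$((failures+1)); }
    check_ldap_url "$2"     || { echo "FAIL: AuthLDAPURL missing or its value is not on the same line" >&2; failures=$((failures+1)); }
    check_placeholders "$2" || { echo "FAIL: sample values from the procedure are still present" >&2; failures=$((failures+1)); }
    check_gridapp "$2"      || { echo "FAIL: GridAppExternalAuthEnabled/GridAppExternalAuthUri not set" >&2; failures=$((failures+1)); }
    check_transport "$2"    || echo "WARN: bind password over plain ldap://; use ldaps:// with LDAPTrustedCA" >&2
    echo "$failures"
}

# Writes constructed samples into directory $1: "before" still has the
# procedure's placeholders and the wrapped AuthLDAPURL, "after" is filled in.
write_samples() {
    cat > "$1/httpd.conf" <<'EOF'
LoadModule ldap_module modules/mod_ldap.so
LoadModule auth_ldap_module modules/mod_auth_ldap.so
EOF
    cat > "$1/gridapp-before.conf" <<'EOF'
<VirtualHost *:443>
<Location /ldap-status>
SetHandler ldap-status
AuthLDAPEnabled on
AuthLDAPURL
ldap://server.domain.com/DC=domain,DC=com?sAMAccountName?sub?(objectClass=user)
AuthLDAPBindDN binduser@domain.com
AuthLDAPBindPassword password
AuthType Basic
Require valid-user
</Location>
GridAppExternalAuthEnabled <on|off>
GridAppExternalAuthUri /ldap-status
</VirtualHost>
EOF
    cat > "$1/gridapp-after.conf" <<'EOF'
LDAPTrustedCA /etc/ssl/certs/certnew.cer
LDAPTrustedCAType BASE64_FILE
<VirtualHost *:443>
<Location /ldap-status>
SetHandler ldap-status
AuthLDAPEnabled on
AuthLDAPURL ldaps://dc01.example.internal/DC=example,DC=internal?sAMAccountName?sub?(objectClass=user)
AuthLDAPBindDN svc-dbauth@example.internal
AuthLDAPBindPassword CHANGE-ME-secret
AuthType Basic
Require valid-user
</Location>
GridAppExternalAuthEnabled on
GridAppExternalAuthUri /ldap-status
</VirtualHost>
EOF
}

# Demonstration on the constructed samples (real runs use HTTPD_CONF/GRIDAPP_CONF).
sample_dir=$(mktemp -d)
write_samples "$sample_dir"
echo "before: $(run_checks "$sample_dir/httpd.conf" "$sample_dir/gridapp-before.conf") problem(s)"
echo "after:  $(run_checks "$sample_dir/httpd.conf" "$sample_dir/gridapp-after.conf") problem(s)"
rm -rf "$sample_dir"
```

To check the live files, run `run_checks "$HTTPD_CONF" "$GRIDAPP_CONF"` (or source the script and call it) and reload httpd only when it prints 0; `httpd -t` remains the authoritative syntax check, and this script only catches the mistakes the procedure itself invites.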
