Integrating Active Directory by using RHEL 5 and RHEL 6


This topic describes how to integrate Active Directory by using Red Hat Enterprise Linux release 5 and 6.

To integrate Active Directory by using Red Hat Enterprise Linux release 5 and 6

  1. Confirm that the /etc/httpd/conf/httpd.conf file includes the following lines:
    LoadModule ldap_module modules/mod_ldap.so
    LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
  2. Open the /etc/httpd/conf.d/gridapp.conf file and add the following lines as global configuration entries (outside of the <VirtualHost></VirtualHost> section).
    LDAPSharedCacheSize 200000
    LDAPCacheEntries 1024
    LDAPCacheTTL 600
    LDAPOpCacheEntries 1024
    LDAPOpCacheTTL 600
    # LDAPTrustedCA /etc/ssl/certs/certnew.cer
    # LDAPTrustedCAType BASE64_FILE

     The last two lines are required only when LDAP over SSL is to be implemented. The LDAPTrustedCA directive points to the file on the Manager node that holds the certificate of the Certificate Authority that issued the domain controller's certificate, and LDAPTrustedCAType gives the format of that *.cer file. This directive pair comes from httpd 2.0; the httpd 2.2 packages shipped with RHEL 5 and 6 document LDAPTrustedGlobalCert CA_BASE64 /path/to/certnew.cer for the same purpose, and LDAPVerifyServerCert (on by default) controls whether the server certificate is actually checked against that CA. Run httpd -t after editing so that an unrecognized directive is caught before the reload. Without a trusted CA and an ldaps:// URL in AuthLDAPURL, the bind password and every user's password travel to the domain controller in clear text.
  3. Within the VirtualHost in the /etc/httpd/conf.d/gridapp.conf file, configure the URL for LDAP authentication and the ldap-status handler.
    The following example uses the URL /ldap-status; you can use any URL you prefer. The AuthLDAPURL, AuthLDAPBindDN, and AuthLDAPBindPassword values must be correct for your LDAP server. Create a dedicated, read-only domain user account for the AuthLDAPBind directives; do not reuse an administrator's or a person's account, because its password is kept in this file in clear text.

    Note

    This User account does not need any special privileges; it can be an ordinary domain user that is not a member of any built-in or privileged group. Because its password is stored in clear text in gridapp.conf, keep the file readable only by root and the httpd service account (for example, mode 640, owner root, group apache).

    <Location /ldap-status>
    SetHandler ldap-status
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative Off
    AuthLDAPURL ldap://server.domain.com/DC=domain,DC=com?sAMAccountName?sub?(objectClass=user)
    AuthLDAPBindDN binduser@domain.com
    AuthLDAPBindPassword password
    AuthType Basic
    AuthName "Domain.com Active Directory"
    Require valid-user
    </Location>

    Note

    The server name, base DN, bind DN, bind password, and AuthName in this block must be replaced with values specific to the customer environment before this configuration is activated.

  4. Configure the BMC Database Automation Apache module for external authentication by setting the following directives inside the VirtualHost block (but not inside any Location blocks):
    # This is the only directive that needs to be changed if you wish to
    # switch back to local authentication.
    GridAppExternalAuthEnabled <on|off>
    # This must match the path chosen for the Location block; in this case:
    GridAppExternalAuthUri /ldap-status
    # Optional. If set, logins as <ldap-user> are treated as sysadmin in Clarity.
    # If not configured, you need a 'sysadmin' user in the Active Directory.
    GridAppSysadminAlias <ldap-user>

    The account mapped here (or an Active Directory account literally named sysadmin) becomes the product's administrative identity, so protect its credentials as you would any other administrative account.
  5. Reload the httpd service (service httpd reload), and then test authentication from the Manager by using an account that exists both in the LDAP directory and in the Manager. If the logon fails, check /var/log/httpd/error_log; mod_authnz_ldap records bind and search failures there.
  6. Depending on the mode you are using, use one of the following commands to confirm that the directory answers for the bind account, search base, and filter that httpd will use. If the search finds one or more entries, each entry is written to standard output in LDAP Data Interchange Format (LDIF). An empty result with no error usually means the base DN or filter is wrong; a bind error means the bind DN or password is wrong.
    • For non-SSL mode, run the following command:
      ldapsearch -x -H ldap://<LDAPserverName> -b dc=<example>,dc=<com> -D "<binduser@domain.com>" -W "(&(objectClass=organizationalPerson)(memberOf=<cn=users,ou=groups,dc=domain,dc=com>))" sAMAccountName
    • For SSL mode, run the following command. The client must trust the same CA as httpd; if that CA is not already in the system ldap.conf, point LDAPTLS_CACERT at the CA file:
      LDAPTLS_CACERT=/etc/ssl/certs/certnew.cer ldapsearch -x -H ldaps://<LDAPserverName> -b dc=<example>,dc=<com> -D "<binduser@domain.com>" -W "(&(objectClass=organizationalPerson)(memberOf=<cn=users,ou=groups,dc=domain,dc=com>))" sAMAccountName
      In the commands, replace the variables enclosed in < > with actual values. Active Directory accepts the user principal name (user@domain.com) or a full DN as the bind identity, stores group membership in memberOf (the isMemberOf attribute belongs to other directory products), and stores logon names in sAMAccountName, which is also the attribute that the AuthLDAPURL above searches. -W prompts for the bind password instead of placing it on the command line, where -w <password> would be visible to every local user in ps output and in the shell history.

To grant Active Directory authorization to specific users in a group

Mapping Active Directory groups to BMC Database Automation groups is not supported. However, you can configure BMC Database Automation to enable and limit access to specific users in a group.

Note

Active Directory is used only for authentication, that is, it determines who can log on to the BMC Database Automation GUI. What a user may do (capabilities) is granted separately by configuring security groups within BMC Database Automation.

To restrict logon to the members of one group, replace the Require valid-user line in the <Location> section of the /etc/httpd/conf.d/gridapp.conf configuration file with the following lines. Active Directory groups list their members as full distinguished names in the member attribute, so the group attribute is member and AuthLDAPGroupAttributeIsDN is on:

AuthLDAPGroupAttribute member
AuthLDAPGroupAttributeIsDN on
Require ldap-group cn=infosys,ou=Group,dc=domain,dc=com

Do not keep Require valid-user alongside Require ldap-group: httpd 2.2 grants access when any one Require directive is satisfied, so any valid domain account would still be able to log on. (The memberUid attribute with AuthLDAPGroupAttributeIsDN off applies to posixGroup entries in other directories, whose members are listed by user name rather than by DN.) AuthzLDAPAuthoritative Off lets a later authorization module decide when the LDAP group check fails; if none is configured, the user is refused.

Example
<Location /ldap-status>
SetHandler ldap-status
AuthBasicProvider ldap
AuthzLDAPAuthoritative Off
AuthLDAPURL ldap://server.domain.com/DC=domain,DC=com?sAMAccountName?sub?(objectClass=user)
AuthLDAPBindDN binduser@domain.com
AuthLDAPBindPassword password
AuthType Basic
AuthName "Domain.com Active Directory"
AuthLDAPGroupAttribute member
AuthLDAPGroupAttributeIsDN on
Require ldap-group cn=infosys,ou=Group,dc=domain,dc=com
</Location>

Note

The AuthLDAPGroupAttributeIsDN parameter is on when the group attribute holds distinguished names (Active Directory's member) and off when it holds plain user names (for example, memberUid in a posixGroup). For more information, see http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#authldapgroupattributeisdn.
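The following is an added example and not code from BMC's documentation or product: a POSIX shell script that writes two constructed gridapp.conf fragments, the <Location> block from the procedure above as the page gives it (with the LDAP-over-SSL trust lines uncommented) and a hardened variant, and lints both for the weak settings discussed in the procedure and in the group-restriction section: a clear-text ldap:// URL, Require valid-user left next to Require ldap-group, the memberUid group attribute, the httpd 2.0 trust directives, and a world-readable file holding the bind password. Hostnames, DNs, the group name and the bind account are placeholders carried over from the page; the LDAPTrustedMode STARTTLS exemption and the 640/root:apache file mode are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not BMC's or Apache's code: writes two constructed
# gridapp.conf fragments (the page's configuration as given, and a
# hardened variant) and lints them for the mistakes this page invites.
# Hostnames, DNs, the group and the bind account are placeholders.

# The page's <Location> block as written, with the LDAP-over-SSL trust lines
# uncommented as step 2 says to do for LDAPS (constructed sample).
write_page_conf() {
    cat >"$1" <<'EOF'
LDAPTrustedCA /etc/ssl/certs/certnew.cer
LDAPTrustedCAType BASE64_FILE
<Location /ldap-status>
SetHandler ldap-status
AuthBasicProvider ldap
AuthzLDAPAuthoritative Off
AuthLDAPURL ldap://server.domain.com/DC=domain,DC=com?sAMAccountName?sub?(objectClass=user)
AuthLDAPBindDN binduser@domain.com
AuthLDAPBindPassword password
AuthType Basic
AuthName "Domain.com Active Directory"
Require valid-user
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
Require ldap-group cn=infosys,ou=Group,dc=domain,dc=com
</Location>
EOF
}

# Hardened variant for httpd 2.2 on RHEL 5/6: ldaps:// with the issuing CA
# pinned, a single Require line so the group check is the only way in, and
# the Active Directory group attribute (member, which holds DNs).
write_hardened_conf() {
    cat >"$1" <<'EOF'
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/certnew.cer
LDAPVerifyServerCert On
<Location /ldap-status>
SetHandler ldap-status
AuthType Basic
AuthName "Domain.com Active Directory"
AuthBasicProvider ldap
AuthzLDAPAuthoritative On
AuthLDAPURL "ldaps://server.domain.com/DC=domain,DC=com?sAMAccountName?sub?(objectClass=user)"
AuthLDAPBindDN "binduser@domain.com"
AuthLDAPBindPassword "password"
AuthLDAPGroupAttribute member
AuthLDAPGroupAttributeIsDN on
Require ldap-group CN=infosys,OU=Group,DC=domain,DC=com
</Location>
EOF
}

# Lint one file. Prints a line per finding; the return value is the number
# of findings, so 0 means clean. Only uncommented directives are inspected.
lint_gridapp_conf() {
    f=$1
    n=0
    if grep -Eiq '^[[:space:]]*AuthLDAPURL[[:space:]]+"?ldap://' "$f" &&
       ! grep -Eiq '^[[:space:]]*LDAPTrustedMode[[:space:]]+TLS' "$f"; then
        echo "$f: AuthLDAPURL is ldap:// without STARTTLS; bind and user passwords cross the network in clear text"
        n=$((n + 1))
    fi
    if grep -Eiq '^[[:space:]]*Require[[:space:]]+valid-user' "$f" &&
       grep -Eiq '^[[:space:]]*Require[[:space:]]+ldap-group' "$f"; then
        echo "$f: Require valid-user next to Require ldap-group; httpd 2.2 grants access when any Require matches, so the group limit does nothing"
        n=$((n + 1))
    fi
    if grep -Eiq '^[[:space:]]*AuthLDAPGroupAttribute[[:space:]]+memberUid' "$f"; then
        echo "$f: AuthLDAPGroupAttribute memberUid; Active Directory lists members as DNs in 'member' (use member with AuthLDAPGroupAttributeIsDN on)"
        n=$((n + 1))
    fi
    if grep -Eiq '^[[:space:]]*LDAPTrustedCA(Type)?[[:space:]]' "$f"; then
        echo "$f: LDAPTrustedCA/LDAPTrustedCAType are httpd 2.0 directives; httpd 2.2 uses LDAPTrustedGlobalCert (check with httpd -t)"
        n=$((n + 1))
    fi
    if grep -Eiq '^[[:space:]]*AuthLDAPBindPassword' "$f" &&
       [ -n "$(find "$f" -perm -004 -print)" ]; then
        echo "$f: holds AuthLDAPBindPassword but is world-readable; chmod 640 and chown root:apache"
        n=$((n + 1))
    fi
    return "$n"
}

# Demo: lint both samples and report the finding count for each.
demo() {
    d=$(mktemp -d) || return 1
    write_page_conf "$d/page.conf";     chmod 644 "$d/page.conf"
    write_hardened_conf "$d/hard.conf"; chmod 640 "$d/hard.conf"
    for c in "$d/page.conf" "$d/hard.conf"; do
        k=0; lint_gridapp_conf "$c" || k=$?
        echo "$c: $k finding(s)"
    done
    rm -rf "$d"
}
demo
```

Run it with sh on the Manager, then point lint_gridapp_conf at the real /etc/httpd/conf.d/gridapp.conf after each edit. A clean run is not a substitute for httpd -t and the ldapsearch checks in step 6, which are what prove that the directory actually answers with the configured bind account.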
