Integrating Active Directory by using RHEL 5 and RHEL 6
This topic describes how to integrate Active Directory by using Red Hat Enterprise Linux release 5 and 6.
To integrate Active Directory by using Red Hat Enterprise Linux release 5 and 6
- Confirm that the /etc/httpd/conf/httpd.conf file includes the following lines:
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so - Open the /etc/httpd/conf.d/gridapp.conf file and add the following lines as global configuration entries (outside of the <VirtualHost></VirtualHost> section).
LDAPSharedCacheSize 200000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600
# LDAPTrustedCA /etc/ssl/certs/certnew.cer
# LDAPTrustedCAType BASE64_FILE
The last two lines are required only when LDAP over SSL is to be implemented. The LDAPTrustedCA directive points to the file on the Manager node that contains information about the trusted Certificate Authority. LDAPTrustedCAType contains additional information defining the file format of the previously specified *.cer. Within the VirtualHost in the /etc/httpd/conf.d/gridapp.conf file, configure the URL for LDAP authentication and the ldap-status handler.
The following example specifies ldap-status. You can use any URL you prefer. The LDAPURL, LDAPBindDN, LDAPBindPassword must be correct for your LDAP server. A dedicated domain User account should also be created for use with the AuthLDAPBind directives for security purposes.<Location /ldap-status>
SetHandler ldap-status
AuthBasicProvider ldap
AuthzLDAPAuthoritative Off
AuthLDAPURL
ldap://server.domain.com/DC=domain,DC=com?sAMAccountName?sub?(objectClass=user)
AuthLDAPBindDNbinduser@domain.com
AuthLDAPBindPasswordpassword
AuthType Basic
AuthName "Domain.comActive Directory"
Require valid-user
</Location>- Configure the BMC Database Automation Apache module for external authentication by setting the following directives inside the VirtualHost block (but not inside any Location blocks):
# This is the only directive that needs to be changed if you wish to
switch back to local authentication.
GridAppExternalAuthEnabled <on|off>
# This will match what was chosen for the location block - in this case it would be -
GridAppExternalAuthUri /ldap-status
# Optional. If set, logins as ldap_user will be treated as sysadmin in Clarity. If not configured, you will need a 'sysadmin' user in the Active Directory.
GridAppSysadminAlias <ldap-user> - Reload the httpd service, and then test authentication from the Manager by using an account that exists in both the LDAP directory as well as the Manager.
- Depending on the mode you are using, use one of the following commands to confirm whether LDAP is configured properly. If the command finds one or more entries, each entry is written to standard output in LDAP Data Interchange Format (ldif).
- For non-SSL mode, run the following command:
ldapsearch -x -H ldap://<LDAPserverName> -b dc=<example>,dc=<com> -D "cn=<Smith>" -w <SmithPassword> "(&(objectClass=organizationalPerson)(isMemberOf=<cn=users,dc=groups,dc=domain,dc=com>))" uid - For SSL mode, run the following command:
ldapsearch -x -H ldaps://<LDAPserverName> -b dc=<example>,dc=<com> -D "cn=<Smith>" -w <SmithPassword> "(&(objectClass=organizationalPerson)(isMemberOf=<cn=users,dc=groups,dc=domain,dc=com>))" uid
In the commands, replace the variables enclosed in < > with actual values.
- For non-SSL mode, run the following command:
To grant Active Directory authorization to specific users in a group
Mapping Active Directory groups to BMC Database Automation groups is not supported. However, you can configure BMC Database Automation to enable and limit access to specific users in a group.
To enable users from certain groups to log on to BMC Database Automation, add the following lines to the <Location> section of the /etc/httpd/conf.d/gridapp.conf configuration file:
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
Require ldap-group cn=infosys,ou=Group,dc=domain,dc=com