IBM Operations Analytics - Log Analysis, Version 1.3.2

LDAP configuration

You can implement an LDAP user registry in place of the database-managed custom user registry that is provided in IBM® Operations Analytics - Log Analysis.

IBM Operations Analytics - Log Analysis uses a database-managed custom user registry for user authentication by default. This setting is configured in the server.xml file in the <HOME>/IBM/LogAnalysis/wlp/usr/servers/Unity directory.

You can modify the user registry XML file yourself, or you can use the ldapRegistryHelper.sh command in the <HOME>/IBM/LogAnalysis/utilities directory to generate an XML file that enables basic LDAP authentication.

Before you begin

  • Configure LDAP immediately after IBM Operations Analytics - Log Analysis is installed.
  • After LDAP is configured, you cannot revert to the database-managed custom user registry.
  • The IBM Operations Analytics - Log Analysis administrator, the unityadmin user, must exist in the LDAP repository before you switch.
  • After the unityadmin user logs in to IBM Operations Analytics - Log Analysis for the first time, that user must register the other LDAP users with IBM Operations Analytics - Log Analysis by adding them from the UI.
  • An LDAP user must be registered by the unityadmin user before that user can use the IBM Operations Analytics - Log Analysis functions.
  • If your LDAP environment is configured to interact with other security software, Log Analysis might have to interact with that software to complete authentication. Consider any user ID or password restrictions that the other software imposes. For example, if one of the other LDAP applications requires an 8-character password, the password that you specify in Log Analysis must meet that requirement.

Using the ldapRegistryHelper.sh command

You can use the ldapRegistryHelper.sh command to generate the ldapRegistry.xml file in the <HOME>/IBM/LogAnalysis/wlp/usr/servers/Unity directory. The generated file contains the minimum properties that are required for a basic connection to an LDAP directory server. You can use it as-is to enable basic LDAP authentication, or as a starting point for your own LDAP configuration.

You can use one of the following options to configure LDAP authentication:

Manually enabling LDAP authentication

Use the ldapRegistryHelper.sh command to generate the ldapRegistry.xml file.

Modify the ldapRegistry.xml file in the <HOME>/IBM/LogAnalysis/wlp/usr/servers/Unity directory manually.

To disable the database-managed custom user registry, comment out the include for unityUserRegistry.xml in the server.xml file so that it reads:
<!--Include the basic registry predefined with default users and groups -->
<!-- <include optional='true' location="${server.config.dir}/unityUserRegistry.xml"/> -->
To enable LDAP authentication, remove the comment markers from the include for ldapRegistry.xml so that it reads:
<!--Include the LDAP registry -->
<include optional='true' location="${server.config.dir}/ldapRegistry.xml"/>
where ldapRegistry.xml is the file that contains the properties that are required to connect to the LDAP server. After the edit, exactly one registry include is active: the database-managed registry is commented out and the LDAP registry is not.
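The following script is an added example and is not IBM code. It applies the server.xml include switch from the procedure above as a line-level edit, reports which registry is active, and sanity-checks an ldapRegistry.xml fragment for the points a practitioner should settle before the server uses it: transport encryption, an encoded bind password, a bind DN, and a supported directory type. The sample server.xml excerpt and both ldapRegistry.xml fragments are constructed for this example; the attribute names on the <ldapRegistry> element (ldapType, sslEnabled, sslRef, bindDN, bindPassword) and the {xor}/{aes} prefixes produced by wlp/bin/securityUtility encode are those of the WebSphere Liberty server that Log Analysis runs on. The host names, DNs and the placeholder encoded values are assumptions.

```python
"""Added example, not IBM's code: apply the server.xml include switch and
sanity-check a generated ldapRegistry.xml. Sample XML is constructed."""
import xml.etree.ElementTree as ET

def _include(name: str) -> str:
    # Matched as an exact string, so the quoting must agree with your server.xml.
    return '<include optional=\'true\' location="${server.config.dir}/%s"/>' % name

DB_INCLUDE = _include("unityUserRegistry.xml")
LDAP_INCLUDE = _include("ldapRegistry.xml")

# Constructed excerpt of server.xml in the shipped state: database-managed
# registry active, LDAP include commented out.
SERVER_XML_DEFAULT = """<server description="Unity">
  <!--Include the basic registry predefined with default users and groups -->
  <include optional='true' location="${server.config.dir}/unityUserRegistry.xml"/>
  <!--Include the LDAP registry -->
  <!-- <include optional='true' location="${server.config.dir}/ldapRegistry.xml"/> -->
</server>
"""

def _active(line: str, include: str) -> bool:
    """True when the line carries the include and is not commented out."""
    return include in line and not line.strip().startswith("<!--")

def registry_state(server_xml: str) -> str:
    """Which registry includes are live: 'database', 'ldap', 'both' or 'none'.
    'both' means the default users in unityUserRegistry.xml are still configured."""
    lines = server_xml.splitlines()
    db = any(_active(l, DB_INCLUDE) for l in lines)
    ldap = any(_active(l, LDAP_INCLUDE) for l in lines)
    return {(True, False): "database", (False, True): "ldap",
            (True, True): "both"}.get((db, ldap), "none")

def switch_to_ldap(server_xml: str) -> str:
    """Comment out the unityUserRegistry include and uncomment the ldapRegistry
    include, line by line as the procedure says. Running it twice is harmless."""
    out = []
    for line in server_xml.splitlines(keepends=True):
        indent = line[: len(line) - len(line.lstrip())]
        body = line.strip()
        if _active(line, DB_INCLUDE):
            line = f"{indent}<!-- {body} -->\n"
        elif LDAP_INCLUDE in line and body.startswith("<!--"):
            line = f"{indent}{LDAP_INCLUDE}\n"
        out.append(line)
    return "".join(out)

# The two directory types the page lists, spelled as Liberty's ldapType expects.
SUPPORTED_TYPES = {"IBM Tivoli Directory Server", "Microsoft Active Directory"}

def check_ldap_registry(xml_text: str) -> list:
    """Findings a practitioner should resolve before relying on the fragment."""
    root = ET.fromstring(xml_text)
    reg = root if root.tag == "ldapRegistry" else root.find("ldapRegistry")
    if reg is None:
        return ["no <ldapRegistry> element found"]
    findings = []
    if reg.get("ldapType") not in SUPPORTED_TYPES:
        findings.append("ldapType is not one of the supported directories: %s"
                        % sorted(SUPPORTED_TYPES))
    if reg.get("sslEnabled", "false").lower() != "true":
        findings.append("sslEnabled is not true: simple binds send the bind password "
                        "and every user's password to the directory in clear text")
    pw = reg.get("bindPassword")
    if pw is not None and not pw.startswith(("{xor}", "{aes}")):
        findings.append("bindPassword is clear text: encode it with "
                        "wlp/bin/securityUtility encode before saving the file")
    if not reg.get("bindDN"):
        findings.append("no bindDN: searches run as an anonymous bind, which "
                        "Active Directory rejects by default")
    return findings

# Constructed: a minimal fragment connecting in clear text on 389.
LDAP_REGISTRY_WEAK = """<server>
  <ldapRegistry id="ldap" realm="LogAnalysisRealm" host="ldap.example.com" port="389"
      baseDN="dc=example,dc=com" bindDN="cn=la-bind,ou=svc,dc=example,dc=com"
      bindPassword="Passw0rd" ldapType="IBM Tivoli Directory Server" ignoreCase="true"/>
</server>
"""

# The same fragment hardened: LDAPS on 636 with a trust store holding the directory's
# CA, and the bind password encoded with securityUtility (values are placeholders).
LDAP_REGISTRY_HARDENED = """<server>
  <ldapRegistry id="ldap" realm="LogAnalysisRealm" host="ldap.example.com" port="636"
      sslEnabled="true" sslRef="LDAPSSLSettings"
      baseDN="dc=example,dc=com" bindDN="cn=la-bind,ou=svc,dc=example,dc=com"
      bindPassword="{xor}placeholder" ldapType="IBM Tivoli Directory Server" ignoreCase="true"/>
  <ssl id="LDAPSSLSettings" keyStoreRef="defaultKeyStore" trustStoreRef="LDAPTrustStore"/>
  <keyStore id="LDAPTrustStore" location="${server.config.dir}/resources/security/ldapTrust.jks"
      password="{xor}placeholder"/>
</server>
"""

if __name__ == "__main__":
    switched = switch_to_ldap(SERVER_XML_DEFAULT)
    print(registry_state(SERVER_XML_DEFAULT), "->", registry_state(switched))
    for name, xml in (("weak", LDAP_REGISTRY_WEAK), ("hardened", LDAP_REGISTRY_HARDENED)):
        print(name, check_ldap_registry(xml) or "ok")
```

To use it against a real installation, read server.xml and ldapRegistry.xml from <HOME>/IBM/LogAnalysis/wlp/usr/servers/Unity, write the result of switch_to_ldap back only after registry_state reports "ldap" and check_ldap_registry returns no findings, and keep a copy of the original server.xml, since the page states that the switch cannot be reverted from within the product. The bind account named in bindDN needs only read access to the user and group subtrees.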

User group names

The valid IBM Operations Analytics - Log Analysis user group names for LDAP are UnityAdmins and UnityUsers. These group names are mapped to security roles in the unityConfig.xml file that is in the <HOME>/IBM/LogAnalysis/wlp/usr/servers/Unity directory.

To use other LDAP groups, update the unityConfig.xml file to map the groups to security roles in IBM Operations Analytics - Log Analysis.
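The script below is an added example, not IBM code, for reviewing the group-to-role mapping before granting another LDAP group access. It assumes that unityConfig.xml binds roles with the standard Liberty <application-bnd> layout (security-role, group, user and special-subject elements) and that the administrator role is named UnityAdmin; both are assumptions of this example, as is the constructed fragment, which deliberately contains two mistakes a least-privilege review should catch: an extra group on the user role and an ALL_AUTHENTICATED_USERS grant on the admin role.

```python
"""Added example, not IBM's code: list which LDAP groups each Log Analysis security
role is bound to, and flag bindings that widen the administrator role."""
import xml.etree.ElementTree as ET

# Constructed unityConfig.xml fragment (assumed layout): the shipped groups, one
# extra AD group on the user role, and an over-broad subject on the admin role.
UNITY_CONFIG = """<server>
  <application id="Unity" name="Unity" location="Unity.war">
    <application-bnd>
      <security-role name="UnityAdmin">
        <group name="UnityAdmins"/>
        <special-subject type="ALL_AUTHENTICATED_USERS"/>
      </security-role>
      <security-role name="UnityUser">
        <group name="UnityUsers"/>
        <group name="SOC-Analysts"/>
      </security-role>
    </application-bnd>
  </application>
</server>
"""

ADMIN_ROLE = "UnityAdmin"  # assumed name of the administrator security role

def role_bindings(xml_text: str) -> dict:
    """Map each security role to the groups, users and special subjects bound to it."""
    root = ET.fromstring(xml_text)
    bindings = {}
    for role in root.iter("security-role"):
        subjects = ["group:" + g.get("name") for g in role.findall("group")]
        subjects += ["user:" + u.get("name") for u in role.findall("user")]
        subjects += ["special:" + s.get("type") for s in role.findall("special-subject")]
        bindings[role.get("name")] = subjects
    return bindings

def admin_role_findings(xml_text: str) -> list:
    """Least-privilege check: the admin role should be bound to named groups only,
    so that membership is managed in the directory rather than in this file."""
    subjects = role_bindings(xml_text).get(ADMIN_ROLE, [])
    findings = []
    if not subjects:
        findings.append(ADMIN_ROLE + " has no binding: nobody can administer Log Analysis")
    for s in subjects:
        if s.startswith("special:"):
            findings.append(ADMIN_ROLE + " is granted to special subject " + s[8:]
                            + ": every matching account becomes an administrator")
        elif s.startswith("user:"):
            findings.append(ADMIN_ROLE + " is bound directly to user " + s[5:]
                            + ": bind a group instead and manage membership in LDAP")
    return findings

if __name__ == "__main__":
    for role, subjects in role_bindings(UNITY_CONFIG).items():
        print(role, "<-", ", ".join(subjects))
    for finding in admin_role_findings(UNITY_CONFIG):
        print("FINDING:", finding)
```

Each group name that role_bindings reports must exist in the LDAP directory under the configured baseDN, or the role is unreachable; and the page's requirement that unityadmin exists in LDAP means that account must be a member of whichever group is bound to the administrator role.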

Compatible LDAP directories

IBM Operations Analytics - Log Analysis supports Tivoli Directory Server (TDS) and Microsoft Active Directory (AD) LDAP servers.
