IBM Operations Analytics - Log Analysis, Version 1.3.2

Configuring LDAP authentication with IBM Tivoli Directory Server or Microsoft Active Directory

You can use the ldapRegistryHelper.sh command to help you to create and enable an IBM® Tivoli® Directory Server or Microsoft Active Directory server for IBM Operations Analytics - Log Analysis user authentication.

Before you begin

  • The unityadmin user must be a member of the UnityAdmins group in the LDAP registry. Other users must be members of the UnityUsers group.
  • To use other LDAP groups, update the unityConfig.xml file to map the groups to security roles in IBM Operations Analytics - Log Analysis.

About this task

Only one LDAP server can be configured by using the utility.

Procedure

  1. To stop the IBM Operations Analytics - Log Analysis server, use the following command:
    ./unity.sh -stop
  2. To specify the LDAP server details, edit the ldapRegistryHelper.properties file that is in the <HOME>/IBM/LogAnalysis/utilities/ directory. For more information about the ldapRegistryHelper properties, see the ldapRegistryHelper.properties topic in the Configuration guide.
  3. Navigate to the <HOME>/IBM/LogAnalysis/utilities directory and run the following command:
    ./ldapRegistryHelper.sh config
  4. Run the following command:
    ./ldapRegistryHelper.sh enable
  5. If the UnityAdmins or UnityUsers groups are not in your LDAP server, you can map other groups in the LDAP registry to security roles in IBM Operations Analytics - Log Analysis. To map groups to security roles, edit the <HOME>/IBM/LogAnalysis/wlp/usr/servers/Unity/unityConfig.xml file. For example:
    <security-role name="UnityUser">
        <group name="UnityUsers" />
        <group name="UnityAdmins" />
        <group name="TestLANonAdmin"/>
        <group name="TestLAAdmin"/>
    </security-role>
    <security-role name="UnityAdmin">
        <group name="UnityAdmins" />
        <group name="TestLAAdmin"/>
    </security-role>
  6. To start the IBM Operations Analytics - Log Analysis server, use the following command:
    <HOME>/IBM/LogAnalysis/utilities/unity.sh -start
  7. To add LDAP users to IBM Operations Analytics - Log Analysis, log in as unityadmin.
    Note: You can delete the LDAP user registered with IBM Operations Analytics - Log Analysis but you cannot edit or delete the actual LDAP users.
  8. To add roles and permissions to LDAP users, open the IBM Operations Analytics - Log Analysis UI and click Administrative Settings. For more information about adding roles and permissions, see the Adding users to roles and Adding permissions to roles topics in the Users and roles section of the Configuring guide.
  9. Users who are deleted from the LDAP registry must be removed from IBM Operations Analytics - Log Analysis by the unityadmin user to prevent storage of obsolete information in the IBM Operations Analytics - Log Analysis Derby database.
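
After you edit unityConfig.xml in step 5 and before you restart the server, you can check which LDAP groups receive the UnityAdmin role. The following script is an added example, not IBM-supplied code; the <server> root element in the constructed sample, the function names, and the approved-group list are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the mapping from step 5 inside an assumed root element.
SAMPLE = """<server>
  <security-role name="UnityUser">
    <group name="UnityUsers" />
    <group name="UnityAdmins" />
    <group name="TestLANonAdmin"/>
    <group name="TestLAAdmin"/>
  </security-role>
  <security-role name="UnityAdmin">
    <group name="UnityAdmins" />
    <group name="TestLAAdmin"/>
  </security-role>
</server>"""

def local(tag):
    """Drop any XML namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]

def role_groups(xml_text):
    """Return {role name: set of LDAP group names} for every security-role."""
    roles = {}
    for elem in ET.fromstring(xml_text).iter():
        if local(elem.tag) != "security-role":
            continue
        groups = roles.setdefault(elem.get("name", ""), set())
        for child in elem:
            if local(child.tag) == "group" and child.get("name"):
                groups.add(child.get("name").strip())
    return roles

def audit(xml_text, approved_admin_groups):
    """List findings: unapproved admin groups, and roles with no group."""
    roles = role_groups(xml_text)
    findings = []
    unapproved = roles.get("UnityAdmin", set()) - set(approved_admin_groups)
    for group in sorted(unapproved):
        findings.append(f"UnityAdmin granted to unapproved group: {group}")
    for role in ("UnityUser", "UnityAdmin"):
        if not roles.get(role):
            findings.append(f"no LDAP group mapped to role: {role}")
    return findings

if __name__ == "__main__":
    # Assumption: only UnityAdmins is approved for administration at this site.
    for line in audit(SAMPLE, {"UnityAdmins"}):
        print(line)
```

To check the live file, pass the contents of <HOME>/IBM/LogAnalysis/wlp/usr/servers/Unity/unityConfig.xml to audit() with your own approved-group list.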

Results

Basic LDAP authentication between IBM Operations Analytics - Log Analysis and the IBM Tivoli Directory Server or the Microsoft Active Directory server is enabled.

What to do next

After you configure LDAP, you must update the password in the configuration files. For more information, see Updating passwords in the configuration files.


