IBM Operations Analytics - Log Analysis, Version 1.3.2

Manually configuring LDAP authentication

If you want to manually configure LDAP authentication, you can manually configure the settings in your own XML file or you can modify the ldapRegistry.xml that is output by the ldapRegistryHelper.sh command to meet your requirements.

About this task

The following procedure describes the steps that are automated by the ldapRegistryHelper.sh command. Read this procedure to help you understand the necessary steps for configuring LDAP authentication. For more information, see Configuring an LDAP user registry with the Liberty profile.

Procedure

  1. Manually create an LDAP configuration file that is named ldapRegistry.xml and save it in the <HOME>/IBM/LogAnalysis/wlp/usr/servers/Unity directory or modify the ldapRegistry.xml that is output by the ldapRegistryHelper.sh command.
  2. Update the ldapRegistry.xml with the appropriate configuration information:
    • For IBM® Tivoli® Directory Server, add the text:
      <ldapRegistry id="IBMDirectoryServerLDAP" realm="SampleLdapIDSRealm"
              host="host.domain.com" port="389" ignoreCase="true"
              baseDN="o=domain,c=us"
              bindDN="cn=root"
              bindPassword="password"
              ldapType="IBM Tivoli Directory Server">
          <idsFilters
              userFilter="(&amp;(uid=%v)(objectclass=ePerson))"
              groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))"
              userIdMap="*:uid"
              groupIdMap="*:cn"
              groupMemberIdMap="ibm-allGroups:member;ibm-allGroups:uniqueMember;groupOfNames:member;groupOfUniqueNames:uniqueMember" />
      </ldapRegistry>
    • For Microsoft Active Directory, add the text:
      <ldapRegistry id="ActiveDirectoryLDAP" realm="SampleLdapADRealm"
              host="host.domain.com" port="389" ignoreCase="true"
              baseDN="cn=users,dc=domain,dc=com" 
              bindDN="cn=myuser,cn=users,dc=domain,dc=com"
              bindPassword="password"
              ldapType="Microsoft Active Directory" />
  3. Update these attributes to reflect your LDAP server configuration:
    • id
    • realm
    • host
    • port
    • baseDN
    • bindDN
  4. If you use Active Directory, run the securityUtility command in the <HOME>/IBM/LogAnalysis/bin directory to encode the bindPassword value. This step is optional if you use Tivoli Directory Server, because TDS does not require the bindPassword value.

    After you run the command, copy the encoded value that the command outputs into the bindPassword attribute.

    For more information about this command, see the unity_securityUtility.sh command topic.

  5. (Optional) If your implementation uses a Microsoft Active Directory LDAP that uses different object classes to define users and groups, update the userFilter and groupFilter attributes as required.
  6. (Optional) If your implementation uses Microsoft Active Directory, update the user and group mapping attributes as required for your LDAP environment.
  7. Open the server.xml file in the <HOME>/IBM/LogAnalysis/wlp/usr/servers/Unity directory and make these changes:
    1. Only one type of user registry can be configured for authentication, so you must disable the database-managed custom user registry before you can enable LDAP. Comment out the lines in the server.xml file that reference the database-managed custom user registry:
      <!-- Include the basic registry predefined with default users and groups -->
      <!--
          <include optional="true" location="${server.config.dir}/unityUserRegistry.xml"/>
      -->

      If you do not remove this reference, an error message is displayed.

    2. Add an include tag that replaces the reference to the custom user registry with a reference to the ldapRegistry.xml file. For example:
      <!-- Include the LDAP registry for users and groups -->
      <include optional="true" location="${server.config.dir}/ldapRegistry.xml"/>
  8. If the UnityAdmins or UnityUsers groups are not in your LDAP server, you can map other groups in the LDAP registry to security roles in IBM Operations Analytics - Log Analysis. To map groups to security roles, edit the <HOME>/IBM/LogAnalysis/wlp/usr/servers/Unity/unityConfig.xml file. For example:
      <security-role name="UnityUser">
          <group name="UnityUsers" />
          <group name="UnityAdmins" />
          <group name="TestLANonAdmin" />
          <group name="TestLAAdmin" />
      </security-role>
      <security-role name="UnityAdmin">
          <group name="UnityAdmins" />
          <group name="TestLAAdmin" />
      </security-role>
  9. To start the IBM Operations Analytics - Log Analysis server, use the following command:
    <HOME>/IBM/LogAnalysis/utilities/unity.sh -start
  10. To add LDAP users to IBM Operations Analytics - Log Analysis, log in as unityadmin.
    Note: You can delete the LDAP user registered with IBM Operations Analytics - Log Analysis but you cannot edit or delete the actual LDAP users.
  11. To add roles and permissions to LDAP users, open the IBM Operations Analytics - Log Analysis UI and click Administrative Settings. For more information about adding roles and permissions, see the Adding users to roles and Adding permissions to roles topics in the Users and roles section of the Configuring guide.
  12. Users who are deleted from the LDAP registry must be removed from IBM Operations Analytics - Log Analysis by the unityadmin user to prevent storage of obsolete information in the IBM Operations Analytics - Log Analysis Derby database.
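As an added example that is not part of the IBM documentation, the following Python script checks the files this procedure produces before you start the server: that every <ldapRegistry> element carries the attributes listed in step 3, that bindPassword is not left in clear text (step 4), that the user and group filters keep their %v placeholder and balanced parentheses (step 5), and that server.xml includes ldapRegistry.xml but no longer includes unityUserRegistry.xml (step 7). The sample documents are constructed inline from the snippets in step 2 and step 7; the {xor} value is a placeholder rather than real securityUtility output, and the {xor}/{aes} prefix test reflects what securityUtility encode writes, which this page does not itself state.

```python
# Added example (not part of the IBM documentation): pre-flight checks on the
# LDAP registry files produced by this procedure, run before unity.sh -start.
import xml.etree.ElementTree as ET

# Attributes that step 3 says must reflect the LDAP server (id, realm, host,
# port, baseDN, bindDN) plus ldapType, which both sample snippets carry.
REQUIRED_ATTRS = ("id", "realm", "host", "port", "baseDN", "bindDN", "ldapType")

# Prefixes that securityUtility encode writes (assumption not stated on the
# page); a bindPassword without one is stored in clear text in the file.
ENCODED_PREFIXES = ("{xor}", "{aes}")


def check_ldap_registry(xml_text):
    """Return a list of problems found in an ldapRegistry.xml document.

    Accepts either a bare <ldapRegistry> element or a <server> root that
    contains one or more of them.
    """
    root = ET.fromstring(xml_text)
    registries = [root] if root.tag == "ldapRegistry" else root.findall(".//ldapRegistry")
    if not registries:
        return ["no <ldapRegistry> element found"]

    problems = []
    for reg in registries:
        rid = reg.get("id", "<no id>")
        for attr in REQUIRED_ATTRS:
            if not reg.get(attr):
                problems.append(f"{rid}: missing attribute {attr}")
        port = reg.get("port", "")
        if port and not port.isdigit():
            problems.append(f"{rid}: port is not numeric: {port!r}")
        password = reg.get("bindPassword")
        if password is not None and not password.startswith(ENCODED_PREFIXES):
            problems.append(f"{rid}: bindPassword is stored in plaintext; run securityUtility encode")
        # Step 5: the user/group filters on idsFilters (or the AD equivalent)
        # must keep the %v placeholder and balanced parentheses, or lookups fail.
        for elem in reg.iter():
            for name in ("userFilter", "groupFilter"):
                value = elem.get(name)
                if value is None:
                    continue
                if "%v" not in value:
                    problems.append(f"{rid}: {name} has no %v placeholder")
                if value.count("(") != value.count(")"):
                    problems.append(f"{rid}: {name} has unbalanced parentheses")
    return problems


def check_server_xml(xml_text):
    """Return problems with the user-registry includes in server.xml (step 7)."""
    root = ET.fromstring(xml_text)
    # ElementTree drops XML comments, so a commented-out include is not seen.
    locations = [inc.get("location", "") for inc in root.iter("include")]
    problems = []
    if any(loc.endswith("unityUserRegistry.xml") for loc in locations):
        problems.append("unityUserRegistry.xml is still included; comment it out")
    if not any(loc.endswith("ldapRegistry.xml") for loc in locations):
        problems.append("ldapRegistry.xml is not included")
    if sum(loc.endswith("Registry.xml") for loc in locations) > 1:
        problems.append("more than one user registry is included; only one is allowed")
    return problems


# Constructed samples. AD_REGISTRY is the Active Directory snippet from step 2
# as written, with its placeholder clear-text password.
AD_REGISTRY = """<ldapRegistry id="ActiveDirectoryLDAP" realm="SampleLdapADRealm"
    host="host.domain.com" port="389" ignoreCase="true"
    baseDN="cn=users,dc=domain,dc=com"
    bindDN="cn=myuser,cn=users,dc=domain,dc=com"
    bindPassword="password"
    ldapType="Microsoft Active Directory" />"""

# The Tivoli Directory Server snippet inside a <server> root, with a made-up
# {xor} value standing in for real securityUtility output.
IDS_REGISTRY = """<server>
  <ldapRegistry id="IBMDirectoryServerLDAP" realm="SampleLdapIDSRealm"
      host="host.domain.com" port="389" ignoreCase="true"
      baseDN="o=domain,c=us" bindDN="cn=root"
      bindPassword="{xor}EXAMPLEPLACEHOLDER"
      ldapType="IBM Tivoli Directory Server">
    <idsFilters
        userFilter="(&amp;(uid=%v)(objectclass=ePerson))"
        groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))"
        userIdMap="*:uid" groupIdMap="*:cn"
        groupMemberIdMap="ibm-allGroups:member;ibm-allGroups:uniqueMember;groupOfNames:member;groupOfUniqueNames:uniqueMember" />
  </ldapRegistry>
</server>"""

# server.xml before step 7 (database registry still active) and after it.
SERVER_XML_BEFORE = """<server description="Unity">
  <include optional="true" location="${server.config.dir}/unityUserRegistry.xml"/>
</server>"""

SERVER_XML_AFTER = """<server description="Unity">
  <!-- <include optional="true" location="${server.config.dir}/unityUserRegistry.xml"/> -->
  <include optional="true" location="${server.config.dir}/ldapRegistry.xml"/>
</server>"""

if __name__ == "__main__":
    for label, text in (("AD registry", AD_REGISTRY), ("IDS registry", IDS_REGISTRY)):
        print(label, check_ldap_registry(text) or "OK")
    for label, text in (("server.xml before", SERVER_XML_BEFORE), ("server.xml after", SERVER_XML_AFTER)):
        print(label, check_server_xml(text) or "OK")
```

Run it against the real files by reading them from <HOME>/IBM/LogAnalysis/wlp/usr/servers/Unity instead of the inline samples; an empty list from both functions means the registry switch is complete and no clear-text bind password remains on disk.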

What to do next

After you configure the LDAP user registry, you must update the unityadmin password in the IBM Operations Analytics - Log Analysis configuration files. For more information, see Updating passwords in the configuration files.
