To configure LDAP authentication manually, you can either configure the settings
in your own XML file or modify the ldapRegistry.xml file that the
ldapRegistryHelper.sh command outputs to meet your requirements.
About this task
The following procedure describes the steps that are automated
by the ldapRegistryHelper.sh command. Read this procedure
to help you understand the necessary steps for configuring LDAP authentication.
For more information, see Configuring an LDAP user registry with the Liberty
profile.
Procedure
- Manually create an LDAP configuration file that is named ldapRegistry.xml and
save it in the <HOME>/IBM/LogAnalysis/wlp/usr/servers/Unity directory
or modify the ldapRegistry.xml that is output
by the ldapRegistryHelper.sh command.
- Update the ldapRegistry.xml with the
appropriate configuration information:
- For IBM® Tivoli® Directory Server,
add the text:
<ldapRegistry id="IBMDirectoryServerLDAP" realm="SampleLdapIDSRealm"
    host="host.domain.com" port="389" ignoreCase="true"
    baseDN="o=domain,c=us"
    bindDN="cn=root"
    bindPassword="password"
    ldapType="IBM Tivoli Directory Server">
    <idsFilters
        userFilter="(&amp;(uid=%v)(objectclass=ePerson))"
        groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))"
        userIdMap="*:uid"
        groupIdMap="*:cn"
        groupMemberIdMap="ibm-allGroups:member;ibm-allGroups:uniqueMember;groupOfNames:member;groupOfUniqueNames:uniqueMember" />
</ldapRegistry>
- For Microsoft Active Directory, add the text:
<ldapRegistry id="ActiveDirectoryLDAP" realm="SampleLdapADRealm"
    host="host.domain.com" port="389" ignoreCase="true"
    baseDN="cn=users,dc=domain,dc=com"
    bindDN="cn=myuser,cn=users,dc=domain,dc=com"
    bindPassword="password"
    ldapType="Microsoft Active Directory" />
- Update these attributes to reflect your LDAP server configuration:
- id
- realm
- host
- port
- baseDN
- bindDN
- AD users must run the securityUtility command in the
<HOME>/IBM/LogAnalysis/bin directory to encode the bindPassword value.
This step is optional for TDS users because they do not require the bindPassword value.
After you run the command, copy the encoded value that the command outputs
to the bindPassword property.
For more information about this command, see the unity_securityUtility.sh command topic.
- (Optional) If your implementation uses a Microsoft Active
Directory LDAP that uses different object classes to define users
and groups, update the userFilter and groupFilter attributes
as required.
- (Optional) If your implementation uses Microsoft Active
Directory, update the user and group mapping attributes as required
for your LDAP environment.
- Open the server.xml file in the <HOME>/IBM/LogAnalysis/wlp/usr/servers/Unity directory
and add these lines:
- Only one type of user registry can be configured for authentication,
therefore you must disable the database-managed custom user registry
to enable LDAP. Comment out the following lines in the server.xml file
that reference the database-managed custom user registry:
<!-- Include the basic registry predefined with default users and groups -->
<!--
<include optional="true" location="${server.config.dir}/unityUserRegistry.xml"/>
-->
If you do not remove this reference, an error message
is displayed.
- Add an include tag to replace the reference to the custom user
registry with a reference to the ldapRegistry.xml file.
For example:
<!-- Include the LDAP registry for users and groups -->
<include optional="true" location="${server.config.dir}/ldapRegistry.xml"/>
- If the UnityAdmins or UnityUsers groups
are not in your LDAP server, you can map other groups in the LDAP
registry to security roles in IBM Operations Analytics - Log Analysis.
To map groups to security roles, edit the <HOME>/IBM/LogAnalysis/wlp/usr/servers/Unity/unityConfig.xml file. For example:
<security-role name="UnityUser">
    <group name="UnityUsers" />
    <group name="UnityAdmins" />
    <group name="TestLANonAdmin"/>
    <group name="TestLAAdmin"/>
</security-role>
<security-role name="UnityAdmin">
    <group name="UnityAdmins" />
    <group name="TestLAAdmin"/>
</security-role>
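Before you start the server, the files edited in the steps above can be sanity-checked offline: that ldapRegistry.xml is well-formed (a bare & in a filter breaks it), that an Active Directory bindPassword was actually encoded, and that only the LDAP registry include is still active in server.xml. The following Python script is an added example, not part of the IBM documentation or the Log Analysis product; it assumes that Liberty configuration files use a <server> root element and that securityUtility writes a {xor} or {aes} prefix, and the XML samples in it are constructed.

```python
import xml.etree.ElementTree as ET

# Prefixes that "securityUtility encode" writes (assumed: {xor} by default, {aes} with AES encoding).
ENCODED_PREFIXES = ("{xor}", "{aes}")
# The attributes the procedure says must be updated for your own LDAP server.
REQUIRED_ATTRS = ("id", "realm", "host", "port", "baseDN", "bindDN")

def check_ldap_registry(xml_text):
    """Return findings for an ldapRegistry.xml document; an empty list means clean."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as err:
        # Usual cause: a bare '&' inside userFilter/groupFilter, which must be written '&amp;'.
        return ["ldapRegistry.xml is not well-formed XML: %s" % err]
    findings = []
    for reg in root.iter("ldapRegistry"):
        rid = reg.get("id", "<no id>")
        findings += ["%s: missing attribute %s" % (rid, a) for a in REQUIRED_ATTRS if not reg.get(a)]
        pw = reg.get("bindPassword", "")
        if pw and not pw.startswith(ENCODED_PREFIXES):
            # Encoding is mandatory for Active Directory in the procedure; warn for other types.
            level = "ERROR" if reg.get("ldapType") == "Microsoft Active Directory" else "WARN"
            findings.append("%s: %s plaintext bindPassword; encode it with securityUtility" % (rid, level))
    return findings

def check_server_xml(xml_text):
    """Only one registry may be active; commented-out <include> tags disappear when parsed."""
    locs = [inc.get("location", "") for inc in ET.fromstring(xml_text).iter("include")]
    findings = []
    if any(loc.endswith("unityUserRegistry.xml") for loc in locs):
        findings.append("server.xml: database-managed registry include is still active")
    if not any(loc.endswith("ldapRegistry.xml") for loc in locs):
        findings.append("server.xml: ldapRegistry.xml is not included")
    return findings

# Constructed samples in the shape this page shows (assumed <server> root as in Liberty config files).
AD_PLAINTEXT = """<server><ldapRegistry id="ActiveDirectoryLDAP" realm="SampleLdapADRealm"
  host="host.domain.com" port="389" baseDN="cn=users,dc=domain,dc=com"
  bindDN="cn=myuser,cn=users,dc=domain,dc=com" bindPassword="password"
  ldapType="Microsoft Active Directory" /></server>"""
AD_ENCODED = AD_PLAINTEXT.replace('bindPassword="password"',
                                  'bindPassword="{xor}EncodedValueFromSecurityUtility"')
IDS_BAD_AMP = """<server><ldapRegistry id="IBMDirectoryServerLDAP" realm="SampleLdapIDSRealm"
  host="host.domain.com" port="389" baseDN="o=domain,c=us" bindDN="cn=root" ldapType="IBM Tivoli Directory Server">
  <idsFilters userFilter="(&(uid=%v)(objectclass=ePerson))" /></ldapRegistry></server>"""
SERVER_BOTH_ACTIVE = """<server>
  <include optional="true" location="${server.config.dir}/unityUserRegistry.xml"/>
  <include optional="true" location="${server.config.dir}/ldapRegistry.xml"/></server>"""
# Same file with the database-managed registry include commented out, as the procedure requires.
SERVER_LDAP_ONLY = SERVER_BOTH_ACTIVE.replace("<include", "<!-- <include", 1).replace('"/>', '"/> -->', 1)
```

To check the real files, pass the contents of ldapRegistry.xml and server.xml from the <HOME>/IBM/LogAnalysis/wlp/usr/servers/Unity directory to the two functions and act on any findings before you start the server.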
- To start the IBM Operations Analytics -
Log Analysis server, use the following command:
<HOME>/IBM/LogAnalysis/utilities/unity.sh -start
- To add LDAP users to IBM Operations Analytics - Log Analysis,
log in as unityadmin.
Note: You can delete the LDAP user registered with IBM Operations Analytics - Log Analysis but
you cannot edit or delete the actual LDAP users.
- To add roles and permissions to LDAP users,
open the IBM Operations Analytics - Log Analysis UI and click Administrative
Settings. For more information about adding roles and
permissions, see the Adding users to roles and Adding
permissions to roles topics in the Users and roles section
of the Configuring guide.
- Users who are deleted from the LDAP registry
must be removed from IBM Operations Analytics - Log Analysis by
the unityadmin user to prevent storage of obsolete
information in the IBM Operations Analytics - Log Analysis Derby
database.
What to do next
After you configure the LDAP user registry, you must update
the unityadmin password in the IBM Operations Analytics - Log Analysis configuration
files. For more information, see Updating passwords in the configuration files.