Rational® Asset Manager can integrate with
Lightweight Directory Access Protocol (LDAP) repositories to perform
user authentication, retrieve user information, and leverage group
bindings.
Before you begin
You must have repository administrator permission to perform
these steps. You must also be familiar with the LDAP schema of
the registry to use.
Procedure
- Log in to the Rational Asset Manager web
application.
- Open the Administration page.
- Under Repository Administration, click Configuration.
- In the Custom User Registry section, select the "Use a
Custom User Registry" box.
- If you plan to use a custom class for integrating with
a custom user registry, provide the fully qualified class path; otherwise,
use the default class.
- Enter the login ID of a user who will have administrator
permission to access Rational Asset Manager. (If
you do not set up a valid administrator, you will not be able to log
in to the Rational Asset Manager web application as
an administrator and will not be able to configure it.)
- Click Configure.
- On the Custom User Class Configuration page, complete the
form to configure the relationship between Rational Asset
Manager and the LDAP registry schema. If you leave a text field blank,
it will revert to the default value. If you want a value to be null,
enter a space (" ").
- LDAP Server's URL: The URL
to the LDAP server; for example, ldap://<url>:389.
For secure communication, use ldaps://<url>:636.
- User's Distinguished Name:
A user name to use to log in to the registry in order to gain access.
Enter the distinguished name of the user, for example, uid=123456,c=us,ou=exampleorganization,o=example.com.
- The password for the user: The
password for the user above.
- A unique ID property for the user:
The property name of the objectClass instance
for the user that represents the unique ID. For example: (objectClass) person's serialNumber property,
or the (objectClass) user's sAMAccountName
property.
- User's Login ID property: The
(objectClass) property that a user uses to log in. Even though it
is common for the unique ID and login ID to be the same, it is possible
that the registry may be set so that a user logs in using another
ID (for example, using an email address). Note that the Login ID property
must be the same as the user's login ID, in Step 6.
- User's Phone Number property:
The (objectClass) property that represents the telephone number of
the user. For example: (objectClass) person's telephonenumber property.
- User's Email property: The (objectClass)'s
property representing the email address of the user. For example:
(objectClass) person's mail property.
- User's display name property:
The (objectClass) property representing the name for the user to display
in the interface. For example: (objectClass) person's cn property.
- Locale property: The (objectClass)
property representing the email language setting of the user. For
example: (objectClass) person's language property. If you leave the field blank, it reverts to the default value
and users can manage their email language setting from . If you set the field, the LDAP language value is used.
If the value is a language that is supported in Rational Asset Manager
(such as de, ko, ja, zh_TW, zh_CN, es, pt_BR, en, fr,
and ru), the user profiles are set with that
language preference. If the value is not valid or does not exist in
LDAP, en (English) is used by default.
- User's user class property: The
(objectClass) property to use when determining if a user is in a particular
user class. If this field is left empty, users are not separated into
classes. Type any property that is available in the LDAP repository.
Type DN to use the LDAP distinguished name
to classify users.
- LDAP User base searching: To
avoid searching parts of the registry that do not contain user objects,
enter the value of the path of the root from where to start the search.
For example, ou=exampleorganization,o=example.com.
- User search filter: The template
to use when searching for a user. The %v represents the search term
that was entered from an input text field. The search will perform
as if a wild card is appended to the search term. The default search
template is constructed to find all person objectClasses
where either the mail property or the name property
is the same as the search term.
- LDAP Group base search: Similar
to a base search, this is the base search for searching groups. For
example, ou=memberlist,ou=groups,o=example.com.
- Group search filter: Similar
to the user search filter, this is the filter for searching groups.
The default searches the following object classes for the search term
entered by the user: groupOfUniqueNames (static
group), groupOfNames (static LDAP group), groupOfUrls (dynamic
LDAP group), and group (Active Directory defined group).
- Image URL template: It is common
to store images somewhere other than an LDAP registry. You can retrieve
a user's image using a URL by configuring this template to retrieve
the image at the same time as the user information in the registry.
In the template, ${property} represents a LDAP
objectClass property of the user object that is going to be replaced
when the image is retrieved. For example, for a user with a uid property=123456,
the default template https://<ImageServer url>/photo/${uid}.jpg results
in the URL https://<ImageServer URL>/photo/123456.jpg.
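The following Python is an added example, not code from this page or from Rational Asset Manager itself. It shows how the two template substitutions described above behave: the %v placeholder in the user search filter (with the trailing wildcard the search appends) and the ${property} placeholder in the image URL template. Because the search term comes from an input text field and the image URL is built from registry data, each substituted value is escaped for its context (RFC 4515 for the filter, percent-encoding for the URL path) so it can only match or address the literal value. The template strings, the attribute dictionary and the function names are constructed stand-ins; the page does not quote the product's default filter, so USER_SEARCH_FILTER is an assumption.

```python
import re
from urllib.parse import quote, urlsplit

# Constructed stand-ins for the configured templates (assumption: the page
# describes the defaults in prose but does not quote them verbatim).
USER_SEARCH_FILTER = "(&(objectClass=person)(|(mail=%v)(cn=%v)))"
IMAGE_URL_TEMPLATE = "https://images.example.com/photo/${uid}.jpg"

# RFC 4515 escape table for characters that are special inside a filter value.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a search term so it is matched as a literal attribute value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(template: str, term: str) -> str:
    """Expand every %v in the template with the escaped term.

    The page states the search behaves as if a wildcard were appended to the
    term, so the single intentional '*' is added here, after escaping, and any
    '*' typed by the user stays a literal asterisk.
    """
    return template.replace("%v", escape_filter_value(term) + "*")


_PLACEHOLDER = re.compile(r"\$\{(\w+)\}")


def build_image_url(template: str, user_attrs: dict) -> str:
    """Replace each ${property} with the percent-encoded LDAP attribute value.

    Encoding with safe="" keeps path separators and other reserved characters
    from altering the URL structure if an attribute holds unexpected data.
    """
    def substitute(match: re.Match) -> str:
        name = match.group(1)
        if name not in user_attrs:
            raise KeyError(f"user object has no {name!r} attribute")
        return quote(str(user_attrs[name]), safe="")

    return _PLACEHOLDER.sub(substitute, template)


def server_url_is_tls(ldap_url: str) -> bool:
    """True when the LDAP Server's URL uses ldaps://, i.e. the bind DN's
    password and directory traffic are protected by TLS (the page lists
    ldaps://<url>:636 as the secure form)."""
    return urlsplit(ldap_url).scheme.lower() == "ldaps"


if __name__ == "__main__":
    # Constructed sample values, not data from the original page.
    print(build_user_filter(USER_SEARCH_FILTER, "alice"))
    print(build_user_filter(USER_SEARCH_FILTER, "*)(uid=*"))
    print(build_image_url(IMAGE_URL_TEMPLATE, {"uid": "123456"}))
    print(server_url_is_tls("ldaps://ldap.example.com:636"))
```

Run stand-alone, the first call yields a filter that matches mail or cn values beginning with "alice"; the second shows that filter metacharacters in a typed term are neutralized rather than becoming part of the filter structure; the third reproduces the 123456.jpg URL the page uses as its example.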
Results
The Rational Asset Manager web application is
now properly configured to use LDAP for user authentication and user
information retrieval. Community administrators can now bind user
groups to groups in the LDAP registry on the User Groups page for
their community. If you want to authenticate users by using LDAP,
you must configure it from the WebSphere® Application
Server administrative console.
Note: If you are using LDAP authentication
and a single LDAP hostname is mapped to multiple IP addresses in your
network configuration, then you must use the WebSphere Application
Server administrative console to apply the appropriate configuration
property to prevent possible LDAP user account lockouts if users log
in to Rational Asset Manager with invalid credentials.
An invalid
login causes the server to validate the user with each IP address
and thus causes multiple login failures. If you have set a maximum
number of login attempts, one invalid logon could cause an LDAP account
lockout. To prevent this issue from occurring, follow the steps described
here: http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg1PK42672