Configuring for LDAP integration

Rational® Asset Manager can integrate with Lightweight Directory Access Protocol (LDAP) repositories to perform user authentication, retrieve user information, and use group bindings.

Before you begin

You must have repository administrator permission to perform these steps. You must also be familiar with the LDAP schema of the registry to use.

Procedure

  1. Log in to the Rational Asset Manager web application.
  2. Open the Administration page.
  3. Under Repository Administration, click Configuration.
  4. In the Custom User Registry section, select the "Use a Custom User Registry" box.
  5. If you plan to use a custom class for integrating with a custom user registry, provide the fully qualified class path; otherwise, use the default class.
  6. Enter the login ID of a user who will have administrator permission to access Rational Asset Manager. (If you do not set up a valid administrator, you will not be able to log in to the Rational Asset Manager web application as an administrator and will not be able to configure it.)
  7. Click Configure.
  8. On the Custom User Class Configuration page, complete the form to configure the relationship between Rational Asset Manager and the LDAP registry schema. If you leave a text field blank, it will revert to the default value. If you want a value to be null, enter a space (" ").
    1. LDAP Server's URL: The URL to the LDAP server; for example, ldap://<url>:389. For secure communication, use ldaps://<url>:636.
    2. User's Distinguished Name: A user name to use to log in to the registry in order to gain access. Enter the distinguished name of the user, for example, uid=123456,c=us,ou=exampleorganization,o=example.com.
    3. The password for the user: The password for the user above.
    4. A unique ID property for the user: The property name of the objectClass instance for the user that represents the unique ID. For example: (objectClass) person's serialNumber property, or the (objectClass) user's sAMAccountName property.
    5. User's Login ID property: The (objectClass) property that a user uses to log in. Even though it is common for the unique ID and login ID to be the same, it is possible that the registry may be set so that a user logs in using another ID (for example, using an email address). Note that the Login ID property must be the same as the user's login ID, in Step 6.
    6. User's Phone Number property: The (objectClass) property that represents the telephone number of the user. For example: (objectClass) person's telephonenumber property.
    7. User's Email property: The (objectClass)'s property representing the email address of the user. For example: (objectClass) person's mail property.
    8. User's display name property: The (objectClass) property representing the name for the user to display in the interface. For example: (objectClass) person's cn property.
    9. Locale property: The (objectClass) property representing the email language setting of the user. For example: (objectClass) person's language property. If you leave the field blank, it reverts to the default value and users can manage their email language setting from MyDashboard > Edit. If you set the field, the LDAP language value is used. If the value is a language that is supported in Rational Asset Manager (such as de, ko, ja, zh_TW, zh_CN, es, pt_BR, en, fr, and ru), the user profiles are set with that language preference. If the value is not valid or does not exist in LDAP, en (English) is used by default.
    10. User's user class property: The (objectClass) property to use when determining if a user is in a particular user class. If this field is left empty, users are not separated into classes. Type any property that is available in the LDAP repository. Type DN to use the LDAP distinguished name to classify users.
    11. LDAP User base searching: To avoid searching parts of the registry that do not contain user objects, enter the value of the path of the root from where to start the search. For example, ou=exampleorganization,o=example.com.
    12. User search filter: The template to use when searching for a user. The %v represents the search term that was entered in an input text field. The search performs as if a wildcard is appended to the search term. The default search template is constructed to find all person objectClasses where either the mail property or the name property is the same as the search term.
    13. LDAP Group base search: Similar to a base search, this is the base search for searching groups. For example, ou=memberlist,ou=groups,o=example.com.
    14. Group search filter: Similar to the user search filter, this is the filter for searching groups. The default searches any of groupOfUniqueNames (static group), groupOfNames (static LDAP group), groupOfUrls (dynamic LDAP group), and group (Active Directory defined group) for the search term entered by the user.
    15. Image URL template: It is common to store images somewhere other than an LDAP registry. You can retrieve a user's image using a URL by configuring this template to retrieve the image at the same time as the user information in the registry. In the template, ${property} represents a LDAP objectClass property of the user object that is going to be replaced when the image is retrieved. For example, for a user with a uid property=123456, the default template https://<ImageServer url>/photo/${uid}.jpg results in the URL https://<ImageServer URL>/photo/123456.jpg.
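As an added illustration of how the User search filter (%v) and Image URL template (${property}) fields described above behave, the following Python is example code written for this page; it is not Rational Asset Manager's own code, and the filter template, image server host and attribute values are constructed assumptions. It escapes the typed search term per RFC 4515 before substitution (the check a defender wants, so that a search term cannot change the structure of the filter), appends the trailing wildcard the page describes, and URL-encodes attribute values before placing them in the image URL.

```python
import re
from typing import Mapping
from urllib.parse import quote

# Constructed example templates modelled on the two fields described above.
# These are assumptions for this example, not the product's actual defaults.
USER_SEARCH_FILTER = "(&(objectClass=person)(|(mail=%v)(cn=%v)))"
IMAGE_URL_TEMPLATE = "https://images.example.com/photo/${uid}.jpg"

# Characters that have structural meaning inside an LDAP search filter
# and their RFC 4515 escape sequences.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied search term so the server treats it as literal text."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_user_search_filter(template: str, search_term: str) -> str:
    """Replace every %v in the template with the escaped term plus a trailing wildcard.

    The wildcard is appended after escaping, so it is the only '*' the
    filter contains regardless of what the user typed.
    """
    escaped = escape_filter_value(search_term) + "*"
    return template.replace("%v", escaped)


# Matches ${property} references; property names are restricted to a safe charset.
_PROPERTY_REF = re.compile(r"\$\{([A-Za-z][A-Za-z0-9]*)\}")


def render_image_url(template: str, user_attrs: Mapping[str, str]) -> str:
    """Replace each ${property} with the user's LDAP attribute value, URL-encoded.

    Raises KeyError when the user object lacks a referenced attribute, rather
    than silently producing a URL with an empty path segment.
    """

    def _substitute(match: re.Match) -> str:
        name = match.group(1)
        if name not in user_attrs:
            raise KeyError(f"user object has no attribute {name!r}")
        return quote(user_attrs[name], safe="")

    return _PROPERTY_REF.sub(_substitute, template)


if __name__ == "__main__":
    # Constructed sample input: a plain term and one containing filter metacharacters.
    for term in ("alice", "*)(objectClass="):
        print(render_user_search_filter(USER_SEARCH_FILTER, term))
    print(render_image_url(IMAGE_URL_TEMPLATE, {"uid": "123456"}))
```

The second sample term shows why the escape step matters: without it, the parentheses and asterisk typed into the search box would become part of the filter's structure instead of part of the value being matched.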

Results

The Rational Asset Manager web application is now properly configured to use LDAP for user authentication and user information retrieval. Community administrators can now bind user groups to groups in the LDAP registry on the User Groups page for their community. If you want to authenticate users by using LDAP, you must configure it from the WebSphere® Application Server administrative console.
Note: If you are using LDAP authentication and a single LDAP hostname is mapped to multiple IP addresses in your network configuration, then you must use the WebSphere Application Server administrative console to apply the appropriate configuration property to prevent possible LDAP user account lockouts if users log in to Rational Asset Manager with invalid credentials.

An invalid login causes the server to validate the user against each IP address and thus causes multiple login failures. If you have set a maximum number of login attempts, one invalid login could cause an LDAP account lockout. To prevent this issue from occurring, follow the steps described here: http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg1PK42672
