Configuring Cognos-based Tivoli Common Reporting engine with Active Directory
Configure the reporting engine to use the same user repository as the user interface. This procedure is recommended for large user repositories.
About this task
Important: When you configure the user repository, the reporting portlet can no longer be used by users not contained in the configured user repository.
Procedure
- Open IBM® Cognos® Configuration by running:
- On Windows: Start > All Programs > Tivoli Common Reporting 3.1 > IBM Cognos Configuration
- On non-Windows operating systems: c10_location/bin64/tcr_cogconfig.sh
- In the Explorer navigation on the left, go to Security, and right-click the Authentication section.
- Select New resource > Namespace....
- If you are using a Windows operating system:
- Enter a name, select Active Directory as the Type, and click OK. The new user registry is displayed in the Explorer window, under the Authentication component.
- Select the entry that you created, go to the Properties window, and in the NamespaceID field, specify a unique identifier for the namespace. Tip: Do not use colons (:) in the Namespace ID property.
- Specify the Host and port. The host and port values must point to the Active Directory domain controller host.
- Specify the Binding credentials.
- If you are using a non-Windows operating system:
- Enter a name, select LDAP as the Type, and click OK. The new user registry is displayed in the Explorer window, under the Authentication component.
- Select the entry that you created, go to the Properties window, and in the NamespaceID field, specify a unique identifier for the namespace. Tip: Do not use colons (:) in the Namespace ID property.
- Specify the values for all other required properties to ensure that IBM Cognos components can locate and use your existing authentication provider. The following settings are examples:
- For User lookup, specify (sAMAccountName=${userID}).
- If you use single sign-on, set the Use external identity value to True and specify (sAMAccountName=${environment("REMOTE_USER")}) for External identity mapping. To remove the domain name from the REMOTE_USER variable, specify (sAMAccountName=${replace(${environment("REMOTE_USER")}, "domain\\","")}).
- Enter user@domain for Bind user DN and password.
- Specify objectGUID for Unique identifier.
- If you want the LDAP authentication provider to bind to the directory server using a specific Bind user DN and password when performing searches, then specify these values. If no values are specified, the LDAP authentication provider binds as anonymous.
- If you do not use external identity mapping, use bind credentials for searching the LDAP directory server:
- Ensure that Use external identity is set to False.
- Set Use bind credentials for search to True.
- Specify the user ID and password for Bind user DN and password.
- To configure the LDAP advanced mapping properties for use with the Active Directory Server objects, use the values specified in the list:
- LDAP properties and LDAP values for folder mappings:
- Object class - organizationalUnit, organization, container
- Description - description
- Name - ou, o, cn
- LDAP properties and LDAP values for group mappings:
- Object class - group
- Description - description
- Member - member
- Name - cn
- LDAP properties and LDAP values for account mappings:
- Object class - user
- Business phone - telephonenumber
- Content locale - Leave this field blank
- Description - description
- Fax/Phone - facsimiletelephonenumber
- Given name - givenname
- Home phone - hometelephonenumber
- Mobile phone - mobiletelephonenumber
- Password - unicodePassword
- Postal address - postaladdress
- Product locale - Leave this field blank
- Surname - surname
- User name - sAMAccountName
Note: LDAP attributes that are mapped to the Name property in Folder mappings, Group mappings, and Account mappings must be accessible to all authenticated users. In addition, the Name property must not be blank.
- From the File menu, click Save.
- If you are using a Windows operating system:
- Go to the Explorer window, right-click the new authentication resource under Authentication, and click Test to test the connection to a new namespace.
- Select the Cognos entry and change the Allow anonymous access? field to False.
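
Added example (not part of the IBM procedure or product code): a small Python check that applies the rules and example settings from the steps above to a set of planned LDAP namespace values before you type them into IBM Cognos Configuration. The dictionary layout, the "Bind password" key, and the function names are assumptions made for illustration, and the sample values are constructed.

```python
# Added example: lint planned LDAP namespace values against this procedure.
# The dict layout is an assumption; keys are property labels, not a Cognos file format.

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)

def expand_user_lookup(template, user_id):
    """Build the filter to try in your own LDAP client for one user ID."""
    return template.replace("${userID}", escape_filter_value(user_id))

def lint_namespace(cfg):
    """Return a list of findings; an empty list means no rule was violated."""
    findings = []
    ns_id = cfg.get("NamespaceID", "").strip()
    if not ns_id:
        findings.append("NamespaceID is blank")
    elif ":" in ns_id:
        findings.append("NamespaceID contains a colon")
    if cfg.get("Use external identity", False):
        if "REMOTE_USER" not in cfg.get("External identity mapping", ""):
            findings.append("External identity mapping does not reference REMOTE_USER")
    else:
        if "${userID}" not in cfg.get("User lookup", ""):
            findings.append("User lookup does not reference ${userID}")
        if not cfg.get("Use bind credentials for search", False):
            findings.append("Use bind credentials for search is not True")
    if not (cfg.get("Bind user DN") and cfg.get("Bind password")):
        findings.append("No bind credentials: searches bind as anonymous")
    if cfg.get("Unique identifier") != "objectGUID":
        findings.append("Unique identifier is not objectGUID")
    return findings

# Constructed sample values (not from a real deployment).
SAMPLE = {
    "NamespaceID": "AD:corp",
    "Use external identity": False,
    "User lookup": "(sAMAccountName=${userID})",
    "Use bind credentials for search": False,
    "Bind user DN": "",
    "Bind password": "",
    "Unique identifier": "objectGUID",
}

if __name__ == "__main__":
    for finding in lint_namespace(SAMPLE):
        print("FINDING:", finding)
    print(expand_user_lookup(SAMPLE["User lookup"], "j*smith"))
```

The expand_user_lookup helper only prepares a filter for checking the directory with a separate LDAP client; it makes no statement about how Cognos itself expands ${userID}.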