8/10/2019 0222 ILM LDAP Installation 5.3.2 HF2
2010-2011 Informatica Corporation
Installing the LDAP Plug-in for ILM Products (Version 5.3.2 HotFix 2 to 5.3.4)
Abstract
This article explains how to install a plug-in that authenticates LDAP users for the ILM products.
Supported Versions: ILM Products 5.3.2 HotFix 2 - 5.3.4
Table of Contents
Overview (page 2)
LDAP Authentication Setup (page 2)
Usage (page 4)
Upgrade from Previous ILM Versions (page 5)
Current Limitations (page 5)
Overview
These instructions are for customers who want to authenticate users outside of the ILM application. No corporate passwords are stored in the ILM databases. Currently the following LDAP products are supported:
Sun LDAP
Active Directory
LDAP Authentication Setup
1. Shut down the ILM product.
2. Modify the conf.properties file as follows:
authenticationMethod=LDAP
The following properties are used by the "Sync with LDAP Server" service and map LDAP attributes to columns in the AM_USERS table:
LDAP attribute name that maps to the ILM user name (AM_USERS.USER_NAME):
ldap.attribute.userName
LDAP attribute name that maps to the ILM full user name (AM_USERS.FULL_NAME):
ldap.attribute.fullName
LDAP attribute name that maps to the email address (AM_USERS.EMAIL_ADDRESS):
ldap.attribute.email
LDAP attribute name that maps to the organization name (AM_USERS.ORGANIZATION_NAME):
ldap.attribute.organizationName
If these properties are not set in conf.properties they default to the following values:

Property Name                    Sun LDAP   Active Directory
ldap.attribute.userName          uid        sAMAccountName
ldap.attribute.fullName          uid        displayName
ldap.attribute.email             mail       mail
ldap.attribute.organizationName  (none)     (none)

If ldap.attribute.organizationName is not set, the user's Organization Name is set to "LDAP User".
3. Start the ILM application.
Note: Once LDAP authentication has been enabled and the ILM application restarted, the only local user still available is AMADMIN.
Once the installation steps above have been completed, you can verify that the installation was successful by completing the following steps:
1. After logging in as AMADMIN, go to the Jobs > Schedule a Job menu.
2. Select the Standalone Programs option. Then click the Add Item button. In the pop-up box, scroll down and choose the Sync with LDAP Server program.
3. Once the program is selected, click the button next to the LDAP System label at the bottom of the definition. If everything was installed correctly, the LDAP System list of values is displayed.
Usage
Once verification of the installation has been successful, the AMADMIN user needs to submit the Sync with LDAP Server standalone program, which synchronizes the ILM users with LDAP. The Sync with LDAP Server program parameters (required parameters are in bold) are as follows:
Host of LDAP server: ldap.mycompany.com
This entry is the IP address or the DNS name of the machine that hosts your LDAP server.
LDAP port: 389
This entry is the port on which your LDAP server listens.
User: [email protected]
The user is any account that is authorized to log in to the LDAP server and perform basic searches.
Password
The password for the user given in the User parameter above.
Search Base: OU=MYTEAM,OU=USA,DC=mycompany,DC=com
The search base is the entry in the LDAP tree at which the search starts before the filter is applied.
User Filter: (objecttype=EMPLOYEE)
The user filter is a simple or complex combination of conditions that determines which users are selected.
Note: This version of the definition does not follow sub-entries. Only users directly under the Search Base are filtered.
Group Base: OU=GROUPS,DC=mycompany,DC=com
Optionally, this entry sets the base entry in the LDAP tree from which the group(s) are selected that further filter the users returned by the User Filter.
Group Filter: CN=MYGROUP
Optionally, this entry determines which groups are selected. After the User Filter has returned its result set to the application, those users are compared with the members of the selected group(s). Only users that match are then added into ILM.
LDAP System: LOV
Allows the user to select which LDAP product they have implemented.
Once the job is scheduled it executes immediately, based on the values provided for the attributes above. The definition operates in the following order:
1. Log in to the LDAP server and execute the filter based on the values placed in Search Base and User Filter.
2. If the Group Base and Group Filter attributes are defined, the definition retrieves the requested group(s) and uses them to filter the users returned by the User Filter. If not, this step is skipped.
3. Once all the users from the LDAP server have been determined, the job creates entries for new users or updates entries for existing users. Users are given a very basic role (Platform - Users) that allows them to log in but grants no other rights. The administrator has to set up the newly added LDAP users with application-specific roles.
4. Entries are also added to a new table (AM_USER_LDAP). These entries allow users from many different OUs (Organizational Units) to be added into the application. When a user logs in, their correct LDAP context is retrieved and used in the authentication process with the LDAP server.
5. The connection is closed and the job finishes.
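The order of operations above, modelled in pure Python over a constructed in-memory directory (an added example, not Informatica's code). It assumes the simple (attr=value) equality filter form used on this page, a one-level search under the base per the Note, and the default attribute mappings from the table in LDAP Authentication Setup; the group step is implemented as the page describes it, even though Current Limitations says group filtering does not yet work in this version.

```python
# Added example, not Informatica's code: a pure-Python model of the order of operations the
# "Sync with LDAP Server" program follows, run over a constructed in-memory directory.
DEFAULTS = {"Sun LDAP": {"userName": "uid", "fullName": "uid", "email": "mail"},
            "Active Directory": {"userName": "sAMAccountName", "fullName": "displayName", "email": "mail"}}

def attr(entry, name):  # case-insensitive lookup: LDAP attribute names are not case sensitive
    return next((list(v) for k, v in entry["attrs"].items() if k.lower() == name.lower()), [])

def matches(entry, ldap_filter):  # supports the simple (attr=value) equality filter shown on the page
    name, value = ldap_filter.strip("()").split("=", 1)
    return value in attr(entry, name)

def one_level(directory, base):  # per the Note: sub-entries are not followed, only direct children
    return [e for e in directory if e["dn"].split(",", 1)[1].lower() == base.lower()]

def sync_with_ldap(directory, ldap_system, search_base, user_filter,
                   group_base=None, group_filter=None, conf=None):
    """Return the (AM_USERS, AM_USER_LDAP) rows one sync run would produce."""
    mapping = dict(DEFAULTS[ldap_system])
    for key, value in (conf or {}).items():       # conf.properties ldap.attribute.* overrides
        mapping[key.rsplit(".", 1)[-1]] = value
    users = [e for e in one_level(directory, search_base) if matches(e, user_filter)]  # step 1
    if group_base and group_filter:               # step 2: keep only members of the matched groups
        members = {m.lower() for g in one_level(directory, group_base)
                   if matches(g, group_filter) for m in attr(g, "member")}
        users = [u for u in users if u["dn"].lower() in members]
    am_users, am_user_ldap = [], []
    for u in users:                               # steps 3-4: map attributes, record LDAP context
        org_attr = mapping.get("organizationName")
        org = (attr(u, org_attr) or ["LDAP User"])[0] if org_attr else "LDAP User"
        am_users.append({"USER_NAME": attr(u, mapping["userName"])[0],
                         "FULL_NAME": attr(u, mapping["fullName"])[0],
                         "EMAIL_ADDRESS": (attr(u, mapping["email"]) or [""])[0],
                         "ORGANIZATION_NAME": org, "ROLE": "Platform - Users"})
        am_user_ldap.append({"USER_NAME": am_users[-1]["USER_NAME"], "LDAP_CONTEXT": u["dn"]})
    return am_users, am_user_ldap

# Constructed sample directory, not real data: one matching employee, one employee in a sub-OU
# (not found, because the search is one level only), one non-employee, and one group.
DIRECTORY = [
    {"dn": "CN=Alice,OU=MYTEAM,OU=USA,DC=mycompany,DC=com", "attrs": {
        "sAMAccountName": ["alice"], "displayName": ["Alice Example"], "objectType": ["EMPLOYEE"],
        "mail": ["alice@mycompany.com"], "department": ["Security"]}},
    {"dn": "CN=Bob,OU=SUBTEAM,OU=MYTEAM,OU=USA,DC=mycompany,DC=com", "attrs": {
        "sAMAccountName": ["bob"], "displayName": ["Bob Example"], "objectType": ["EMPLOYEE"]}},
    {"dn": "CN=Carol,OU=MYTEAM,OU=USA,DC=mycompany,DC=com", "attrs": {
        "sAMAccountName": ["carol"], "displayName": ["Carol Example"], "objectType": ["CONTRACTOR"]}},
    {"dn": "CN=MYGROUP,OU=GROUPS,DC=mycompany,DC=com", "attrs": {
        "cn": ["MYGROUP"], "member": ["CN=Alice,OU=MYTEAM,OU=USA,DC=mycompany,DC=com"]}},
]
```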
Upgrade from Previous ILM Versions
Customers upgrading to 5.3.2 HF2 from previous versions of ILM who are already using LDAP authentication must follow these steps:
1. Shut down the ILM web server.
2. Back up the ILM Home schema.
3. Modify the conf.properties file. See LDAP Authentication Setup on page 2.
4. Start the ILM server.
5. Resubmit the Sync with LDAP Server service.
Current Limitations
Group filtering does not currently work. The Group Base and Group Filter service attributes should be left blank.
Authors
Data Archive for Application Retirement Team