Configuring Microsoft ADAM

Transcription

1 Proven Practice Configuring Microsoft ADAM Product(s): IBM Cognos Series 7 Area of Interest: Security

2 Configuring Microsoft ADAM 2 Copyright Copyright 2008 Cognos ULC (formerly Cognos Incorporated). Cognos ULC is an IBM Company. While every attempt has been made to ensure that the information in this document is accurate and complete, some typographical errors or technical inaccuracies may exist. Cognos does not accept responsibility for any kind of loss resulting from the use of information contained in this document. This document shows the publication date. The information contained in this document is subject to change without notice. Any improvements or changes to the information contained in this document will be documented in subsequent editions. This document contains proprietary information of Cognos. All rights are reserved. No part of this document may be copied, photocopied, reproduced, stored in a retrieval system, transmitted in any form or by any means, or translated into another language without the prior written consent of Cognos. Cognos and the Cognos logo are trademarks of Cognos ULC (formerly Cognos Incorporated) in the United States and/or other countries. IBM and the IBM logo are trademarks of International Business Machines Corporation in the United States, or other countries, or both. All other names are trademarks or registered trademarks of their respective companies. Information about Cognos products can be found at This document is maintained by the Best Practices, Product and Technology team. You can send comments, suggestions, and additions to cscogpp@ca.ibm.com.

3 Configuring Microsoft ADAM 3 Contents 1 INTRODUCTION PURPOSE APPLICABILITY CAVEATS MICROSOFT ADAM INSTALLING ADAM CONFIGURING ADAM Enabling Anonymous Binds Setting Administrator s Group EXTENDING THE SCHEMA CONFIGURATION MANAGER SCHEMA OBJECTS AND ATTRIBUTES...18

4 Configuring Microsoft ADAM 4 1 Introduction 1.1 Purpose This document provides a walkthrough of configuring Microsoft Active Directory Application Mode (ADAM) in a Windows 2003 environment for use with the IBM Cognos Series 7 products. Once the ADAM schema has been extended, the Cognos namespace can be created. 1.2 Applicability Product version is important when using this document. If the product version is not at least IBM Cognos Series 7 Version 3 MR2, the operation may fail. Any release prior to Series 7 V3 MR2 is unsupported with ADAM. 1.3 Caveats The document covers installing and configuring ADAM in a Windows 2003 environment. At the time of the creation of this document, Windows XP was not a supported platform and some additional steps may be required. 2 Microsoft ADAM 2.1 Installing ADAM Before the installation can begin, the install media must first be obtained. ADAM is a free download from the Microsoft site and can be found at this URL: When the install media has been downloaded, double click the adamsetup.exe executable to start the install process. Ensure that a new instance is selected when prompted during the Setup Options.

5 Configuring Microsoft ADAM 5 When prompted for an Instance Name select a name that will be easily identified. One of the suggested names is CognosADAM to ensure that the ADAM instance can easily be identified as the directory server instance for the IBM Cognos application(s).

6 Configuring Microsoft ADAM 6 Once the name has been selected, the next user input required is to identify which ports the application will run on. It is recommended to not use the standard LDAP port of 389, or SSL port of 636, due to possible conflicts with currently running directory servers, or any future directory server installations. For this document, ports and were used. The next step of the installation process is to create the partition that will store the application specific data. Make sure that the Yes, create an application directory partition radio button is selected. The base distinguished name (basedn) will have to be supplied as well. The format of the basedn is usually DC=domain,DC=com, but any values can be used. In addition to specifying the basedn, it is recommended to prefix the basedn with an Organization (O), or Organizational Unit (OU), that will contain the Cognos namespace. The installation detailed in this document uses, O=Cognos,DC=pro,DC=nhslsp, DC=net.

7 Configuring Microsoft ADAM 7 Specify the installation path to continue the install. The next step requires selecting which account will start the ADAM service. This could either be a local system account or a named domain account. Certain situations may require a named domain account, but for the purpose of this document, the local system account will be used.

8 Configuring Microsoft ADAM 8 The last stage in installing the ADAM application is to indicate which LDIF files will be imported and included in the starting schema for the ADAM instance. The only two that need to be selected are the MS-InetOrgPerson.LDF and MS-User.LDF LDIF files. As this is the last step, press the Next button and then the Finish button.

9 Configuring Microsoft ADAM Configuring ADAM After the successful installation of the ADAM application, certain configuration changes will need to be made in order to allow the Cognos application to connect to the directory server and extend the schema. The configuration changes will need to be made through the ADAM ADSI Edit interface which can be found at: Start -> All Programs -> ADAM -> ADAM ADSI Edit. With the ADAM ADSI Edit interface open, right-click on the ADAM ADSI Edit root and select Connect to This presents the Connection Settings dialog box, in which the distinguished name will have to be entered in order to connect to the node. Use the base distinguished name that was entered when the new instance was created in step 2.1. Supply the machine name and port number that used to run ADAM. Right click your Cognos application DN node, select New, and click Object

10 Configuring Microsoft ADAM 10

11 Configuring Microsoft ADAM 11 In the Create Object dialog box select the user object class. Press the Next button and then supply a value for the new user object. In this example cognosadmin was the value that was used. Once the new user object has been created, the password will need to be reset. Right click this new user and select Reset Password, in the reset password dialog set your new password, confirm the password, and then press the OK button.

12 Configuring Microsoft ADAM 12 Right click this new user and select Properties, select msds- UserAccountDisabled from attribute list and press the Edit button. In Boolean Attribute Editor dialog box, if the value of True is set then select False, press the OK button. Press the OK button again to close the user properties. Under your Cognos application partition click the top node, there is the entry CN=Roles, select it and its children nodes appear in the right pane, right click CN=Administrators and select Properties. In CN=Administrators Properties page select its member attribute and click Edit, in Multi-valued Distinguished Name With Security Principal Editor click Add ADAM Account.

13 Configuring Microsoft ADAM 13 In Add ADAM Account input this new user s Distinguish name (DN) click OK. You can find the value of distinguishedname attribute from Properties of the newly added user in step d. Click OK to close Multi-valued Distinguished Name With Security Principal Editor. NOTE: Created UserDN is: Cn=cognosadmin,o=Cognos,DC=pro,DC=nhslsp,DC=net You should leave ADAM default settings in member. (By default, ADAM add the configuration partition s Administrators role, CN=Administrators,CN=Roles CN=Configuration,CN={GUID}, in this member, you should not remove it.) Enabling Anonymous Binds Before the schema can be successfully extended, Active Directory Application Mode must first be configured to accept anonymous requests. To accomplish this, the following steps will need to be executed: 1. Start ADAM ADSI Edit and right click root node, select Connect to.

14 Configuring Microsoft ADAM In Connection Settings, create your new configuration partition name in Connection Name, put your ADAM server name and port number, select Well-known naming context and select Configuration, then click OK. 3. Under your configuration partition click the top node, there is the entry CN=Services, click CN=Services to expand this node, click CN=Windows NT to expand to its children, right click CN=Directory Service and select Properties,. 4. In CN=Directory Service s Properties page select its attribute dsheuristics and click Edit, in String Attribute Editor input the string as value and click OK Setting Administrator s Group The last stage in the configuration process, is to add the Authenticated Users group into the configuration partition s Administrators group. 1. Start ADAM ADSI Edit and right click root node, select Connect to. 2. In Connection Settings, create your new configuration partition name in Connection Name, put your ADAM server name and port number, select Well-known naming context and select Configuration, then click OK.

15 Configuring Microsoft ADAM Under your configuration partition click the top node, there is the entry CN=Roles, click it to select this node, right click CN=Administrators and select Properties. 4. In CN=Administrators Properties page select its member attribute and click Edit, in Multi-valued Distinguished Name With Security Principal Editor click Add Windows Account. 5. In Select Users or Groups click Locations and select your local host name, click OK, then click Advanced button. 6. Click Find Now, select Authenticated Users and click OK. Click OK to close Select Users or Groups dialog. 7. Click OK to close Multi-valued Distinguished Name With Security Principal Editor 8. Click OK to close CN=Administrators Properties. Note: 9. After successfully configuring ADAM through Cognos Configuration Manager, remember to remove Authenticated Users from CN=Administrators member. Important: Microsoft has a patch (838342) that will not require that Authenticated Users be added to the Administrators role. This is key as most companies will want to either create a Cognos Admin account or designate an existing account. This patch can be obtained from Microsoft as Cognos will not distribute this to customers. Again, has to be obtained from Microsoft. 3 Extending the Schema The process of extending the schema to be able to use Active Directory as an authentication source, is split into two operations; extending the schema, where IBM Cognos specific objects and attributes are added to the existing ADAM schema, and creating the Cognos namespace that will contain all of the users and user classes to be used in the IBM Cognos security infrastructure.

16 Configuring Microsoft ADAM 16 When using Configuration Manager, the two processes appear to be part of the same operation, but there are in fact two distinct operations that occur. Once the schema has been extended, the objects and attributes are forever part of the Active Directory schema so ensure that you are configuring the correct domain. That being said, the schema only needs to be extended once, but multiple namespaces can be created at different locations within Active Directory. This can be done either through the Access Manager admin interface, which allows you to create multiple namespaces within the same instance, or, through Configuration Manager which permits the creation of different instances within the same directory server instance. This is achieved by setting different basedn values for the Base distinguished name (DN) parameter. For instance, specifying o=cognos_prod,dc=support,sc=local and o=cognos_dev,dc=support,dc=local would create two unique instances of the Cognos namespace that would have to be administered separately. Important: In order to successfully extend the ADAM schema with the Cognos objects and attributes, Configuration Manager must be installed on the same server as ADAM. At the time that this document was written, trying to configure ADAM remotely would fail. 3.1 Configuration Manager To complete the schema extension and the creation of the namespace, the Configuration Manager utility must be used. In Configuration Manager, modify the values required to extend the directory server schema by accessing the General page under Services -> Access Manager Directory Server. The values that need to be modified to extend the schema can be found in the right hand frame. Are you sure that you want to configure this directory server? This value should be set to yes, otherwise the operation will not be executed when the settings are applied. Schema Version This value should be set to CURRENT unless older Series 7 applications will be accessing this directory server as well. Server Type This value can be left to the default Auto Detect or the Active Directory option can be selected.

17 Configuring Microsoft ADAM 17 Computer Host name of the directory server housing the Cognos schema. This can be machine name, IP address or fully qualified DNS name. Port Port number that the directory server instance is running on. Base distinguished name (DN) Organizational Unit (OU) or Container (CN) where the Cognos namespace will be created. This can be done at the root DN, DC=Support,DC=local for example, or can be in part of the subtree, such as, O=Cognos,DC=Support,DC=local. Again, it would be good practice to not specify just the basedn and use an Organization or Organizational Unit such as Cognos to house the namespace. The namespace does not need to be created in the root of the domain. It can be created at any point of the domain hierarchy. For example, if the desired location was in an Organizational Unit (OU) called applications, which was under the root of the domain, the basedn would then be: o=cognos,ou=applications,dc=support,dc=local. Unrestricted User distinguished name (DN) User account that has sufficient privileges to extend the schema of the directory server as well as create the namespace. The value should be the full DN to the user account and NOT just the user name. Unrestricted User password Matching password value for the user specified as the unrestricted user. Primary ticket service - Host and port where the Access Manager Server or Ticket Server service is running. This value can be supplied after the schema has been extended either through Configuration Manager or the Access Manager admin tool, but it is recommended that this be set at the same time as the schema extension.

18 Configuring Microsoft ADAM 18 Apply these settings by clicking on the General object in the tree and pressing the apply button. The settings can also be applied by rightclicking on the General object and selecting Apply Selection. If all values are correct, and the credentials have enough privileges, the following message will be returned upon successful schema extension. 3.2 Schema Objects and Attributes Prior to extending the schema in Active Directory, administrators may inquire as to which objects and attributes will be added into the schema. As mentioned before, this is an irreversible action, so great discretion is sometimes used. All of the files that deal with the schema modification are located in the <install_path>\cerx\accman directory. The files in this directory are organized by both schema version (15.2 or 16.0) and directory server type. The files required for the CURRENT schema type (see section 2.2.3) contain 16.0 in the file name.

19 Configuring Microsoft ADAM 19 For example, slapd.oc.conf.16.0.extension. All files that are required for Active Directory have the.active Directory suffix in the file names. For example, slapd.oc.conf.16.0.extension.active_directory. Files that create the Object Classes contain.oc. in the file name, and files that create attributes contain.at. in the file name.

20 Configuring Microsoft ADAM 20 Here is a sample from the slapd.oc.conf.16.0.extension.active_directory file: # objectclasses below added for Cognos Authenticator Directory Service #Schema Version 16.0 objectclass authsubdirectory oid requires objectclass, cn allows authcreationdate, authconfigurationitem, authdefaultnamespace, authmiscellaneous, camutf8namespaces parents authsecuritydata, authsubdirectory, domaindns, organization, organizationalunit objectclass camobjectdirectory oid requires objectclass, cn parents authsecuritydata, camobjectdirectory And a sample from the slapd.at.conf.16.0.extension.active_directory file: #attributes below added for Cognos Authenticator Directory Service #Schema Version 16.0 attribute camuserfolderref camuserfolderref dn attribute camdbsignonref camdbsignonref dn attribute camuserclassref camuserclassref dn 13804