Job Aid: LDAP or VMM Synch
Tivoli Service Request Manager, Change and Configuration Management Database, Asset Management for IT
Document version 1.0
Copyright International Business Machines Corporation 2010. All rights reserved.
US Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
CONTENTS
Revision History ... 4
Overview ... 5
Definitions ... 5
Question 1 ... 5
Question 2 ... 6
Question 3 ... 6
Question 4 ... 7
To use these documents go to ... 8
How-to Documents ... 8
Troubleshooting Documents ... 9
References ... 9
REVISION HISTORY
Date      Version  Comments
09/21/10  1.0      First version
Overview
As a project gets underway for implementing IBM Tivoli Service Request Manager, IBM Tivoli Change and Configuration Management Database (CCMDB), or IBM Tivoli Asset Management for IT, customers need to decide whether to use LDAP or VMM to synchronize the user and person data into Service Request Manager, Asset Management for IT, or CCMDB. This decision can be confusing, as VMM sync is provided as part of the standard installation steps. Although VMM is provided, it does not always align with the requirements the customer has for the synchronization process. The information in this document can aid the customer in deciding which synchronization process is the best technology for their business. The document is structured as questions that the customer may have, or may have asked a consultant, about VMM or LDAP. Also provided are technical support documents that can be referenced and links to troubleshooting ideas for both technologies.

Definitions
Lightweight Directory Access Protocol (LDAP) is an application protocol for querying and modifying data using directory services running over TCP/IP. A directory is a set of objects with attributes organized in a logical and hierarchical manner. It is typically used for organizing person data within an organization.
Virtual Member Manager (VMM): WebSphere Application Server V6.1 offers a federated user repository feature that makes it easy to access and maintain user data in multiple repositories.

Question 1
Which tool should be used to authenticate users to Tivoli, SRM, CCMDB, or AMIT?
If the client uses any directory tool other than Active Directory, it would likely be best to use VMMSync; if using ITF Lotus, then use VMM sync. If the client has a mixed environment with many directory structures, this again encourages the use of VMMSync. Note that VMMSync always brings over all information, so it can be a performance concern.
If the client uses Active Directory, this lends the implementation to using LDAPSync. If the environment is using WebLogic, it must use LDAPSync. If the business has very large directories, this again lends itself well to the LDAPSync process. After the first run, LDAPSync only brings over changes, which eases the load on performance.
* There are standard LDAP integrations with both Microsoft Active Directory and IBM Tivoli Directory Server.

Question 2
How does VMM authorization work within Tivoli process automation engine tools?
1. Authentication first happens through VMM.
2. Authorization happens after a user has been authenticated.
3. The list of users and group memberships shown on the GUI is obtained from VMM.
4. Once successful authentication happens, access control is based on users and the groups of which they are members.
After a successful authentication, the user is authorized (case sensitive) to access particular access collections based on policy. Users and groups will be listed in the UI with the case returned from VMM. To determine what case is used to define an authorization policy for the user, look at the authorization policy files.
Note: VMM is used to federate one or more user repositories and acts like an abstracted LDAP. Once authenticated, authorization in the tool is handled by the Tivoli tools (Maximo) Security Groups framework. ESS provides authentication and token services (generation and validation) to support various SSO scenarios.

Question 3
How does LDAP authorization work within Tivoli's process automation engine tools?
1. LDAP (Lightweight Directory Access Protocol) is used to maintain a central directory of usernames and passwords for authentication of different network products.
GN (GivenName): typically used to store the first name of the user. For example, this could be the user's first name and middle initial.
SN (SurName): typically used to store the last name of the user. For example, this could be the user's last name followed by a comma.
CN (CommonName): used to refer to the individual user. It is typically created by concatenating GivenName and SurName.
OU (OrganizationalUnit): used to logically segment the LDAP directory for purposes within an organization.
DC (DomainComponent): used to define each section of the address of the LDAP server (for example, "ldapserver.mro.com" would be "DC=ldapserver, DC=mro, DC=com").
DN (DistinguishedName): used to identify an object in the LDAP directory. Each object must have a unique name. The DN is typically made up of the CN, OU and DC attributes added together.
sAMAccountName: SAM is part of a specification developed by Microsoft to maintain compatibility between LDAP and older NT4 platforms, which used SAM databases for security.
2. Security and identification are driven by three identifiers in the tables:
1) Loginid: used for authentication into the system
2) Userid: typically the same as loginid
3) Personid: name of the user as it will be displayed in the Start Center
3. Set up procedures for synchronizing Active Directory CN accounts with the tables for authentication. When setting this up, the ID used for authentication in the LDAP directory is the ID that should be synchronized to the loginid and userid fields. In the case of CN, it may also be the value populated in the personid field.

Question 4
Can a client use LDAPSYNC instead of VMMSYNC for synchronization (Active Directory only)?
The version 7 installer defaults to using the VMMSYNC cron task to synchronize users from WebSphere to Maximo when WebSphere is used. Active Directory does not require the WebSphere LDAP interface component and can use the direct LDAPSYNC instead. These steps only work with Active Directory, as LDAPSYNC is an Active Directory synchronizer.
1. The LDAPSYNC process was developed to copy user data from the Active Directory LDAP server to the table structures and enable authentication to the Tivoli process automation engine tool set. This tool communicates directly with Active Directory and uses straight Active Directory queries and filters to find the data to be copied.
2. Version 7 of the process automation engine expands LDAP compatibility by leveraging existing technology in WebSphere to communicate with LDAP servers. By using the WebSphere tools, the LDAP data is essentially normalized to a single format regardless of which LDAP server it is connected to.
3. VMMSYNC is designed to synchronize users by communicating with the normalized WebSphere directory. To do this, queries and filters that would normally work for Active Directory must be modified to use the WebSphere structure. The VMMSYNC process introduces a new layer of technology and complexity to the synchronization process, since now both WebSphere and VMMSYNC must be configured to map the data correctly.
4. If Active Directory is the LDAP server that will be used with process automation engine 7, administrators can disable the VMMSYNC cron task and enable the LDAPSYNC cron task. The LDAPSYNC cron task communicates directly with Active Directory.

The following development and technical notes are stored on the IBM Support site for LDAP and VMM.
To use these documents go to
http://www-947.ibm.com/support/entry/portal/Overview/Software/Software_support_(general)
Once there, enter the exact wording noted here and the article will be shown from support. The first set of support documents focuses on how to set up authentication; the second set is available to assist in troubleshooting issues that can come up.

How-to Documents
- Master Document - LDAP Configurations Flow Chart
- Understanding the Maximo Implementation of LDAP
- Understanding LDAPSYNC synchronization using the Global Catalog
- Using LDAPSYNC instead of VMMSYNC for Synchronization - Active Directory Only
- Modifying the LDAP group used for Authentication with Web Logic and Maximo
- Maximo/WebLogic Active Directory Integration
- VMMSYNC GroupMapping and UserMapping XML filter definition syntax
- MustGather: Maximo LDAP Configuration
- Modifying the Standard Mappings in the ldapsync.xml File with Active Directory
- Virtual Member Manager (VMM) authentication
- LDAP error: Failed to perform user synchronization
- Configuring CCMDB to use Microsoft Active Directory
- LDAP Mapping for Phone and Email Types in Maximo 6
- Information to collect when researching LDAP / VMM Synch questions
- LDAP Synch and required fields
- LDAP and VMM Sync using business object validation as of 7.1.1.4
- Disabling "Remember my password" in Internet Explorer when LDAP is enabled

Troubleshooting Documents
- Not a Valid Data Type error in LDAP/VMM Synch 7.1.1.4
- Error adding a security group when LDAP is enabled
- Failed to store synchronization parameters in database
- LDAP - Maximo does not require Re-Authentication after Time-out
- Error synchronizing users javax.naming.partialresultexception
- BMXAA4222E - USERMAPPING or GROUPMAPPING XML invalid
- LDAP re-authentication when session times out or multiple sessions running
- LDAP synchronization errors in Maximo for fields not required
- Retrieve attributes from Active Directory
- LDAP overwrites the attribute values
- LDAP Cron Tasks appear to run but do not sync any users
- Cannot find mxe.ldapgroupmgmt System Property
- Using the viewqueue and deletequeue Utilities in an LDAP Environment
- LDAP login causes a "401 -- Unauthorized" browser error
- LDAP server authenticates user

References
Here is the general link to locate several Redbooks on security:
http://www.redbooks.ibm.com/cgibin/searchsite.cgi?query=maximo+and+deployment
Here is a specific link to the Redbook that certainly covers security:
http://www.redbooks.ibm.com/abstracts/sg247640.html?open
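Worked example, added here and not part of the IBM job aid, tying together the LDAP terms defined in Question 3 and the case-sensitive authorization check in Question 2: it builds a DN from CN, OU and DC components (written without the spaces after commas used in the text), maps a constructed Active Directory entry onto the loginid, userid and personid identifiers, and reports whether a login matches a group member exactly or differs only in case. The attribute names, the choice of cn for personid, and the sample entry are assumptions for illustration.

```python
# Added example, not part of the IBM job aid. It shows how the LDAP pieces
# defined in Question 3 (CN, OU, DC, DN) fit together, how an Active Directory
# entry maps onto the loginid / userid / personid identifiers, and why the
# case-sensitive authorization match in Question 2 can fail. All values are constructed.
from typing import Dict, List, Optional

def domain_to_dc(fqdn: str) -> str:
    """'ldapserver.mro.com' -> 'DC=ldapserver,DC=mro,DC=com'."""
    return ",".join(f"DC={label}" for label in fqdn.split("."))

def build_dn(cn: str, ous: List[str], fqdn: str) -> str:
    """DN = CN + OU components (innermost first) + DC components."""
    return ",".join([f"CN={cn}", *(f"OU={ou}" for ou in ous), domain_to_dc(fqdn)])

def map_user(entry: Dict[str, str], auth_attr: str = "sAMAccountName") -> Dict[str, str]:
    """Copy the attribute the user logs in with into loginid and userid.

    personid is taken from cn, the value displayed in the Start Center; that
    default is an assumption, the job aid only says cn *may* be used there.
    A missing required attribute raises instead of creating a partial record,
    which is the situation behind the "required fields" sync errors.
    """
    missing = [a for a in (auth_attr, "cn") if not entry.get(a)]
    if missing:
        raise ValueError(f"cannot sync entry, missing attributes: {missing}")
    return {"loginid": entry[auth_attr], "userid": entry[auth_attr], "personid": entry["cn"]}

def check_group_membership(login: str, group_members: List[str]) -> Optional[str]:
    """Exact-case match, as the authorization policy requires.

    Returns None when the user matches, otherwise a diagnostic. A case-only
    mismatch is reported separately because it is the usual cause when the
    repository returns a different case than the policy was written in.
    """
    if login in group_members:
        return None
    for member in group_members:
        if member.lower() == login.lower():
            return f"case mismatch: policy has {member!r}, repository returned {login!r}"
    return f"{login!r} is not a member"

if __name__ == "__main__":
    # Constructed sample entry for a user in OU=Users under ldapserver.mro.com.
    entry = {"sAMAccountName": "jsmith", "cn": "John Smith", "givenName": "John", "sn": "Smith"}
    print(build_dn(entry["cn"], ["Users"], "ldapserver.mro.com"))
    print(map_user(entry))
    print(check_group_membership("JSmith", ["jsmith", "admin"]))
```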
Trademarks
IBM, Lotus, Maximo, Service Request Manager, Tivoli, and WebSphere are trademarks or registered trademarks of IBM Corporation in the United States, other countries, or both. Microsoft is a trademark or registered trademark of Microsoft Corporation in the United States, other countries, or both. Other company, product, and service names may be trademarks or service marks of others.

Copyright IBM Corporation 2010
IBM United States of America
Produced in the United States of America
All Rights Reserved

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions; therefore, this statement may not apply to you.

Information in this paper as to the availability of products (including portlets) was believed accurate as of the time of publication. IBM cannot guarantee that identified products (including portlets) will continue to be made available by their suppliers. This information could include technical inaccuracies or typographical errors. Changes may be made periodically to the information herein; these changes may be incorporated in subsequent versions of the paper. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this paper at any time without notice.

Any references in this document to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
IBM World Trade Asia Corporation Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan