Configuring Microsoft ADAM


Proven Practice: Configuring Microsoft ADAM
Product(s): IBM Cognos Series 7
Area of Interest: Security

Copyright
Copyright 2008 Cognos ULC (formerly Cognos Incorporated). Cognos ULC is an IBM Company. While every attempt has been made to ensure that the information in this document is accurate and complete, some typographical errors or technical inaccuracies may exist. Cognos does not accept responsibility for any kind of loss resulting from the use of information contained in this document. This document shows the publication date. The information contained in this document is subject to change without notice. Any improvements or changes to the information contained in this document will be documented in subsequent editions. This document contains proprietary information of Cognos. All rights are reserved. No part of this document may be copied, photocopied, reproduced, stored in a retrieval system, transmitted in any form or by any means, or translated into another language without the prior written consent of Cognos. Cognos and the Cognos logo are trademarks of Cognos ULC (formerly Cognos Incorporated) in the United States and/or other countries. IBM and the IBM logo are trademarks of International Business Machines Corporation in the United States, or other countries, or both. All other names are trademarks or registered trademarks of their respective companies. Information about Cognos products can be found at www.cognos.com. This document is maintained by the Best Practices, Product and Technology team. You can send comments, suggestions, and additions to cscogpp@ca.ibm.com.

Contents
1 Introduction ... 4
1.1 Purpose ... 4
1.2 Applicability ... 4
1.3 Caveats ... 4
2 Microsoft ADAM ... 4
2.1 Installing ADAM ... 4
2.2 Configuring ADAM ... 9
2.2.1 Enabling Anonymous Binds ... 13
2.2.2 Setting Administrator's Group ... 14
3 Extending the Schema ... 15
3.1 Configuration Manager ... 16
3.2 Schema Objects and Attributes ... 18

1 Introduction

1.1 Purpose
This document provides a walkthrough of configuring Microsoft Active Directory Application Mode (ADAM) in a Windows 2003 environment for use with the IBM Cognos Series 7 products. Once the ADAM schema has been extended, the Cognos namespace can be created.

1.2 Applicability
Product version is important when using this document. If the product version is not at least IBM Cognos Series 7 Version 3 MR2, the operation may fail. Any release prior to Series 7 V3 MR2 is unsupported with ADAM.

1.3 Caveats
This document covers installing and configuring ADAM in a Windows 2003 environment. At the time this document was created, Windows XP was not a supported platform, and some additional steps may be required there.

2 Microsoft ADAM

2.1 Installing ADAM
Before the installation can begin, the install media must first be obtained. ADAM is a free download from the Microsoft site and can be found at this URL: http://www.microsoft.com/downloads/details.aspx?familyid=9688f8b9-1034-4ef6-a3e5-2a2a57b5c8e4&displaylang=en
When the install media has been downloaded, double-click the adamsetup.exe executable to start the install process. Ensure that a new instance is selected when prompted during the Setup Options.

When prompted for an Instance Name, select a name that will be easily identified. One suggested name is CognosADAM, so that the ADAM instance can easily be identified as the directory server instance for the IBM Cognos application(s).

Once the name has been selected, the next user input required is to identify which ports the application will run on. It is recommended not to use the standard LDAP port of 389 or the SSL port of 636, due to possible conflicts with currently running directory servers or any future directory server installations. For this document, ports 38900 and 63600 were used. The next step of the installation process is to create the partition that will store the application-specific data. Make sure that the "Yes, create an application directory partition" radio button is selected. The base distinguished name (basedn) will have to be supplied as well. The format of the basedn is usually DC=domain,DC=com, but any values can be used. In addition to specifying the basedn, it is recommended to prefix the basedn with an Organization (O) or Organizational Unit (OU) that will contain the Cognos namespace. The installation detailed in this document uses O=Cognos,DC=pro,DC=nhslsp,DC=net.

Specify the installation path to continue the install. The next step requires selecting which account will start the ADAM service. This can be either the local system account or a named domain account. Certain situations may require a named domain account, but for the purpose of this document the local system account will be used.

The last stage in installing the ADAM application is to indicate which LDIF files will be imported and included in the starting schema for the ADAM instance. The only two that need to be selected are the MS-InetOrgPerson.LDF and MS-User.LDF LDIF files. As this is the last step, press the Next button and then the Finish button.

2.2 Configuring ADAM
After the successful installation of the ADAM application, certain configuration changes will need to be made in order to allow the Cognos application to connect to the directory server and extend the schema. The configuration changes are made through the ADAM ADSI Edit interface, which can be found at Start -> All Programs -> ADAM -> ADAM ADSI Edit. With the ADAM ADSI Edit interface open, right-click the ADAM ADSI Edit root and select Connect to. This presents the Connection Settings dialog box, in which the distinguished name will have to be entered in order to connect to the node. Use the base distinguished name that was entered when the new instance was created in step 2.1. Supply the machine name and port number that were used to run ADAM. Right-click your Cognos application DN node, select New, and click Object.

In the Create Object dialog box, select the user object class. Press the Next button and then supply a value for the new user object. In this example, cognosadmin was the value used. Once the new user object has been created, the password will need to be reset. Right-click this new user and select Reset Password; in the Reset Password dialog, set your new password, confirm the password, and then press the OK button.

Right-click this new user and select Properties, select msDS-UserAccountDisabled from the attribute list and press the Edit button. In the Boolean Attribute Editor dialog box, if the value is set to True, select False and press the OK button. Press the OK button again to close the user properties. Under your Cognos application partition, click the top node; there is an entry CN=Roles. Select it and its child nodes appear in the right pane. Right-click CN=Administrators and select Properties. In the CN=Administrators Properties page, select its member attribute and click Edit. In the Multi-valued Distinguished Name With Security Principal Editor, click Add ADAM Account.

In Add ADAM Account, input this new user's distinguished name (DN) and click OK. You can find the value of the distinguishedName attribute in the Properties of the newly added user in step d. Click OK to close the Multi-valued Distinguished Name With Security Principal Editor.
NOTE: The created user DN is: CN=cognosadmin,O=Cognos,DC=pro,DC=nhslsp,DC=net
You should leave the ADAM default settings in member. (By default, ADAM adds the configuration partition's Administrators role, CN=Administrators,CN=Roles,CN=Configuration,CN={GUID}, to this member attribute; you should not remove it.)

2.2.1 Enabling Anonymous Binds
Before the schema can be successfully extended, Active Directory Application Mode must first be configured to accept anonymous requests. To accomplish this, the following steps will need to be executed:
1. Start ADAM ADSI Edit, right-click the root node, and select Connect to.

2. In Connection Settings, enter your new configuration partition name in Connection Name, put in your ADAM server name and port number, select Well-known naming context and select Configuration, then click OK.
3. Under your configuration partition, click the top node; there is an entry CN=Services. Click CN=Services to expand this node, click CN=Windows NT to expand to its children, then right-click CN=Directory Service and select Properties.
4. In the CN=Directory Service Properties page, select its dSHeuristics attribute and click Edit. In the String Attribute Editor, input the string 0000002001001 as the value and click OK.

2.2.2 Setting Administrator's Group
The last stage in the configuration process is to add the Authenticated Users group into the configuration partition's Administrators group.
1. Start ADAM ADSI Edit, right-click the root node, and select Connect to.
2. In Connection Settings, enter your new configuration partition name in Connection Name, put in your ADAM server name and port number, select Well-known naming context and select Configuration, then click OK.

3. Under your configuration partition, click the top node; there is an entry CN=Roles. Click it to select this node, then right-click CN=Administrators and select Properties.
4. In the CN=Administrators Properties page, select its member attribute and click Edit. In the Multi-valued Distinguished Name With Security Principal Editor, click Add Windows Account.
5. In Select Users or Groups, click Locations and select your local host name, click OK, then click the Advanced button.
6. Click Find Now, select Authenticated Users and click OK. Click OK to close the Select Users or Groups dialog.
7. Click OK to close the Multi-valued Distinguished Name With Security Principal Editor.
8. Click OK to close CN=Administrators Properties.
9. Note: after successfully configuring ADAM through Cognos Configuration Manager, remember to remove Authenticated Users from the CN=Administrators member attribute.
Important: Microsoft has a patch (838342) that removes the requirement to add Authenticated Users to the Administrators role. This is key, as most companies will want to either create a Cognos Admin account or designate an existing account. This patch can be obtained from Microsoft, as Cognos will not distribute it to customers. Again, it has to be obtained from Microsoft: http://support.microsoft.com/default.aspx?scid=kb;en-us;838342

3 Extending the Schema
The process of extending the schema to be able to use Active Directory as an authentication source is split into two operations: extending the schema, where IBM Cognos specific objects and attributes are added to the existing ADAM schema, and creating the Cognos namespace that will contain all of the users and user classes to be used in the IBM Cognos security infrastructure.
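As an added check that is not part of the original proven practice, the following Python script audits an LDIF export of the objects touched in sections 2.2 to 2.2.2 (the two Administrators roles and the CN=Directory Service object) and reports whether Authenticated Users is still in the configuration partition's Administrators role, whether the default configuration Administrators membership was kept, and whether dSHeuristics still permits anonymous operations. The <SID=...> form of a Windows principal in the member attribute, the instance GUID and the LDIF snapshot are assumptions constructed for the example.

```python
"""Offline audit of the ADAM settings from sections 2.2 to 2.2.2. Added example,
not from the Cognos proven practice: it reads an LDIF export (as ldifde would
produce) instead of querying a live instance, so it runs without a server."""

AUTH_USERS_SID = "S-1-5-11"  # well-known SID of Authenticated Users


def anonymous_ops_allowed(dsheuristics: str) -> bool:
    """Character 7 (fLDAPBlockAnonOps) == '2' permits anonymous LDAP operations."""
    return len(dsheuristics) >= 7 and dsheuristics[6] == "2"


def dsheuristics_well_formed(dsheuristics: str) -> bool:
    """Every 10th character must equal its ordinal (10th = '1', 20th = '2')."""
    return all(dsheuristics[p - 1] == str(p // 10)
               for p in range(10, len(dsheuristics) + 1, 10))


def parse_ldif(text: str) -> dict:
    """Minimal LDIF reader, {dn.lower(): {attr.lower(): [values]}}; no base64/folding."""
    entries, dn, attrs = {}, None, {}
    for line in [l.strip() for l in text.splitlines()] + [""]:
        if not line:
            if dn:
                entries[dn] = attrs
            dn, attrs = None, {}
            continue
        name, _, value = line.partition(": ")
        if name.lower() == "dn":
            dn = value.lower()
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return entries


def audit(ldif_text: str, app_admins_dn: str, cfg_admins_dn: str, ds_dn: str) -> list:
    """Return findings; an empty list means the state matches the document."""
    entries, findings = parse_ldif(ldif_text), []
    # Step 9 of 2.2.2: Authenticated Users must be gone once Configuration Manager
    # is done. Assumption: ADAM lists a Windows principal in member as <SID=...>.
    cfg_members = entries.get(cfg_admins_dn.lower(), {}).get("member", [])
    if any(m.startswith("<SID=") and AUTH_USERS_SID in m for m in cfg_members):
        findings.append("Authenticated Users still in " + cfg_admins_dn)
    # 2.2: the configuration partition's Administrators role must remain a member
    # of the application partition's Administrators role.
    app_members = [m.lower() for m in entries.get(app_admins_dn.lower(), {}).get("member", [])]
    if cfg_admins_dn.lower() not in app_members:
        findings.append("configuration Administrators role missing from " + app_admins_dn)
    dsh = entries.get(ds_dn.lower(), {}).get("dsheuristics", [""])[0]
    if not dsheuristics_well_formed(dsh):
        findings.append("dSHeuristics %r breaks the every-10th-character rule" % dsh)
    if anonymous_ops_allowed(dsh):
        findings.append("anonymous LDAP operations permitted (dSHeuristics=%s)" % dsh)
    return findings


# Constructed snapshot of an instance where step 9 of 2.2.2 has not yet been
# done; the instance GUID is a placeholder.
GUID = "{00000000-0000-0000-0000-000000000000}"
APP_ADMINS = "CN=Administrators,CN=Roles,O=Cognos,DC=pro,DC=nhslsp,DC=net"
CFG_ADMINS = "CN=Administrators,CN=Roles,CN=Configuration,CN=" + GUID
DIR_SERVICE = "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,CN=" + GUID
SAMPLE_LDIF = f"""dn: {APP_ADMINS}
member: CN=cognosadmin,O=Cognos,DC=pro,DC=nhslsp,DC=net
member: {CFG_ADMINS}

dn: {CFG_ADMINS}
member: <SID={AUTH_USERS_SID}>

dn: {DIR_SERVICE}
dSHeuristics: 0000002001001
"""
```

Running audit(SAMPLE_LDIF, APP_ADMINS, CFG_ADMINS, DIR_SERVICE) on the snapshot returns two findings: the Authenticated Users membership left over from 2.2.2 and the anonymous-operations setting from 2.2.1.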

When using Configuration Manager, the two processes appear to be part of the same operation, but there are in fact two distinct operations that occur. Once the schema has been extended, the objects and attributes are forever part of the Active Directory schema, so ensure that you are configuring the correct domain. That being said, the schema only needs to be extended once, but multiple namespaces can be created at different locations within Active Directory. This can be done either through the Access Manager admin interface, which allows you to create multiple namespaces within the same instance, or through Configuration Manager, which permits the creation of different instances within the same directory server instance. This is achieved by setting different basedn values for the Base distinguished name (DN) parameter. For instance, specifying o=cognos_prod,dc=support,dc=local and o=cognos_dev,dc=support,dc=local would create two unique instances of the Cognos namespace that would have to be administered separately.
Important: In order to successfully extend the ADAM schema with the Cognos objects and attributes, Configuration Manager must be installed on the same server as ADAM. At the time this document was written, trying to configure ADAM remotely would fail.

3.1 Configuration Manager
To complete the schema extension and the creation of the namespace, the Configuration Manager utility must be used. In Configuration Manager, modify the values required to extend the directory server schema by accessing the General page under Services -> Access Manager Directory Server. The values that need to be modified to extend the schema can be found in the right-hand frame.
Are you sure that you want to configure this directory server? - This value should be set to Yes; otherwise the operation will not be executed when the settings are applied.
Schema Version - This value should be set to CURRENT unless older Series 7 applications will be accessing this directory server as well.
Server Type - This value can be left at the default Auto Detect, or the Active Directory option can be selected.

Computer - Host name of the directory server housing the Cognos schema. This can be a machine name, IP address or fully qualified DNS name.
Port - Port number that the directory server instance is running on.
Base distinguished name (DN) - Organizational Unit (OU) or Container (CN) where the Cognos namespace will be created. This can be the root DN, DC=Support,DC=local for example, or part of the subtree, such as O=Cognos,DC=Support,DC=local. Again, it is good practice not to specify just the basedn but to use an Organization or Organizational Unit such as Cognos to house the namespace. The namespace does not need to be created in the root of the domain; it can be created at any point of the domain hierarchy. For example, if the desired location was an Organizational Unit (OU) called applications under the root of the domain, the basedn would be: o=cognos,ou=applications,dc=support,dc=local.
Unrestricted User distinguished name (DN) - User account that has sufficient privileges to extend the schema of the directory server as well as create the namespace. The value should be the full DN of the user account and NOT just the user name.
Unrestricted User password - Matching password value for the user specified as the unrestricted user.
Primary ticket service - Host and port where the Access Manager Server or Ticket Server service is running. This value can be supplied after the schema has been extended, either through Configuration Manager or the Access Manager admin tool, but it is recommended that it be set at the same time as the schema extension.

Apply these settings by clicking the General object in the tree and pressing the Apply button. The settings can also be applied by right-clicking the General object and selecting Apply Selection. If all values are correct and the credentials have enough privileges, a message confirming the successful schema extension will be returned.

3.2 Schema Objects and Attributes
Prior to extending the schema in Active Directory, administrators may inquire as to which objects and attributes will be added to the schema. As mentioned before, this is an irreversible action, so great discretion is sometimes used. All of the files that deal with the schema modification are located in the <install_path>\cerx\accman directory. The files in this directory are organized by both schema version (15.2 or 16.0) and directory server type. The files required for the CURRENT schema type (see section 2.2.3) contain 16.0 in the file name.

For example, slapd.oc.conf.16.0.extension. All files that are required for Active Directory have the .active_directory suffix in the file name, for example slapd.oc.conf.16.0.extension.active_directory. Files that create the object classes contain .oc. in the file name, and files that create attributes contain .at. in the file name.

Here is a sample from the slapd.oc.conf.16.0.extension.active_directory file:

    # objectclasses below added for Cognos Authenticator Directory Service
    #Schema Version 16.0
    objectclass authsubdirectory
        oid 1.2.840.114050.1.1.1.2.1
        requires objectclass, cn
        allows authcreationdate, authconfigurationitem, authdefaultnamespace, authmiscellaneous, camutf8namespaces
        parents authsecuritydata, authsubdirectory, domaindns, organization, organizationalunit

    objectclass camobjectdirectory
        oid 1.2.840.114050.1.1.1.2.13
        requires objectclass, cn
        parents authsecuritydata, camobjectdirectory

And a sample from the slapd.at.conf.16.0.extension.active_directory file:

    #attributes below added for Cognos Authenticator Directory Service
    #Schema Version 16.0
    attribute camuserfolderref camuserfolderref 1.2.840.114050.1.1.1.1.300 dn 13801
    attribute camdbsignonref camdbsignonref 1.2.840.114050.1.1.1.1.301 dn 13806
    attribute camuserclassref camuserclassref 1.2.840.114050.1.1.1.1.302 dn 13804