Appendix C Using OpenLDAP and Active Directory with the Configuration Manager

Using an OpenLDAP Server with the Configuration Manager

To use an OpenLDAP server as the repository for the Configuration Manager data, the schema of the server must be extended to feature the object classes and attributes used to store configuration data. A custom schema file named apoc.schema can be found in the openldap subdirectory of the Configuration Manager deployment tool provided in the Java Desktop System Management Tools CD.

This file must be copied in the schema subdirectory of the OpenLDAP configuration directory (/etc/openldap) and added to the OpenLDAP schema by including it in the slapd.conf file located in that directory. This is done by inserting a line that reads include /etc/openldap/schema/apoc.schema at the end of the sequence of schema includes that are present in that file. For more information on extending the schema of an OpenLDAP server, refer to the server's manual.

In order to prepare the OpenLDAP database to store configuration data, the deployment tool provided with the Configuration Manager must be used. The schema having already been extended by the previous step of the installation, only the createServiceTree script needs to be run. The script must be started from the deployment tool directory as any user by the following command: ./createServiceTree. The script prompts the user for the information about the OpenLDAP database as indicated in the deployment tool section of this document. A default mapping file using typical object classes and attributes featured in OpenLDAP is provided in the openldap subdirectory of the deployment tool. The file is called OrganisationalMapping and can be deployed by copying it over the file with the same name in the main deployment tool directory prior to launching createServiceTree.

The Configuration Manager Agent will try and connect to the OpenLDAP server anonymously by providing the DN of the user it requires data for, but no password. This mode of anonymous authentication can be disabled by default in some releases of OpenLDAP servers, in which case it must be enabled by adding a line reading allow bind_anon_cred in the common server parameters defined in the file slapd.conf located in the OpenLDAP configuration directory (/etc/openldap). For more information on that parameter, refer to the server's manual.

Using an Active Directory Server with the Configuration Manager

To use an Active Directory server as a repository for the Configuration Manager data, the schema of the server must be extended to feature the object classes and attributes used to store configuration data. A schema extension file named apoc-ad.ldf can be found in the ad subdirectory of the Configuration Manager deployment tool provided on the Management Tools CD. Refer to the deployment tool section for more information.

The apoc-ad.ldf file must be imported in the Active Directory schema using the following steps:

1. Enable schema extensions. Refer to Active Directory documentation or more information how to perform that operation.

2. Execute the following from the command prompt: ldifde -i -c "DC=Sun,DC=COM" <BaseDN> -f apoc-ad-registry.ldf.

   ---

   Note –

   Replace <BaseDN> with the Active Directory base DN.

   ---

In order to prepare the Active Directory server to store configuration data, the deployment tool must be used. The schema having already been extended by the previous step of the installation, only the createServiceTree script needs to be run. It must be started from the deployment tool directory as any user by the following: ./createServiceTree. The script prompts the user for the information about the Active Directory database. A default mapping file using typical object classes and attributes featured in Active Directory is provided in the ad subdirectory of the deployment tool directory. This file is called OrganisationalMapping and can be deployed by copying it over the file with the same name in the main deployment tool directory prior to launching createServiceTree.

From that point, the Active Directory server can be used with the Configuration Manager. When installing the Configuration Manager, provide the full DN and password of a user with read rights to the tree. This can be a user that is not able to use Active Directory for any other purpose. Refer to Active Directory documentation for more information on how to setup such a user. In addition, the domain name for the Active Directory must be known to the machine that is running the Configuration Manager. You can do this by adding a line mapping the IP address of the Active Directory server with its domain name to the /etc/hosts file of that machine.

In order to retrieve the configuration data from a Java Desktop System host, the domain name of the Active Directory must also be known to that host. Authentication of the Java Desktop System user can be done in two ways: anonymously and using GSSAPI.

• To authenticate using anonymous connections, the Active Directory server must be configured to grant read rights to everyone. Refer to Active Directory documentation for more information on how to perform that operation.

• To authenticate using GSSAPI, the file /etc/krb5.conf, which specifies the Kerberos parameters, must be modified to define the Active Directory realm and point to the Active Directory server as its Key Distribution Center (KDC). It must also specify, as the default encryption types, the DES types supported by Active Directory, namely des-cbc-crc and des-cbc-md5. Refer to the Kerberos documentation for more information on how to perform that operation. Before accessing the configuration data, valid credentials for the user who is logged in the Java Desktop System must be obtained. This can be performed manually by running the kinit command and by providing the user password defined in Active Directory. Other schemes may generate these credentials automatically at login. Refer to the Java Desktop System documentation for further information.