Security Guide for Siebel Business Applications > Security Adapter Authentication > About LDAP/ADSI Security Adapter Authentication >

Requirements for LDAP/ADS Directory

If you are using LDAP or ADSI authentication, you must provide your own directory product, whether it is one of the directory servers supported by Siebel-provided security adapters or another directory of your choice. For specific information about third-party products supported by Siebel Business Applications, see System Requirements and Supported Platforms on Siebel SupportWeb for your Siebel application.

  • If you provide one of the Siebel-supported directory servers (that is, a supported LDAP directory or Microsoft ADS), then you can use a Siebel-provided security adapter, or you can create your own Siebel-compliant security adapter.
  • If you provide a directory other than those supported by the Siebel-provided security adapters, then you are responsible for implementing a security adapter that will support this directory.

Data Requirements for Directory

Your LDAP/ADS directory must store, at a minimum, the following data for each user. Each piece of data is contained in an attribute of the directory.

  • Siebel user ID. This attribute value must match the value in the user ID field for the user's Person record in the Siebel Database. It is used to identify the user's database record for access-control purposes.
  • Database account. This attribute value must be of the form username=U password=P, where U and P are credentials for a database account. There may be any amount of white space between the two key-value pairs, and there must be no space within each pair. The keywords username and password must be lowercase.
  • Username. This attribute value is the key passed to the directory that identifies the user. In a simple implementation, it may be the Siebel user ID, and so it may not need to be a separate attribute.
  • Password. The storage of a user's login password differs between LDAP servers and ADS.
    • LDAP. Whether the password is stored in the directory depends on whether you are using Web SSO.
      • If the user authenticates through the LDAP directory, using the LDAP security adapter, then the login password must be stored in an attribute.
      • If the user is authenticated by an authentication service, such as in a Web SSO implementation, a password attribute is not required.
    • ADS. ADS does not store the password as an attribute. The password can be entered at the directory level as a function of the client, or the ADSI security adapter can use ADS methods to create or modify a password.
      • If the user authenticates through the ADS directory, using the ADSI security adapter, then the login password must be provided.
      • If the user is authenticated by an authentication service, such as in a Web SSO implementation, a password is not required.

You can use other user attributes to store whatever data you want, such as first and last name. Authentication options that you choose may require that you commit additional attributes.

If you create a new attribute object for your directory to store Siebel attributes (for example, Siebel User ID), you can use the Private Enterprise Number that Siebel Systems has registered with the Internet Assigned Numbers Authority ( to provide a unique X500 Object ID. This number is*.

An additional type of data, roles, is supported, but is not required. Roles are an alternate means of associating Siebel responsibilities with users. Responsibilities are typically associated with users in the Siebel Database, but they can instead be stored in the directory. Leave role values empty to administer responsibilities from within Siebel Business Applications. For more information, see Configuring Roles Defined in Directory.

User Privileges for Directory

Depending on your authentication and registration strategies and the options that you implement within your strategy, you must define users in the directory that read and may possibly write user information in the directory. It is critical that users who read or write data in the directory have appropriate search and write privileges to the directory.

NOTE:  For ADSI authentication, it is recommended to use the Delegate Control Wizard to define privileges for users in the ADS directory.

You must create the following user:

  • Application user. You must implement the application user, which is the only user that must be able to search and write records to the directory. For more information, see Configuring the Application User.

LDAP Security Adapter Requirements

If you are using LDAP authentication with any supported LDAP directory product, you must confirm that the IBM LDAP Client software that is provided by Siebel Systems is installed. If this LDAP Client is not yet installed, then you must manually install it.

  • The LDAP Client software must be installed on the Siebel Server machine where the LDAP security adapter will function.
  • In addition, if you require LDAP security adapter functionality from a Siebel Developer Web Client, you must install the LDAP client software on each such client computer.

For IBM LDAP Client installation instructions, see Installing LDAP Client Software.

ADSI Security Adapter Requirements

If you are running the Siebel Server on supported Microsoft Windows platforms and you are using ADSI authentication, you must meet the requirements described here. For more information about some of these issues, refer to your Microsoft Active Directory documentation.

  • To allow users to set or change passwords, the ADSI client software must be able to establish a secure connection to the Active Directory Server. This requirement may be met in multiple ways:
    • Including all systems as part of a single Microsoft Windows domain forest
    • Configuring trust relationships
    • Configuring Secure Sockets Layer (SSL)

      It is also recommended to place all Siebel Servers and Active Directory Servers in the same domain forest.

      NOTE:  To perform user management in the ADS directory through the Siebel client, it is strongly recommended that you configure ADS at the server level for SSL communications between the Active Directory client and server. This is different from SSL communications between the security adapter and the directory, which is configured through Siebel Business Applications and is discussed in Configuring Secure Communications for Security Adapter.

  • DNS servers on your network must be properly configured with DNS entries for ADS. Client computers using the ADSI security adapter must be configured to be able to retrieve these entries from the appropriate DNS servers.
  • If you require ADSI security adapter functionality for Siebel Developer Web Client deployments, you must install the ADSI client software on each such client computer, where applicable. This requirement does not apply universally across supported Microsoft Windows platforms.

    NOTE:  For more information about ADSI client issues, search Microsoft's Web site for information about Active Directory Client Extensions.

To confirm successful installation of a Siebel-supported ADSI client

  1. Navigate to the system32 subdirectory of the installation location for the Microsoft Windows operating system (for example, C:\WINDOWS\system32).
  2. Verify that the correct versions of each DLL required for the ADSI client are present in the subdirectory. For details, refer to your vendor documentation.
  3. For each DLL, right-click on the file and choose Properties.
  4. Click the Version tab to see the version number.
Security Guide for Siebel Business Applications