
Configuring LDAP or ADSI Security Adapters Using the Siebel Configuration Wizard


This topic describes how to configure the LDAP or ADSI security adapters provided with Siebel Business Applications using the Siebel Configuration Wizard. Alternatively, you can configure the security adapter settings by setting Gateway Name Server parameters directly using Server Manager. When you configure Siebel Gateway Name Server parameters, the Siebel Gateway Name Server must be running.

NOTE:  When configuring a Siebel Developer Web Client, you configure authentication parameters stored in the Siebel application configuration file.

The Siebel Enterprise is configured to use database authentication by default. When you specify LDAP or ADSI as the security adapter type using the Configuration Wizard, the setting you make provides the value for the Security Adapter Mode (SecAdptMode) parameter of the adapter profile, but it does not by itself switch the enterprise over to that adapter. To enable LDAP or ADSI authentication, you must also change the SecAdptName and SecAdptMode parameters using Server Manager (see Step 22). When you specify LDAP or ADSI as the security adapter mode, the configuration parameters specific to that LDAP or ADSI security adapter are defined for you. For example, the Security Adapter DLL Name (SecAdptDllName) parameter is set automatically when you specify LDAP or ADSI as the security adapter mode.

The Security Adapter Mode and Security Adapter Name parameters can be set for the Siebel Enterprise Server, for a particular Siebel Server, for an individual AOM component, or for the Synchronization Manager component (for Siebel Remote).

CAUTION:  If you want to configure a server component or a Siebel Server to use different LDAP or ADSI authentication settings than those already configured at a higher level (that is, configured for the Siebel Enterprise or Siebel Server), you must create a new LDAP or ADSI security adapter. Otherwise, the settings you make reconfigure the existing security adapter wherever it is used.

The Siebel Configuration Wizard sets authentication-related configuration parameters for Siebel Business Applications authentication, but does not make changes to the LDAP or ADSI directory. Make sure the configuration information you enter is compatible with your directory server.

The following procedure describes how to run the Siebel Configuration Wizard to configure the LDAP or ADSI security adapters provided with Siebel Business Applications.

To configure your LDAP or ADSI security adapter

  1. Launch the Siebel Configuration Wizard and navigate to the Enterprise Security Authentication Profile screen.

    For details about launching the wizard, see the Siebel Installation Guide for the operating system you are using.

  2. Choose the authentication type that corresponds to the security adapter you want to implement, and click Next.
    • Select LDAP Authentication to implement the LDAP security adapter.
    • Select ADSI Authentication to implement the ADSI security adapter.

      Enter values for the parameters that the Configuration Wizard presents to you, as described in the following steps. The screens that the Configuration Wizard presents depend on the authentication type you selected in Step 2.

  3. Enter information pertaining to the security adapter and the use of checksum validation:
    • Security Adapter Name (named subsystem). Specify the name of the security adapter. The setting you make provides a value for the Security Adapter Name parameter. You can accept the default name, or specify a nondefault name. If an enterprise profile (named subsystem) does not already exist with the name you specify, the Siebel Configuration Wizard creates a new enterprise profile using that name. The default names are:
      • For LDAP, the default name is LDAPSecAdpt.
      • For ADSI, the default name is ADSISecAdpt.
    • Security Authentication Library CRC Checksum. Specify whether you want to use checksum validation for the security adapter DLL file. Corresponds to the CRC parameter.

      If you do not want to use checksum validation, enter 0. Otherwise, enter the value that you generate as described in Configuring Checksum Validation.

  4. Directory Server Domain Name. Corresponds to the ServerName parameter.

    Specifies the name of the computer on which the LDAP or ADSI directory server runs. You must specify the fully qualified domain name of the LDAP directory server, not just the domain name. For example, specify ldapserver.oracle.com, not oracle.com.

    For ADSI, if SSL is configured between the Siebel Server and the directory server, you must specify the fully qualified domain name of the directory server. If the Siebel Server and directory server are in the same domain, you can specify the directory server's complete computer name or its IP address.

  5. Port Number (LDAP only). The port number used by the LDAP directory server. Use port 389 (the default) for standard transmission, or port 636 for secure transmission. Corresponds to the Port parameter.

    The ADSI directory server port is set as part of the directory installation, not as a configuration parameter.

  6. Enter configuration information pertaining to attribute mapping:
    • Siebel Username Attribute. The Siebel user ID attribute used by the directory. An example entry for an LDAP directory is uid. An example entry for ADSI is sAMAccountName (maximum length 20 characters). If your directory uses a different attribute for the Siebel user ID, enter that attribute instead. Corresponds to the UsernameAttributeType parameter.
    • Siebel Password Attribute (LDAP only). The attribute in which the directory stores the password for the Siebel user. Corresponds to the PasswordAttributeType parameter.
  7. Enter additional configuration information pertaining to attribute mapping:
    • Database Account Attribute. The database credentials attribute type used by the directory. For LDAP and ADSI, an example entry is dbaccount. If your directory uses a different attribute for the database account, enter that attribute instead. Corresponds to the CredentialsAttributeType parameter. Configuring the shared database account requires you to have defined the database account attribute.

      If you use LDAP, you can choose to specify the database credentials as server parameters rather than as attributes of a directory entry. For more details on this option and on how to store database credentials as attributes of a directory entry, see Configuring the Shared Database Account.

    • LDAP Roles Attribute. The attribute type for roles stored in the directory. This setting is required only if you use roles in your directory. Corresponds to the RolesAttributeType parameter.

      For more information, see Configuring Roles Defined in the Directory.

    • Shared Database Account Distinguished Name (DN). Specify the full DN for the shared database account stored in the directory. Corresponds to the SharedCredentialsDN parameter.

      Configuring the shared database account also uses the database account attribute you defined in Database Account Attribute.

      If you use an LDAP directory server, you can, as an alternative, specify the database credentials as profile parameters. For more information on this option, see Step 8.

  8. Cache shared database user credentials. Choose the appropriate action:
    • Select the check box Cache shared database user credentials if you want to store the database credentials for the shared database account as profile parameters for the LDAP Security Adapter profile (alias LDAPSecAdpt) instead of directory attributes. Proceed to Step 9.
    • Leave the check box clear if you want to store each user's database account credentials in an attribute of that user's record in the directory. Proceed to Step 10.
  9. Shared Database Account. Specify the shared database account user name and password.

    For more information on the shared database account, see Configuring the Shared Database Account.

  10. Configure the application user:
    • Application User Distinguished Name (DN). The full DN (distinguished name) for the application user stored in the directory. Corresponds to the ApplicationUser parameter.

      In addition to defining the application user here, you must also create the application user in the LDAP or ADSI directory. For more information, see Configuring the Application User.

      NOTE:  If you are configuring an ADSI security adapter, ensure that the application user is either a domain user or has access to the directory server. If the application user cannot access the directory server, the authentication process fails.

    • Application Password. The password for the application user stored in the directory. Corresponds to the ApplicationPassword parameter. Confirm the password.
  11. Configure Web Single Sign-On (Web SSO). Specify whether you want to configure Web SSO. Corresponds to the SingleSignOn parameter.
  12. Enter configuration information pertaining to Web SSO:
    • Credentials Attribute. The database credentials attribute type used by the directory. For LDAP and ADSI, an example entry is dbaccount.
    • User Specification. The Web server variable that stores the user's identity key.

      Proceed to Step 13.

  13. Shared Secret. Specify the trust token to use for Web SSO. Corresponds to the TrustToken parameter. The value also corresponds to the TrustToken parameter in the eapps.cfg file on the SWSE.

    You also specify a value for the SSL Database as described in Step 16.

  14. Hash User Password. Specify whether you want to use password hashing for user passwords. Corresponds to the HashUserPwd parameter.
  15. Hash Database Password. Specify whether you want to use password hashing for the database credentials password. Corresponds to the HashDBPwd parameter.

    For more information, see About Password Hashing.

  16. SSL Database (LDAP only). To enable Secure Sockets Layer (SSL), provide the location of the ldapkey.kdb file. Corresponds to the SslDatabase parameter.

    For more information, see Configuring Secure Communications for Security Adapters.

  17. Implement Adapter-Defined User Name. Specify whether you want to implement the adapter-defined user name. Corresponds to the UseAdapterUserName parameter. For more information, see Configuring Adapter-Defined User Name.
    • If you select Yes, then you must also specify the Siebel User ID attribute. Go to Step 18.
    • If you select No, go to Step 19.
  18. Siebel User ID Attribute. Specify the Siebel User ID attribute for the adapter-defined user name. Corresponds to the SiebelUsernameAttributeType parameter.
  19. Base Distinguished Name (DN). Specify the base distinguished name (DN) in which you are storing your users. Corresponds to the BaseDN parameter.
  20. Propagate Change. Specify whether you want to configure the ability to propagate changes to the LDAP or ADSI directory from a Siebel Developer Web Client or a Siebel Mobile Web Client. Corresponds to the PropagateChange parameter.

    NOTE:  If you specify this option, then you must also set the SecThickClientExtAuthent system preference to TRUE.

  21. Review the settings and, if satisfied, execute the configuration to apply changes.
  22. When the Siebel Configuration Wizard has completed successfully, enable LDAP or ADSI authentication and put the security adapter settings you have just configured into effect: use Siebel Server Manager to set the SecAdptMode parameter to LDAP or ADSI and the SecAdptName parameter to the security adapter name you specified in Step 3. For information on this task, see Parameters for Enterprise, Siebel Servers, or Components.
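Because the wizard writes the profile without validating it against the directory, and because the enterprise switches over only when SecAdptMode and SecAdptName are changed with Server Manager, it is worth checking the collected parameters for the consistency rules stated in Steps 3 through 20 before flipping authentication. The following script is an added example, not Siebel code or part of this guide: it takes the named-subsystem parameters as a plain dictionary and reports violations of those rules (fully qualified ServerName, Port 636 without an SslDatabase, LDAP-only parameters on an ADSI profile, a TrustToken that differs from the one in eapps.cfg, UseAdapterUserName without SiebelUsernameAttributeType, CRC=0). The SharedDBUsername and SharedDBPassword aliases used for the cached shared database account, the srvrmgr syntax returned by enable_commands(), and the sample profile at the bottom are assumptions constructed for illustration; confirm the parameter aliases and command syntax against the Server Manager reference for your release.

```python
"""Pre-flight checks for a Siebel LDAP/ADSI security adapter profile.

Added example, not Siebel code: encodes the consistency rules from the
Configuration Wizard procedure as checks over a dict of named-subsystem
parameters. SharedDBUsername/SharedDBPassword and the srvrmgr syntax in
enable_commands() are assumptions, not taken from the guide.
"""

LDAP_ONLY = ("Port", "PasswordAttributeType", "SslDatabase")


def _flag(value):
    """Siebel boolean parameters are strings; treat TRUE/YES/1 as set."""
    return str(value).strip().upper() in ("TRUE", "YES", "1")


def _is_dn(value):
    """Crude DN shape check: at least one attr=value RDN."""
    return bool(value) and "=" in str(value)


def _looks_fqdn(host):
    """Heuristic: 'ldapserver.oracle.com' passes, bare 'oracle.com' does not."""
    labels = host.split(".")
    return len(labels) >= 3 and all(labels)


def validate_profile(mode, params, eapps_trust_token=None, thick_client_ext_auth=None):
    """Return a list of findings; an empty list means the profile passed."""
    findings = []
    mode = mode.upper()
    if mode not in ("LDAP", "ADSI"):
        return [f"SecAdptMode must be LDAP or ADSI, got {mode!r}"]

    host = str(params.get("ServerName", "")).strip()
    if not host:
        findings.append("ServerName is required")
    elif mode == "LDAP" and not _looks_fqdn(host):
        findings.append(f"ServerName {host!r} is not a fully qualified host name")

    if mode == "LDAP":
        port = str(params.get("Port", "389"))
        ssl_db = params.get("SslDatabase")
        if port not in ("389", "636"):
            findings.append(f"Port {port!r} is neither 389 (standard) nor 636 (SSL)")
        if port == "636" and not ssl_db:
            findings.append("Port 636 selected but SslDatabase (ldapkey.kdb) not set")
        if port == "389" and ssl_db:
            findings.append("SslDatabase set but Port is 389: directory traffic is not encrypted")
        if not params.get("PasswordAttributeType"):
            findings.append("PasswordAttributeType is required for LDAP")
    else:
        for key in LDAP_ONLY:
            if key in params:
                findings.append(f"{key} is LDAP-only and is ignored by the ADSI adapter")

    for key in ("UsernameAttributeType", "ApplicationPassword"):
        if not params.get(key):
            findings.append(f"{key} is required")
    for key in ("ApplicationUser", "BaseDN"):
        if not _is_dn(params.get(key)):
            findings.append(f"{key} must be a distinguished name")

    # Shared DB account: cached as profile parameters (LDAP only) or read from the directory.
    cached = bool(params.get("SharedDBUsername")) and bool(params.get("SharedDBPassword"))
    in_dir = _is_dn(params.get("SharedCredentialsDN")) and bool(params.get("CredentialsAttributeType"))
    if cached and mode == "ADSI":
        findings.append("Cached shared database credentials are an LDAP-only option")
    if not cached and not in_dir:
        findings.append("Shared database account needs cached credentials or SharedCredentialsDN plus CredentialsAttributeType")

    if _flag(params.get("SingleSignOn")):
        token = params.get("TrustToken")
        if not token:
            findings.append("SingleSignOn=TRUE requires a TrustToken")
        elif eapps_trust_token is not None and token != eapps_trust_token:
            findings.append("TrustToken does not match the TrustToken in eapps.cfg on the SWSE")

    if _flag(params.get("UseAdapterUserName")) and not params.get("SiebelUsernameAttributeType"):
        findings.append("UseAdapterUserName=TRUE requires SiebelUsernameAttributeType")
    if _flag(params.get("PropagateChange")) and thick_client_ext_auth is False:
        findings.append("PropagateChange=TRUE requires system preference SecThickClientExtAuthent=TRUE")
    if str(params.get("CRC", "0")) == "0":
        findings.append("CRC=0: checksum validation of the security adapter DLL is disabled")
    return findings


def enable_commands(mode, adapter_name):
    """srvrmgr lines that switch the enterprise to the adapter (assumed syntax)."""
    return [f"change ent param SecAdptMode={mode.upper()}",
            f"change ent param SecAdptName={adapter_name}"]


# Constructed sample profile (not a real deployment) containing several mistakes.
DRAFT_LDAP = {
    "ServerName": "oracle.com",            # bare domain instead of the directory host
    "Port": "636",                         # SSL port, but no SslDatabase below
    "UsernameAttributeType": "uid",
    "PasswordAttributeType": "userPassword",
    "CredentialsAttributeType": "dbaccount",
    "SharedCredentialsDN": "uid=SHAREDDBUSER,ou=people,o=example",
    "ApplicationUser": "uid=APPUSER,ou=people,o=example",
    "ApplicationPassword": "app-password",
    "BaseDN": "ou=people,o=example",
    "SingleSignOn": "TRUE",
    "TrustToken": "token-A",               # eapps.cfg on the SWSE carries token-B
    "UseAdapterUserName": "TRUE",          # but no SiebelUsernameAttributeType
    "CRC": "0",
}

if __name__ == "__main__":
    for finding in validate_profile("LDAP", DRAFT_LDAP, eapps_trust_token="token-B"):
        print("FINDING:", finding)
    print("\n".join(enable_commands("LDAP", "LDAPSecAdpt")))
```

Run the checks against the profile you intend to create (or against the parameter values read back from the named subsystem with Server Manager) and clear every finding before issuing the SecAdptMode and SecAdptName changes; the CRC=0 finding is deliberately kept as a warning because disabling checksum validation of the adapter DLL is a choice the page leaves to you.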
Siebel Security Guide. Copyright © 2011, Oracle and/or its affiliates. All rights reserved.